Forum Discussion

Marcus Pettersson
Copper Contributor
Oct 10, 2019

Vnet routing over IPSEC

Hello,


I have set up a Site-to-Site IPSEC connection between my customer's VNet in Azure and their on-premise network.

It all works just fine, and the routing works fine for the address spaces in the tunnel.


Now, they want to specify address ranges that exist on the Internet to route through the VPN tunnel and reach the Internet from their on-premise network. In other words, they want forced tunneling, but only for specific addresses. Is this possible to set up in Azure in some way?

    CraigWilson_
    Brass Contributor

    Hi Marcus Pettersson 


    Take a look at setting up a User Defined Route. UDR will allow you to force addresses down any path. Azure routes traffic in the following order: user-defined route, BGP route, system route.


    You should be able to tell the route to use either a virtual appliance or the VPN gateway as the next hop.


    If this fails, look at using Azure Firewall as a router to replace a virtual appliance.

      Bryan Haslip
      Iron Contributor

      +1 to CraigWilson_. This is exactly how you can accomplish this. You can use the tools in Network Watcher to verify the traffic flow as well. The IP flow verify and Next hop utilities can confirm it's routing to your liking.
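As an added example (not code from the thread or from either poster), here is a Bicep template for the UDR approach CraigWilson_ describes, with the VPN gateway as next hop for one specific Internet prefix. All names, IP prefixes and the API version are assumed placeholders, and it assumes the VNet and its VPN gateway already exist.

```bicep
// Constructed example values (not from the thread); replace with the customer's own.
param location string = resourceGroup().location
param vnetName string = 'vnet-customer'
param subnetName string = 'snet-workload'      // a workload subnet, never the GatewaySubnet
param subnetPrefix string = '10.20.1.0/24'
param onPremGatewayIp string = '203.0.113.10'   // placeholder public IP of the on-prem VPN device
param onPremPrefixes array = ['10.10.0.0/16']   // on-prem space already carried by the tunnel
param forcedPublicPrefixes array = ['198.51.100.0/24'] // Internet range that must exit via on-prem

// The VPN gateway only forwards destinations it knows from the tunnel's address space
// (or from BGP), so the Internet prefixes are declared on the local network gateway too.
resource lng 'Microsoft.Network/localNetworkGateways@2023-05-01' = {
  name: 'lng-onprem'
  location: location
  properties: {
    gatewayIpAddress: onPremGatewayIp
    localNetworkAddressSpace: {
      addressPrefixes: concat(onPremPrefixes, forcedPublicPrefixes)
    }
  }
}
// One UDR per forced prefix with the VNet's VPN gateway as next hop. UDRs win over BGP
// and system routes, so only these ranges change path; other Internet traffic is unaffected.
resource rt 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-forced-prefixes'
  location: location
  properties: {
    routes: [for prefix in forcedPublicPrefixes: {
      name: 'to-onprem-${replace(replace(prefix, '.', '-'), '/', '-')}'
      properties: {
        addressPrefix: prefix
        nextHopType: 'VirtualNetworkGateway'
      }
    }]
  }
}
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' existing = {
  name: vnetName
}

// Attach the route table to the workload subnet whose VMs must use the tunnel.
resource subnet 'Microsoft.Network/virtualNetworks/subnets@2023-05-01' = {
  parent: vnet
  name: subnetName
  properties: {
    addressPrefix: subnetPrefix
    routeTable: { id: rt.id }
  }
}
```

After deployment, the Network Watcher next hop check Bryan Haslip mentions (for example `az network watcher show-next-hop`) from a VM in that subnet to an address inside the forced range should report VirtualNetworkGateway, while an address outside it should still report Internet.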
