Vnet routing over IPSEC

Question

Hello,&nbsp;I have set up a Site-to-Site IPSEC connection between my customers Vnet in Azure and their on-premise network.I all works just fine and the routing works fine for the address spaces in the tunnel.&nbsp;&nbsp;Now, they want to specify address ranges that exists on the Internet to route through the VPN tunnel and reach Internet from their on-premise network. With other words, they want forced tunneling but only for specific addresses. Is this possible to set up in Azure in some way?

bryan haslip · Answer

+1 to&nbsp;CraigWilson_&nbsp;This is exactly how to can accomplish this. You can use the tools in network watcher to verify the traffic flow as well. IP flow verify and Next hop utilities can confirm its routing to your liking.&nbsp;

marcus pettersson · Answer

Hi CraigWilson_&nbsp;and&nbsp;Bryan Haslip&nbsp;Thanks a lot for your help! I will try your suggestions and hopefully get it to work!

craigwilson_ · Answer

Hi&nbsp;Marcus Pettersson&nbsp;&nbsp;Take a look at setting up a User Defined Route. UDR will allow you to force addresses down any path. Azure routes traffic in the following order,&nbsp;User-defined route, BGP, route System route.&nbsp;You should be able to tell the route to use either a virtual appliance, of the VPN gateway are the next hop.&nbsp;If this fails, look at using Azure Firewall as a router to replace a virtual appliance.&nbsp;&nbsp;&nbsp;

Forum Discussion

Vnet routing over IPSEC

Share

Resources