Vnet routing over IPSEC

Hello,

I have set up a Site-to-Site IPSEC connection between my customer's Vnet in Azure and their on-premise network.

It all works just fine and the routing works fine for the address spaces in the tunnel.

Now, they want to specify address ranges that exist on the Internet to route through the VPN tunnel and reach the Internet from their on-premise network. In other words, they want forced tunneling but only for specific addresses. Is this possible to set up in Azure in some way?

Hi @Marcus Pettersson

Take a look at setting up a User Defined Route. UDR will allow you to force addresses down any path. Azure routes traffic in the following order: User-defined route, BGP route, System route.

You should be able to tell the route to use either a virtual appliance or the VPN gateway as the next hop.

If this fails, look at using Azure Firewall as a router to replace a virtual appliance.

+1 to @Craig Wilson This is exactly how you can accomplish this. You can use the tools in Network Watcher to verify the traffic flow as well. IP flow verify and Next hop utilities can confirm it's routing to your liking.
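Added example, not part of the thread: a small Python model of the route selection the two replies above rely on (longest prefix match first, then user-defined over BGP over system routes on a tie), using constructed documentation/private prefixes. It shows that a single UDR for one public range with next hop VirtualNetworkGateway changes only that range's next hop, in contrast to a default-route UDR (full forced tunneling), and what a Network Watcher next-hop style check would report for each destination.

```python
import ipaddress
from dataclasses import dataclass

# Tie-break order Azure applies when two matching routes have the same
# prefix length: user-defined first, then BGP-learned, then system routes.
PRIORITY = {"UDR": 0, "BGP": 1, "System": 2}

@dataclass(frozen=True)
class Route:
    prefix: str    # CIDR, e.g. "203.0.113.0/24"
    next_hop: str  # "Internet", "VirtualNetworkGateway", "VirtualAppliance", ...
    source: str    # "UDR", "BGP" or "System"

def select_route(routes, dst_ip):
    """Effective route for dst_ip: longest prefix match wins; on a tie the
    PRIORITY order decides. Returns None when nothing matches."""
    dst = ipaddress.ip_address(dst_ip)
    matches = [r for r in routes if dst in ipaddress.ip_network(r.prefix)]
    if not matches:
        return None
    return min(matches, key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen,
                                       PRIORITY[r.source]))

def next_hop(routes, dst_ip):
    """Next-hop type for dst_ip, the value a next-hop check would report."""
    r = select_route(routes, dst_ip)
    return r.next_hop if r else "None"

# Constructed sample (documentation/private ranges, not a real deployment):
VNET = "10.1.0.0/16"
ONPREM = "192.168.0.0/16"
PINNED_PUBLIC = "203.0.113.0/24"  # hypothetical public range to reach via on-prem

BASE_ROUTES = [
    Route(VNET, "VirtualNetwork", "System"),        # default intra-VNet route
    Route("0.0.0.0/0", "Internet", "System"),       # default Internet route
    Route(ONPREM, "VirtualNetworkGateway", "BGP"),  # learned via the S2S connection
]
# The single UDR the reply suggests: only this prefix is forced through the tunnel.
PINNED_UDR = Route(PINNED_PUBLIC, "VirtualNetworkGateway", "UDR")
# For comparison, classic full forced tunneling is a UDR on the default route.
FULL_TUNNEL_UDR = Route("0.0.0.0/0", "VirtualNetworkGateway", "UDR")

def effective_routes(*udrs):
    """Route table a subnet sees: base routes plus any associated UDRs."""
    return BASE_ROUTES + list(udrs)
```

The UDR only steers the VNet side: the gateway carries the pinned prefix over the tunnel only if it is in the local network gateway's address space or advertised over BGP, and the on-premise firewall must route the return traffic back through the tunnel.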

Hi @Craig Wilson and @Bryan Haslip

Thanks a lot for your help! I will try your suggestions and hopefully get it to work!