Site to Site VPN Connection Filtered by Azure Firewall


Image: https://petri.com/how-to-architect-an-azure-firewall-with-a-vpn-gateway

A site-to-site (S2S) VPN connection is commonly used in hybrid architectures. In this post I will show the key steps needed to make this architecture work, with Azure Firewall inspecting the traffic in both directions.

I have three VNets in this lab:

  • Cloud VNet with VM subnet: 172.16.0.0/24
  • DMZ Hub with FW subnet: 192.168.3.0/24, Gateway subnet: 192.168.1.0/24 and VM subnet: 192.168.0.0/24
  • Local VNet with VM subnet: 10.0.0.0/24 and Gateway subnet: 10.0.3.0/24

With the required services provisioned (VMs, Azure Firewall, VPN Gateways, and the S2S connection between the two gateways), the key configuration points are as follows.

Note that the Cloud VNet is peered with the DMZ Hub; without the peering the Cloud VNet has no path to the hub's firewall or VPN gateway.

DMZ Hub

All traffic that arrives from the remote/local network through the S2S VPN and is bound for the cloud must be forwarded to Azure Firewall for filtering and control. Therefore a UDR (route table) is configured and applied to the DMZ Hub gateway subnet, with a route for the Cloud VNet prefix whose next hop is the firewall's private IP address.


Cloud VNet

All traffic from the cloud to the remote/local network needs to be filtered and controlled by Azure Firewall too, so a UDR is needed on the Cloud VNet VM subnet as well, with a route for the local network prefix whose next hop is the firewall. Without it, return traffic would bypass the firewall and the flow would be routed asymmetrically.


Azure FW Rules

Lastly, configure a firewall rule to verify the connection. I set up a one-way connection that only allows traffic from local to cloud; because Azure Firewall denies anything without a matching allow rule, the reverse direction is blocked.
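The three pieces above (the UDR on the DMZ Hub gateway subnet, the UDR on the Cloud VNet VM subnet, and the one-way firewall rule) expressed as one Bicep template. This is an added example, not code from the original post. The resource names, the subnet name 'vm-subnet', the firewall private IP 192.168.3.4 and the use of a Firewall Policy rule collection group are assumptions; the address prefixes are the ones listed for the lab.

```bicep
// Added example, not from the original post. Resource names, the subnet name
// 'vm-subnet', the firewall private IP and the policy name are assumptions;
// the address prefixes are the lab's.
param location string = resourceGroup().location
param dmzHubVnetName string = 'dmz-hub-vnet'        // assumed name
param cloudVnetName string = 'cloud-vnet'           // assumed name
param firewallPolicyName string = 'dmz-azfw-policy' // assumed: policy attached to the firewall
param firewallPrivateIp string = '192.168.3.4'      // assumed: first usable IP in the FW subnet

var cloudVmSubnetPrefix = '172.16.0.0/24'   // Cloud VNet VM subnet
var localVmSubnetPrefix = '10.0.0.0/24'     // Local VNet VM subnet, reached over the S2S VPN
var dmzGatewaySubnetPrefix = '192.168.1.0/24'

resource dmzHubVnet 'Microsoft.Network/virtualNetworks@2023-04-01' existing = {
  name: dmzHubVnetName
}
resource cloudVnet 'Microsoft.Network/virtualNetworks@2023-04-01' existing = {
  name: cloudVnetName
}
resource fwPolicy 'Microsoft.Network/firewallPolicies@2023-04-01' existing = {
  name: firewallPolicyName
}

// 1. UDR on the DMZ Hub GatewaySubnet: VPN traffic for the Cloud VNet is sent to
//    the firewall instead of straight across the peering. BGP propagation must stay
//    enabled here, and a 0.0.0.0/0 route is not permitted on a GatewaySubnet.
resource gatewayRouteTable 'Microsoft.Network/routeTables@2023-04-01' = {
  name: 'rt-dmz-gatewaysubnet'
  location: location
  properties: {
    disableBgpRoutePropagation: false
    routes: [
      {
        name: 'to-cloud-vnet-via-fw'
        properties: { addressPrefix: cloudVmSubnetPrefix, nextHopType: 'VirtualAppliance', nextHopIpAddress: firewallPrivateIp }
      }
    ]
  }
}
resource gatewaySubnet 'Microsoft.Network/virtualNetworks/subnets@2023-04-01' = {
  parent: dmzHubVnet
  name: 'GatewaySubnet'
  properties: {
    addressPrefix: dmzGatewaySubnetPrefix
    routeTable: { id: gatewayRouteTable.id }
  }
}

// 2. UDR on the Cloud VNet VM subnet: traffic for the local network goes to the
//    firewall first, so the return path is filtered too (no asymmetric routing).
resource cloudVmRouteTable 'Microsoft.Network/routeTables@2023-04-01' = {
  name: 'rt-cloud-vm-subnet'
  location: location
  properties: {
    routes: [
      {
        name: 'to-local-via-fw'
        properties: { addressPrefix: localVmSubnetPrefix, nextHopType: 'VirtualAppliance', nextHopIpAddress: firewallPrivateIp }
      }
    ]
  }
}
resource cloudVmSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-04-01' = {
  parent: cloudVnet
  name: 'vm-subnet' // assumed subnet name
  properties: {
    addressPrefix: cloudVmSubnetPrefix
    routeTable: { id: cloudVmRouteTable.id }
  }
}

// 3. One-way rule: local VM subnet -> cloud VM subnet is allowed. Nothing allows the
//    reverse direction, so cloud-initiated sessions hit the default deny; replies to
//    local-initiated sessions still pass because the firewall is stateful.
resource s2sRules 'Microsoft.Network/firewallPolicies/ruleCollectionGroups@2023-04-01' = {
  parent: fwPolicy
  name: 's2s-rules'
  properties: {
    priority: 200
    ruleCollections: [
      {
        ruleCollectionType: 'FirewallPolicyFilterRuleCollection'
        name: 'allow-local-to-cloud'
        priority: 100
        action: { type: 'Allow' }
        rules: [
          {
            ruleType: 'NetworkRule'
            name: 'local-vm-to-cloud-vm'
            ipProtocols: [ 'TCP', 'ICMP' ]
            sourceAddresses: [ localVmSubnetPrefix ]
            destinationAddresses: [ cloudVmSubnetPrefix ]
            destinationPorts: [ '*' ]
          }
        ]
      }
    ]
  }
}
```

Deploy it into the hub's resource group with `az deployment group create --resource-group <rg> --template-file s2s-fw.bicep`. Two caveats: redeclaring a subnet in Bicep replaces its full property set, so if the real subnets already carry an NSG or service endpoints, add those properties back before deploying; and the Firewall Policy block assumes the firewall was created with a policy rather than classic rules, in which case the same network rule goes into the firewall resource's networkRuleCollections instead.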


Reference:

https://petri.com/how-to-architect-an-azure-firewall-with-a-vpn-gateway

Author: Yst@IT. AWS Certified SA, SysOps & Developer Associate, Alibaba Cloud certified SA. Focusing on Azure, Prometheus w/ Grafana, ELK and K8S now.
