Azure P2S VPN Users Access Remote Peering Networks

The Azure point-to-site solution is cloud-based and can be provisioned quickly to cater for the increased demand of users to work from home. It can scale up easily and turned off just as easily and quickly when the increased capacity is not needed anymore.

This post summarize the configuration for allowing Point-2-site vpn users to access your remote peering network. 

Related Post::

• Azure Point-to-Site VPN Configuration (Using Certs or AD Authentication)

The table below shows the client operating systems and the authentication options that are available to them. I

(from: https://learn.microsoft.com/en-us/azure/vpn-gateway/work-remotely-support)

Diagram and Protocols

Azure supports three types of Point-to-site VPN options:

• Secure Socket Tunneling Protocol (SSTP). SSTP is a Microsoft proprietary SSL-based solution that can penetrate firewalls since most firewalls open the outbound TCP port that 443 SSL uses.

• OpenVPN. OpenVPN is a SSL-based solution that can penetrate firewalls since most firewalls open the outbound TCP port that 443 SSL uses.

• IKEv2 VPN. IKEv2 VPN is a standards-based IPsec VPN solution that uses outbound UDP ports 500 and 4500 and IP protocol no. 50. Firewalls don't always open these ports, so there's a possibility of IKEv2 VPN not being able to traverse proxies and firewalls.

Steps to Configure Peering

Azure supports the following types of peering:

• Virtual network peering: Connecting virtual networks within the same Azure region.

• Global virtual network peering: Connecting virtual networks across Azure regions.

The following steps assume you have configured both resource groups in different Azure regions, both virtual networks and one Point-2-site virtual network gateway. Your remote users are able to use this p2s gateway to access the resources in one region (one resource group).

Previous related posts: Azure Point-to-Site VPN Configuration (Using Certs or AD Authentication)

To have your remote users to access another region's network and resources, here are steps:

1 Go to your Azure virtual network, choose Peerings from left panel

2 Click add button

3 Enter local peering link name and remote peering link name. Azure will create two links for you in this one time setup.

4 Choose remote virtual network name 

Once you completed peering, the VMs can talk each other in those two virtual networks (10.1.0.0/16 and 10.2.0.0/16) without further configuration.

Note: You will notice virtual network gateway or route server 's default setting is none. In our next step, we will need to make change on this settings to allow remote P2S users to access peering networks. 

Configure Peering Links

1  Add a route for peering network into Virtual Network Gateway Configuration

Next step is to change gateway for both peering network. 

2 Change Peering configuration on local )

This will allow P2S users to access your remote peering network.

Explanation for Virtual network gateway or Route server: 

• Dynamic routes for virtual machines in a virtual network are programmed by virtual network gateways or Route Servers. Additionally, a virtual network gateway routes traffic between on-premises networks and Azure virtual networks. A virtual network gateway can be created for either VPN Gateway or ExpressRoute.

3 Change Peering configuration on remote 

After above steps, your P2S users should be able to access remote site's network. 

References

• About Point-to-Site VPN routing - Multiple peered VNets