
I have 3 VNets and 3 Point-to-Site VPN Gateways, one for each VNet, and VNet peering is set up as in the image below.


What I want to achieve is:

  1. If I use VPN1, I can ping all VMs in all 3 VNets.
  2. If I use VPN2, I can only ping VMs in VNet 2 and 1.
  3. If I use VPN3, I can only ping VMs in VNet 3 and 1.

As I understand it, to achieve 1, I have to allow forwarded traffic in both peerings. But then 2 and 3 cannot be fulfilled - I can ping all VMs regardless of which VPN I use. Is that correct?

What should be the right way to do this?


Update: For more details, here's my use case:

In VNet 1, I have an Intranet server, which should be available for everyone.

In VNet 2, I have a development server.

In VNet 3, I have a test server.

A manager should be able to access all servers --> VPN1.

A developer should be able to access the Intranet and the Dev server --> VPN2

A tester should be able to access the Intranet and the Test server --> VPN3

Hien Le

1 Answer


For your requirements, I believe you could achieve it by configuring VPN gateway transit for virtual network peering in a hub-and-spoke network architecture. In this network architecture, you deploy one VPN gateway in VNet1 (as the hub) and peer it with the other two VNets (as the spokes) instead of deploying VPN gateways in every spoke virtual network. Routes to the gateway-connected virtual networks or on-premises networks will propagate to the routing tables of the peered virtual networks using gateway transit.

The following diagram shows how gateway transit works with virtual network peering.

In this case, you would configure peering between VNet1 and VNet2, and between VNet1 and VNet3.

On the peering from VNet1 to VNet2 and VNet1 to VNet3, enable the Allow gateway transit option. On the peering from VNet2 to VNet1 and VNet3 to VNet1, set the Use remote gateways option.

Nancy
  • Hi. I haven't tried this, but from what I understand, a hub-and-spoke network allows whoever connects to the VPN to access everything in all the VNets. So it doesn't fulfill my goal. Is it possible to authorize people using Azure AD when they connect to the VPN? – Hien Le Aug 10 '20 at 08:50
  • Yes, it's possible for Windows 10 clients (using the OpenVPN protocol) with Azure AD authentication. Read [here](https://medium.com/@syerge/azure-point-to-site-p2s-connection-with-azure-ad-authentication-4584a90bad88). As far as I know, in a hub-spoke network, the spoke VMs do not communicate with each other without additional configuration. – Nancy Aug 10 '20 at 08:57
  • Hi. I think you misunderstand my question. The link you provided is for authentication, while what I want is authorization. For example, in your picture there are 3 VNets: Hub, Spoke 1 and Spoke 2. If a project manager connects to the VPN, I want him to be able to access everything. But if a developer connects, he should only be able to access VMs in the Hub and Spoke 1. – Hien Le Aug 10 '20 at 10:00
  • So do you need authorization on VM-specific resources instead of on the VPN connection? – Nancy Aug 10 '20 at 10:24
  • Well, my original question was not about connecting to the VMs. When I say "access VMs", I actually mean not only SSH/RDP into the servers, but also accessing the website running on them. I hope this clarifies. – Hien Le Aug 10 '20 at 10:33
  • I see, so the best way is to set limitations at the networking level. In this case, you can use a VPN gateway in a hub-spoke network as in my reply above. Then all clients will access the three networks through one gateway. Then you can allow only the selected client private IPs in the inbound rules of the [NSG](https://learn.microsoft.com/en-us/azure/virtual-network/security-overview#inbound) of VNet2 and VNet3. – Nancy Aug 11 '20 at 07:05
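The peering flags from the answer (Allow gateway transit on the hub side, Use remote gateways on the spoke side) and the NSG restriction from the last comment, as an added Azure CLI script that is not part of the original question or answer. The resource group, NSG names, and the three client address pools are assumptions; in particular it assumes each audience (manager, developer, tester) arrives from its own known address range, which is not something a single P2S gateway guarantees, since client addresses are handed out dynamically from the gateway's pool. The script defaults to a dry run that prints the `az` commands so the plan can be reviewed without a subscription; set `DRY_RUN=0` to execute it.

```shell
#!/usr/bin/env sh
# Added example (not from the original post): hub-and-spoke peering with VPN
# gateway transit, plus NSG inbound rules that restrict which P2S client
# ranges may reach each spoke. All names and address pools below are assumed.
set -eu

RG="${RG:-rg-hub-spoke}"   # assumed resource group holding all three VNets
HUB="${HUB:-VNet1}"        # hub: single P2S gateway + Intranet server
# Assumed P2S client pools, one per audience, so NSG rules can key on source IP.
POOL_MANAGER="10.100.0.0/24"
POOL_DEV="10.100.1.0/24"
POOL_TEST="10.100.2.0/24"

# Print the command instead of running it unless DRY_RUN=0.
run() {
  if [ "${DRY_RUN:-1}" = "1" ]; then
    printf '%s ' "$@"; printf '\n'
  else
    "$@"
  fi
}

# Peer hub <-> spoke. The hub side advertises its gateway
# (--allow-gateway-transit); the spoke side consumes it (--use-remote-gateways).
# Forwarded traffic is allowed so P2S clients entering via the hub gateway can
# reach spoke VMs. Note: a spoke cannot use the remote gateway if it still has
# a VPN gateway of its own, so the per-spoke gateways must be removed first.
peer_hub_spoke() {
  hub="$1"; spoke="$2"
  run az network vnet peering create --resource-group "$RG" \
    --name "peer-${hub}-to-${spoke}" --vnet-name "$hub" --remote-vnet "$spoke" \
    --allow-vnet-access --allow-forwarded-traffic --allow-gateway-transit
  run az network vnet peering create --resource-group "$RG" \
    --name "peer-${spoke}-to-${hub}" --vnet-name "$spoke" --remote-vnet "$hub" \
    --allow-vnet-access --allow-forwarded-traffic --use-remote-gateways
}

# Allow only the given P2S source ranges into a spoke's NSG and explicitly
# deny every other P2S range; the NSG is assumed to already exist and to be
# associated with the spoke's VM subnet. Priorities must be unique per NSG.
restrict_spoke() {
  nsg="$1"; shift
  prio=100
  for src in "$@"; do
    run az network nsg rule create --resource-group "$RG" --nsg-name "$nsg" \
      --name "allow-p2s-${prio}" --priority "$prio" --direction Inbound \
      --access Allow --protocol '*' --source-address-prefixes "$src" \
      --destination-port-ranges '*'
    prio=$((prio + 10))
  done
  run az network nsg rule create --resource-group "$RG" --nsg-name "$nsg" \
    --name "deny-other-p2s" --priority 4000 --direction Inbound --access Deny \
    --protocol '*' \
    --source-address-prefixes "$POOL_MANAGER" "$POOL_DEV" "$POOL_TEST" \
    --destination-port-ranges '*'
}

# Hub (VNet1, Intranet) stays open to every VPN client; spokes are restricted.
peer_hub_spoke "$HUB" VNet2
peer_hub_spoke "$HUB" VNet3
restrict_spoke nsg-VNet2 "$POOL_MANAGER" "$POOL_DEV"    # dev server: managers + developers
restrict_spoke nsg-VNet3 "$POOL_MANAGER" "$POOL_TEST"   # test server: managers + testers
```

Two practical checks before relying on this: confirm that each spoke has no VPN gateway of its own (otherwise the `--use-remote-gateways` peering is rejected), and re-download the P2S client profile after the peerings are created so clients pick up routes to the spoke address spaces. The NSG rules only enforce the split if each audience really does arrive from a distinct source range, which is the assumption stated above.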