Azure VPN / Vhub P2S Advertised routes troubleshooting

Dylan 0 Reputation points
2025-02-12T14:31:28.2+00:00

Good afternoon all,

I am having some issues with a VPN P2S I have set up within a vHub, whereby the Azure VPN client is not populating the custom advertised routes listed in the Default route table, and thus the traffic is not routing correctly unless I explicitly add the route into the VPN XML profile (which I want to avoid for administrative maintenance purposes).

My goal is to ensure that only specific internet traffic is routed through the firewall and SNAT'd out to public IP connections (that have whitelisted my Azure Firewall's public IP address) for access, whilst not force-tunnelling all internet traffic through the firewall. E.g. there are several jump boxes that some of my users need to connect to, and those jump boxes have a whitelist of public IP addresses that may connect to them. When connected to the VPN, I want the users to be able to access the jump boxes with the firewall's public IP address, but I don't want any other internet traffic to go through the VPN tunnel.

The custom advertised route is to a public internet IP address, which, if I edit my Azure VPN XML file to include the following, works as intended:

    <clientconfig>
      <includeroutes>
        <route>
          <destination>[public_ip_address]</destination><mask>32</mask>
        </route>
      </includeroutes>
    </clientconfig>

However, this list of custom public destinations could grow very large and change regularly, and so I want to avoid having to not only update the prefixes within the virtual hub route table, but then also do it again in the XML file.

This is my current set up:

-EnableInternetSecurityFlag has been set to True

Azure VPN profile version has been changed from "1" to "2" within the XML

Virtual WAN

  • Virtual WAN, with a virtual hub

Azure Firewall Manager

  • Contains Azure Firewall which has a Firewall Policy
  • Azure Firewall has a Public IP address
  • Azure Firewall has a SKU of Standard
  • Firewall policy is associated to the virtual hub
  • Firewall policy has a policy tier of Standard
  • Firewall policy has only 1 custom network rule, which is to allow all forwarded traffic from my p2s address pool to reach a destination of *

Virtual Hub

  • Routing Intent and Routing Policies: Internet traffic set to None. Private traffic to set to Azure Firewall, next hop to my firewall.
  • Route Tables: Default and None.


I have purposefully not chosen for Internet traffic to be routed to the Azure Firewall via Routing Intent, because doing so routes everything (0.0.0.0/0), and I don't want that. I just need a handful of static IP addresses to go to the firewall and everything else to go through the local network adaptor.

Could someone please kindly tell me where I've gone wrong, and point me in the right direction?


Thanks in advance!
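The two-list maintenance problem described in the question, as an added example that is not part of the original post or of Microsoft's tooling: a Python script that merges a prefix list into the Azure VPN client profile's <includeroutes>, skips entries that are already present (so it can be re-run every time the hub route table changes), and refuses 0.0.0.0/0 so a stray default route cannot silently force-tunnel everything, which is exactly the outcome the question wants to avoid. It assumes the exported azurevpnconfig.xml carries the DataContract default namespace shown in the sample, that the prefix list is produced separately (for example by dumping the static route destinations of the hub's Default route table with the Az PowerShell cmdlet Get-AzVHubRouteTable, which is not shown here), and that a bare IP address means a /32; the sample profile and file names are constructed.

```python
"""Sync an Azure VPN client profile's <includeroutes> with a prefix list.

Added example, not from the question or from Microsoft. Assumes the
azurevpnconfig.xml layout shown in the question, including the DataContract
default namespace that the exported profile carries.
"""
import ipaddress
import sys
import xml.etree.ElementTree as ET

# Constructed sample profile for offline use (not a real export); it already
# contains the one route the question's author added by hand.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="utf-8"?>
<AzVpnProfile xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.datacontract.org/2004/07/">
  <name>vhub-p2s</name>
  <version>2</version>
  <clientconfig>
    <includeroutes>
      <route><destination>203.0.113.10</destination><mask>32</mask></route>
    </includeroutes>
  </clientconfig>
</AzVpnProfile>
"""

XML_DECLARATION = '<?xml version="1.0" encoding="utf-8"?>\n'


def _qualifier(root):
    """Return a function that qualifies a tag with the document's default namespace."""
    ns = root.tag[1:].split("}", 1)[0] if root.tag.startswith("{") else ""
    if ns:
        # Keep the default namespace prefix-less on output so the client still parses it.
        ET.register_namespace("", ns)
    return lambda tag: f"{{{ns}}}{tag}" if ns else tag


def normalise_prefix(prefix):
    """Parse a route as it would appear in a hub route table; a bare IP becomes a /32."""
    net = ipaddress.ip_network(prefix.strip(), strict=False)
    if net.prefixlen == 0:
        # 0.0.0.0/0 in includeroutes force-tunnels all traffic through the VPN.
        raise ValueError(f"refusing default route {net}: it would force-tunnel all traffic")
    return str(net.network_address), str(net.prefixlen)


def list_include_routes(xml_text):
    """Return the profile's includeroutes as 'destination/mask' strings, in file order."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    q = _qualifier(root)
    path = f"./{q('clientconfig')}/{q('includeroutes')}/{q('route')}"
    return [f"{r.findtext(q('destination'))}/{r.findtext(q('mask'))}" for r in root.iterfind(path)]


def merge_include_routes(xml_text, prefixes):
    """Add each prefix as a <route> unless already present; return the updated XML text."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    q = _qualifier(root)
    cc = root.find(q("clientconfig"))
    if cc is None:  # assumption: a profile without the block accepts one appended at the end
        cc = ET.SubElement(root, q("clientconfig"))
    inc = cc.find(q("includeroutes"))
    if inc is None:
        inc = ET.SubElement(cc, q("includeroutes"))
    present = {(r.findtext(q("destination")), r.findtext(q("mask"))) for r in inc.iterfind(q("route"))}
    for prefix in prefixes:
        dest, mask = normalise_prefix(prefix)
        if (dest, mask) in present:
            continue  # idempotent: re-running with the same list changes nothing
        route = ET.SubElement(inc, q("route"))
        ET.SubElement(route, q("destination")).text = dest
        ET.SubElement(route, q("mask")).text = mask
        present.add((dest, mask))
    return XML_DECLARATION + ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # usage: python sync_routes.py azurevpnconfig.xml prefixes.txt   (one prefix per line, '#' comments)
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as f:
            profile = f.read()
        with open(sys.argv[2], encoding="utf-8") as f:
            wanted = [ln for ln in f.read().splitlines() if ln.strip() and not ln.startswith("#")]
        with open(sys.argv[1], "w", encoding="utf-8") as f:
            f.write(merge_include_routes(profile, wanted))
    else:
        merged = merge_include_routes(SAMPLE_PROFILE, ["203.0.113.10", "198.51.100.0/24"])
        print(list_include_routes(merged))
```

Run it after every change to the hub route table, then redistribute the rewritten profile; because the merge is idempotent it is safe to schedule. Note that the Azure VPN client honours only what is in the profile at connect time, so existing sessions still need to reconnect to pick up new routes.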


1 answer
  1. Rohith Vinnakota 2,735 Reputation points Microsoft Vendor
    2025-02-12T21:30:01.2533333+00:00

    Hi @Dylan,

    Greetings

    Currently, there is no automatic way to advertise specific IP addresses/routes to P2S clients. We are releasing a new feature (Route Maps) which would support this (currently it is in Preview; the GA date is yet to be announced). Advertising specific IP addresses to P2S clients from Azure Virtual WAN is only possible via 2 methods:

    • Adding those specific routes to client config XML file.
    • Using Route maps for virtual hubs (Preview).

    NOTE: Route-maps is currently in Public Preview and is provided without a service-level agreement. It shouldn't be used for production workloads. Certain features might not be supported, might have constrained capabilities, or might not be available in all Azure locations.

    Same question: https://learn.microsoft.com/en-us/answers/questions/1332929/specific-route-to-a-public-ip-through-p2s-vpn


    I hope this has been helpful!


