Hello Mohammed Asif,
Welcome to the Microsoft Q&A and thank you for posting your questions here.
I understand that you need to restrict Azure point-to-site VPN users' access to specific subnets only, so that only specified individuals can reach certain subnets.
Your requirement calls for specific access control, not just using an NSG and Firewall to control network traffic. If you would like more precise best practices, here is a step-by-step guide to solve the issue:
Step 1: Enable Azure AD Authentication for P2S VPN: https://learn.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-tenant
- Configure your VPN gateway to use Azure AD authentication:
  - Navigate to VPN Gateway in the Azure portal.
  - Under Point-to-Site Configuration, choose Azure Active Directory as the authentication method.
  - Link your Azure AD tenant to the VPN configuration.
Step 2: Create User Groups in Azure AD
- Define user groups for each subnet (e.g., Subnet1Access, Subnet2Access).
- Add users to the appropriate groups based on their access requirements.
Step 3: Configure Conditional Access Policies
- Navigate to Azure Active Directory > Security > Conditional Access > New Policy.
- Define policies for each user group:
  - Assign the policy to the group (e.g., Subnet1Access).
  - Restrict access based on the IP range of the specific subnet.
Step 4: Configure NSGs for Subnet Access
- Create an NSG for each subnet.
- Define inbound rules that allow traffic only from specific IP ranges (mapped to the P2S VPN IP pool) and based on Azure AD groups.
- Deny all other traffic.
Step 5: Validate Configuration
- Test the setup by connecting to the VPN as different users and verifying access to the respective subnets.
Use this link for more explanation - https://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-entra-gateway
I hope this is helpful! Do not hesitate to let me know if you have any other questions.
Please don't forget to close the thread by upvoting and accepting this as the answer if it is helpful.
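As an added example that is not part of the answer above, the following Python model shows how the per-subnet NSG rules from Step 4 behave, and gives you a way to check a rule set before Step 5. NSG rules match on address prefixes, so each subnet's NSG allows inbound traffic only from the slice of the P2S address pool assigned to that subnet's group and then denies everything else. The address ranges, rule names and the mapping of pool slices to groups are constructed assumptions, not values from the original thread; the evaluation order (lowest priority number wins, platform DenyAllInBound when nothing matches) is standard NSG semantics.

```python
"""Model of per-subnet NSG inbound rules that gate Azure P2S VPN clients by
source address range. All addresses and rule names below are constructed
assumptions for illustration, not values from the Q&A thread."""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

ANY = "*"


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int        # custom rules use 100-4096; lowest number is evaluated first
    access: str          # "Allow" or "Deny"
    source: str          # CIDR prefix or "*"
    destination: str     # CIDR prefix or "*"
    dst_port: str = ANY  # "*", a single port ("443") or a range ("1024-65535")


def _net(prefix: str) -> ipaddress._BaseNetwork:
    return ipaddress.ip_network(prefix, strict=False)


def _prefix_matches(prefix: str, ip: ipaddress._BaseAddress) -> bool:
    return prefix == ANY or ip in _net(prefix)


def _port_matches(spec: str, port: int) -> bool:
    if spec == ANY:
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, dst_port: int = 443) -> Tuple[str, str]:
    """Return (access, rule_name) for the first rule that matches in priority order.
    Falls back to the platform default DenyAllInBound when no custom rule matches."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in sorted(rules, key=lambda r: r.priority):
        if (_prefix_matches(rule.source, src)
                and _prefix_matches(rule.destination, dst)
                and _port_matches(rule.dst_port, dst_port)):
            return rule.access, rule.name
    return "Deny", "DenyAllInBound"


def _covers(outer: str, inner: str) -> bool:
    """True when prefix `outer` contains every address of prefix `inner`."""
    if outer == ANY:
        return True
    if inner == ANY:
        return False
    return _net(inner).subnet_of(_net(outer))


def shadowed_allows(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Lint: list (allow_rule, deny_rule) pairs where a broader Deny with a lower
    priority number makes the Allow unreachable. A misordered catch-all deny is
    the usual reason a P2S user cannot reach a subnet they were granted."""
    ordered = sorted(rules, key=lambda r: r.priority)
    shadowed = []
    for i, rule in enumerate(ordered):
        if rule.access != "Allow":
            continue
        for earlier in ordered[:i]:
            if (earlier.access == "Deny" and earlier.dst_port == ANY
                    and _covers(earlier.source, rule.source)
                    and _covers(earlier.destination, rule.destination)):
                shadowed.append((rule.name, earlier.name))
                break
    return shadowed


def build_subnet_nsg(allowed_pool: str, subnet: str) -> List[Rule]:
    """Step 4 pattern: allow only the group's P2S pool slice, then deny all other traffic."""
    return [
        Rule("AllowP2SGroup", 100, "Allow", allowed_pool, subnet),
        Rule("DenyAllOtherInbound", 4096, "Deny", ANY, ANY),
    ]


# Constructed P2S address pool split into one slice per Azure AD group (assumption)
P2S_POOL_SUBNET1 = "172.16.201.0/26"    # assumed slice for Subnet1Access users
P2S_POOL_SUBNET2 = "172.16.201.64/26"   # assumed slice for Subnet2Access users
SUBNET1 = "10.1.1.0/24"
SUBNET2 = "10.1.2.0/24"

NSG_SUBNET1 = build_subnet_nsg(P2S_POOL_SUBNET1, SUBNET1)
NSG_SUBNET2 = build_subnet_nsg(P2S_POOL_SUBNET2, SUBNET2)

# Broken variant: the catch-all deny was given the lower priority number
MISORDERED = [
    Rule("DenyEverything", 100, "Deny", ANY, ANY),
    Rule("AllowP2SGroup", 200, "Allow", P2S_POOL_SUBNET1, SUBNET1),
]

if __name__ == "__main__":
    checks = [
        ("subnet1 NSG, Subnet1Access client", NSG_SUBNET1, "172.16.201.10", "10.1.1.5"),
        ("subnet1 NSG, Subnet2Access client", NSG_SUBNET1, "172.16.201.70", "10.1.1.5"),
        ("subnet2 NSG, Subnet2Access client", NSG_SUBNET2, "172.16.201.70", "10.1.2.5"),
        ("misordered NSG, Subnet1Access client", MISORDERED, "172.16.201.10", "10.1.1.5"),
    ]
    for label, nsg, src, dst in checks:
        print(f"{label}: {evaluate(nsg, src, dst)}")
    print("shadowed allows in MISORDERED:", shadowed_allows(MISORDERED))
```

Run it as a script to see each client's verdict; the misordered set shows why Step 5's per-user test matters, since a catch-all deny placed above the allow silently blocks the very group you intended to admit.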