Exploring Cost-Effective Solutions for Routing Traffic from an Azure Private Endpoint to a VPN Gateway

Omer Cohen 40 Reputation points
2024-11-01T16:40:03.28+00:00

Greetings,
I would appreciate assistance with a design for a solution I would like to implement on Azure. Below I have summarized all the information and the approaches I tried.

  • Customer has a private endpoint on a "consumer" VNet, from which I would like to allow them to privately consume a service.
  • The private endpoint is to be connected to a private-link resource in a "producer-surrogate" VNet.
  • The aforementioned private-link resource will route traffic to a VPN gateway (also contained in the "producer-surrogate" VNet). Said VPN gateway is connected to a remote service VNet hosting the remote service.
  • I'm allowed to commit changes only to resources in the "producer-surrogate" VNet, i.e., the private endpoint on the "consumer" VNet is the only way for the consumer to consume.

Connected to the above private endpoint I've looked into:

  • A private link service, but those do not support a Standard Load Balancer with a backend pool configured by an IP address, hence it cannot be used to route traffic to a VPN gateway. I am aware that routing traffic to a VM, followed by a user-defined route directing traffic to the VPN gateway, is possible, but I am not interested in a solution I would have to maintain and scale myself.
  • An application gateway connected to a standard Azure Firewall with forced tunneling (which is used to route traffic to the VPN gateway) should work, however, this seems to be an extremely high cost solution for a simple routing job.

I would appreciate your expertise in the matter. Thanks.

Azure VPN Gateway
Azure Private Link

Accepted answer
KapilAnanth-MSFT 47,996 Reputation points Microsoft Employee
2024-11-04T05:28:18.7666667+00:00

    @Omer Cohen ,

    Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

    From your verbatim,

    • The VNET "consumer" has a Private EndPoint
    • And this VNET can use this PE only to access a resource in a remote Network which is connected to the VNET "producer-surrogate" via VPN Gateway.

    Observation,

    • I am afraid I do not see the requirement for using an Azure Firewall with forced tunneling in this case.
    • May I ask if it is not possible to directly add the IP Address or FQDN of the "resource" as the backend Pool?
    • See: App Gw Components Backend pools
      • You don't need the Azure Firewall to do forced tunneling
    • See: Application Gateway Private Link

    Kindly let us know if this helps or you need further assistance on this issue.

    Thanks,

    Kapil


    Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.

    1 person found this answer helpful.
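One way to build the design the accepted answer sketches (an Application Gateway whose backend pool is addressed by the remote service's IP, published to the consumer through Application Gateway Private Link instead of an Azure Firewall with forced tunneling), as an added Bicep example that is not from the thread. The VNet and subnet names, the backend IP and the frontend IP are assumed placeholders.

```bicep
// Added example (not the thread's own configuration): Application Gateway v2 in the
// "producer-surrogate" VNet, published to the consumer through Private Link and
// forwarding to the remote service reached through the VPN gateway.
// Resource names, subnet names and the IP addresses are placeholders.
param location string = resourceGroup().location
param remoteServiceIp string = '10.200.0.10' // placeholder: service IP behind the VPN gateway
param privateFrontendIp string = '10.10.1.10' // placeholder: free address in the App Gateway subnet
var agwName = 'producer-appgw'
var agwId = resourceId('Microsoft.Network/applicationGateways', agwName)

resource vnet 'Microsoft.Network/virtualNetworks@2023-09-01' existing = {
  name: 'producer-surrogate-vnet'
}
resource appGwSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-09-01' existing = {
  parent: vnet
  name: 'appgw-subnet'
}
// Dedicated subnet for the Private Link IPs; privateLinkServiceNetworkPolicies must be Disabled on it.
resource plSubnet 'Microsoft.Network/virtualNetworks/subnets@2023-09-01' existing = {
  parent: vnet
  name: 'appgw-privatelink-subnet'
}
// v2 expects a public frontend object; no listener is bound to it, so nothing is reachable from the internet.
resource pip 'Microsoft.Network/publicIPAddresses@2023-09-01' = {
  name: '${agwName}-pip'
  location: location
  sku: { name: 'Standard' }
  properties: { publicIPAllocationMethod: 'Static' }
}

resource appGw 'Microsoft.Network/applicationGateways@2023-09-01' = {
  name: agwName
  location: location
  properties: {
    sku: { name: 'Standard_v2', tier: 'Standard_v2', capacity: 1 }
    gatewayIPConfigurations: [ { name: 'gwip', properties: { subnet: { id: appGwSubnet.id } } } ]
    privateLinkConfigurations: [ { name: 'plcfg', properties: { ipConfigurations: [ { name: 'plip', properties: { subnet: { id: plSubnet.id }, privateIPAllocationMethod: 'Dynamic', primary: true } } ] } } ]
    frontendIPConfigurations: [
      { name: 'publicFrontend', properties: { publicIPAddress: { id: pip.id } } }
      { name: 'privateFrontend', properties: { subnet: { id: appGwSubnet.id }, privateIPAllocationMethod: 'Static', privateIPAddress: privateFrontendIp, privateLinkConfiguration: { id: '${agwId}/privateLinkConfigurations/plcfg' } } }
    ]
    frontendPorts: [ { name: 'port80', properties: { port: 80 } } ]
    // Backend addressed by IP, as the answer suggests; the VNet's gateway routes carry it over the VPN.
    backendAddressPools: [ { name: 'remoteService', properties: { backendAddresses: [ { ipAddress: remoteServiceIp } ] } } ]
    backendHttpSettingsCollection: [ { name: 'httpSettings', properties: { port: 80, protocol: 'Http', requestTimeout: 30 } } ]
    httpListeners: [ { name: 'privateListener', properties: { frontendIPConfiguration: { id: '${agwId}/frontendIPConfigurations/privateFrontend' }, frontendPort: { id: '${agwId}/frontendPorts/port80' }, protocol: 'Http' } } ]
    requestRoutingRules: [ { name: 'toRemote', properties: { ruleType: 'Basic', priority: 100, httpListener: { id: '${agwId}/httpListeners/privateListener' }, backendAddressPool: { id: '${agwId}/backendAddressPools/remoteService' }, backendHttpSettings: { id: '${agwId}/backendHttpSettingsCollection/httpSettings' } } } ]
  }
}
```

The consumer's Private Endpoint then targets this gateway's private frontend IP configuration and its connection is approved from the gateway's Private Link side; for anything beyond a test, replace the port 80 listener with an HTTPS listener backed by a Key Vault certificate.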

0 additional answers
