How to create an Azure Point to Site VPN that allows connected clients to appear on the internet as a static IP address

Question

I am trying to create a VPN solution in Azure, so that colleagues working from home can connect into the VPN and then have a static IP address (as provided by a NAT Gateway) for accessing resources on the internet. We use these for whitelisting etc.

The first part of this was creating the Virtual Network and Virtual Network Gateway with Point-to-site configured. This all seems to work as my colleague and I can both connect to the VPN (using the Azure VPN Client) and I can view a webserver on his machine via the IP address assigned by the VPN (e.g.: http://172.16.201.3/Test.html) when we are both connected.

Our App Services (on another Virtual Network) use a NAT Gateway to achieve a specific range of IP addresses for outbound calls.

My assumption was that I could simply connect a NAT Gateway to my new Virtual Network and change the routing (on the client) so that the IP addresses of the sites we want to access (or all ip-addresses) route through the VPN (as per: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes).

However, if I do this, then entering a site / IP address that gets "routed" ends up being unable to connect.

I can see that we could maybe use "peering" to link our Virtual Networks and use "internal" IP addresses for some of our tasks, but there are also 3rd party sites that require static IP addresses from us.

As far as I understand VPNs are all about giving you a different IP address, but I can't seem to figure out some critical linkage between the VPN Gateway, Virtual Network and NAT Gateway.

Hope someone who has gone through this can help.

Answer 1

You may be missing some of the following:

Did you create a custom route table in the Azure portal? The route should direct all outbound traffic (0.0.0.0/0) to the NAT gateway's resource ID. This custom route table should be associated with your subnet.

The traffic from the VPN client should be aware of the route to the NAT gateway.

Sometimes, accessing sites by their domain names could be a DNS issue rather than a routing issue. When VPN clients connect, they should have knowledge of the Azure DNS or your custom DNS to resolve names correctly.

Can you check traceroute results? How far do your packets get?

Answer 2

It turns out that that:

"Internet connectivity is not provided through the VPN gateway. As a result, all traffic bound for the Internet is dropped."

from: https://github.com/MicrosoftDocs/azure-docs/issues/114556

I did finally get a solution working by first setting up a Network Virtual Applicance (NVA) and routing via it.. In case anyone else wants to do the same, here are my notes:

• Set up an "Network Virtual appliance" as per: https://learn.microsoft.com/en-us/azure/virtual-network/tutorial-create-route-table-portal#create-an-nva-virtual-machine
• Set up IP forwarding in the portal: https://learn.microsoft.com/en-us/azure/virtual-network/tutorial-create-route-table-portal#enable-ip-forwarding-in-azure
• Enable IP forwarding and ability to use the NAT Gateway in the OS: https://learn.microsoft.com/en-us/azure/nat-gateway/tutorial-hub-spoke-route-nat#configure-virtual-machine-software -- point 10 onwards differs from the plain routing table tutorial, they both un-comment "net.ipv4.ip_forward=1"
• Set IP to static: From vm-nva, select the "networking" tab, Select the network interface; select the "IP configurations" tab then Click on the only "ip configuration" and set it to "Static". Note the ip address for configuration of the route table
• Create route table: https://learn.microsoft.com/en-us/azure/virtual-network/tutorial-create-route-table-portal#create-a-route-table
• Create the routes: Name: "to-external", Destination type: IP address, Destination IP range: x.x.x.x/32, Next hop type: Virtual appliance, Next hop address: 10.0.3.4 (ip address of NVA)
• Other internet routes can be added by just varying the ip address / adding routes
• Associate route table with Subnets "default" and "GatewaySubnet"