How to Restrict On-Premises Access to Specific Endpoints in a Hub-and-Spoke VNet Architecture with Site-to-Site VPN?
I have a question related to this topic: https://learn.microsoft.com/en-us/answers/questions/1361035/how-to-allow-and-restrict-resources-in-site-to-sithttps://learn.microsoft.com/en-us/answers/questions/1361035/how-to-allow-and-restrict-resources-in-site-to-sit.
Description:
I have a VNet with a VPN Gateway set up, which acts as a hub and has peerings with three other VNets that host my production, testing, and development resources. Within each of these VNets, there are specific endpoints that the on-premises device should have access to (addresses are just examples):
Production: 10.100.1.2 Testing: 10.100.2.2 Development: 10.100.3.2
According to the first topic, I should modify the NSG rules in all three VNets. However, I found another topic: https://learn.microsoft.com/en-us/answers/questions/767869/site-to-site-vpn-subjects-to-nsg, which suggests that once traffic enters the Azure network via the VPN gateway in the hub VNet, it is treated as originating from within the Azure network itself. Consequently, my NSG rules would not work as intended, and the on-premises device would have access to all my resources.
What is the proper way to address this issue?
How to Restrict On-Premises Access to Specific Endpoints in a Hub-and-Spoke VNet Architecture with Site-to-Site VPN?
To restrict on-premises access to specific devices within an Azure VNet, you can use several methods. The most effective methods are listed below:
The most secure method is to use
Azure Firewall, although it may not be the most cost-effective option.The second approach is using
Network Security Groups, which are cost-effective andeasiestway.
NSG Rule
If you want to block specific endpoints in an Azure VNet from a VPN network, you can configure the Network Security Group rules. You can specify the NSG rule with the source set to the VPN network range and the destination set to the IP addresses or subnets of the Azure-connected resources.
Firewall configuration
You can follow the Azure Firewall in a hybrid network for restricting the traffic from VPN ranges to Azure Vnet.
Refences:
Filter network traffic with a network security group using the Azure portal
How to block network traffic with Azure Virtual Network Manager - Azure portal
- Scope is not being added to Access Token returned from Azure Ad
- az cli : create container app via yaml fail due to parsing to json
- Display agents API ADO with SystemCapabilities filter
- Azure devops variables are not updating
- Azure DevOps Pipeline Throwing Error with Terraform While Deploying to Azure
- Azure AppService and SQL Server in Docker compose can't connect
- The required field 'nonce' is missing from the credential. Ensure that you have all the necessary parameters for the login request. [Azure Open ID]
- MongoDB - conditional uniqueness constraints on different "id" fields
- Retry delay on Function with Azure ServiceBus queue trigger
- Azure Static Web App: Add an header for each JS file
- How to configure Application Insights for sending telemetry from .net 4.8 application
- IServiceCollection does not contain a definition for AddAzureClients
- How to authenticate with Azure ACR from Azure container app service
- Azure Cli how to change subscription default
- Problem RDP to Azure Virtual Desktop through Azure Firewall
- az role assignment delete: The request did not have a subscription or a valid tenant level resource provider
- Azure PIM Role Settings for Owner role
- Graphclient ArgumentException: Only HTTP/1.0 and HTTP/1.1 version requests are currently supported. Parameter name: value
- Azure Static Web App ignoring config json sometimes
- How do I avoid "Couldn't find a metric" when creating a metric alert in Bicep
- Using Az.Websites module to set up user assigned managed identity to pull image from ACR
- resource not found with Azure OpenAI service
- Why I'm getting 404 Resource Not Found to my newly Azure OpenAI deployment?
- Azure Service Bus Topic - Using REST API to Send Message - Message going into Dead Letter Queue
- Azure Function App - No continuous deployment setting for "Flex Consumption" hosting plan?
- Azure Service Bus - REST API - Sending a message to a Session Enabled Topic/Subscription
- How are you supposed to install a Python library using azure webapp as template?
- Could not load file or assembly "System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
- Search-AzQuery querying authorizationresources returns 0 records
- Azure APIM: Identifying the API resource id from the portal