Thanks Adam, this has been very helpful. Been trying to set this exact set up for a week now!
Hi Adam
Following your video and trying to implement force tunneling but haven't had much success. Can you share what your firewall policy looks like? Whenever I turn on the force tunnel I am not getting any packets via the VPN interface at all. Traffic does go out but nothing comes back. Any help is greatly appreciated.
@AdamStuart1 Great Video! I have a question though. Is there a way to advertise included routes from the virtual hub route table (rather than adding them to the .xml file)? Our company frequently adds/removes routes from our VPN end users.
Are you seeing same behaviour with ikev2 and openvpn?
@AdamStuart1 Haven't tried ikev2 yet, but the azure VPN client does receive the BGP routes that are being advertised from our on-prem (just not routes added to the vhub). We use AAD authentication flow, which is only supported on openvpn. If I use the standard P2S virtual network gateway for vnets (not vwan), I can add static routes to the vpg and they work with openvpn.
@hotwired2424 Thanks for confirmation. OpenVPN should be a safe bet. I would expect static routes to be advertised but I don't remember explicitly testing it. I don't have time to do so at the moment; I would raise a support ticket to confirm behaviour and expectations.
00:00 Intro
01:05 Context - caution with centralised Internet breakout!
02:10 Topology overview
04:44 Default behaviour
06:23 Local interface metric issues
06:54 Workaround using 2 * /1 routes
08:40 Workaround using Azure VPN Client version parameter
10:54 Local ISP DNS issues
12:10 P2S Custom DNS servers via Azure Firewall DNS Proxy
14:38 Routing only specific Public IP via Azure Internet breakout
19:19 Conclusion
Do I need to use Virtual WAN, or can I deploy Virtual Network Gateway instead, because it is 3 times cheaper? Is there any alternative to Azure Firewall? I found options to deploy a custom NVA but still the overall price is really high. The goal is to get a cheap VPN solution with internet breakout.
How to route traffic for an FQDN (because the site has a dynamic IP range)?
Figured out the issue. The VPN client must have the HA option unchecked.
Where is this HA option? I am still experiencing the issue that users cannot reach internet.