What is a simple strategy to implement group-based restrictions for a Point-to-Site (P2S) VPN gateway? It is a small environment and the servers are mixed together in a few Azure subnets. The customer has migrated all servers to Azure and is decommissioning the on-premises firewall gateway.
Typical situation: the business wants defence in depth and to only allow Tech to all servers and Sales to some IP addresses (servers in Azure).
I did some online research but did not find any definitive answer. Some users recommend playing with split-tunnel settings on the same gateway. Some recommend defining two gateways and two configurations (Sales and Tech). Does this work, and what about admin and support? I want something plain and simple.
If you do two gateways (a Sales gateway and a Tech gateway) you can manage Sales and Tech access using application security groups (probably just directed to the Sales address space, since they will only have access to a few); just don't overlap the private IP address space of the gateways. You could also use network security groups, but that would require putting an NSG at each NIC, which may be cumbersome.
Doing one gateway would be more difficult. Split tunneling wouldn't matter; that's really just how the client accesses the internet: does it go through the VPN gateway and then to the internet (straight tunnel), or does it just go to the internet from their ISP (split tunnel)? The only way I see this working is through the routing table: you would need a Sales routing table and a Tech routing table (Tech probably can just use the .exe, since they will be able to access all the servers), and you would need to be pretty granular in the IPs instead of using a wide range, and if an IP address ever changes then basically the routing table needs to be updated for all the clients in that group (this would most likely be a security flaw if a sales guy has the knowledge and permissions to change their routing table). I'm sure it can be done, since I think Azure does generate the routing table for you (it's been a while since I've done a P2S), but basically that makes the .exe client worthless for the Sales team.
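As an added illustration (not part of the thread, and not Azure's own tooling), here is a small Python model of the two-gateway design from the answer above: it checks that the per-gateway client address pools do not overlap each other or the VNet, and evaluates subnet-level NSG inbound rules keyed on those pools, so Sales only reaches the listed servers while Tech reaches everything. The VNet, pools, server addresses and ports are constructed sample values.

```python
import ipaddress

# Constructed values: a VNet, one P2S client address pool per gateway
# (Tech and Sales), and the few servers and ports Sales may reach.
VNET = "10.10.0.0/16"
POOLS = {"Tech": "172.16.1.0/24", "Sales": "172.16.2.0/24"}
SALES_SERVERS = ["10.10.3.10", "10.10.3.11"]
SALES_PORTS = {443, 3389}

def check_pools(vnet, pools):
    """Client pools must not overlap each other or the VNet, or routing breaks."""
    vnet = ipaddress.ip_network(vnet)
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in pools.items()}
    for name, net in nets.items():
        if net.overlaps(vnet):
            raise ValueError(f"{name} pool {net} overlaps VNet {vnet}")
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                raise ValueError(f"{a} and {b} pools overlap")
    return nets

def build_rules(vnet=VNET, pools=POOLS, servers=SALES_SERVERS, ports=SALES_PORTS):
    """Inbound NSG rules for the server subnet, keyed on each gateway's pool.
    Lowest priority number wins, as in Azure NSGs; the explicit deny keeps
    Sales from being let through by the permissive default rules."""
    nets = check_pools(vnet, pools)
    return [
        {"name": "Allow-Tech-All", "priority": 100, "access": "Allow",
         "src": [str(nets["Tech"])], "dst": [vnet], "ports": None},
        {"name": "Allow-Sales-Servers", "priority": 110, "access": "Allow",
         "src": [str(nets["Sales"])], "dst": servers, "ports": ports},
        {"name": "Deny-Sales-Rest", "priority": 120, "access": "Deny",
         "src": [str(nets["Sales"])], "dst": [vnet], "ports": None},
    ]

def _match(prefixes, ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)

def is_allowed(rules, src_ip, dst_ip, port):
    """First matching rule by priority decides; no match is treated as denied
    (in a real NSG the default rules would apply at that point)."""
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if (_match(rule["src"], src_ip) and _match(rule["dst"], dst_ip)
                and (rule["ports"] is None or port in rule["ports"])):
            return rule["access"] == "Allow"
    return False
```

The same rule set can then be typed into the subnet NSG (one NSG on the server subnet rather than one per NIC), with the gateway client pools as the source prefixes.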
I was expecting this would be hard. Thanks for sharing your thoughts.
Well, Mark Simos (aka.ms/markslist) suggests not relying on the network for security controls. I will suggest the customer keep it simple and advise against this overly sophisticated option.