I currently have a gateway (VNG) with point-to-site configured and a DNS resolver. I noticed that the routes being delivered are not as isolated as I want them (OpenVPN with AAD auth and the Azure VPN client). The VPN pool and another address space I have in the VNet are routable from the VPN. I want to limit it to just a particular class B space that I will basically deliver a jump server to; they can then access the rest from there.
Does anyone know how to change these routes specific to the point-to-site VPN?
Thanks in advance.
Edit: Advertise custom routes for point-to-site VPN Gateway clients - Azure VPN Gateway | Microsoft Learn. I am aware of the options here. However, this adds to and does not replace, which isn't what I am looking for.
Where are the routes coming from that you don’t want?
You could put static routes on the Gateway subnet to ensure the traffic can only flow the way you want it to. It won't remove the routes advertised to the P2S clients, though; it just won't connect if they try.
Gateway subnet to ensure the traffic can only flow the way
So create a custom route table, put the routes I want in it and apply it to the GatewaySubnet? I did that earlier and assumed that would be where the gateway was getting it from, so I didn't even test when I saw the same table. I will give that a shot.
EDIT: in all fairness I could use NSGs to get what I need out of this, but just clipping it at the knees seemed like a better route in my mind.
routes advertised to the P2S clients
I haven't figured out a way to change this. It's really what I would like to do but isn't a deal breaker with the other proposed solution.
I spoke with the MS product group on this, as it doesn't work as expected, and in fact they disabled some features of it from when I first configured it, as they said it was not intended to work that way yet. ~6 months or so is what I was told to fix it.
Yeah, I would say don’t try too hard on fixing the advertised routes. There’s not really a “clean” way to do it unless you set up the VNET with just the VNG and peer/BGP exactly what they need and nothing else.
For the UDR on the Gateway subnet, that will NOT remove the routes, but if you use an NVA (or NSG) you can control traffic.
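As an added example (not code from anyone in the thread), here are the two controls the replies above describe, written as a Bicep template: a route table on GatewaySubnet that black-holes the address space P2S clients must not reach, and an NSG on that protected subnet that denies anything sourced from the P2S client pool. The prefixes, resource names and subnet layout are assumptions for illustration. Two caveats worth knowing: Azure does not allow an NSG to be associated with GatewaySubnet, so the NSG sits on the subnet being protected, not on the gateway; and, as the replies say, neither control changes what the gateway advertises to clients, so the client will still see the route and simply fail to connect.

```bicep
// Added example, not from the thread. All prefixes and names below are assumptions.
param location string = resourceGroup().location

// Assumed: the P2S client address pool configured on the VPN gateway.
param p2sPool string = '172.16.0.0/24'
// Assumed: the class B space clients are allowed to reach (holds the jump server).
param allowedSpace string = '10.10.0.0/16'
// Assumed: the second VNet address space that must stay unreachable from P2S clients.
param protectedSpace string = '10.20.0.0/16'

// Route table for GatewaySubnet. P2S traffic enters the VNet through the gateway,
// so a route for the protected space with next hop 'None' drops it right there.
// The gateway still advertises the protected prefix to clients; it just leads nowhere.
resource gwRouteTable 'Microsoft.Network/routeTables@2023-05-01' = {
  name: 'rt-gatewaysubnet'
  location: location
  properties: {
    routes: [
      {
        name: 'blackhole-protected-space'
        properties: {
          addressPrefix: protectedSpace
          nextHopType: 'None'
        }
      }
    ]
  }
}

// Second, independent control. NSGs cannot be attached to GatewaySubnet, so this
// one goes on the protected subnet. Priority 100 is evaluated before the default
// rules, so P2S-sourced traffic is denied even though the UDR above is absent or
// later removed.
resource nsgProtected 'Microsoft.Network/networkSecurityGroups@2023-05-01' = {
  name: 'nsg-protected'
  location: location
  properties: {
    securityRules: [
      {
        name: 'deny-from-p2s-pool'
        properties: {
          priority: 100
          direction: 'Inbound'
          access: 'Deny'
          protocol: '*'
          sourceAddressPrefix: p2sPool
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

// Assumed hub VNet wiring: GatewaySubnet gets the route table, the protected
// subnet gets the NSG, and the jump subnet in the allowed space is left reachable.
resource vnet 'Microsoft.Network/virtualNetworks@2023-05-01' = {
  name: 'vnet-hub'
  location: location
  properties: {
    addressSpace: {
      addressPrefixes: [
        allowedSpace
        protectedSpace
      ]
    }
    subnets: [
      {
        name: 'GatewaySubnet'
        properties: {
          addressPrefix: '10.10.255.0/27'
          routeTable: {
            id: gwRouteTable.id
          }
        }
      }
      {
        name: 'snet-jump'
        properties: {
          addressPrefix: '10.10.1.0/24'
        }
      }
      {
        name: 'snet-protected'
        properties: {
          addressPrefix: '10.20.1.0/24'
          networkSecurityGroup: {
            id: nsgProtected.id
          }
        }
      }
    ]
  }
}
```

Deploy with `az deployment group create --resource-group <rg> --template-file <file>.bicep` (the resource group and file name are yours to fill in). Verify the UDR half by checking the effective routes of a NIC in the allowed space, which is unaffected, and by confirming from a connected P2S client that the protected prefix is still in its routing table but times out; verify the NSG half with the Network Watcher IP flow verify check from a P2S pool address to a host in the protected subnet, which should report the `deny-from-p2s-pool` rule. Keeping both controls is deliberate: the UDR is the cheap "clip it at the knees" option, while the NSG holds even if someone later edits the gateway subnet's route table.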