Routing on-premises internet traffic through existing Azure VPN and virtual network

We have established an Azure virtual network with multiple VMs, and a site-to-site VPN tunnel from our on-premises network to our Azure virtual network.  All connectivity and routing between the two is operational.  Azure VMs have internet access through their respective cloud-services' public IP addresses.

We'd like to design a routing solution for select on-premises servers that would route on-premises internet access through the VPN tunnel and Azure public IPs.

How might this be designed and implemented?  Perhaps using a software router running as a VM in our Azure virtual network?  This would, in theory, allow us to set static routes on the servers to send the traffic to the routing VM in Azure.

Thanks for your suggestions.

Frederick, MD



btan (Exec Consultant) commented:
Having the s/w router seems viable, but there can be challenges from the Azure side that I foresee with the use case where you will want all the Azure instances to route through the VPN for on-premises Internet. The Internet gateway on Azure does not have such an option available for configuration, to the best of my knowledge.

Furthermore, with multiple (and a growing number of) VM selection paths as static routing on your customised s/w router, the scale-up performance and management of the many static routes can be challenging ...

I came across this article, which may interest you in further assessing the possible use case (but it can be complex and incur additional cost): the use of Forced Tunneling.
The current generation Azure VNet has a default route for all public Internet traffic which is out over Azure's managed Internet infrastructure (it's just there and you can't manage it or turn it off). On some other public cloud platforms you can disable public internet traffic by not adding an Internet Gateway; on Azure that option isn't currently available.

In order to mitigate some challenges around controlling the path public traffic takes from an Azure VNet, Microsoft introduced Forced Tunneling, which can be used to force traffic bound for the Internet back over your VPN and into your on-prem environment.

You must plan your subnets appropriately and only apply Forced Tunneling to those where required. This is especially important if you will consume any of Azure's PaaS offerings other than Web or Worker Roles which can be added to an Azure VNet.
There is the mention of ExpressRoute, which I see as a dedicated "VPN" route that gives you more control, but it seems more of an overhaul (if taking this option); just for info:
When using ExpressRoute you can use BGP to advertise the default route for all your Azure VNets to be back over your ExpressRoute connection to your on-prem environment. Unlike the VPN connection scenario, though, where all Azure PaaS services will route back over your on-prem Internet gateway, with ExpressRoute's peering you can use the public peer as the shortcut back to Azure.

While this is a better option than you get with VPN, it still means you are pushing Azure calls back to your ExpressRoute gateway, so you will potentially see a performance hit and will see the data included if you are using an IXP connection.

Pardon me, just sharing some thoughts, though they may not fit your use case; probably to trigger a discussion on better means.
E.g. using an Azure internal load balancer has been in my thoughts, but it doesn't really serve as a gateway or forward proxy into the public Internet unless it can be a link balancer instead (which is not something I am aware of) ... or using s/w instances of an application delivery controller (ADC) to manage such link routing.
Dimarc67 (Author) commented:

Thanks very much for the information you provided.  My research had found the same info, including ExpressRoute.  It's interesting how Azure is addressing their customers' challenges around connecting multiple premises networks to a single Azure environment, as well as the limitations of disabling public interfaces to instances.

Unfortunately, I don't think these areas are pertinent to our goal.

We currently run public-facing proxy servers in Azure to which we send browsing traffic over the VPN from our on-premises servers, and this model works well.  However, .NET issues are causing cumulative memory leaks that bring down our services (Microsoft has confirmed the leakage issue is in .NET, but they won't be addressing it anytime soon).  So we thought we might get around the .NET issues by routing all internet traffic through to our Azure vnet and to the internet from there.

Hence the routing scenario and questions.  Maybe what we need is an Azure instance acting as a NAT firewall?
btan (Exec Consultant) commented:
This looks like a workaround to the real root cause; MS has to suggest the means rather than the customer being faced with this and trying to look into options for a forced scenario which may not even be sure to work out to resolve the real root cause. I am just afraid the internet routing may create more repercussions.

Regardless, I am thinking of an on-premises ADC to decide which gateway to take: either the Azure instance (via VPN and static routing) that you mentioned as gateway, or the on-premises Internet gateway. The ADC (F5 LTM or Citrix NetScaler) forms the proxy to "load-balance" the apps' Internet route based on the health of your on-premises server ... just some thoughts.

btan (Exec Consultant) commented:
I see another means may be Azure user-defined routes:
For most environments you will only need the system routes already defined by Azure. However, you may need to create a route table and add one or more routes in specific cases, such as:
•Force tunneling to the Internet via your on-premises network.
•Use of virtual appliances in your Azure environment.

In the scenarios above, you will have to create a route table and add user-defined routes to it. You can have multiple route tables, and the same route table can be associated to one or more subnets. Each subnet can only be associated to a single route table. All VMs and cloud services in a subnet use the route table associated to that subnet.
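The two route-table cases named in the quoted documentation (forced tunneling to the on-premises site, and a default route through a virtual appliance, the latter being the "Azure instance acting as a NAT firewall" idea raised earlier in the thread) look like this in practice. This is an added example, not code from the thread or from Microsoft's documentation, and it uses the current Az PowerShell module rather than the classic cmdlets that were current when the thread was written. All resource names, address prefixes and the NVA's private IP are assumptions. A route table only steers packets that originate in the subnets it is associated with; whether packets arriving from the on-premises side through the VPN gateway can be steered to the NVA the same way is exactly what the thread leaves unresolved, so the example does not claim to settle it.

```powershell
# Added example (not from the thread): Azure user-defined routes with the Az module.
# Assumed prerequisites: Connect-AzAccount done; VNet 'corp-vnet' in resource group
# 'rg-net' with subnets 'Workload' (10.10.1.0/24), 'Nva' (10.10.2.0/24),
# 'Backend' (10.10.3.0/24) and 'GatewaySubnet'; VPN gateway 'corp-vpngw';
# local network gateway 'onprem-lng' for the on-premises site; a Linux NVA VM
# whose NIC 'nva-nic' has static private IP 10.10.2.4 and an instance-level
# public IP; and a test VM in 'Workload' with NIC 'workload-vm-nic'.

$rg   = 'rg-net'
$loc  = 'eastus'
$vnet = Get-AzVirtualNetwork -Name 'corp-vnet' -ResourceGroupName $rg

# --- Case 1: default route through a virtual appliance (NAT box in Azure).
# Associate this table with the Workload subnet only. Do NOT attach it to the
# NVA's own subnet, or the NVA's Internet-bound packets would be routed back
# to itself.
$rtNva = New-AzRouteTable -Name 'rt-via-nva' -ResourceGroupName $rg -Location $loc
Add-AzRouteConfig -RouteTable $rtNva -Name 'default-to-nva' `
    -AddressPrefix '0.0.0.0/0' -NextHopType VirtualAppliance `
    -NextHopIpAddress '10.10.2.4' | Out-Null
Set-AzRouteTable -RouteTable $rtNva | Out-Null

Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'Workload' `
    -AddressPrefix '10.10.1.0/24' -RouteTable $rtNva | Out-Null

# The platform drops packets a NIC forwards that are not addressed to its own
# IP unless IP forwarding is enabled on that NIC. (The guest OS still has to
# forward and SNAT: on Linux, net.ipv4.ip_forward=1 plus a MASQUERADE rule.)
$nic = Get-AzNetworkInterface -Name 'nva-nic' -ResourceGroupName $rg
$nic.EnableIPForwarding = $true
Set-AzNetworkInterface -NetworkInterface $nic | Out-Null

# --- Case 2: forced tunneling. The Backend subnet's default route goes to the
# VPN gateway, and the gateway is told which on-premises site is its default
# site. Note this sends Azure-originated Internet traffic to on-premises, the
# opposite direction from what the question asks for.
$rtTunnel = New-AzRouteTable -Name 'rt-forced-tunnel' -ResourceGroupName $rg -Location $loc
Add-AzRouteConfig -RouteTable $rtTunnel -Name 'default-to-onprem' `
    -AddressPrefix '0.0.0.0/0' -NextHopType VirtualNetworkGateway | Out-Null
Set-AzRouteTable -RouteTable $rtTunnel | Out-Null

Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'Backend' `
    -AddressPrefix '10.10.3.0/24' -RouteTable $rtTunnel | Out-Null

$gw  = Get-AzVirtualNetworkGateway -Name 'corp-vpngw' -ResourceGroupName $rg
$lng = Get-AzLocalNetworkGateway   -Name 'onprem-lng' -ResourceGroupName $rg
Set-AzVirtualNetworkGatewayDefaultSite -VirtualNetworkGateway $gw -GatewayDefaultSite $lng | Out-Null

# Commit the subnet associations made above.
Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null

# Check what a Workload VM will actually use: the effective route table merges
# system routes with the UDR, and the 0.0.0.0/0 entry should show
# Source=User, State=Active, NextHopType=VirtualAppliance, NextHop 10.10.2.4.
Get-AzEffectiveRouteTable -NetworkInterfaceName 'workload-vm-nic' -ResourceGroupName $rg |
    Where-Object { $_.AddressPrefix -contains '0.0.0.0/0' } |
    Format-Table Source, State, NextHopType, NextHopIpAddress
```

The effective-route check at the end is the step worth keeping: a UDR that is created but not associated, or associated with the wrong subnet, fails silently, and the system default route (Source=Default, NextHopType=Internet) keeps winning. The more-specific system routes for the VNet's own address space and for the on-premises prefixes learned through the gateway still take precedence over the 0.0.0.0/0 UDR, which is what lets the NVA's return traffic reach on-premises hosts without an extra route.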

Dimarc67 (Author) commented:
I think this may be greatly simplified.  It might be best to use a router (virtual or physical) in our on-premises network as the dedicated gateway for those servers that we want to configure to use Azure's IPs for internet.  If we configure the on-premises gateway router to route traffic to an Azure-hosted virtual NAT firewall, that would effectively provide what we're looking for.

For this I just need to identify suitable virtual router solutions.
Dimarc67 (Author) commented:
None of the proposed solutions could be made functional, mainly due to seemingly strategic limitations in Azure.  Awarding points based on great effort, but we're shelving this idea for a while.