I have 1 VNET GW and configured an OpenSSL P2S connection using Entra ID authentication.
Is there any way to restrict users or groups from connecting to certain subnets? It seems like it’s all or nothing access. The use case is: I have contractors who are tunneling in to manage a few servers on 1 subnet using an Entra ID account I created for them on our tenant. That’s all I want them to access. As it stands they’re able to talk with other systems on other subnets.
Sounds like you inadvertently created a hub-and-spoke VPN GW that uses VNet peering to allow access to VNets.
Can you describe your virtual network and server IPs in more detail?
After reading over the use case, I think the answer is a VPN GW for each isolated subnet.
You can use Network Security Groups (NSGs) and User-Defined Routes (UDRs) to limit access to specific subnets.
Here’s how you can implement this:
1. Create a Network Security Group (NSG):
• Create an NSG and associate it with the subnet where the servers are hosted.
• Add inbound security rules to allow access only from the IP addresses or user groups associated with your contractors.
2. Use NSG with Azure Private IPs:
• If your users connect to specific VMs or services on a specific subnet, you can use the NSG to allow or block traffic based on source/destination IP and ports.
• This way, even if the users are connected via the VPN, they can only communicate with the resources in the allowed subnet.
3. Conditional Access Policy:
• Use Conditional Access Policies in Entra ID (Azure AD) to further restrict access based on user group membership. This will ensure only certain users can connect to the VPN or have access to the specific resources.
4. User-Defined Routes (UDRs):
• If more granularity is required, create UDRs to route traffic from specific IP ranges (the subnets your users are connecting from) only to the allowed subnet. Any attempt to reach other subnets can be routed to a null destination.
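An added example of the NSG part of this approach, written for this thread and not taken from the original posts. Because an NSG source can only be an IP prefix, service tag or application security group, the rules key on the gateway's P2S client address pool rather than on an Entra ID group; the resource group, VNet, subnet names, pool range and ports are assumed values.

```powershell
# Added example (not from the thread). Assumptions: resource group 'rg-net', VNet 'vnet-hub',
# P2S client address pool 172.16.0.0/24, contractor-managed subnet 'snet-servers' (10.0.2.0/24).
$rg        = 'rg-net'
$location  = 'eastus'
$vnetName  = 'vnet-hub'
$p2sPool   = '172.16.0.0/24'     # VPN client address pool configured on the gateway (assumed)
$srvSubnet = 'snet-servers'      # the one subnet the contractors may manage (assumed)
$srvPrefix = '10.0.2.0/24'

# Allow the P2S pool to reach the server subnet on management ports only.
$allowMgmt = New-AzNetworkSecurityRuleConfig -Name 'Allow-P2S-Mgmt' -Direction Inbound `
    -Access Allow -Protocol Tcp -Priority 100 `
    -SourceAddressPrefix $p2sPool -SourcePortRange '*' `
    -DestinationAddressPrefix $srvPrefix -DestinationPortRange 22,3389

# Deny everything else from the P2S pool. An explicit deny is needed because the default
# AllowVnetInBound rule (priority 65000) matches the VirtualNetwork tag, which includes
# address space reachable through the virtual network gateway, so VPN clients would otherwise
# be allowed into every subnet.
$denyP2S = New-AzNetworkSecurityRuleConfig -Name 'Deny-P2S-Other' -Direction Inbound `
    -Access Deny -Protocol '*' -Priority 200 `
    -SourceAddressPrefix $p2sPool -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '*'

# Server subnet gets the allow rule followed by the deny rule.
$nsgServers = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name 'nsg-servers' -SecurityRules $allowMgmt, $denyP2S

# Every other workload subnet gets the deny rule only.
$nsgOther = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name 'nsg-internal' -SecurityRules $denyP2S

# Associate the NSGs with each subnet. GatewaySubnet is skipped: Azure does not support
# NSGs on the gateway subnet, and the filtering happens on the destination subnets anyway.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
foreach ($s in $vnet.Subnets) {
    if ($s.Name -eq 'GatewaySubnet') { continue }
    $nsg = if ($s.Name -eq $srvSubnet) { $nsgServers } else { $nsgOther }
    Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $s.Name `
        -AddressPrefix $s.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
}
$vnet | Set-AzVirtualNetwork | Out-Null
```

Verify with a VPN client after applying: RDP/SSH to the server subnet should succeed while any connection to another subnet times out, and the NSG flow logs for `nsg-internal` should show the denies.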
Is that the only way? Spinning up a separate VPN GW is an extra 100-150/month.
How does one associate a user group to an inbound security rule?
On the inbound security rule, for Source, the options I have are Any, IP Addresses, My IP Address, Service Tag, Application Group. I do not see users/groups.
After further digging into this I found a couple of different methods that might work.
1: Create a custom VPN .XML profile and send it to the contractors. Within the profile, I can specify the subnets they have access to.
2: Spin up Azure Bastion and with NSGs grant the Bastion subnet individual RDP access to the VM IPs. While associated with a cost, this eliminates the need to give them VPN access and seems to be the best option I can find at this point.
I think the comment below talking about using NSGs with user groups to control the plane you want might work…?
We have a hub and spoke at work for S2S. I’ve never had to control P2S network access with VNets.
But the user group NSG sounds legit
You got it. Also, application security groups may be closer to what you might need. You can group VMs and apply rules based on their roles, and while not directly user-based, it helps abstract infrastructure rules.