It looks like this question and variants of it are very common, but I have been unable to come up with an answer after a full day researching and testing. I appreciate any feedback!
GOAL: In Azure, I have one VNET with multiple subnets (frontend, internal, secure). Essentially, I would like these subnets to be extensions of my on-prem zones on my Juniper SRX firewall. On the Juniper side, I believe this means I need a tunnel for each subnet, terminating at a respective st0.x interface. Then I can add each st0.x interface to the appropriate zone.
QUESTION: How do I associate each incoming subnet to its own st0.x interface? Do I need a unique VPN gateway IP for each subnet?
I've looked at "traffic selectors" on the Juniper side, creating an IPsec VPN for each subnet and entering that subnet in the traffic selector, but it seems that only one VPN connects.
I understand that I could have all traffic from my VNET come over the same tunnel and bind to a single interface and put that interface into a dedicated zone (like Azure-Tunnel). The problem I have with this approach is that someone creating a policy allowing traffic from Azure-Tunnel to another zone and destination would need to remember to specify a source address, or they would be allowing all Azure subnets to communicate with the destination.
Thanks!
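For readers following the thread, here is the configuration shape the question describes (one route-based VPN per Azure subnet, each bound to its own st0.x unit, each unit placed in the zone that already holds the on-prem equivalent, and policies that name a single Azure subnet explicitly). This is an added example, not the poster's configuration. The prefixes, zone names, VPN names, the IKE gateway AZURE-GW and the IPsec policy AZURE-IPSEC-POL are all assumed; the gateway and policy objects are assumed to exist already, and it is assumed that the SRX release in use allows several VPN objects to reference one IKE gateway.

```junos
## Added example, not from the original post. Assumed addressing:
##   on-prem LAN            192.168.10.0/24
##   Azure frontend subnet  10.10.1.0/24
##   Azure internal subnet  10.10.2.0/24
##   Azure secure subnet    10.10.3.0/24
## AZURE-GW (ike gateway) and AZURE-IPSEC-POL (ipsec policy) are assumed to exist.

## one tunnel unit per Azure subnet
set interfaces st0 unit 1 family inet
set interfaces st0 unit 2 family inet
set interfaces st0 unit 3 family inet

## one VPN object per subnet; the traffic selector names only that subnet
set security ipsec vpn AZURE-FRONTEND bind-interface st0.1
set security ipsec vpn AZURE-FRONTEND ike gateway AZURE-GW
set security ipsec vpn AZURE-FRONTEND ike ipsec-policy AZURE-IPSEC-POL
set security ipsec vpn AZURE-FRONTEND traffic-selector TS-FE local-ip 192.168.10.0/24 remote-ip 10.10.1.0/24

set security ipsec vpn AZURE-INTERNAL bind-interface st0.2
set security ipsec vpn AZURE-INTERNAL ike gateway AZURE-GW
set security ipsec vpn AZURE-INTERNAL ike ipsec-policy AZURE-IPSEC-POL
set security ipsec vpn AZURE-INTERNAL traffic-selector TS-INT local-ip 192.168.10.0/24 remote-ip 10.10.2.0/24

set security ipsec vpn AZURE-SECURE bind-interface st0.3
set security ipsec vpn AZURE-SECURE ike gateway AZURE-GW
set security ipsec vpn AZURE-SECURE ike ipsec-policy AZURE-IPSEC-POL
set security ipsec vpn AZURE-SECURE traffic-selector TS-SEC local-ip 192.168.10.0/24 remote-ip 10.10.3.0/24

## each st0 unit joins the zone that already holds the matching on-prem segment
set security zones security-zone frontend interfaces st0.1
set security zones security-zone internal interfaces st0.2
set security zones security-zone secure interfaces st0.3

## address-book entries so a policy can name exactly one Azure subnet
set security address-book global address AZ-FRONTEND 10.10.1.0/24
set security address-book global address AZ-INTERNAL 10.10.2.0/24
set security address-book global address AZ-SECURE 10.10.3.0/24

## policy that permits only the Azure frontend subnet to reach the internal zone over HTTPS;
## because source-address is an explicit object, a wider "any" would have to be chosen deliberately
set security policies from-zone frontend to-zone internal policy AZ-FE-TO-INT match source-address AZ-FRONTEND
set security policies from-zone frontend to-zone internal policy AZ-FE-TO-INT match destination-address any
set security policies from-zone frontend to-zone internal policy AZ-FE-TO-INT match application junos-https
set security policies from-zone frontend to-zone internal policy AZ-FE-TO-INT then permit
```

The design point is in the last block: once the Azure subnets arrive on separate st0 units in separate zones, a from-zone/to-zone pair already scopes a policy to one Azure subnet, so a forgotten source-address no longer exposes every Azure subnet at once. Whether the Azure VPN gateway will negotiate all three child SAs against one SRX IKE gateway object is exactly the open point of the question (the poster reports only one coming up), so after committing, `show security ipsec security-associations` and `show security ike security-associations` are the checks that tell you which of the three tunnels actually established.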