
It looks like this question and variants of it are very common, but I have been unable to come up with an answer after a full day researching and testing. I appreciate any feedback!

GOAL: In Azure, I have one VNET with multiple subnets (frontend, internal, secure). Essentially, I would like these subnets to be extensions of my on-prem zones on my Juniper SRX firewall. On the Juniper side, I believe this means I need a tunnel for each subnet, terminating at a respective st0.x interface. Then I can add each st0.x interface to the appropriate zone.

QUESTION: How do I associate each incoming subnet to its own st0.x interface? Do I need a unique VPN gateway IP for each subnet?

I've looked at "traffic selectors" on the Juniper side, creating an IPsec VPN for each subnet and entering that subnet as the traffic selector, but it seems that only one VPN connects.

I understand that I could have all traffic from my VNET come over the same tunnel and bind to a single interface and put that interface into a dedicated zone (like Azure-Tunnel). The problem I have with this approach is that someone creating a policy allowing traffic from Azure-Tunnel to another zone and destination would need to remember to specify a source address, or they would be allowing all Azure subnets to communicate with the destination.

Thanks!

Matthew
  • IIRC, you can only have one VPN gateway of the type that you want per virtual network in Azure, so you can't make one for each subnet. That might have changed either recently or with the change from Classic to ARM Azure. – Todd Wilcox Jan 12 '18 at 20:13
  • Thanks Todd. That sounds correct to me. I would like to just have one Virtual Network Gateway on the Azure side, but a Gateway can have multiple Connections. Each Connection associates a Local Network Gateway with the Virtual Network Gateway and specifies the IP of the remote gateway. I'd expect that I would have one Connection for each subnet, specifying a different remote VPN IP. – Matthew Jan 12 '18 at 20:28

0 Answers
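The two designs the question contrasts, written out in Junos set syntax as an added illustration (this is not from the post and has not been tested against an Azure gateway): one st0 unit per Azure subnet placed in the matching on-prem zone, and the single-tunnel alternative with the explicit source address the question says policy authors would have to remember. All subnets, zone names, and the IKE gateway and IPsec policy names (azure-gw-1, azure-ipsec-pol) are assumed.

```junos
## Design A: one st0 logical unit per Azure subnet, each placed in the
## existing on-prem zone it extends. Addresses are constructed examples.
set interfaces st0 unit 1 family inet address 10.255.1.1/30
set interfaces st0 unit 2 family inet address 10.255.2.1/30
set security zones security-zone frontend interfaces st0.1
set security zones security-zone internal interfaces st0.2

## Route-based VPN for the Azure "frontend" subnet, bound to st0.1.
## The traffic selector limits the SA to on-prem frontend <-> Azure frontend.
set security ipsec vpn azure-frontend bind-interface st0.1
set security ipsec vpn azure-frontend ike gateway azure-gw-1
set security ipsec vpn azure-frontend ike ipsec-policy azure-ipsec-pol
set security ipsec vpn azure-frontend traffic-selector ts-frontend local-ip 192.168.10.0/24
set security ipsec vpn azure-frontend traffic-selector ts-frontend remote-ip 10.1.1.0/24
set security ipsec vpn azure-frontend establish-tunnels immediately

## Same shape for the Azure "internal" subnet, bound to st0.2.
## (ike gateway azure-gw-2 is assumed to exist; the post notes Azure may
## require a distinct remote peer per connection.)
set security ipsec vpn azure-internal bind-interface st0.2
set security ipsec vpn azure-internal ike gateway azure-gw-2
set security ipsec vpn azure-internal ike ipsec-policy azure-ipsec-pol
set security ipsec vpn azure-internal traffic-selector ts-internal local-ip 192.168.20.0/24
set security ipsec vpn azure-internal traffic-selector ts-internal remote-ip 10.1.2.0/24
set security ipsec vpn azure-internal establish-tunnels immediately

## Design B: a single tunnel in a dedicated zone. Because every Azure
## subnet arrives in zone Azure-Tunnel, each policy must name the source
## subnet explicitly; "source-address any" would admit all Azure subnets.
set security address-book global address azure-frontend-subnet 10.1.1.0/24
set security policies from-zone Azure-Tunnel to-zone internal policy azure-frontend-to-internal match source-address azure-frontend-subnet
set security policies from-zone Azure-Tunnel to-zone internal policy azure-frontend-to-internal match destination-address any
set security policies from-zone Azure-Tunnel to-zone internal policy azure-frontend-to-internal match application junos-https
set security policies from-zone Azure-Tunnel to-zone internal policy azure-frontend-to-internal then permit
```

In design A the zone itself carries the scoping, so an intra-zone or frontend-to-internal policy applies only to the subnet that terminates on that st0 unit; in design B the scoping lives in every policy's source-address match and is lost the moment someone writes "any".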