How can we improve Azure Networking?

Possibility of restricting point-to-site VPN access to certain IP addresses

49 votes

Przemyslaw Krasuski shared this idea

4 comments

  • Michael commented

    We'd need assignment of specific IPs to specific VPN clients as well. Scenario: We are developing solutions for the medical field. For this purpose we are running "PACS" servers (mainly for storing medical images) on our Azure VM. The PACS server must be configured to know which clients connect to it by their IP. If, however, dynamic IPs are assigned to the connecting test clients, as you can see, it doesn't work.

    Bye,
    Michael

  • Jens Ramlow commented

    Hi Yushun,

    Thank you for your comment. The goal of predefined IP addresses is not tracking of users.

    Our SQL Server based development environment requires name-to-IP resolution on both sides - the SQL Server on the repository's side as well as the SQL Server instance which resides on the dev clients.

    So if we want to host our repository server in Azure and the development clients are connected via P2S dial-in, the server in Azure must be able to resolve the IP addresses of connected clients by their names to establish a connection between SQL instances.

    The idea was to provide client names and IP addresses in the repository server's etc/hosts file. This does not work if the dial-in client address cannot be predefined in any way. Furthermore, the P2S VPN client package for Windows 10 does not seem to contain any useful configuration possibility for our scenario.

    Thank you. Best, Jens

  • Yu-Shun Wang commented

    Hi Jens,

    This is actually not on our roadmap at this point. A couple of reasons - P2S VPN is primarily designed for VPN client-server or user-access types of scenarios. As such, there are usually more users than addresses available. So reservation would not really work well as you can imagine. If the purpose is to track user access, we are actually working on better integration with proper identity systems such as Windows Domain Controllers etc.

    Could you share your scenarios or whether some form of Identity integration will work instead of using IP addresses?

    Thanks,
    Yushun [MSFT]

  • Jens Ramlow commented

    We want to host our entire IT environment in Azure. This includes repository server resources with established bi-directional communication to the development clients (by registered host/client names).

    The P2S connection currently does not allow fixed/reserved IP addresses for dial-in clients, users or certificates. Otherwise we could feed a set of name-to-IP entries into the hosts file on our virtual servers in Azure.
    I do not see an alternative way of ensuring that an Azure virtual server can reach VPN clients by name.

    So my suggestion is enhanced IP address management for Point-to-site VPN clients - providing a predefined IP per user/cert OR a configuration possibility to "stick" a currently assigned IP to the certificate used, on the management page.

    Thank you. Best, Jens
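The following is an added example and not code from anyone in this thread. It shows the closest thing the platform offers to what is being asked for: reading the P2S address pool from the gateway (a prefix, not a per-client assignment) and enumerating the clients currently connected, so that hosts-style name-to-IP lines can be generated from live sessions instead of being predefined. It assumes the Az.Network module, an existing virtual network gateway with P2S configured, and that Get-AzVirtualNetworkGatewayVpnClientConnectionHealth returns one object per session with PrivateIpAddress and VpnUserName properties (for certificate authentication VpnUserName carries the client certificate's CN). The resource group and gateway names are placeholders.

```powershell
# Added example (not from the thread): emit hosts-file lines for the P2S
# clients connected to an Azure VPN gateway right now.
# Assumes Az.Network; 'rg-example' and 'vgw-example' are placeholder names.
param(
    [string]$ResourceGroupName = 'rg-example',
    [string]$GatewayName       = 'vgw-example'
)

$gw = Get-AzVirtualNetworkGateway -ResourceGroupName $ResourceGroupName -Name $GatewayName

# The P2S pool is configured as address prefixes. Tunnel addresses are
# handed out from it as clients connect; there is no per-certificate or
# per-user reservation to set here, which is the limitation this thread
# is about.
$pool = $gw.VpnClientConfiguration.VpnClientAddressPool.AddressPrefixes
Write-Host "P2S address pool: $($pool -join ', ')"

# Live sessions on the gateway (assumed shape: one object per connection).
$health = Get-AzVirtualNetworkGatewayVpnClientConnectionHealth `
    -ResourceGroupName $ResourceGroupName `
    -VirtualNetworkGatewayName $GatewayName

# One hosts line per session. PrivateIpAddress is the tunnel address
# allocated for this session only; the same certificate may receive a
# different address next time, so these lines are valid only while the
# session lasts and must be regenerated rather than stored.
$hostsLines = foreach ($c in $health) {
    "{0}`t{1}" -f $c.PrivateIpAddress, $c.VpnUserName
}

$hostsLines
```

Because the tunnel address is allocated per session, anything that authorizes a client by its P2S address (the hosts entries above, or a server-side allowlist such as the PACS configuration mentioned earlier in the thread) is only as current as the last time it was regenerated; the address is not a stable identity for the client, the certificate or user that authenticated is.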
