How can we improve Azure Networking?

Adjust route based VPN vNet gateway traffic selectors

We use route-based VPNs for most connectivity to Azure. However, we do have some policy-based VPNs that need access to Azure as well.

Unfortunately, it doesn’t appear that Azure lets you configure the local network prefix when using traffic selectors in IPsec.

This is extremely common on network equipment outside of Azure. I’ll reference an example with a Juniper SRX.

https://www.juniper.net/documentation/en_US/junos/topics/example/ipsec-vpn-traffic-selector-configuring.html

Azure automatically uses every prefix configured within a vNet as the local prefix. It’s my hope that we can configure this per ‘Connection’ when using traffic selectors.

Can we have this feature considered?

Thank you.

20 votes

NateMellendorf shared this idea

1 comment

  • Marc L. Allen commented

    I'm going to wade in on this.

    There are a LOT of Cisco ASA devices out there that require policy-based VPNs. I have trouble explaining to my customer why they continually get "Crypto map" errors for traffic selectors they aren't interested in.

    At a minimum (and maybe this is possible, but I haven't found examples), we need the ability to limit traffic to/from specific VPN connections. If a customer VPN decides to suddenly accept some additional selector, it suddenly can route traffic to/from those resources. If this can be solved by routing table or something, let me know and point me in the right direction, please.
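The idea above describes the gateway offering every vNet prefix as a local traffic selector, and the comment describes a policy-based peer logging errors for selector pairs it has no policy for. The following is an added illustration, not code from the post or from Azure: it models the selector pairs a gateway proposes as the cross product of its local and remote prefixes (an assumption about the negotiation, stated here for the model), lists which pairs a policy-based peer would reject, and checks that a narrower per-connection local prefix actually falls inside the vNet address space. All prefixes are constructed sample values.

```python
from ipaddress import ip_network


def _net(prefix):
    """Normalise a prefix string to an ip_network (lenient about host bits)."""
    return ip_network(prefix, strict=False)


def proposed_selectors(local_prefixes, remote_prefixes):
    """Selector pairs a gateway proposes when it advertises every local prefix.

    Modelled as the full cross product of local x remote prefixes (assumption).
    Returns a sorted list of (local, remote) strings.
    """
    pairs = {(_net(l), _net(r)) for l in local_prefixes for r in remote_prefixes}
    return [(str(l), str(r)) for l, r in sorted(pairs)]


def unmatched_selectors(proposed, peer_policy):
    """Proposed pairs that a policy-based peer has no matching policy for.

    peer_policy is a list of (local_at_gateway, remote_at_gateway) pairs the peer
    is willing to accept; anything else is what shows up as a rejected selector.
    """
    accepted = {(_net(l), _net(r)) for l, r in peer_policy}
    return [(l, r) for l, r in proposed if (_net(l), _net(r)) not in accepted]


def valid_local_selector(candidate, vnet_prefixes):
    """A per-connection local prefix must lie inside one of the vNet prefixes."""
    cand = _net(candidate)
    return any(cand.subnet_of(_net(p)) for p in vnet_prefixes)


def narrowed_selectors(candidate_locals, remote_prefixes, vnet_prefixes):
    """Selector pairs for a connection restricted to specific local prefixes.

    Raises ValueError if a candidate prefix is not part of the vNet, which is the
    check an administrator would want before narrowing a connection.
    """
    for c in candidate_locals:
        if not valid_local_selector(c, vnet_prefixes):
            raise ValueError(f"{c} is not within the vNet address space")
    return proposed_selectors(candidate_locals, remote_prefixes)


if __name__ == "__main__":
    # Constructed sample: a vNet with two address prefixes, one on-prem prefix
    # behind a policy-based peer, and a peer policy that covers only one pair.
    vnet = ["10.1.0.0/16", "10.2.0.0/16"]
    onprem = ["192.168.1.0/24"]
    policy = [("10.1.0.0/16", "192.168.1.0/24")]

    proposed = proposed_selectors(vnet, onprem)
    print("gateway proposes:", proposed)
    print("peer rejects:   ", unmatched_selectors(proposed, policy))

    narrowed = narrowed_selectors(["10.1.0.0/16"], onprem, vnet)
    print("narrowed:       ", narrowed)
    print("peer rejects:   ", unmatched_selectors(narrowed, policy))
```

Run as-is, the model shows the second vNet prefix being offered and rejected, and that restricting the connection to the prefix the peer's policy names removes the mismatch.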
