Adjust route based VPN vNet gateway traffic selectors
We use route-based VPNs for most connectivity to Azure. However, we do have some policy-based VPNs that need access to Azure as well.
Unfortunately, it doesn’t appear that Azure lets you configure the local network prefix when using traffic selectors in IPsec.
This is extremely common on network equipment outside of Azure. I’ll reference an example with a Juniper SRX.
Azure automatically uses every prefix configured within a vNet as the local prefix. It’s my hope that we can configure this per ‘Connection’ when using traffic selectors.
Can we have this feature considered?
Thanks for the feedback. This is currently not possible, and not in our roadmap. We will review the ask and post updates if the status changes.
Ulisses Poveda do Nascimento commented
Some cases I resolved with a custom policy with traffic selectors enabled and PFSGroup None, with a Cisco ASA:
$ipsecPolicy = New-AzIpsecPolicy -SALifeTimeSeconds 3600 -SADataSizeKilobytes 102400000 -IpsecEncryption "AES256" -IpsecIntegrity "SHA1" -IkeEncryption "AES256" -IkeIntegrity "SHA1" -DhGroup "DHGroup2" -PfsGroup "None"
# Fetch the existing connection first (connection and resource group names are placeholders)
$connectionObject = Get-AzVirtualNetworkGatewayConnection -Name "<connection-name>" -ResourceGroupName "<resource-group>"
Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $connectionObject -UsePolicyBasedTrafficSelectors $true -IpsecPolicies $ipsecPolicy
Marc L. Allen commented
I'm going to wade in on this.
There are a LOT of Cisco ASA devices out there that require policy-based VPNs. I have trouble explaining to my customer why they continually get "Crypto map" errors for traffic selectors they aren't interested in.
At a minimum (and maybe this is possible, but I haven't found examples), we need the ability to limit traffic to/from specific VPN connections. If a customer VPN decides to suddenly accept some additional selector, it suddenly can route traffic to/from those resources. If this can be solved by routing table or something, let me know and point me in the right direction, please.
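The original post states that Azure takes every vNet address prefix as the local selector, and the last comment asks how to see which traffic a given connection will actually be offered. The script below is an added example, not code from the thread or from Microsoft: it enumerates, for one route-based gateway, the local/remote selector pairs Azure builds when UsePolicyBasedTrafficSelectors is on (every vNet address prefix paired with every prefix of the connection's Local Network Gateway). The resource group and gateway name are placeholders, and an authenticated Az.Network session is assumed. Prefixes of peered vNets that use this gateway are not enumerated here.

```powershell
# Added example (not from the original thread): list the traffic selector pairs an Azure
# route-based VPN gateway presents on each site-to-site connection that has
# UsePolicyBasedTrafficSelectors enabled. Local side = vNet address space (no per-connection
# override, which is the limitation the request above is about); remote side = the
# connection's Local Network Gateway prefixes.
# Assumes: Az.Network module, Connect-AzAccount already done. Names below are placeholders.
param(
    [string]$ResourceGroupName = 'rg-hub-network',   # placeholder
    [string]$GatewayName       = 'vgw-hub'           # placeholder
)

# Resource IDs look like /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/<type>/<name>[/...]
function Get-RgFromId([string]$Id)   { ($Id -split '/')[4] }
function Get-NameFromId([string]$Id) { ($Id -split '/')[-1] }

$gw = Get-AzVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroupName

# The gateway's IP configuration points at .../virtualNetworks/<vnet>/subnets/GatewaySubnet
$subnetId = $gw.IpConfigurations[0].Subnet.Id
$vnetName = ($subnetId -split '/')[-3]
$vnet     = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName (Get-RgFromId $subnetId)

# Local (Azure-side) selectors: the whole vNet address space, identical for every connection
$localPrefixes = $vnet.AddressSpace.AddressPrefixes

# Connections terminating on this gateway
$connections = Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $ResourceGroupName |
    Where-Object { $_.VirtualNetworkGateway1.Id -eq $gw.Id }

$report = foreach ($conn in $connections) {
    # Only site-to-site (IPsec) connections carry a Local Network Gateway; skip VNet-to-VNet / ExpressRoute
    if (-not $conn.LocalNetworkGateway2) { continue }

    $lngId = $conn.LocalNetworkGateway2.Id
    $lng   = Get-AzLocalNetworkGateway -Name (Get-NameFromId $lngId) -ResourceGroupName (Get-RgFromId $lngId)
    $remotePrefixes = $lng.LocalNetworkAddressSpace.AddressPrefixes

    if ($conn.UsePolicyBasedTrafficSelectors) {
        # Azure offers the full cross product; the peer's crypto map must accept every pair
        # or it logs a selector mismatch for the ones it does not care about.
        foreach ($l in $localPrefixes) {
            foreach ($r in $remotePrefixes) {
                [pscustomobject]@{
                    Connection = $conn.Name
                    Mode       = 'policy-based selectors'
                    Local      = $l
                    Remote     = $r
                }
            }
        }
    }
    else {
        # Route-based default: a single 0.0.0.0/0 <-> 0.0.0.0/0 selector; reachability is decided by routing
        [pscustomobject]@{
            Connection = $conn.Name
            Mode       = 'route-based (any/any)'
            Local      = '0.0.0.0/0'
            Remote     = '0.0.0.0/0'
        }
    }
}

$report | Sort-Object Connection, Local, Remote | Format-Table -AutoSize
```

Run it against the hub gateway before handing a new Local Network Gateway prefix to a policy-based peer: every row with a given connection name is a selector that peer will be asked to accept, and adding a prefix to the vNet address space adds a row to every policy-based connection at once.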