Setup Forced tunneling and manage route tables

It would be nice to be able to set up forced tunneling and the requisite route tables from NMM. It isn't hard to do and can be done via PowerShell, but the proper routes for the selected subnet need to be in place.


NMM should do the following:

1. For the selected subnet, see if there is already a route table in place for the selected subnet

- If not, create a route table with 0.0.0.0/0 and the needed KMS server routes

- If so, check for conflicting routes

2. Enable Default Site forced tunneling

3. Assign/update the route table for the subnet


Relevant MS articles:

https://learn.microsoft.com/en-us/azure/vpn-gateway/site-to-site-tunneling

https://learn.microsoft.com/en-us/troubleshoot/azure/virtual-machines/windows/custom-routes-enable-kms-activation

0
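The three steps in the request, written out as an Az PowerShell script. This is an added example, not NMM code or anything from the linked articles; the resource group, VNet, subnet, gateway and local network gateway names are placeholders, and the KMS addresses are resolved from the public KMS hostnames at run time rather than hardcoded, so cross-check them against the second Microsoft article before relying on them.

```powershell
#Requires -Modules Az.Accounts, Az.Network
# Added example (not NMM's code): check/create the route table, enable the
# gateway default site, then attach the table to the subnet. Run Connect-AzAccount first.
param(
    [string]$ResourceGroup  = 'rg-dc-cloud',        # placeholder
    [string]$VNetName       = 'vnet-dc-cloud',      # placeholder
    [string]$SubnetName     = 'snet-dc',            # placeholder (the VM subnet, never GatewaySubnet)
    [string]$GatewayName    = 'vpngw-dc-cloud',     # placeholder (route-based VPN gateway)
    [string]$LocalGateway   = 'lng-site-firewall',  # placeholder (the on-prem site)
    [string]$RouteTableName = 'rt-forced-tunnel'    # placeholder (used only when none is attached)
)
$ErrorActionPreference = 'Stop'

# A 0.0.0.0/0 route on the GatewaySubnet would break the gateway itself.
if ($SubnetName -eq 'GatewaySubnet') { throw 'Refusing to attach a 0.0.0.0/0 route to the GatewaySubnet.' }

# Desired routes: everything to the VPN gateway (forced tunneling), except the
# Azure KMS activation endpoints, which keep an Internet next hop so Windows
# activation still works once internet access is otherwise blocked.
# Hostnames are resolved here; verify the IPs against the KMS article linked above.
$desired = @(
    @{ Name = 'default-to-site'; Prefix = '0.0.0.0/0'; NextHop = 'VirtualNetworkGateway' }
)
foreach ($kmsHost in 'kms.core.windows.net', 'azkms.core.windows.net') {
    $v4 = [System.Net.Dns]::GetHostAddresses($kmsHost) |
          Where-Object { $_.AddressFamily -eq 'InterNetwork' }
    foreach ($ip in $v4) {
        $desired += @{ Name    = "kms-$($ip.IPAddressToString -replace '\.', '-')";
                       Prefix  = "$($ip.IPAddressToString)/32";
                       NextHop = 'Internet' }
    }
}

$vnet   = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroup -Name $VNetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName

# Step 1: reuse the route table already attached to the subnet, or create a new one.
if ($subnet.RouteTable) {
    # Resource ID layout: /subscriptions/<sub>/resourceGroups/<rg>/providers/.../routeTables/<name>
    $idParts = $subnet.RouteTable.Id -split '/'
    $rt = Get-AzRouteTable -ResourceGroupName $idParts[4] -Name $idParts[-1]
    Write-Host "Subnet already uses route table '$($rt.Name)'; checking for conflicts."
    # A conflict is the same prefix already pointing at a different next hop.
    foreach ($want in $desired) {
        $have = $rt.Routes | Where-Object { $_.AddressPrefix -eq $want.Prefix }
        if ($have -and $have.NextHopType -ne $want.NextHop) {
            throw "Conflicting route '$($have.Name)' for $($want.Prefix): next hop is $($have.NextHopType), expected $($want.NextHop)."
        }
    }
} else {
    $rt = New-AzRouteTable -ResourceGroupName $ResourceGroup -Name $RouteTableName -Location $vnet.Location
}

# Add only the desired routes that are still missing, then save the table.
foreach ($want in $desired) {
    if (-not ($rt.Routes | Where-Object { $_.AddressPrefix -eq $want.Prefix })) {
        $rt = Add-AzRouteConfig -RouteTable $rt -Name $want.Name -AddressPrefix $want.Prefix -NextHopType $want.NextHop
    }
}
$rt = Set-AzRouteTable -RouteTable $rt

# Step 2: enable forced tunneling by making the on-prem site the gateway's default site.
$gw  = Get-AzVirtualNetworkGateway -ResourceGroupName $ResourceGroup -Name $GatewayName
$lng = Get-AzLocalNetworkGateway   -ResourceGroupName $ResourceGroup -Name $LocalGateway
Set-AzVirtualNetworkGatewayDefaultSite -VirtualNetworkGateway $gw -GatewayDefaultSite $lng | Out-Null

# Step 3: attach (or re-attach) the route table to the subnet and commit the VNet.
$subnet.RouteTable = $rt
$vnet | Set-AzVirtualNetwork | Out-Null
Write-Host "Forced tunneling enabled for '$SubnetName' via route table '$($rt.Name)'."
```

The conflict check is deliberately strict: it refuses to touch a table where 0.0.0.0/0 already points somewhere other than the VPN gateway (for example at a firewall appliance), since silently rewriting that route is exactly the kind of change that takes a subnet off the network.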

Comments (3 comments)

0
Dave Stephenson

Welcome to the community, Richard Kneip 🙂!

I like the idea, however I'm not certain it's something many partners will utilize.
In a previous life (at an MSP), I worked with a customer who would utilize Routes, Azure Firewall, virtual Firewall Appliance and a whole Hub and Spoke setup with their AVD environment.
However, they were definitely an exception as most of our customers didn't need any of that.
Like you mentioned, it's not too difficult to do with PowerShell. Creating the logic to check for existing routes/regions may be a bit more difficult. 🤔

Can you elaborate a little more of your use-case for this feature request?
Is this something you're currently doing for all of your customers or more of a future-proofing step?


1
Richard Kneip
(Edited)

A lot of our smaller clients that already have a business class firewall (think Sonicwall or Fortigate or whatever) with security services no longer want an on prem server.  We will usually do a "DC in the cloud" solution using a basic VPN gateway and a B2 VM.  For security we will block access to the internet on the subnet.

This is a great budget solution for small clients.  The downside is updates.  The service tag for the Windows update servers no longer works and 95% of the traffic is LDAP from the DC.  So we use forced tunneling to push all traffic back to the site and out through the security appliance. It is secure and leverages existing security services.

It is cost effective, secure, and you don't need extra services that cost more (Azure firewall, NAT gateway, even Public IP). 

It's not a good solution if you have large environments in Azure with lots of access but for many of our smaller clients it works well.

0
Dave Stephenson

Ah. That makes sense.
I appreciate you sharing your use-case with us. 🙂

Where Azure is going to be removing Default Internet Access for Azure VMs in September 2025, your solution may be a great alternative for partners/customers who don't need/want a NAT Gateway.

Until we're able to implement something like this in the product, it's likely that you could create an Azure Runbook that would do this for you.

I don't have any environments to test this with, but asking an AI engine to create a script that you run in NMM could be a good bandaid, for now.
