enigma.b17

Reputation: 135

Azure P2S VPN - Restrict access to specific users/groups

Currently I have an Azure P2S setup and all is working fine. My main issue at the moment is that all that is needed is to be added to the users of the Enterprise Application associated with the VPN in order to be able to log in and then be able to connect to all the services.

Ideally, what I want to achieve is that any user added to the Enterprise App can access the P2S VPN, but that in order to be able to, for example, connect to specific VMs or specific services, they need to be configured to grant access somehow.

Does anyone have any idea how I can achieve this?

I read an article on here about something similar that was achieved by using different enterprise applications associated with different VPN gateways for the restrictions, but I was really trying to find a way of doing it via a single gateway.

Upvotes: 0

Views: 563

Answers (1)

Venkat V

Reputation: 7725


To allow users to access Azure resources after connecting to the VPN, you can assign an RBAC role to a group and add the required users to that group; this way, only users in the group can connect to Azure resources such as virtual machines.

  1. Create a group and add to it the users who want to connect to the Azure Virtual Machine.


  2. Assign a role to the group for connecting to the VM.

To allow a user to sign in to the VM over RDP, you must assign the Virtual Machine Administrator Login or Virtual Machine User Login role for the VM; refer to this link for more details.


  3. After assigning the role to that group, only users within the group will have access to the Virtual Machine. Similarly, you can assign other roles for connecting to other resources.

Note: If the users in the vm_allowed_users group are not part of the Enterprise application used for connecting to the VPN, add the same group to the Enterprise application.

You can also restrict users from connecting to Azure resources if they are not connected to the VPN.

  1. Create an NSG rule to allow connections to Azure resources, such as Virtual Machines, only from the VPN address range.

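The three steps above (group, role assignment scoped to one VM, NSG rule limited to the P2S client pool) as an Azure PowerShell script. This is an added example, not code from the answer; the resource group, VM, NSG and gateway names and the user UPN are placeholders, and it assumes the Az module is installed and you are signed in. It also adds a matching deny rule below the allow rule, which the answer does not mention, so that RDP from addresses outside the VPN client pool is actually blocked rather than admitted by the default AllowVnetInBound rule.

```powershell
# Added example (not from the answer). Requires the Az PowerShell module and Connect-AzAccount.
# All names below are placeholders; replace them with your own resources.
$rg          = 'rg-placeholder'
$vmName      = 'vm-placeholder'
$nsgName     = 'nsg-placeholder'
$gatewayName = 'vpngw-placeholder'
$userUpn     = 'user@example.com'

# 1. Create the group that gates VM access and add the user to it.
$group = New-AzADGroup -DisplayName 'vm_allowed_users' -MailNickname 'vm_allowed_users'
$user  = Get-AzADUser -UserPrincipalName $userUpn
Add-AzADGroupMember -TargetGroupObjectId $group.Id -MemberObjectId $user.Id

# 2. Assign the login role to the group, scoped to the single VM (least privilege).
#    Use 'Virtual Machine User Login' for non-admin users. The VM must have
#    Microsoft Entra login enabled for these roles to take effect.
$vm = Get-AzVM -ResourceGroupName $rg -Name $vmName
New-AzRoleAssignment -ObjectId $group.Id `
    -RoleDefinitionName 'Virtual Machine Administrator Login' `
    -Scope $vm.Id

# 3. Read the P2S client address pool from the gateway and restrict RDP to it.
$gw      = Get-AzVirtualNetworkGateway -ResourceGroupName $rg -Name $gatewayName
$vpnPool = $gw.VpnClientConfiguration.VpnClientAddressPool.AddressPrefixes
$nsg     = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name $nsgName

# Allow RDP only from the VPN client pool ...
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-From-VPN' -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $vpnPool -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3389 | Out-Null

# ... and explicitly deny it from everywhere else. Without this, the default
# AllowVnetInBound rule can still admit RDP from other addresses in the VNet.
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'Deny-RDP-Other' -Priority 110 `
    -Direction Inbound -Access Deny -Protocol Tcp `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3389 | Out-Null

$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Verify: list the rules that now govern RDP on this NSG, in priority order.
Get-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg |
    Where-Object { $_.DestinationPortRange -contains '3389' } |
    Sort-Object Priority |
    Select-Object Name, Priority, Access, SourceAddressPrefix
```

The same pattern applies to other services: scope the role assignment to that resource and add an allow/deny pair for its port.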

Upvotes: 0
