allow private access to on-prem server via s2s vpn

KyawZinOo 20 Reputation points
2024-12-13T16:15:00.6+00:00

We need to allow the traffic from Azure Tenant B to On-prem web server that already had connect to Azure Tenant A. What will be the most cost effective method to connect not to expose internet.

Private endpoint, Private link, vnet peering or if there any others way that can achieve.

On-prem web server <------site 2 site VPN-----> Azure Tenant A <------ ??? -----Azure Tenant B

Azure VPN Gateway
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
1,595 questions
{count} votes

Accepted answer
  1. Marcin Policht 30,740 Reputation points MVP
    2024-12-13T16:18:54.4766667+00:00

    In your scenario, where you want to allow a virtual network (VNet) in the Azure subscription associated with Entra tenant B (let's call it VNetB) to connect to an on-premises web server through an existing Site-to-Site (S2S) VPN connection to the virtual network (let's call it VNetA) in the Azure subscription associated with Entra tenant A, the most cost-effective solution would likely be VNet Peering between the two virtual networks:

    1. VNet Peering (Cost-effective solution)
      • Description: VNet peering allows two VNets to communicate with each other, and if you peer VNets in different tenants, you can enable communication between VNetB and the on-premises environment via the existing S2S VPN.
      • Cost: VNet peering charges are typically low compared to other options, especially if the traffic is limited to intra-region or same-region peering. The cost will mainly depend on the amount of traffic transferred between the VNets. Since you are only seeking minimal connectivity, VNet peering will be cost-effective.
      Steps:
      1. Set up VNet Peering between Tenant A and Tenant B, ensuring proper network routes.
      2. Configure routing in Tenant A to forward traffic from Tenant B's VNet to the on-premises network.
      3. Ensure network security groups (NSGs) and other security controls are properly configured to allow the required traffic.
    2. Private Link
      • Description: Private Link enables private, secure connections to services hosted on Azure, such as PaaS services. It maps the traffic to a private IP address in the VNet.
      • Cost: Private Link generally involves higher costs compared to VNet peering because it involves provisioning private endpoints, traffic charges, and more setup complexity.
      • Use case: Private Link would typically be used for PaaS services.
    3. Private Endpoint (for PaaS services)
      • Description: Private Endpoint allows you to connect to Azure services (like Azure SQL, Storage, or other PaaS services) using private IP addresses. It is primarily used for Azure-hosted services.
      • Cost: Similar to Private Link, using Private Endpoints involves additional costs.
      • Use case: This is not suitable for connecting to an on-premises web server since it’s designed for connecting to Azure services.

    If the above response helps answer your question, remember to "Accept Answer" so that others in the community facing similar issues can easily find the solution. Your contribution is highly appreciated.

    hth

    Marcin

    1 person found this answer helpful.
    0 comments No comments

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.