Azure S2S vpn
I have a question, and apologies in advance if it's not very precise.
I have deployed a cluster in Azure, classic CloudGuard IaaS HA topology.
Everything seems to work fine when I don't NAT anything behind the external VIP (private).
Now the question is regarding VPN: do you usually need extra config on the load balancers, or anywhere in Azure, to permit 500/4500/ESP towards the gateway from the load balancer's public IP?
I don't seem to get anything unless there is a rule in the LB in Azure for it.
Hope it's more or less clear.
I don't recall one of our customers having to do any extra config on the load balancer end for this a couple of years ago. We have a pay-as-you-go Azure subscription, so I can fire up a lab in it this week and verify for you. I know Azure is super limited when it comes to doing any sort of troubleshooting (certainly nothing like any major vendor's firewall).
I don't believe you can use Load Balancers with VPN (either Site-to-Site or Remote Access).
That's suggested by: https://support.checkpoint.com/results/sk/sk109360
You would need to set up an active/passive cluster pair for VPN.
We don't use the LB for VPN at all; the LBs don't pass ESP traffic, so it will never work.
You need to configure it with the cluster's VIP, which is attached to the ACTIVE member, like we do with any other regular deployment.
Check the Azure HA admin guide: