Summary of Work
Between September and October, we evaluated options for setting up an Azure VPN to provide secure remote access and, optionally, allow connected users to exit to the internet via Azure.
The main goal was to enable VPN connectivity for users while maintaining control over routing and minimizing Azure costs.
Options Considered
Point-to-Site (P2S) VPN
Good for individual users connecting to Azure resources.
The user end was tested: the Azure VPN client application works, and users can connect to and reach the Azure virtual network, but they get no internet access through the tunnel.
“Force tunneling” (routing all internet traffic through Azure) works but:
Requires Azure Firewall or Network Virtual Appliance (NVA).
Involves additional egress traffic charges.
Rejected due to high cost for the intended use.
Alternative Approach (Not Tested)
Use a MikroTik site-to-site (S2S) VPN with BGP peering to Azure.
Advertise the default route (0.0.0.0/0) from Azure to MikroTik via BGP.
Allow local clients to send internet-bound traffic through Azure using the established tunnel.
Perform NAT and routing control on the MikroTik side, avoiding Azure Firewall costs.
Requirements:
Azure VPN Gateway SKU that supports BGP (VpnGw1 or higher).
Configure BGP peering (Azure ASN 65515) and ensure route propagation works both ways.
Test to confirm Azure accepts default route advertisement.
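To make the BGP test in the requirements above concrete, the following script is an added example (it is not part of the report and not a MikroTik or Azure tool). It models the MikroTik routing table as prefixes learned over BGP from Azure plus the router's own static and connected routes, resolves destinations by longest-prefix match, and reports two things the test run should record: whether Azure actually sent 0.0.0.0/0 and whether that route wins against any static default the router already has, and whether the Azure gateway's public IP stays pinned to the ISP uplink so the tunnel carrying the default route does not try to route its own endpoint through itself. All addresses and the local ASN are constructed placeholders; the administrative distances follow RouterOS defaults as assumed here (connected 0, static 1, eBGP 20). Only the Python standard library is used.

```python
"""Routing-table sanity check for the planned 'default route over the S2S
tunnel' design. Added example, not part of the original report; all
addresses and the local ASN are constructed placeholders."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

AZURE_ASN = 65515                      # Azure VPN Gateway ASN, as stated in the report
LOCAL_ASN = 65010                      # assumed private ASN for the MikroTik side
AZURE_GW_PUBLIC_IP = "203.0.113.10"    # placeholder for the gateway's public IP
AZURE_VNET = "10.20.0.0/16"            # placeholder VNet address space
LAN = "192.168.88.0/24"                # placeholder local LAN

# Administrative distances modelled on RouterOS defaults (assumption).
DIST_CONNECTED, DIST_STATIC, DIST_EBGP = 0, 1, 20


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    via: str        # "tunnel", "isp" or "lan"
    source: str     # "connected", "static" or "bgp-as<ASN>"
    distance: int


def lookup(table, dst):
    """Longest-prefix match; on equal prefix length the lowest distance wins."""
    addr = ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.distance))


def build_table(azure_advertised, static_default_distance=None, pin_gateway_via_isp=True):
    """Assemble the MikroTik table for one scenario.

    azure_advertised        prefixes received from the Azure BGP peer
    static_default_distance None = no static default; otherwise its distance
    pin_gateway_via_isp     add a /32 for the Azure gateway public IP via the ISP
    """
    table = [Route(ip_network(LAN), "lan", "connected", DIST_CONNECTED)]
    if static_default_distance is not None:
        table.append(Route(ip_network("0.0.0.0/0"), "isp", "static", static_default_distance))
    if pin_gateway_via_isp:
        table.append(Route(ip_network(f"{AZURE_GW_PUBLIC_IP}/32"), "isp", "static", DIST_STATIC))
    for prefix in azure_advertised:
        table.append(Route(ip_network(prefix), "tunnel", f"bgp-as{AZURE_ASN}", DIST_EBGP))
    return table


def check_design(table):
    """Return the findings a test run should record for this table."""
    default_from_azure = any(
        r.prefix.prefixlen == 0 and r.source == f"bgp-as{AZURE_ASN}" for r in table)
    internet = lookup(table, "198.51.100.7")        # arbitrary internet host
    endpoint = lookup(table, AZURE_GW_PUBLIC_IP)
    vnet = lookup(table, str(ip_network(AZURE_VNET)[10]))
    return {
        "azure_sent_default": default_from_azure,
        "internet_via": internet.via if internet else None,
        "gateway_endpoint_via": endpoint.via if endpoint else None,
        # The tunnel's own endpoint must never resolve through the tunnel.
        "recursive_routing_hazard": endpoint is not None and endpoint.via == "tunnel",
        "vnet_via": vnet.via if vnet else None,
    }


if __name__ == "__main__":
    azure = [AZURE_VNET, "0.0.0.0/0"]
    scenarios = {
        "clean: BGP default, gateway pinned": build_table(azure),
        "unpinned gateway (tunnel routes its own endpoint)": build_table(azure, pin_gateway_via_isp=False),
        "static default kept at distance 1": build_table(azure, static_default_distance=DIST_STATIC),
        "static default as backup, distance 250": build_table(azure, static_default_distance=250),
        "Azure did not send default": build_table([AZURE_VNET]),
    }
    for name, table in scenarios.items():
        print(f"{name}: {check_design(table)}")
```

The scenario with the static default left at distance 1 is the one most likely to bite in practice: the BGP default arrives, the session looks healthy, but internet traffic still leaves via the ISP because the static route wins on equal prefix length. Either remove the static default or raise its distance so it only serves as a backup when the tunnel is down.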
