In this pattern, we leverage the Azure Virtual Network Gateway's private IP address as the IKEv2 tunnel termination endpoint to form a VPN tunnel through Azure Firewall's public IP address.

Architecture

VPN Gateway Configuration

Deploy a route-based VPN gateway.
Make sure to choose a Zone-Redundant SKU (such as VpnGw1AZ or VpnGw2AZ), because those are the only SKUs that support VPN over private IP (Azure Docs).
Architecture

1. The end user makes an authenticated request to the middle-tier/OBO application. Token audience: OBO application.
2. The OBO application validates the access token from the user.
3. The OBO application requests a new access token for the backend application on behalf of the user.
4. The OBO application forwards the request on behalf of the user with the new token, which has its (the OBO app's) client ID as audience.

Backend App

In my use case, I configured an internal backend app using Azure AD App Proxy.
Intro

Terraform is a tool for building, changing, and versioning infrastructure safely and efficiently.
Basically, with Terraform you define what you'd like, for example:
```
server {
  os      = windows
  version = Windows_10
  memory  = 16
  CPU     = i7
}
```

This lets you manage your infrastructure as code: infrastructure changes are committed to a repository, and a CI/CD pipeline builds and tests every change, with approval flows in place.