Microsoft Dynamics AX (Archived)

Azure site-to-site VPN : how to access AX only through VPN?


Dear all,

We are live on the New Dynamics AX: we have put in place Azure AD, AAD and single sign-on, as well as a Site-to-Site VPN. All of this is working fine.

Now, I would like to prevent access from the internet to our AX (we don't need or want AX to be accessible from the web).

How may I achieve that? How to find the "internal" IPs or DNS names of the machines, and render the AX environments unreachable from the Internet?

Thank you,

  • Verified answer
    André Arnaud de Calavon
    301,200 Super User 2025 Season 2

    Hi Raphael,

    There is no option to block the AX URL from the internet as far as I know, but I might be wrong. There are options to limit access to the Azure AD for at least devices, but probably also IP ranges. Then you might achieve that users can log on from only the office location or other managed locations or devices.

    You can try to get more help on the Azure AD forum for this.

    social.msdn.microsoft.com/.../home

  • Raphael Tagliani

    Thank you for your advice.

  • Cristian Campora G.
    240

    Hello Raphael, I am facing the same requirement. Can you tell me if you had the chance to solve it? Thank you.

  • Raphael Tagliani

    Hello Cristian,

    We are now in the Microsoft managed cloud, hence, our servers are in one of Microsoft's subscriptions.

    This means that our site-to-site VPN is not relevant anymore (linked to our subscription, not to the MS subscription).

    Microsoft currently offers one and only one solution (to my knowledge) to avoid exposing AX directly to the web: ExpressRoute.

    Basically, you ask your ISP to provide an MPLS or similar carrier-managed connection to the Microsoft cloud. They set it up for you, and you then have a guaranteed access to AX, with guarantees on the latency, packet loss...

    This is a good solution, but it may be costly (EUR 1000+ / month, because you need to pay both for ISP connection and MS connection). Definitely the solution if you have 500 users+; below that, I would not advise it.

    I don't know if there is a solution for 2-factor auth: this might be something nicer to put in place, and would still allow for external access. Drawbacks: less user-friendly, potentially harder to integrate with external apps/custom interfaces... To discuss with a premier field engineer or MS architect.

    I hope this helps a bit, have a nice day,

  • Cristian Campora G.
    240

    Thanks for your reply Raphael, you are totally right. We can't create a site-to-site VPN so far. So did your customer end up getting ExpressRoute, or did you figure out another way? On the Ops roadmap are Logic Apps and a tool that you can install on-premises to queue and dequeue messages from data entities runs (not GA yet).

    One other option I want to try, although less secure, is to IP forward from a virtual gateway in your Azure subscription to Ops environments and on-premises. It's not a VPN but at least it may be more transparent to the user.

  • Raphael Tagliani

    Well, for integration with on-prem applications (file-based time attendance, on-prem Dynamics CRM), I used AX web services. They are reliable, and their performance is very good for my needs.

    I've never heard of the IP forward solution, but I guess AX would still be web-facing.

  • Suggested answer
    nmaenpaa
    101,166 Moderator

    At the moment there is no solution for limiting access to your D365O instance that would be based on network-related things (source IP address).

    Even ExpressRoute doesn't prevent connections from the public Internet to your D365O instance. With D365O, you will use ExpressRoute public peering, which basically means just a dedicated route from your on-premises network to the edge of Microsoft's Azure services. So user sessions originating from the on-premises network would be routed through ExpressRoute.

    Also, multi-factor authentication doesn't work with ExpressRoute (docs.microsoft.com/.../expressroute-faqs).
