Infrastructure Background
I have a virtual network with IP space 10.0.0.0/16, the GatewaySubnet in which my VPN Gateway is deployed in is 10.0.1.0/24. The VPN Gateway is configured to use certificate authentication via OpenVPN and has the client IP address pool allocated to 10.2.0.0/24. I have two clients connected to the VPN Gateway and their respective IP addresses are 10.2.0.2 and 10.2.0.3. Currently, from 10.2.0.2 I have network access to 10.2.0.3 and vice-versa. As I wish to use the VPN Gateway as a convenient means for third-party clients to access my Azure virtual network, having clients being able to communicate with each other within the VPN Gateway's client address IP space 10.2.0.0/24 is undesirable from a security perspective as if one client got compromised, they could possibly move laterally to adjacent networks other clients connected in that same IP space.
Question: How can I prevent all connected clients in the VPN Gateway's client IP address space 10.2.0.0/24 from communicating with each other?
I tried using network security groups and Azure firewall to solve this problem, but they don't seem to work with the subnets allocated within the VPN gateway's client address IP space. One approach that seems to work is creating multiple VPN gateways, but that can become quite expensive and is also undesireable. I still want to make use of VPNs to access my virtual networks as I don't think whitelisting IP addresses with security groups will scale when I want to grant more peers access to my virtual network.
Azure P2S does not provide any support for preventing client-to-client communication.
The only workaround is to set up a Network Virtual Appliance (NVA) to control the traffic between VPN clients.
You can use either 3rd party NGFWs (Palo Alto, Fortinet, etc.) or just an Azure VM with routing and firewall set up on it.
VPN Gateway supports "Custom Routes" that will enable you to inject the routes towards the NVA.