Setup Azure Point to Site VPN

(Last Updated On: July 15, 2018)

Microsoft Azure provides several ways to reach resources and infrastructure deployed in Azure IaaS. Depending on their requirements, enterprise organizations may choose Azure ExpressRoute, a Site to Site VPN or a Point to Site VPN to access Azure resources. A Site to Site VPN connects an on-premises network to an Azure virtual network, while a Point to Site VPN connects individual client machines to an Azure virtual network.

In this article we will walk through setting up a Point to Site VPN to reach an Azure VM that has no public IP address.

Here are some of the characteristics of Point to Site VPN:

  • It uses Secure Socket Tunneling Protocol (SSTP) for Windows clients and IKEv2 for Mac clients.
  • Point to Site VPN clients can be authenticated using Azure certificate authentication or Active Directory. Active Directory authentication requires a RADIUS server integrated with Active Directory.
  • Clients connect to the Point to Site VPN using TLS 1.2.
  • Point to Site VPN can be set up with all VPN gateway SKUs.
  • A maximum of 128 VPN clients can connect to a Point to Site VPN at a time.

Prerequisites to configure a Point to Site VPN:

  • Azure Virtual Network
  • Azure Virtual Network Gateway
  • Certificate for authentication

Now let’s set up the prerequisites for Point to Site VPN:

  • Azure Virtual Network

Here we will set up an Azure virtual network with the address space 10.100.0.0/16.

  • Azure Virtual Network Gateway

Now we need to set up an Azure virtual network gateway with a gateway subnet and a public IP address; that public IP is the endpoint VPN clients connect to for the Point to Site VPN. The virtual network gateway must be route-based.

Virtual network gateway deployment can take up to 45 minutes.

  • Certificate for Authentication

The VPN client must have a client certificate to connect to the Point to Site VPN. The client certificate can be issued by an enterprise CA or chained to a self-signed root certificate. In this case we will use a self-signed root certificate generated with PowerShell.

Open PowerShell and run the following cmdlets to generate the certificates.

Create a self-signed root certificate:
# Creates the root certificate in the current user's personal store. The private key stays here; only the public part is uploaded to Azure.
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=VPNP2SRootCert" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

Create a self-signed client certificate:
# Signed by the root created above. The 2.5.29.37 extension sets the Extended Key Usage to Client Authentication (1.3.6.1.5.5.7.3.2).
New-SelfSignedCertificate -Type Custom -DnsName VPNP2SClientCert -KeySpec Signature -Subject "CN=VPNP2SClientCert" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

Export the self-signed root certificate:
Export the self-signed root certificate's public part in Base-64 encoded X.509 (.CER) format. Only the public certificate is uploaded; we need it when configuring the Point to Site VPN on the Azure virtual network gateway.

Now that all the prerequisites are met, we can configure the Azure Point to Site VPN.

Here we need to specify the address pool from which VPN clients will be assigned IP addresses, and upload the root certificate.
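The same two steps, exporting the root certificate's public part and configuring the gateway, can be done from PowerShell with the Az module instead of the portal. The script below is an added example and is not code from the original article. The resource group name, gateway name and client address pool 172.16.201.0/24 are assumed values; the certificate subject CN=VPNP2SRootCert matches the root certificate created above, and the script assumes Connect-AzAccount has already been run.

```powershell
# Added example (not from the article): export the root certificate's public part and
# configure the Point to Site settings on the gateway with Az PowerShell.
# Assumed values, not from the article: resource group, gateway name and client address pool.
$resourceGroup = 'rg-p2s-demo'
$gatewayName   = 'vng-p2s-demo'
$clientPool    = '172.16.201.0/24'   # must not overlap the VNet (10.100.0.0/16) or on-premises ranges

# 1. Locate the root certificate created earlier in the current user's personal store.
$rootCert = Get-ChildItem -Path 'Cert:\CurrentUser\My' |
    Where-Object { $_.Subject -eq 'CN=VPNP2SRootCert' } |
    Select-Object -First 1
if (-not $rootCert) { throw 'Root certificate CN=VPNP2SRootCert not found in Cert:\CurrentUser\My' }

# 2. Base-64 encode the DER bytes (RawData). This is the public certificate only; the
#    private key stays in the local store and is never sent to Azure.
$publicCertData = [System.Convert]::ToBase64String($rootCert.RawData)

# Same content as the portal's "Base-64 encoded X.509 (.CER)" export, kept as a copy on disk.
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [System.Convert]::ToBase64String($rootCert.RawData, [System.Base64FormattingOptions]::InsertLineBreaks) +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path '.\VPNP2SRootCert.cer' -Value $pem -Encoding Ascii

# 3. Set the client address pool on the route-based gateway and register the root certificate.
$gateway = Get-AzVirtualNetworkGateway -Name $gatewayName -ResourceGroupName $resourceGroup
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gateway -VpnClientAddressPool $clientPool | Out-Null

Add-AzVpnClientRootCertificate -VpnClientRootCertificateName 'VPNP2SRootCert' `
    -VirtualNetworkGatewayName $gatewayName -ResourceGroupName $resourceGroup `
    -PublicCertData $publicCertData | Out-Null

# 4. Confirm which root certificates the gateway now trusts. Any client certificate chained
#    to one of these roots will be accepted, so this list is what to audit when a root is retired.
$config = (Get-AzVirtualNetworkGateway -Name $gatewayName -ResourceGroupName $resourceGroup).VpnClientConfiguration
$config.VpnClientRootCertificates | Select-Object Name
$config.VpnClientAddressPool.AddressPrefixes
```

The Azure portal's root certificate field expects the Base-64 data without the BEGIN/END lines, which is why $publicCertData is built separately from the .cer file written to disk.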

Now we can download the VPN client and connect it to the Azure Point to Site VPN.

It downloads a zip file that contains the following:

Choose the VPN client setup that matches the client machine and run the executable to install it. Choose Yes to proceed.

You will find the VPN client under VPN settings on your client machine. Click Connect.

Click Continue to proceed.

It validates the client certificate. After validation the VPN client connects to the Point to Site VPN and updates the routing table on the client machine.

Here is the IP address assigned to our VPN client.

The same can be verified in the Azure portal.

Now we can connect to our VM using its private IP address.
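The connection, the pushed route and the VM reachability described above can all be checked from the Windows client with built-in cmdlets. The script below is an added example, not part of the original article; the VM private IP 10.100.1.4 and port 3389 are placeholders to replace with the values shown in your Azure portal, while 10.100.0.0/16 is the VNet address space used in this article.

```powershell
# Added example (not from the article): verify the Point to Site connection from the Windows client.
$vnetPrefix  = '10.100.0.0/16'   # VNet address space from the article
$vmPrivateIp = '10.100.1.4'      # placeholder: the VM's private IP as shown in the Azure portal
$vmPort      = 3389              # placeholder: RDP for a Windows VM; use 22 for a Linux VM

# 1. Is a VPN connection up? The Azure P2S client is a regular Windows VPN profile.
$vpn = Get-VpnConnection -ErrorAction SilentlyContinue |
    Where-Object { $_.ConnectionStatus -eq 'Connected' } | Select-Object -First 1
if (-not $vpn) { Write-Warning 'No VPN connection is currently connected.'; return }
"Connected: $($vpn.Name) (tunnel: $($vpn.TunnelType), auth: $($vpn.AuthenticationMethod))"

# 2. Did the client receive a route to the VNet? It is added when the tunnel comes up.
$route = Get-NetRoute -AddressFamily IPv4 -DestinationPrefix $vnetPrefix -ErrorAction SilentlyContinue |
    Select-Object -First 1
if (-not $route) {
    Write-Warning "No route to $vnetPrefix on this client; the VNet address space was not pushed."
    return
}
"Route to $vnetPrefix via interface $($route.InterfaceAlias)"

# 3. Which address from the client pool did we get? Read it from the tunnel interface.
Get-NetIPAddress -InterfaceIndex $route.InterfaceIndex -AddressFamily IPv4 |
    Select-Object IPAddress, PrefixLength

# 4. Reachability to the VM's private IP. ICMP is often blocked by the VM's NSG, so test the
#    service port as well as ping; TcpTestSucceeded is the result that matters.
Test-NetConnection -ComputerName $vmPrivateIp -Port $vmPort |
    Select-Object ComputerName, RemoteAddress, PingSucceeded, TcpTestSucceeded
```

If step 2 fails while step 1 succeeds, the tunnel is up but the gateway's VNet routes did not reach the client; redownloading the VPN client package after any change to the VNet address space is the usual fix, since the routes are baked into the profile.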


Hasnain Shaikh
I am a Messaging and Cloud enthusiast with 12 years of experience in Presales, Planning, Designing and Implementing Microsoft Exchange, Office 365, Microsoft Azure IaaS, Microsoft Intune and Active Directory infrastructure. I love to learn new technologies and share my knowledge with others.