Gabriel
Cloud Safety: How to Establish Azure Point-to-Site VPN Connections


Introduction

In a world where remote work has become the norm, secure and reliable access to company infrastructure matters more than ever. Cloud platforms such as Microsoft Azure offer tools for establishing encrypted connections between remote users and resources hosted in the cloud. One such tool is the Point-to-Site (P2S) VPN, a mechanism that lets individual devices connect securely to your Azure infrastructure.

In this guide, we'll walk through the process of setting up a Point-to-Site VPN connection in Azure, with step-by-step instructions on how to establish a secure link between your local device and your Azure infrastructure.

Understanding Point-to-Site (P2S) VPN Connection

Before diving into the setup process, let's briefly explain what a Point-to-Site VPN connection is and how it functions. In a Point-to-Site VPN configuration, individual client devices establish encrypted connections to a virtual network in Azure. This enables remote users to securely access resources such as Azure Virtual Machines, Azure SQL Databases, and other services within the virtual network, as if they were directly connected to it.

P2S Example Scenario

Company XYZ has an Azure virtual machine (VM) that has both a public and a private IP address and sits inside an Azure virtual network (VNet). Usually, staff log into the VM over its public IP address, but that exposes the RDP port to the whole internet, where it is continuously scanned and brute-forced. So the company decides to get rid of the public IP entirely and requires staff to reach the VM through its private IP only.

When they try to access the VM with the private IP, the staff get a connection error, because a private address is not routable from outside the Azure virtual network. Any attempt to reach the VM solely via its private IP address from an external network, such as the internet or another corporate network, fails because of that network isolation.

To solve this while keeping access secure, Company XYZ sets up a Point-to-Site (P2S) VPN connection in Azure. With this in place, staff can connect to the Azure virtual network where the VM lives from anywhere they have internet access, authenticate with their company identity, and then reach the VM on its private IP as if they were on the VNet.

Setting up P2S VPN Connection in Azure

We will go over setting up everything from scratch, including the virtual machine. Here are resources and tools that will be used in this setup:

  • Resource Group
  • Virtual Machine
  • Virtual Network (VNet) and Subnets
  • Virtual Network Gateway
  • Azure VPN Client

Step by step P2S VPN implementation

Create resource group

Create a resource group named "RGTEST1". Every other resource in this guide is created inside it, which also makes cleanup a single delete at the end.

Create virtual network

Create a virtual network resource in the RGTEST1 resource group

  • Name: my-secure-vnet
  • Address space: accept the default or choose your own, but note it down; the P2S client address pool configured later must not overlap it

Create gateway subnet

Create a gateway subnet in the "my-secure-vnet" virtual network. Azure requires this subnet to be named exactly GatewaySubnet, and a /27 or larger is recommended so the gateway has room for future configurations. Do not place VMs in it.

Create virtual network gateway

Create a virtual network gateway resource with the following details:

  • Name: secure-vnet-gtw
  • SKU: VpnGw1
  • Gateway Type: VPN
  • Generation: Generation 1
  • Virtual Network: my-secure-vnet
  • Public IP address name: vnet-gtw-ip
  • Enable active-active mode: Disabled

The Basic SKU is not an option here: Microsoft Entra ID (Azure AD) authentication over OpenVPN, which we configure next, needs VpnGw1 or higher. Gateway creation itself can take up to 45 minutes.

⚠️ Price alert: a virtual network gateway is NOT free; it is billed for every hour it exists, even when no client is connected. The only exception is that an Azure free account includes a limited number of VpnGw1 hours for the first 12 months (check the current free-account offer before relying on this).
⚠️ DELETE ALL RESOURCES AFTER PRACTICE

Point-to-Site Configuration

In the virtual network gateway resource, open Point-to-site configuration under the Settings section in the left menu and click Configure now.
Use the details below to complete the configuration:

  • Address pool (any valid private range that does not overlap the VNet address space or any network the clients sit on): 10.1.3.0/27
  • Tunnel type: OpenVPN (SSL)
  • Authentication type: Azure Active Directory (now called Microsoft Entra ID in the portal)
  • Tenant: https://login.microsoftonline.com/<YOUR_TENANT_ID>/ (for your tenant ID go to Microsoft Entra ID -> Properties)
  • Audience (the same for every tenant in the Azure public cloud; sovereign clouds use different IDs): 41b23e61-6c1e-4545-b367-cd054e0ed4b4
  • Issuer: https://sts.windows.net/<YOUR_TENANT_ID>/

The address pool is the range the VPN clients receive their tunnel addresses from, so its size bounds the number of concurrent clients. Clients can only be granted access to this gateway if the token they present carries exactly this issuer and audience, which is why the tenant ID appears in both URIs.

Click Save


Note:
The trailing " / " is required
Saving can take up to 30 minutes

Authorize the Azure VPN application

The Azure VPN application must be consented to once per tenant before any user can sign in through it. Make sure you are signed in to the Azure portal as a Global Administrator; use that privileged account only for this one-time consent, not as the account you test the VPN with.
Copy the link below and replace <YOUR_TENANT_ID> with your Azure tenant ID.

https://login.microsoftonline.com/<YOUR_TENANT_ID>/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent

You will be prompted to sign in again; sign in with the Global Administrator user. You should then see a consent prompt listing the permissions the Azure VPN application requests for your organization.
Click "Accept".

Once consented, every user in the tenant can authenticate to the gateway by default. To limit this, open Microsoft Entra ID -> Enterprise applications -> Azure VPN, enable "Assignment required" under Properties, and assign only the users or groups who should have VPN access; Conditional Access policies (for example requiring MFA or a compliant device) can be applied to the same application.
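The P2S settings above and the consent link are easy to get subtly wrong, and a missing trailing slash or an overlapping address pool only surfaces after the long gateway save. The following added example (not code from the original post) builds the same values from a tenant ID and checks them first. The tenant ID and the VNet address space in it are placeholders; only the audience GUID is the real Azure VPN application ID from the post.

```python
"""Pre-flight checks for an Azure P2S (OpenVPN + Entra ID) configuration.

Added example, not code from the original post. It reproduces the portal
values as Python and validates them before the gateway save: the client
address pool must not overlap the VNet, and the tenant/issuer URIs need
their trailing slash. Tenant ID and address ranges used in the usage
section are placeholders for illustration.
"""
import ipaddress
import re
from urllib.parse import urlencode

# Azure VPN enterprise application ID (Azure public cloud), as given in the post.
AZURE_VPN_AUDIENCE = "41b23e61-6c1e-4545-b367-cd054e0ed4b4"
_GUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def p2s_auth_settings(tenant_id: str) -> dict:
    """Return the three Entra ID values the Point-to-site blade asks for."""
    if not _GUID.match(tenant_id):
        raise ValueError(f"tenant id {tenant_id!r} is not a GUID")
    return {
        "tenant": f"https://login.microsoftonline.com/{tenant_id}/",
        "audience": AZURE_VPN_AUDIENCE,
        "issuer": f"https://sts.windows.net/{tenant_id}/",
    }


def validate_auth_settings(settings: dict) -> list:
    """Return a list of problems with hand-typed settings (empty list means OK)."""
    problems = []
    for key in ("tenant", "issuer"):
        if not settings.get(key, "").endswith("/"):
            problems.append(f"{key} URI must end with a trailing '/'")
    if not _GUID.match(settings.get("audience", "")):
        problems.append("audience must be the Azure VPN application (client) ID")
    return problems


def validate_client_pool(pool: str, vnet_address_space: list) -> list:
    """Check the P2S address pool against the VNet's address space.

    Azure rejects a pool that overlaps the VNet, and clients whose LAN uses the
    same range would lose connectivity, so the pool is checked against every
    prefix passed in. strict=True rejects a pool with host bits set.
    """
    problems = []
    try:
        net = ipaddress.ip_network(pool, strict=True)
    except ValueError as exc:
        return [f"invalid address pool {pool!r}: {exc}"]
    for prefix in vnet_address_space:
        if net.overlaps(ipaddress.ip_network(prefix)):
            problems.append(f"pool {pool} overlaps {prefix}")
    if not net.is_private:
        problems.append(f"pool {pool} is not a private (RFC 1918) range")
    return problems


def admin_consent_url(tenant_id: str, redirect_uri: str = "https://portal.azure.com") -> str:
    """The one-time admin-consent URL for the Azure VPN application."""
    if not _GUID.match(tenant_id):
        raise ValueError(f"tenant id {tenant_id!r} is not a GUID")
    params = {
        "client_id": AZURE_VPN_AUDIENCE,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "nonce": "1234",  # same placeholder nonce the post uses
        "prompt": "admin_consent",
    }
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/authorize?{urlencode(params)}"


if __name__ == "__main__":
    tenant = "11111111-2222-3333-4444-555555555555"  # placeholder tenant ID
    settings = p2s_auth_settings(tenant)
    print(settings, validate_auth_settings(settings))
    # Placeholder VNet address space plus the client LAN the laptops sit on.
    print(validate_client_pool("10.1.3.0/27", ["10.0.0.0/16", "192.168.1.0/24"]))
    print(admin_consent_url(tenant))
```

Run the checks before clicking Save; an empty problem list from both validators means the values match what the gateway will accept, and the printed consent URL is the one to open as the Global Administrator.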

Download VPN Client Configuration

When the P2S configuration has finished saving, refresh the page and click the Download VPN Client button.
A zip file is downloaded. Extract its contents to a folder; it contains per-client folders, and the one we need is AzureVPN, which holds azurevpnconfig.xml. That profile is not secret in the sense of containing credentials (authentication happens against Entra ID), but it does tell a client which gateway to trust, so only distribute the copy you downloaded from the portal.

Install the Azure VPN client

Download and install the Azure VPN Client from the Microsoft Store (for Windows PCs) or the Mac App Store (for Mac).

Import VPN Client Configuration

Open the Azure VPN Client and click the plus sign at the bottom left.
Click Import.
Navigate to the folder extracted in the previous step and select the file AzureVPN/azurevpnconfig.xml.
After importing, click Save.
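A profile that is imported blindly will happily point a client at somebody else's tenant or gateway, which matters once profiles start circulating by e-mail or shared drive instead of coming straight from the portal. The following added example (not code from the original post) checks a profile against the tenant and audience you configured before it is imported. The embedded XML is a constructed sample laid out like an azurevpnconfig.xml with placeholder GUIDs and hash; treat the exact element layout as an assumption and adjust the paths if your profile differs.

```python
"""Sanity-check an azurevpnconfig.xml before importing it into the Azure VPN Client.

Added example, not code from the original post. SAMPLE_PROFILE is a
constructed profile modelled on the AzureVPN/azurevpnconfig.xml layout
(assumed, not taken from the post); GUIDs, hash and gateway name are
placeholders.
"""
import xml.etree.ElementTree as ET

AZURE_VPN_AUDIENCE = "41b23e61-6c1e-4545-b367-cd054e0ed4b4"

SAMPLE_PROFILE = """<?xml version="1.0" encoding="utf-8"?>
<AzVpnProfile xmlns="http://schemas.datacontract.org/2004/07/">
  <clientauth>
    <aad>
      <audience>41b23e61-6c1e-4545-b367-cd054e0ed4b4</audience>
      <issuer>https://sts.windows.net/11111111-2222-3333-4444-555555555555/</issuer>
      <tenant>https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/</tenant>
    </aad>
    <type>aad</type>
  </clientauth>
  <name>my-secure-vnet</name>
  <serverlist>
    <ServerEntry>
      <fqdn>azuregateway-00000000-0000-0000-0000-000000000000-0123456789ab.vpn.azure.com</fqdn>
    </ServerEntry>
  </serverlist>
  <servervalidation>
    <cert>
      <hash>0000000000000000000000000000000000000000</hash>
    </cert>
    <type>Cert</type>
  </servervalidation>
  <version>2</version>
</AzVpnProfile>
"""


def _text(root, path):
    """Walk child elements by local name, ignoring the XML namespace."""
    node = root
    for name in path:
        node = next((c for c in node if c.tag.rsplit("}", 1)[-1] == name), None)
        if node is None:
            return None
    return (node.text or "").strip()


def check_profile(xml_text, expected_tenant_id, expected_audience=AZURE_VPN_AUDIENCE):
    """Return a list of problems; an empty list means the profile is safe to import."""
    root = ET.fromstring(xml_text)
    problems = []

    tenant = _text(root, ["clientauth", "aad", "tenant"])
    issuer = _text(root, ["clientauth", "aad", "issuer"])
    audience = _text(root, ["clientauth", "aad", "audience"])
    if tenant != f"https://login.microsoftonline.com/{expected_tenant_id}/":
        problems.append(f"tenant URI {tenant!r} does not match your tenant")
    if issuer != f"https://sts.windows.net/{expected_tenant_id}/":
        problems.append(f"issuer URI {issuer!r} does not match your tenant")
    if audience != expected_audience:
        problems.append(f"audience {audience!r} is not the Azure VPN application")

    # The gateway must be an Azure-hosted endpoint, not an arbitrary host.
    fqdn = _text(root, ["serverlist", "ServerEntry", "fqdn"])
    if not fqdn or not fqdn.endswith(".vpn.azure.com"):
        problems.append(f"gateway FQDN {fqdn!r} is not under vpn.azure.com")

    # Without a server certificate hash the client cannot pin the gateway.
    if not _text(root, ["servervalidation", "cert", "hash"]):
        problems.append("profile has no server certificate hash")
    return problems


if __name__ == "__main__":
    print(check_profile(SAMPLE_PROFILE, "11111111-2222-3333-4444-555555555555"))
```

For a real profile, read the file from the extracted AzureVPN folder and pass the tenant ID you used on the Point-to-site blade; anything in the returned list is a reason not to import it.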

Connect to the VPN

When you click Connect, you will be prompted to sign in to your Azure account; the gateway accepts the connection only if the resulting token carries the issuer and audience configured earlier.

Create Virtual Machine

Now that the network infrastructure is set up, we can create a virtual machine inside the virtual network. I will be creating a Windows VM; here are the details I used to create it:

Basics Tab

  • Resource group: RGTEST1
  • Name: my-secure-vm
  • Image: Windows Server 2019 Datacenter - x64 Gen2
  • Size: Standard_B2s - 2 vcpus, 4 GiB memory
  • Username: adminUser
  • Password: ****************** (a long, unique password; this is the only credential protecting RDP once you are inside the VNet)
  • Public Inbound Ports: Allow Selected Ports
  • Select Inbound Ports: RDP (3389)

The inbound-port selection creates a network security group rule that allows 3389 from any source. With no public IP that rule is not reachable from the internet, but it is still wider than needed: after the VM is created, edit the rule so that its source is the VPN client address pool (10.1.3.0/27) rather than Any.

Networking Tab

  • Virtual network: my-secure-vnet (the VNet we created earlier)
  • Public IP: None (we won't be needing a public-facing IP address for this VM)

⚠️ Price Alert: Creating a VM is NOT free
DELETE ALL RESOURCES AFTER PRACTICE

Click Create.
Go to the newly created VM resource and note its private IP address.

Logging into VM with Private IP

  1. Connect to your virtual network with the Azure VPN Client.
  2. Open Remote Desktop Connection.
  3. Enter the VM's private IP address.
  4. Enter the username and password set when creating the VM.

If the RDP session times out, confirm that the client received an address from the 10.1.3.0/27 pool and that the NSG rule on the VM allows 3389 from that range.

Conclusion

Throughout this guide, we've walked through setting up a Point-to-Site (P2S) VPN connection in Azure: from understanding what a P2S VPN is, to configuring the gateway with Microsoft Entra ID authentication, consenting to the Azure VPN application, and connecting a remote device to a VM that has no public IP at all. With this in place, remote staff reach your Azure infrastructure through an authenticated, encrypted tunnel instead of through ports exposed to the internet.
