Table of Contents
- Introduction
- Understanding Point-to-Site (P2S) VPN Connection
- Setting up P2S VPN Connection in Azure
- Step by step P2S VPN implementation
- Create Virtual Machine
- Logging into VM with Private IP
- Conclusion
Introduction
In a world where remote work has become the norm, ensuring secure and reliable access to company infrastructure is increasingly important. Cloud platforms like Microsoft Azure offer tools for establishing secure connections between remote users and resources hosted in the cloud. One such tool is the Point-to-Site (P2S) VPN, a mechanism that lets individual devices connect securely to your Azure infrastructure.
In this guide, we'll walk through the process of setting up a Point-to-Site VPN connection in Azure, with step-by-step instructions for establishing a secure link between your local device and your Azure infrastructure.
Understanding Point-to-Site (P2S) VPN Connection
Before diving into the setup process, let's briefly explain what a Point-to-Site VPN connection is and how it functions. In a Point-to-Site VPN configuration, individual client devices establish encrypted connections to a virtual network in Azure. This enables remote users to securely access resources such as Azure Virtual Machines, Azure SQL Databases, and other services within the virtual network, as if they were directly connected to it.
P2S Example Scenario
A company, XYZ, has an Azure virtual machine (VM) that has both a public and a private IP address and sits inside an Azure virtual network. Usually, logging into the VM is done with the public IP address, but this is insecure because the connection goes over the internet. So the company decides to get rid of the public IP entirely and requires staff to access the VM using only the private IP.
When staff try to reach the VM via its private IP, they get a connection error, because that private IP address is not reachable from outside the Azure virtual network. In other words, attempting to access the VM solely via its private IP address from an external network, such as the internet or another corporate network, won't establish a connection, due to network isolation.
To solve this and let staff reach the VM securely, Company XYZ sets up a Point-to-Site (P2S) VPN connection in Azure. With this in place, team members can safely connect to the Azure virtual network that hosts the VM from anywhere they have internet access.
Setting up P2S VPN Connection in Azure
We will go over setting up everything from scratch, including the virtual machine. Here are resources and tools that will be used in this setup:
- Resource Group
- Virtual Machine
- Virtual Network (VNet) and Subnets
- Virtual Network Gateway
- Azure VPN Client
Step by step P2S VPN implementation
Create resource group
Create a resource group named "RGTEST1". Every other resource in this guide is created in this resource group.
Create virtual network
Create a virtual network resource in the RGTEST1 resource group with the following details:
- Name: my-secure-vnet
Create gateway subnet
Create a gateway subnet in the "my-secure-vnet" virtual network.
Create virtual network gateway
Create a virtual network gateway resource with the following details:
- Name: secure-vnet-gtw
- SKU: VpnGw1
- Gateway type: VPN
- Generation: Generation 1
- Virtual network: my-secure-vnet
- Public IP address name: vnet-gtw-ip
- Enable active-active mode: Disabled
⚠️ Price alert: a virtual network gateway is NOT free. The only exception is the VpnGw1 SKU, which is free for the first 12 months of an Azure free account subscription.
⚠️ DELETE ALL RESOURCES AFTER PRACTICE
Point-to-Site Configuration
In the virtual network gateway resource, open Point-to-site configuration under the Settings section in the left menu and click Configure now. You should see something like this:
Use the details below to complete the configuration:
- Address pool (can be any valid address range of your choice): 10.1.3.0/27
- Tunnel type: OpenVPN(SSL)
- Authentication type: Azure Active Directory
- Tenant ID: https://login.microsoftonline.com/<YOUR_TENANT_ID>/ (for your tenant id go to Microsoft Entra ID -> Properties)
- Audience (same for everyone): 41b23e61-6c1e-4545-b367-cd054e0ed4b4
- Issuer: https://sts.windows.net/<YOUR_TENANT_ID>/
Click Save.
Note:
- The trailing "/" in the Tenant ID and Issuer values is required.
- Saving can take up to 30 minutes.
Authorize the Azure VPN application
Make sure you are signed in to the Azure portal as a Global Administrator.
Copy the link below and replace <YOUR_TENANT_ID> with your Azure tenant ID.
https://login.microsoftonline.com/<YOUR_TENANT_ID>/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent
You will be prompted to sign in again; sign in as the Global Administrator user. You should then see this:
Click "Accept".
Download VPN Client Configuration
When the P2S configuration has finished saving, refresh the page and click the Download VPN Client button.
A zipped file is downloaded. Extract its contents to a folder. The contents are as shown below:
Install the Azure VPN client
Download and install the Azure VPN Client from the Microsoft Store (for Windows PCs) or the Mac App Store (for Mac).
Import VPN Client Configuration
Open the Azure VPN Client and click the plus sign at the bottom left.
Click on Import.
Navigate to the extracted contents from step 7 and select the file AzureVPN/azurevpnconfig.xml.
After importing, click Save.
Connect to the VPN
When you click the Connect button, you will be prompted to log in to your Azure account for authentication.
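As an added example (not from the original post), the resource group, virtual network, gateway subnet and Point-to-Site gateway steps above as an Azure CLI script. Names, the address pool and the audience value are taken from the post; the region, VNet address space and GatewaySubnet prefix are assumptions, and the script assumes the `az` CLI is installed and logged in. It also performs the two checks that most often break this setup: the tenant ID must be a GUID, and the tenant and issuer URLs must carry their trailing "/".

```shell
#!/bin/sh
# Added example, not from the original post: the resource group, VNet, gateway subnet
# and P2S gateway steps as Azure CLI commands. Names and addresses come from the
# post; the region, VNet address space and GatewaySubnet prefix are assumptions.
# Assumes the az CLI is installed and logged in. DRY_RUN=1 (default) only echoes commands.
RG=RGTEST1
LOCATION=${LOCATION:-eastus}
VNET=my-secure-vnet
VNET_PREFIX=10.0.0.0/16          # must NOT overlap the client address pool below
GW_SUBNET_PREFIX=10.0.255.0/27   # the gateway subnet must be named GatewaySubnet
GW=secure-vnet-gtw
GW_IP=vnet-gtw-ip
CLIENT_POOL=10.1.3.0/27          # P2S address pool from the post
AUDIENCE=41b23e61-6c1e-4545-b367-cd054e0ed4b4   # Azure VPN client audience from the post

# Reject anything that is not a GUID before it is written into the gateway settings.
validate_tenant_id() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}
# Both URLs need the trailing "/" (see the note above); build them in one place.
tenant_uri() { printf 'https://login.microsoftonline.com/%s/' "$1"; }
issuer_uri() { printf 'https://sts.windows.net/%s/' "$1"; }

run() { if [ "${DRY_RUN:-1}" = "1" ]; then echo "+ $*"; else "$@"; fi; }

create_p2s_gateway() {
  tenant_id=$1
  validate_tenant_id "$tenant_id" || { echo "invalid tenant id: $tenant_id" >&2; return 1; }
  run az group create -n "$RG" -l "$LOCATION"
  run az network vnet create -g "$RG" -n "$VNET" --address-prefixes "$VNET_PREFIX" \
      --subnet-name default --subnet-prefixes 10.0.0.0/24
  run az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n GatewaySubnet \
      --address-prefixes "$GW_SUBNET_PREFIX"
  run az network public-ip create -g "$RG" -n "$GW_IP" --sku Standard --allocation-method Static
  # VpnGw1, OpenVPN tunnel and Microsoft Entra ID (AAD) authentication, as configured in the portal.
  run az network vnet-gateway create -g "$RG" -n "$GW" --vnet "$VNET" --public-ip-address "$GW_IP" \
      --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1 \
      --address-prefixes "$CLIENT_POOL" --client-protocol OpenVPN --vpn-auth-type AAD \
      --aad-tenant "$(tenant_uri "$tenant_id")" --aad-audience "$AUDIENCE" \
      --aad-issuer "$(issuer_uri "$tenant_id")"
}

# Usage: DRY_RUN=0 sh p2s-gateway.sh <tenant-id>
if [ -n "${1:-}" ]; then create_p2s_gateway "$1"; fi
```

Gateway creation itself still takes up to the 30 minutes mentioned above; the Azure VPN application consent and client import steps remain as described.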
Create Virtual Machine
Now that our network infrastructure is set up, we can go ahead and create a virtual machine inside the virtual network. I will be creating a Windows VM; here are the details I used to create it:
Basics Tab
- Resource group: RGTEST1
- Name: my-secure-vm
- Image: Windows Server 2019 Datacenter - x64 Gen2
- Size: Standard_B2s - 2 vcpus, 4 GiB memory
- Username: adminUser
- Password: ******************
- Public inbound ports: Allow selected ports
- Select Inbound Ports: RDP (3389)
Networking Tab
- Virtual network: my-secure-vnet (the VNet we created earlier)
- Public IP: None (we won't be needing a public-facing IP address for this VM)
⚠️ Price alert: creating a VM is NOT free.
⚠️ DELETE ALL RESOURCES AFTER PRACTICE
Click Create.
Go to the newly created VM resource and note its private IP address.
Logging into VM with Private IP
- Connect your virtual network with Azure VPN Client
- Open Remote Desktop Connection
- Input the Private IP
- Input Username and Password that we set when creating the VM
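As an added example (not from the original post), the VM creation and private-IP lookup above as an Azure CLI script. The portal's "Allow selected ports" choice creates an RDP rule open to any source; this script instead pins the rule to the P2S client pool and includes a small audit function for existing RDP rules. The NSG name, subnet name and image alias are assumptions; VM name, size, username and the client pool are from the post, and the `az` CLI is assumed to be logged in.

```shell
#!/bin/sh
# Added example, not from the original post: the VM step as Azure CLI commands, with the
# RDP (3389) rule restricted to the P2S client pool and an audit for rules that are not.
# NSG name, subnet name and image alias are assumptions; the rest is from the post.
RG=RGTEST1
VNET=my-secure-vnet
SUBNET=default                  # assumption: the non-gateway subnet of my-secure-vnet
VM=my-secure-vm
NSG=my-secure-vm-nsg            # assumption
CLIENT_POOL=10.1.3.0/27         # P2S address pool configured on the gateway
ADMIN=adminUser

run() { if [ "${DRY_RUN:-1}" = "1" ]; then echo "+ $*"; else "$@"; fi; }

# Only the VPN client pool may reach RDP. "*", Internet or 0.0.0.0/0 would expose the
# port the moment a public IP is attached to the NIC again.
rdp_source_acceptable() {
  case "$1" in
    "$CLIENT_POOL") return 0 ;;
    *) return 1 ;;
  esac
}
# Audit source prefixes of RDP allow rules, one per line on stdin, e.g. from:
#   az network nsg rule list -g "$RG" --nsg-name "$NSG" \
#     --query "[?destinationPortRange=='3389' && access=='Allow'].sourceAddressPrefix" -o tsv
# Returns 1 if any rule allows RDP from outside the pool.
audit_rdp_sources() {
  bad=0
  while IFS= read -r src; do
    [ -z "$src" ] && continue
    if rdp_source_acceptable "$src"; then echo "ok   $src"; else echo "OPEN $src"; bad=1; fi
  done
  return "$bad"
}

create_private_vm() {
  run az network nsg create -g "$RG" -n "$NSG"
  run az network nsg rule create -g "$RG" --nsg-name "$NSG" -n AllowRdpFromVpnClients \
      --priority 1000 --access Allow --direction Inbound --protocol Tcp \
      --source-address-prefixes "$CLIENT_POOL" --destination-port-ranges 3389
  # --public-ip-address "" gives the NIC no public IP, matching the Networking tab above.
  run az vm create -g "$RG" -n "$VM" --image Win2019Datacenter --size Standard_B2s \
      --admin-username "$ADMIN" --admin-password "$ADMIN_PASSWORD" \
      --vnet-name "$VNET" --subnet "$SUBNET" --nsg "$NSG" --public-ip-address ""
  # The private IP to enter in Remote Desktop once the VPN client is connected.
  run az vm show -g "$RG" -n "$VM" -d --query privateIps -o tsv
}
# Usage: ADMIN_PASSWORD='...' DRY_RUN=0 sh private-vm.sh
if [ -n "${ADMIN_PASSWORD:-}" ]; then create_private_vm; fi
```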
Conclusion
Throughout this guide, we've navigated the process of setting up a Point-to-Site (P2S) VPN connection in Azure. From understanding the concept of P2S VPNs to configuring the necessary resources in Azure and connecting remote devices securely, we've covered the essentials. By implementing this solution, you can ensure secure access to your Azure infrastructure for your remote workforce, enabling seamless collaboration and productivity from any location.