Archive for June, 2017

Configure VPN to Azure Network

June 1, 2017

Microsoft Azure still lives in two worlds, the classic portal and the Resource Manager (RM) model. This is similar to AWS, except that AWS integrated and retired the old one. The new account I created in Azure has all of its assets in the RM model. Microsoft is known for its UI, and the Azure portal is pretty good compared to the AWS Management Console.

Having all my Azure assets in the RM model made life easier in some respects and slightly painful in others, such as setting up a VPN. I wanted to enable VPN access and was looking to set up a Point-to-Site (P2S) VPN. In my earlier post on “Securing Cloud assets“, I mentioned the different mechanisms (P2S, S2S, ExpressRoute, etc.). Here we will look at the simplest one, P2S, in detail. All of the Azure documentation pointed to using PowerShell rather than the portal (UI). The documentation given here in Azure is pretty complete.

I have nothing against PowerShell, but users of Microsoft products are used to its beautiful and elegant UI. I started the journey to do this using the portal, and I was successful in doing so except for a couple of cmdlets.

First things first: I followed the instructions in this link to make sure PowerShell was working and that it had the right version of the Azure cmdlets.

All I had to use PowerShell for was logging in; the rest of it, up until generating the root and client certificates, I did from the portal.


To generate the root and client certificates, you need to use this cmdlet:


The link below clearly states the process to generate and export the certificates.

For simplicity's sake, I did not have a load balancer or front-end and back-end VNets. I had only one server instance with one VNet, and I created another VNet for the VPN gateway. Once you are done creating the virtual network gateway using the portal, go to the virtual network gateway, click on the Point-to-site configuration, and add the root certificate (the one I generated using the cmdlet and exported using the certificate manager) by opening the .cer file, copying the content between the “-----BEGIN CERTIFICATE-----” and “-----END CERTIFICATE-----” lines (not including those two lines), and pasting it into the portal. Only the root certificate's public half goes into the portal; the root's private key stays on your machine and is what you will use to sign client certificates later. If the address pool (the IP range handed to VPN clients) is missing, add that as well. Finally, go to the top and download the client package.
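The post does not name the cmdlet it used, so here is an added example (not code from the original post) that generates the root and client certificates and produces the root's public data in exactly the form the portal asks for, the base64 body without the BEGIN/END lines. It uses `New-SelfSignedCertificate`, which is the cmdlet the Azure P2S documentation relies on, and assumes Windows 10 with PowerShell 5.1; the certificate names and the export path are placeholders.

```powershell
# Added example, not from the original post. Assumes Windows 10 / PowerShell 5.1.
# Certificate names and the export path below are placeholders.

function New-P2SRootCertificate {
    param([string]$Name = "P2SRootCert")   # placeholder name
    # Self-signed root: exportable so it can be backed up, CertSign so it can sign client certs.
    New-SelfSignedCertificate -Type Custom -KeySpec Signature `
        -Subject "CN=$Name" -KeyExportPolicy Exportable `
        -HashAlgorithm sha256 -KeyLength 2048 `
        -CertStoreLocation "Cert:\CurrentUser\My" `
        -KeyUsageProperty Sign -KeyUsage CertSign
}

function New-P2SClientCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Root,
        [string]$Name = "P2SChildCert"     # placeholder name
    )
    # Client-authentication EKU (1.3.6.1.5.5.7.3.2), signed by the root, installed in the
    # current user's store so the VPN client on this machine can find it.
    New-SelfSignedCertificate -Type Custom -DnsName $Name -KeySpec Signature `
        -Subject "CN=$Name" -KeyExportPolicy Exportable `
        -HashAlgorithm sha256 -KeyLength 2048 `
        -CertStoreLocation "Cert:\CurrentUser\My" `
        -Signer $Root -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
}

function Get-P2SRootPublicData {
    param([Parameter(Mandatory)]$Root)
    # RawData is the DER-encoded public certificate only (no private key). Its base64 form
    # is exactly what sits between the BEGIN/END lines of a Base-64 .cer export.
    [Convert]::ToBase64String($Root.RawData)
}

function Get-PublicDataFromCerFile {
    param([Parameter(Mandatory)][string]$Path)
    # Recover the same value from an already exported Base-64 .cer: drop the BEGIN/END
    # lines and join the remaining lines so the portal receives a single base64 string.
    (Get-Content $Path | Where-Object { $_ -notmatch '^-----(BEGIN|END) CERTIFICATE-----$' }) -join ''
}

function Export-P2SRootPublicCer {
    param([Parameter(Mandatory)]$Root, [Parameter(Mandatory)][string]$Path)
    # Write a PEM-style .cer containing only the public half, line-wrapped like certmgr's export.
    $body = [Convert]::ToBase64String($Root.RawData, 'InsertLineBreaks')
    "-----BEGIN CERTIFICATE-----`n$body`n-----END CERTIFICATE-----" | Set-Content -Path $Path -Encoding ASCII
}

$root   = New-P2SRootCertificate
$client = New-P2SClientCertificate -Root $root

# Public data for the portal's Point-to-site configuration > Root certificates field.
$publicData = Get-P2SRootPublicData -Root $root
Set-Clipboard -Value $publicData

# Keep a copy of the public half; the private key stays in Cert:\CurrentUser\My and
# is the only thing that can mint further client certificates, so protect that store.
$cerPath = "$env:USERPROFILE\P2SRootCert.cer"   # placeholder path
Export-P2SRootPublicCer -Root $root -Path $cerPath
if ((Get-PublicDataFromCerFile -Path $cerPath) -ne $publicData) { throw "exported .cer does not match in-store root" }
```

The last line is a cheap consistency check: the value you paste into the portal and the value stored in the .cer file should be identical, which catches a copy that accidentally included a header line or a line break.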

Once downloaded, install the package and then go to “Change VPN settings” on your Windows 10 PC or laptop; you will see your new VPN. Click it, connect, and you are all set. One more important item to remember after you connect the VPN: use the private IP of the server to RDP, not the public IP. You can find the private IP of the server in the network interface section of the portal, or you can get it by connecting to the server and running ipconfig.
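As an added check (not part of the original post), the following PowerShell confirms from the client side that the tunnel is up, reads the server's private IP the same way the portal shows it, and verifies that RDP answers on the private IP over the VPN while the public IP stays closed. It assumes Windows 10 with the VpnClient module, that the Azure client package registered the VPN as a normal connection entry visible to `Get-VpnConnection`, and that `Login-AzureRmAccount` has already been run for the AzureRM cmdlet; the VPN name, resource group, NIC name and public IP are placeholders.

```powershell
# Added example, not from the original post. Names and addresses are placeholders.

function Get-P2SConnectionState {
    param([Parameter(Mandatory)][string]$VpnName)
    # The client package adds an entry under "Change VPN settings"; ConnectionStatus reads
    # 'Connected' once the tunnel is up. (Assumes the entry is visible to Get-VpnConnection.)
    (Get-VpnConnection -Name $VpnName).ConnectionStatus
}

function Get-ServerPrivateIp {
    param(
        [Parameter(Mandatory)][string]$ResourceGroup,
        [Parameter(Mandatory)][string]$NicName
    )
    # Same value the portal shows under the server's network interface.
    $nic = Get-AzureRmNetworkInterface -ResourceGroupName $ResourceGroup -Name $NicName
    $nic.IpConfigurations[0].PrivateIpAddress
}

function Test-RdpReachability {
    param([Parameter(Mandatory)][string]$PrivateIp, [string]$PublicIp)
    # Expected: TCP 3389 reachable on the private IP through the tunnel; if a public IP is
    # given, it should NOT answer, since RDP is meant to be reachable only over the VPN.
    $result = [ordered]@{
        PrivateRdpOpen = (Test-NetConnection -ComputerName $PrivateIp -Port 3389 `
                              -WarningAction SilentlyContinue).TcpTestSucceeded
    }
    if ($PublicIp) {
        $result.PublicRdpOpen = (Test-NetConnection -ComputerName $PublicIp -Port 3389 `
                                     -WarningAction SilentlyContinue).TcpTestSucceeded
    }
    [pscustomobject]$result
}

$vpnName = "MyAzureVnet"                                   # placeholder: name shown under Change VPN settings
$state = Get-P2SConnectionState -VpnName $vpnName
if ($state -ne 'Connected') {
    Write-Warning "VPN '$vpnName' is $state; connect it before using the private IP"
}

$privateIp = Get-ServerPrivateIp -ResourceGroup "demo-rg" -NicName "server1-nic"   # placeholders
$check = Test-RdpReachability -PrivateIp $privateIp -PublicIp "203.0.113.10"       # placeholder public IP
$check

if (-not $check.PrivateRdpOpen) { Write-Warning "RDP not reachable on $privateIp; check the VPN and the NSG rules" }
if ($check.PublicRdpOpen)       { Write-Warning "RDP is exposed on the public IP; restrict it to VPN-only access" }
```

If the second warning fires, the server is accepting RDP from the internet regardless of the VPN, which is exactly the exposure the next paragraph's load balancer arrangement is meant to avoid.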

This is a demo. The secure way is to use the load balancer, define a new port for RDP, and do port forwarding from the load balancer to the server, so that RDP is not exposed directly on the server's public IP. The VPN should be set to connect through the load balancer.