Configure VPN to Azure Network

Microsoft Azure still lives in two worlds: the classic portal and the Resource Manager (RM) model. This is similar to AWS, except that AWS integrated and retired the old one. The new account I created in Azure has all of its assets in the RM model. Microsoft is known for its UIs, and the Azure portal is pretty good compared to the AWS Management Console.

Having all my Azure assets in the RM model made life easier in some ways and slightly painful in others, such as setting up a VPN. I wanted to enable VPN access and was looking to set up a Point-to-Site (P2S) VPN. In my earlier post on “Securing Cloud assets”, I mentioned the different mechanisms (P2S, S2S, ExpressRoute etc.). Here we will look at the simplest one, P2S, in detail. Every piece of Azure documentation was pointing to PowerShell rather than the portal (UI). The documentation given here by Azure is pretty complete:

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-rm-ps

I have nothing against PowerShell, but users of Microsoft products are used to the beautiful and elegant UI. I started the journey to do this using the portal and was successful in doing so, apart from a couple of cmdlets.

First things first, I followed the instructions in this link to make sure PowerShell is working and that it has the right version of the Azure cmdlets:

https://docs.microsoft.com/en-us/powershell/azure/install-azurerm-ps?view=azurermps-4.0.0

All I had to use PowerShell for was logging in; the rest of it, up until generating the root and client certificates, I did from the portal.

Login-AzureRmAccount

To generate the root and client certificates, you need to use this cmdlet:

New-SelfSignedCertificate

The link below clearly states the process to generate and export the certificates:

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site#rootcert

For simplicity's sake, I did not have a load balancer or front-end and back-end vnets. I had only one server instance with one vnet, and I created another vnet for the VPN gateway. Once you are done creating the virtual network gateway using the portal, go to the virtual network gateway, click on the Point-to-site configuration and add the root certificate (the one I generated using the cmdlet and exported using the certificate manager) by opening the .cer file, copying the content between the “—Begin …—” and “—End …—” lines (not including those two lines) and pasting it into the portal. Only the public root certificate goes into the portal; the root's private key stays on the machine that issues client certificates. If the address pool (IP range) is missing, add that as well. Finally, go to the top and download the client package.
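The certificate step above, as an added PowerShell example that is not from the original post or the Azure docs: it creates the root and client certificates with New-SelfSignedCertificate and produces the Base64 text the portal's root certificate field expects, so nothing has to be copied out of a .cer file by hand. The certificate names and output path are assumptions.

```powershell
# Added example: P2S root + client certificate generation and export of the
# root's public data for the portal. Names and output path are assumptions.
$rootName   = "P2SRootCert"    # assumed name
$clientName = "P2SChildCert"   # assumed name
$outFile    = "$env:USERPROFILE\$rootName.b64"   # assumed output path

# Root certificate: signing key only (KeyUsage CertSign), stored in the
# current user's store. Exportable so it can be backed up offline, but it is
# never uploaded anywhere; only its public half goes to Azure.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=$rootName" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyUsageProperty Sign -KeyUsage CertSign

# Client certificate issued by that root. The text extension sets the
# Enhanced Key Usage to Client Authentication (OID 1.3.6.1.5.5.7.3.2),
# which the VPN client needs. One certificate per user/device keeps
# revocation granular.
$client = New-SelfSignedCertificate -Type Custom -DnsName $clientName `
    -KeySpec Signature -Subject "CN=$clientName" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -Signer $root -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

# Sanity check before uploading anything: the client must chain to the root.
if ($client.Issuer -ne $root.Subject) {
    throw "Client certificate was not issued by $rootName"
}

# Export the root's public certificate only (DER, no private key) and
# Base64-encode it. This is exactly the text between the BEGIN/END lines of
# a Base64-encoded .cer export, i.e. what the portal field wants.
$der = $root.Export(
    [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$publicCertData = [Convert]::ToBase64String($der)
$publicCertData | Out-File -FilePath $outFile -Encoding ascii

# Keep the thumbprints: the root's identifies which root a gateway trusts,
# the client's is what the portal's "Revoked certificates" list takes if a
# device is lost.
Write-Output "Root thumbprint:   $($root.Thumbprint)"
Write-Output "Client thumbprint: $($client.Thumbprint)"
Write-Output "Root public data written to $outFile"
```

Paste the contents of the .b64 file into the Point-to-site root certificate field; the client certificate is already in the user's personal store, which is where the downloaded VPN client looks for it.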

Once downloaded, install the package and then go to “Change VPN settings” on your Windows 10 PC/laptop, where you will see your new VPN. Click Connect and you are all set. One more important item to remember after you connect to the VPN: use the private IP of the server to RDP, not the public IP. You can find the private IP of the server in the network interface section of the portal, or you can get it by connecting to the server and running ipconfig.

This is a demo; the secure way is to use the load balancer, define a new port for RDP and port-forward from the load balancer to the server, so that RDP is never exposed directly on the server's public IP. The VPN should be set to connect through the load balancer.
