Configuring a Point-to-Site Connection to a VNet using Azure Portal
A Point-to-Site (P2S) VPN create a secure connection to an Azure virtual network from individual computer via Secure Socket Tunneling Protocol (SSTP) tunnel over the Internet. A P2S VPN is an important when you have a small number of clients computers that you need to connect to an Azure virtual network from any location from the Internet. You do not need a dedicated VPN device or an on-premises public facing IP address. From the Azure infrastructure standpoint, you must configure a VPN gateway associated with the target Azure virtual network, same as a site-to-site VPN. P2S creates the VPN connection over SSTP (Secure Socket Tunneling Protocol), or IKEv2. SSTP depends on certificates to authenticate and encrypt connection between clients and the Azure VPN gateway. You can either use an internal or non-Microsoft certification authority (CA) or generated self-signed certificates. Lastly, you need to add an IP address range for VPN client computers. In the VPN connection process, a VPN client automatically receives an IP address from this range.
The following steps use to configure a point-to-site connection using the Azure Portal:
1. Create an Azure Resource Group.
2. Create a Virtual Network and Add a Gateway Subnet.
3. Create a Virtual Network Gateway and Add a Public IP address for Azure VPN Gateway.
4. Generate root and client certificates.
5. Add the client address pool.
6. Upload the root certificate public certificate data
7. Download VPN Client and Install on local machine
8. Connect to Azure
9. Verify the VPN Connection
Step 1: Creating an Azure Resource Group
1. Open your Azure Management Portal at https://portal.azure.com.
2. In the portal, click on Resource groups. On the Resource groups blade, click on Add.
3. On the Resource groups blade, type the following values, and then click on the Create button:
- Resource group name: MSSERVERPRO-ASA-RG01
- Subscription: Use the default subscription
- Resource group location: Select your preferred location ( Here, I select Southeast Asia)
4. The Resource Group has been successfully created.
Step 2: Create a Virtual Network and Add a Gateway Subnet
1. In the Hubmenu on the left side of the portal page, click New. On the New blade, click Networking. On the Networking blade, click Virtual network.
2. On the Create virtual network blade, specify the following settings, and then click Create:
- Name: MSP-ASA-VN01
- Address space: 10.5.0.0/16
- Subscription: select the Azure subscription in which you want to create a virtual network
- Resource group:
- Use existing resource group: MSSERVERPRO-ASA-RG01
- Location: Southeast Asia (The Azure region that is closest to the location and that is available in your subscription)
- Subnet name: BackEnd
- Subnet address range: 10.5.10.0/24
After the virtual network provisioning is complete, you can configure it further by creating additional subnets such as Gateway Subnet and add additional address space and create subnets.
Create a Gateway Subnet:
Before connecting your virtual network to a gateway, you first need to create the gateway subnet for the virtual network to which you want to connect.
1. With the virtual network created, in the Azure portal, click All resources. Click the MSP-ASA-VN01 virtual network in the All resources If the subscription you selected already has several resources in it, you can enter MSP-ASA-VN01 in the Filter by name…box to easily access the VNet.
2. The MSP-ASA-VN01 blade opens and displays information about the VNet. Click Subnetsblade to display a list of the subnets within the VNet. The only subnet that exists is BackEnd, the subnet you created in step 2.
3. In the MSSERVERPRO-VNet – Subnets blade, click + Gateway Subnet to create a Gateway subnet and specify the Address range (CIDR block) and click OKto create the Gateway subnet.
Step 3: Create a Virtual Network Gateway and Add a Public IP address for Azure VPN Gateway
In this step, you can create the Azure Virtual Network Gateway for your Virtual Network. Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU.
1. In the Hub menu on the left side of the portal page, click New. On the Newblade, click Networking. On the Networking blade, click Virtual network gateway.
2. First you need to give Virtual Network Gateway name: MSP-ASA-GW01. Then extend the Virtual network blade and connect your gateway to the gateway network we previously created in the Virtual Network.
3. Now you need to create a public IP for your gateway. Extend the Public IP address blade and click on Create new.
4. Another blade open and you need to give the new Public IP address a name for the resource and need to save with OK.
5. After you have created the Public IP address, you need to select gateway type you want to use. To deploy a site-to-site VPN based on IPsec, select the gateway type VPN. In the VPN type, select Route-based Most configurations require a Route-based (dynamic routing) VPN type. Then select the gateway SKU from the dropdown.
6. Click Create to begin creating virtual network gateway. The settings are validated and the gateway deploys. Provisioning a virtual network gateway may take up to 45 minutes.
Step 4: Create a self-signed root certificates
Use the New-SelfSignedCertificate cmdlet to create a self-signed root certificate.
1. Download the file from the given below link, https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site#clientcert
2. On Windows 10 computer, open a Windows PowerShell console with elevated privileges. Then you can use the New-SelfSignedCertificate cmdlet to run the following command which will create a root certificate. The following example creates a self-signed root certificate named ‘P2SRootCert’ that is automatically installed in ‘Certificates-Current User\Personal\Certificates’. You can view the certificate by opening msc, or Manage User Certificates.
Root certificate has been successfully created.
Export the public key (.cer)
Point-to-Site (P2S) connections require the certificate public key .cer file (not the private key) to be uploaded to Azure. The following steps help you export the .cer file for your self-signed root certificate:
1.To export the public key of the newly generated certificate, open Manage User Certificates.
2. Navigate to the self-signed root certificate, typically in ‘Certificates – Current User\Personal\Certificates’ store, and right-click the certificate, and then Click All Tasks, and then click Export. This opens the Certificate Export Wizard.
3. On the Certificate Export Wizard, click Next.
4.On the Certificate Export Private key page, Select No, do not export the private key, and then click Next.
5. On the Export File Format page, select Base-64 encoded X.509 (.CER)., and then click Next.
6. On the File to Export, Browse to the location to which you want to export the certificate. For File name, name the certificate file. Then, click Next.
7. Click Finish to export the certificate. You see The export was successful. Click OK to close the wizard.
Create Client Certificate and Export
In a point-to-site VPN, each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. If the client certificate is not installed, authentication fails. You can generate a client certificate from the self-signed root certificate, and then export and install the client certificate.
To generate the client certificate, run the following command from the existing elevated windows PowerShell console:
Step 5: Add the client address pool
The client address pool is a range of private IP addresses range for the VPN client computers. The clients that connect over a Point-to-Site VPN receive an IP address from this range. Use a private IP address range that does not overlap with the on-premises location that you connect from, or the VNet that you want to connect to.
1. Once the virtual network gateway has been created, navigate to the Settings section of the virtual network gateway page. In the Settings section, click Configuration where you change the VPN Gateway performance.
2. In the Virtual network gateway Settings section, click Point-to-site configuration and then click on Configure now to open Address pool.
3. On the Point-to-Site-Configuration page, add the private IP address range that you want to use. Click Save to validate and save the setting.
Step 6: Upload the root certificate public certificate data
After the gateway has been created, you upload the public key information for the root certificate to Azure. Once the public certificate data is uploaded, Azure can use it to authenticate clients that have installed a client certificate generated from the trusted root certificate. You can upload additional trusted root certificates- up to a total of 20.
1. Certificates are added on the Point-to-site configuration page in the Root certificates.
2. Make sure that you exported the root certificate as a Base-64 encoded X.509 (.cer) file. You need to export the certificate in this format so you can open the certificate with text editor.
3. Open the certificate with a text editor, such as Notepad. When copying the certificate data, make sure that you copy the text as one continuous line without carriage returns or line feeds. You may need to modify your view in the text editor to ‘Show Symbol/Show all characters’ to see the carriage returns and line feeds. Copy only the following section as one continuous line:
4. In the Root certificates section, type the Name for the certificate in NAME field and in the PUBLIC CERTIFICATE DATA field, paste the certificate data, and then click on Save. Now this settings has successfully save.
Step 7: Download VPN client and Install on local machine:
Now let’s go back to windows machine again. Here you are going to Download VPN client and install on local machine. And going to save this in the documents folder Go to 64-bit one. Try to install it.
1. At the top of the Point-to-site configuration page, click on Download VPN client to download VPN client software. It takes a few minutes for the client configuration package to generate. I am going to save this in the documents folder.
Let’s go to document folder and unzipped it.
Select the VPN client configuration files that correspond to the architecture of the Windows computer. For a 64-bit processor architecture, choose the ‘VpnClientSetupAmd64‘ installer package. Double-click the package to install it.
If you see a SmartScreen popup, click More info, then Run anyway.
In the User Account Control dialog box, click Yes.
Click Yes to install a VPN Client software.
Step 8: Connect to Azure
On the client computer, navigate to Network Settings and click VPN. The VPN connection shows the name of the virtual network that it connects to.
Click Connect to start the P2S connection to the Azure VNet.
On the Connection status page, click Connect to start the connection.
Step 9: Verify the VPN Connection:
VPN Client Section:
VPN client has received the client IP address what you have defined in the address pool in the Point-to-site configuration.
In the Azure portal Section:
In the Point-to-site configuration section, same the client receive IP address is shown in Allocated IP Addresses.
From VPN connected client, ping and RDP connection to the Azure virtual machine internal ip address.
In this article, you have configured a Point-to-Site connection to a VNet using generating self-signed certificate. In the production environment, it’s highly recommend to use your PKI infrastructure or non-Microsoft certification authority (CA). I hope this help.
it was very nice article but at the last step when you connect to virtual maching you have used the ip address instead of FQDN.
in our case we can access the server with IP address but not using FQDN – how to configure it?