Creating a Point to Site VPN Connection to an Azure Virtual Network


In an earlier blog post on Creating an Azure VM with an Empty Data Disk, I created an Azure virtual machine in an Azure virtual network. In this blog post, I will create a Point to Site (P2S) VPN Connection to an Azure Virtual Network (Vnet). I will follow these steps:

  1. Generate and export certificates for Point-to-Site using PowerShell
  2. Run a PowerShell script to create the Vnet, add the VPN, and upload the public key information
  3. Connect to the Vnet from my desktop using a VPN connection
  4. Update the PowerShell script in my previous blog to create the VM in the front end subnet

My goal is to install an IBM Domino server on the data drive of the VM and then replicate Notes databases to it. I want to use a VPN connection to secure the data transfer, so that replication traffic between my desktop and the server travels inside the IPsec/IKEv2 tunnel rather than across the public Internet.

Below is an architecture diagram of what I want to create (with some pending pieces).

Generate and Export Certificates for Point-to-Site using PowerShell

I followed the instructions on this website to generate and export certificates for Point-to-Site VPN using PowerShell.

I used example 1 in the second step to generate a client certificate.

I exported the root certificate public key (.cer) to a folder named AzureVPN on my C: drive.

I updated the PowerShell script in the next section to reference the root certificate that I exported.
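The following is an added example of the certificate step (my code, not the blog's or Microsoft's script), using the same New-SelfSignedCertificate approach the Microsoft article describes: one self-signed root, then one client certificate per device signed by that root, with only the root's public .cer written out for the gateway. It also covers what a second computer needs (a second client certificate, not a second root) and how a single client is revoked. The names P2SRootCert, P2SClient-Desktop and P2SClient-Laptop, the three-year root validity, the C:\AzureVPN folder and the gateway/resource group names in the comment are assumptions; it needs the PKI module on Windows 10 or Server 2016 or later.

```powershell
# Added example: P2S root plus per-device client certificates (not the blog's own script).
# Assumed names: P2SRootCert, P2SClient-Desktop, P2SClient-Laptop, C:\AzureVPN, VNet1GW, myDominoRG1.
# Run as the Windows user who will dial the VPN; certificates land in Cert:\CurrentUser\My.

$certFolder = "C:\AzureVPN"
New-Item -ItemType Directory -Path $certFolder -Force | Out-Null

# 1. Self-signed root whose only job is to sign client certificates. Its private key never leaves
#    this machine; only the public .cer goes to the gateway. Default validity is one year, so set it.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=P2SRootCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyUsageProperty Sign -KeyUsage CertSign `
    -NotAfter (Get-Date).AddYears(3)

# Public key only, DER-encoded. The gateway script loads this with X509Certificate2 and
# Base64-encodes RawData itself, so a manual Base64 export is not required.
Export-Certificate -Cert $root -FilePath (Join-Path $certFolder "rootcertificate.cer") | Out-Null

# 2. One client certificate per device, all signed by the same root. A new computer needs a new
#    client certificate, not a new root, and per-device certificates can be revoked one at a time.
function New-P2SClientCert {
    param([Parameter(Mandatory)][string]$DeviceName)
    New-SelfSignedCertificate -Type Custom -DnsName $DeviceName -KeySpec Signature `
        -Subject "CN=$DeviceName" -KeyExportPolicy Exportable `
        -HashAlgorithm sha256 -KeyLength 2048 `
        -CertStoreLocation "Cert:\CurrentUser\My" `
        -Signer $root `
        -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")   # EKU: client authentication only
}

$desktopCert = New-P2SClientCert -DeviceName "P2SClient-Desktop"   # this machine: already in the store
$laptopCert  = New-P2SClientCert -DeviceName "P2SClient-Laptop"    # second machine: needs a .pfx

# 3. The laptop needs its certificate with the private key: export a password-protected .pfx and
#    delete the file after importing it there. The root is never exported as a .pfx for this.
$pfxPassword = Read-Host -AsSecureString -Prompt "Password for the laptop .pfx"
Export-PfxCertificate -Cert $laptopCert -FilePath (Join-Path $certFolder "P2SClient-Laptop.pfx") `
    -Password $pfxPassword | Out-Null

# 4. Keep the thumbprints. Revocation on the gateway is per client thumbprint, e.g. for a lost laptop:
#    Add-AzureRmVpnClientRevokedCertificate -VpnClientRevokedCertificateName "P2SClient-Laptop" `
#        -VirtualNetworkGatewayName "VNet1GW" -ResourceGroupName "myDominoRG1" `
#        -Thumbprint $laptopCert.Thumbprint
$desktopCert, $laptopCert | Select-Object Subject, Thumbprint, NotAfter
```

Uploading the root once and issuing client certificates from it is what makes the later "add a second computer" step a client-certificate task rather than a gateway change; revoking by thumbprint only works cleanly when each device has its own certificate.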

PowerShell Script

I used the PowerShell script posted in this Microsoft document Configure a Point-to-Site connection to a VNet using native Azure certificate authentication: PowerShell. I recommend that readers open this document as it contains details that I will not include. For example, the document contains the details on generating the certificates. I made some minor changes to the script. For example, I added comments and Write-Host statements. I moved a few more declarations to the top of the script.

I still need to configure a DNS server, or else remove the -DnsServer 10.2.1.3 configuration from the script. I hope to come back to this at a later date.

Login-AzureRmAccount
Get-AzureRmSubscription | Sort-Object subscriptionName | Select-Object SubscriptionName
Select-AzureRmSubscription -SubscriptionName Pay-As-You-Go
# Configure a Point-to-Site connection to a VNet using native Azure certificate authentication: PowerShell
# https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-rm-ps
# Declare the variables
$VNetName  = "VNetDomino1"
$FESubName = "FrontEnd"
$BESubName = "Backend"
$GWSubName = "GatewaySubnet"
$VNetPrefix1 = "192.168.0.0/16"
$VNetPrefix2 = "10.254.0.0/16"
$FESubPrefix = "192.168.1.0/24"
$BESubPrefix = "10.254.1.0/24"
$GWSubPrefix = "192.168.200.0/26"
$VPNClientAddressPool = "172.16.201.0/24"
$resourceGroup = "myDominoRG1"
$location = "Central US"
$GWName = "VNet1GW"
$GWIPName = "VNet1GWPIP"
$GWIPconfName = "gwipconf"

# Declare the variable for your certificate name, replacing the value with your own
$P2SRootCertName = "rootcertificate.cer"

# Replace the file path with your own
$filePathForCert = "C:\AzureVPN\rootcertificate.cer"

# Create a resource group
Write-Host "Create a resource group"  -ForegroundColor Green
New-AzureRmResourceGroup -Name $resourceGroup -Location $location

# Create the subnet configurations for the virtual network, naming them FrontEnd, BackEnd, and GatewaySubnet.
# https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-vnet-plan-design-arm
# The IP addresses of the subnets you specify must be fully contained within the IP address range for the Virtual Network it resides in.
# Subnet address spaces must not overlap within the Virtual Network.
Write-Host "Create the subnet configurations for the virtual network"  -ForegroundColor Green
$fesub = New-AzureRmVirtualNetworkSubnetConfig -Name $FESubName -AddressPrefix $FESubPrefix
# Only the front end server is accessible via the Internet
# This is where I will put my staging Domino VM
# Permit RDP access to selected front end VMs (ideally have RDP access to one VM only that is shut down until needed)
$besub = New-AzureRmVirtualNetworkSubnetConfig -Name $BESubName -AddressPrefix $BESubPrefix
# Note: I am not using the back end subnet yet
# Only the front end server can talk to the back end servers, and only on agreed upon ports.
# The back end servers cannot receive or send traffic from/to the public internet.
# The back end servers cannot talk to each other.
# Permit RDP access to the back end VMs from within the Vnet only.
$gwsub = New-AzureRmVirtualNetworkSubnetConfig -Name $GWSubName -AddressPrefix $GWSubPrefix

# Create the virtual network with three subnets
# DNS server setting is optional (and I need to configure the DNS server).
# Note: 10.2.1.3 lies outside both address spaces of this VNet (192.168.0.0/16 and 10.254.0.0/16)
# and nothing is listening there yet, so VMs in this VNet will fail name resolution until a DNS
# server exists at that address or the -DnsServer parameter is removed.
Write-Host "Create the virtual network"  -ForegroundColor Green
New-AzureRmVirtualNetwork -Name $VNetName -ResourceGroupName $resourceGroup -Location $location -AddressPrefix $VNetPrefix1,$VNetPrefix2 -Subnet $fesub, $besub, $gwsub -DnsServer 10.2.1.3

# Specify the variables for the virtual network you created
Write-Host "Specify the variables for the virtual network you created"  -ForegroundColor Green
$vnet = Get-AzureRmVirtualNetwork -Name $VNetName -ResourceGroupName $resourceGroup

# The Subnet name GatewaySubnet is mandatory for the VPN gateway to work.
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name $GWSubName -VirtualNetwork $vnet

# Request a dynamically assigned public IP address
Write-Host "Request a dynamically assigned public IP address"  -ForegroundColor Green
$pip = New-AzureRmPublicIpAddress -Name $GWIPName -ResourceGroupName $resourceGroup -Location $location -AllocationMethod Dynamic
$ipconf = New-AzureRmVirtualNetworkGatewayIpConfig -Name $GWIPconfName -Subnet $subnet -PublicIpAddress $pip

# Configure and create the virtual network gateway for your VNet
# Use an Azure VPN gateway to provide a secure tunnel using IPsec/IKE.
# RouteBased is required for Point-to-Site; VpnGw1 with IKEv2 gives the native Windows client an IPsec tunnel.
# Gateway creation can take 45 minutes or more, and the cmdlets that follow need it to finish first.
Write-Host "Configure and create the virtual network gateway for your VNet"  -ForegroundColor Green
New-AzureRmVirtualNetworkGateway -Name $GWName -ResourceGroupName $resourceGroup `
-Location $location -IpConfigurations $ipconf -GatewayType Vpn `
-VpnType RouteBased -EnableBgp $false -GatewaySku VpnGw1 -VpnClientProtocol "IKEv2"

# Add the VPN client address pool
Write-Host "Add the VPN client address pool"  -ForegroundColor Green
$Gateway = Get-AzureRmVirtualNetworkGateway -ResourceGroupName $resourceGroup -Name $GWName
Set-AzureRmVirtualNetworkGateway -VirtualNetworkGateway $Gateway -VpnClientAddressPool $VPNClientAddressPool

# Read the exported root certificate and encode it for upload.
# X509Certificate2 accepts the .cer file whether it was exported as DER or Base64; RawData is the
# DER encoding either way, which is what -PublicCertData expects as a Base64 string.
Write-Host "Read the root certificate"  -ForegroundColor Green
$cert = new-object System.Security.Cryptography.X509Certificates.X509Certificate2($filePathForCert)
$CertBase64 = [system.convert]::ToBase64String($cert.RawData)
# Builds a root-certificate object for reference; the Add- cmdlet below uses $CertBase64 directly.
$p2srootcert = New-AzureRmVpnClientRootCertificate -Name $P2SRootCertName -PublicCertData $CertBase64

# Upload the public key information to Azure.
# Only the public certificate is uploaded. The root's private key stays on the machine that signs
# client certificates; it is never exported to a .pfx for this step.
Write-Host "Upload the public key information to Azure"  -ForegroundColor Green
Add-AzureRmVpnClientRootCertificate -VpnClientRootCertificateName $P2SRootCertName -VirtualNetworkGatewayname $GWName -ResourceGroupName $resourceGroup -PublicCertData $CertBase64

# NOTE: To resolve names in a peered virtual network, deploy your own DNS server, or use Azure DNS private domains. 
Write-Host "Finished!"  -ForegroundColor Green  
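Before downloading the client package it is worth confirming that the gateway really is in the state the script intended. The check below is an added example (not part of the blog's script): it reads the gateway back with the same AzureRM cmdlets and names used above and reports each precondition for a working P2S connection, including the public IP that the client will dial. The property names are those of the AzureRM.Network objects as I know them; treat them as an assumption if your module version differs.

```powershell
# Added example: verify the P2S gateway after the script above has finished (not the blog's code).
# Defaults match the names in the script; the property names follow AzureRM.Network objects.
function Test-P2SGatewayReady {
    param(
        [string]$ResourceGroup = "myDominoRG1",
        [string]$GatewayName   = "VNet1GW",
        [string]$PublicIpName  = "VNet1GWPIP",
        [string]$RootCertName  = "rootcertificate.cer",
        [string]$ClientPool    = "172.16.201.0/24"
    )
    $gw    = Get-AzureRmVirtualNetworkGateway -ResourceGroupName $ResourceGroup -Name $GatewayName
    $pip   = Get-AzureRmPublicIpAddress -ResourceGroupName $ResourceGroup -Name $PublicIpName
    $roots = Get-AzureRmVpnClientRootCertificate -ResourceGroupName $ResourceGroup `
                 -VirtualNetworkGatewayName $GatewayName

    $checks = [ordered]@{
        # Gateway creation takes up to ~45 minutes; nothing below is meaningful before this succeeds.
        ProvisioningSucceeded = ($gw.ProvisioningState -eq 'Succeeded')
        RouteBased            = ($gw.VpnType -eq 'RouteBased')   # P2S requires a route-based gateway
        IKEv2Enabled          = ($gw.VpnClientConfiguration.VpnClientProtocols -contains 'IKEv2')
        ClientPoolSet         = ($gw.VpnClientConfiguration.VpnClientAddressPool.AddressPrefixes -contains $ClientPool)
        RootCertRegistered    = ($roots.Name -contains $RootCertName)
        # A Dynamic public IP is only allocated once the gateway exists; this is what clients dial.
        PublicIpAssigned      = (-not [string]::IsNullOrEmpty($pip.IpAddress))
    }
    $failed = @($checks.GetEnumerator() | Where-Object { $_.Value -is [bool] -and -not $_.Value })
    $checks['PublicIp']  = $pip.IpAddress
    $checks['AllPassed'] = ($failed.Count -eq 0)
    [pscustomobject]$checks
}

Test-P2SGatewayReady
```

If RootCertRegistered is false the client package will still download and install, but every IKEv2 attempt will fail at authentication, so this is the cheapest place to catch a wrong file path or a certificate exported from the wrong store.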


Connect to the Vnet from My Desktop

I get the public IP address assigned to the VNet1GW gateway (the VNet1GWPIP resource; the VNet itself has no public address): 104.43.209.61

I open the Point-to-site configuration for the VNet1GW virtual network gateway in Azure.

I click on Download VPN Client.

I click on Open.

Windows Explorer opens with three folders displayed (WindowsAmd64, WindowsX86 and Generic). I open the WindowsAmd64 folder.

Note: You may have to copy the downloaded VPN zipped folder to another folder on your drive so that you can Run as Administrator.

I right-click on the VpnClientSetupAmd64.exe installer and select Run as administrator.

I click Yes on the VNetDomino1 screen.

The VNetDomino1 VPN connection appears in the Network Settings \ VPN list.

 

I install the VpnServerRoot certificate stored in the Generic folder. This is the root of the certificate that the Azure gateway presents to the client; importing it is what lets Windows validate the gateway during the IKEv2 handshake. It is separate from the client certificate, which must be in the connecting user's Personal store with its private key (it already is on the machine where the certificates were generated).

The Certificate Import Wizard screen appears. I leave the default settings as is and click Next. I repeat on the following screens.

I click OK on the final screen.

I return to Settings and select the VNetDomino1 connection.

I click on the connection and select Advanced Options. I click Edit and update the settings.

I save the settings.

I click on Connect.

I click on Connect on the next screen that appears.

The Connection Manager needs elevated privileges. I click on Continue.

The VPN connects!

I open the VPN configuration to see the settings.

I did have some trouble getting this VPN connection to work. But the steps above seem to be the final solution.
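"The VPN connects!" only proves that IKEv2 authenticated. An added example (my code, not the blog's) that checks the parts a Domino replication session actually depends on: the connection is up, the client received an address from the pool configured on the gateway, both VNet prefixes are routed into the tunnel rather than out the LAN, and RDP on the VM answers on its private address. The connection name and prefixes are those used in this post; the VM address 192.168.1.4 is an assumption for the probe.

```powershell
# Added example: client-side checks on the Windows desktop after the P2S connection is up.
# Names match this post (VNetDomino1, the two VNet prefixes, the client pool); 192.168.1.4 is assumed.
function Test-P2STunnel {
    param(
        [string]$ConnectionName = "VNetDomino1",
        [string[]]$VNetPrefixes = @("192.168.0.0/16", "10.254.0.0/16"),
        [string]$ClientPoolMask = "172.16.201.*",
        [string]$TargetVm       = "192.168.1.4"
    )
    # 1. Is the connection actually connected, not merely defined in Settings?
    $conn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop
    $up   = ($conn.ConnectionStatus -eq 'Connected')

    # 2. Did the client get an address from the pool the gateway hands out?
    $addr   = Get-NetIPAddress -InterfaceAlias $ConnectionName -AddressFamily IPv4 -ErrorAction SilentlyContinue
    $inPool = (@($addr.IPAddress) -like $ClientPoolMask).Count -gt 0

    # 3. Are the VNet prefixes routed through the tunnel interface? Without these routes,
    #    traffic to the VM leaves through the LAN/Internet and simply times out.
    $routes = Get-NetRoute -InterfaceAlias $ConnectionName -AddressFamily IPv4 -ErrorAction SilentlyContinue
    $routed = @($VNetPrefixes | Where-Object { $routes.DestinationPrefix -contains $_ }).Count -eq $VNetPrefixes.Count

    # 4. Does RDP answer on the VM's private address through the tunnel?
    $rdp = Test-NetConnection -ComputerName $TargetVm -Port 3389 -WarningAction SilentlyContinue

    [pscustomobject]@{
        Connected     = $up
        TunnelType    = $conn.TunnelType
        ClientAddress = @($addr.IPAddress) -join ','
        AddressInPool = $inPool
        VNetRouted    = $routed
        RdpReachable  = [bool]$rdp.TcpTestSucceeded
    }
}

Test-P2STunnel
```

A Connected tunnel with VNetRouted false is the usual cause of "the VPN works but I cannot reach anything": the client package adds the routes at install time, so re-downloading and reinstalling the package after changing the VNet address space is the fix.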

Update the PowerShell Script in My Previous Blog

I need to remove the creation of the public IP address, resource group, virtual network and subnets (the VPN script above already created them), and put the VM in the front end subnet.
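As an added example (mine, not the author's updated script), here is how that trimmed VM script can look: it looks up the existing resource group, VNet and FrontEnd subnet instead of creating them, gives the NIC no public IP so the VM is reachable only over the tunnel, and attaches a network security group that admits RDP (3389) and Notes NRPC (TCP 1352) only from the VPN client pool. The VM name vmDomino1, the NSG name fe-nsg, the VM size, image and data disk size are assumptions; the data disk is created empty, as in the earlier post.

```powershell
# Added example, not the blog's updated script: VM in the existing FrontEnd subnet, no public IP,
# with an NSG that limits RDP and Notes NRPC to the P2S client pool.
# Assumed names: vmDomino1, fe-nsg, Standard_DS2_v2, 2016-Datacenter image, 128 GB data disk.
Login-AzureRmAccount
Select-AzureRmSubscription -SubscriptionName Pay-As-You-Go

$resourceGroup = "myDominoRG1"; $location = "Central US"
$VNetName  = "VNetDomino1";     $FESubName = "FrontEnd";  $FESubPrefix = "192.168.1.0/24"
$VPNClientAddressPool = "172.16.201.0/24"
$vmName = "vmDomino1"

# Reuse what the VPN script created instead of creating it again.
$vnet  = Get-AzureRmVirtualNetwork -Name $VNetName -ResourceGroupName $resourceGroup

# NSG: allow admin and replication ports only from VPN clients, then deny all other inbound.
# Without the explicit deny, the default AllowVnetInBound rule would still admit 3389 from any
# VNet address, and the explicit deny keeps the Internet path closed even if a public IP is
# added to this VM later. (If a load balancer is added later, allow the AzureLoadBalancer tag above 4000.)
$rdpFromVpn = New-AzureRmNetworkSecurityRuleConfig -Name "allow-rdp-from-vpn" -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $VPNClientAddressPool -SourcePortRange * `
    -DestinationAddressPrefix $FESubPrefix -DestinationPortRange 3389
$nrpcFromVpn = New-AzureRmNetworkSecurityRuleConfig -Name "allow-notes-nrpc-from-vpn" -Priority 110 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $VPNClientAddressPool -SourcePortRange * `
    -DestinationAddressPrefix $FESubPrefix -DestinationPortRange 1352
$denyRest = New-AzureRmNetworkSecurityRuleConfig -Name "deny-all-other-inbound" -Priority 4000 `
    -Direction Inbound -Access Deny -Protocol * `
    -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange *
$nsg = New-AzureRmNetworkSecurityGroup -Name "fe-nsg" -ResourceGroupName $resourceGroup `
    -Location $location -SecurityRules $rdpFromVpn, $nrpcFromVpn, $denyRest

# Bind the NSG to the FrontEnd subnet so every VM placed there inherits it.
Set-AzureRmVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $FESubName `
    -AddressPrefix $FESubPrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet  = Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
$fesub = Get-AzureRmVirtualNetworkSubnetConfig -Name $FESubName -VirtualNetwork $vnet

# NIC in FrontEnd, deliberately without -PublicIpAddress: the VM is only reachable over the tunnel.
$nic = New-AzureRmNetworkInterface -Name "$vmName-nic" -ResourceGroupName $resourceGroup `
    -Location $location -SubnetId $fesub.Id

# Prompt for the local administrator credential rather than hard-coding it in the script.
$cred = Get-Credential -Message "Local administrator for $vmName"
$vm = New-AzureRmVMConfig -VMName $vmName -VMSize "Standard_DS2_v2" |
    Set-AzureRmVMOperatingSystem -Windows -ComputerName $vmName -Credential $cred -ProvisionVMAgent -EnableAutoUpdate |
    Set-AzureRmVMSourceImage -PublisherName "MicrosoftWindowsServer" -Offer "WindowsServer" -Skus "2016-Datacenter" -Version "latest" |
    Add-AzureRmVMNetworkInterface -Id $nic.Id |
    Add-AzureRmVMDataDisk -Name "$vmName-data" -Lun 0 -CreateOption Empty -DiskSizeInGB 128   # empty data disk for Domino

New-AzureRmVM -ResourceGroupName $resourceGroup -Location $location -VM $vm

# The private address to use in the RDP client once the VPN is connected.
(Get-AzureRmNetworkInterface -Name "$vmName-nic" -ResourceGroupName $resourceGroup).IpConfigurations[0].PrivateIpAddress
```

With no public IP on the NIC, the portal's RDP file will carry the private address, so the VPN must be connected before the RDP step below; that is the intended behaviour, since the VM should never be reachable from the Internet directly.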

Connecting to the Virtual Machine via RDP

Below is the network interface configuration for the virtual machine.

I open the virtual machine record in Azure.

I click on .

The RDP connection record opens.

I keep the settings as is and click on .

I click Open.

I click on Connect.

Connecting to …

The connection is made and I enter credentials. These are the same credentials I entered when the PowerShell script ran to create the VM.

I click Yes to continue.

The RDP connection is made and the Windows Server desktop is displayed.

I can see both drives (C and D) in File Explorer.

Setting the D: Drive for Permanent Storage

I initialize the D: drive.

I then follow the step-by-step instructions here to use the D: drive as a data drive on a Windows VM.

The VM now has three drives. The Temporary Storage drive (the Azure temporary disk, which is wiped whenever the VM is deallocated, resized or redeployed) is used for paging files. The Data Volume drive will be used for running the Domino server (i.e. permanent storage): it is the persistent data disk, so the Domino data directory must live there and never on the temporary disk.

I wish that this drive configuration was easier to perform. In the future, I will use an ARM template after getting this configuration right.
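Until that ARM template exists, the same steps the Microsoft procedure walks through by hand can be scripted. The example below is added here (my code, not the blog's steps or Microsoft's text) and is run as administrator inside the VM in two passes with a reboot between them: move the page file off the temporary disk, then give the temporary disk a different letter and bring the empty data disk up as D:. It assumes the temporary disk is currently D: with its default "Temporary Storage" label, that the data disk is still RAW, and it picks T: for the temporary disk and "Data Volume" as the label; both of those are assumptions.

```powershell
# Added example (not the blog's steps): script the "use D: as the data drive" procedure.
# Run as administrator inside the VM. Pass 1, reboot, then pass 2.
# Assumptions: temp disk is D: labelled "Temporary Storage"; data disk is RAW; new temp letter is T:.

# Pass 1: move the page file from the temporary disk to C: so that D: can be released.
function Move-PageFileToSystemDrive {
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $cs.AutomaticManagedPagefile = $false
    $cs.Put() | Out-Null
    Get-WmiObject -Class Win32_PageFileSetting | ForEach-Object { $_.Delete() }
    # InitialSize and MaximumSize of 0 = system-managed size, now on C:
    Set-WmiInstance -Class Win32_PageFileSetting `
        -Arguments @{ Name = "C:\pagefile.sys"; InitialSize = 0; MaximumSize = 0 } | Out-Null
    Write-Host "Page file moved to C:. Reboot, then run Set-DataDiskAsD." -ForegroundColor Yellow
}

# Pass 2 (after the reboot): free the letter D:, then initialise the data disk as D:.
function Set-DataDiskAsD {
    param([string]$TempLetter = "T")
    $temp = Get-Volume -DriveLetter D -ErrorAction SilentlyContinue
    if ($temp -and $temp.FileSystemLabel -eq "Temporary Storage") {
        Get-Partition -DriveLetter D | Set-Partition -NewDriveLetter $TempLetter
    }
    $raw = Get-Disk | Where-Object PartitionStyle -eq "RAW" | Select-Object -First 1
    if (-not $raw) { throw "No RAW disk found: is the empty data disk attached to the VM?" }
    $raw | Initialize-Disk -PartitionStyle GPT -PassThru |
        New-Partition -DriveLetter D -UseMaximumSize |
        Format-Volume -FileSystem NTFS -NewFileSystemLabel "Data Volume" -Confirm:$false | Out-Null
    # The temporary disk is recreated empty on every deallocate, resize or redeploy; the data
    # disk persists. Re-check the letters after a redeploy before starting Domino.
    Get-Volume | Where-Object DriveLetter |
        Select-Object DriveLetter, FileSystemLabel, @{ n = 'SizeGB'; e = { [math]::Round($_.Size / 1GB) } }
}
```

Keeping the page file on C: costs a little OS-disk I/O but removes the only reason the temporary disk had to be D:, and the final listing is the check that Domino's install path really lands on the persistent volume.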

Next Steps

I need to install the Domino server software, add the server to my domain, and replicate Notes databases to it. I won’t post a blog on how to do that. I suspect that it only interests a handful of people. 😉

Resources

My previous blog post on Creating an Azure VM with an Empty Data Disk.

Click here to read more about planning virtual networks.

Click here to watch a YouTube video presenting a step by step tutorial on creating an Azure VPN point to site setup. This video was published in December 2016, but it was very helpful to me. However, I followed a slightly different process and included links to the websites that had the steps that I followed.

Click here to read the source document titled “Connect an on-premises network to Azure using a VPN gateway” that contains the Microsoft Visio network diagram.

Click here for steps on how to generate and export certificates for Point-to-Site VPN using the Azure portal.

Click here for steps on how to add a second root certificate to give VPN access to a second computer. First generate a new root certificate. Then follow steps 9 to 11.

3 thoughts on “Creating a Point to Site VPN Connection to an Azure Virtual Network”

  1. Great post, thanks for writing this up!

    The last paragraph about adding a new computer seems over-complex – you should not need to add a new VPN root certificate for every machine (though perhaps there’s an Azure VPN limitation I’m not aware of). You can use the existing root certificate to sign the new client certificate, which is required for a new machine.
