Creating a Point to Site VPN Connection to an Azure Virtual Network

In an earlier blog post on Creating an Azure VM with an Empty Data Disk, I created an Azure virtual machine in an Azure virtual network. In this blog post, I will create a Point to Site (P2S) VPN Connection to an Azure Virtual Network (Vnet). I will follow these steps:

  1. Generate and export certificates for Point-to-Site using PowerShell
  2. Run a PowerShell script to create the Vnet, add the VPN, and upload the public key information
  3. Connect to the Vnet from my desktop using a VPN connection
  4. Update the PowerShell script in my previous blog to create the VM in the front end subnet

My goal is to install an IBM Domino server on the data drive of the VM and then replicate Notes databases to it. I want to use a VPN connection to secure the data transfer.

Below is an architecture diagram of what I want to create (with some pending pieces).

Generate and Export Certificates for Point-to-Site using PowerShell

I followed the instructions on this website to generate and export certificates for Point-to-Site VPN using PowerShell.

I used example 1 in the second step to generate a client certificate.

I exported the root certificate public key (.cer) to a folder named AzureVPN on my C: drive.

I updated the PowerShell script in the next section to reference the root certificate that I exported.
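The certificate step that the post delegates to the linked website, written out as an added example (this is my code, not the post's or Microsoft's script). It creates a self-signed root certificate, signs one client certificate with it, exports only the root's public key as the .cer file the post's script reads, exports the client certificate with its private key as a password-protected .pfx for the connecting device, and defines a helper to revoke a single client certificate on the gateway. It assumes an elevated Windows PowerShell session, that the folder C:\AzureVPN already exists, and that the resource group and gateway names are those used in the post's script; the subject names P2SRootCert and P2SChildCert are my choices.

```powershell
# Added example, not part of the original post.
# Assumes C:\AzureVPN exists and the gateway/resource group names from the post's script.
$certFolder = "C:\AzureVPN"

# Self-signed root certificate in the current user's Personal store. It can sign other
# certificates (KeyUsage CertSign). Its private key never leaves this machine; only the
# public .cer is uploaded to the gateway.
$rootCert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=P2SRootCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyUsageProperty Sign -KeyUsage CertSign

# Client certificate signed by the root. The text extension sets Enhanced Key Usage to
# Client Authentication (OID 1.3.6.1.5.5.7.3.2), which the VPN client requires.
# Issue one certificate per device so a single lost device can be revoked on its own.
$clientCert = New-SelfSignedCertificate -Type Custom -DnsName "P2SChildCert" -KeySpec Signature `
    -Subject "CN=P2SChildCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -Signer $rootCert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

# Export only the root's public key as DER (.cer). This is the file the post's script loads
# into X509Certificate2 and base64-encodes for Add-AzureRmVpnClientRootCertificate.
$rootCerPath = Join-Path $certFolder "rootcertificate.cer"
Export-Certificate -Cert $rootCert -FilePath $rootCerPath -Type CERT | Out-Null

# Export the client certificate WITH its private key as a password-protected .pfx to install
# on the connecting device. This file authenticates the client; it is never uploaded to Azure.
$pfxPassword   = Read-Host -AsSecureString -Prompt "Password to protect the client .pfx"
$clientPfxPath = Join-Path $certFolder "P2SChildCert.pfx"
Export-PfxCertificate -Cert $clientCert -FilePath $clientPfxPath -Password $pfxPassword | Out-Null

Write-Host "Root public key  : $rootCerPath"
Write-Host "Client pfx       : $clientPfxPath"
Write-Host "Client thumbprint: $($clientCert.Thumbprint)  (keep this; it identifies the client for revocation)"

# Revoke one client certificate on the gateway. The root stays trusted, so other clients
# keep working; only the listed thumbprint is rejected. Gateway and group names are the post's.
function Revoke-P2SClientCertificate {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Thumbprint
    )
    Add-AzureRmVpnClientRevokedCertificate -VpnClientRevokedCertificateName $Name `
        -VirtualNetworkGatewayName "VNet1GW" -ResourceGroupName "myDominoRG1" `
        -Thumbprint $Thumbprint
}
# Example: Revoke-P2SClientCertificate -Name "P2SChildCert" -Thumbprint $clientCert.Thumbprint
```

Recording each client certificate's thumbprint at issue time is what makes revocation practical later; without it, the only way to cut off a lost device is to replace the root certificate and re-issue every client.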

PowerShell Script

I used the PowerShell script posted in this Microsoft document, Configure a Point-to-Site connection to a VNet using native Azure certificate authentication: PowerShell. I recommend that readers open this document, as it contains details that I will not include; for example, it covers generating the certificates. I made some minor changes to the script: I added comments and Write-Host statements, and I moved a few more declarations to the top of the script.

I still need to configure a DNS server or just remove the -DnsServer 10.2.1.3 configuration from the script. I hope to come back to this at a later date.

Login-AzureRmAccount
Get-AzureRmSubscription | Sort-Object subscriptionName | Select-Object SubscriptionName
Select-AzureRmSubscription -SubscriptionName Pay-As-You-Go
# Configure a Point-to-Site connection to a VNet using native Azure certificate authentication: PowerShell
# https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-rm-ps
# Declare the variables
$VNetName  = "VNetDomino1"
$FESubName = "FrontEnd"
$BESubName = "Backend"
$GWSubName = "GatewaySubnet"
$VNetPrefix1 = "192.168.0.0/16"
$VNetPrefix2 = "10.254.0.0/16"
$FESubPrefix = "192.168.1.0/24"
$BESubPrefix = "10.254.1.0/24"
$GWSubPrefix = "192.168.200.0/26"
$VPNClientAddressPool = "172.16.201.0/24"
$resourceGroup = "myDominoRG1"
$location = "Central US"
$GWName = "VNet1GW"
$GWIPName = "VNet1GWPIP"
$GWIPconfName = "gwipconf"

# Declare the variable for your certificate name, replacing the value with your own
$P2SRootCertName = "rootcertificate.cer"

# Replace the file path with your own
$filePathForCert = "C:\AzureVPN\rootcertificate.cer"

# Create a resource group
Write-Host "Create a resource group"  -ForegroundColor Green
New-AzureRmResourceGroup -Name $resourceGroup -Location $location

# Create the subnet configurations for the virtual network, naming them FrontEnd, BackEnd, and GatewaySubnet.
# https://docs.microsoft.com/en-us/azure/virtual-network/virtual-network-vnet-plan-design-arm
# The IP addresses of the subnets you specify must be fully contained within the IP address range for the Virtual Network it resides in.
# Subnet address spaces must not overlap within the Virtual Network.
Write-Host "Create the subnet configurations for the virtual network"  -ForegroundColor Green
$fesub = New-AzureRmVirtualNetworkSubnetConfig -Name $FESubName -AddressPrefix $FESubPrefix
# Only the front end server is accessible via the Internet
# This is where I will put my staging Domino VM
# Permit RDP access to selected front end VMs (ideally have RDP access to one VM only that is shut down until needed)
$besub = New-AzureRmVirtualNetworkSubnetConfig -Name $BESubName -AddressPrefix $BESubPrefix
# Note: I am not using the back end subnet yet
# Only the front end server can talk to the back end servers, and only on agreed upon ports.
# The back end servers cannot receive or send traffic from/to the public internet.
# The back end servers cannot talk to each other.
# Permit RDP access to the back end VMs from within the Vnet only.
$gwsub = New-AzureRmVirtualNetworkSubnetConfig -Name $GWSubName -AddressPrefix $GWSubPrefix

# Create the virtual network with three subnets
# DNS server setting is optional (and I need to configure the DNS server).
Write-Host "Create the virtual network"  -ForegroundColor Green
New-AzureRmVirtualNetwork -Name $VNetName -ResourceGroupName $resourceGroup -Location $location -AddressPrefix $VNetPrefix1,$VNetPrefix2 -Subnet $fesub, $besub, $gwsub -DnsServer 10.2.1.3

# Specify the variables for the virtual network you created
Write-Host "Specify the variables for the virtual network you created"  -ForegroundColor Green
$vnet = Get-AzureRmVirtualNetwork -Name $VNetName -ResourceGroupName $resourceGroup

# The Subnet name GatewaySubnet is mandatory for the VPN gateway to work.
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name $GWSubName -VirtualNetwork $vnet

# Request a dynamically assigned public IP address
Write-Host "Request a dynamically assigned public IP address"  -ForegroundColor Green
$pip = New-AzureRmPublicIpAddress -Name $GWIPName -ResourceGroupName $resourceGroup -Location $location -AllocationMethod Dynamic
$ipconf = New-AzureRmVirtualNetworkGatewayIpConfig -Name $GWIPconfName -Subnet $subnet -PublicIpAddress $pip

# Configure and create the virtual network gateway for your VNet
# Use an Azure VPN gateway to provide a secure tunnel using IPsec/IKE
Write-Host "Configure and create the virtual network gateway for your VNet"  -ForegroundColor Green
New-AzureRmVirtualNetworkGateway -Name $GWName -ResourceGroupName $resourceGroup `
-Location $location -IpConfigurations $ipconf -GatewayType Vpn `
-VpnType RouteBased -EnableBgp $false -GatewaySku VpnGw1 -VpnClientProtocol "IKEv2"

# Add the VPN client address pool
Write-Host "Add the VPN client address pool"  -ForegroundColor Green
$Gateway = Get-AzureRmVirtualNetworkGateway -ResourceGroupName $resourceGroup -Name $GWName
Set-AzureRmVirtualNetworkGateway -VirtualNetworkGateway $Gateway -VpnClientAddressPool $VPNClientAddressPool

# Run the cmdlets
Write-Host "Run the cmdlets"  -ForegroundColor Green
$cert = new-object System.Security.Cryptography.X509Certificates.X509Certificate2($filePathForCert)
$CertBase64 = [system.convert]::ToBase64String($cert.RawData)
$p2srootcert = New-AzureRmVpnClientRootCertificate -Name $P2SRootCertName -PublicCertData $CertBase64

# Upload the public key information to Azure
Write-Host "Upload the public key information to Azure"  -ForegroundColor Green
Add-AzureRmVpnClientRootCertificate -VpnClientRootCertificateName $P2SRootCertName -VirtualNetworkGatewayname $GWName -ResourceGroupName $resourceGroup -PublicCertData $CertBase64

# NOTE: To resolve names in a peered virtual network, deploy your own DNS server, or use Azure DNS private domains. 
Write-Host "Finished!"  -ForegroundColor Green  
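The script's comments state the address-plan rules (each subnet must lie inside the VNet's address space, and subnets must not overlap); Azure additionally requires that the Point-to-Site client address pool not overlap the VNet address space or the network the client connects from. Below is an added check I use before running such a script; it is my code, not part of the post or of Microsoft's script, and the prefixes are the ones from the script above. It runs offline with no Azure module required.

```powershell
# Added example, not part of the original post. Validates the address plan used above.

function ConvertTo-IPNumber([string]$Ip) {
    # Dotted quad -> 64-bit integer holding the 32-bit big-endian address value
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return [long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + [long]$b[3]
}

function Get-CidrRange([string]$Cidr) {
    # Returns the first and last address of a CIDR block as integers
    $parts = $Cidr.Split('/')
    $bits  = [int]$parts[1]
    $size  = [long][math]::Pow(2, 32 - $bits)
    $mask  = 4294967296 - $size
    $start = (ConvertTo-IPNumber $parts[0]) -band $mask
    return [pscustomobject]@{ Cidr = $Cidr; Start = $start; End = $start + $size - 1 }
}

function Test-CidrContains($Outer, $Inner) {
    return ($Inner.Start -ge $Outer.Start) -and ($Inner.End -le $Outer.End)
}

function Test-CidrOverlap($A, $B) {
    return ($A.Start -le $B.End) -and ($B.Start -le $A.End)
}

# Values from the script above
$vnetPrefixes = @("192.168.0.0/16", "10.254.0.0/16") | ForEach-Object { Get-CidrRange $_ }
$subnets      = @("192.168.1.0/24", "10.254.1.0/24", "192.168.200.0/26") | ForEach-Object { Get-CidrRange $_ }
$clientPool   = Get-CidrRange "172.16.201.0/24"

$problems = @()

# Rule 1: every subnet must be fully contained in one of the VNet prefixes
foreach ($s in $subnets) {
    $inside = $vnetPrefixes | Where-Object { Test-CidrContains $_ $s }
    if (-not $inside) { $problems += "Subnet $($s.Cidr) is not inside any VNet address prefix" }
}

# Rule 2: subnets must not overlap each other
for ($i = 0; $i -lt $subnets.Count; $i++) {
    for ($j = $i + 1; $j -lt $subnets.Count; $j++) {
        if (Test-CidrOverlap $subnets[$i] $subnets[$j]) {
            $problems += "Subnets $($subnets[$i].Cidr) and $($subnets[$j].Cidr) overlap"
        }
    }
}

# Rule 3: the P2S client pool must not overlap the VNet address space, otherwise routes
# pushed to the client collide with the addresses the client itself is assigned
foreach ($v in $vnetPrefixes) {
    if (Test-CidrOverlap $v $clientPool) {
        $problems += "VPN client pool $($clientPool.Cidr) overlaps VNet prefix $($v.Cidr)"
    }
}

if ($problems.Count -eq 0) {
    Write-Host "Address plan OK" -ForegroundColor Green
} else {
    $problems | ForEach-Object { Write-Host $_ -ForegroundColor Red }
}
```

For the prefixes in the script the check reports "Address plan OK". The same third rule applies to the LAN the laptop connects from: if a home network also uses 172.16.201.0/24 or overlaps 192.168.0.0/16, the tunnel will come up but traffic to the VNet will be routed locally instead.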


Connect to the Vnet from My Desktop

I get the public IP address of my Vnet: 104.43.209.61

I open the Point-to-site configuration for the VNet1GW virtual network gateway in Azure.

I click on Download VPN Client.

I click on Open.

Windows Explorer opens with three folders displayed. I open the WindowsAmd64 folder.

Note: You may have to copy the downloaded VPN zipped folder to another folder on your drive so that you can Run as Administrator.

I right-click on the VpnClientSetupAmd64 software and select Run as administrator.

I click Yes on the VNetDomino1 screen.

The VNetDomino1 VPN connection appears in the Network Settings \ VPN list.

 

I install the VpnServerRoot certificate stored in the Generic folder.

The Certificate Import Wizard screen appears. I leave the default settings as is and click Next. I repeat on the following screens.

I click OK on the final screen.

I return to Settings and select the VNetDomino1 connection.

I click on the connection and select Advanced Options. I click Edit and update the settings.

I save the settings.

I click on Connect.

I click on Connect on the next screen that appears.

The Connection Manager needs elevated privileges. I click on Continue.

The VPN connects!

I open the VPN configuration to see the settings.

I did have some trouble getting this VPN connection to work. But the steps above seem to be the final solution.

Update the PowerShell Script in My Previous Blog

I need to remove the creation of the public IP address, resource group, virtual network, and subnet, and put the VM in the front end subnet instead.

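An added example of that reworked VM script (my code, assembled from the two scripts in these posts; it is not the post's own updated script). It looks up the VNet and FrontEnd subnet that the Point-to-Site script created instead of creating its own resource group, VNet, subnet and public IP, and it attaches no public IP to the NIC, so the VM is reachable only through the VPN gateway. The network security group therefore allows RDP (3389) and Notes (1352) only from the VPN client address pool rather than from any Internet address. Variable values are the posts'; the rule names and the NIC name are my own.

```powershell
# Added example, not part of the original posts.
Login-AzureRmAccount
Select-AzureRmSubscription -SubscriptionName Pay-As-You-Go

# Existing resources created by the Point-to-Site script
$resourceGroup = "myDominoRG1"
$location      = "Central US"
$vnetName      = "VNetDomino1"
$feSubnetName  = "FrontEnd"
$vpnClientPool = "172.16.201.0/24"   # the P2S client address pool

# VM settings from the earlier post
$vmName       = "myDominoVM1"
$nsgName      = "NSGDomino1"
$nicName      = "myDominoNic1"       # my choice
$VMSize       = "Basic_A2"
$dataDiskName = $vmName + "_datadisk1"
$diskSizeInGB = 128

Write-Host "Create user object" -ForegroundColor Green
$cred = Get-Credential -Message "Enter a username and password for the virtual machine."

# Reuse the VNet and FrontEnd subnet rather than creating them
Write-Host "Look up the existing virtual network and FrontEnd subnet" -ForegroundColor Green
$vnet     = Get-AzureRmVirtualNetwork -Name $vnetName -ResourceGroupName $resourceGroup
$feSubnet = Get-AzureRmVirtualNetworkSubnetConfig -Name $feSubnetName -VirtualNetwork $vnet

# NSG: management and Notes traffic only from addresses handed out to VPN clients.
# No rule allows 3389 or 1352 from the Internet, and the NIC gets no public IP.
Write-Host "Create network security group rules scoped to the VPN client pool" -ForegroundColor Green
$rdpRule = New-AzureRmNetworkSecurityRuleConfig -Name "AllowRdpFromVpnClients" -Description "RDP from P2S clients only" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 140 `
    -SourceAddressPrefix $vpnClientPool -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 3389
$notesRule = New-AzureRmNetworkSecurityRuleConfig -Name "AllowNotesFromVpnClients" -Description "Notes RPC from P2S clients only" `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 120 `
    -SourceAddressPrefix $vpnClientPool -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 1352
$nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $resourceGroup -Location $location `
    -Name $nsgName -SecurityRules $rdpRule, $notesRule

# NIC in the FrontEnd subnet; note there is no -PublicIpAddressId
Write-Host "Create the network interface in the FrontEnd subnet" -ForegroundColor Green
$nic = New-AzureRmNetworkInterface -Name $nicName -ResourceGroupName $resourceGroup -Location $location `
    -SubnetId $feSubnet.Id -NetworkSecurityGroupId $nsg.Id

Write-Host "Create the virtual machine configuration" -ForegroundColor Green
$vmConfig = New-AzureRmVMConfig -VMName $vmName -VMSize $VMSize |
    Set-AzureRmVMOperatingSystem -Windows -ComputerName $vmName -Credential $cred |
    Set-AzureRmVMSourceImage -PublisherName MicrosoftWindowsServer -Offer WindowsServer -Skus 2016-Datacenter -Version latest |
    Add-AzureRmVMNetworkInterface -Id $nic.Id
$vmConfig = Add-AzureRmVMDataDisk -VM $vmConfig -Name $dataDiskName -DiskSizeInGB $diskSizeInGB -CreateOption Empty -Lun 1

Write-Host "Create the virtual machine" -ForegroundColor Green
New-AzureRmVM -ResourceGroupName $resourceGroup -Location $location -VM $vmConfig

# The private address is what to RDP to once the VPN is connected
$privateIp = (Get-AzureRmNetworkInterface -Name $nicName -ResourceGroupName $resourceGroup).IpConfigurations[0].PrivateIpAddress
Write-Host "VM private IP (connect over the VPN): $privateIp" -ForegroundColor Green
```

The HTTP rule from the earlier script is omitted here because, with no public IP on the NIC, nothing on the Internet can reach port 80 anyway; if the front end server is later meant to serve Domino HTTP publicly, that is the point to add a public IP or load balancer in front of it and an HTTP rule limited to port 80.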

Connecting to the Virtual Machine via RDP

Below is the network interface configuration for the virtual machine.

I open the virtual machine record in Azure.

I click on .

The RDP connection record opens.

I keep the settings as is and click on .

I click Open.

I click on Connect.

Connecting to …

The connection is made and I enter credentials. These are the same credentials I entered when the PowerShell script ran to create the VM.

I click Yes to continue.

The RDP connection is made and the Windows Server desktop is displayed.

I can see both drives (C and D) in File Explorer.

Setting the D: Drive for Permanent Storage

I initialize the D: drive.

I then follow the step-by-step instructions here to use the D: drive as a data drive on a Windows VM.

The VM now has three drives. The Temporary Storage drive is used for paging files. The Data Volume drive will be used for running the Domino server (i.e. permanent storage).

I wish that this drive configuration was easier to perform. In the future, I will use an ARM template after getting this configuration right.

Next Steps

I need to install the Domino server software, add the server to my domain, and replicate Notes databases to it. I won’t post a blog on how to do that. I suspect that it only interests a handful of people. 😉

Resources

My previous blog post on Creating an Azure VM with an Empty Data Disk.

Click here to read more about planning virtual networks.

Click here to watch a YouTube video presenting a step-by-step tutorial on creating an Azure VPN point-to-site setup. This video was published in December 2016, but it was very helpful to me. However, I followed a slightly different process and included links to the websites that had the steps that I followed.

Click here to read the source document titled “Connect an on-premises network to Azure using a VPN gateway” that contains the Microsoft Visio network diagram.

Click here for steps on how to generate and export certificates for Point-to-Site VPN using the Azure portal.

Click here for steps on how to add a second root certificate to give VPN access to a second computer. First generate a new root certificate. Then follow steps 9 to 11.

Creating an Azure VM with an Empty Data Disk

I was trying to create an Azure virtual machine to run a Domino server online with the following features:

  • Use PowerShell only
  • Latest version of Windows Server
  • Set auto-shutdown
  • Set user credentials on Windows Server
  • Add an empty second disk
  • A virtual network
  • A network security group with predefined rules
  • A public IP address to connect to
  • A storage account for logging and other files
  • Add OMS ID and Key (just in case)
  • Everything in one resource group and location
  • Configuration settings at the top of the script
  • Add comments
  • Write to the screen during processing

I experienced a lot more issues than I ever planned for. I thought that a complete PowerShell script must be available online. However, I could not find one. Thus, I am publishing the one that I created.

The PowerShell Code

Login-AzureRmAccount
Get-AzureRmSubscription | Sort-Object subscriptionName | Select-Object SubscriptionName
Select-AzureRmSubscription -SubscriptionName Pay-As-You-Go

# Declare the variables
$resourceGroup = "myDominoRG1"
$location = "Central US"
$vmName = "myDominoVM1"
$subnetName = 'SubNetDomino1'
$vnetName = "VNetDomino1"
$nsgName = "NSGDomino1"
$VMSize = "Basic_A2"
$storageType = 'Premium_LRS'
$dataDiskName = $vmName + '_datadisk1'
$strNum = 128
[int]$diskSizeInGB = [convert]::ToInt32($strNum, 10)
# Storage Account Name (must be lowercase)
$myStorageName = "mydominostorage1"

# set autoshutdown time for VM
$shutdown_time = "1700"
$shutdown_timezone = "Central Standard Time"

# OMS ID and OMS key
# Leave as is if you do not have an OMS ID and OMS key
$omsId = ""
$omsKey = ""

# Create user object
Write-Host "Create user object"  -ForegroundColor Green
$cred = Get-Credential -Message "Enter a username and password for the virtual machine."

# Create a resource group
Write-Host "Create a resource group"  -ForegroundColor Green
New-AzureRmResourceGroup -Name $resourceGroup -Location $location

# Create a storage account for this resource group
Write-Host "Create a storage account"  -ForegroundColor Green 
New-AzureRMStorageAccount -ResourceGroupName $resourceGroup -Location $Location -AccountName $myStorageName -SkuName Standard_LRS

# Create a subnet configuration
Write-Host "Create a subnet configuration"  -ForegroundColor Green
$subnetConfig = New-AzureRmVirtualNetworkSubnetConfig -Name $subnetName -AddressPrefix 192.168.1.0/24

# Create a virtual network
Write-Host "Create a virtual network"  -ForegroundColor Green
$vnet = New-AzureRmVirtualNetwork -ResourceGroupName $resourceGroup -Location $location `
  -Name $vnetName -AddressPrefix 192.168.0.0/16 -Subnet $subnetConfig

# Create a public IP address and specify a DNS name
Write-Host "Create a public IP address and specify a DNS name"  -ForegroundColor Green
$pip = New-AzureRmPublicIpAddress -ResourceGroupName $resourceGroup -Location $location `
  -Name "mypublicdns$(Get-Random)" -AllocationMethod Static -IdleTimeoutInMinutes 4

# Create an inbound network security group rule for port 3389
Write-Host "Create an inbound network security group rule for port 3389"  -ForegroundColor Green
$rdpRule = New-AzureRmNetworkSecurityRuleConfig -Name "myRDPRule" -Description "Allow RDP" `
    -Access "Allow" -Protocol "Tcp" -Direction "Inbound" -Priority "140" `
    -SourceAddressPrefix * -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 3389 

# Create an inbound network security group rule for port 80
Write-Host "Create an inbound network security group rule for port 80"  -ForegroundColor Green
$httprule = New-AzureRmNetworkSecurityRuleConfig -Name "myHTTPRule" -Description "Allow HTTP" `
    -Access "Allow" -Protocol "Tcp" -Direction "Inbound" -Priority "100" `
    -SourceAddressPrefix "Internet" -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 80

# Create an inbound network security group rule for port 1352
Write-Host "Create an inbound network security group rule for port 1352"  -ForegroundColor Green
$notesrule = New-AzureRmNetworkSecurityRuleConfig -Name "myIBMNotesRule" -Description "Allow IBM Notes" `
    -Access "Allow" -Protocol "Tcp" -Direction "Inbound" -Priority "120" `
    -SourceAddressPrefix "Internet" -SourcePortRange * `
    -DestinationAddressPrefix * -DestinationPortRange 1352

# Create a network security group
Write-Host "Create a network security group"  -ForegroundColor Green
$nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $resourceGroup -Location $location `
  -Name $nsgName -SecurityRules $rdpRule,$httprule,$notesrule

# Create a virtual network card and associate with public IP address and NSG
Write-Host "Create a virtual network card and associate with public IP address and NSG"  -ForegroundColor Green
$nic = New-AzureRmNetworkInterface -Name myNic -ResourceGroupName $resourceGroup -Location $location `
  -SubnetId $vnet.Subnets[0].Id -PublicIpAddressId $pip.Id -NetworkSecurityGroupId $nsg.Id

# Create a virtual machine configuration
Write-Host "Create a virtual machine configuration"  -ForegroundColor Green
$vmConfig = New-AzureRmVMConfig -VMName $vmName -VMSize $VMSize | `
Set-AzureRmVMOperatingSystem -Windows -ComputerName $vmName -Credential $cred | `
Set-AzureRmVMSourceImage -PublisherName MicrosoftWindowsServer -Offer WindowsServer -Skus 2016-Datacenter -Version latest | `
Add-AzureRmVMNetworkInterface -Id $nic.Id
Write-Host "Add an empty data disk to the virtual machine configuration"  -ForegroundColor Green
#$vmConfig = Add-AzureRmVMDataDisk -VM $vmConfig -Name $dataDiskName -CreateOption Empty -ManagedDiskId $dataDisk1.Id -Lun 1
$vmConfig = Add-AzureRmVMDataDisk -VM $vmConfig -Name $dataDiskName -DiskSizeInGB $diskSizeInGB -CreateOption Empty -Lun 1

# Create a virtual machine
Write-Host "Create a virtual machine using the virtual machine configuration"  -ForegroundColor Green
New-AzureRmVM -ResourceGroupName $resourceGroup -Location $location -VM $vmConfig

# Set the auto-shutdown time
Write-Host "Set the auto-shutdown time for the virtual machine"  -ForegroundColor Green
$properties = @{
    "status" = "Enabled";
    "taskType" = "ComputeVmShutdownTask";
    "dailyRecurrence" = @{"time" = $shutdown_time };
    "timeZoneId" = $shutdown_timezone;
    "notificationSettings" = @{
        "status" = "Disabled";
        "timeInMinutes" = 30
    }
    "targetResourceId" = (Get-AzureRmVM -ResourceGroupName $resourceGroup -Name $vmName).Id
}

New-AzureRmResource -ResourceId ("/subscriptions/{0}/resourceGroups/{1}/providers/microsoft.devtestlab/schedules/shutdown-computevm-{2}" -f (Get-AzureRmContext).Subscription.Id, $resourceGroup, $vmName) -Location (Get-AzureRmVM -ResourceGroupName $resourceGroup -Name $vmName).Location -Properties $properties -Force

# Setting up WinRM access

# Initialize the data disk

# Install and configure the OMS agent
If ($omsId -ne "") {
    Write-Host "Install and configure the OMS agent"  -ForegroundColor Green
    $PublicSettings = New-Object psobject | Add-Member -PassThru NoteProperty workspaceId $omsId | ConvertTo-Json
    $protectedSettings = New-Object psobject | Add-Member -PassThru NoteProperty workspaceKey $omsKey | ConvertTo-Json

    Set-AzureRmVMExtension -ExtensionName "OMS" -ResourceGroupName $resourceGroup -VMName $vmName `
        -Publisher "Microsoft.EnterpriseCloud.Monitoring" -ExtensionType "MicrosoftMonitoringAgent" `
        -TypeHandlerVersion 1.0 -SettingString $PublicSettings -ProtectedSettingString $protectedSettings `
        -Location $location
}
Write-Host "Finished!"  -ForegroundColor Green

Final Result

One resource group contains all of the resources created by the PowerShell script.

The network security group contains the correct security rules.

A public Internet address is configured.

The virtual machine is configured correctly and it started.

A second data disk was added to the virtual machine.

Update [July 11, 2018]: Follow the step-by-step instructions here to use the D: drive as a data drive on a Windows VM.

Resources

I referenced a number of resources to create this script. Below are a few of the important ones.

Create a fully configured virtual machine with PowerShell

https://docs.microsoft.com/en-us/azure/virtual-machines/scripts/virtual-machines-windows-powershell-sample-create-vm?toc=%2fpowershell%2fmodule%2ftoc.json

Create an Operations Management Suite monitored VM with PowerShell

https://docs.microsoft.com/en-us/azure/virtual-machines/scripts/virtual-machines-windows-powershell-sample-create-vm-oms?toc=%2fpowershell%2fmodule%2ftoc.json

Add-AzureRmVMDataDisk

https://docs.microsoft.com/en-us/powershell/module/azurerm.compute/add-azurermvmdatadisk

New-AzureRmVM

https://docs.microsoft.com/en-us/powershell/module/azurerm.compute/new-azurermvm?view=azurermps-6.3.0

Attach a data disk to a Windows VM using PowerShell

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/attach-disk-ps

 

Next Steps

Initialize the data disk and install the Domino server software. As it is now, the second data disk can be used for any purpose.

I want to have a data disk in storage that has the Domino server software installed; but not configured. Then I can attach it to the VM. That would save time for multiple virtual machines.

I want to use a VPN connection to the virtual network. The only public IP address should be the VPN gateway's. The virtual machines would not be exposed to the Internet directly; all connections would go through the VPN gateway.

I should be using an Azure Resource Manager (ARM) template. I want to deploy the resources consistently and repeatedly.