
VPN

What is a VPN?

  • A VPN (Virtual Private Network) carries traffic between two endpoints through an encrypted, authenticated tunnel over an untrusted network (usually the internet), so that the remote network appears local while third parties on the path can neither read nor tamper with the traffic.

Azure Point to Site VPN

  • Azure Point-to-Site (P2S) VPN is an encrypted connection from an individual client computer to an Azure virtual network. It suits remote workers or a small number of clients that need to reach resources in the VNet from anywhere, without a VPN device on their side.
  • The tunnel terminates on the Azure side on a Virtual Network Gateway (VNG) of type VPN, and on the client side on a VPN client (the native Windows/macOS client, the Azure VPN Client, or an OpenVPN client) that is configured from a profile downloaded from the gateway.
  • A connected P2S client reaches resources in the Azure virtual network; if the same gateway also carries Site-to-Site tunnels and routing allows it, the client can reach on-premises resources through them as well.
  • P2S VPN connections require three configuration settings on the gateway (in addition to the VNG itself):
    • Address Pool: The IP address range that will be assigned to the VPN clients.
      • The address range that you choose must not overlap with the vNet’s address range.
      • If multiple protocols are configured for the tunnel type, and SSTP is one of those protocols, the address pool will be split between the configured protocols.
    • Tunnel Type: The tunnel type that will be used for the VPN connection. Options are SSTP, IKEv2, and OpenVPN.
      • OpenVPN is SSL-based and operates on port 443.
        • OpenVPN is supported on all platforms, but a client will usually need to be downloaded and installed.
        • OpenVPN is required if you want clients to authenticate with Azure Active Directory credentials.
      • SSTP is SSL-based and operates on port 443. It is a Microsoft-proprietary protocol.
      • IKEv2 is IPsec-based and operates on UDP ports 4500 and 500 and IP protocol number 50.
        • Android, Linux, iOS, macOS and Windows 10 (and later) ship with native clients that support IKEv2.
        • The native Windows client tries IKEv2 first when negotiating a connection and falls back to SSTP if IKEv2 fails (for example because UDP 500/4500 is blocked on the path).
    • Authentication Type: How the client proves its identity to the gateway. Options are Azure Certificate, Azure AD (Microsoft Entra ID), and RADIUS.
      • Azure Certificate: The client must present a client certificate that chains to a root certificate trusted by the Virtual Network Gateway.
        • On Windows the client certificate (with its private key) is installed in the ‘Current User\Personal’ certificate store of the user who connects; this is the Cert:\CurrentUser\My location that the certificate script later on this page writes to.
        • Only the root certificate is uploaded to the gateway, as its Base64-encoded public certificate data (never a private key). Client certificates are accepted because they chain to that root, and individual client certificates can later be revoked on the gateway by thumbprint.
      • Azure AD: The client authenticates with an Azure AD account instead of a certificate.
        • Allows users to connect using their Azure AD credentials, so there is no per-user certificate to issue, distribute and revoke.
        • Native Azure AD authentication is only supported for OpenVPN connections that use the Azure VPN Client (Windows 10 or later and macOS).
        • The main advantage is that Azure AD's identity and security controls, such as MFA and Conditional Access, apply to the VPN sign-in.
      • RADIUS: Clients authenticate against a RADIUS server hosted in Azure or on-premises.
        • The Virtual Network Gateway relays authentication traffic between the client and the RADIUS server, so the gateway must be able to reach the RADIUS server (over the VNet or a Site-to-Site tunnel) and any NSG or firewall on that path must allow it.
        • The RADIUS server can integrate with Microsoft Entra ID or any other external identity system, and there is no need to upload root certificates to, or revoke client certificates in, Azure.
  • P2S connections require a route-based VPN Type.
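
The three settings above applied to an existing route-based gateway with certificate authentication, as an added Az PowerShell example (not code from the original post). The resource group 'rg-hub', gateway 'vng-hub', VNet 'vnet-hub' and client pool 172.16.201.0/24 are placeholder assumptions; it expects a root certificate with subject CN=P2SRootCert in Cert:\CurrentUser\My (the one the certificate script later on this page creates), so it runs on Windows with the Az.Network module after Connect-AzAccount.

```powershell
# Added example, not from the original post. Assumptions: resource group 'rg-hub',
# gateway 'vng-hub', VNet 'vnet-hub', client pool 172.16.201.0/24, and a root certificate
# CN=P2SRootCert in Cert:\CurrentUser\My. Requires Az.Network and an authenticated session.

function ConvertTo-AddressRange {
    # Parses an IPv4 CIDR into its first and last address as unsigned integers.
    param([Parameter(Mandatory)][string]$Cidr)
    $ip, $len = $Cidr.Split('/')
    $bytes = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    [Array]::Reverse($bytes)                          # network byte order -> host order for ToUInt32
    $addr  = [uint64][BitConverter]::ToUInt32($bytes, 0)
    $size  = [uint64][math]::Pow(2, 32 - [int]$len)
    $start = $addr - ($addr % $size)                  # align down to the network address
    [pscustomobject]@{ Start = $start; End = $start + $size - 1 }
}

function Test-CidrOverlap {
    # True when two IPv4 CIDR ranges share at least one address.
    param([string]$CidrA, [string]$CidrB)
    $a = ConvertTo-AddressRange $CidrA
    $b = ConvertTo-AddressRange $CidrB
    return ($a.Start -le $b.End) -and ($b.Start -le $a.End)
}

$rg         = 'rg-hub'
$clientPool = '172.16.201.0/24'
$gw   = Get-AzVirtualNetworkGateway -Name 'vng-hub'  -ResourceGroupName $rg
$vnet = Get-AzVirtualNetwork        -Name 'vnet-hub' -ResourceGroupName $rg

# 1. Address pool: P2S needs a route-based gateway, and the pool must not overlap the VNet
#    (nor any on-premises prefixes you route to, if the gateway also carries S2S tunnels).
if ($gw.VpnType -ne 'RouteBased') {
    throw "P2S requires a route-based gateway; '$($gw.Name)' is $($gw.VpnType)."
}
foreach ($prefix in $vnet.AddressSpace.AddressPrefixes) {
    if (Test-CidrOverlap $clientPool $prefix) { throw "Client pool $clientPool overlaps VNet prefix $prefix." }
}

# 2. Root certificate: only the public certificate data (Base64 of the DER bytes) goes to Azure.
$root = Get-ChildItem Cert:\CurrentUser\My | Where-Object Subject -eq 'CN=P2SRootCert' | Select-Object -First 1
if (-not $root) { throw 'Root certificate CN=P2SRootCert not found in Cert:\CurrentUser\My.' }
$rootCert = New-AzVpnClientRootCertificate -Name 'P2SRootCert' `
    -PublicCertData ([Convert]::ToBase64String($root.RawData))

# 3. Tunnel type, then apply everything in one call. IKEv2 and OpenVPN are chosen; SSTP is left
#    out on purpose, because adding it would split the address pool between the protocols.
$gw = Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw `
        -VpnClientAddressPool $clientPool `
        -VpnClientProtocol IkeV2, OpenVPN `
        -VpnAuthenticationType Certificate `
        -VpnClientRootCertificates $rootCert

# Generate and download the client profile package; distribute it together with each user's
# client certificate (.pfx), never with the root's private key.
$profile = New-AzVpnClientConfiguration -ResourceGroupName $rg -Name $gw.Name -AuthenticationMethod EapTls
Invoke-WebRequest -Uri $profile.VpnProfileSASUrl -OutFile "$env:TEMP\p2s-vng-hub.zip"
```

The overlap check is deliberately done client-side before the call: the gateway rejects an overlapping pool, but only after a long-running update, and the check also lets you compare the pool against on-premises prefixes that Azure does not validate for you.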

Azure Site to Site VPN

  • Azure Site-to-Site (S2S) VPN is an IPsec/IKE (IKEv1 or IKEv2) tunnel between an on-premises VPN device and an Azure virtual network, so that whole networks on each side can reach each other.
  • Traffic inside the tunnel is encrypted and authenticated; resources in the VNet reach on-premises resources, and vice versa, without being exposed on the public internet.
  • On the Azure side the tunnel terminates on a Virtual Network Gateway. The on-premises side is described to Azure by a Local Network Gateway (its public IP and address prefixes), and the two are tied together by a Connection object that carries the pre-shared key and, optionally, a custom IPsec/IKE policy.

Virtual Network Gateway

  • A Virtual Network Gateway is used to send encrypted traffic between an Azure virtual network and an on-premises location over the public internet.

  • Virtual Network Gateway supports the following hybrid connection options:

    • Site-to-Site VPN connection over IPsec (IKEv1 and IKEv2): connects an on-premises network to an Azure virtual network.
    • Point-to-Site VPN connection over SSTP, IKEv2 or OpenVPN: connects a single client computer to an Azure virtual network.
    • VNet-to-VNet VPN connection over IPsec (IKEv1 and IKEv2): connects two Azure virtual networks.
  • When using a VPN gateway to connect two VNets, there are two connection types to choose from:

    • VNet-to-VNet: use this when the source and target VNets are in the same Azure subscription.
    • Site-to-Site (IPsec): use this when the source and target VNets are in different subscriptions; each VNet is then represented to the other as a Local Network Gateway.

Virtual Network Gateway SKUs

Virtual Network Gateway Pricing

| SKU | Price |
| --- | --- |
| Basic | $0.04/hour |
| VpnGw1 | $0.19/hour |
| VpnGw2 | $0.49/hour |
| VpnGw3 | $1.25/hour |
| VpnGw4 | $2.10/hour |
| VpnGw5 | $3.65/hour |

Virtual Network Gateway Certificate Authentication

  • Azure Virtual Network Gateway supports certificate authentication for Point-to-Site VPN connections.
  • The VPN client must present a client certificate that chains to a root certificate whose public data has been uploaded to the gateway.
  • On Windows the client certificate (with its private key) is installed in the ‘Current User\Personal’ certificate store (Cert:\CurrentUser\My) of the connecting user; the root certificate's private key stays with whoever issues client certificates and is never uploaded.
```powershell
# Create a self-signed root certificate in the current user's personal store.
# Only its public part is uploaded to the gateway; the private key is what signs client
# certificates, so protect it and plan rotation before NotAfter.
$params = @{
    Type              = 'Custom'
    Subject           = 'CN=P2SRootCert'
    KeySpec           = 'Signature'
    KeyExportPolicy   = 'Exportable'
    KeyUsage          = 'CertSign'
    KeyUsageProperty  = 'Sign'
    KeyLength         = 2048
    HashAlgorithm     = 'sha256'
    NotAfter          = (Get-Date).AddMonths(24)
    CertStoreLocation = 'Cert:\CurrentUser\My'
}
$cert = New-SelfSignedCertificate @params

# Create a client certificate signed by that root. The TextExtension sets Extended Key Usage
# to Client Authentication (OID 1.3.6.1.5.5.7.3.2), which the gateway requires. Issue one
# certificate per user or device so a single one can be revoked by thumbprint on the gateway.
$params = @{
    Type              = 'Custom'
    Subject           = 'CN=P2SChildCert'
    DnsName           = 'P2SChildCert'
    KeySpec           = 'Signature'
    KeyExportPolicy   = 'Exportable'
    KeyLength         = 2048
    HashAlgorithm     = 'sha256'
    NotAfter          = (Get-Date).AddMonths(18)
    CertStoreLocation = 'Cert:\CurrentUser\My'
    Signer            = $cert
    TextExtension     = @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')
}
$clientCert = New-SelfSignedCertificate @params

# Public certificate data to paste into the gateway's root certificate list: Base64 of the
# DER-encoded root certificate (the body of a .cer/PEM file without the BEGIN/END lines).
$rootPublicData = [Convert]::ToBase64String($cert.RawData)
```

Azure Active Directory Authentication

  • Azure Virtual Network Gateway supports Azure AD (Microsoft Entra ID) authentication for Point-to-Site VPN connections.
  • The VPN user must have an Azure AD account in the tenant the gateway is configured to trust.
  • The gateway trusts an Azure AD application: either the Microsoft-registered Azure VPN Client application, to which a Global Administrator grants tenant-wide consent, or an application you register yourself.
  • Set the authentication type to ‘Azure Active Directory’ in the gateway's Point-to-Site configuration.
    • Provide the Tenant ID, the Audience (the application/client ID of that Azure AD application) and the Issuer (the token issuer URL for your tenant) in the Point-to-Site configuration.
  • Download and install the Azure VPN Client from the Microsoft Store and import the VPN profile downloaded from the gateway.
  • Sign in with an Azure AD account to connect; MFA and Conditional Access policies assigned to the Azure VPN application are enforced at sign-in.

Radius Authentication

  • Azure Virtual Network Gateway supports RADIUS authentication for Point-to-Site VPN connections.
  • The VPN user authenticates with credentials known to the RADIUS server (for example Active Directory accounts behind NPS); the gateway itself holds no user accounts.
  • You configure the RADIUS server settings in the gateway's Point-to-Site configuration.
  • You must provide the RADIUS server IP addresses (primary and optional secondary) and the RADIUS shared secret for each, and the gateway must be able to reach those addresses (RADIUS authentication uses UDP 1812 by default).
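
The Azure AD and RADIUS alternatives described in the two sections above, as an added Az PowerShell example (not the post's own code). The gateway and resource group names, the tenant ID, the application (audience) ID and the RADIUS addresses are placeholders; for -AudienceId use the application ID of the Azure VPN application your tenant consented to, or of your own registration.

```powershell
# Added example, not from the original post. Placeholders: 'rg-hub', 'vng-hub', <tenant-guid>,
# <application-id>, and the RADIUS server addresses 10.10.1.4 / 10.10.1.5.

function Set-P2SEntraAuth {
    param(
        [Parameter(Mandatory)] $Gateway,
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$AudienceId
    )
    # Entra ID authentication is only available over OpenVPN, so the tunnel type is forced
    # here instead of being left to whatever the gateway had before.
    Set-AzVirtualNetworkGateway -VirtualNetworkGateway $Gateway `
        -VpnClientProtocol OpenVPN `
        -VpnAuthenticationType AAD `
        -AadTenantUri "https://login.microsoftonline.com/$TenantId/" `
        -AadAudienceId $AudienceId `
        -AadIssuerUri "https://sts.windows.net/$TenantId/"
}

function Set-P2SRadiusAuth {
    param(
        [Parameter(Mandatory)] $Gateway,
        [Parameter(Mandatory)][string]$PrimaryServer,
        [string]$SecondaryServer,
        [Parameter(Mandatory)][securestring]$Secret
    )
    # The gateway relays RADIUS (UDP 1812 by default) to these addresses; they must be reachable
    # from the gateway subnet, via the VNet or an S2S tunnel, and allowed by NSGs and firewalls.
    # The score is the server's priority; the primary gets the higher one.
    $servers = @(New-AzRadiusServer -RadiusServerAddress $PrimaryServer -RadiusServerSecret $Secret -RadiusServerScore 30)
    if ($SecondaryServer) {
        $servers += New-AzRadiusServer -RadiusServerAddress $SecondaryServer -RadiusServerSecret $Secret -RadiusServerScore 1
    }
    Set-AzVirtualNetworkGateway -VirtualNetworkGateway $Gateway `
        -VpnAuthenticationType Radius `
        -RadiusServerList $servers
}

$gw = Get-AzVirtualNetworkGateway -Name 'vng-hub' -ResourceGroupName 'rg-hub'

# Option 1: Entra ID. MFA / Conditional Access assigned to the Azure VPN application apply at sign-in.
Set-P2SEntraAuth -Gateway $gw -TenantId '<tenant-guid>' -AudienceId '<application-id>'

# Option 2: RADIUS. Prompt for the shared secret rather than embedding it in the script.
# $secret = Read-Host -AsSecureString -Prompt 'RADIUS shared secret'
# Set-P2SRadiusAuth -Gateway $gw -PrimaryServer '10.10.1.4' -SecondaryServer '10.10.1.5' -Secret $secret
```

Both functions take the gateway object returned by Get-AzVirtualNetworkGateway rather than a name, so the same object can be inspected (VpnType, current VpnClientConfiguration) before the change is pushed.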

Local Network Gateway

  • A Local Network Gateway is Azure's representation of the on-premises site: the public IP address (or FQDN) of the on-premises VPN device and the address prefixes behind it that should be reachable through the tunnel.

Gateway Subnet

  • The gateway subnet is the subnet the virtual network gateway is deployed into. It must be named exactly ‘GatewaySubnet’.
  • The gateway subnet must be at least /29; /27 or larger is recommended so that active/active gateways and future features have room.
  • Nothing else should be deployed in the gateway subnet, and no NSG should be attached to it; it is used by the gateway services only.
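
The Site-to-Site, Virtual Network Gateway, Local Network Gateway and Gateway Subnet sections above, carried through end to end as an added Az PowerShell example (not code from the original post). Resource group 'rg-hub', region 'westeurope', VNet 'vnet-hub' with 10.1.0.0/16, the on-premises device address 203.0.113.10 and on-premises prefix 192.168.0.0/16 are all placeholder assumptions.

```powershell
# Added example, not from the original post. Placeholders: 'rg-hub', 'westeurope', 'vnet-hub'
# (10.1.0.0/16), on-prem device 203.0.113.10, on-prem prefix 192.168.0.0/16.
$rg   = 'rg-hub'
$loc  = 'westeurope'
$vnet = Get-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg

# 1. Gateway subnet: the name must be exactly 'GatewaySubnet'; /27 leaves room for
#    active/active and future features (the hard minimum is /29). Nothing else goes in it.
if (-not ($vnet.Subnets | Where-Object Name -eq 'GatewaySubnet')) {
    Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet -AddressPrefix '10.1.255.0/27' | Out-Null
    $vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
}
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet

# 2. Public IP and the route-based virtual network gateway (creation takes up to ~45 minutes).
$pip    = New-AzPublicIpAddress -Name 'pip-vng-hub' -ResourceGroupName $rg -Location $loc -AllocationMethod Static -Sku Standard
$ipconf = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconf' -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id
$vng    = New-AzVirtualNetworkGateway -Name 'vng-hub' -ResourceGroupName $rg -Location $loc `
            -IpConfigurations $ipconf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# 3. Local network gateway: the on-premises side, i.e. its public IP and the prefixes behind it.
$lng = New-AzLocalNetworkGateway -Name 'lng-onprem' -ResourceGroupName $rg -Location $loc `
         -GatewayIpAddress '203.0.113.10' -AddressPrefix '192.168.0.0/16'

# 4. Pre-shared key: 32 random bytes as hex, not a word anyone typed. Store it in a vault
#    afterwards; the on-premises device must be configured with the identical string.
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$psk = -join ($bytes | ForEach-Object { $_.ToString('x2') })

# 5. Pin the IKE/IPsec proposal instead of accepting the gateway defaults, so a weak proposal
#    offered by the on-premises device cannot be negotiated.
$ipsec = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA384 -DhGroup DHGroup24 `
           -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 -PfsGroup PFS24 `
           -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

# 6. The connection ties gateway, local network gateway, PSK and policy together.
#    For a legacy device that only does policy-based VPN, keep this route-based gateway and add
#    -UsePolicyBasedTrafficSelectors $true so the traffic selectors match its access list.
New-AzVirtualNetworkGatewayConnection -Name 'cn-hub-onprem' -ResourceGroupName $rg -Location $loc `
    -VirtualNetworkGateway1 $vng -LocalNetworkGateway2 $lng -ConnectionType IPsec `
    -SharedKey $psk -IpsecPolicies $ipsec | Out-Null

# Connected / Connecting / NotConnected once the remote device has been configured with $psk.
(Get-AzVirtualNetworkGatewayConnection -Name 'cn-hub-onprem' -ResourceGroupName $rg).ConnectionStatus
```

The custom IPsec policy is the security-relevant step: without it the gateway accepts any of its default proposals, including DH group 2 and SHA-1 for IKE, if that is what the remote device offers. Custom policies require a VpnGw SKU; the Basic SKU does not support them.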

Route based vs. Policy based VPN

  • Policy-based VPN: traffic is selected for the tunnel by a policy, an access list of source/destination prefixes (IPsec traffic selectors) that defines exactly which traffic is encrypted and sent through the tunnel.

    • Limitations:
      • No support for dynamic routing protocols such as BGP.
      • Only site-to-site connections; no point-to-site and no VNet-to-VNet.
      • Only available with the Basic gateway SKU, and supports a single site-to-site tunnel.
      • If you have a legacy on-premises VPN device that does not support route-based (IKEv2, any-to-any) tunnels, you will likely need a policy-based VPN, or a route-based gateway with policy-based traffic selectors enabled on the connection.
  • Route-based VPN: traffic is directed into the tunnel by the gateway's routing table (static routes or routes learned over BGP), with any-to-any traffic selectors on the tunnel itself; the route determines the next hop.

    • Only route-based gateways support active/active mode.
    • Point-to-site connections require a route-based VPN gateway.


Troubleshoot VPNs

  • Azure Monitor can collect several diagnostic log categories from a VPN gateway. Enable them (to a Log Analytics workspace, storage account or event hub) before you need them; without a diagnostic setting they are not retained.
    • Gateway Diagnostic Log (GatewayDiagnosticLog): gateway-level events, including configuration changes and maintenance events.
    • Tunnel Diagnostic Log (TunnelDiagnosticLog): tunnel state change events (connected/disconnected and the reason); useful for the historical connectivity status of each tunnel.
    • Route Diagnostic Log (RouteDiagnosticLog): routing events, including changes to static routes and BGP events.
    • IKE Diagnostic Log (IKEDiagnosticLog): IKE control messages and events on the gateway; the first place to look when a tunnel will not come up (proposal mismatch, wrong pre-shared key, NAT problems).
    • P2S Diagnostic Log (P2SDiagnosticLog): point-to-site control messages and events on the gateway, including client connection attempts and authentication results.
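
Enabling all five categories on a gateway and reading back the tunnel history the Tunnel Diagnostic Log provides, as an added Az PowerShell example (not the post's own code). It assumes Az.Monitor 3.x or later (New-AzDiagnosticSetting) and Az.OperationalInsights; the gateway and workspace names are placeholders, and the column names in the KQL query (instance_s, remoteIP_s, status_s, stateChangeReason_s) are the AzureDiagnostics columns for this category as documented, so check them against your own workspace if the query returns empty columns.

```powershell
# Added example, not from the original post. Placeholders: 'rg-hub', 'vng-hub', workspace 'law-hub'.
# Requires Az.Monitor 3.x+ (New-AzDiagnosticSetting) and Az.OperationalInsights.

$gw = Get-AzVirtualNetworkGateway        -Name 'vng-hub' -ResourceGroupName 'rg-hub'
$ws = Get-AzOperationalInsightsWorkspace -Name 'law-hub' -ResourceGroupName 'rg-hub'

# One diagnostic setting carrying every gateway log category to the workspace.
$categories = 'GatewayDiagnosticLog', 'TunnelDiagnosticLog', 'RouteDiagnosticLog',
              'IKEDiagnosticLog', 'P2SDiagnosticLog'
$logs = foreach ($c in $categories) {
    New-AzDiagnosticSettingLogSettingsObject -Enabled $true -Category $c
}
New-AzDiagnosticSetting -Name 'vpn-gw-to-law' -ResourceId $gw.Id -WorkspaceId $ws.ResourceId -Log $logs | Out-Null

# Tunnel state changes in the last 24 hours: which peer, which gateway instance, and the reason
# the gateway recorded for each transition. Repeated Disconnected/Connected pairs on the same
# remoteIP_s usually point at a DPD/rekey problem on the far end.
$kql = @"
AzureDiagnostics
| where Category == "TunnelDiagnosticLog" and TimeGenerated > ago(24h)
| project TimeGenerated, Resource, instance_s, remoteIP_s, status_s, stateChangeReason_s
| order by TimeGenerated desc
"@
# The query API takes the workspace's customer ID (GUID), not its ARM resource ID.
$result = Invoke-AzOperationalInsightsQuery -WorkspaceId $ws.CustomerId -Query $kql
$result.Results | Format-Table -AutoSize
```

Swap the Category filter for IKEDiagnosticLog when a tunnel will not establish at all: the IKE log shows the proposals each side offered, which is how a policy or pre-shared key mismatch is confirmed rather than guessed.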