How to create a simple Azure VPN Gateway solution for home office access to your cloud and on-premises environments over an encrypted tunnel
Azure VPN Gateway is a service that organizations can use to give their users or employees secure remote access to the organization's computing environments from a home office, without exposing those systems to the public internet.
Azure VPN Gateway acts as a communication bridge between the virtual machines on your virtual network and your on-premises network. Employees connected to the on-premises network can reach your cloud resources through the VPN gateway, and the gateway also lets private cloud and public cloud environments communicate with each other.
The steps I used to create an Azure VPN Gateway solution for remote access from my home office to Azure:
1. Create a virtual network
2. Create a virtual machine
3. Create the Azure VPN Gateway
4. Generate, download and extract the Azure certificate
5. Configure the Azure VPN Gateway
6. Download the Azure VPN client after configuring the VPN gateway
7. Install the client certificate
8. Install the VPN client
9. Connect to the Azure VPN
10. Test the connection
To keep the solution simple, I built it using a single virtual network.
1. Navigate to the Azure console and, in the search bar, search for “Virtual networks”, then create the virtual network.
Follow the wizard to create a resource group or use an existing one. Select the region in which you want to create your virtual network.
For the IP address space, you can use the default address space assigned to the Virtual Network (VNet) and the default subnet range.
On the security and tagging screens, leave the default settings, then review and create your virtual network.
2. Create a new virtual machine and do not associate it with a public IP address. Note: to simplify my solution, I created only one virtual machine, in the same region as my virtual network. You can use settings similar to the ones I used. For the SSH key, use an existing key if you already have one stored locally on your system; otherwise create a new SSH key. For public inbound port rules, select none, since we don’t want the VM to be reachable over the public internet.
On the Disks screen, leave the default settings. On the Networking screen, select the virtual network you created in the previous step and keep the default subnet. Do not associate a public IP with the virtual machine (select None). Keep the remaining configuration at its defaults.
Don’t make any changes on the Management, Advanced and Tags screens. Next, review and create the virtual machine.
3. Create a virtual network gateway in the same region as the VNet and the VM. Set the Gateway type to VPN and the VPN type to Route-based. For the SKU, which determines how many connections a given gateway can handle, choose VpnGw1. For the gateway subnet address range, use the default. A new public IP address will be created for the gateway; give it a name.
Next, skip the Tags screen, then review and create the virtual network gateway. Azure will start provisioning it.
4. Next, we need to generate a certificate so that the VPN gateway can be configured to let clients connect to it remotely. See the Azure documentation for how to generate the client certificate. You will use this certificate to configure the VPN gateway so that clients can connect to it.
5. Once you have generated the certificate, download and extract it. After extraction you will see two files: the client certificate and the root certificate. You will use the data inside the root certificate to configure the Azure VPN Gateway. The client certificate will be installed on your computer so that you can connect remotely and authenticate to the Azure VPN.
6. Use the root certificate data to configure the Azure VPN Gateway. Go to the VPN gateway you created and, under the Settings menu, select “Point-to-site configuration”, then “Configure now”. Add the address pool that clients will be assigned addresses from when they connect remotely. For Tunnel type, select “IKEv2 and SSTP (SSL)”, and for Authentication type select “Azure certificate”. Next, copy the public certificate data from the root certificate (the Base64 text, without the BEGIN CERTIFICATE and END CERTIFICATE lines), name it “P2SRootCert” and save your changes. After saving, the “Download VPN client” button becomes enabled.
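As an added example (not part of the original post, and not the tool the author used to download the certificates), here is how to produce the same two artifacts locally with PowerShell on Windows: a self-signed root certificate whose single-line Base64 public data is what step 6 pastes into the gateway, and a client certificate signed by that root, exported as the .pfx file that step 8 installs. The certificate names, output paths and the 24/18 month lifetimes are assumptions.

```powershell
# Added example: generate a P2S root certificate and a client certificate
# signed by it, then emit exactly what the gateway and the client need.
# Names, paths and lifetimes below are assumptions, not values from the post.

# 1. Self-signed root. Only its public data goes to Azure; the private key
#    stays in the CurrentUser store of the machine running this script.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject 'CN=P2SRootCert' -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyUsageProperty Sign -KeyUsage CertSign `
    -NotAfter (Get-Date).AddMonths(24)

# 2. Client certificate issued by the root. The text extension sets the
#    Enhanced Key Usage to 1.3.6.1.5.5.7.3.2 (Client Authentication).
$client = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject 'CN=P2SChildCert' -DnsName 'P2SChildCert' `
    -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -Signer $root -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2') `
    -NotAfter (Get-Date).AddMonths(18)

# 3. Sanity check before touching the gateway: the client must chain to the root.
if ($client.Issuer -ne $root.Subject) {
    throw 'Client certificate was not issued by the root certificate'
}

# 4. Root public certificate data as one Base64 line with no BEGIN/END
#    CERTIFICATE lines: this is the "P2SRootCert" value for the
#    Point-to-site configuration in step 6.
$rootPublicData = [Convert]::ToBase64String($root.RawData)
Set-Content -Path "$HOME\P2SRootCert.txt" -Value $rootPublicData
Write-Host "Paste the contents of $HOME\P2SRootCert.txt into the gateway as P2SRootCert"

# 5. Client certificate with its private key, password-protected; this is the
#    "clientcert" file installed on each client machine in step 8.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for clientcert.pfx'
Export-PfxCertificate -Cert $client -FilePath "$HOME\clientcert.pfx" `
    -Password $pfxPassword | Out-Null
Write-Host "Client certificate written to $HOME\clientcert.pfx"
```

Whoever holds the root's private key can issue further client certificates the gateway will accept, so keep it on a controlled machine and, if a client certificate is lost, add its thumbprint to the revoked certificates list in the same Point-to-site configuration.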
7. Download the VPN client; you will use it later to install the Azure VPN client on your computer. Note: in an organization, this is the client you would install on all your users’ or employees’ computers so they can connect remotely to Azure.
8. Install the client certificate locally on a client computer. The client certificate is used to authenticate your local client to the Azure VPN environment against the root certificate data you added to the Azure VPN Gateway. Double-click the “clientcert” file and follow the wizard to install the client certificate.
9. Install the VPN client that you downloaded from Azure. Note: I implemented my VPN Gateway solution on a Windows 11 device. I did not try the solution on earlier versions of Windows or on a Mac. For Mac, there is a procedure available in the Azure documentation.
10. After the VPN client installs successfully, open the Start menu or Windows search bar, search for VPN and go to the Windows VPN settings. You will see the VPN you installed listed there.
11. Click the “Connect” button next to the VPN client you installed to connect to the Azure VPN. Follow the wizard steps; if you see a message asking whether you want to update the routing table, click “Continue” and answer “Yes”.
Once you are connected, your Windows VPN settings should show that you are connected to the Azure VPN.
12. Next, test that you can reach the virtual machine in Azure. Go back to the Azure console and copy the private IP address of your virtual machine.
13. Open a terminal window, e.g. Git Bash, and ping the virtual machine in Azure. You should be able to ping the VM successfully using its private IP address.
14. Continue testing the connection by connecting to the VM over SSH with the following command: ssh azureuser@<YOUR_VM_PRIVATE_IP> -i <YOUR_SSH_KEY>. The connection should succeed.
15. Test that you can run updates on the Azure VM or install the Apache web server.
Conclusion:
Azure VPN Gateway offers a simple way to set up a secure remote connection to your Azure cloud environment and your on-premises resources.