Azure VPN and Point to Site Connection

Chaskarshailesh
Published in Javarevisited · 6 min read · Mar 19, 2023

Azure VPN Gateway is a service that uses a specific type of virtual network gateway to send encrypted traffic between an Azure virtual network and on-premises locations over the public Internet.

You can also use VPN Gateway to send encrypted traffic between Azure virtual networks over the Microsoft network. Multiple connections can be created to the same VPN gateway.

When you create multiple connections, all VPN tunnels share the available gateway bandwidth.

A VPN gateway is a type of virtual network gateway.

A virtual network gateway is composed of two or more Azure-managed VMs that are automatically configured and deployed to a specific subnet you create called the GatewaySubnet. The gateway VMs contain routing tables and run specific gateway services.

A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer.

A P2S connection is established by starting it from the client computer.

This solution is useful for telecommuters who want to connect to Azure VNets from a remote location, such as from home or a conference. P2S VPN is also a useful solution to use instead of S2S VPN when you have only a few clients that need to connect to a VNet.

Let's explore VPN + P2S:

Step 1: Create a VNet, referring to the link below.

Step 2: Create the VNet gateway, referring to the link below.

Step 3: Authorize the Azure VPN application to proceed further, referring to the link below.

Grant admin consent for your organization. This allows the Azure VPN application to sign in and read user profiles. Copy and paste the URL that pertains to your deployment location into the address bar of your browser:

https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent

Go to Azure Active Directory. In the left pane, click Enterprise applications. You’ll see Azure VPN listed.

Step 4: Configure authentication for the gateway

Locate the tenant ID of the directory that you want to use for authentication, from Tenant Properties.

For Azure Active Directory values, use the following guidelines for Tenant, Audience, and Issuer values. Replace {AzureAD TenantID} with your tenant ID.

  • Tenant: the tenant ID for the Azure AD tenant. Enter the tenant ID that corresponds to your configuration. Make sure the Tenant URL does not have a \ at the end.
    Azure Public AD: https://login.microsoftonline.com/{AzureAD TenantID}
  • Audience: the Application ID of the “Azure VPN” Azure AD Enterprise App.
    Azure Public: 41b23e61-6c1e-4545-b367-cd054e0ed4b4
  • Issuer: the URL of the Secure Token Service. Include a trailing slash at the end of the Issuer value; otherwise, the connection may fail.
    https://sts.windows.net/{AzureAD TenantID}/

Step 5: Download the Azure VPN Client profile configuration package

At the top of the Point-to-site configuration page, click Download VPN client (see the screenshot above).

  1. Extract the downloaded zip file.
  2. Browse to the unzipped “AzureVPN” folder.
  3. Make a note of the location of the “azurevpnconfig.xml” file.

The azurevpnconfig.xml file contains the settings for the VPN connection. You can also distribute this file to all the users who need to connect, via e-mail or other means. The user will need valid Azure AD credentials to connect successfully.
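As an added example (not code from the original post or from Microsoft), the following Python script reads the Azure AD values out of a constructed, simplified azurevpnconfig.xml and checks them against the Step 4 guidelines: a tenant URL without a trailing slash or backslash, the Azure Public "Azure VPN" application ID as the audience, and an issuer URL that ends with a slash. The element names (clientauth, aad, audience, issuer, tenant), the XML namespace and the tenant ID in the sample are assumptions chosen for the example, not values taken from a real profile package; point the same check at a real file before distributing it to users.

```python
import re
import xml.etree.ElementTree as ET

# Application ID of the "Azure VPN" enterprise app for Azure Public (value from the post).
AZURE_VPN_PUBLIC_AUDIENCE = "41b23e61-6c1e-4545-b367-cd054e0ed4b4"
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
TENANT_RE = re.compile(r"^https://login\.microsoftonline\.com/([^/\\]+)$")

# Constructed sample profile; element names and namespace are assumptions for this example,
# and the tenant ID is a placeholder, not a real directory.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="utf-8"?>
<AzVpnProfile xmlns="http://schemas.datacontract.org/2004/07/">
  <clientauth>
    <type>aad</type>
    <aad>
      <audience>41b23e61-6c1e-4545-b367-cd054e0ed4b4</audience>
      <issuer>https://sts.windows.net/00000000-1111-2222-3333-444444444444/</issuer>
      <tenant>https://login.microsoftonline.com/00000000-1111-2222-3333-444444444444</tenant>
    </aad>
  </clientauth>
  <name>example-p2s-profile</name>
</AzVpnProfile>
"""
NS = {"p": "http://schemas.datacontract.org/2004/07/"}


def build_aad_settings(tenant_id):
    """Derive the three gateway values from a tenant ID, following the Step 4 guidelines."""
    return {
        "tenant": f"https://login.microsoftonline.com/{tenant_id}",   # no trailing slash
        "audience": AZURE_VPN_PUBLIC_AUDIENCE,
        "issuer": f"https://sts.windows.net/{tenant_id}/",            # trailing slash required
    }


def read_aad_settings(profile_xml):
    """Pull tenant/audience/issuer out of the (assumed) clientauth/aad section of a profile."""
    root = ET.fromstring(profile_xml)
    aad = root.find("p:clientauth/p:aad", NS)
    if aad is None:
        raise ValueError("profile has no Azure AD client authentication section")
    # Strip the namespace from each child tag so keys read as plain names.
    return {child.tag.split("}", 1)[-1]: (child.text or "").strip() for child in aad}


def validate_aad_settings(settings):
    """Return a list of problems; an empty list means the values follow the post's rules."""
    problems = []
    tenant = settings.get("tenant", "")
    audience = settings.get("audience", "")
    issuer = settings.get("issuer", "")

    m = TENANT_RE.match(tenant)
    if not m:
        problems.append("tenant must be https://login.microsoftonline.com/<TenantID> "
                        "with no trailing slash or backslash")
    elif not GUID_RE.match(m.group(1)):
        problems.append("tenant ID is not a GUID")

    if audience.lower() != AZURE_VPN_PUBLIC_AUDIENCE:
        problems.append("audience is not the Azure Public 'Azure VPN' application ID")

    if not issuer.endswith("/"):
        problems.append("issuer must end with a trailing slash or the connection may fail")
    if m and issuer != f"https://sts.windows.net/{m.group(1)}/":
        problems.append("issuer does not match https://sts.windows.net/<TenantID>/")
    return problems


if __name__ == "__main__":
    settings = read_aad_settings(SAMPLE_PROFILE)
    for problem in validate_aad_settings(settings) or ["profile values look consistent"]:
        print(problem)
```

The check is deliberately strict about the two formatting traps the post calls out (a stray trailing character on the tenant URL and a missing slash on the issuer), because both produce a gateway that saves fine but rejects every client connection.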

Step 6: Download the Azure VPN Client (for Windows), referring to the link below.

Step 7: Import the VPN client profile configuration files, referring to the link below.

For Azure AD authentication configurations, the azurevpnconfig.xml file is used.

The file is located in the AzureVPN folder of the VPN client profile configuration package.

Just import it, hit Save, and then on the home screen hit Connect. Bingo, you are connected.

The logs show a successful connection to the VNet gateway.

Step 8: Review the VPN properties

Screenshot: the Azure VPN user list

Screenshot: the sign-in activity of users

Screenshot: the connected session

Step 9: If you want to control who can sign in, review the sign-in settings

On the Azure VPN — Properties page, configure sign-in settings.

  1. Set Enabled for users to sign-in? to Yes. This setting allows all users in the AD tenant to connect to the VPN successfully.
  2. Set User assignment required? to Yes, if you want to limit sign-in to only users that have permissions to the Azure VPN.

Refer to the link below.

Step 10: Set up Conditional Access, referring to the link below.

Conditional Access allows for fine-grained access control on a per-application basis. In order to use Conditional Access, you should have Azure AD Premium 1 or greater licensing applied to the users that will be subject to the Conditional Access rules.

  1. Navigate to the Enterprise applications — All applications page and click Azure VPN.
     • Click Conditional Access.
     • Click New policy to open the New pane.
  2. On the New pane, navigate to Assignments -> Users and groups. On the Users and groups -> Include tab:
     • Click Select users and groups.
     • Check Users and groups.
     • Click Select to select a group or set of users to be affected by MFA.
     • Click Done.
  3. In the Enable policy section:
     • Select On.
     • Click Create.

That's about Azure VPN and Point to Site Connection. Let's keep learning together. Let's sail together.


I am a Site Reliability Engineer and aspiring Cloud Solutions Architect, further exploring the horizon into MLOps.