Site-to-Site VPN is the most common method organizations use to connect an on-premises network to an Azure virtual network (VNet). That VPN connection is initiated from your edge firewall or router. But what if you are connecting from a remote location such as home? We can use the point-to-site method to do that. This method uses certificates to authenticate the endpoint to the Azure virtual network.
So, let’s go ahead and see how we can do that.
Create Resource Group
In this exercise, I prefer to use a separate resource group for the virtual network and the other components.
Create Virtual Network
Now we need to create a new virtual network. We can create it using:
New-AzureRmVirtualNetwork -ResourceGroupName REBELVPNRG -Name REBEL-VNET -AddressPrefix 192.168.0.0/16 -Location "East US"
In the above, REBEL-VNET is the virtual network name, and it uses the 192.168.0.0/16 IP address range.
Create Subnets
Under the virtual network I am going to create a subnet for my servers. To create the subnet, use:
$vn = Get-AzureRmVirtualNetwork -ResourceGroupName REBELVPNRG -Name REBEL-VNET   # load the virtual network object
Add-AzureRmVirtualNetworkSubnetConfig -Name REBEL-SVR-SUB -VirtualNetwork $vn -AddressPrefix 192.168.100.0/24   # add the subnet to the in-memory object
Set-AzureRmVirtualNetwork -VirtualNetwork $vn   # write the updated configuration back to Azure
Create Gateway Subnet
Before we create the virtual network gateway, we need to create a gateway subnet for it; the gateway will use IP addresses assigned from this subnet.
To do that,
Create Virtual Network Gateway
Now we have everything needed to create the new virtual network gateway. To do that,
Here, REBEL-VPN-GW is the gateway name. I have selected REBEL-VNET as the virtual network. I am also creating a public IP called REBEL-PUB1. This is only supported with dynamic allocation. That doesn’t mean the address is going to change randomly; it will only change when the gateway is deleted and recreated.
Create Self-signed root & client certificates
If your organization uses an internal CA, you can always use it to generate the relevant certificates for this exercise. If you do not have an internal CA, we can still use self-signed certs to do the job.
As the first step I am going to create the root certificate. On a Windows 10 machine I can run the following to create it:
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
-Subject "CN=REBELROOT" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign
This will create the root cert and install it in the current user’s certificate store.
Then we need to create the client certificate. We can do this using:
New-SelfSignedCertificate -Type Custom -DnsName REBELCLIENT -KeySpec Signature `
-Subject "CN=REBELCLIENT" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" `
-Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
This will create a cert called REBELCLIENT, signed by the root cert, and install it in the same store location.
Now we have the certs in place, but we need to export them so we can upload to Azure.
To export the root certificate,
To export the client certificate,
Note – Only the root cert is used in the Azure VPN configuration; the client certificate can be installed on other computers that need P2S connections.
Configure Point-to-Site Connection
The next step of this configuration is to configure the point-to-site connection. Here we will also define the client IP address pool, from which VPN clients receive their addresses.
Note: when you paste the certificate data, do not include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.
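As an added example (not part of the original post), the export and point-to-site steps done in PowerShell instead of the portal: it exports the root cert’s public part and builds the Base64 string Azure expects (exactly the data the note above says to paste, without the BEGIN/END lines), exports the client cert as a password-protected PFX, then registers the root cert and the client address pool on the gateway. The certificate subjects, gateway name REBEL-VPN-GW and resource group REBELVPNRG come from the post; that the gateway lives in REBELVPNRG, the export folder, the file names and the 172.16.201.0/24 client pool are assumptions.

```powershell
# Added example, not from the original post. Assumes the root and client
# certificates were created as above and exist in Cert:\CurrentUser\My,
# and that the gateway REBEL-VPN-GW already exists in REBELVPNRG.
# Export folder, file names and the client address pool are assumptions.

$rgName    = "REBELVPNRG"
$gwName    = "REBEL-VPN-GW"
$exportDir = "C:\Certs"
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

# Locate the certificates by subject rather than by thumbprint.
$root   = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -eq "CN=REBELROOT" }   | Select-Object -First 1
$client = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -eq "CN=REBELCLIENT" } | Select-Object -First 1

# Root certificate: export only the public part (DER-encoded .cer).
# Azure needs the Base64 body of this certificate with no BEGIN/END lines,
# so build that string directly from the raw certificate bytes.
Export-Certificate -Cert $root -FilePath "$exportDir\REBELROOT.cer" -Type CERT | Out-Null
$rootPublicData = [System.Convert]::ToBase64String($root.RawData)

# Client certificate: export with its private key as a password-protected
# PFX, for import on any other PC that needs a P2S connection.
$pfxPassword = Read-Host -AsSecureString -Prompt "PFX password for REBELCLIENT"
Export-PfxCertificate -Cert $client -FilePath "$exportDir\REBELCLIENT.pfx" -Password $pfxPassword | Out-Null

# Register the root certificate on the gateway and set the client pool.
# Only the root goes to Azure; the PFX stays on the client machines.
$gw = Get-AzureRmVirtualNetworkGateway -ResourceGroupName $rgName -Name $gwName
Set-AzureRmVirtualNetworkGatewayVpnClientConfig -VirtualNetworkGateway $gw -VpnClientAddressPool "172.16.201.0/24"
Add-AzureRmVpnClientRootCertificate -VpnClientRootCertificateName "REBELROOT" `
    -VirtualNetworkGatewayName $gwName -ResourceGroupName $rgName -PublicCertData $rootPublicData

# Verify which root certificates the gateway now trusts.
Get-AzureRmVpnClientRootCertificate -VirtualNetworkGatewayName $gwName -ResourceGroupName $rgName |
    Select-Object Name, ProvisioningState
```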
Testing VPN connection
Now we have finished the configuration. As the next step, we need to test the connection. To do that, log in to the same PC where we generated the certificates. If you are going to use a different PC, first import the root cert and client certificate we exported.