How to configure Azure Point to site VPN to access site running on IIS in azure VM.

Question

How to configure Azure Point to site VPN to access site running on IIS in azure VM.

Richmond Eric-Okolai 20

I have successfully configured an azure point to site VPN with tunnel type “IKEv2 and OpenVPN(SSL)” and authentication methodThe reason for this configuration is to securely access the site running on IIS in a Virtual machine. The site has a public domain bound to it.

The issue is once I connect to the point to site and try to reach the site over the public domain which is binder to the site, I cannot reach it but when I try to access the site over the private IP of the VM, it goes through

what do I need to do, to still be able to access my site over the public domain while connected to the point to site VPN?

Luke Murray 11,436 Reputation points MVP Volunteer Moderator

2023-07-05T06:29:13.97+00:00

Hi, Richmond. It sounds like a DNS issue to me. Are you able to resolve other websites?

You may need to set the DNS servers into the azurevpnconfig file, then reimport.
Richmond Eric-Okolai 1 Reputation point

2023-07-05T07:12:22.1533333+00:00

Hello @Luke Murray I am able to resolve other sites correct. I think it is worth noting that using the public to access the VM while connected to the point to site still does not work except using the private IP as I mentioned
Luke Murray 11,436 Reputation points MVP Volunteer Moderator

2023-07-05T07:29:08.32+00:00

Does it work if you add an alias to the public IP and try accessing it by using the DNs name?
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-07-06T07:38:45.4733333+00:00
@Richmond Eric-Okolai

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you are not able to access your VM using Public domain does not work while you are connected to P2S.

We would require more details on how DNS is configured in your case.

Are you using the same domain to connect via Public as well via Private?

Or are they different domains?

Before Connecting to the VPN, Run

nslookup <domain name>

ping <domain name>

If you have two different domains (for private and public), please run nslookup and ping for both the domains and share the result.

After connecting to the VPN, Run

nslookup <domain name>

ping <domain name>

If you have two different domains (for private and public), please run nslookup and ping for both the domains and share the result.

Also, after connecting to the VPN.

Modify the host file entry to resolve the Public IP

And see if this works.

Cheers,

Kapil.
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-07-07T12:24:45.4566667+00:00

@Richmond Eric-Okolai

Can you please update us if the action plan provided was helpful?

Should there be any follow-up questions or concerns, please let us know and we shall try to address them.

Thanks,

Kapil
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-07-10T09:30:37.7333333+00:00

@Richmond Eric-Okolai

May I know if you got a chance to review my previous comment?

Please let me know if you are facing any challenges or if there are any follow-up questions, I shall be glad to address them.

Thanks,

Kapil
Richmond Eric-Okolai 20 Reputation points

2023-07-10T09:34:19.5166667+00:00

Hello @KapilAnanth-MSFT I will provide the details requested as the issue still persists. I just need some time to put it all together
Richmond Eric-Okolai 20 Reputation points

2023-07-10T16:39:28.0666667+00:00

Hello @Luke Murray sorry for the really late response.

I have a site running on IIS in a virtual machine. The site has a custom domain attached to it. The custom domain was bought on azure so all my DNS entries are managed with azure DNS zones

Now I Want the site to only be accessible when connected to the point to site VPN I have configured still using the custom domain I purchased.

Does this scenarion still work with the solution you provided?

If I were to using the configuration file to point to DNS servers, would that be the IP address of the Azure DNS zone nameservers?
Richmond Eric-Okolai 20 Reputation points

2023-07-10T19:22:51.8+00:00

Hello @Luke Murray thanks for your response.

I have not Setup the Azure DNS Resolver and I had created a private DNS zone but couldn't really figure how utilize it in what i was trying to achieve. It is my first time trying this setup
Luke Murray 11,436 Reputation points MVP Volunteer Moderator

2023-07-10T19:28:16.9333333+00:00

No worries, the DNS Resolver should fill in the gap.
Richmond Eric-Okolai 20 Reputation points

2023-07-10T19:36:30.1533333+00:00

Hello @Luke Murray I would like confirm one thing from the guide. the part that says in order to deploy the DNS resolver, a private endpoint is needed, is it possible to use a private endpoint on a VM? I ask because to the best of my knowledge I thought only PaaS services could use private endpoints.

Please let me know if I am wrong
Luke Murray 11,436 Reputation points MVP Volunteer Moderator

2023-07-10T19:44:14.0666667+00:00

Hmm, you shouldn't need that - you should just be to add your DNS Resolver to your VNET, then link your Private DNS zone to the resolver.

Then make sure your DNS setting of the P2S VPN is using the resolver.

You can use private link and DNS resolver, to allow connectivity to PaaS services as well, via Private Link.
Richmond Eric-Okolai 20 Reputation points

2023-07-10T19:58:42.4366667+00:00

Hello @Luke Murray In the Azure VPN config file, would I require the DNS suffix tag? also how can I replicate the same settings in an Open VPN config file, as I plan to connect with an android phone as well seeing as how OpenVpn tunnel is what is recommended by Microsoft
Luke Murray 11,436 Reputation points MVP Volunteer Moderator

2023-07-10T20:06:25.5233333+00:00

You shouldn't need the DNS suffix, although it could be worth adding if you have more responses responding on the same private DNS zone. I would try testing without it, then adding it in if needed.

Not entirely sure, how OpenVPN will behave sorry, but there's some options on StackExchange here..
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-07-11T06:34:27.53+00:00
@Richmond Eric-Okolai

From your summary,

I take it that you have a site, let's say www.contoso.com hosted in an IIS VM.

And you have a domain "contoso.com" in Azure DNS Zone

Now, you only want the site to be accessed by users connected to your P2S VPN.

Points to Note:

Important thing to note is that P2S VPN provides connectivity to the VMs via it's private IP

That's the only thing about it

It cannot block other users accessing your site from Internet - this will always be open

Public DNS Zone is different from a Private DNS Zone in Azure

And you should be using Private DNS Zone for your architecture

Next Steps

To close the VM access from Internet

If you don't want any users to access the VM via Internet (without P2S VPN), please remove the Public IP from the VM

If you want certain users to access the VM via Internet (without P2S VPN), you have to use NSGs to block/allow based on source IPs

Now, when you say you have purchased a custom Domain and moved to Azure

I believe you have created a Public DNS Zone and this DNS Zone resolves your website "www.contoso.com" to the IIS VM's Public IP

If that's the case, you should also create a Private DNS Zone

And add an entry "www"

And make this resolve to the Private IP of the VM and not the Public IP of the VM

This Private DNS Zone will not be resolvable from the P2S Client (for now), and I shall provide a work around later.

For now, to make sure the steps so far is correct

Make sure you blocked the Internet access for your site using NSG

Connect to the P2S gateway

From your local machine, edit the host configuration file to reflect
www.contoso.com <Private IP of your VM>

Try to access www.contoso.com and it should go via Private Network/IP from the P2S Client.

Thanks,

Kapil
Richmond Eric-Okolai 20 Reputation points

2023-07-11T07:08:56.5533333+00:00

Hello @Luke Murray everything worked as expected with your guidance. I am deeply grateful for the information you shared. Thank you!

and @KapilAnanth-MSFT thank you for your response as well. I would like to ask, how can i set as specific DNS server in an OpenVPN config file Just like one can do in the Azure VPN client config file
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-07-12T05:27:08.9566667+00:00

@Richmond Eric-Okolai

I am glad you were able to get this resolved.

For OpenVPN, I don't think custom DNS server and domains are supported.

Only Azure VPN Client/Configuration supports this and this is the recommended approach as well.

Cheers,

Kapil.

Please Accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer.
Richmond Eric-Okolai 20 Reputation points

2023-07-12T06:55:54.25+00:00

Hello @KapilAnanth-MSFT Thanks for your response.

I was able to configure the custom DNS server as well on the client config file of OpenVPN using the values below. It was added just before the <ca> tag in the file

register-dns

block-outside-dns

dhcp-option DNS <IP address from Azure DNS resolver inbound Endpoint>

dhcp-option DOMAIN <Domain suffix of the intended domain>

This is what is needed to set the custom DNS server

Accepted answer

0 additional answers

Your answer

Luke Murray 11,436 Reputation points MVP Volunteer Moderator

2023-07-05T06:29:13.97+00:00

Hi, Richmond. It sounds like a DNS issue to me. Are you able to resolve other websites?

You may need to set the DNS servers into the azurevpnconfig file, then reimport.
Richmond Eric-Okolai 1 Reputation point

2023-07-05T07:12:22.1533333+00:00

Hello @Luke Murray I am able to resolve other sites correct. I think it is worth noting that using the public to access the VM while connected to the point to site still does not work except using the private IP as I mentioned
Luke Murray 11,436 Reputation points MVP Volunteer Moderator

2023-07-05T07:29:08.32+00:00

Does it work if you add an alias to the public IP and try accessing it by using the DNs name?
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-07-06T07:38:45.4733333+00:00

@Richmond Eric-Okolai

Welcome to the Microsoft Q&A Platform. Thank you for reaching out & I hope you are doing well.

I understand that you are not able to access your VM using Public domain does not work while you are connected to P2S.

We would require more details on how DNS is configured in your case.

Are you using the same domain to connect via Public as well via Private?

Or are they different domains?

Before Connecting to the VPN, Run

nslookup <domain name>

ping <domain name>

If you have two different domains (for private and public), please run nslookup and ping for both the domains and share the result.

After connecting to the VPN, Run

nslookup <domain name>

ping <domain name>

If you have two different domains (for private and public), please run nslookup and ping for both the domains and share the result.

Also, after connecting to the VPN.

Modify the host file entry to resolve the Public IP

And see if this works.

Cheers,

Kapil.
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-07-07T12:24:45.4566667+00:00

@Richmond Eric-Okolai

Can you please update us if the action plan provided was helpful?

Should there be any follow-up questions or concerns, please let us know and we shall try to address them.

Thanks,

Kapil
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-07-10T09:30:37.7333333+00:00

@Richmond Eric-Okolai

May I know if you got a chance to review my previous comment?

Please let me know if you are facing any challenges or if there are any follow-up questions, I shall be glad to address them.

Thanks,

Kapil
Richmond Eric-Okolai 20 Reputation points

2023-07-10T09:34:19.5166667+00:00

Hello @KapilAnanth-MSFT I will provide the details requested as the issue still persists. I just need some time to put it all together
Richmond Eric-Okolai 20 Reputation points

2023-07-10T16:39:28.0666667+00:00

Hello @Luke Murray sorry for the really late response.

I have a site running on IIS in a virtual machine. The site has a custom domain attached to it. The custom domain was bought on azure so all my DNS entries are managed with azure DNS zones

Now I Want the site to only be accessible when connected to the point to site VPN I have configured still using the custom domain I purchased.

Does this scenarion still work with the solution you provided?

If I were to using the configuration file to point to DNS servers, would that be the IP address of the Azure DNS zone nameservers?
Richmond Eric-Okolai 20 Reputation points

2023-07-10T19:22:51.8+00:00

Hello @Luke Murray thanks for your response.

I have not Setup the Azure DNS Resolver and I had created a private DNS zone but couldn't really figure how utilize it in what i was trying to achieve. It is my first time trying this setup
Luke Murray 11,436 Reputation points MVP Volunteer Moderator

2023-07-10T19:28:16.9333333+00:00

No worries, the DNS Resolver should fill in the gap.
Richmond Eric-Okolai 20 Reputation points

2023-07-10T19:36:30.1533333+00:00

Hello @Luke Murray I would like confirm one thing from the guide. the part that says in order to deploy the DNS resolver, a private endpoint is needed, is it possible to use a private endpoint on a VM? I ask because to the best of my knowledge I thought only PaaS services could use private endpoints.

Please let me know if I am wrong
Luke Murray 11,436 Reputation points MVP Volunteer Moderator

2023-07-10T19:44:14.0666667+00:00

Hmm, you shouldn't need that - you should just be to add your DNS Resolver to your VNET, then link your Private DNS zone to the resolver.

Then make sure your DNS setting of the P2S VPN is using the resolver.

You can use private link and DNS resolver, to allow connectivity to PaaS services as well, via Private Link.
Richmond Eric-Okolai 20 Reputation points

2023-07-10T19:58:42.4366667+00:00

Hello @Luke Murray In the Azure VPN config file, would I require the DNS suffix tag? also how can I replicate the same settings in an Open VPN config file, as I plan to connect with an android phone as well seeing as how OpenVpn tunnel is what is recommended by Microsoft
Luke Murray 11,436 Reputation points MVP Volunteer Moderator

2023-07-10T20:06:25.5233333+00:00

You shouldn't need the DNS suffix, although it could be worth adding if you have more responses responding on the same private DNS zone. I would try testing without it, then adding it in if needed.

Not entirely sure, how OpenVPN will behave sorry, but there's some options on StackExchange here..
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-07-11T06:34:27.53+00:00

@Richmond Eric-Okolai

From your summary,

I take it that you have a site, let's say www.contoso.com hosted in an IIS VM.

And you have a domain "contoso.com" in Azure DNS Zone

Now, you only want the site to be accessed by users connected to your P2S VPN.

Points to Note:

Important thing to note is that P2S VPN provides connectivity to the VMs via it's private IP

That's the only thing about it

It cannot block other users accessing your site from Internet - this will always be open

Public DNS Zone is different from a Private DNS Zone in Azure

And you should be using Private DNS Zone for your architecture

Next Steps

To close the VM access from Internet

If you don't want any users to access the VM via Internet (without P2S VPN), please remove the Public IP from the VM

If you want certain users to access the VM via Internet (without P2S VPN), you have to use NSGs to block/allow based on source IPs

Now, when you say you have purchased a custom Domain and moved to Azure

I believe you have created a Public DNS Zone and this DNS Zone resolves your website "www.contoso.com" to the IIS VM's Public IP

If that's the case, you should also create a Private DNS Zone

And add an entry "www"

And make this resolve to the Private IP of the VM and not the Public IP of the VM

This Private DNS Zone will not be resolvable from the P2S Client (for now), and I shall provide a work around later.

For now, to make sure the steps so far is correct

Make sure you blocked the Internet access for your site using NSG

Connect to the P2S gateway

From your local machine, edit the host configuration file to reflect
www.contoso.com <Private IP of your VM>

Try to access www.contoso.com and it should go via Private Network/IP from the P2S Client.

Thanks,

Kapil
Richmond Eric-Okolai 20 Reputation points

2023-07-11T07:08:56.5533333+00:00

Hello @Luke Murray everything worked as expected with your guidance. I am deeply grateful for the information you shared. Thank you!

and @KapilAnanth-MSFT thank you for your response as well. I would like to ask, how can i set as specific DNS server in an OpenVPN config file Just like one can do in the Azure VPN client config file
KapilAnanth-MSFT 49,616 Reputation points Microsoft Employee Moderator

2023-07-12T05:27:08.9566667+00:00

@Richmond Eric-Okolai

I am glad you were able to get this resolved.

For OpenVPN, I don't think custom DNS server and domains are supported.

Only Azure VPN Client/Configuration supports this and this is the recommended approach as well.

Cheers,

Kapil.

Please Accept an answer if correct. Original posters help the community find answers faster by identifying the correct answer.
Richmond Eric-Okolai 20 Reputation points

2023-07-12T06:55:54.25+00:00

Hello @KapilAnanth-MSFT Thanks for your response.

I was able to configure the custom DNS server as well on the client config file of OpenVPN using the values below. It was added just before the <ca> tag in the file

register-dns

block-outside-dns

dhcp-option DNS <IP address from Azure DNS resolver inbound Endpoint>

dhcp-option DOMAIN <Domain suffix of the intended domain>

This is what is needed to set the custom DNS server

Answer 1

Luke Murray 11,436 MVP Volunteer Moderator

To use your own domain name, you will need:

Azure DNS Resolver
Private DNS zone (assume you would already have this) that is linked to the resolver.

Then the DNS IP gets directed to the Azure DNS Resolver, which does a lookup on the Private DNS Zone.

I setup something very similar here: https://luke.geek.nz/azure/azure-point-to-site-vpn-and-private-dns-resolver/

Richmond Eric-Okolai 20 Reputation points

2023-07-11T07:13:55.4+00:00
To use your own domain name, you will need:

Azure DNS Resolver

Private DNS zone (assume you would already have this) that is linked to the resolver.

Then the DNS IP gets directed to the Azure DNS Resolver, which does a lookup on the Private DNS Zone.

I setup something very similar here: https://luke.geek.nz/azure/azure-point-to-site-vpn-and-private-dns-resolver/
Luke Murray 11,436 Reputation points MVP Volunteer Moderator

2023-07-11T07:16:34.0933333+00:00

Glad you got it sorted!
Luke Murray 11,436 Reputation points MVP Volunteer Moderator

2023-07-12T04:04:39.2+00:00
Hi, @Richmond Eric-Okolai are you able to mark this answer as accepted?

Also in regards to the OpenVPN config file I found this:

https://superuser.com/questions/637579/setting-dns-servers-using-openvpn-client-config-file

Try adding the config file:

dhcp-option DNS <dns_server_ip_address> (add to client config)

Share via

How to configure Azure Point to site VPN to access site running on IIS in azure VM.

0 additional answers

Your answer