Schedule VPN Gateway deploy

Question

Schedule VPN Gateway deploy

Davide Ghisalberti 21

Hi all! I'm configuring a Point-to-Site VPN access for my VMs on Azure. So far so good, everything works. My concern it's about the pricing of the SKU 'VpnGw1'

On the online calculator I can see the prices for GBs and tunnels, and a configurable pricing for "Gateway hour". I thought (wrongly) that this pricing was related to effective gateway usage, but it's instead related to the 'existance' of the gateway object in my subscription (e.g. I create the gateway at 3.00 pm and delete it at 6.00 pm, I pay for three hours regardless I've used it or not).

It seems odd because I can't understand how to schedule the gateway object to be created when I want to use it (for example, only for business hours/days).
There is a way to configure a schedule for creating and destroying this object, and to configure it in a way that my VPN clients are not aware of that? For example I don't want to distribute every day a configuration package or certificate or information to be configured by my clients, I just want my gateway to be active from 9 to 5/Monday to Friday

Thanks in advice for the help!

0 comments

Answer accepted by question author

Andreas Baumgarten 132.1K MVP Volunteer Moderator

The way it would work is:

Create the required certificates and store this somewhere for automated deployment
Create a script to deploy the VPN Gateway using the existing certificate
Deploy the VPN Gateway via script on a schedule (for example every day at 8:00 AM)
Delete the VPN Gateway via script on a schedule (for example at 6:00 PM)

Repeat steps 3 - 4

As long as you are using the same certificate and public IP of the VPN Gateway it should work without modifications on the client.

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten

Davide Ghisalberti 21 Reputation points

2021-01-14T15:47:45.213+00:00

Hi. For completion, the answer seems to be partially incorrect:

As long as you are using the same certificate and public IP of the VPN Gateway it should work without modifications on the client.

After my testing I can say that even by meeting these conditions, the client needs to update the VPN configuration because 'ServerAddress' and 'ServerSecrets' changes each time a VPN Gateway object is re-created (even by maintaining the same public IP, certificate and resources' name.)

1 additional answer

Your answer

Davide Ghisalberti 21 Reputation points

2021-01-14T15:47:45.213+00:00

Hi. For completion, the answer seems to be partially incorrect:

As long as you are using the same certificate and public IP of the VPN Gateway it should work without modifications on the client.

After my testing I can say that even by meeting these conditions, the client needs to update the VPN configuration because 'ServerAddress' and 'ServerSecrets' changes each time a VPN Gateway object is re-created (even by maintaining the same public IP, certificate and resources' name.)

Answer 1

Andreas Baumgarten 132.1K MVP Volunteer Moderator

If you delete and redeploy the VPN Gateway everyday the public IP will maybe change as well.

Anyway ... With PowerShell it's possible to deploy a VPN Gateway:
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-rm-ps

And this can be scheduled on premises with the task scheduler in Windows.
Or a runbook in Azure Automation can be used with a schedule.

----------

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten

Davide Ghisalberti 21 Reputation points

2020-12-16T08:31:56.327+00:00

Thanks that's interesting. However I can't understand if with this script for deploying and deleting the Gateway would have the consequence to re-generate and re-distribute certificates and VPN Client configuration *.exe files.
I see that I can generate my root certificate once and then re-upload it each time I create my Gateway; I can't understand if I need to generate and distribute each time the configuration setup, it would be a stopper (it would mean to distribute each day a new setup)

Thanks!
Andreas Baumgarten 132.1K Reputation points MVP Volunteer Moderator

2020-12-16T09:25:20.003+00:00

You don't have to create a new certificate every time. If the certificate exists (for instance stored on the on-premises computer or Azure Storage if you use Azure Automation) and is valid you can just re-use this cert every time.

(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten
Davide Ghisalberti 21 Reputation points

2020-12-16T14:07:51.863+00:00
Ok so if I understood correctly, I could:

prepare my IP and VNet configuration objects on Azure and keep those there

Generate my root and client certificates, and store the root on Azure Storage

Prepare the automation script to create the Gateway

Launch it

After I've deployed the Gateway for the first time, I'll generate the *.exe for client configuration

From there, I'll distribute and install the client certificates and the *.exe configuration to my users. Finally, when the Gateway is up and running, my users can connect to the VPN without doing anything else.

Please confirm if my suppositions are correct, and then I'll give it a try and close the thread, thank you a lot!

Share via

Schedule VPN Gateway deploy

1 additional answer

Your answer