Configure a Point-to-Site VPN Connection to an Azure VNet

This post shows how to create a point-to-site (P2S) VPN connection to an Azure virtual network (VNet). 

Background

In my previous post, I showed how to create a virtual network configuration XML file and to create several environments (dev, stage, and prod) that are each deployed into a separate subnet.  It’s kind of a goofy network architecture because typically you see VNets configured that model the tiers of a single application (front tier, middle tier, backend tier).  However, it suits my use case and enables me to show how to create a point-to-site virtual network that enables me to communicate with all of the environments through a single connection.

I am showing point-to-site in this post because that’s what I use for demos while I am on the road.  If you travel for work or work remotely, you likely use an agent that you run in order to connect to the corporate network.  That agent establishes a secure connection to the corporate network, enabling you to access resources even from public locations.  That’s exactly what a point-to-site network is: it includes an installer that adds a VPN connection to your machine.  Here you can see that I have a VPN connection to Microsoft IT VPN that allows me to VPN into the Microsoft corporate network, and another VPN connection named “DevOps-demo-dev-southcentral” that enables me to connect to an Azure virtual network.

image

When I click Connect on that VPN connection, the agent appears.

image

I then click Connect, and I am securely connected to the virtual network in Azure.  I can now access any resources within that virtual network as though they were part of my local network. 

There are two other types of connectivity to Azure:  site-to-site VPN and ExpressRoute.  A site-to-site VPN allows you to create a secure connection between your on-premises site and the virtual network by using a Windows RRAS server or configuring a gateway device.  ExpressRoute lets you create private connections between Azure and your on-premises or co-located infrastructure without going over the internet.  For more information on choosing between a VPN and ExpressRoute, see ExpressRoute or Virtual Network VPN - What's right for me?

Create the Network

In my previous post, Creating Dev and Test Environments with Windows PowerShell, I showed an example of an XML configuration file for an Azure virtual network.  I used a simple network with three subnets.  One of the elements in that XML file is an additional gateway subnet.  When you create a virtual network, you can choose to configure a point-to-site VPN.

image

When you configure the subnets, you can then add a gateway subnet.

image

I’m lazy and I cheated.  I created the network using this wizard, and then exported the virtual network.  Who likes authoring XML documents directly, anyway?

image

Exporting your new network results in an XML file that looks like this:

NetworkConfig.xml

  <!-- The namespace URIs are identifiers and must match the schema exactly (http, not https) -->
  <NetworkConfiguration xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
    <VirtualNetworkConfiguration>
      <Dns />
      <VirtualNetworkSites>
        <VirtualNetworkSite name="kirketestvnet-southcentral" Location="South Central US">
          <AddressSpace>
            <AddressPrefix>10.0.1.0/24</AddressPrefix>
          </AddressSpace>
          <Subnets>
            <Subnet name="Subnet-1">
              <AddressPrefix>10.0.1.0/27</AddressPrefix>
            </Subnet>
            <Subnet name="Subnet-2">
              <AddressPrefix>10.0.1.32/27</AddressPrefix>
            </Subnet>
            <Subnet name="Subnet-3">
              <AddressPrefix>10.0.1.64/26</AddressPrefix>
            </Subnet>
            <!-- The gateway subnet must be named exactly "GatewaySubnet" -->
            <Subnet name="GatewaySubnet">
              <AddressPrefix>10.0.1.128/29</AddressPrefix>
            </Subnet>
          </Subnets>
          <Gateway>
            <!-- Address range handed out to point-to-site clients; must not overlap the VNet address space -->
            <VPNClientAddressPool>
              <AddressPrefix>10.0.0.0/24</AddressPrefix>
            </VPNClientAddressPool>
            <ConnectionsToLocalNetwork />
          </Gateway>
        </VirtualNetworkSite>
      </VirtualNetworkSites>
    </VirtualNetworkConfiguration>
  </NetworkConfiguration>

If you have an existing network and want to add a point-to-site VPN to it, simply export the XML configuration, add the gateway subnet and the VPNClientAddressPool nodes, and then import the configuration file.
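Before importing a hand-edited configuration, it is worth checking that the nodes you added are consistent with the rest of the file. The following script is an added example, not code from the post: it parses the exported NetworkConfig.xml and verifies that every subnet lies inside the address space without overlapping another, that a subnet named GatewaySubnet exists, and that the VPNClientAddressPool does not overlap the VNet. The /29 minimum for the gateway subnet is an assumption taken from the size the post uses.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Namespace of the classic Azure network configuration schema, as in the page's XML.
NS = {"nc": "http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration"}

# Constructed sample: the post's exported NetworkConfig.xml, condensed to the relevant nodes.
SAMPLE_XML = """<NetworkConfiguration xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
<VirtualNetworkConfiguration><VirtualNetworkSites>
<VirtualNetworkSite name="kirketestvnet-southcentral" Location="South Central US">
<AddressSpace><AddressPrefix>10.0.1.0/24</AddressPrefix></AddressSpace>
<Subnets><Subnet name="Subnet-1"><AddressPrefix>10.0.1.0/27</AddressPrefix></Subnet>
<Subnet name="Subnet-2"><AddressPrefix>10.0.1.32/27</AddressPrefix></Subnet>
<Subnet name="Subnet-3"><AddressPrefix>10.0.1.64/26</AddressPrefix></Subnet>
<Subnet name="GatewaySubnet"><AddressPrefix>10.0.1.128/29</AddressPrefix></Subnet></Subnets>
<Gateway><VPNClientAddressPool><AddressPrefix>10.0.0.0/24</AddressPrefix></VPNClientAddressPool></Gateway>
</VirtualNetworkSite></VirtualNetworkSites></VirtualNetworkConfiguration></NetworkConfiguration>"""

def check_p2s_config(xml_text):
    """Return the problems found in each site's P2S-related nodes (empty list means OK)."""
    problems = []
    for site in ET.fromstring(xml_text).iterfind(".//nc:VirtualNetworkSite", NS):
        name = site.get("name")
        spaces = [ipaddress.ip_network(p.text) for p in site.iterfind("nc:AddressSpace/nc:AddressPrefix", NS)]
        subnets = [(s.get("name"), ipaddress.ip_network(s.find("nc:AddressPrefix", NS).text))
                   for s in site.iterfind("nc:Subnets/nc:Subnet", NS)]
        # Each subnet must lie inside a VNet address prefix, and subnets must not overlap each other.
        for i, (sname, net) in enumerate(subnets):
            if not any(net.subnet_of(space) for space in spaces):
                problems.append(f"{name}: subnet {sname} {net} is outside the address space")
            for oname, other in subnets[i + 1:]:
                if net.overlaps(other):
                    problems.append(f"{name}: subnets {sname} and {oname} overlap")
        # The gateway needs a subnet literally named GatewaySubnet; the post's /29 is assumed to be the minimum.
        gw = dict(subnets).get("GatewaySubnet")
        if gw is None:
            problems.append(f"{name}: no GatewaySubnet defined")
        elif gw.prefixlen > 29:
            problems.append(f"{name}: GatewaySubnet {gw} is smaller than /29")
        # P2S clients draw addresses from VPNClientAddressPool, which must not overlap the VNet.
        pools = [ipaddress.ip_network(p.text)
                 for p in site.iterfind("nc:Gateway/nc:VPNClientAddressPool/nc:AddressPrefix", NS)]
        if not pools:
            problems.append(f"{name}: no VPNClientAddressPool defined")
        for pool in pools:
            for space in spaces:
                if pool.overlaps(space):
                    problems.append(f"{name}: client pool {pool} overlaps address space {space}")
    return problems
```

Run it against the file you are about to import; an empty list means the nodes are consistent, otherwise each entry names the site and the offending prefix.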

Create the Gateway

Now that you’ve created the virtual network and the gateway subnet, it’s time to create the gateway itself.  In the Azure Management Portal (https://manage.windowsazure.com), go to the dashboard view of your VNet and click “Create Gateway”. 

image

While the gateway is being created, the status will look similar to this:

image

This process takes some time to complete (expect around 30 minutes).  In the meantime, start on the next step: creating certificates.

Creating Certificates

Client authentication for the point-to-site connection is certificate based: you create a self-signed root certificate, upload it to Azure, and issue client certificates from it.  If you are reading this blog, there is a high likelihood that you are a developer with Visual Studio installed.  If not, install Microsoft Visual Studio Express 2013 for Windows Desktop, which is free of charge.  In Windows 8, go to the Start screen, open the charm bar, and click Settings.  Enable the “Show administrative tools” option.

image

Now go to the all apps view and look for the Visual Studio Tools folder.

image

In that folder you will find the Visual Studio 2013 command prompt (thankfully, this is much easier to locate in Visual Studio 2015!).

image

Right-click and run as Administrator.

Now that we have the command prompt open, we can create two certificates using the following commands:

Create Certificates

  rem Self-signed root certificate (2048-bit RSA), placed in the current user's Personal store and written out as a .cer file
  makecert -sky exchange -r -n "CN=DevOpsDemoRootCert" -pe -a sha1 -len 2048 -ss My "DevOpsDemoRootCert.cer"

  rem Client certificate issued from that root (-in/-is), valid for 96 months, with an exportable private key
  makecert.exe -n "CN=DevOpsDemoClientCert" -pe -sky exchange -m 96 -ss My -in "DevOpsDemoRootCert" -is my -a sha1

Once you’ve created the certificates, upload the root certificate to the management portal.

image

The result shows the certificate has been uploaded.

image

The client certificate depends on the root certificate.  We will export the client certificate and choose whether we want to use a password or a group to provide access to the certificate.  Open certmgr.msc.

image

Navigate to Certificates – Current User / Personal / Certificates.  Right-click on the client certificate that you just created and choose export. 

image

Follow the directions to export the client certificate, including the private key.  The result is a .pfx file containing that private key; you will distribute the .pfx file to each machine where the client will be installed.

Right-click on the .pfx file and choose Install.  Leave the installation location as Current User, and provide the password when prompted.

image

Click finish, and the certificate is now installed.

Create the VPN Client Configuration Package

Go back to the Azure Management Portal.  You may need to refresh the page to get the most current status.  Once the gateway is created, it looks like this:

image

Now click on the link to download the 32-bit or 64-bit client VPN package.

image

When you download, the file name will be a GUID.  Feel free to save as whatever file name you want.

image

Right-click the .EXE file and choose Properties.  On the Properties page, choose Unblock.

image

Now double-click the .EXE to run it.  You are asked if you want to install the VPN client.

image

Test It Out

Now that everything is wired together, the last thing to try is to actually VPN in.  Connect to the VPN client.

image

Now that we’re connected, run a simple ping test and see that it fails.

image

It fails because the Windows firewall in the VM itself is blocking the communication.  When we created the VM, a public endpoint for Remote Desktop connections was created.  That would connect us through the cloud service name, which in my case is kirketestDEV.cloudapp.net.  However, we are already connected to the network, so we don’t have to use that endpoint.  Just open a new remote desktop connection and connect to the private IP address of the machine, 10.0.1.4.

image

We connect to the VM using Remote Desktop and enable the Windows Firewall inbound rule for ICMP ping.  

image

Now go back to the console window and try the ping test again.  It works!

image

We were able to set up a point-to-site connection to our VNet.  I frequently use this approach while demonstrating virtual networks when I am on the road traveling because I can connect to the network from anywhere, even hotel or conference wireless connections.  I can now introduce the idea of a VPN connection and show exactly what to expect. 

Clean Up

I am using my MSDN subscription for this, which gives me $150 worth of Azure credits per month.  When we created the dynamic routing gateway (the process that took 30 minutes), that created a network resource that is billable.  Looking at the VPN Gateway Pricing page, I can see that the cost for the dynamic routing gateway is $0.036 US per hour, which is around $27 per month. 

image

While that still leaves me with plenty of room for other projects, I may not want or need that gateway in my MSDN subscription all month if I am just using it for a demo.  Just go back to the virtual network’s dashboard and delete the gateway.  Of course, the next time you need it you will have to create the gateway again and suffer the 30 minute wait, but that’s kind of a small operational price to pay for something that is so incredibly cool and convenient.

For More Information

ExpressRoute or Virtual Network VPN - What's right for me?

Configure a Virtual Network with a Site-to-Site VPN Connection

Configure a Point-to-Site VPN connection to an Azure Virtual Network.

VPN Gateway Pricing