Azure Point-to-Site VPN with Certificate Based Authentication

In this video I'm going to show you how to set up a point-to-site VPN connection in Azure. Hello everyone, I'm Travis and this is Ciraltos. A while ago I did a video on setting up a site-to-site VPN connection between an Azure VNet gateway and a Routing and Remote Access server. Not everyone needs a dedicated VPN into their Azure network. This video shows another option of using a point-to-site VPN to connect to a host in Azure. Specifically, I go over how to deploy a basic gateway and enable certificate based authentication. Before that, please subscribe, like, share and click the bell icon to get a notification of new content.

Most Microsoft services don't require VPN connectivity. PaaS services such as Azure roles, App Services and Azure SQL are accessible and managed from the public Internet. Some services are not accessible from the Internet. For example, IaaS servers can be deployed without publicly accessible RDP or SSH access, or services that have been configured to prevent public access, private endpoints for example. Those require network connectivity to the private VNet. Some organizations connect their on-premises network to the Azure VNet using site-to-site VPN or ExpressRoute connections. In this configuration users can access Azure resources on the private VNet directly from their corporate network. How then do we allow network access when there's no site-to-site VPN or ExpressRoute in place? The solution is point-to-site connections into the Azure VNet.

Let's start with an overview. A VPN creates a secure tunnel to pass private network traffic over a public network. A point-to-site VPN is initiated by a single endpoint, a workstation in this case, and terminates at a gateway on the network, an Azure VNet gateway in this example. All resources on that remote network are available to the client by default; network controls may restrict that access, however. Azure point-to-site VPN connections support a number of different authentication methods. These authentication methods include certificate, either self-signed or from an enterprise certificate authority; RADIUS authentication with Windows Active Directory; and Azure AD authentication, which also supports MFA. Azure point-to-site VPN supports three VPN protocols. OpenVPN is an SSL/TLS based VPN. It works over standard TCP port 443 and it can be used with iOS, Android, Windows, Linux and Mac. Secure Socket Tunneling Protocol is a proprietary SSL based VPN that connects over TCP port 443. It's only supported on Windows clients. IKEv2 is a standards-based VPN. It can be used with Mac clients 10.11 or above. IKEv2 is not supported on the basic gateway.

In this video I go over deploying a basic gateway with certificate based authentication using a self-signed certificate. This is a good option for small environments and test labs. The basic gateway is the least expensive but comes with some limitations, such as it only supports Secure Socket Tunneling Protocol. That's fine for Windows environments, but it's not if there are mixed clients. Virtual network gateways come in different sizes and SKUs. Here's a chart of the different gateway sizes and features. There's an option to deploy VNet gateways to availability zones for high availability; those gateways are marked with the AZ at the end of the SKU. As you can imagine, the larger and more options the gateway, the higher the price. Check the pricing information from Microsoft's website for your region. The cost goes up along with the bandwidth and the number of tunnels with each version. Outbound data rates also apply.

A certificate is needed to authenticate the connection. This can be self-signed certificates or enterprise certificates. This example goes over using self-signed certificates. I'm going to use PowerShell to create a self-signed root certificate. The root certificate is used to generate one or more client certificates. The root certificate is uploaded to the gateway and used to authenticate clients. Let's walk through the process. The example coming up assumes you have an Azure subscription with a VNet in place. The steps we'll walk through include creating a VNet gateway, creating a root certificate, creating a client certificate from that root, exporting the certificates, configuring the gateway for point-to-site connections, configuring the client, and then finally we'll revoke a certificate to stop a client from connecting.

Here I am at the Azure portal, and if you go into Virtual networks we can see I have a West VNet that's already been deployed, so that's in place. Now I'm gonna set up a VNet gateway. I'll go to Create a resource and type in network gateway, and here is Virtual network gateway. I'll click Create. I'll leave the subscription as is. I'll give it a name, I'll call it West GW. Next I'll change the region to West US, that's the same region as the virtual network. I'll leave the gateway type as VPN, but notice there is the option for ExpressRoute. I'll leave the VPN type route based, and under SKU I'll select Basic. Basic is a limited feature VNet gateway, but it's a fraction of the cost of the next level, so this is what I use for my test lab. It's also good for demo environments and for dev environments, but it does lack some of the features that the other VNet gateways have. There's only one generation for Basic, so I'll leave it as Generation1. For Virtual network I will select West VNet. Now it asks me for a subnet range for the gateway subnet, and it only needs a couple of IP addresses, so I'm gonna do a couple of things. I'm going to change this to 254 and give it a slash 27. I don't need to allocate all 254 of those IP addresses, but if you don't care you can leave it as default; either way will work. I'll create a new public IP address and I'll call it West GW IP, and for this I'll leave Enable active-active mode and Configure BGP as disabled. Next, Tags, I'll leave that blank and go to Review and create. Validation passed, and now I'll hit Create. The deployment is underway. This will take 45 minutes, maybe even longer depending on how busy things are, but it is not a quick deployment, so I'm gonna pause here and I'll be getting back once it's done.

Okay, the virtual network gateway has been deployed. It did take close to an hour to finish. The next step is to generate the certificates. I'm gonna create a root certificate and then, based on that root certificate, create two client certificates. So the first thing I'll do is open up PowerShell as an administrator. I'm gonna run a New-SelfSignedCertificate command in PowerShell. This is gonna create the root certificate and put it in the certificate store for the user. I'll make this available on my blog, so just check the link below the video and you should be able to find the command there. Notice for this certificate I'm using West for the name just so I can tell the difference, because I already have a certificate for my Central VNet gateway in the Central region. You can name these anything you want. So now that that's done, I'll create the first client certificate. So this will be West P2S client cert one, and there's the thumbprint. Next I'll create the second one. You notice this has a different thumbprint. So with one root certificate you can create multiple client certificates and pass them out to different clients. That way they're not all using the same client cert. That's important, because if you have to revoke somebody's certificate you can just revoke the one client certificate without affecting the rest of the clients.

The next step is to open up the user's certificate store. This is the user store, not the local machine store. Let me just clear some of this out of here, there we go. Now if I go to personal certificates you'll see I have three certificates here. I've got the root cert and then two client certs. I've got a couple of others, again those are for other things, but only notice these ones that start with West. So the first thing I'm going to do is export the root certificate. I'll right-click, All Tasks, Export. I'll click Next. I'm not going to export the private key. I'll select Base-64 encoding for a .CER file. Then I'm gonna browse to the desktop. I'll call this West root certificate and save. Once I'm done, click Finish, and the export was successful. I'm using multiple monitors so you can't see it there, but it is exported. So with this I'm just going to quickly export that root certificate so I can get the cert and upload it to the VNet gateway, but you could also export the self-signed root cert with the private key to back it up somewhere safe. That way if this computer goes away you can add that root certificate to another computer and generate more client certs.

Now I'm going to export the first client cert. For this one we're going to do some different settings. We are going to export the private key. I'm going to use Personal Information Exchange, the .PFX extension. I'll leave Include all certificates and Enable certificate privacy. I'll give it a password, don't lose the password, and export to the desktop again. I'll do the same thing for the second cert. I'll export the private key, include all certificates in the path and enable certificate privacy. I'll give it a password. We'll name this one West client cert 2. There we go. Now I have those three certificates on the desktop. I'll move them over to the second monitor so we can see them. The first one I'm going to open with Notepad, and I'll copy everything between BEGIN CERTIFICATE and END CERTIFICATE. Make sure you get every character.

Next we're gonna add this to the gateway, so let's go back to the portal. I'm going to go to the resource, and in the gateway I'm going to Point-to-site configuration, Configure now. It will ask for an address pool. This is the IP address pool that clients will get when connected. The address pool is the dynamically assigned IP addresses for the client. Make sure it doesn't overlap with the IP space on the VNet or any other subnet the client may try to access, such as an on-premises network if you have a VPN or ExpressRoute between the VNet and your on-premises network. For this I'm going to use 172.16.1.0/24. For the name I'll call it West root cert, and under Public certificate data I'm just gonna paste in the information we copied from Notepad. So that's the certificate, and then click Save. I'll wait for that to finish saving. If this was a different SKU I'd have options for tunnel type and authentication type when setting up the VPN connection. This is a Basic SKU though, so the options are limited. It looks like that finished. Let's download the VPN client. It will take a minute or so to build that client and download it. There it goes, so this is finished. The gateway's deployed and the certificates have been uploaded.

Let's set up the client next. I have a virtual machine running. On this I'm gonna open up, I'm going to copy the two client certificates over. I don't need the root certificate for this. I'm also going to copy over that client. I could log in from this machine and download it from the portal, but I'm just going to copy it over. The first step is to unzip this client. There are three folders in there. One's Generic, and that's an XML document with settings for the client. I'm gonna go back, and there's a version for 32- and 64-bit. I'm going to go to the AMD64 version and run the client, and this will set up the client specifically for the VNet we deployed. Before I go on to the next step I'm just gonna open up the VPN connection, and here is West VNet. So now I can double-click on it and connect. Okay, so here it's saying that a certificate could not be found. Okay, I knew that would happen, because we didn't install the certificates. So let's go into West client certificate one. I'm just gonna double-click on that. I'm going to import it for the current user, everything's default. I have to enter in that password we used to secure the certificate, and the rest is default settings, and I'll click Yes to install the cert. Now if I come back and try to connect again, I'll click Connect, Continue, and now it's establishing a connection, and I'm connected.

So I'm gonna go to the portal. I have a VM running in West US connected to that VNet with an IP address of 10.1.0.4, so let's try to RDP to that. I'll click Connect, there it goes. If I go back to that VM you can see it has no public IP address, so I'm accessing this by its private IP address without exposing the RDP port to the Internet. Let me just minimize that. If I disconnect you can see it stops right away. If I connect again it will reconnect, there it goes.

So we used the first certificate for this. Let's go into the user certificate store. We go to personal certificates. If I open the certificate by double-clicking on it and go into the details, I'm looking for a thumbprint, so I'm gonna copy this thumbprint, then return to the portal, go to my virtual networks, West VNet, go to my gateway, Point-to-site configuration. I'm gonna call this client cert one and add that thumbprint. Now it doesn't like that because I have spaces in it, but I can pull them out. I will point out you can also pull that from PowerShell. So now it has the thumbprint and I'll click Save. Also notice we can see the allocated IP address, so that's the one client connected. I'll let that finish saving. Okay, so that's said and done, finished saving, and these saves do take a couple of minutes to run through, just be aware of that. Now we have the thumbprint for client cert one in the revoked certificates. Let's go back. We're connected, it didn't disconnect, but now let's disconnect and try reconnecting. Well, the authentication failed because the certificate is not valid. Good, that worked. So now this client can no longer connect. So let's do this, let's delete this and import the second certificate. Refresh over here, now we can see that client cert two is installed. Let me connect now. This was attempting to reconnect in the background, let's see if it reconnects. And again, this is just an RDP connection to a server back on the VNet, I'm just using this to test connectivity. You can see it connected.

So that's it. That's how you create the certificates, add the certificate to a client and to the VNet gateway, download the configuration file, install the client, connect to the VPN endpoint and revoke the certificate. That's it for the demo. I hope you found this video helpful. Don't forget to like, subscribe and click the bell icon for new content. Thanks for watching.
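The certificate steps in the walkthrough (root certificate, two client certificates, Base-64 export of the root, PFX export of the clients, thumbprint lookup, upload to the gateway and revocation) can be scripted end to end. The PowerShell below is an added example and is not the video's own command or the blog's script; it uses the standard New-SelfSignedCertificate and Az.Network cmdlets. The certificate names (WestP2SRootCert, WestP2SClientCert1/2), the gateway name WestGW, the root-certificate name WestRootCert and the resource group name rg-west-placeholder are assumptions; the address pool 172.16.1.0/24 is the one used in the video. It assumes Windows PowerShell with the PKI module, the Az.Network module installed and Connect-AzAccount already run.

```powershell
# Added example, not code from the video. Names marked below are assumptions.

# 1. Self-signed root certificate in the current user's personal store.
#    KeyUsage CertSign marks it as a CA so it can sign the client certificates.
$rootCert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=WestP2SRootCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyUsageProperty Sign -KeyUsage CertSign

# 2. Two client certificates signed by the root. The text extension sets the
#    Client Authentication EKU (1.3.6.1.5.5.7.3.2). One cert per user, so a
#    single user can be revoked later without affecting the others.
$clientCerts = 1..2 | ForEach-Object {
    New-SelfSignedCertificate -Type Custom -DnsName "WestP2SClientCert$_" -KeySpec Signature `
        -Subject "CN=WestP2SClientCert$_" -KeyExportPolicy Exportable `
        -HashAlgorithm sha256 -KeyLength 2048 `
        -CertStoreLocation "Cert:\CurrentUser\My" `
        -Signer $rootCert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
}

# 3. Root public key as Base-64: the same text that sits between the
#    BEGIN/END CERTIFICATE lines of a Base-64 .cer export. No private key here.
$rootPublicData = [Convert]::ToBase64String($rootCert.RawData)
Set-Content -Path "$env:USERPROFILE\Desktop\WestP2SRootCert.txt" -Value $rootPublicData

# 4. Client certs as password-protected PFX files, private key included, one
#    per user. The root's private key is never distributed.
$pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString
foreach ($c in $clientCerts) {
    $name = $c.Subject -replace '^CN=', ''
    Export-PfxCertificate -Cert $c -FilePath "$env:USERPROFILE\Desktop\$name.pfx" `
        -Password $pfxPassword | Out-Null
}

# 5. Thumbprints straight from the store (no spaces, as the portal requires),
#    for the revoked-certificates list.
$thumbprints = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object Subject -like 'CN=WestP2SClientCert*' |
    Select-Object Subject, Thumbprint

# 6. Gateway side (Az.Network). Resource group and gateway names are assumptions.
$rg = 'rg-west-placeholder'
$gw = 'WestGW'

# Address pool for connected clients; must not overlap the VNet or any
# on-premises range reachable through the gateway.
$gwObj = Get-AzVirtualNetworkGateway -Name $gw -ResourceGroupName $rg
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gwObj -VpnClientAddressPool '172.16.1.0/24' | Out-Null

# Upload the root certificate's public data so the gateway trusts certs it signed.
Add-AzVpnClientRootCertificate -VpnClientRootCertificateName 'WestRootCert' `
    -VirtualNetworkGatewayname $gw -ResourceGroupName $rg -PublicCertData $rootPublicData | Out-Null

# Revoke client 1 by thumbprint; client 2 keeps working.
$revoked = ($thumbprints | Where-Object Subject -eq 'CN=WestP2SClientCert1').Thumbprint
Add-AzVpnClientRevokedCertificate -VpnClientRevokedCertificateName 'ClientCert1' `
    -VirtualNetworkGatewayName $gw -ResourceGroupName $rg -Thumbprint $revoked | Out-Null
```

Gateway saves take a few minutes, as noted in the walkthrough, and an already-established tunnel is not dropped by a revocation; the revoked client is refused on its next connection attempt, which is what the reconnect test in the video demonstrates.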
