In this post, I’ll describe how to create a point-to-site VPN connection to Azure. I’ll create the virtual network and the virtual network gateway and configure the point-to-site connection using the Azure portal. I’ll also create a self-signed certificate for the VPN gateway and one for the Windows 10 client.
Connecting your client to Azure via VPN is certainly useful if you want to access Azure resources that are not publicly available (e.g. virtual machines). Another use case I have had several times was to test the connection from an App Service or Azure Function to my on-premise resources. When the app could reach my local client, it also meant that the connection from the App Service to the virtual network worked and that the basic network configuration of the VPN gateway was okay (without the need to create a virtual machine).
The required steps to connect your client via VPN to Azure are:
- Create Virtual network
- Create VPN gateway
- Configure Point-to-Site VPN
- Create certificate for VPN gateway
- Create certificate for the client
- Connect & Test
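The two certificate steps above, as an added PowerShell example that is not part of the original post: it creates a self-signed root certificate, a client certificate signed by that root, and exports only the root's public data for upload to the gateway. The certificate names (P2SRootCert, P2SChildCert) and output paths are assumptions.

```powershell
# Added example: self-signed root + client certificate for Azure point-to-site certificate authentication.
# Certificate names and output paths are assumptions, not taken from the original post.

# 1. Root certificate: the trust anchor the VPN gateway validates clients against.
#    Its private key is only needed to sign client certificates.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=P2SRootCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyUsageProperty Sign -KeyUsage CertSign

# 2. Client certificate chained to the root, with the Client Authentication EKU (1.3.6.1.5.5.7.3.2).
#    Issue one per user/device so a single thumbprint can later be revoked on the gateway.
$client = New-SelfSignedCertificate -Type Custom -DnsName "P2SChildCert" -KeySpec Signature `
    -Subject "CN=P2SChildCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -Signer $root `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

# 3. Export only the root's PUBLIC certificate (no private key) as the Base64 string the portal
#    expects in the "Root certificates" section of the point-to-site configuration.
$rootPublicB64 = [Convert]::ToBase64String($root.RawData)
Set-Content -Path "$env:USERPROFILE\P2SRootCert.b64.txt" -Value $rootPublicB64

# 4. Export the client certificate WITH its private key as a password-protected .pfx for the
#    Windows 10 client. Only this file travels to the client; the root's key stays where it is.
$pfxPassword = Read-Host -AsSecureString -Prompt "PFX password for the client certificate"
Export-PfxCertificate -Cert $client -FilePath "$env:USERPROFILE\P2SChildCert.pfx" `
    -Password $pfxPassword | Out-Null

# 5. Record thumbprints: the client thumbprint is what goes under "Revoked certificates" on the
#    gateway if that device is lost; the root thumbprint lets you check the uploaded data matches.
"Root   thumbprint: $($root.Thumbprint)"
"Client thumbprint: $($client.Thumbprint)"
```

Once all client certificates are issued, the root's private key is no longer needed on the day-to-day machine; keeping it offline limits who can mint new client certificates for the gateway.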
Let’s assume you have to read data from your on-premise network, e.g. from an SAP, ERP or other system. It could also be that you want to access the virtual machines in your virtual network.
How do you connect to your on-premise environment? The simple answer is: via VPN or ExpressRoute! But that’s only part of the job; first you also have to connect the App Service to your virtual network. Once the web app is in the virtual network, you have access to all resources in that network, virtual machines for example. If the virtual network is connected to your on-premise network, you can access those resources as well. This blog post is about how to connect the App Service to your virtual network and how to design the network. The VPN connection itself is not part of this blog post.
The connection between App Service, virtual network and on-premise network needs the following resources:
- App Service + Web App/API App/Logic App/Function/…
- Virtual network
- Virtual network gateway
- Point-to-Site VPN from Web App etc. to the virtual network gateway
- Local network gateway
- Site-to-Site VPN from Azure virtual network gateway to the local network gateway (VPN device)
There is a new feature available in Azure. It’s currently in public preview and was announced at the end of July (https://azure.microsoft.com/en-us/updates/public-preview-vnet-peering-for-azure-virtual-network/). It’s called VNet Peering and it allows you to connect two Azure virtual networks in the same region. You can even connect a classic virtual network to a Resource Manager virtual network. The peering is configured in the new portal.
This is really awesome because it helps us to connect a Resource Manager virtual machine with Azure Active Directory Domain Services. I already blogged about configuring the domain services (Configure Azure Active Directory Domain Services) and stated that this works only with classic virtual networks. This could be an issue if we create all virtual machines in Resource Manager mode. So let’s have a look at VNet peering and how to work with it: