Friday, September 9, 2016

Step-by-step: Create a Point-to-Site VPN to Azure VNET using Azure Portal

Today I found out that setting up a Point-to-Site connection to an Azure VNET is, at this point, not straightforward and not documented accurately.
So let's assume we have set up a VNET in Azure and added a Virtual Network Gateway to it. Not much magic there; you can do it from the GUI.
The hardest part comes when you need to enable Point-to-Site connections on the gateway.

So here it is, step by step:
1. First, in the Azure Portal go to Virtual Network Gateways, select the desired gateway and then choose Point-To-Site Configuration.
2. Specify the address pool for VPN clients. There are no specific requirements there; just make sure the network range doesn't conflict with your other networks.
3. You have to create and upload a Root certificate, but there is no Upload button in the Portal, so we will have to do this with PowerShell. But first let's create the Root certificate.
4. Here is the documentation on how to create the certificates.
5. First download the Software Development Kit for Windows to get the MakeCert utility. For Windows 10 you can download it here.
6. Install only the Windows Software Development Kit component; the others are not necessary.
7. Create the Root certificate with the following command (self-signed, 2048-bit key, stored in the Current User's personal store and also written to TestVNETP2S.cer):
makecert -sky exchange -r -n "CN=TestVNETP2S" -pe -a sha1 -len 2048 -ss My "TestVNETP2S.cer"

This will create a certificate in Current User's store.

8. Export the certificate in Base-64 format without the private key. In my case I saved it as C:\Temp\TestVNETP2S.cer:

9. Upload the certificate using PowerShell. First connect to your Azure tenant and then run the following commands:

# Read the Base-64 export and drop its first and last lines (the -----BEGIN/END CERTIFICATE----- headers),
# leaving only the Base-64 body that the gateway expects as PublicCertData
$Text = Get-Content -Path C:\Temp\TestVNETP2S.cer
$CertificateText = for ($i = 1; $i -lt $Text.Length - 1; $i++) { $Text[$i] }

# Register the root on the gateway; the first parameter is a display name for the certificate,
# "Network" is the resource group the gateway lives in
$rootCert = Add-AzureRmVpnClientRootCertificate -VpnClientRootCertificateName "TestVNETP2S" -PublicCertData ($CertificateText | Out-String) -VirtualNetworkGatewayName $gw.Name -ResourceGroupName Network

where $gw.Name is your gateway's name.
After this you will see in Azure Portal that Root certificate has been uploaded.

10. Create a client authentication certificate using the command:
# -in / -is: sign with the TestVNETP2S root from the Current User's personal store; -m 96: valid for 96 months
makecert.exe -n "CN=YourName" -pe -sky exchange -m 96 -ss My -in "TestVNETP2S" -is my -a sha1

This will create another certificate in your Current User's certificate store. This certificate is used for authentication when you start the VPN client.

11. Download the VPN client, again from PowerShell:

# $RG is the resource group, $GWName the Virtual Network Gateway name
Get-AzureRmVpnClientPackage -ResourceGroupName $RG -VirtualNetworkGatewayName $GWName -ProcessorArchitecture Amd64

This command will output the download link, which you can paste into a browser to download the VPN installation package.
This package will set up the VPN connection in Windows.

12. And finally you can connect to the VPN and access your resources in the Azure VNET.
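As an added example (not from the original post), here is the root-certificate upload from step 9 done without hand-stripping the BEGIN/END lines, plus a sanity check that the file really is a self-signed root, and the matching revocation call for a client certificate from step 10. It assumes the AzureRM.Network module is loaded, you are already logged in, and the gateway and resource group names are placeholders you replace.

```powershell
# Added example; assumes AzureRM.Network is loaded and Login-AzureRmAccount has been run.
function Get-P2SRootCertData {
    param([Parameter(Mandatory)][string]$Path)
    # X509Certificate2 parses both DER and Base-64 .cer exports, so the result does
    # not depend on which export format was picked in step 8.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    if ($cert.Subject -ne $cert.Issuer) {
        throw "Not a self-signed root: subject '$($cert.Subject)', issuer '$($cert.Issuer)'"
    }
    if ($cert.HasPrivateKey) { throw "Export the root WITHOUT its private key before uploading" }
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Expires    = $cert.NotAfter
        # Single-line Base-64 of the DER bytes: exactly the body between the BEGIN/END headers
        PublicData = [Convert]::ToBase64String($cert.RawData)
    }
}

$rg     = 'Network'            # placeholder resource group
$gwName = '<your gateway name>' # placeholder gateway name
$gw     = Get-AzureRmVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg

$root = Get-P2SRootCertData -Path 'C:\Temp\TestVNETP2S.cer'
"Uploading root $($root.Thumbprint), valid until $($root.Expires)"
Add-AzureRmVpnClientRootCertificate -VpnClientRootCertificateName 'TestVNETP2S' `
    -PublicCertData $root.PublicData -VirtualNetworkGatewayName $gw.Name -ResourceGroupName $rg

# Lifecycle caveat: a client certificate issued from this root (step 10) keeps working until it
# expires or the root is removed. If a laptop is lost or a user leaves, block that one client
# by thumbprint on the gateway instead of rotating the root for everyone.
$client = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq 'CN=YourName' } | Select-Object -First 1
Add-AzureRmVpnClientRevokedCertificate -VpnClientRevokedCertificateName 'YourName-revoked' `
    -Thumbprint $client.Thumbprint -VirtualNetworkGatewayName $gw.Name -ResourceGroupName $rg
```

Afterwards the Point-to-Site blade shows the root under Root certificates and the client thumbprint under Revoked certificates, so both sides of the change are visible in the Portal.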