Creating a Point to Site VPN connection to an Azure Resource Manager Virtual Network

I have been helping out on the MSDN forums and came across a post where a user was struggling to create a Point to Site (P2S) VPN connection to an Azure Resource Manager (ARM) Virtual Network – https://social.msdn.microsoft.com/Forums/azure/en-US/567b968e-aa50-4ee4-b554-af09c54a40e0/routing-in-azure-between-pointtosite-and-sitetosite-networks?forum=WAVirtualMachinesVirtualNetwork. At the time of writing it is not possible using the portal. I had a look at the ARM PowerShell commands and found the command
Set-AzureRmVirtualNetworkGatewayVpnClientConfig 
but failed to find any documentation. I set about the task of working out how to do this.

Gateway Subnet
The Virtual Network Gateway must connect to a subnet named GatewaySubnet. I created this using the portal. Yes, I know I could do this in PowerShell, but I often use the portal for a quick fix.

Certificates

Certificates are used to authenticate clients. You must have a root certificate and client certificate(s) that have been created using the root certificate. The root certificate is uploaded to Azure and the client certificate imported into the installed in the User’s personal store on the client machine.

The documentation that exists for creating a P2S VPN connection to a service manager virtual network details how to create these using makecerthttps://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-point-to-site-create/. This is the method I used, although if you have an Enterprise Certification Authority it would make sense to use that.

To upload the root certificate to Azure it must be exported in Base64 format:

If you then open the exported certificate in notepad you will see similar to the following:

The Add-AzureRmVpnClientRootCertificate PowerShell command requires the characters between the BEGIN and END certificate markers in a single string with no carriage returns.

The PowerShell

Here’s the PowerShell I used to create the gateways and P2S connection. Note it can take over 20 minutes for the gateway to successfully create. Be patient! At the end of the script the URL to download the VPN client is stored in the variable $packageUrl

# Must create a subnet called GatewaySubnet for the gateway to connect to prior to creating the gateway

$vnetname = "TestNetwork"

$rgname = "TestRG"

$region = "North Europe"

$clientpool = "192.168.10.0/24"

$RootCertName = "MyRootCert.cer"

$publicCertData = "<Replace_With_Your_Base64_Cert_Data>" #Export cert as Base64, and put data into single line.

#$publicCertData = "MIIDFDCCAgCgAwIBAgIQtCz5YGITP4ZMrYRvqfzKHTAJBgUrDgMCHQUAMB8xHTAbBgNVBAMTFFBvaW50VG9Qb2ludFJvb3RDZXJ0MB4XDTE1MDEwNjA5MTMzOVoXDTM5MTIzMTIzNTk1OVowHzEdMBsGA1UEAxMUUG9pbnRUb1BvaW50Um9vdENlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDONIScIVcbFGK/WojhRLyVtSFPhc67tKj2yDCUoaRyT8kfPAm5lvNL1WP5qWurd1ydbK/8hPGHWhkomeac6IEPd9IxmOHY3n6WfcAeCq6BcTDtvUdGSFEtB3gor0wZAIwehhmlAC9ZrdLdDRy3us1AxwJfxcoTZ4EbxKaM1HZGMTOE+2bvkvG+IshQULPScTVieLKLSZSYf57CdFl6OpoYScsrsuQuHNpSWb0kFwJwq83hWtjbojTkQyblcdI9jWG7nD0gb6Fe/BOkN8TtJ/il48X1eE5m3IpCKyU/RTzrumrtG1huwvYDqr1WzGOR5FJGtZtQxZjsg9BRepaOWB2DAgMBAAGjVDBSMFAGA1UdAQRJMEeAEGE1PUv6Gv4noBNem2xCw8ChITAfMR0wGwYDVQQDExRQb2ludFRvUG9pbnRSb290Q2VydIIQtCz5YGITP4ZMrYRvqfzKHTAJBgUrDgMCHQUAA4IBAQAEJCytWDQ9UzNl/vwT/xI+nkB/lRtRhUOKqsuCxa45PNQg6OFN4WwS+zaAZcg0UiJA324Bf4o8ivRXDML107smcakLJXPMJ7clvKga6QlG++6NwyRV6FIJnG8chxJlbxZNNVu2xmi0DZ2uqlzv8KNsLWkHuB6DjkVX82QYmPz9jjT3gTjtCML7bvJND0GTb2pEw4SAQD/h+tRaaaYETeUzQl0+wqk69/i7jQ8tKhZD5Xw38/SNU5gKp5bD4ofjFew6rfGhaPWPqRinsJ/PBYbE02rBU86NlTZ5Yvsg6sWvHTb+NVYbD0mJ7fPpKuFnNLAqyNC0kXBvfvOeCKV9U9hg"

#Login to Azure RM

Login-AzureRMAccount

# Get the Virtual Network

$vnet = Get-AzureRmVirtualNetwork -Name $vnetname -ResourceGroupName $rgname

#Create IP for the gateway

$GWIP = New-AzureRmPublicIpAddress -AllocationMethod Dynamic -ResourceGroupName $rgname -Location $region -Name GWIP1

#Get the gateway subnet

$GWSubnet = Get-AzureRmVirtualNetworkSubnetConfig -Name GatewaySubnet -VirtualNetwork $vnet

# Create GW Config

$GWIPConfig = New-AzureRmVirtualNetworkGatewayIpConfig -Name GWIPConfig -SubnetId $gwsubnet.Id -PublicIpAddressId $GWIP.Id

#Create Gateway

$gw = New-AzureRmVirtualNetworkGateway -Location $region -Name GW1 -ResourceGroupName $rgname -GatewayType Vpn -IpConfigurations $GWIPConfig -VpnType RouteBased

# Create client VPN config

Set-AzureRmVirtualNetworkGatewayVpnClientConfig -VirtualNetworkGateway $gw -VpnClientAddressPool $clientpool

# Create Root Cert

$rootCert = Add-AzureRmVpnClientRootCertificate -VpnClientRootCertificateName $RootCertName -PublicCertData $publicCertData -VirtualNetworkGatewayName $gw.Name -ResourceGroupName $rgname

#Get URL for VPN client - download the exe from here

$packageUrl = Get-AzureRmVpnClientPackage -ResourceGroupName $rgname -VirtualNetworkGatewayName $gw.Name -ProcessorArchitecture Amd64

19 Comments

  1. Ahmed IG

    Hey, thanks for the post.
    Am wondering how will the above change in case you have the VPN connection for only allowing web apps in the same subscription to connect to the Virtual network. In other words, I dont feel that I need a certificate or a public IP to have this. Am still struggling to know what should I leave out, and whether will the VPN connection work without the Public IP or not.

    What do you think?

    Reply
    1. Marcus (Post author)

      Hopefully I addressed this in the next post. 🙂

      Reply
  2. Jason

    Thanks, this helped me out a lot!

    Reply
    1. Marcus (Post author)

      Glad I could help!

      Reply
  3. Mile

    Hi
    Is there a way to add a point 2 site connection to an existing gateway using Resource Manager?

    Reply
    1. Marcus (Post author)

      Yes, you can use PowerShell to get the existing gateway and follow the script from “# Create client VPN config”. Hope that helps.

      Reply
      1. Mile

        Thanks for the reply. If I have a couple of site2site connections on this gateway, i should be able to add a point2site using the instructions at which point the client’s connecting to the cloud should be able to access services across the 2 site2sites as well?

        Reply
        1. Marcus (Post author)

          Hi Mike. I’ve not actually tried that, but I don’t see why not. I’m not sure if the P2S client VPN connection adds routes to the other S2S local sites. you might have to add some custom routes on the clients. Give it a try and let me know!

          Reply
  4. Tommy

    This is a excellent post, thank you, however when I run “Set-AzureRmVirtualNetworkGatewayVpnClientConfig -VirtualNetworkGateway $gw -VpnClientAddressPool $clientpool
    Set-AzureRmVirtualNetworkGatewayVpnClientConfig : A virtual network gateway SKU of Standard or higher is required for BGP support on virtual network gateway”
    Have you seen this before? I am a bit confused as I get this when trying to upload the root certificate as well. Trying to avoid upgrading the SKU to standard unless I really have to and I didn’t think BGP was supported on any Azure gateway anyway…

    Reply
    1. Marcus (Post author)

      Hi Tommy, afraid I haven’t seen that before. It could be that your IP range being provided has an issue. If you still have issues I would suggest posting full details here https://social.msdn.microsoft.com/Forums/en-US/home?forum=WAVirtualMachinesVirtualNetwork and send me a tweet @techdiction and I will take a look.

      Reply
    2. Marcus Carvalho

      Looks like newer PS module is broken, works with older versions.

      Reply
      1. Marcus (Post author)

        I'll give it a go when I have some time, maybe early next week.

        Reply
    3. Tim Mak

      I have BGP disabled on VNET GW, but I have the same error. If VNET gateway pricing plan is "Basic", you have this error. If I upgrade VNET GW SKU to "Standard" pricing plan, command Set-AzureRmVirtualNetworkGatewayVpnClientConfig is working. Support for P2S VPN is declared for "Basic" VNET gateway plan too, but is not working for Resource Manager VNET GW. Why??? To resize VPN Gateway SKU to Standard plan you can run: $Gateway = Get-AzureRmVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG Resize-AzureRmVirtualNetworkGateway -VirtualNetworkGateway $Gateway -GatewaySku Standard Keep in mind that the Basic an Standard GW have different prices. https://azure.microsoft.com/en-us/pricing/details/vpn-gateway/

      Reply
  5. Kwee

    Great post.  Followed the steps and everything appeared to go through, however, I am not sure where/how to retrieve the root and client certificates.  The package only creates the connection on the client but fails to launch because it could not find a corresponding certificate.  Please help.  Thanks.

     

    Reply
  6. Juan M Lopez

    Everything work fine, but when I try to dowloand de exe from the URL HTTP 404 error shows, can anyone knows why?

    Reply
  7. Jon Gateley

    This helped me immensly setting up a VPN gateway so we could integrate a web app with one of our Azure virtual networks.  Only amendment oin our environment I had to make to the above script was add in the cmdlet New-AzureRMVPNClientRootCertificate just below the first $publicCertData variable.

     

    $publicCertData = "<cert-data>" #Export cert as Base64, and put data into single line.
     
    $p2srootcert = New-AzureRmVpnClientRootCertificate -Name $RootCertName -PublicCertData $publicCertData

    # Get the Virtual Network

    Reply
  8. Andrew Snodgrass

    Marcus… Nice post.

    Most intelligent process I've seen on how to do this in resource manager mode.

    Follow up question, and please bear with me, as networking is not my speciality.

    The VPN works and I'm connected.

    ipconfig /all shows me just what I expect in the ppp area.

     

    However, I can't see any of my servers in the vnet, which I expected to see.

    A simple domain controller and and RDS VM.

    They were all created, prior to constructing the gateway.

    Any suggestions?

    Thanks…

    Reply
  9. Marcus (Post author)

    When you say "can't see" what do you mean? Ensure DNS is working as expected if using machine names.

    Reply
  10. Rob

    Thanks, so much easier to do than trawling through the official documentation.

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *