Create an Azure Point to Site VPN using Azure AD Authentication



In this quick guide, we will run through the process of creating an Azure Point to Site VPN with Azure AD Authentication. Requests for this type of VPN are becoming more and more frequent as users work from home.

[Figure: Point-to-Site diagram]

To get started, I will create a new Resource group. This can be done from Azure Cloud Shell (PowerShell) with an account that holds Contributor or Owner on the subscription; Global Administrator rights in Azure AD are only needed later, for the admin-consent step.


Then run the following to create a new Resource group (Az module; the older AzureRM cmdlet New-AzureRmResourceGroup is retired and should not be used in new scripts).

New-AzResourceGroup -Name RSG-THATLAZYADMIN-VPNG -Location "southafricanorth"

The next step is to create a Virtual Network. We will create it in the Portal, and I will show the PowerShell command as well.

PowerShell to create the new Virtual Network (the resource group name must match the one created above):

New-AzVirtualNetwork -ResourceGroupName RSG-THATLAZYADMIN-VPNG -Name THATLAZY-VNET -AddressPrefix 10.1.0.0/16 -Location "southafricanorth"

To create a new Virtual network using the Portal, open the newly created resource group and click on the + sign to add a service.


In the Marketplace search box, type Virtual network.


Click on Create on the Virtual Network page.


Select a Resource Group and provide a name for the new Virtual network, then click Next: IP Addresses.


Provide the address space for the Virtual Network (10.1.0.0/16 in this example).


Then click on + Add Subnet, to add a new subnet to the Virtual Network.


Provide a name for the Subnet and a subnet range. This range will be used for the servers that VPN users need to reach.


Click on Ok at the bottom of the Subnet page. Back on the IP Addresses page, click on Review and Create at the bottom of the page to validate the configuration and create the new Virtual network with the subnet specified.


Click on Create to start the creation process.


Next, head over to the newly created VNET and add an additional subnet for the Gateway.

On the new VNET page, click on Subnets in the left-hand pane.


On the Subnets page, click on + Gateway subnet.


Provide an IP range for the gateway subnet. The subnet name is fixed to GatewaySubnet and cannot be changed; you can shrink the range, but keep it at /27 or larger so the gateway has room for later SKU changes. Click on Ok to complete the subnet creation.


Next we need to create a new Virtual Network Gateway. Click on + Add in the Resource group, type Gateway in the search box and select Virtual network gateway.

Click on Create to start the process.


Provide the following details to create the gateway.

  • Subscription: a valid subscription
  • Resource group: RSG-THATLAZYADMIN-VPNG
  • Region: South Africa North
  • Gateway type: VPN
  • VPN type: Route-based
  • SKU: VpnGw1 (the Basic SKU does not support the OpenVPN tunnel type or Azure AD authentication, so pick VpnGw1 or higher)
  • Generation: Generation1
  • Virtual network: select the newly created Virtual Network (THATLAZY-VNET)
  • Subnet: the GatewaySubnet is picked up automatically and is greyed out


In the next section, create a new Public IP address for the Gateway; this is the address VPN clients will connect to.

Then click on Review and Create. Gateway provisioning typically takes 30 to 45 minutes.

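The resource group, VNet, subnets, public IP and gateway from the steps above can also be created in one go from Cloud Shell. The following is an added example using the Az PowerShell module; it is not code from the original post. It assumes you are already signed in with Connect-AzAccount to a subscription where you hold Contributor, and it reuses the names and address ranges used in this guide (the public IP and gateway names are my own choice).

```powershell
# Added example (not from the original post): build the same resources with the Az PowerShell module.
# Assumptions: signed in via Connect-AzAccount with Contributor on the subscription, Az.Network installed.
$rgName   = 'RSG-THATLAZYADMIN-VPNG'
$location = 'southafricanorth'
$vnetName = 'THATLAZY-VNET'
$pipName  = 'THATLAZY-VPNGW-PIP'     # assumed name
$gwName   = 'THATLAZY-VPNGW'         # assumed name

# 1. Resource group
New-AzResourceGroup -Name $rgName -Location $location | Out-Null

# 2. VNet with a server subnet and the dedicated gateway subnet.
#    The gateway subnet must be named exactly 'GatewaySubnet'; /27 leaves headroom for SKU changes.
$serverSubnet  = New-AzVirtualNetworkSubnetConfig -Name 'Servers'       -AddressPrefix '10.1.1.0/24'
$gatewaySubnet = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.1.255.0/27'
$vnet = New-AzVirtualNetwork -ResourceGroupName $rgName -Name $vnetName -Location $location `
            -AddressPrefix '10.1.0.0/16' -Subnet $serverSubnet, $gatewaySubnet

# 3. Public IP the clients will connect to. Standard SKU / static allocation is what new
#    gateways require now that Basic public IPs are being retired.
$pip = New-AzPublicIpAddress -ResourceGroupName $rgName -Name $pipName -Location $location `
           -Sku Standard -AllocationMethod Static

# 4. Gateway IP configuration: binds the public IP to the GatewaySubnet.
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$ipConfig = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconfig' `
                -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id

# 5. Route-based VPN gateway, VpnGw1 Generation1 (Basic would not support OpenVPN/Azure AD).
#    This call blocks for the 30-45 minutes the gateway takes to provision.
$gw = New-AzVirtualNetworkGateway -ResourceGroupName $rgName -Name $gwName -Location $location `
          -IpConfigurations $ipConfig -GatewayType Vpn -VpnType RouteBased `
          -GatewaySku VpnGw1 -VpnGatewayGeneration Generation1

# Quick sanity check: the gateway should be Succeeded and the public IP should be populated.
[pscustomobject]@{
    Gateway  = $gw.Name
    State    = $gw.ProvisioningState
    PublicIp = (Get-AzPublicIpAddress -ResourceGroupName $rgName -Name $pipName).IpAddress
}
```

Run it once per environment; all of the cmdlets are idempotent enough that rerunning against an existing resource group will update rather than duplicate the VNet, but the gateway creation will fail if a gateway of the same name already exists.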

The next step is to configure the Point-to-site VPN. Navigate to the newly created VPN Gateway.

On the VPN gateway page, click on Point-to-site configuration under the Settings heading on the left-hand side.


Under Point-to-site configuration, click on Configure now.


On the Configuration page, provide the following.

  • Address pool: 172.10.1.0/24 in this example. This is the range VPN clients are assigned addresses from, and it must not overlap the VNet or any on-premises network. Note that 172.10.0.0/16 is public (non-RFC 1918) address space, so a private range such as 172.16.201.0/24 is the safer choice.
  • Tunnel type: OpenVPN (SSL)
  • Authentication type: Azure Active Directory

Under Azure Active Directory, you will need to provide the Tenant ID. This can be found under Azure Active Directory > Properties; copy the Tenant ID (older portal builds label it Directory ID).


Once you have copied the ID, head back to the P2S configuration page.

Under the Azure Active Directory settings add the following, replacing <Azure AD ID> with your tenant ID.

Tenant: https://login.microsoftonline.com/<Azure AD ID>/

Audience: 41b23e61-6c1e-4545-b367-cd054e0ed4b4 (this is the application ID of Microsoft's Azure VPN enterprise application in the Azure public cloud; use this value as-is)

Issuer: https://sts.windows.net/<Azure AD ID>/ (remember to add the trailing / after the Azure AD ID; authentication fails if the issuer string does not match exactly)


Click on Save at the top.


Next we need to grant admin consent so that the Azure VPN enterprise application can sign users in against Azure AD.

Sign in to https://portal.azure.com as a Global Administrator, then paste the following URL into the same browser session and press Enter.

https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent

You will see a prompt asking for admin approval. Click Accept to grant the Azure VPN application the permission it needs to authenticate users in your tenant. Consent is tenant-wide: by default any user in the directory can then authenticate to the gateway.


After a minute or two, open Azure Active Directory > Enterprise applications and you will see Azure VPN listed. Since consent alone lets every user in the tenant connect, consider setting "User assignment required" to Yes under the Azure VPN application's Properties and assigning only the users or groups that should use the VPN, and protect it with a Conditional Access policy (for example, require MFA).
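The Point-to-site settings and the post-consent state can also be applied and checked from PowerShell, which is useful because a typo in the tenant or issuer URI only shows up later as a failed sign-in on the client. The following is an added example with the Az module, not code from the original post. It assumes the gateway created earlier (gateway name is my own choice), that you are signed in with Connect-AzAccount, and that you replace the placeholder tenant ID with your own; it also uses an RFC 1918 client pool instead of the 172.10.1.0/24 shown in the portal screenshots.

```powershell
# Added example (not from the original post): apply and verify the Point-to-Site settings with Az PowerShell.
# Assumptions: gateway from the earlier steps exists under the names below; signed in via Connect-AzAccount;
# $tenantId is replaced with your own Tenant (Directory) ID.
$rgName   = 'RSG-THATLAZYADMIN-VPNG'
$gwName   = 'THATLAZY-VPNGW'                          # assumed gateway name
$tenantId = '00000000-0000-0000-0000-000000000000'    # placeholder: your tenant ID

# Well-known application ID of Microsoft's "Azure VPN" enterprise app (Azure public cloud);
# this is the Audience value from the guide.
$azureVpnAppId = '41b23e61-6c1e-4545-b367-cd054e0ed4b4'

# Client address pool: an RFC 1918 range that overlaps neither the VNet (10.1.0.0/16)
# nor any on-premises network. 172.10.1.0/24 from the screenshots is public address space.
$clientPool = '172.16.201.0/24'

$gw = Get-AzVirtualNetworkGateway -ResourceGroupName $rgName -Name $gwName

# Tunnel type OpenVPN, authentication Azure AD, with the tenant / audience / issuer triple.
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw `
    -VpnClientAddressPool  $clientPool `
    -VpnClientProtocol     OpenVPN `
    -VpnAuthenticationType AAD `
    -AadTenantUri  "https://login.microsoftonline.com/$tenantId/" `
    -AadAudienceId $azureVpnAppId `
    -AadIssuerUri  "https://sts.windows.net/$tenantId/" | Out-Null

# Read back what the gateway actually stored and compare with what we expect.
$cfg = (Get-AzVirtualNetworkGateway -ResourceGroupName $rgName -Name $gwName).VpnClientConfiguration
$checks = @(
    @{ Name = 'Pool';     Actual = ($cfg.VpnClientAddressPool.AddressPrefixes -join ','); Expected = $clientPool }
    @{ Name = 'Protocol'; Actual = ($cfg.VpnClientProtocols -join ',');                  Expected = 'OpenVPN' }
    @{ Name = 'Tenant';   Actual = $cfg.AadTenant.TrimEnd('/'); Expected = "https://login.microsoftonline.com/$tenantId" }
    @{ Name = 'Audience'; Actual = $cfg.AadAudience;            Expected = $azureVpnAppId }
    @{ Name = 'Issuer';   Actual = $cfg.AadIssuer;              Expected = "https://sts.windows.net/$tenantId/" }
)
foreach ($c in $checks) {
    $status = if ($c.Actual -eq $c.Expected) { 'OK  ' } else { 'FAIL' }
    '{0} {1,-9} {2}' -f $status, $c.Name, $c.Actual
}

# After admin consent the Azure VPN service principal exists in the tenant; without it sign-in fails.
$sp = Get-AzADServicePrincipal -ApplicationId $azureVpnAppId
if (-not $sp) { Write-Warning 'Azure VPN enterprise app not found in this tenant; grant admin consent first.' }

# Optional hardening (assumed parameter of Update-AzADServicePrincipal, Az.Resources 5.x or later):
# require explicit user/group assignment so only assigned identities can obtain a VPN token.
# Update-AzADServicePrincipal -ObjectId $sp.Id -AppRoleAssignmentRequired $true

# Generate and download the client profile (same zip as "Download VPN client" in the portal).
$clientProfile = Get-AzVpnClientConfiguration -ResourceGroupName $rgName -Name $gwName
Invoke-WebRequest -Uri $clientProfile.VpnProfileSasUrl -OutFile "$env:TEMP\vpnclient.zip"
Expand-Archive -Path "$env:TEMP\vpnclient.zip" -DestinationPath "$env:TEMP\vpnclient" -Force
Get-ChildItem "$env:TEMP\vpnclient" -Recurse -Filter 'azurevpnconfig.xml' | Select-Object FullName
```

The comparison loop is the part worth keeping in a runbook: every FAIL line points at a value the client will trip over, and the issuer check in particular catches the missing trailing slash that the portal instructions warn about.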

Once the above has been completed, head back to the Point-to-site configuration page and click on Download VPN client.

A zip file containing the client configuration will download. Extract it; the AzureVPN folder inside contains azurevpnconfig.xml, which is the profile the Azure VPN Client imports (it is a configuration file, not an installer).

Now that the configuration file has been downloaded, let's head over to the Microsoft Store to download the Azure VPN Client.

Go to : https://www.microsoft.com/en-us/p/azure-vpn-client/9np355qt2sqb?activetab=pivot:overviewtab


Click on Get to start the install.

Once the install is done, click on Launch.


At the bottom left of the Azure VPN Client window, click on the + sign to add a new connection.


Click on Import.


Navigate to the extracted azurevpnconfig.xml file and click on Open.


All the configuration information (server address, tenant, audience and issuer) will be filled in from the profile; click on Save.


Click on Connect to test the connection.


A sign-in prompt will open. Provide your organisational Azure AD credentials, and complete MFA if your Conditional Access policy requires it.


After signing in with valid Azure AD credentials, the Azure VPN Client will show Connected.


You can also see, on the right-hand side, the client address pool that was configured.


Hope this guide helps those who need to set up for remote work.

Happy Sharing.

#ThatLazyAdmin
