Create an Azure Point to Site VPN using Azure AD Authentication.
In this quick guide, we will run through the process of creating an Azure Point to Site VPN with Azure AD Authentication. Requests for this type of VPN are becoming more and more frequent as users work from home.
To get started, I will create a new Resource group. This can be done by launching Azure PowerShell as a Global Admin.
Then run the following to create a new Resource group.
New-AzureRmResourceGroup -Name RSG-THATLAZYADMIN-VPNG -Location "southafricanorth"
The next step is to create a Virtual Network. We will create it using the Portal, and I will show the PowerShell command as well.
PowerShell to create a new Virtual Network (in the resource group created above):
New-AzureRmVirtualNetwork -ResourceGroupName RSG-THATLAZYADMIN-VPNG -Name THATLAZY-VNET -AddressPrefix 10.1.0.0/16 -Location "southafricanorth"
To create a new Virtual network using the Portal, open the newly created resource group and click on the + sign to add a service.
In the Marketplace search box, type Virtual network.
Click on Create on the Virtual Network page.
Select a Resource Group and provide a name for the new Virtual network, then click Next: IP Addresses.
Provide an IP range.
Then click on + Add Subnet to add a new subnet to the Virtual Network.
Provide a name for the Subnet and create a subnet range; this range will be used for the servers.
Click on OK at the bottom of the Subnet page. Back on the IP Addresses page, click on Review + Create at the bottom of the page to validate the configuration and create the new Virtual network with the subnet specified.
Click on Create to start the creation process.
Next, we need to head over to the newly created VNET and add an additional subnet for the Gateway.
On the new VNET page, click on Subnets in the left-hand pane.
On the Subnets page, click on + Gateway subnet.
Provide an IP range for the gateway. You can reduce the IP range for the gateway subnet, but keep it at /27 or larger, which is the size Microsoft recommends for a gateway subnet; the subnet is always named GatewaySubnet. Click on OK to complete the subnet creation.
Next we need to create a new Virtual Network Gateway. To create the gateway, click on + Add in the Resource group and type Gateway in the search box.
Click on Create to start the process.
Provide the following details to create the gateway.
- Subscription Name – a valid subscription
- Resource Group – RSG-THATLAZYADMIN-VPNG
- Region – South Africa North
- Gateway Type – set this to VPN
- VPN Type – set this to Route-based
- SKU – VpnGw1
- Generation – Generation 1
- Virtual Network – select the newly created Virtual Network (THATLAZY-VNET)
- Subnet – the Gateway Subnet will automatically pull through and will be greyed out.
In the next section, you will need to create a new Public IP for the Gateway.
Then click on Review + Create.
The next step is to configure the Point to Site VPN. Navigate to the newly created VPN Gateway.
On the VPN gateway page, click on Point-to-site configuration under the Settings heading on the left-hand side.
Under Point-to-site configuration, click on Configure now.
On the configuration page, provide the following.
- Address Pool – 18.104.22.168/24
- Tunnel Type – OpenVPN (SSL)
- Authentication Type – Azure Active Directory
Under Azure Active Directory, you will need to provide your Directory (tenant) ID.
This can be found under Azure Active Directory > Properties; copy the Directory ID.
Once you have copied the ID, head back to the P2S configuration page.
Under the Azure Active Directory settings, add the following.
Tenant: https://login.microsoftonline.com/<Azure AD ID>
Audience: 41b23e61-6c1e-4545-b367-cd054e0ed4b4 (use this value; it is the application ID of the Azure VPN app)
Issuer: https://sts.windows.net/<Azure AD ID>/ (remember to add the trailing / after the Azure AD ID)
Click on Save at the top.
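The whole build-out above, from resource group to the Point to Site settings, as a single Az PowerShell script. This is an added example, not the post's own commands (which use the older AzureRm module); the tenant ID placeholder, the public IP and gateway names, the client address pool and the property names read back at the end are assumptions.

```powershell
# Added example, not from the original post: the same build-out with the current Az PowerShell
# module instead of the older AzureRm cmdlets the post shows. Resource names are the post's;
# the tenant ID placeholder, public IP / gateway names and the client address pool are assumed.
$rg       = "RSG-THATLAZYADMIN-VPNG"
$location = "southafricanorth"
$tenantId = "<Azure AD ID>"   # Directory ID from Azure Active Directory > Properties (placeholder)

New-AzResourceGroup -Name $rg -Location $location | Out-Null

# VNet with a server subnet plus the gateway subnet. The gateway subnet must be named
# exactly "GatewaySubnet"; /27 or larger is the size Microsoft recommends.
$serverSubnet  = New-AzVirtualNetworkSubnetConfig -Name "Servers"       -AddressPrefix "10.1.1.0/24"
$gatewaySubnet = New-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix "10.1.255.0/27"
$vnet = New-AzVirtualNetwork -ResourceGroupName $rg -Name "THATLAZY-VNET" -Location $location `
            -AddressPrefix "10.1.0.0/16" -Subnet $serverSubnet, $gatewaySubnet

# Public IP and IP configuration for the gateway (names are assumptions)
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name "THATLAZY-VPNGW-PIP" -Location $location `
            -AllocationMethod Dynamic
$gwSubnetId = (Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet).Id
$ipConfig = New-AzVirtualNetworkGatewayIpConfig -Name "gwipconfig" -SubnetId $gwSubnetId -PublicIpAddressId $pip.Id

# Route-based VPN gateway, VpnGw1, Generation 1 (provisioning typically takes 30-45 minutes)
$gw = New-AzVirtualNetworkGateway -ResourceGroupName $rg -Name "THATLAZY-VPNGW" -Location $location `
            -IpConfigurations $ipConfig -GatewayType Vpn -VpnType RouteBased `
            -GatewaySku VpnGw1 -VpnGatewayGeneration Generation1

# Point-to-site settings from the post: OpenVPN tunnel, Azure AD authentication, the Azure VPN
# app as audience, and the issuer with its trailing slash. The address pool is a constructed
# private range; it must not overlap the VNet or any on-premises range.
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw `
    -VpnClientAddressPool "172.16.201.0/24" `
    -VpnClientProtocol OpenVPN `
    -VpnAuthenticationType AAD `
    -AadTenantUri "https://login.microsoftonline.com/$tenantId" `
    -AadAudienceId "41b23e61-6c1e-4545-b367-cd054e0ed4b4" `
    -AadIssuerUri "https://sts.windows.net/$tenantId/" | Out-Null

# Read the configuration back and check the two settings that most often break AAD sign-in:
# the issuer must end with "/" and the authentication type must be AAD.
$p2s = (Get-AzVirtualNetworkGateway -ResourceGroupName $rg -Name "THATLAZY-VPNGW").VpnClientConfiguration
if ($p2s.AadIssuer -notlike "*/") { Write-Warning "Issuer URI is missing its trailing slash" }
if ($p2s.VpnAuthenticationTypes -notcontains "AAD") { Write-Warning "Gateway is not set to AAD authentication" }
$p2s | Select-Object VpnClientProtocols, VpnAuthenticationTypes, AadTenant, AadAudience, AadIssuer
```

The admin consent for the Azure VPN app (next step in the post) is still granted separately in the browser; the script only configures the gateway side.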
Next we need to authorise the Azure VPN app to authenticate users against Azure AD.
Open the Azure Admin Portal as a Global Administrator, then copy the following into a browser and press Enter. https://portal.azure.com
You will see the following prompt to provide admin approval. Click on Accept to grant the Azure VPN app the permission to Azure AD it needs for authentication.
After a minute or two, when you head over to the Azure Active Directory portal and click on Enterprise Applications, you will see Azure VPN listed under the apps.
Once the above has been completed, head back to the Point-to-site configuration page and click on Download VPN client.
A zip file with the VPN setup will download; extract it and you will find the configuration files inside.
Now that the configuration files have been downloaded, let's head over to the Microsoft Store to download the Azure VPN Client.
Click on Get to start the process.
Once the install is done, click on Launch.
At the bottom of the VPN client, click on the + sign to start a new configuration.
Click on Import.
Navigate to the downloaded configuration XML file and click on Open.
All the configuration information will pull through; then click on Save.
Click on Connect to test the connection.
A login prompt will open up; provide your organisation's Azure AD login details.
After signing in with the correct Azure AD user credentials, Azure VPN will show Connected.
You can also see on the right-hand side the VPN IP range which was configured.
Hope this guide helps those in need of setting up for remote work.