Posted on Apr 9, 2015 in #Azure

Let’s create a secure connection between our local environment and our Azure Roles (i.e. Virtual Machines, Cloud Service Roles). To do this we will use an Azure Virtual Network and a Point-to-Site VPN connection. In this post, I will use a Virtual Machine as the role that I wish to establish a secure connection with.

Create a Virtual Network

Head to the preview Azure portal (https://portal.azure.com/), tap the New button, find the Networking tab and choose Virtual Network.

Name your virtual network and tap the Address Space tab. You'll need to specify the address space from which the virtual network will allocate IP addresses. For further partitioning, name the subnet and specify the subnet address space.

Finalize this part of the configuration by selecting a resource group, your subscription and the location of your virtual network.

Create a Virtual Machine

Next up, click the New button and find an OS image of your choice in the Compute tab. I’ll be using a Windows Server 2012 R2 Datacenter image.

Configure your virtual machine as you'd like; the important part is to open Optional Configuration and locate the Network settings. Pick your virtual network and subnet.

Additionally, I will pick an internal IP address (within the subnet address space) for my virtual machine – as I’d like to access it using a static IP address in my local environment.

I will not configure any public endpoints for the virtual machine as it will be accessed through the VPN connection only.

Once your configuration is set, create the virtual machine and wait for it to be ready.

Create a Point-to-Site VPN Gateway

Alright, let's go ahead and create the VPN gateway. Open the page of your virtual network in the preview Azure portal; if you click the VPN connections tile, you'll be able to configure a Point-to-Site VPN (and its gateway).

Choose Point-to-Site as the connection type and define the address space to be handed out to the VPN clients. Also mark the checkbox for creating the gateway immediately; with that, the gateway configuration page becomes available. Adjust the gateway subnet and size property to your liking.

It will take a couple of minutes for your gateway to become ready; move on to creating the VPN certificates in the meantime.

Create Point-to-Site VPN connection certificates

We will be using certificates for the VPN connection authentication. A great tool for making certificates is makecert.exe (https://msdn.microsoft.com/en-us/library/bfsktky3%28v=vs.110%29.aspx).

Using makecert.exe, run the following command to generate a root certificate:

makecert.exe -sky exchange -r -n "CN=[root certificate name]" -pe -a sha1 -len 2048 -ss My "[root certificate name].cer"

Also, generate a client certificate on your machine:

makecert.exe -n "CN=[client certificate name]" -pe -sky exchange -m 96 -ss My -in "[root certificate name]" -is my -a sha1
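
Before uploading anything, it is worth confirming that the two makecert.exe commands produced what the VPN expects. The PowerShell below is an added check, not part of the original post: it assumes the placeholder names $RootName and $ClientName match what you passed to makecert.exe, verifies that the client certificate chains to the self-signed root and has a private key, and writes the root's public part to a DER .cer file for the upload.

```powershell
# Added example (not from the original post): check the makecert.exe output
# before uploading the root certificate to the Point-to-Site configuration.
# Assumption: $RootName and $ClientName are the placeholders you used above.
$RootName   = 'P2SRootCert'    # [root certificate name]
$ClientName = 'P2SClientCert'  # [client certificate name]
$Store      = 'Cert:\CurrentUser\My'   # makecert -ss My (no -sr) stores certs here
$ExportPath = Join-Path $env:USERPROFILE "$RootName.cer"
$X509       = 'System.Security.Cryptography.X509Certificates'

$root   = Get-ChildItem $Store | Where-Object { $_.Subject -eq "CN=$RootName" }   | Select-Object -First 1
$client = Get-ChildItem $Store | Where-Object { $_.Subject -eq "CN=$ClientName" } | Select-Object -First 1
if (-not $root -or -not $client) { throw "Root or client certificate not found in $Store" }

# The root must be self-signed and must be the issuer of the client certificate.
if ($root.Issuer -ne $root.Subject)   { throw 'Root certificate is not self-signed' }
if ($client.Issuer -ne $root.Subject) { throw "Client issuer '$($client.Issuer)' is not the root" }
if (-not $client.HasPrivateKey)       { throw 'Client certificate has no private key; the VPN client cannot use it' }

# Build the chain locally. The root lives in a personal store, not a trusted root
# store, so tolerate an unknown anchor but still fail on expiry, a bad signature
# or any other status; hand the root to the engine so the lookup is deterministic.
$chain = New-Object "$X509.X509Chain"
$chain.ChainPolicy.ExtraStore.Add($root) | Out-Null
$chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
if (-not $chain.Build($client)) {
    throw ('Chain build failed: ' + (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '))
}
$anchor = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($anchor.Thumbprint -ne $root.Thumbprint) { throw 'Client chain does not end at the expected root' }

# Export only the public part of the root (DER .cer) for the Manage Certificate upload,
# then re-read the file to confirm it carries no private key and is the same certificate.
[System.IO.File]::WriteAllBytes($ExportPath, $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
$exported = New-Object "$X509.X509Certificate2" -ArgumentList $ExportPath
if ($exported.HasPrivateKey -or $exported.Thumbprint -ne $root.Thumbprint) { throw 'Exported .cer is not the public-only root' }

"Root   : {0}  valid until {1:u}" -f $root.Thumbprint, $root.NotAfter
"Client : {0}  valid until {1:u}" -f $client.Thumbprint, $client.NotAfter
"Upload : $ExportPath (public key only)"
```

The file written to $ExportPath is the one to upload in the next step; the client certificate stays in the personal store with its private key and is never uploaded.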

Grab the generated [root certificate name].cer file and head to the page of your virtual network in the preview Azure portal. Tap the VPN connections tile and then the Point-to-Site tile. In the upper menu, you’ll find a button named Manage Certificate – tap it!

On the page, tap the Upload button and upload your [root certificate name].cer file.

With that, you should be able to connect to the virtual network. Download the VPN Client (32/64 bit) file and run it to install the VPN connection on your machine; make sure the client certificate is installed on that machine first.

You can export the client certificate (using mmc.exe) if you need additional machines to connect to the virtual network resources. Remember to store the root certificate somewhere safe.

This is a great way of securing Azure resources that may only be accessed in a controlled manner.

Tada!

-Simon Jäger