Let’s create a secure connection between our local environment and our Azure Roles (i.e. Virtual Machines, Cloud Service Roles). To do this we will use an Azure Virtual Network and a Point-to-Site VPN connection. In this post, I will use a Virtual Machine as the role that I wish to establish a secure connection with.
Create a Virtual Network
Head to the preview Azure portal (https://portal.azure.com/), tap the New button, find the Networking tab and choose Virtual Network.
Name your virtual network and tap the Address Space tab. You’ll need to specify the address space from which the virtual network will assign IP addresses. For further partitioning, name the subnet and specify the subnet address space.
Finalize this part of the configuration by selecting a resource group, your subscription and the location of your virtual network.
Create a Virtual Machine
Next up, click the New button and find an OS image of your choice in the Compute tab. I’ll be using a Windows Server 2012 R2 Datacenter image.
Configure your virtual machine as you’d like; the important part is to head into Optional Configuration and locate the Network settings. Pick your virtual network and subnet.
Additionally, I will pick an internal IP address (within the subnet address space) for my virtual machine – as I’d like to access it using a static IP address in my local environment.
I will not configure any public endpoints for the virtual machine as it will be accessed through the VPN connection only.
Once your configuration is set, create the virtual machine and wait for it to be ready.
Create a Point-to-Site VPN Gateway
Alright, let’s go ahead and create the VPN gateway. Open the page of your virtual network in the preview Azure portal; if you click the VPN connections tile, you’ll be able to configure a Point-to-Site VPN (and gateway).
Choose Point-to-Site as the connection type and define the address space to be used for the VPN clients. Also mark the checkbox for creating the gateway immediately – with that the gateway configuration page becomes available. Adjust the gateway subnet and size property to your liking.
It will take a couple of minutes for your gateway to become ready… move on to create the VPN certificates in the meantime.
Create Point-to-Site VPN connection certificates
We will be using certificates for the VPN connection authentication. A great tool for making certificates is makecert.exe (https://msdn.microsoft.com/en-us/library/bfsktky3%28v=vs.110%29.aspx).
Using makecert.exe, run the following command to generate a root certificate:
makecert.exe -sky exchange -r -n "CN=[root certificate name]" -pe -a sha1 -len 2048 -ss My "[root certificate name].cer"
Also, generate a client certificate on your machine:
makecert.exe -n "CN=[client certificate name]" -pe -sky exchange -m 96 -ss My -in "[root certificate name]" -is my -a sha1
Grab the generated [root certificate name].cer file and head to the page of your virtual network in the preview Azure portal. Tap the VPN connections tile and then the Point-to-Site tile. In the upper menu, you’ll find a button named Manage Certificate – tap it!
On the page, tap the Upload button and upload your [root certificate name].cer file.
With that you should be able to connect to the virtual network. Download the VPN Client (32/64 bit) file and run it to install the VPN connection on your machine; make sure the client certificate is installed in your personal certificate store.
You can export the client certificate (using mmc.exe) if you need additional machines to connect with the virtual network resources. Remember to store the root certificate somewhere safe.
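The certificate steps above (the two makecert.exe commands and the mmc.exe export), rewritten as one PowerShell script. This is an added example, not from the original post: it swaps in the New-SelfSignedCertificate cmdlet (PKI module on Windows 10 / Windows Server 2016 and later) for makecert.exe, and the certificate names and output folder are placeholders.

```powershell
# Added example: Point-to-Site VPN certificates with New-SelfSignedCertificate
# instead of makecert.exe. Names and output folder are placeholders.
$ErrorActionPreference = 'Stop'
$rootName   = 'P2SRootCert'      # placeholder, pick your own
$clientName = 'P2SClientCert'    # placeholder
$outDir     = "$env:USERPROFILE\Desktop"

# 1. Self-signed root used only to sign client certificates. Azure checks
#    client certificates against this root's PUBLIC key, so the root's
#    private key never has to leave this machine.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=$rootName" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyUsageProperty Sign -KeyUsage CertSign

# 2. Client certificate signed by the root, with the Client Authentication
#    EKU (OID 1.3.6.1.5.5.7.3.2) that the VPN client presents.
$client = New-SelfSignedCertificate -Type Custom -DnsName $clientName `
    -KeySpec Signature -Subject "CN=$clientName" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' -Signer $root `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')

# 3. Export the root's public certificate (.cer, no private key). This is
#    the file uploaded under Manage Certificate on the Point-to-Site page.
Export-Certificate -Cert $root -FilePath "$outDir\$rootName.cer" -Type CERT | Out-Null

# 4. Export the client certificate WITH its private key (.pfx) for any
#    additional machines; it is a credential, so password-protect it.
$pfxPwd = Read-Host -AsSecureString -Prompt 'PFX export password'
Export-PfxCertificate -Cert $client -FilePath "$outDir\$clientName.pfx" `
    -Password $pfxPwd | Out-Null

# 5. Sanity checks before touching the portal: the client certificate must
#    be issued by, and chain to, the root.
if ($client.Issuer -ne $root.Subject) { throw 'Client certificate is not issued by the root' }
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # self-signed root: no CRL exists
$chain.ChainPolicy.ExtraStore.Add($root) | Out-Null
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
if (-not $chain.Build($client)) { throw 'Client certificate does not chain to the root' }

"Root thumbprint (keep the root offline): $($root.Thumbprint)"
"Client certificate expires: $($client.NotAfter)"
```

Import the .pfx on each additional machine with Import-PfxCertificate into Cert:\CurrentUser\My; only the .cer ever goes to Azure.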
This is a great way of securing Azure resources that may only be accessed in a controlled manner.