Azure Point-to-Site VPN

Azure Point-to-Site (P2S) VPN allows you to create a secure connection to your Azure virtual network from an individual client computer. It is ideal for telecommuters who need to connect to Azure virtual networks from remote locations, such as from home or a conference.

Core Functionality

  1. VPN Gateway Configuration: Set up a VPN gateway in the Azure portal. Configure the gateway for Point-to-Site connections, specifying the appropriate tunnel type (e.g., OpenVPN, SSTP, or IKEv2) and authentication method (e.g., certificate, Microsoft Entra ID, or RADIUS).
  2. Client Configuration: Download and install the Azure VPN Client on the remote workers’ devices. Configure the client with the necessary VPN profile settings, which can be obtained from the VPN gateway configuration.
  3. Authentication: Ensure that the chosen authentication method is supported by the VPN client. For example, if using Microsoft Entra ID, configure the VPN client to authenticate with Microsoft Entra ID (formerly Azure Active Directory) credentials.
  4. Connection Establishment: Remote workers can establish a secure connection to the Azure virtual network by starting the VPN client on their devices. The VPN client will authenticate the user and establish the connection.
  5. Monitoring and Management: Use Azure Monitor to track the performance and health of the VPN connections. Set up alerts to notify you of any issues, ensuring proactive management of the remote access solution.

Pricing

Azure Point-to-Site VPN offers a cost-effective solution for remote access, with a pay-as-you-go pricing model. You only pay for the resources you use, making it a budget-friendly option.

Protocol options

OpenVPN | an SSL/TLS based VPN protocol. A TLS VPN solution can penetrate firewalls, since most firewalls open TCP port 443 outbound, which TLS uses. OpenVPN can be used to connect from Android, iOS (versions 11.0 and above), Windows, Linux, and Mac devices (macOS versions 10.13 and above).

Secure Socket Tunneling Protocol (SSTP) | a proprietary TLS-based VPN protocol. A TLS VPN solution can penetrate firewalls, since most firewalls open TCP port 443 outbound, which TLS uses. SSTP is only supported on Windows devices. Azure supports all versions of Windows that have SSTP and support TLS 1.2 (Windows 8.1 and later).

IKEv2 VPN | a standards-based IPsec VPN solution. IKEv2 VPN can be used to connect from Mac devices (macOS versions 10.11 and above).

Authentication options

Azure certificate | uses a certificate present on the connecting device to authenticate the user. The client certificate is issued from a trusted root certificate and then installed on the device. The root can come from an enterprise PKI or be self-signed. The client certificate is validated against the root on the VPN gateway when the connection is established, so the root certificate's public data must be present on the VPN gateway.
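The following script is an added example and is not from this page or from Microsoft. It walks through the certificate-authentication flow for the Core Functionality steps above: it generates a self-signed root certificate and a client certificate signed by it with openssl (that part runs offline), checks that the client certificate chains to the root and carries the client-authentication EKU the gateway expects, extracts the root's public data in the form the gateway needs, and, only when `DEPLOY=1` is set and a logged-in Azure CLI is available, enables Point-to-Site on an existing route-based gateway, uploads the root and generates the client profile package. The resource group and gateway names (`rg-placeholder`, `gw-placeholder`), the client address pool, the certificate subject names and the PFX password are assumptions and placeholders.

```shell
#!/usr/bin/env bash
# Added example (not the page's or Microsoft's code): certificate-based P2S setup.
# Part 1 runs offline with openssl; part 2 needs DEPLOY=1 and an `az login` session.
set -euo pipefail

# Generate a self-signed root CA and a client certificate signed by it into $1.
# The root's private key stays with the administrator; only the root's public
# certificate is uploaded to the gateway, which uses it to validate client certs.
make_p2s_certs() {
  local dir="$1"
  mkdir -p "$dir"
  # Minimal openssl config so the result does not depend on the system openssl.cnf.
  cat > "$dir/p2s.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = P2SRootCert
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[client_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  # Root certificate (placeholder subject), valid 10 years, RSA 2048 for broad client support.
  openssl req -x509 -config "$dir/p2s.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
    -subj "/CN=P2SRootCert" -days 3650 -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null
  # Client key + CSR (placeholder subject), then signed by the root with the clientAuth EKU.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=P2SChildCert" \
    -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
    -CAcreateserial -days 365 -extfile "$dir/p2s.cnf" -extensions client_ext \
    -out "$dir/client.crt" 2>/dev/null
  # PKCS#12 bundle for import into the user's certificate store (placeholder password).
  openssl pkcs12 -export -in "$dir/client.crt" -inkey "$dir/client.key" \
    -certfile "$dir/root.crt" -passout pass:CHANGE-ME -out "$dir/client.pfx"
}

# Root public certificate data as the gateway expects it: base64 DER with no PEM armor.
root_public_cert_data() {
  sed '1d;$d' "$1/root.crt" | tr -d '\n'
}

# Does the client certificate chain to the root? This is the check the gateway
# performs at connection time against the uploaded root.
client_cert_chains_to_root() {
  openssl verify -CAfile "$1/root.crt" "$1/client.crt" >/dev/null 2>&1
}

# Does the client certificate carry the client-authentication EKU?
client_cert_has_client_auth_eku() {
  openssl x509 -in "$1/client.crt" -noout -text 2>/dev/null \
    | grep -q 'TLS Web Client Authentication'
}

# Part 2: enable P2S on an existing route-based VPN gateway with the Azure CLI.
configure_p2s_gateway() {
  local rg="$1" gw="$2" certdir="$3"
  # Step 1: client address pool and tunnel types (placeholder pool).
  az network vnet-gateway update -g "$rg" -n "$gw" \
    --address-prefixes 172.16.201.0/24 --client-protocol IkeV2 OpenVPN
  # Upload the root's public data; the gateway trusts client certs that chain to it.
  az network vnet-gateway root-cert create -g "$rg" --gateway-name "$gw" \
    -n P2SRootCert --public-cert-data "$(root_public_cert_data "$certdir")"
  # Step 2: produce the client profile package URL for the Azure VPN Client.
  az network vnet-gateway vpn-client generate -g "$rg" -n "$gw" --authentication-method EAPTLS
}

WORKDIR="$(mktemp -d)"
make_p2s_certs "$WORKDIR"
client_cert_chains_to_root "$WORKDIR" && echo "client certificate chains to root"
client_cert_has_client_auth_eku "$WORKDIR" && echo "client certificate has clientAuth EKU"
echo "root public cert data (upload to gateway): $(root_public_cert_data "$WORKDIR" | cut -c1-40)..."
if [ "${DEPLOY:-0}" = "1" ]; then
  configure_p2s_gateway "${RG:-rg-placeholder}" "${GW:-gw-placeholder}" "$WORKDIR"
fi
```

Run it as-is to produce and check the certificates locally; set `DEPLOY=1 RG=<group> GW=<gateway>` to also push the configuration to an existing gateway. Keeping `root.key` off the client devices matters: anyone holding it can mint certificates that the gateway will accept, so treat it like any other CA key and revoke client certificates on the gateway (by thumbprint) when a device is lost.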

Azure Active Directory user | uses a user profile in Azure Active Directory (now Microsoft Entra ID). Native Azure AD authentication is only supported by OpenVPN for Windows 10/11 and requires the use of the Azure VPN Client. Using this option adds the availability of Azure AD Conditional Access and MFA.

Active Directory user | allows the user to authenticate with their traditional Active Directory credentials. It requires a new or existing RADIUS service that is integrated with the domain. The RADIUS service can be on-premises or in Azure. During the connection the VPN gateway acts as a pass-through and forwards authentication messages back and forth between the connecting device and the RADIUS server. This means the RADIUS server and VPN gateway must be able to communicate, so for simplicity locate the RADIUS server in Azure; otherwise you'll need a site-to-site VPN for the RADIUS server to reach the VPN gateway. The RADIUS server can also use AD CS (Active Directory Certificate Services), allowing the use of corporate certificates via RADIUS rather than the VPN gateway. Lastly, the RADIUS server can also use external IdP systems, so you could add MFA.

Resources

Azure Point-to-Site VPN Overview

Configure VPN gateway for Point-to-Site connections


Last modified February 19, 2025: Update azure-point-to-site-vpn.md (a9c807a)