PowerShell: Azure Point-to-Site Connectivity Step by Step

Point-to-site connectivity is the recommended way to connect to an Azure virtual network from a remote location, for example while traveling or working from a home office.

Point-to-Site native Azure certificate authentication connections require the following:

  • A route-based VPN gateway.
  • The public key (.cer file) for a root certificate, which is uploaded to Azure. Once the certificate is uploaded, it is considered a trusted certificate and is used for authentication.
  • A client certificate is generated from the root certificate. The client certificate is installed on each client computer that will connect to the VNet. This certificate is used for client authentication.
  • A VPN client is configured to connect to Azure VNet.

Point-to-site VPN supports two authentication mechanisms:

  • Certificate-based authentication. A digital certificate identifies a user, machine, or device before it is granted access to a resource, network, or application. For user authentication it is often combined with traditional methods such as username and password.

Public-key cryptography, or asymmetric cryptography, is an encryption scheme that uses two mathematically related but not identical keys, a public key and a private key. Unlike symmetric key algorithms, which rely on one key to both encrypt and decrypt, each key performs a unique function: what the public key encrypts only the private key can decrypt, and what the private key signs the public key can verify, which is how a client certificate proves possession of its private key. We can either use an internal or public certification authority (CA) or generate self-signed certificates. There are two steps involved here:

  1. Upload the public key of the root (representing your public key infrastructure [PKI] deployment or a self-signed one) to Azure. Because the VPN gateway is what is being protected, the root certificate is associated with the target virtual network that contains that gateway.
  2. Generate client certificates (typically one per user), either by relying on the same CA that you requested the root certificate from or by generating self-signed client certificates that reference the self-signed root certificate. Install the client certificates with their respective private keys in the private certificate store on client computers. Effectively, the VPN tunnel relies on the implicit trust between the client certificates on VPN client computers and the root certificate uploaded to the Azure VPN gateway.
  • RADIUS-based authentication to Active Directory or another RADIUS-capable identity provider. In this configuration, the Azure VPN gateway relays authentication requests and responses between the RADIUS server and VPN clients.

Planning for Point-to-Site Authentication:

  1. IP Addressing: When you create a virtual network in the Azure portal and enable point-to-site connectivity, you must configure an address space from which IP addresses are assigned to cross-premises clients connecting through the point-to-site connection. This address space must come from the private ranges 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16, and must not overlap with other virtual networks or with networks on your local site. You must also configure the address space of the virtual network itself, which likewise must not overlap with the address space used in your on-premises environment.
  2. Gateway subnet: Each point-to-site VPN requires a dynamic (route-based) routing gateway, and therefore a gateway subnet that can host it. Only the virtual network gateway uses the gateway subnet.
  3. Certificate: Each P2S implementation requires two certificates:
    • Root Certificate: You must first create a root certificate and upload its public key to the Azure management portal.
    • Client Certificate: Create client certificates used for authentication. Each one is deployed, with its private key, to the client machines that connect to the Azure network.
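The address-space rule in item 1 can be checked before anything is created. The following PowerShell is an added example, not part of the original post: it takes the post's VNet prefixes and client pool plus a constructed on-premises range and reports any CIDR overlap.

```powershell
# Added example (not from the original post): detect overlapping CIDR blocks
# among the ranges a point-to-site deployment must keep disjoint.
function ConvertTo-IPv4Number ([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [long]$b[0] * 16777216 + [long]$b[1] * 65536 + [long]$b[2] * 256 + [long]$b[3]
}

function Get-CidrRange ([string]$Cidr) {
    $ip, $len = $Cidr.Split('/')
    $size  = [long][math]::Pow(2, 32 - [int]$len)   # addresses in the block
    $first = ConvertTo-IPv4Number $ip
    $first = $first - ($first % $size)               # align to the block boundary
    [pscustomobject]@{ Cidr = $Cidr; Start = $first; End = $first + $size - 1 }
}

function Find-AddressSpaceOverlap ([string[]]$Cidrs) {
    $ranges = @($Cidrs | ForEach-Object { Get-CidrRange $_ })
    for ($i = 0; $i -lt $ranges.Count; $i++) {
        for ($j = $i + 1; $j -lt $ranges.Count; $j++) {
            # Two intervals overlap when each one starts before the other ends
            if ($ranges[$i].Start -le $ranges[$j].End -and $ranges[$j].Start -le $ranges[$i].End) {
                "$($ranges[$i].Cidr) overlaps $($ranges[$j].Cidr)"
            }
        }
    }
}

# Ranges from the post, plus a constructed on-premises range for illustration.
# The front-end/back-end subnets are not listed: they sit inside the VNet prefixes by design.
$planned = @(
    '192.168.0.0/16',   # $VNetPrefix1
    '10.254.0.0/16',    # $VNetPrefix2
    '172.16.201.0/24',  # $VPNClientAddressPool
    '172.16.0.0/16'     # constructed on-premises LAN (assumption), overlaps the client pool
)
$conflicts = @(Find-AddressSpaceOverlap $planned)
if ($conflicts) { $conflicts | ForEach-Object { Write-Warning $_ } }
else            { 'No overlapping address spaces.' }
```

With the constructed on-premises range the script warns that 172.16.201.0/24 overlaps 172.16.0.0/16; replace the last entry with your real on-premises ranges.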

Here are the steps to build the working solution with PowerShell:

1. Start Azure PowerShell and sign in to your subscription.

Connect-AzAccount

2. If there are multiple subscriptions associated with your account, select the target subscription in which you are going to create the virtual network and configure the point-to-site VPN. (In the example below I have used a Visual Studio subscription, but you can use your own.)

Get-AzSubscription
Select-AzSubscription -SubscriptionName "Visual Studio Enterprise"

3. Set the variables used throughout the rest of the script. This way you can change the configuration in one place and run it.

#Virtual network name
$VNetName  = "P2SVNet1"

#Front-End Subnet Name
$FESubName = "FrontEndSubnet"

#Backend Subnet Name
$BESubName = "BackendSubnet"

#Gateway Subnet Name (Azure requires this exact name for the gateway subnet)
$GWSubName = "GatewaySubnet"

#First Virtual network address prefix
$VNetPrefix1 = "192.168.0.0/16"

#Second Virtual network address prefix
$VNetPrefix2 = "10.254.0.0/16"

#Front-End Subnet Prefix
$FESubPrefix = "192.168.1.0/24"

#Back-End Subnet Prefix
$BESubPrefix = "10.254.1.0/24"

#Gateway Subnet Prefix
$GWSubPrefix = "192.168.200.0/26"

#Machines that connect to the Azure network through the VPN get an address from this pool
$VPNClientAddressPool = "172.16.201.0/24"

#Resource Group
$RG = "TestRG"

#Location of Resource group
$Location = "East US"

#Gateway name
$GWName = "VNet1Gateway"

#Gateway IP Address
$GWIPName = "VNet1GatewayIP"

#Gateway IPconfig name
$GWIPconfName = "GatewayIPConfig"

4. Create a new resource group

New-AzResourceGroup -Name $RG -Location $Location

5. Create the virtual network subnet configurations for the:

  • Frontend subnet
  • Backend subnet and
  • Gateway subnet.

$fesub = New-AzVirtualNetworkSubnetConfig -Name $FESubName -AddressPrefix $FESubPrefix
$besub = New-AzVirtualNetworkSubnetConfig -Name $BESubName -AddressPrefix $BESubPrefix
$gwsub = New-AzVirtualNetworkSubnetConfig -Name $GWSubName -AddressPrefix $GWSubPrefix

6. Create the virtual network, optionally specifying a DNS server, then read it back and save the gateway subnet configuration in a variable for later use.

New-AzVirtualNetwork -Name $VNetName -ResourceGroupName $RG -Location $Location -AddressPrefix $VNetPrefix1,$VNetPrefix2 -Subnet $fesub, $besub, $gwsub -DnsServer 10.2.1.3

$vnet = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $RG
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $GWSubName -VirtualNetwork $vnet

In the Azure Portal the virtual network now shows both address spaces and the three subnets created above (screenshots omitted).

7. Create a public IP address for the gateway and build the gateway IP configuration from it and the gateway subnet, saving both in variables.

$pip = New-AzPublicIpAddress -Name $GWIPName -ResourceGroupName $RG -Location $Location -AllocationMethod Dynamic

$ipconf = New-AzVirtualNetworkGatewayIpConfig -Name $GWIPconfName -Subnet $subnet -PublicIpAddress $pip

After this command the Azure Portal also lists the new public IP address (screenshot omitted).

8. Create the virtual network gateway, then add the client address pool so that connecting VPN clients receive an IP address from that pool.

#Creating the gateway can take 45 minutes or more; the cmdlet blocks until provisioning completes
New-AzVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG `
-Location $Location -IpConfigurations $ipconf -GatewayType Vpn `
-VpnType RouteBased -EnableBgp $false -GatewaySku VpnGw1 -VpnClientProtocol "IKEv2"


$Gateway = Get-AzVirtualNetworkGateway -ResourceGroupName $RG -Name $GWName
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $Gateway -VpnClientAddressPool $VPNClientAddressPool

You can validate in the Azure Portal that the virtual network gateway was created successfully (screenshot omitted).

9. Generate the root certificate. To generate a self-signed root certificate, use the cmdlet below; it also stores the certificate, with its private key, in the current user's personal certificate store. Then store the name under which the root certificate will be registered on the gateway in a variable.

#Self-signed root certificate; KeyUsage CertSign lets it sign the client certificates
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
-Subject "CN=P2SRootCert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

#Name under which the root certificate is registered on the gateway (a label, not a file path)
$P2SRootCertName = "rootcertificate.cer"

10. Generate the client certificate from the root created in step 9 (passed as -Signer $cert), so that it chains to the self-signed root that will be uploaded to Azure.

#Client certificate signed by the root; the TextExtension sets EKU 1.3.6.1.5.5.7.3.2 (Client Authentication)
New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
-Subject "CN=P2SChildCert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" `
-Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

11. To install the same client certificate on another machine, export it with its private key and import it there using the cmdlets below.

#Step1: Export the client certificate with its private key (.pfx)

#Sample password from the post; use a strong one in practice
$mypwd = ConvertTo-SecureString -String "1234" -Force -AsPlainText
#Please note the thumbprint of the certificate (5F98EBBFE735CDDAE00E33E0FD69050EF9220254 here); it is specific to your certificate. If you do not know it, list the store with
Get-ChildItem -Path "Cert:\CurrentUser\My"

Export-PfxCertificate -Cert cert:\currentuser\my\5F98EBBFE735CDDAE00E33E0FD69050EF9220254 -FilePath c:\myexport.pfx -ChainOption EndEntityCertOnly -NoProperties -Password $mypwd

#Step2: Import the client certificate on the other machine

#Copy the .pfx to the other machine; in this example I have used the path c:\mypfx but you can use any other path
#$mypwd must be defined on that machine as in Step1; drop -Exportable if the private key should not be exportable there

Get-ChildItem -Path c:\mypfx\my.pfx | Import-PfxCertificate -CertStoreLocation Cert:\CurrentUser\My -Password $mypwd -Exportable

12. Upload the root certificate public key to the Azure Virtual Network Gateway.

#Path of the root certificate's public key, exported from the store as a DER-encoded .cer (certmgr.msc or Export-Certificate); the private key is not exported
$filePathForCert = "C:\rootcertificate.cer"
$rootCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($filePathForCert)
$CertBase64 = [System.Convert]::ToBase64String($rootCert.RawData)
#Optional in-memory object; only needed if you pass -VpnClientRootCertificates to New-AzVirtualNetworkGateway
$p2srootcert = New-AzVpnClientRootCertificate -Name $P2SRootCertName -PublicCertData $CertBase64

#Upload the public key to the existing gateway; this registers the root for P2S authentication
Add-AzVpnClientRootCertificate -VpnClientRootCertificateName $P2SRootCertName -VirtualNetworkGatewayname $GWName -ResourceGroupName $RG -PublicCertData $CertBase64

(Screenshot of the exported root certificate omitted.)
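Before relying on the upload, a practitioner would want to confirm that the client certificate really chains to the root and carries the Client Authentication EKU, and that the gateway holds the same root. The following is an added example, not from the original post; it assumes steps 9, 10 and 12 ran in this session and reuses $RG, $GWName and $P2SRootCertName from steps 3 and 9.

```powershell
# Added example (not from the original post): verify the P2S certificate chain
# locally and check that the gateway holds the same root public key.
# Assumes $RG, $GWName and $P2SRootCertName from steps 3 and 9.
$store  = 'Cert:\CurrentUser\My'
$root   = Get-ChildItem $store | Where-Object Subject -eq 'CN=P2SRootCert'  | Select-Object -First 1
$client = Get-ChildItem $store | Where-Object Subject -eq 'CN=P2SChildCert' | Select-Object -First 1
if (-not $root -or -not $client) { throw "Root or client certificate not found in $store" }

# Export only the root's public key as a DER .cer; the private key stays in the store.
# This produces the file that step 12 reads from C:\rootcertificate.cer.
Export-Certificate -Cert $root -FilePath 'C:\rootcertificate.cer' -Type CERT | Out-Null

# Build the chain against the self-signed root without adding it to the Windows
# trusted root store; revocation is skipped because this root publishes no CRL.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.ExtraStore.Add($root) | Out-Null
$chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
$chain.ChainPolicy.RevocationMode    = 'NoCheck'
$built   = $chain.Build($client)
$top     = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$chainOk = $built -and ($top.Thumbprint -eq $root.Thumbprint)

# The client cert must carry EKU 1.3.6.1.5.5.7.3.2 (Client Authentication),
# which step 10 sets through -TextExtension.
$eku   = $client.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$ekuOk = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' })

# Compare the thumbprint of what the gateway stores with the local root.
$uploaded = Get-AzVpnClientRootCertificate -VirtualNetworkGatewayName $GWName `
    -ResourceGroupName $RG -VpnClientRootCertificateName $P2SRootCertName
$gwBytes = [Convert]::FromBase64String($uploaded.PublicCertData)
$gwCert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($gwBytes)
$gwOk    = $gwCert.Thumbprint -eq $root.Thumbprint

[pscustomobject]@{ ClientChainsToRoot = $chainOk; ClientAuthEku = $ekuOk; GatewayRootMatches = $gwOk }
```

All three properties should be True; a False in GatewayRootMatches means the gateway will reject clients issued by this root.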

13. Configure the VPN client by downloading the VPN client package from the virtual network gateway.

13.1 Download the VPN client package (screenshot omitted).

13.2 Unzip the downloaded folder (screenshot omitted).

13.3 On Windows, use the Windows folder matching your architecture, 32-bit (x86) or 64-bit; for other operating systems use the generic folder. For 64-bit Windows 10 this is the WindowsAmd64 folder (screenshot omitted).

14. Run the setup from that folder to install the VPN client. The new connection then appears in the Windows VPN settings, and selecting it shows the client connection (screenshots omitted).

15. Click the Connect button and the VPN dialog box appears. Click Connect in the dialog; it disappears and the connection shows as connected (screenshots omitted).

16. Test and verify the connection: open a command prompt and run ipconfig /all. The output shows an adapter with an address from the VPN client address pool (172.16.201.0/24 in this example), which means you have successfully connected to the Azure VNet.

I hope this post was helpful!!
