Point-to-site (P2S) VPN Configuration with Virtual WAN
Point-to-site (P2S) VPN connects individual devices (laptops, desktops) to your Azure Virtual WAN hub over an encrypted tunnel, as opposed to site-to-site, which connects whole networks. It suits remote users and administrators who need to reach resources behind the hub without any VPN hardware on the client side: each client authenticates to the hub gateway and receives an address from a dedicated pool.
Prerequisites
- An Azure subscription.
- An existing Azure Virtual WAN resource.
- A Virtual Hub deployed within your Virtual WAN.
Key Components of P2S VPN
- Virtual Hub P2S VPN Gateway: A P2S (User VPN) gateway deployed inside the Virtual Hub terminates the client tunnels. Its tunnel protocol and authentication settings live in a separate User VPN configuration (VPN server configuration) resource that the gateway references, so one configuration can be reused by gateways in several hubs.
- Address Pool: A private IP address range from which clients receive addresses when their tunnel comes up. Traffic from these addresses is routed into the hub, so the range must be unique across everything the hub can reach.
- Authentication: Certificate-based (you upload a root certificate; each client presents a certificate issued by it) or Azure AD (now named Microsoft Entra ID). Azure AD authentication requires the OpenVPN tunnel type and the Azure VPN Client.
Steps to Configure P2S VPN
1. Configure the VPN Gateway
Navigate to your Virtual Hub in the Azure portal and open its point-to-site (User VPN) settings. If the hub has no P2S gateway yet, you will be prompted to create one together with a User VPN configuration. The gateway is created inside the hub, not as a standalone VPN gateway in a virtual network, so there is nothing to peer or route by hand afterwards.
Configure the following settings for the P2S VPN connection:
- Gateway scale unit: Choose an appropriate scale unit based on your expected throughput.
- VPN client address pool: Specify a private IP address range (e.g., 172.16.201.0/24) that does not overlap with the hub address space, any VNet connected to the hub, or any on-premises range reachable through it.
- Authentication type: Select either Azure Active Directory or Root certificate.
- If using certificate-based authentication, paste the Base64-encoded public certificate data of your root certificate (the .cer contents without the BEGIN/END lines). Never upload the root's private key; it stays on the machine that issues client certificates.
2. Configure P2S Authentication Settings
Certificate-based Authentication
If you chose certificate-based authentication, you need a root certificate and one client certificate per user signed by that root. makecert.exe is deprecated; on Windows use the PowerShell New-SelfSignedCertificate cmdlet (PKI module). Upload only the public certificate data of the root to the User VPN configuration in Azure; the gateway then accepts any client certificate that chains to it, and individual clients can later be blocked by adding their thumbprint to the revoked certificates list.
# PowerShell: create a self-signed root certificate that can sign client certificates.
# KeyUsage CertSign marks it as a CA; KeyExportPolicy Exportable lets you back it up as PFX.
New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=AzureVpnRootCert" -KeyExportPolicy Exportable -KeyUsageProperty Sign -KeyUsage CertSign -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256 -CertStoreLocation "Cert:\CurrentUser\My"
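The following is an added example (not from the original page) that carries the certificate step through end to end on a Windows administration machine: it creates the root, exports its public certificate in the Base64 form Azure accepts, issues one client certificate signed by that root, exports that client certificate as a password-protected PFX for the user, and prints the thumbprints you would need for revocation. The subject names, the user name alice.example.com, the output directory and the lifetimes are placeholders chosen for the example.

```powershell
# Added example: P2S certificate chain for Azure VPN (Windows PowerShell 5.1 or PowerShell 7 on Windows).
# Subjects, paths and lifetimes below are placeholders; adjust them to your environment.
$outDir = Join-Path $env:USERPROFILE "AzureVpnCerts"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Root certificate. Its private key never leaves this machine; it is used only to sign client certs.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=AzureVpnRootCert" -KeyExportPolicy Exportable `
    -HashAlgorithm SHA256 -KeyLength 2048 -KeyAlgorithm RSA `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyUsageProperty Sign -KeyUsage CertSign `
    -NotAfter (Get-Date).AddYears(5)

# 2. Public certificate only (DER export contains no private key), Base64 encoded.
#    Azure wants the Base64 body as "public certificate data"; the .cer file adds the PEM header lines.
$der = $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64 = [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks)
$pem = "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----"
Set-Content -Path (Join-Path $outDir "AzureVpnRootCert.cer") -Value $pem -Encoding Ascii
Set-Content -Path (Join-Path $outDir "AzureVpnRootCert.b64.txt") -Value ($b64 -replace "`r`n", "") -Encoding Ascii

# 3. One client certificate per user, signed by the root (-Signer). The Client Authentication EKU
#    (2.5.29.37 = 1.3.6.1.5.5.7.3.2) is required by the gateway. Put the user's identity in the
#    subject so the certificate can be revoked individually by thumbprint.
$client = New-SelfSignedCertificate -Type Custom -DnsName "alice.example.com" -KeySpec Signature `
    -Subject "CN=alice.example.com" -KeyExportPolicy Exportable `
    -HashAlgorithm SHA256 -KeyLength 2048 -KeyAlgorithm RSA `
    -CertStoreLocation "Cert:\CurrentUser\My" -Signer $root `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2") `
    -NotAfter (Get-Date).AddYears(1)

# 4. Export the client certificate with its private key as a password-protected PFX for the user.
#    The user imports it into Cert:\CurrentUser\My on their device; the root cert is not needed there.
$pfxPassword = Read-Host -Prompt "PFX password for $($client.Subject)" -AsSecureString
Export-PfxCertificate -Cert $client -FilePath (Join-Path $outDir "alice.pfx") -Password $pfxPassword | Out-Null

# 5. Keep the thumbprints: the client thumbprint goes into the gateway's revoked certificates
#    list when this user must be cut off without rotating the root.
"Root thumbprint:   $($root.Thumbprint)"
"Client thumbprint: $($client.Thumbprint)"
```

Hand the user only the PFX and its password over separate channels; the root's private key and the PFX of the root (if you back it up) belong in an offline or HSM-backed store, because anyone holding it can mint valid client certificates for your gateway.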
Azure Active Directory Authentication
For Azure AD authentication, ensure your Azure AD tenant is configured and that a Global Administrator has granted admin consent to the Azure VPN enterprise application in the tenant (or that you have registered your own application for the VPN client). The P2S configuration will require the Tenant ID (the login.microsoftonline.com URL for your tenant), the Audience (the application ID of the Azure VPN application, or of your custom registration) and the Issuer URL (the sts.windows.net URL for your tenant). Azure AD authentication only works with the OpenVPN tunnel type and the Azure VPN Client, and it lets you enforce Conditional Access on VPN sign-in, which certificate authentication cannot do.
3. Generate and Download VPN Client Configuration
Once the gateway is configured, generate and download the VPN client profile from the User VPN configuration (or from the Virtual WAN). Azure builds a ZIP file with configuration material for Windows, macOS, and Linux clients. Depending on the authentication type chosen, this package includes:
- Installer executables for the native Windows IKEv2 client (certificate authentication).
- Configuration profiles: an Azure VPN Client profile (azurevpnconfig.xml), an OpenVPN profile, and a generic folder with the gateway address and settings for third-party clients.
- The VPN server root certificate that clients use to validate the gateway. This is not your client certificate; client certificates are issued and installed separately.
4. Install and Connect the VPN Client
On the client device:
- Extract the contents of the downloaded ZIP file.
- Run the appropriate installer (e.g., VpnClientSetupAmd64.exe from the WindowsAmd64 folder for the native Windows client), or import the profile into the Azure VPN Client.
- Follow the on-screen prompts to install the VPN client profile.
- For certificate authentication, also install the user's client certificate (the PFX with its private key) in the user's personal certificate store before connecting.
- Once installed, connect to the VPN using the built-in Windows VPN client (IKEv2 with certificates) or the Azure VPN Client application (required for Azure AD authentication and for OpenVPN).
Important: Ensure the VPN client IP address pool does not overlap with the hub's own address space, your on-premises network, or any VNet connected to the Virtual Hub. An overlapping pool does not fail deployment; it silently produces routes that shadow the existing range, so traffic to part of your network disappears into the tunnel.
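The procedure in steps 1 to 3, as an added example (not from the original page) using Az PowerShell rather than the portal: it first checks the client pool against every prefix the hub can reach, then creates the User VPN configuration, the hub's P2S gateway, and the client profile package. The CIDR helpers run offline; the Az cmdlets need an authenticated session (Connect-AzAccount) with the Az.Network module. Resource group, Virtual WAN and hub names, the in-use prefix list and the certificate path are placeholders, and the prefix list is constructed sample data where in practice you would collect it from Get-AzVirtualHub and Get-AzVirtualNetwork.

```powershell
# Added example: validate the client address pool, then deploy the User VPN configuration and the
# hub's P2S gateway with Az.Network cmdlets. Names and prefixes are placeholders.

function ConvertTo-IpNumber([string]$Ip) {
    # IPv4 dotted quad -> integer (as [long] so no unsigned arithmetic is needed)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return ([long]$b[0] -shl 24) -bor ([long]$b[1] -shl 16) -bor ([long]$b[2] -shl 8) -bor [long]$b[3]
}

function Get-CidrRange([string]$Cidr) {
    # First and last address of a prefix; host bits in the given address are cleared
    $ip, $bits = $Cidr.Split('/')
    $size  = [long]1 -shl (32 - [int]$bits)
    $start = (ConvertTo-IpNumber $ip) -band (-bnot ($size - 1))
    return @{ Start = $start; End = $start + $size - 1 }
}

function Test-CidrOverlap([string]$CidrA, [string]$CidrB) {
    # Two ranges overlap when each one starts before the other ends
    $a = Get-CidrRange $CidrA
    $b = Get-CidrRange $CidrB
    return ($a.Start -le $b.End) -and ($b.Start -le $a.End)
}

$rg         = "rg-vwan"          # placeholder resource group
$wanName    = "vwan-prod"        # placeholder Virtual WAN
$hubName    = "hub-eastus"       # placeholder Virtual Hub (must already exist)
$clientPool = "172.16.201.0/24"
$rootCer    = Join-Path $env:USERPROFILE "AzureVpnCerts\AzureVpnRootCert.cer"   # Base64 .cer of the root

# Constructed sample of prefixes already in use: connected VNets and on-premises ranges.
$inUse = @("10.100.0.0/23", "10.1.0.0/16", "192.168.0.0/16")

# Add the hub's own address space, then refuse to continue on any overlap.
$hub = Get-AzVirtualHub -ResourceGroupName $rg -Name $hubName
$inUse += $hub.AddressPrefix
$conflicts = $inUse | Where-Object { Test-CidrOverlap $clientPool $_ }
if ($conflicts) { throw "Client pool $clientPool overlaps in-use prefixes: $($conflicts -join ', ')" }

# User VPN configuration: holds tunnel type and authentication; the gateway references it.
$cfg = New-AzVpnServerConfiguration -ResourceGroupName $rg -Name "uservpn-cert" `
    -VpnProtocol IkeV2 -VpnAuthenticationType Certificate `
    -VpnClientRootCertificateFilesList @($rootCer)

# P2S gateway inside the hub. Scale unit 1 is the smallest; raise it for more aggregate throughput.
$gw = New-AzP2sVpnGateway -ResourceGroupName $rg -Name "p2sgw-$hubName" `
    -VirtualHubName $hubName -VpnGatewayScaleUnit 1 `
    -VpnClientAddressPool $clientPool -VpnServerConfiguration $cfg

# Generate the client profile package; Azure returns a short-lived URL to the ZIP.
# EAPTLS selects the certificate-authentication profile.
$vpnProfile = Get-AzVirtualWanVpnServerConfigurationVpnProfile -ResourceGroupName $rg -Name $wanName `
    -VpnServerConfiguration $cfg -AuthenticationMethod EAPTLS
Invoke-WebRequest -Uri $vpnProfile.ProfileUrl -OutFile (Join-Path $env:USERPROFILE "p2s-profile.zip")
"Gateway $($gw.Name) provisioned: $($gw.ProvisioningState); profile saved to p2s-profile.zip"
```

With the sample list above, a pool of 172.16.201.0/24 passes, whereas 10.1.50.0/24 would be rejected because it sits inside 10.1.0.0/16. The check is deliberately done before any resource is created, since the gateway itself accepts an overlapping pool.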
Troubleshooting P2S VPN Connections
- Verify that the client certificate is installed in the user's personal store with its private key, is not expired, and chains to a root certificate that is uploaded to the User VPN configuration (and that its thumbprint is not on the revoked list).
- Check firewall rules on the client and any intermediate network devices: IKEv2 needs UDP 500 and 4500 outbound, and OpenVPN needs TCP 443 to the gateway.
- Ensure the VPN client address pool is correctly configured and doesn't overlap the hub address space, connected VNets or on-premises ranges; check the hub's effective routes if clients connect but cannot reach a destination.
- Enable diagnostic settings on the P2S gateway and review its logs in Azure Monitor (Log Analytics) for detailed error information on failed authentications and tunnel negotiations.
For large deployments, consider using Azure AD authentication for centralized user management and easier scalability.