Azure Documentation

Create a Point-to-Site VPN Gateway using PowerShell

This guide walks you through the steps to create a Point-to-Site (P2S) VPN gateway in Azure using PowerShell. P2S VPN allows individual client computers to connect to your virtual network remotely.

Prerequisites

Steps

1. Install Azure PowerShell Module (if not already installed)

Open PowerShell as an administrator and run the following command:

    Install-Module -Name Az -AllowClobber -Scope CurrentUser

2. Connect to your Azure Account

    Connect-AzAccount

This will prompt you to sign in to your Azure account.

3. Set Variables

Define variables for your resource group, location, virtual network, and gateway subnet.

    $ResourceGroupName = "YourResourceGroupName"
    $Location = "EastUS" # e.g., "EastUS", "WestEurope"
    $VpnGatewayName = "YourVpnGatewayName"
    $VpnGatewaySku = "VpnGw1" # e.g., "VpnGw1", "VpnGw2", "VpnGw1AZ"
    $VirtualNetworkName = "YourVirtualNetworkName"
    $GatewaySubnetPrefix = "10.1.255.0/27" # The subnet itself must be named "GatewaySubnet"
    $VirtualNetworkGatewayType = "Vpn"
    $VpnType = "RouteBased"
    $PublicIpAddressName = "YourPublicIpName"

Tip: Ensure that the GatewaySubnetPrefix you choose does not overlap with any existing subnets in your virtual network. The subnet must be named exactly "GatewaySubnet".

4. Create a Resource Group (if it doesn't exist)

    New-AzResourceGroup -Name $ResourceGroupName -Location $Location

5. Create a Virtual Network (if it doesn't exist)

This example creates a simple virtual network. Adjust the address space and subnet prefixes as needed.

    $GatewaySubnet = New-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix $GatewaySubnetPrefix
    $VNet = New-AzVirtualNetwork -Name $VirtualNetworkName -ResourceGroupName $ResourceGroupName -Location $Location -AddressPrefix "10.1.0.0/16" -Subnet $GatewaySubnet

6. Create a Public IP Address for the VPN Gateway

    # A Standard SKU, static public IP is required by the zone-redundant SKUs (e.g. "VpnGw1AZ") and is the recommended choice for new gateways
    $PublicIp = New-AzPublicIpAddress -Name $PublicIpAddressName -ResourceGroupName $ResourceGroupName -Location $Location -Sku "Standard" -AllocationMethod "Static"

7. Create the VPN Gateway Configuration

    # Look the subnet up by name rather than by index, so the configuration still works if the VNet has other subnets
    $GatewaySubnet = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $VNet
    $VpnGatewayIpConfig = New-AzVirtualNetworkGatewayIpConfig -Name "vpngw" -SubnetId $GatewaySubnet.Id -PublicIpAddressId $PublicIp.Id

8. Create the Virtual Network Gateway

This step can take a significant amount of time (30-45 minutes or more).

    New-AzVirtualNetworkGateway -Name $VpnGatewayName -ResourceGroupName $ResourceGroupName -Location $Location -IpConfigurations $VpnGatewayIpConfig -GatewayType $VirtualNetworkGatewayType -VpnType $VpnType -GatewaySku $VpnGatewaySku

Important: Creating a VPN gateway is a time-consuming process. You can monitor its progress in the Azure portal.

9. Configure P2S VPN client settings

Generate a root certificate (if you don't have one) or import an existing one.

    # Example: generate a self-signed root certificate in the current user's certificate store
    $rootCert = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=AzureP2SRootCert" `
        -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -KeyAlgorithm RSA `
        -KeyUsageProperty Sign -KeyUsage CertSign, CRLSign -CertStoreLocation "Cert:\CurrentUser\My"
    # Or locate an existing root certificate by subject
    $rootCert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.Subject -eq "CN=AzureP2SRootCert" }
    # Export only the public certificate (DER-encoded .cer); the private key stays in the store
    Export-Certificate -Cert $rootCert -FilePath "C:\AzureP2SRootCert.cer"

Note: For production environments, it is highly recommended to use a certificate issued by a trusted Certificate Authority (CA).

Add the trusted root certificate to the VPN gateway:

    $vpnGateway = Get-AzVirtualNetworkGateway -ResourceGroupName $ResourceGroupName -Name $VpnGatewayName
    # -PublicCertData expects the DER certificate as a Base64 string, not raw bytes
    $CertBase64 = [System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes("C:\AzureP2SRootCert.cer"))
    Add-AzVpnClientRootCertificate -VpnClientRootCertificateName "AzureP2SRootCert" -VirtualNetworkGatewayName $VpnGatewayName -ResourceGroupName $ResourceGroupName -PublicCertData $CertBase64

Configure the P2S address pool and tunnel type:

    $VpnClientAddressPool = "192.168.2.0/24" # Your P2S client IP address pool; must not overlap the VNet or any on-premises ranges
    $VpnClientProtocol = "IkeV2" # Or "SSTP", "OpenVPN", or several at once, e.g. @("IkeV2", "SSTP")
    $vpnGateway = Get-AzVirtualNetworkGateway -ResourceGroupName $ResourceGroupName -Name $VpnGatewayName
    Set-AzVirtualNetworkGateway -VirtualNetworkGateway $vpnGateway -VpnClientAddressPool $VpnClientAddressPool -VpnClientProtocol $VpnClientProtocol

10. Generate and Download VPN Client Configuration Package

This package contains the necessary configuration files and executables to connect your clients to the VPN gateway.

    # Generate the profile for certificate (EAP-TLS) authentication, then download and extract the package it links to
    $vpnProfile = New-AzVpnClientConfiguration -ResourceGroupName $ResourceGroupName -Name $VpnGatewayName -AuthenticationMethod "EapTls"
    Invoke-WebRequest -Uri $vpnProfile.VpnProfileSASUrl -OutFile "./vpnclient.zip"
    Expand-Archive -Path "./vpnclient.zip" -DestinationPath "./vpnclient"

The client configuration package is downloaded as vpnclient.zip and extracted to a folder named vpnclient in your current directory.
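A post-deployment check of the configuration the steps above produce, added here as an example and not part of the original guide. It assumes the session from step 2 and the variables from step 3 ($ResourceGroupName, $VpnGatewayName, $VirtualNetworkName); the function names are hypothetical.

```powershell
# Added example: verify the P2S gateway's address pool, protocols and root certificates.
# Assumes Connect-AzAccount has run and the step 3 variables are set.

function ConvertTo-IpRange {
    # Returns the first and last address of an IPv4 CIDR block as 64-bit integers.
    param([string]$Cidr)
    $ip, $len = $Cidr.Split('/')
    $n = [long]0
    foreach ($b in [System.Net.IPAddress]::Parse($ip).GetAddressBytes()) { $n = ($n -shl 8) -bor $b }
    $all  = [long]4294967295
    $mask = ($all -shl (32 - [int]$len)) -band $all
    [pscustomobject]@{ Start = $n -band $mask; End = ($n -band $mask) -bor ($all -bxor $mask) }
}

function Test-IpRangeOverlap {
    # True when the two CIDR blocks share at least one address.
    param([string]$CidrA, [string]$CidrB)
    $a = ConvertTo-IpRange $CidrA; $b = ConvertTo-IpRange $CidrB
    return ($a.Start -le $b.End) -and ($b.Start -le $a.End)
}

$gw   = Get-AzVirtualNetworkGateway -ResourceGroupName $ResourceGroupName -Name $VpnGatewayName
$vnet = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroupName -Name $VirtualNetworkName
$cfg  = $gw.VpnClientConfiguration
$findings = @()

# Clients get addresses from the pool; a pool that overlaps the VNet breaks routing and is a common misconfiguration
if (-not $cfg -or $cfg.VpnClientAddressPool.AddressPrefixes.Count -eq 0) { $findings += "No P2S address pool configured" }
foreach ($pool in $cfg.VpnClientAddressPool.AddressPrefixes) {
    foreach ($prefix in $vnet.AddressSpace.AddressPrefixes) {
        if (Test-IpRangeOverlap $pool $prefix) { $findings += "Client pool $pool overlaps VNet address space $prefix" }
    }
}

# SSTP is Windows-only and usually kept only for legacy clients; IKEv2 or OpenVPN is the usual choice
if ($cfg.VpnClientProtocols -contains "SSTP") { $findings += "SSTP is enabled; review whether legacy clients still need it" }

# Every registered root certificate signs client certificates that the gateway will trust, so each one is an authentication root
if ($cfg.VpnClientRootCertificates.Count -eq 0) { $findings += "No trusted root certificate registered" }
foreach ($rc in $cfg.VpnClientRootCertificates) {
    $x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($rc.PublicCertData))
    "Root certificate '$($rc.Name)': subject=$($x509.Subject) thumbprint=$($x509.Thumbprint) expires=$($x509.NotAfter)"
    if ($x509.NotAfter -lt (Get-Date).AddDays(30)) { $findings += "Root certificate '$($rc.Name)' expires within 30 days" }
}

if ($findings.Count -eq 0) { "P2S configuration checks passed" } else { $findings }
```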

Next Steps