Point-to-Site VPN

The Point-to-Site (P2S) VPN solution enables individual devices to securely connect to an Azure Virtual WAN hub over the public internet. It is ideal for remote workers, branch offices, or development environments that need direct access to Azure resources without requiring a full site-to-site connection.

Key Features

Prerequisites

  1. An existing Azure Virtual WAN with a hub.
  2. An Azure subscription with sufficient permissions (Network Contributor).
  3. Client OS: Windows 10+, macOS 10.13+, Linux (OpenVPN).
  4. For certificate authentication: a root certificate uploaded to the hub and client certificates generated.

Configuration Steps

1. Create a Virtual WAN Hub

az network vhub create \
    --resource-group MyResourceGroup \
    --name MyHub \
    --address-prefix 10.0.0.0/24 \
    --sku Standard

2. Enable Point-to-Site on the Hub

az network vhub connection create \
    --resource-group MyResourceGroup \
    --vhub-name MyHub \
    --name MyP2SConnection \
    --type P2S \
    --vpn-client-address-pool 172.16.0.0/24 \
    --vpn-client-protocol IkeV2 \
    --vpn-client-root-certificate-name MyRootCert

3. Upload Root Certificate

Generate a self-signed root certificate (or use one issued by an enterprise CA) and upload its public certificate data. The private key is not uploaded.

az network vhub vpn-client root-cert create \
    --resource-group MyResourceGroup \
    --vhub-name MyHub \
    --name MyRootCert \
    --public-cert-data "$(base64 < myrootcert.cer | tr -d '\n')"

4. Download VPN Client Configuration

az network vhub vpn-client generate-package \
    --resource-group MyResourceGroup \
    --vhub-name MyHub \
    --output ./MyP2SConfig.zip

5. Install the VPN Client

Extract the package and import the profile into the native Windows or macOS VPN client, or use the OpenVPN client on Linux.
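
For the certificate authentication prerequisite and step 3, one way to produce the root and client certificates with the OpenSSL CLI. This is an added example, not part of the original documentation; the file names, subject names (P2SRootCert, P2SClient01) and validity periods are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the original page). File names, CNs and lifetimes
# are assumptions. Requires the openssl CLI.
set -euo pipefail

# Create a self-signed root and one client certificate under directory $1.
# The body runs in a subshell so the umask change does not leak to the caller.
make_p2s_certs() (
  d="$1"; client_cn="${2:-P2SClient01}"
  umask 077                      # private keys readable by the owner only
  cat > "$d/p2s.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_root
[dn]
CN = P2SRootCert
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
  # Root: the key never leaves this machine; only root.pem is uploaded.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$d/p2s.cnf" -keyout "$d/root.key" -out "$d/root.pem"
  # Client: key pair plus CSR, then signed by the root with the clientAuth EKU.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$client_cn" \
    -config "$d/p2s.cnf" -keyout "$d/client.key" -out "$d/client.csr"
  openssl x509 -req -in "$d/client.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -sha256 -days 90 -extfile "$d/p2s.cnf" \
    -extensions v3_client -out "$d/client.pem"
)

# Succeeds only if the client certificate chains to the root for client auth.
verify_client() {
  openssl verify -purpose sslclient -CAfile "$1/root.pem" "$1/client.pem" >/dev/null
}

# Print the root certificate as single-line Base64 of its DER encoding.
root_cert_data() {
  openssl x509 -in "$1/root.pem" -outform DER | base64 | tr -d '\n'
}
```

The output of `root_cert_data` is the value to pass as the public certificate data; `root.key` and `client.key` should never be placed in the upload or in the distributed configuration package.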

Sample Client Configuration (Windows)

az network vhub vpn-client show \
    --resource-group MyResourceGroup \
    --vhub-name MyHub \
    --output json

Troubleshooting