Update: This article discusses technology from the older classic Azure Portal models. I have created a new post for my VPN project using the new Portal here.
Welcome to my VPN World. Do you want to be part of it? Well, to join my secret VPN on Azure, you would need a special certificate that I created. Sorry, not going to give that out to just anybody! But I will share with you how I did it!
A VPN (Virtual Private Network) lets a user with a VPN client installed on their computer communicate with a remote network over an encrypted tunnel. If you would like to learn more about VPNs, here is the wiki article.
Today I had some Azure fun and created my own little world where only I, or those with my certificates, can access through a Virtual Private Network connection. I learned the “how-to” accomplish about 50% through a Udemy course and the other half from documentation on MSDN (and being an engineer brain)!
This was a fun challenge with results, so I want to share with you.
First the Why?
Well, why not? I did this because I wanted to do “hands-on” practice work and show that I have done it and can do it again in the future. Without the Microsoft “Free Trial” $200 credit, my Udemy Azure course, and MSDN documentation, I would never have had the gumption to pull this off.
Step 1 – Create a Virtual Network (Classic) in Azure
I implemented this project with a classic Virtual Network. My understanding is that there are some major differences between the new vs. classic Virtual Networks in Azure. One example is that PowerShell commands are picky and specific to one version or the other (I discovered this issue the hard way here). Because I am not a network engineer SME (yet), all the differences between new vs. classic remain a mystery and every day I learn another piece of the puzzle. I am not yet finding the areas where to create a VPN under the new portal version of a Virtual Network so I assume this can only be done using the classic VN template. UPDATE: (To create a VPN using the new Azure Portal Virtual Network check out this reference document here)
Cost Alert: I left this Virtual Network online for a few days over Thanksgiving and it cost me $0 ZERO dollars from my Free Trial Account. When you create the Virtual Network, it does not ask you to select any plan with $ so I assume… not 100% sure… this classic Virtual Network does not suck $ out of your Azure subscription account for simply existing being unused. Then after I created a “Gateway” and a Virtual Private Network for this specific classic Virtual Network, I utilized it for about an hour, disconnected my computer from the VPN, then let the resource exist overnight, the next day, Azure notified me I had ~ $1 less from my account.
Step 2 – Configure Point-to-Site VPN and Gateway
Technology changes every day, and even after a few months my Udemy course instructions on how to create a VPN were not jibing with the actual portal content. Actually, now all classic VNs are managed in the new portal (if you try to manage one using the classic portal it will redirect you to manage it in the new portal, but still keep the classic template properties).
In the new portal, on the classic VN that I created, I had to p-o-k-e around until I found on the “Overview” a cute diagram with the ability to create a point-to-site or a site-to-site VPN connection. I bravely clicked on the ? button that had a tool-tip… “create” … for point-to-site and it opened up a new blade with options… I kept the defaults selected, and created a gateway to allow communication in/out of my VN. Azure made it easy to create a gateway with one click. I created a dynamic routing gateway (default) and intuitively clicked my way around creating my own VPN using the default settings.
The actual Azure gateway creation process can take a very long time, maybe an hour to run in the Azure portal, so you might want to leave your PC and get a cheeseburger, play a video game, or even gleefully walk around your neighborhood while it finishes. Without the gateway creation process finishing, you cannot continue configuration further on your VPN.
After you finish your cheeseburger you can come back and check on the Overview status of your Virtual Network or check the notification. It will then ask you to upload a certificate. The VPN diagram will update and show a new gateway and the icon for “clients” will change from gray to color, which means you now have the ability to continue further in the VPN process.
Step 3 – Creating Certificates
Certificates can be tricky things. I relied a lot on this MSDN article to get a temporary development self-signed root authority certificate created to feed into my Azure VPN creation process. I created my certificates using the Visual Studio Developer Command Prompt. Run this as an administrator.
Pick an easy password to remember and sign your private key. Note: I would suggest deleting the certificates and key after you are done playing with your Azure project, both in the portal and in your computer's certificate store.
Here is an example of me using the Visual Studio 2017 Developer Command Prompt to create a root certificate and a client certificate signed by that root. The Azure portal needs you to feed it the root certificate (the .cer file, which holds only the public part); the signed certificate, with its private key, lands in your user certificate store for the VPN client to use.
** Visual Studio 2017 Developer Command Prompt v15.4.5
** Copyright (c) 2017 Microsoft Corporation
C:\Users\KathleenWest\source>makecert -n "CN=TempCA" -r -sv TempCA.pvk TempCA.cer
C:\Users\KathleenWest\source>makecert -sk SignedByCA -iv TempCA.pvk -n "CN=SignedByCA" -ic TempCA.cer SignedByCA.cer -sr currentuser -ss My
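If you do not have makecert handy (it ships with older SDKs and Visual Studio), here is the same two-step recipe done with PowerShell's New-SelfSignedCertificate, which is what Microsoft's current Point-to-Site docs use. This is an added example and not from the original post; it keeps the post's names (TempCA, SignedByCA) and assumes an output folder under your profile, which you can change.

```powershell
# Added example: PowerShell equivalent of the two makecert commands above.
# Requires the PKI module (Windows 10 / Server 2016 or later). Run as the user
# who will connect to the VPN, so the client cert lands in that user's store.
$outDir = Join-Path $env:USERPROFILE 'source'   # assumed output folder, change as needed
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Self-signed root (the "TempCA" from the post): marked as a CA (CertSign),
#    signature key, stored in CurrentUser\My so it can sign the client cert next.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject 'CN=TempCA' -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyUsageProperty Sign -KeyUsage CertSign

# 2. Client certificate ("SignedByCA") issued by that root. The TextExtension adds
#    the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2) that certificate-based
#    VPN authentication looks for; -Signer makes the root the issuer.
$client = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject 'CN=SignedByCA' -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -Signer $root -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')

# 3. Export only the root's public part (DER-encoded .cer) for the portal upload.
#    The root's private key stays in your store; nothing secret leaves the machine.
$rootCer = Join-Path $outDir 'TempCA.cer'
Export-Certificate -Cert $root -FilePath $rootCer | Out-Null

# The newer portal asks for the Base64 "public certificate data" instead of a
# file; this string is the same DER bytes, just Base64-encoded.
$rootBase64 = [Convert]::ToBase64String($root.RawData)

"Root thumbprint   : $($root.Thumbprint)"
"Client thumbprint : $($client.Thumbprint)  (private key present: $($client.HasPrivateKey))"
"Root .cer written : $rootCer"
"Base64 root data  : $rootBase64"

# Cleanup when you are done playing (matches the note above about deleting the
# certificates afterwards): remove both entries from CurrentUser\My by thumbprint.
#   Remove-Item "Cert:\CurrentUser\My\$($root.Thumbprint)"
#   Remove-Item "Cert:\CurrentUser\My\$($client.Thumbprint)"
```

Both certificates end up in Cert:\CurrentUser\My, so the MMC step below is only needed if you want to inspect them or add the root to a different store; the file TempCA.cer (or the Base64 string) is what you paste into the portal.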
Step 4 – Add your Certificates to the Store via Microsoft Management Console
The Microsoft Management Console (MMC) is an application that provides a graphical-user interface (GUI) and a programming framework in which consoles (collections of administrative tools) can be created, saved, and opened (including your certificates). To open MMC, you can search the command bar on MMC Console… (do not search on MMC). Run this as an administrator. Add your certificates to MMC, follow the MSDN documentation, and poke around on how-to do this or you can see where I added mine and follow along.
Don’t forget: to complete the VPN process you need to upload the root certificate you just created to the Azure portal for the specific VPN. You also need to make sure you added the certificates to your certificate store (see above) so the VPN can trust your client computer.
Step 5 – Download and Install the VPN client (.exe) from Azure Portal
Access your classic VN, then click on overview. At the bottom of the screen you will see a diagram and if you click on the computer icon that says Clients, it will take you to another blade for your Point-to-Site VPN Connection. I chose to download the 64-bit client.
This is a .exe program and will install the VPN connection on Windows. Note you probably need to run this program as an administrator, and you may get all sorts of fits from your virus scanner, etc… so disable those false alarms… this program, downloaded from your own Virtual Network blade in the portal, is safe.
Step 6 – Connect to your Azure VPN in Windows
Simply searching for VPN in your search bar should bring up the VPN settings, and you should see your new personal VPN installed and ready for you to connect. Click Connect.
If you cannot connect, check that your certificates are installed correctly in your Windows certificate store, because this connection relies on certificate-based authentication: the client certificate must be in your user store with its private key, and it must chain to the root certificate you uploaded to the portal.
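To take the guesswork out of that check, here is a small PowerShell diagnostic I would run before clicking Connect again. It is an added example, not part of the original post: it looks up the certificates by the post's subject names (CN=SignedByCA, CN=TempCA), confirms the private key and Client Authentication EKU are present, builds the chain from client to root, and reports the Windows VPN connection's status. The connection name is a placeholder; the Azure client installs it under your Virtual Network's name.

```powershell
# Added example: pre-flight checks for certificate-based P2S VPN authentication.
$clientSubject = 'CN=SignedByCA'
$rootSubject   = 'CN=TempCA'
$vpnName       = 'YourClassicVNetName'   # assumed placeholder, use your VNet's name

# 1. Find the client cert in the current user's Personal store and the root in
#    either Personal (where makecert -ss My / New-SelfSignedCertificate put it)
#    or Trusted Root (if you imported it there via MMC).
$client = Get-ChildItem Cert:\CurrentUser\My |
          Where-Object Subject -eq $clientSubject | Select-Object -First 1
$root   = @(Get-ChildItem Cert:\CurrentUser\My) + @(Get-ChildItem Cert:\CurrentUser\Root) |
          Where-Object Subject -eq $rootSubject | Select-Object -First 1

if (-not $client) { throw "No certificate with subject '$clientSubject' in Cert:\CurrentUser\My" }

# 2. The VPN client signs the TLS/EAP handshake with the private key, so a
#    public-only import (a bare .cer) will never authenticate.
$hasKey = $client.HasPrivateKey

# 3. Client Authentication EKU (1.3.6.1.5.5.7.3.2) must be present.
$ekuExt = $client.Extensions |
          Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasClientAuth = [bool]$ekuExt -and
                 (($ekuExt.EnhancedKeyUsages | ForEach-Object Value) -contains '1.3.6.1.5.5.7.3.2')

# 4. Build the chain client -> root. The root is self-signed and may not be in
#    Trusted Root, so allow an unknown CA but insist the top of the chain is
#    the same root whose .cer you uploaded to the portal.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode     = 'NoCheck'
$chain.ChainPolicy.VerificationFlags  = 'AllowUnknownCertificateAuthority'
if ($root) { $chain.ChainPolicy.ExtraStore.Add($root) | Out-Null }
$chainBuilt = $chain.Build($client)
$topOfChain = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$chainsToRoot = $chainBuilt -and $root -and ($topOfChain.Thumbprint -eq $root.Thumbprint)

# 5. Validity window (a cert that expired last night looks "installed" but fails).
$notExpired = ($client.NotBefore -le (Get-Date)) -and ($client.NotAfter -gt (Get-Date))

# 6. The Windows VPN profile the Azure client installed, if present.
$vpn = Get-VpnConnection -Name $vpnName -ErrorAction SilentlyContinue

[PSCustomObject]@{
    ClientThumbprint     = $client.Thumbprint
    HasPrivateKey        = $hasKey
    HasClientAuthEKU     = $hasClientAuth
    ChainsToUploadedRoot = $chainsToRoot
    RootThumbprint       = if ($root) { $root.Thumbprint } else { '(root not found in CurrentUser stores)' }
    WithinValidity       = $notExpired
    VpnProfileFound      = [bool]$vpn
    VpnStatus            = if ($vpn) { $vpn.ConnectionStatus } else { '(no profile named ' + $vpnName + ')' }
} | Format-List
```

Every row should read True (or show a thumbprint) before you retry; a False on HasPrivateKey means you imported only the public .cer, and a False on ChainsToUploadedRoot means the client cert was signed by a different root than the one the portal holds, which is exactly the situation that produces a silent “cannot connect”.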
Step 7 – Check out your Client Connections on Azure
You may need to refresh or re-open the overview blade for your classic Virtual Network to see the correct number of clients on your Azure VPN.
Step 8 – Congratulate Yourself
Rock on, you just created your own personal Virtual Private Network on Azure and your computer has access through a certificate!