Azure VPN Gateway

Azure VPN Gateway is a service that uses a specific type of virtual network gateway to send encrypted traffic between an Azure virtual network and on-premises locations over the public Internet.

Made by: Massdriver (official bundle)

Azure VPN Gateway connects your on-premises networks and individual remote clients to an Azure virtual network over encrypted tunnels across the public internet. This bundle deploys the gateway and configures point-to-site (P2S) client access, using either certificate-based or Microsoft Entra ID authentication.

Design Decisions

  1. DNS Resolver: A DNS resolver is needed so that resources inside the virtual network, and VPN clients once connected, can resolve private names. The configuration includes the DNS resolver and its inbound endpoint; the inbound endpoint's private IP address is the DNS server that the VNet and the clients are pointed at.
  2. Certificates: The module supports two VPN authentication types: certificate-based authentication and Microsoft Entra ID (formerly Azure Active Directory) authentication. For certificate-based authentication, the root certificate is generated and stored in Azure Key Vault; client certificates must be issued from that root for clients to be able to connect.
  3. CIDR Allocation: The module automatically allocates a CIDR block for the GatewaySubnet (the subnet Azure requires for a virtual network gateway, which must carry that exact name) so that it does not overlap any existing address range in the virtual network.
  4. Scalability: The Azure VPN Gateway is configured for scalability with options for different SKUs and generations.
  5. Automation: The same automated CIDR selection is applied to the other subnets the module needs, reducing the chance of manual allocation errors.

VPN Profile

To start using the VPN after it's deployed, download the VPN client configuration profile. You can download it from the Azure portal or with PowerShell.

Azure portal

  1. In the Azure portal, go to the virtual network gateway for the virtual network to which you want to connect.

  2. On the virtual network gateway page, select Point-to-site configuration to open the Point-to-site configuration page.

  3. At the top of the Point-to-site configuration page, select Download VPN client. This doesn't download VPN client software; it generates the configuration package (a zip file) used to configure VPN clients. It takes a few minutes for the client configuration package to generate, and during this time the portal may show no indication until the package is ready.

PowerShell

$vpnProfile = New-AzVpnClientConfiguration -ResourceGroupName "local-dev-vnet-0001" -Name "local-dev-vpn-0001" -AuthenticationMethod "EapTls"
$vpnProfile.VPNProfileSASUrl
  • ResourceGroupName is the resource group of the virtual network (copy the package name from your VNet bundle)
  • Name is the name of the virtual network gateway (copy the package name from your VPN bundle)
  • AuthenticationMethod "EapTls" generates a profile for certificate-based authentication
  • The result is stored in $vpnProfile rather than $profile because $PROFILE is a PowerShell automatic variable (the path of your profile script) and overwriting it has side effects in the session
  • VPNProfileSASUrl is a time-limited shared access signature URL for the zip package; download it promptly and do not paste it into tickets or chat, since anyone holding the URL can fetch the package while it is valid

Azure VPN Client

If the gateway uses Microsoft Entra ID authentication, a tenant administrator must grant consent to the Azure VPN enterprise application in your tenant before users can sign in from the Azure VPN Client. Without that consent, sign-in fails for every user even though the gateway itself is healthy.

Runbook

VPN Gateway Not Connecting

If the VPN Gateway is not connecting, verify the provisioning state and connection status.

Check VPN gateway status

az network vnet-gateway show --name <gateway-name> --resource-group <resource-group>

Expected output should show provisioningState as Succeeded.

DNS Resolution Issues

If you are facing DNS resolution issues within the virtual network, check the status of the DNS resolver and its inbound endpoint.

Check private DNS resolver status

These commands come from the dns-resolver Azure CLI extension (install it with az extension add --name dns-resolver); the az network private-dns command group manages private DNS zones, not resolvers.

az dns-resolver show --name <resolver-name> --resource-group <resource-group>

Check inbound endpoint status

az dns-resolver inbound-endpoint show --dns-resolver-name <resolver-name> --name <inbound-endpoint-name> --resource-group <resource-group>

Both commands should return provisioningState as Succeeded. If both are healthy, also confirm that the virtual network's DNS servers setting points at the inbound endpoint's private IP address, since that is the setting VPN clients pick up; a healthy resolver that nothing is pointed at still produces resolution failures.

Certificate Issues for VPN Authentication

If there are issues related to certificate-based authentication:

List certificates in Key Vault

Use the Azure CLI to list and verify the VPN certificates in the Key Vault.

az keyvault certificate list --vault-name <key-vault-name>

Verify that the certificate vpn-root-certificate is listed. It is the root that signs the client certificates and whose public certificate data is registered on the gateway.

Get certificate details

az keyvault certificate show --vault-name <key-vault-name> --name vpn-root-certificate

Ensure that the certificate has not expired (attributes.expires in the output) and that its public certificate data matches the root certificate registered on the gateway; an expired root, or a mismatch between the two, causes every client certificate to fail authentication.
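The gateway, resolver and certificate checks above can be run as one script. The following is an added example and not part of the Massdriver bundle or of Microsoft's tooling: it assumes a logged-in Azure CLI with the dns-resolver extension, takes the resource names from environment variables (RG, GATEWAY, RESOLVER, INBOUND, VAULT, CERT are placeholders, defaulting to the angle-bracket names used in this runbook), and does the certificate-expiry date arithmetic in shell so it does not depend on GNU date. The Azure calls only run when RUN_CHECKS=1 is set; otherwise the script just defines the helper functions.

```bash
#!/usr/bin/env bash
# Added example: consolidated runbook health check for the VPN gateway bundle.
# Assumes a logged-in Azure CLI and the dns-resolver extension
# (az extension add --name dns-resolver). Names below are placeholders.
set -eu

RG="${RG:-<resource-group>}"
GATEWAY="${GATEWAY:-<gateway-name>}"
RESOLVER="${RESOLVER:-<resolver-name>}"
INBOUND="${INBOUND:-<inbound-endpoint-name>}"
VAULT="${VAULT:-<key-vault-name>}"
CERT="${CERT:-vpn-root-certificate}"
MIN_DAYS="${MIN_DAYS:-30}"   # warn when the root certificate expires within this many days

# check_state LABEL STATE -> 0 when STATE is "Succeeded", 1 otherwise
check_state() {
  if [ "$2" = "Succeeded" ]; then
    echo "OK    $1: provisioningState=$2"
    return 0
  fi
  echo "FAIL  $1: provisioningState=${2:-<empty>}" >&2
  return 1
}

# days_from_civil YYYY MM DD -> days since 1970-01-01 (proleptic Gregorian, years >= 1)
# Leading zeros are stripped so "08" is not read as an octal literal.
days_from_civil() {
  local y=$(( ${1#0} )) m=$(( ${2#0} )) d=$(( ${3#0} )) era yoe mp doy doe
  if [ "$m" -le 2 ]; then y=$(( y - 1 )); fi
  era=$(( y / 400 ))
  yoe=$(( y - era * 400 ))
  mp=$(( (m + 9) % 12 ))                     # March = 0 ... February = 11
  doy=$(( (153 * mp + 2) / 5 + d - 1 ))
  doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
  echo $(( era * 146097 + doe - 719468 ))
}

# days_until ISO8601 -> signed number of days from today (UTC) to the date part of the input
days_until() {
  local date_part y m d target today
  date_part=${1%%T*}                          # keep YYYY-MM-DD, drop time and zone
  y=${date_part%%-*}
  m=${date_part#*-}; m=${m%%-*}
  d=${date_part##*-}
  target=$(days_from_civil "$y" "$m" "$d")
  today=$(days_from_civil $(date -u '+%Y %m %d'))
  echo $(( target - today ))
}

# check_cert_expiry LABEL ISO8601 MIN_DAYS -> 0 when valid for at least MIN_DAYS more days
check_cert_expiry() {
  local left
  left=$(days_until "$2")
  if [ "$left" -lt 0 ]; then
    echo "FAIL  $1: expired $(( -left )) days ago ($2)" >&2; return 1
  elif [ "$left" -lt "$3" ]; then
    echo "WARN  $1: expires in $left days ($2)" >&2; return 1
  fi
  echo "OK    $1: expires in $left days"
  return 0
}

# run_checks -> 0 only when every resource is Succeeded and the root cert is not expiring
run_checks() {
  local rc=0
  check_state "vnet-gateway $GATEWAY" \
    "$(az network vnet-gateway show -g "$RG" -n "$GATEWAY" --query provisioningState -o tsv)" || rc=1
  check_state "dns-resolver $RESOLVER" \
    "$(az dns-resolver show -g "$RG" -n "$RESOLVER" --query provisioningState -o tsv)" || rc=1
  check_state "inbound-endpoint $INBOUND" \
    "$(az dns-resolver inbound-endpoint show -g "$RG" --dns-resolver-name "$RESOLVER" -n "$INBOUND" \
        --query provisioningState -o tsv)" || rc=1
  check_cert_expiry "key vault certificate $CERT" \
    "$(az keyvault certificate show --vault-name "$VAULT" -n "$CERT" --query attributes.expires -o tsv)" \
    "$MIN_DAYS" || rc=1
  return $rc
}

# The Azure calls run only on request, so the helpers can be sourced or tested offline.
if [ "${RUN_CHECKS:-0}" = "1" ]; then
  run_checks
fi
```

A non-zero exit from run_checks means at least one line was printed with FAIL or WARN; the MIN_DAYS threshold is what turns "not expired yet" into an actionable warning before clients start failing.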

VPN Client Configuration Errors

If VPN clients are unable to connect:

Check client configuration settings in Azure

az network vnet-gateway show --resource-group <resource-group> --name <gateway-name> --query vpnClientConfiguration

This returns the client address pool, the configured authentication settings (registered root certificates or the Microsoft Entra ID tenant, audience and issuer) and the enabled VPN protocols. To see the health of current client connections, use az network vnet-gateway vpn-client show-health with the same --resource-group and --name arguments.

Validate the downloaded client configuration package

# The client configuration download is a zip package of per-platform settings, not a script
unzip -l <vpn-client-package>.zip

Unpack the package and confirm that the settings in it (gateway address, authentication type, root certificate) match the gateway configuration returned above. Regenerate and redistribute the package after any change to the gateway's authentication settings or root certificate, since packages already downloaded keep the old values.

CIDR/IP Allocation Conflicts

If subnet address ranges overlap, or the GatewaySubnet cannot be allocated:

Check all subnets within the VNet

az network vnet subnet list --resource-group <resource-group> --vnet-name <vnet-name>

Review the address prefixes for any overlaps. The gateway subnet must be named exactly GatewaySubnet, and a /27 or larger is recommended so the gateway has enough addresses for any SKU.

Check available CIDRs within the address space

# Use the utility available CIDR tool provided in the module, if available
utility-available-cidr --from-cidrs <address-space> --used-cidrs <used-cidrs> --mask <mask>

Expected output should provide a valid, non-overlapping CIDR range.

Ensure that all subnets and address spaces are appropriately allocated without conflicts.
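A concrete version of the overlap review and the free-range search above, written as an added example in POSIX shell arithmetic; it is not the module's code or its utility-available-cidr tool. It runs on a constructed sample list of prefixes (not real output), and for a live VNet it can be fed the output of az network vnet subnet list, which only runs when RUN_LIVE=1 is set. RG and VNET are placeholder names.

```bash
#!/usr/bin/env bash
# Added example: IPv4 prefix overlap detection and free-block search for a VNet.
# All CIDR math is done with shell integer arithmetic; no external tools needed.
set -eu

RG="${RG:-<resource-group>}"
VNET="${VNET:-<vnet-name>}"

# ip_to_int A.B.C.D -> unsigned 32-bit integer
ip_to_int() {
  local ip=$1 a b c d
  a=${ip%%.*}; ip=${ip#*.}
  b=${ip%%.*}; ip=${ip#*.}
  c=${ip%%.*}; d=${ip#*.}
  echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

# int_to_cidr INT MASK -> A.B.C.D/MASK
int_to_cidr() {
  echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))/$2"
}

# prefix_range A.B.C.D/N -> "first last" (network and broadcast address as integers)
prefix_range() {
  local ip=${1%/*} bits=${1#*/} base size
  base=$(ip_to_int "$ip")
  size=$(( 1 << (32 - bits) ))
  base=$(( base & ~(size - 1) ))           # normalise to the network address
  echo "$base $(( base + size - 1 ))"
}

# overlaps CIDR1 CIDR2 -> 0 (true) when the two prefixes share at least one address
overlaps() {
  set -- $(prefix_range "$1") $(prefix_range "$2")
  [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# check_prefixes CIDR... -> prints every overlapping pair, returns 1 if any was found
check_prefixes() {
  local rc=0 a b
  while [ $# -gt 1 ]; do
    a=$1; shift
    for b in "$@"; do
      if overlaps "$a" "$b"; then echo "OVERLAP  $a  $b"; rc=1; fi
    done
  done
  return $rc
}

# first_free_prefix SPACE MASK USED... -> first /MASK block inside SPACE that overlaps no USED prefix
first_free_prefix() {
  local space=$1 mask=$2 range first last step cand u free
  shift 2
  range=$(prefix_range "$space")
  first=${range% *}; last=${range#* }
  step=$(( 1 << (32 - mask) ))
  cand=$first
  while [ $(( cand + step - 1 )) -le "$last" ]; do
    free=1
    for u in "$@"; do
      if overlaps "$(int_to_cidr "$cand" "$mask")" "$u"; then free=0; break; fi
    done
    if [ "$free" = 1 ]; then int_to_cidr "$cand" "$mask"; return 0; fi
    cand=$(( cand + step ))
  done
  return 1                                  # address space is full at this mask
}

# Constructed sample (not real az output): a /27 placed inside an existing /24.
SAMPLE_PREFIXES="10.10.0.0/24 10.10.1.0/24 10.10.1.128/27"
if check_prefixes $SAMPLE_PREFIXES; then
  echo "no overlaps in sample"
else
  echo "sample has conflicts; first free /27 in 10.10.0.0/16: $(first_free_prefix 10.10.0.0/16 27 $SAMPLE_PREFIXES)"
fi

# Live run against a VNet (requires az login); prefixes come from the subnet list.
if [ "${RUN_LIVE:-0}" = "1" ]; then
  check_prefixes $(az network vnet subnet list -g "$RG" --vnet-name "$VNET" --query "[].addressPrefix" -o tsv)
fi
```

first_free_prefix walks the address space in steps of one block at the requested mask and returns the first block that does not collide with any used prefix, which is the same decision the module's automatic GatewaySubnet allocation has to make; use 27 as the mask to honour the /27 recommendation.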

Variable            Type     Description
gateway.auth_type   string   The authentication type to use for the VPN connection. If using Microsoft Entra ID, a tenant administrator must first authorize the Azure VPN enterprise application in your tenant. The authentication type cannot be changed after deployment.
gateway.generation  string   The generation of the VPN gateway (Generation1 or Generation2); the generations available depend on the selected SKU.
network.auto        boolean  Enabling this automatically selects an available CIDR range for the GatewaySubnet. Unchecking it requires you to specify the CIDR yourself.