
How to Create Azure Load Balancer Step by step

Preface:

In this article, we are going to create an Azure Load Balancer. An Azure load balancer is a service that provides high availability and load balancing across identical Azure workloads such as virtual machines and web applications. Azure load balancer operates at layer 4, the transport layer of the OSI model, whereas Application Gateway operates at layer 7, the application layer. The application layer can identify loads by application protocol, such as HTTP and HTTPS, whereas the transport layer is application-unaware and identifies loads only by transport protocol, TCP or UDP.

There are four components of an Azure load balancer that are mandatory when configuring load-balanced Azure network resources, and some optional components that improve the security and performance of the load balancer.

The first component is the frontend IP configuration, which defines the IP addresses through which the load-balanced resources are reached; with it you create a pool of IP addresses that is reachable over the internet through a public IP address, or internally through a private address assigned to the pool. The second component is the backend pool, the set of virtual machines or web applications that render the service the load balancer points to. The third component is the health probe, which checks the transport-layer health of each resource and dynamically adds or removes a backend pool resource depending on whether it is determined healthy or unhealthy. Using all of the above, the fourth component, a load balancing rule, is created with the protocol that is used to query the resource. The rule uses the frontend IP address for address resolution, the backend pool to find the resource that renders the service and, most importantly, the health of each resource in the backend pool for the required protocol type.

There are two kinds of load balancer:

Public load balancer, used to load balance the web tier

Internal load balancer, used to load balance the database tier

Create Azure Load Balancer Service

I have already created two virtual machines named VM1 and VM2 on the availability set AS1. You can find the Availability Set Overview page below.

Launch the Azure portal, type Load balancer in the top search bar and select Load balancer from the resulting dropdown.

The Load balancing – help me choose screen appears; click Create either on the top navigation or in the middle pane.

On the Create load balancer page, select the resource group where the availability set and virtual machines are located. I have already created a resource group called lb-rg in the East US location, so mine is lb-rg.

Type a name for this load balancer, here it is lb-demo.

Leave all other settings as they are and click “Frontend IP configuration” at the bottom of the page.

On the Frontend IP configuration page click “Add a frontend IP”.

Type a name for the frontend IP and create a new Standard SKU public IP.

Once the frontend IP has been added, click Next at the bottom of the page to create a backend pool.

Click Add a backend pool and select the virtual machines running in the availability set.

Type a name for the backend pool and select the virtual network to which the virtual machines are connected.

Click Add to add virtual machines.

Select the virtual machines that are ready to be load balanced and click Add.

Click Add to add the backend pool.

Leave the other tabs at their defaults and click Review + create to create the load balancer.

Once the load balancer validation has passed, click Create to create the load balancer.

Once the load balancer is created, you will see that deployment of the load balancer is complete; click Go to resource to open the newly created load balancer.

On the load balancer resource overview you can see that Health probes and Load balancing rules are blank; we are going to create them.

Add Health Probe

Navigate to Health probes in the left side navigation and click Add to add a new health probe.

Type a name for the health probe and change the port to match the protocol you want to load balance. In this demo we are going to load balance an HTTP workload, so I left port 80, which is the default as well.

Click Add to add the health probe.

Add Load Balancing Rule

Navigate to Load balancing rules in the left side navigation to add a new rule.

Type a name for the load balancing rule.

Select the frontend IP address that we have already added.

Leave the protocol as TCP and the port as 80, and type 80 as the backend port. If you are trying to load balance HTTPS, type 443 for both the port and the backend port.

Select the backend pool and health probe, leave the other settings at their defaults and click Add.
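The same four components can be assembled with the Az PowerShell module instead of the portal, which is handy when the load balancer has to be rebuilt or reviewed. The script below is an added example, not part of the original article; it reuses the names lb-demo and lb-rg and the TCP port 80 probe and rule from the walkthrough, and it assumes the region eastus, VM NIC names vm1-nic and vm2-nic, and an existing NSG named vm-nsg attached to the VMs' NIC or subnet.

```powershell
# Added example (not from the original article). Assumed names: eastus, vm1-nic, vm2-nic, vm-nsg.
$rg       = 'lb-rg'
$location = 'eastus'
$lbName   = 'lb-demo'

# Component 1: frontend IP, backed by a Standard SKU public IP (Standard requires static allocation)
$pip      = New-AzPublicIpAddress -ResourceGroupName $rg -Name "$lbName-pip" -Location $location -Sku Standard -AllocationMethod Static
$frontend = New-AzLoadBalancerFrontendIpConfig -Name "$lbName-frontend" -PublicIpAddress $pip

# Component 2: backend pool (the VMs are added to it through their NICs once the LB exists)
$backend = New-AzLoadBalancerBackendAddressPoolConfig -Name "$lbName-backend"

# Component 3: health probe on TCP 80, matching the portal default used in the walkthrough.
# An HTTP probe (-Protocol Http -RequestPath '/') would also verify that the web app answers, not only that the port is open.
$probe = New-AzLoadBalancerProbeConfig -Name "$lbName-probe-80" -Protocol Tcp -Port 80 -IntervalInSeconds 15 -ProbeCount 2

# Component 4: load balancing rule tying frontend, backend pool and probe together for TCP 80 -> 80
$rule = New-AzLoadBalancerRuleConfig -Name "$lbName-rule-http" -FrontendIpConfiguration $frontend -BackendAddressPool $backend -Probe $probe -Protocol Tcp -FrontendPort 80 -BackendPort 80

$lb = New-AzLoadBalancer -ResourceGroupName $rg -Name $lbName -Location $location -Sku Standard -FrontendIpConfiguration $frontend -BackendAddressPool $backend -Probe $probe -LoadBalancingRule $rule

# Put VM1 and VM2 in the backend pool by referencing the pool from each NIC's primary IP configuration
$pool = Get-AzLoadBalancerBackendAddressPoolConfig -LoadBalancer $lb -Name "$lbName-backend"
foreach ($nicName in 'vm1-nic', 'vm2-nic') {
    $nic = Get-AzNetworkInterface -ResourceGroupName $rg -Name $nicName
    $nic.IpConfigurations[0].LoadBalancerBackendAddressPools.Add($pool)
    Set-AzNetworkInterface -NetworkInterface $nic | Out-Null
}

# A Standard SKU load balancer is closed by default: traffic reaches the VMs only if an NSG on the
# NIC or subnet allows it. Allow inbound 80 from the Internet service tag only; the probes come from the
# AzureLoadBalancer service tag, which the default NSG rule AllowAzureLoadBalancerInBound already permits.
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'vm-nsg'
Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name 'Allow-HTTP-From-Internet' -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 -SourceAddressPrefix Internet -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 80 | Out-Null
Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg | Out-Null

# The frontend address to paste into a browser, as in the test section of the walkthrough
(Get-AzPublicIpAddress -ResourceGroupName $rg -Name "$lbName-pip").IpAddress
```

Two things to check before running it against real VMs: the NICs must not carry Basic SKU public IPs, because a Standard load balancer only accepts Standard SKU addresses in its pool, and the NSG rule is what makes port 80 reachable at all, so leaving it out is the usual reason a freshly built Standard load balancer shows a healthy probe but no page.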

Test the Azure Load Balancer

We have completed creating the Azure Load Balancer, and the health probe and load balancing rule have been added. Copy the load balancer IP address from the overview page as shown below.

Launch a web browser and paste the public IP address copied from the load balancer overview page. I have already modified default.htm to show the name of the virtual machine, so you will see the names of the two virtual machines.

Now I have stopped VM1 and refreshed the web browser, and the web page is now loaded from VM2.

Conclusion:

In this article, we have seen a demonstration of how to create an Azure Load Balancer and tested HTTP web page load balancing between two virtual machines in an availability set. I’m excited to receive your feedback and comments below to improve this article and upcoming ones. I’m looking forward to seeing you on another occasion with a different article. Thanks for taking the time to read the article, and I hope it will help you create a load balancer or understand how it is deployed.

How to Securely Access Virtual Machines using Azure Bastion

Preface: Access Virtual Machines using Azure Bastion

Traditional RDP access over port 3389 is a target for attackers, both for virtual machines running in the cloud and for desktops reachable from the internet. Virtual machines running in the Azure cloud are no exception to these attacks. To mitigate this security risk, Microsoft introduced a feature in Azure, Azure Bastion, for accessing virtual machines.

Bastion is a web-based Remote Desktop Protocol (RDP) and Secure Shell (SSH) access service. It eliminates the need to expose ports such as RDP (3389) and SSH (22) to the internet for accessing Azure virtual machines. Azure Bastion works over an SSL connection in the web browser, and no agent is needed on the virtual machines. Bastion is a more secure way of accessing virtual machines from the Azure portal. The browser should be HTML5 compliant, with all the usual security measures in place, and the connection uses port 443. Bastion connections are scalable and can be configured to serve more than one connection at the same time.

Adding Bastion Subnet to the Virtual Network

Adding the Bastion service and configuring it is simple, and it takes just a few mouse clicks to get it implemented. To add this feature, create the Bastion subnet first and then add the service. Go to Virtual networks, select Subnets from the left side navigation and click Add subnet.

Click Add subnet on the Subnets pane.

The name of the subnet must be AzureBastionSubnet, and the subnet is added with a prefix of /26 or /27; /27 is the smallest prefix that can be used for any subnet on an Azure Virtual Network, and a /27 is good enough for Bastion subnet purposes. In my case, I have typed 172.16.3.0/27 as the subnet, since my Virtual Network address space is 172.16.0.0/16. Leave the other values as they are and click Save.

Creating Bastion Service

The Azure Bastion subnet named AzureBastionSubnet has been created; now it is time to create the Bastion service. Type Bastion in the top search bar and select Bastions from the search results dropdown.

The Create a Bastion page opens; on the Basics tab do the following.

Subscription: Select the subscription where the virtual machines are running, if you have multiple subscriptions.

Resource Group: Either create a new resource group or select an existing one, as appropriate.

Name: Under Instance details, give a name for this Bastion resource.

Region: Select the location where the Virtual Network resource is located.

Tier: Choose either Basic or Standard, according to the Bastion instance host scaling you need.

Instance count: Set the number of instances according to the number of concurrent connections needed by dragging the instance count slider.

Virtual network: Select the virtual network for which you are creating Bastion.

Subnet: Choose the subnet from the list; the AzureBastionSubnet that we created will be the one chosen.

Public IP address: Select Create new and type an appropriate name so you can identify it later.

Click Review + Create.

On the Review + create page you should see Validation passed if the Basics parameters are correct. Click Create to start the Bastion deployment.

Click Go to resource to view the additional resources created along with Bastion.

Testing Bastion

Now it is time to connect to the virtual machine. Click Connect and select Bastion.

Type the username and password that you would provide for an RDP connection to the virtual machine.

Voila, here is the virtual machine's RDP console in a web browser tab.
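The subnet and Bastion host above can also be created with the Az PowerShell module, and scripting it makes it natural to finish the job the preface describes: once Bastion is in place, the NSG rules that still allow RDP or SSH inbound from the internet can be removed. The following is an added example, not part of the original article; the subnet name AzureBastionSubnet and the prefix 172.16.3.0/27 come from the walkthrough, while the resource group rg-demo, the virtual network demo-vnet, the NSG vm-nsg and the Bastion name bastion-demo are assumptions.

```powershell
# Added example (not from the original article). Assumed names: rg-demo, demo-vnet, vm-nsg, bastion-demo, bastion-pip.
$rg       = 'rg-demo'
$vnetName = 'demo-vnet'

# 1. Add the AzureBastionSubnet (the name is mandatory) to the existing virtual network, if it is not there yet
$vnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $vnetName
if (-not ($vnet.Subnets | Where-Object Name -eq 'AzureBastionSubnet')) {
    Add-AzVirtualNetworkSubnetConfig -Name 'AzureBastionSubnet' -AddressPrefix '172.16.3.0/27' -VirtualNetwork $vnet | Out-Null
    $vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
}

# 2. Bastion needs a Standard SKU, static public IP; this becomes the only address exposed, on 443
$pip = New-AzPublicIpAddress -ResourceGroupName $rg -Name 'bastion-pip' -Location $vnet.Location -Sku Standard -AllocationMethod Static

# 3. Create the Bastion host in that subnet (Basic tier, as in the walkthrough)
New-AzBastion -ResourceGroupName $rg -Name 'bastion-demo' -PublicIpAddressRgName $rg -PublicIpAddressName $pip.Name -VirtualNetworkRgName $rg -VirtualNetworkName $vnet.Name -Sku Basic | Out-Null

# 4. With Bastion in place the VMs no longer need 3389/22 open to the internet, so remove inbound allow
#    rules for those ports whose source is * or Internet. Bastion reaches the VMs over their private
#    IPs from inside the VNet, which the default AllowVnetInBound rule already permits.
$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $rg -Name 'vm-nsg'
$exposed = $nsg.SecurityRules | Where-Object {
    $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
    ($_.SourceAddressPrefix -contains '*' -or $_.SourceAddressPrefix -contains 'Internet') -and
    ($_.DestinationPortRange -contains '3389' -or $_.DestinationPortRange -contains '22')
}
foreach ($r in $exposed) {
    Write-Output "Removing internet-exposed rule '$($r.Name)' (ports $($r.DestinationPortRange -join ','))"
    Remove-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $r.Name | Out-Null
}
if ($exposed) { Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg | Out-Null }
```

The filter in step 4 only matches rules whose port list literally contains 3389 or 22; a rule written as a range such as 3000-4000 or as * would not be caught, so list the remaining inbound allow rules with Get-AzNetworkSecurityRuleConfig afterwards and review them by hand.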

Conclusion: Access Virtual Machines using Azure Bastion

In this article, we have seen a demonstration of how to create the Bastion service and access virtual machines using Azure Bastion securely and seamlessly. I’m excited to receive your feedback and comments below to improve this article and upcoming ones. I’m looking forward to seeing you on another occasion with a different article. Thanks for taking the time to read the article, and I hope it will help you create the Bastion service or understand how it is deployed.

How to Easily Clone a Virtual Machine in Azure

Preface:

In this article, we are going to demonstrate how to create a VM clone both the portal way and the PowerShell script way. Using this guide, you can choose the portal or the script to clone an Azure virtual machine based on your requirement and what you are comfortable with. The original virtual machine is cloned by creating snapshots of the OS disk and data disk using the portal.

The snapshots are used to create managed disks, and the virtual machine is created by attaching those managed disks. In the first part of the demonstration we create a virtual machine using the portal, and in the second part we create the virtual machine using a script run in Cloud Shell. This tutorial is written to show how the portal and the PowerShell script relate when creating the VMs; you can use either of the two methods. The portal method is quick and easy, but the PowerShell script is more granular, and with it you can automate VM cloning.

The following topics are discussed in this article. The parameters given in the demonstration are just examples; replace them with the parameters relevant to your environment to create cloned VMs.

  1. Cloning VM using Azure Portal
  2. Cloning VM using Cloud Shell (PowerShell)

We start this article with VM cloning using the portal, and at the end we discuss how to use the script to accomplish the same.

Cloning VM using Azure Portal

Log in to https://portal.azure.com and go to the VM that needs to be cloned. From the dashboard, select Virtual machines and then the VM name to open the VM object.

On the VM object you can see the resource name, VM size, geo-location and so on. From this VM we are going to take snapshots of the OS and data disks, so navigate to Disks in the left navigation.

Create snapshot of OS Disk

This parent VM is Microsoft SQL Server 2017 on Windows Server 2019. On the parent's Disks view we see two disks: one is the operating system disk, called the OS disk, and the other is the data disk, where the databases and their logs are stored. Click each disk in turn and create a snapshot of it.

In the previous step we selected the OS disk; we are going to create a snapshot of the OS disk first and, subsequently, of the data disk. Click the OS disk to open the OS disk management properties.

Click Create Snapshot to create an OS disk snapshot.

On the Create a snapshot window we provide details such as the resource group name, snapshot name and so on. It is good practice to create the clone VM in a separate resource group, away from where the original VM exists; once the cloned VM has served its purpose, delete that resource group to remove all the related resources and keep things clean and tidy.

Once a resource group has been created or selected for your scenario, type the snapshot name and select the storage type. As this is a demo, I have chosen Standard HDD.

Creation of the OS snapshot starts once the validation check has passed and Create snapshot is clicked.

On the next screen, the deployment of the resource, in this case the OS disk snapshot, is complete.

Create a snapshot of Data Disk

With the OS disk snapshot created, we now make the snapshot of the data disk: go to Disks on the VM management page and click the data disk as shown in the image below.

Click Create snapshot; this time we are creating the data disk snapshot.

Select the same resource group you created or selected for the OS disk snapshot and move on to naming the data disk snapshot. As on the last occasion, we choose Standard HDD, as this is just a demonstration.

Click the Review + Create button to move on and create the snapshot.

Verify the validation passed by checking the green tick mark and click on Create.

The data disk snapshot also completes; as shown in the image below, you get the deployment completed message. You have now finished creating snapshots of the OS disk and data disk.

Create Managed Disks from Snapshots

The next step in this process is creating managed disks from the snapshots. Select the menu icon (three horizontal lines) in the Azure portal and click Create a resource.

Search for the keyword “Managed Disks”.

You will see the Managed Disks option; click Create at the bottom of it.

Select the resource group where the snapshots exist.

Type a name for the managed disk created from the OS disk snapshot.

Select Snapshot as the source type.

Select the OS disk snapshot as the source snapshot.

The size of the managed disk must match the size of the original OS disk.

Once you have entered the details, go to Review + Create, check for the Validation passed indication and click Create.

You will get the message that the deployment is complete.

In the same way, create a managed disk from the data disk snapshot.

Select the resource group where the snapshot exists.

Type a name for the managed disk created from the data disk snapshot.

Select Snapshot as the source type.

Select the data disk snapshot as the source snapshot.

The size of the managed disk must match the size of the original data disk.

Click Review + Create, and validation will run.

Once you get the Validation passed indication, click Create to create the data managed disk.

Upon completion of the data managed disk creation, you get the “Your deployment is complete” message.

Go to the resource group where the managed disks were created and open the OS managed disk.

Create VM clone from Managed Disk

From the OS managed disk's control bar, click Create VM as in the image below.

On the Create a virtual machine window:

Select the resource group where the managed disks exist.

Type a name for the virtual machine.

Select the OS managed disk as the image.

Select the VM size from the drop-down list; using the same size as the original VM is recommended.

Choose Windows Server as the license type.

Then select whether or not you have a license. If you are not sure about this, click No.

Click Next: Disks to go to disk selection.

On the Disks page, click Attach in the data disk Attach column.

On the existing disks list, select the data managed disk.

Once the data disk is selected, select Read-only from the host caching drop-down.

On the Networking page, select the virtual network of the original VM, or the one assigned to the VPN if point-to-site is configured to access the VMs.

Select the subnet matching the original VM.

Leave the public IP setting to create a new IP.

Click Review + Create and wait for validation to complete.

Once you see the Validation passed prompt, click Create to create the VM.

After the virtual machine’s deployment is complete, click Go to Resource to go to the VM management page.

You can now copy the public IP and log in to the VM with the original VM's user account.

The RDP screen of the cloned VM is shown in the screenshot below.

Conclusion

In this demonstration, we walked through the steps to create a cloned virtual machine using the Azure portal. We created snapshots of the OS disk and data disk and created managed disks from those snapshots. If your virtual machine has only an OS disk, ignore the data disk part when creating the snapshot and managed disk, and create the cloned VM with only the OS disk. Most scenarios require data disks to be cloned too, so with that in mind I have created a cloned VM with a data disk. Your mileage may vary.

I hope the portal way of creating a cloned virtual machine is comprehensive. We will do the same type of cloning using Cloud Shell (PowerShell). Click the link below to go to the “Cloning VM using PowerShell” demonstration. I will be right with you in that article.

If you have any comments or feedback, please feel free to leave them in the comments. I will reply when I get them.

How to Automate Cloning Virtual Machines in Azure using PowerShell – Part 2

Overview

In the previous article of this two-part series, we demonstrated Azure virtual machine cloning using the Azure portal. If you have not seen that article, click the link above and then come back to this part; you may prefer the GUI way of cloning, as most Azure administrators do, because it covers everything graphically and is easy to follow. If you are a PowerShell script person, continue reading and create the VM clone by taking the given script, modifying the parameters and applying it to your environment or need. The result is a cloned Azure virtual machine with no difference from the GUI method.

The snapshot name is the same as in the Azure portal method of creating the clone. I first thought we would not repeat the snapshot steps in this article, but I changed my mind: skipping them would be easy for advanced Azure administrators but hard to follow for new ones, who might not know how the snapshot is created and which steps to follow. Creating the snapshot in this article also saves readers going back and forth between parts 1 and 2.

In this part 2 of the two-part article, we look at creating snapshots of the OS and data disks, with a detailed explanation of each command in the PowerShell script given on the line above it. When you are ready, let's breeze through this demonstration, and bingo, the cloned Azure VM is ready to use.

Clone Azure Virtual Machine using PowerShell

The virtual machine used in part 1 to create the cloned VM is the one we will use here to create a clone in a new resource group. The Azure VM that we are cloning with PowerShell is shown in the screenshot below. We will use the same method to create the snapshots for this demonstration too, and I recommend following the same steps I have outlined below when creating a clone using PowerShell.

On the virtual machine management page, click Disks in the left side navigation and you will find two disks: one is the OS disk and the other is the data disk. If you have only one disk, i.e. the OS disk, take a snapshot of the OS disk and don't run the script's data disk related commands. As most VMs use one or more data disks, I have decided to demonstrate cloning an Azure VM that includes a data disk.

As we will create the snapshot of the OS disk first, click the OS disk at the top and create a snapshot.

On the OS disk overview page, click Create snapshot, as shown in the screen below.

Create a new resource group that is relevant to your scenario.

Type a name for the snapshot.

Select the storage type and click the Review + create button.

Verify that validation has passed on the review page and click Create to create a snapshot of the virtual machine's OS disk.

Once the OS disk snapshot deployment is complete, you will see the deployment status shown below.

We have created the OS disk snapshot successfully. The next step is to create a snapshot of the data disk: go to the Disks page of the VM, find the data disk and select it.

On the data disk overview page, just as we did for the OS disk snapshot, click Create snapshot to create this disk's snapshot.

Create a new resource group that is relevant to your scenario.

Type a name for the snapshot.

Select the storage type and click the Review + create button.

Verify that validation has passed on the review page and click Create to create a snapshot of the virtual machine's data disk.

The data disk snapshot was created successfully; the screenshot below shows that the deployment is complete. So we have finished creating the OS disk and data disk snapshots. The next step is to create a script and run it in Cloud Shell.
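The snapshot step that this article performs in the portal can be scripted as well, which makes the whole clone repeatable from start to finish. The following is an added example, not part of the original article or of its script: it reuses the snapshot names and the resource group Clone-Demo-Shell that the script below reads, and it assumes the source VM is named DBSRV2019 in the resource group Demo; the region is taken from the VM itself.

```powershell
# Added example (not from the original article). Assumed: source VM 'DBSRV2019' in resource group 'Demo'.
$SourceRG    = 'Demo'
$SourceVM    = 'DBSRV2019'
$SnapshotRG  = 'Clone-Demo-Shell'   # the resource group the clone script reads its snapshots from
$StorageType = 'Standard_LRS'

$vm = Get-AzVM -ResourceGroupName $SourceRG -Name $SourceVM

# Create the snapshot resource group if it does not exist yet, in the VM's own region
if (-not (Get-AzResourceGroup -Name $SnapshotRG -ErrorAction SilentlyContinue)) {
    New-AzResourceGroup -Name $SnapshotRG -Location $vm.Location | Out-Null
}

# A snapshot of a running disk is only crash-consistent. For a SQL Server VM like the one in the
# article, deallocate first (uncomment) so the databases are cleanly closed before the copy is taken.
# Stop-AzVM -ResourceGroupName $SourceRG -Name $SourceVM -Force

function New-DiskSnapshot {
    param([string]$DiskId, [string]$Name)
    # Copy-type snapshot of a managed disk, stored with the chosen SKU in the VM's region
    $cfg = New-AzSnapshotConfig -SourceResourceId $DiskId -Location $vm.Location -CreateOption Copy -SkuName $StorageType
    New-AzSnapshot -ResourceGroupName $SnapshotRG -SnapshotName $Name -Snapshot $cfg
}

# OS disk snapshot, named exactly as the clone script expects
New-DiskSnapshot -DiskId $vm.StorageProfile.OsDisk.ManagedDisk.Id -Name 'DBSRV2019-OSDISK-SnapShot' | Out-Null

# One snapshot per data disk; with the single data disk of the article this yields 'DBSRV2019-DataDisk-Snapshot'
$i = 0
foreach ($dataDisk in $vm.StorageProfile.DataDisks) {
    $suffix = if ($i -eq 0) { '' } else { "-$i" }
    New-DiskSnapshot -DiskId $dataDisk.ManagedDisk.Id -Name "DBSRV2019-DataDisk-Snapshot$suffix" | Out-Null
    $i++
}

# List what was created before handing over to the clone script
Get-AzSnapshot -ResourceGroupName $SnapshotRG |
    Select-Object Name, Location, DiskSizeGB, @{ n = 'SourceDisk'; e = { $_.CreationData.SourceResourceId.Split('/')[-1] } }
```

The final listing is the check worth keeping: the DiskSizeGB of each snapshot is the size the managed disks created from it must have, which is the same requirement the portal walkthrough states for the managed disk step.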

As shown in the screen capture below, click the Cloud Shell icon to open Cloud Shell in the Azure portal. You could also log in to Azure from the PowerShell ISE and run the script, but Cloud Shell is good enough for this demonstration.

The script below is for the demonstration; I recommend modifying it to suit your needs. I have given an explanation of each command in the comment above it.

# Replace the subscription ID with the one matching your Azure subscription
Select-AzSubscription -SubscriptionId '7xx23xxx-5874-7da5-b65c-a37b4e78ff23'

# Assign the resource group name where the snapshots have been created
$RGName = 'Clone-Demo-Shell'

# Assign the snapshot name of the OS disk (provided when creating the snapshot) to a variable
$OSSnapshotName = 'DBSRV2019-OSDISK-SnapShot'

# Assign a managed OS disk name to a variable
$OSDiskName = 'DBSRV2019-OSDISK-Managed_Disk-Shell'

# Choose between Standard_LRS and Premium_LRS
$StorageType = 'Standard_LRS'

# Assign the geo location (as shown on the snapshot) to the GeoLocation variable
$GeoLocation = 'westus'

# Retrieve the snapshot details for the OS snapshot
$OSSnapshot = Get-AzSnapshot -ResourceGroupName $RGName -SnapshotName $OSSnapshotName

# Create a configurable OS disk object from the storage type, geo location and snapshot ID
$OSDiskConfig = New-AzDiskConfig -AccountType $StorageType -Location $GeoLocation -CreateOption Copy -SourceResourceId $OSSnapshot.Id

# Create a managed OS disk from the OS disk configuration
$OSDisk = New-AzDisk -Disk $OSDiskConfig -ResourceGroupName $RGName -DiskName $OSDiskName

# Assign the snapshot name of the data disk that was provided when creating the snapshot
$DataSnapshotName = 'DBSRV2019-DataDisk-Snapshot'

# Assign a managed data disk name to a variable
$DataDiskName = 'DBSRV2019-DataDisk-ManagedDisk-Shell'

# Retrieve the snapshot details for the data snapshot
$DataSnapshot = Get-AzSnapshot -ResourceGroupName $RGName -SnapshotName $DataSnapshotName

# Create a configurable data disk object from the storage type, geo location and snapshot ID
$DataDiskConfig = New-AzDiskConfig -AccountType $StorageType -Location $GeoLocation -CreateOption Copy -SourceResourceId $DataSnapshot.Id

# Create a managed data disk from the data disk configuration
$DataDisk = New-AzDisk -Disk $DataDiskConfig -ResourceGroupName $RGName -DiskName $DataDiskName

# Assign the virtual network name to the VNetName variable (replace it with your own virtual network name)
$VNetName = 'Demo-vnet'

# Assign a variable as the identity (name) of the VM
$VMIdentity = 'DBSRV2019-Clone-Shell'

# Assign the VM size (for more VM sizes run Get-AzVMSize with a location name)
$VMSize = 'Standard_D4s_v3'

# Create a public IP with a static IP address
$pip = New-AzPublicIpAddress -Name "ClonepublicIP$(Get-Random)" -ResourceGroupName $RGName -Location $GeoLocation -AllocationMethod Static

# Create an inbound network security group rule for port 3389
# Note: SourceAddressPrefix * allows RDP from any address; in production restrict it to your management IP range, or use Azure Bastion and omit this rule
$nsgRuleRDP = New-AzNetworkSecurityRuleConfig -Name CloneNetworkSecurityGroupRuleRDP -Protocol Tcp -Direction Inbound -Priority 1000 -SourceAddressPrefix * -SourcePortRange * -DestinationAddressPrefix * -DestinationPortRange 3389 -Access Allow

# Create a network security group
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $RGName -Location $GeoLocation -Name CloneNetworkSecurityGroup -SecurityRules $nsgRuleRDP

# The VNet assigned to the clone VM has to be the same as the source VM's, and it resides in the source VM's resource group
$RGNameVnet = 'Demo'

# Retrieve the virtual network details from the resource group where the virtual network resides
$vnet = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $RGNameVnet

# Create a network interface card
$nic = New-AzNetworkInterface -Name CloneNic -ResourceGroupName $RGName -Location $GeoLocation -SubnetId $vnet.Subnets[0].Id -PublicIpAddressId $pip.Id -NetworkSecurityGroupId $nsg.Id

# Create the virtual machine configuration with the VM identity and VM size and assign it to a variable
$VirtualMachine = New-AzVMConfig -VMName $VMIdentity -VMSize $VMSize

# Attach the data disk to the configuration using the ID of the data managed disk
$VirtualMachine = Add-AzVMDataDisk -VM $VirtualMachine -Name $DataDiskName -ManagedDiskId $DataDisk.Id -Lun 0 -CreateOption Attach

# Attach the OS disk to the configuration using the ID of the OS managed disk and the operating system type of the snapshot
$VirtualMachine = Set-AzVMOSDisk -VM $VirtualMachine -ManagedDiskId $OSDisk.Id -CreateOption Attach -Windows

# Add the network interface using the NIC ID and assign the result back to $VirtualMachine
$VirtualMachine = Add-AzVMNetworkInterface -VM $VirtualMachine -Id $nic.Id

# Create the virtual machine with the above details and managed disks
New-AzVM -VM $VirtualMachine -ResourceGroupName $RGName -Location $GeoLocation

I have run the above script in Cloud Shell, and you can see at the end of the script output that the virtual machine was created successfully.

The newly created cloned VM's overview page is shown in the screen capture below. Click Connect and use the same credentials you use for the original VM to RDP to this cloned virtual machine.

The RDP screen of the cloned virtual machine that we have created is shown in the image below.

Conclusion

This is the end of the two-part article on cloning an Azure virtual machine from an original one using the Azure portal and Azure Cloud Shell (PowerShell). We achieved the same result with the Azure portal (GUI) method in the first part and with the Cloud Shell method in the second part, so use the method you are comfortable with and that suits your use case.

I'm delighted to post this article on my blog. If you have any questions or feedback, leave them in the comments below and I will respond as early as I can.

How to Quickly Setup Azure Point to Site (P2S) VPN

Preface

Azure Point to Site VPN setup, also called Azure P2S VPN setup, is most widely used where the number of clients connecting to an Azure Virtual Network is small. A Point to Site VPN allows you to connect to the Azure Virtual Network using a secure connection over the internet. Client computers running Windows, Mac OS X or Linux can connect to the Azure Virtual Network securely from a remote location such as home or a conference, which is useful for telecommuters. Multiple client protocols are available for connecting with a Point to Site VPN, such as OpenVPN, SSTP and IKEv2. In this article, we are going to use SSTP and IKEv2: Windows clients use SSTP, and Mac OS X and Linux clients use IKEv2.

We are using Azure certificate authentication, and here we demonstrate how to create a self-signed certificate on a Windows 10 computer and upload the root certificate to Azure. The clients that use the VPN connection need to have a client certificate installed. We are going to see how to export the root and client certificates and how to upload the root certificate to the Azure VPN gateway. Finally, we install the Azure VPN client, downloaded from the Azure virtual network gateway, on the Windows 10 client and establish the VPN connection using the client certificate already installed.

The following steps are involved in setting up the Azure Virtual Network Gateway. We go through the steps one by one, create the complete Virtual Network Gateway setup and connect to the VPN gateway from a Windows 10 client computer.

  1. Create Azure Virtual Network
  2. Create Gateway Subnet
  3. Deploy Virtual Network Gateway
  4. Generate self-signed certificates
  5. Export the root and client certificates using the Certificates MMC snap-in
  6. Connect to the Azure Virtual Network using the VPN client on a Windows 10 PC

Create Azure Virtual Network

Open the Azure Portal using the Azure Portal client or a web browser.

Click the Menu icon and then Virtual Network.

In this demonstration we create a new Virtual Network named VNet3. On the Virtual Network screen opened in the previous step, click Add to add a new Virtual Network.

A new resource group named RGDEMO is created for this demo. Type a name for the Virtual Network; I have given VNet3 as the name for this demonstration.

On the IP Addresses tab of the Create virtual network window, set the address space to 192.168.0.0/16 and add a subnet with the range 192.168.100.0/24.

Once the subnet range is added within the address space, click Review+create to validate the settings.

As the validation passed, click Create to start the Virtual Network deployment.


Click Go to resource to open the newly created Virtual Network and continue with setting up the gateway subnet.


On the newly created Virtual Network, click +Gateway subnet to add the gateway subnet into which the Virtual Network Gateway will be deployed. A new subnet range 192.168.101.0/24 is assigned to the gateway subnet. Type the subnet range, leave the other settings at their defaults and click OK.

The newly created gateway subnet is listed in the subnet list with the name GatewaySubnet.

We have completed adding the Gateway Subnet. Next, we deploy the Virtual Network Gateway.

Go to the Menu icon in the top left corner, select All services and then the Networking category on the menu.

On the Virtual network gateways tab, click Create virtual network gateway in the middle of the window.

The Create virtual network gateway window opens. Type a name for this gateway and select a Region. Select the Virtual network name; in this case the newly created virtual network VNet3 is selected.

Scroll down and type a name for the public IP address, leave all the other settings at their defaults and click Review+create.

The Virtual network gateway parameters are correct, so validation passes. Click Create to start the deployment of the Virtual Network Gateway. This deployment takes more than 15 minutes, so wait for it to complete.

The Virtual Network Gateway deployment is complete. Click Go to resource to configure it.

Open PowerShell ISE as an administrator on a Windows 10 client computer and copy and paste the following into the PowerShell ISE script editor window (you can customize the subject name as you want).

$rootcert = New-SelfSignedCertificate -Type Custom  `
-Subject "CN=P2SROOT" `
-KeyExportPolicy Exportable `
-KeySpec Signature `
-HashAlgorithm sha256 `
-KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" `
-KeyUsageProperty Sign `
-KeyUsage CertSign

The above command creates a variable holding the root certificate that will sign the client certificate we generate in the next step. Select the command as in the picture below and run it.

Using the root certificate variable created in the previous step, run the code below in the PowerShell ISE to generate a client certificate named P2SCLIENT signed by that root.

New-SelfSignedCertificate -Type Custom `
-DnsName P2SCLIENT `
-KeySpec Signature `
-Subject "CN=P2SCLIENT" `
-KeyExportPolicy Exportable `
-HashAlgorithm sha256 `
-KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" `
-Signer $rootcert `
-TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

In the previous two steps, we have created a root certificate and client certificate using that root certificate. We are going to export the root certificate and the client certificate using the Microsoft Management Console (MMC) with the certificate snap-in.

Press Windows+R and type mmc and click OK.

On the Microsoft Management Console, click File and then Add/Remove Snap-in.

Select Certificates from available snap-in and click Add.

Select My user account in the Certificates snap-in dialog and click Finish.

With the Certificates snap-in added, click OK.

We export the root certificate first and then the client certificate. Right-click P2SROOT and click Export under All Tasks.

The Certificate Export Wizard opens with a Welcome page; click Next to continue.

For the root certificate export we do not export the private key: select No, do not export the private key, and click Next.

On Export file format page, select “Base-64 Encoded X.509 (.CER)” and click Next.


Type the file path and file name with the .cer extension, store the certificate in a secure location, and click Next.

On the Completing the Certificate Export Wizard page, click Finish to close the wizard.

Click OK on the “The export was successful” message popup.

The next step is to export the client certificate with the private key.

Right-click the client certificate P2SCLIENT and click Export under All Tasks.

The Certificate Export Wizard starts with a welcome page; click Next to continue.

This time we select “Export the private key”, because this certificate will be installed on the client computer that needs Azure Point to Site VPN access for authentication. Select “Yes, export the private key” and click Next.


Leave the default selections and click Next.


Type a password for the certificate file and click Next.


Type a file path and file name with extension and click Next.

On the Completing the Certificate Export Wizard page, click Finish.

Click OK on the confirmation message popup.

Go to the file path where we exported the certificates, right-click the root certificate and select Notepad under Open with.

Copy the certificate content as selected in the image below.
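The MMC export above can also be scripted. The block below is an added example, not part of the original article: it locates the P2SROOT and P2SCLIENT certificates created by the New-SelfSignedCertificate commands, verifies the client certificate really chains to the root and carries the Client Authentication EKU, and writes the Base-64 .cer and password-protected .pfx files. The output folder C:\certs is an assumed path.

```powershell
# Added example (not from the original article): export the root and client
# certificates with PowerShell instead of the Certificates MMC snap-in.
# Assumes subjects CN=P2SROOT and CN=P2SCLIENT as in the article; C:\certs is a
# constructed output path.
$outDir = 'C:\certs'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Newest matching certificate wins if the commands were run more than once.
$root   = Get-ChildItem Cert:\CurrentUser\My | Where-Object Subject -eq 'CN=P2SROOT' |
          Sort-Object NotBefore -Descending | Select-Object -First 1
$client = Get-ChildItem Cert:\CurrentUser\My | Where-Object Subject -eq 'CN=P2SCLIENT' |
          Sort-Object NotBefore -Descending | Select-Object -First 1
if (-not $root -or -not $client) { throw 'Root or client certificate not found in Cert:\CurrentUser\My' }

# Checks worth making before anything is uploaded or handed to a user:
# 1. the client certificate was issued by this root (issuer equals the root subject)
# 2. the client certificate carries the Client Authentication EKU (1.3.6.1.5.5.7.3.2),
#    the extension the article's -TextExtension argument adds
# 3. the client private key exists here; the root key is never exported at all
if ($client.Issuer -ne $root.Subject) { throw 'Client certificate was not issued by P2SROOT' }
if (-not ($client.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.2')) {
    throw 'Client certificate lacks the Client Authentication EKU'
}
if (-not $client.HasPrivateKey) { throw 'Client certificate has no private key to export' }

# Root certificate: public part only, as "Base-64 Encoded X.509 (.CER)".
$rootB64 = [Convert]::ToBase64String($root.RawData, 'InsertLineBreaks')
@('-----BEGIN CERTIFICATE-----', $rootB64, '-----END CERTIFICATE-----') |
    Set-Content -Path (Join-Path $outDir 'P2SROOT.cer') -Encoding Ascii

# Client certificate: private key included, password-protected PFX, which is
# what gets installed on each VPN client machine.
$pfxPassword = Read-Host -Prompt 'Password for P2SCLIENT.pfx' -AsSecureString
Export-PfxCertificate -Cert $client -FilePath (Join-Path $outDir 'P2SCLIENT.pfx') `
    -Password $pfxPassword | Out-Null

# The single-line Base-64 string (no BEGIN/END lines) is exactly what the portal's
# "Public certificate data" box expects; it is returned so it can be copied.
[Convert]::ToBase64String($root.RawData)
```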

With the certificate content copied to the clipboard, open the virtual network gateway in the Azure portal and click Configure now.

Type an address pool range, select IKEv2 and SSTP as the tunnel type and Azure certificate as the authentication type, type a name for the root certificate, and paste the certificate content from the clipboard into the Public certificate data box.

Click Save and exit from the screen.
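The same VNet3, GatewaySubnet, virtual network gateway and Point-to-Site configuration built in the portal above can be created with the Az PowerShell module. This is an added example, not the article's own code: names and address ranges come from the article where it gives them; the region (eastus), the public IP and gateway names, the gateway SKU VpnGw1, the client address pool 172.16.201.0/24 and the $rootB64 variable holding the root certificate's Base-64 data are assumptions.

```powershell
# Added example (not from the original article). Requires the Az module and a
# prior Connect-AzAccount; $rootB64 must hold the root certificate's Base-64 data.
$rg       = 'RGDEMO'    # resource group from the article
$location = 'eastus'    # assumed region

New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# Steps 1 and 2: address space 192.168.0.0/16 with the workload subnet and the
# gateway subnet. The gateway subnet must be named exactly "GatewaySubnet".
$subnet   = New-AzVirtualNetworkSubnetConfig -Name 'default'       -AddressPrefix '192.168.100.0/24'
$gwSubnet = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '192.168.101.0/24'
$vnet = New-AzVirtualNetwork -Name 'VNet3' -ResourceGroupName $rg -Location $location `
    -AddressPrefix '192.168.0.0/16' -Subnet $subnet, $gwSubnet

# Step 3: public IP (assumed Standard/static SKU) and the gateway IP configuration
# bound to the GatewaySubnet.
$pip = New-AzPublicIpAddress -Name 'VNet3GWIP' -ResourceGroupName $rg -Location $location `
    -Sku Standard -AllocationMethod Static
$gwSubnetId = (Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet).Id
$ipConfig = New-AzVirtualNetworkGatewayIpConfig -Name 'VNet3GWIpConfig' `
    -SubnetId $gwSubnetId -PublicIpAddressId $pip.Id

# Point-to-Site settings from the "Configure now" screen: client address pool,
# IKEv2 + SSTP tunnels, Azure certificate authentication trusting P2SROOT only.
$rootCert = New-AzVpnClientRootCertificate -Name 'P2SROOT' -PublicCertData $rootB64

# Gateway creation takes well over 15 minutes, as it does in the portal.
New-AzVirtualNetworkGateway -Name 'VNet3GW' -ResourceGroupName $rg -Location $location `
    -IpConfigurations $ipConfig -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1 `
    -VpnClientAddressPool '172.16.201.0/24' -VpnClientProtocol 'IkeV2', 'SSTP' `
    -VpnClientRootCertificates $rootCert | Out-Null

# Read back what was applied: the pool, protocols and trusted roots should match
# the values above before any client package is handed out.
$gw = Get-AzVirtualNetworkGateway -Name 'VNet3GW' -ResourceGroupName $rg
$gw.VpnClientConfiguration.VpnClientAddressPool.AddressPrefixes
$gw.VpnClientConfiguration.VpnClientProtocols
$gw.VpnClientConfiguration.VpnClientRootCertificates.Name

# Equivalent of the "Download VPN client" button: generate the client profile
# for certificate (EAP-TLS) authentication and get its download URL.
$profile = New-AzVpnClientConfiguration -ResourceGroupName $rg -Name 'VNet3GW' -AuthenticationMethod 'EapTls'
$profile.VpnProfileSASUrl
```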

As the last step, click Download VPN client to download the VPN client.

Azure VPN Client Configuration

Right-click the eenergycleint.pfx certificate and select Install PFX.

Select Current User and click Next.

On the File to import page, leave the default and click Next.


Type the password and click Next.


Under Place all certificates in the following store, select the Personal store and click Next.

On the Completing the Certificate Import Wizard page, click Finish.

Click OK on the confirmation popup.

Next we install the VPN client binary: right-click the installer file and select Run as administrator.

Click Yes on the install confirmation dialog box.

On the taskbar, click the network icon and click VNET3.

The Network & Internet settings page opens; select VNET3 and click Connect.

Click Connect to connect to the Azure Point to Site VPN.

Check “Do not show this message again for this connection” and click Continue.


Once connected, use the private IP address of the VM for RDP access.

Go to the Virtual Machine overview in the Azure portal and copy the private IP of the VM.

Go to Start > Run, type “mstsc” and click OK.

Paste the private IP address copied from the Azure portal and click Connect.

The Remote Desktop Connection will prompt for credentials; type the credentials and click OK.

The ipconfig output in the picture shows you have logged in to the private IP over the VPN connection.

Conclusion

In this article we have gone through the Azure VPN client setup for Point to Site. We created the gateway subnet, deployed the VPN gateway, connected a Windows 10 client and accessed a resource inside the Azure network using its private IP address.

If you have any questions or feedback, please post them in the comments below. I’m happy to help resolve issues or answer questions at the earliest possible.
