Setting up a point-to-site VPN connection to your Azure network.
We need to set up a way of accessing all the browser-based management tools without exposing them needlessly to the internet. The most convenient way is the point-to-site VPN service in Azure, which allows you to securely connect to the VNet of your lab environment from wherever you are working (like the office in your local caffé).
You will now set up a x509 certificate set for the encrypted connection. If you don’t have a business cert, you can prepare a self-signed one using openssl your Linux VM, or with makecert.exe on Windows. Open a new PowerShell prompt with administrative priviliges, change to the (smart and safe) directory where you wish to store the files, and type:
$env:path += ";C:\Program Files (x86)\Windows Kits\10\bin\x64\" makecert.exe -sky exchange -r -n "CN=ltlabs P2S root" ` -pe -a sha256 -len 4096 -ss My "ltlabsp2sroot.cer" makecert.exe -sky exchange -n "CN=ltlabs P2S client" ` -pe -a sha256 -m 96 -ss My -in "ltlabs P2S root" -is my
Now, to extract the public key in Base 64 encoding do the following:
- Type Win + R and run certmgr.msc
- Navigate to Certificates – Current User → Personal → Certificates
- Locate the root certificate you just created
- Right click on it, All Tasks → Export…
- Do not export the private key
- Choose Base-64 encoded X.509
- Choose a new filename like PublicKey.cer
- $GatewaySubnetName must be “GatewaySubnet”
- $VPNClientAddressPool must be separated from $VNetPrefix
- Pay extra attention to make sure the $RootCert variable is correct.
It needs to be a single string with no extra line-breaks or spaces.
$text = cat .\PubKey.cer $text = $text -join "" $RootCertBase64 = $text.substring(27,$text.Length-52) $ResourceGroup = "LT-Labs" $VNetName = "vnet01" $SubnetName = "vnet01subnet01" $GatewaySubnetName = "GatewaySubnet" $VNetPrefix = "10.0.0.0/16" $SubnetPrefix = "10.0.0.0/24" $GatewaySubnetPrefix = "10.0.10.0/24" $VPNClientAddressPool = "172.16.0.0/24" $ResourceGroup = "LT-Labs" $Location = "eastus2" $DNS = "184.108.40.206" $GatewayName = "gateway01" $GatewayIpName = "gateway01ip" $GatewayIpConfName = "gateway01ipconf" $RootCertName = "p2sRoot.cer" Login-AzureRmAccount $Id = (Get-AzureRmSubscription | Out-GridView ` -Title "Choose Sub." ` -PassThru).SubscriptionId Select-AzureRmSubscription -SubscriptionId $subscriptionId $VNet = Get-AzureRmVirtualNetwork -ResourceGroupName $ResourceGroup ` -Name $VNetName $VNet | Add-AzureRmVirtualNetworkSubnetConfig -Name $GatewaySubnetName ` -AddressPrefix $GatewaySubnetPrefix | Set-AzureRmVirtualNetwork
$VNet = Get-AzureRmVirtualNetwork -ResourceGroupName $ResourceGroup ` -Name $VNetName $Subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name $GatewaySubnetName ` -VirtualNetwork $VNet $PublicIp = New-AzureRmPublicIpAddress -Name $GatewayIpName ` -ResourceGroupName $ResourceGroup ` -Location $Location ` -AllocationMethod Dynamic $IpConfig = New-AzureRmVirtualNetworkGatewayIpConfig -Name $GatewayIpConfName ` -Subnet $Subnet ` -PublicIpAddress $PublicIp $RootCert = New-AzureRmVpnClientRootCertificate -Name $RootCertName ` -PublicCertData $RootCertBase64 New-AzureRmVirtualNetworkGateway -Name $GatewayName ` -ResourceGroupName $ResourceGroup ` -Location $Location ` -IpConfigurations $IpConfig ` -GatewayType Vpn ` -VpnType RouteBased ` -EnableBgp $false ` -GatewaySku Standard ` -VpnClientAddressPool $VPNClientAddressPool ` -VpnClientRootCertificates $RootCert
That last command can take a good 15 minutes to run, so just relax and take a break. Once the prompt returns, all that’s left is to configure your Windows client to connect to the gateway. Run the following command in PowerShell to access your configuration:
$VPNClient = Get-AzureRmVpnClientPackage -ResourceGroupName $ResourceGroup ` -VirtualNetworkGatewayName $GatewayName ` -ProcessorArchitecture Amd64 start $VPNClient
That last command will download an EXE file that your browser might find suspicious. Nevertheless, it’s the program that configures your VPN client. Once you have run the program, you will see in your control panel that a new VPN connection is available with the same name as your Azure VNet. Connect and you will be able to access your Azure machines as if they were on your local network!
Now you can safely block all inbound connections from the internet to your Azure resource group.