At the time of writing this book, every nation in the world has been affected by the Covid-19 pandemic. The pandemic forced most of us to work from home. While working from home, you need to secure the method by which you connect to your corporate resources. Most organizations have configured employee workstations or laptops with a VPN so that employees can connect to their corporate network securely. This is an example of a point-to-site connection. In the case of S2S connections, you create secure connections between two sites. All users in the on-premises environment connect to their on-premises gateway. Since the on-premises gateway is connected to the Azure VPN gateway, users are able to access Azure resources privately over the VPN. However, this works only if the user is in the office or otherwise connected to the on-premises network. What if the user is working remotely and is not present in the office? This is where you can leverage P2S connections.
Using a P2S connection, you can create a secure connection from an individual computer to an Azure virtual network over VPN. P2S is also an alternative to S2S connections if you have a limited number of users who want to connect to Azure and you don't have on-premises equipment that supports S2S connections. P2S connections are always initiated from the client machine. All clients need to download the VPN profile and install it on their device to establish the P2S connection.
Before Azure accepts P2S requests from clients, the client must authenticate. There are three authentication types:
- Azure certificate
- RADIUS authentication
- Azure Active Directory
The availability of the authentication methods will depend on the VPN SKU. For example, Basic SKU only supports certificate authentication.
P2S connections support the following protocols:
- The OpenVPN protocol is a TLS VPN solution that supports Android, iOS (versions 11.0 and above), Linux, Windows, and macOS (versions 10.13 and above).
- Secure Socket Tunneling Protocol (SSTP) is also a TLS-based VPN protocol; however, the support is limited to Windows devices (Windows 7 and later).
- IKEv2 VPN is an IPSec VPN solution for macOS-based computers. macOS versions 10.11 and above are supported.
Since TLS uses port 443, you don't need to open additional ports on your firewall. The choice of protocol depends on the devices you need to support and your network configuration.
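The following added example (not from the book or its GitHub script) walks through the certificate-authentication flow described above with Azure PowerShell: a root certificate the gateway trusts, a client certificate signed by it, enabling P2S with the OpenVPN protocol, generating the client profile, and revoking a single client certificate. The resource group name, gateway name and client address pool are assumptions; the gateway SKU is assumed to support OpenVPN.

```powershell
# Added example, not the book's code. Assumed names: resource group "vpn-rg",
# gateway "vpn-gw" (reuse what Exercise 4.2 created) and client address pool
# 172.16.201.0/24, which must not overlap any VNet or on-premises range
# that P2S clients need to reach.
$rg     = 'vpn-rg'
$gwName = 'vpn-gw'
$pool   = '172.16.201.0/24'

# 1. Self-signed root certificate, kept only on the admin workstation. Its
#    public part is what the gateway trusts; its private key signs client certs.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject 'CN=P2SRootCert' -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' `
    -KeyUsageProperty Sign -KeyUsage CertSign

# 2. One client certificate per user or device, signed by the root. The
#    client-authentication EKU (1.3.6.1.5.5.7.3.2) is what the gateway checks.
$client = New-SelfSignedCertificate -Type Custom -DnsName 'P2SChildCert' `
    -KeySpec Signature -Subject 'CN=P2SChildCert' -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' -Signer $root `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')

# 3. Upload only the root's public certificate (base64 DER) to the gateway and
#    enable P2S with OpenVPN (TLS over port 443) on the assumed address pool.
$rootPublic = [System.Convert]::ToBase64String($root.RawData)
$rootRef    = New-AzVpnClientRootCertificate -Name 'P2SRootCert' -PublicCertData $rootPublic
$gw = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw `
    -VpnClientAddressPool $pool -VpnClientProtocol OpenVPN `
    -VpnClientRootCertificates $rootRef

# 4. Generate the VPN client profile package that users download (from the
#    returned SAS URL) and install on their device, as the text describes.
$profile = New-AzVpnClientConfiguration -ResourceGroupName $rg -Name $gwName `
    -AuthenticationMethod 'EapTls'
$profile.VpnProfileSASUrl

# 5. If a device is lost, revoke just that device's client certificate by
#    thumbprint; the root stays trusted and other users keep working.
Add-AzVpnClientRevokedCertificate -VpnClientRevokedCertificateName 'lost-laptop' `
    -VirtualNetworkGatewayName $gwName -ResourceGroupName $rg `
    -Thumbprint $client.Thumbprint
```

Step 5 is shown for completeness; run it only for a certificate you actually want to revoke.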
In Exercise 4.3, you will establish a P2S connection from your local machine to Azure. In Azure, you have a virtual network in the East US region with one VM added to the workloadSubnet and the GatewaySubnet for hosting the VPN gateway. The architecture can be reviewed in Figure 4.15. You can reuse the gateway that you created in Exercise 4.2. If you have deleted the resources or resource group, you can re-create the architecture using this PowerShell script:
https://github.com/rithinskaria/azure-infra/blob/main/vpn-p2s-env.ps1

FIGURE 4.15 P2S architecture
In Figure 4.15, you can see that P2S connections have been established from Linux, Windows, and macOS computers. You could also establish P2S connections from handheld devices and tablets. For the exercise, you will connect from a Windows machine and verify connectivity to the VM. If you don't have a Windows machine, you can download the VPN profile for your OS. See Exercise 4.3.
EXERCISE 4.3