Home Office Remote Work Solution with Microsoft Azure VPN Gateway

A R

In this project, based on a real-world scenario, I acted as a Cloud Specialist and created a solution that lets people who had been working in the office start working from home, accessing the environment in Microsoft Azure as usual without exposing the entire environment to the internet.

To solve this business problem with a solution that meets the requirements, I decided to implement Point-to-Site (P2S) VPN connections, so that employees working from home would use an encrypted tunnel between their computer and the Microsoft Azure environment.

Implementation:

Step 1. Create a Resource Group.

Step 2. Create Virtual Network.

Create a virtual network with default settings.

Step 3. Create VM app01

Create a VM without public IP address.

Step 4. Create VPN Gateway
A VPN gateway is a resource that allows private connections between Azure VMs and on-premises servers over private IP addresses.

In the Azure console, search for Virtual Network Gateways.

Important points to consider while deploying the resource.

  • Creating the VPN gateway may take up to 20 minutes.
  • Prerequisites: for this hands-on exercise, I had already created the certificates (root and client).

Review and create the resources.

VPN configuration:

Point-to-Site configuration:

Before installing the VPN client, you must install the client certificate. The client certificate authenticates the client machine to the Azure environment, which validates it against the root certificate.

Click on the point-to-site configuration and enter the root certificate. Once the root certificate is saved, a client configuration file becomes available to download to the local desktop.

Configure the P2S configuration using the root certificate.

- Adding a pool of IPs (range): 172.16.0.0/24

- Tunnel type: IKEv2 and SSTP (SSL)

- Use default IPsec.

- Authentication type: Azure certificate.

  • Enter the root certificate and its name.

Click Save to save the VPN configuration. This may take a few minutes.

Installing Client Certificate:

Double-click the client certificate that was previously obtained along with the root certificate.

Follow the wizard and enter the credentials.

After completing the installation, accept the Windows security warning and continue.
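
The root and client certificates used in the two sections above are a prerequisite that this walkthrough does not show. One way to produce them with OpenSSL from a Git Bash terminal follows, as an added example that is not part of the original project; the names P2SRootCert and P2SClientCert, the file names and the P2S_PFX_PASS variable are assumptions.

```shell
#!/usr/bin/env bash
# Added example. P2SRootCert, P2SClientCert and all file names are placeholders.

make_p2s_certs() {   # usage: P2S_PFX_PASS=... make_p2s_certs <output-dir>
    local dir="$1" root_cn="${2:-P2SRootCert}" client_cn="${3:-P2SClientCert}"
    [ -n "$dir" ] && [ -n "$P2S_PFX_PASS" ] || { echo "need <dir> and P2S_PFX_PASS" >&2; return 1; }
    mkdir -p "$dir" || return 1
    (
        cd "$dir" || exit 1
        umask 077                  # keys are written unencrypted (-nodes): owner-only, keep root.key offline
        export MSYS_NO_PATHCONV=1  # stop Git Bash rewriting "/CN=..." into a Windows path
        cat > p2s.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[client]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
        # Root CA: only its public part goes into the gateway's P2S configuration.
        openssl req -x509 -config p2s.cnf -newkey rsa:2048 -nodes -sha256 -days 730 \
            -subj "/CN=$root_cn" -keyout root.key -out root.pem 2>/dev/null || exit 1
        # Client key and CSR, then a client certificate signed by the root with the clientAuth EKU.
        openssl req -new -config p2s.cnf -newkey rsa:2048 -nodes \
            -subj "/CN=$client_cn" -keyout client.key -out client.csr 2>/dev/null || exit 1
        openssl x509 -req -in client.csr -CA root.pem -CAkey root.key -CAcreateserial \
            -sha256 -days 365 -extfile p2s.cnf -extensions client -out client.pem 2>/dev/null || exit 1
        # Root certificate data for the portal: base64 body only, no BEGIN/END lines.
        grep -v -- '-----' root.pem | tr -d '\r\n' > root_portal.txt
        # Password-protected bundle for the Windows certificate import wizard.
        openssl pkcs12 -export -inkey client.key -in client.pem -certfile root.pem \
            -passout env:P2S_PFX_PASS -out client.pfx || exit 1
    )
}

check_p2s_client() {   # usage: check_p2s_client <root.pem> <client.pem>
    # The chain must verify against the root and be valid for TLS client authentication.
    openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
}
```

The content of root_portal.txt is what gets pasted as the root certificate in the point-to-site configuration, and client.pfx is the file to import on the remote worker's machine. Running check_p2s_client before distributing a client certificate catches a certificate issued by the wrong root.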

Installing VPN client:

Once the VPN gateway configuration is saved, the VPN client package becomes available for download.

Click on VPN client download.

Unzip the downloaded folder, and extract the content of WindowsAmd64.

A warning will pop up. Ignore and click on “Run anyway”.

Remote connection via VPN:

In the Windows Start menu, search for VPN. The available connections will appear. Click Connect.

  • Common VPN connection error, code 720: “Error 720: Can’t connect to a VPN Connection” when you try to establish a VPN connection.

Solution: on your computer, search for Device Manager and uninstall all WAN Miniport components. Then click on “scan” and it will install the updated packages. Try to connect to the VPN again and it will connect.

Step 5. Testing the remote connection using Private IP

In the Azure console, go to the VM app01 and obtain its private IP address.

Open a Git Bash terminal on your computer and ping the VM.

  • Connect to the VM over the VPN and run an operation by installing Apache:
    SSH into app01 using its private IP.

Run the commands below to install the Apache2 web server.

sudo apt-get update
sudo apt-get install apache2
sudo systemctl restart apache2.service

Open a new browser window and enter the VM's private IP address.

Conclusion and Key Insights:

This hands-on exercise focused on providing remote work solutions using Azure VPN Gateway, a crucial skill for any cloud engineer. The ability to configure, establish, and troubleshoot VPN connections is essential in this role. Point-to-Site VPN connections offer secure communication over the internet using private IP addresses, ensuring internal communication without the need for public IP addresses.

Beyond configuration, effective troubleshooting and management are vital for smooth operations. For example, during this exercise, I identified and terminated connections from specific source IP addresses as needed. One common issue users encounter is difficulty connecting via VPN. I resolved this problem by consulting documentation and research, ultimately updating the WAN Miniport drivers.

Overall, this project provided valuable insights and boosted my confidence in establishing secure connections for remote workers.
