1. Home
  2. Training Library
  3. Microsoft Azure
  4. Courses
  5. Design Microsoft Azure Infrastructure and Networking for Azure 70-534 Certification

Virtual Private Networks


1m 46s
Start course

This is the first of six preparation courses for the Architecting Microsoft Azure Solutions 70-534 certification exam. By the end of this course, you will have gained a solid understanding of Azure data center and VPN architecture. We will cover Azure’s use of Global Foundation Services for its data centers, virtual networks, Azure Compute (IaaS, virtual machines, fault domains), VPNs, and ExpressRoute. This session will also feature a high-level discussion of Azure services (load balancing options, Traffic Manager, and more).


Welcome back. In this lesson, we'll be talking about virtual private networks, abbreviated, VPN. We'll be covering site-to-site VPNs, point-to-site VPNs, ExpressRoute, virtual-network-to-virtual-network VPNs, and multisite VPNs.

Cloud migration is a long-term process that can take time for companies. The bigger the company, the longer the process may take, and in some cases, it can take years. And sometimes, a complete migration isn't possible due to any number of reasons. So hybrid solutions are often required.

Services will migrate from on-prem to cloud overtime and needs to integrate seamlessly with on-prem services. Depending on your needs, there are different options available to connect on-prem networks or devices to an Azure virtual network.

Point-to-site VPNs are the simplest way to access a remote virtual network through the public internet. This is accomplished by installing software on the client PC that needs to access the virtual network. This provides you with an encrypted tunnel to connect the given client to the network so that it can access the resources on that network. It's a useful solution when there's only a few users that need to connect to the VPN. Typical scenarios are cases of remote administration or troubleshooting. Also, it's a good solution in a development scenario for remote workers or for debugging sessions. It's not a great option when there are a lot of users that require a connection since each connection needs to be managed separately.

There are other options, though, as we've mentioned. A site-to-site VPN is a single private connection from an on-prem network to the remote virtual network over the public internet, and that projects an entire network on-prem to the remote Azure virtual network. The single connection is shared among the on-prem nodes accessing the remote endpoints. A hardware appliance can be used to build the site-to-site VPN. Not all networking appliances like consumer routers implement supporting site-to-site VPNs, so a network upgrade may be required. There's also the possibility to use a software appliance installed on a server on the LAN. For example, you could use Windows Server, which has routing service to connect LANs to VPNs.

Another option is ExpressRoute. ExpressRoute is a private connection for an on-prem data center to an Azure data center. It's a dedicated connection co-located in a third-party connection provider, and these are located all around the world. Traffic doesn't travel across the public internet, but is kept private to ensure reliability, low-latency, and security. The SLA is guaranteed by redundant connections to the Microsoft Edge network. ExpressRoute is ideal for things like data storage access, backup, and disaster recovery. It's also preferred to connect to Office 365 or Dynamics CRM Service Solutions. It's not going to be useful or cost-effective for everyone, though it can be a convenient option when you have frequent big data transfers on a daily basis. So make sure you evaluate ExpressRoute carefully before getting started with it.

Sometimes there's a need to create multiple virtual networks for security or for performance reasons. In this scenario, you'd set up two VPN gateways to allow intra-region traffic between the virtual networks. This is called vNet-to-vNet VPN. This ensures multi-region availability of the cloud infrastructure. And there are a lot of different scenarios for things like this. Maybe SQL Server AlwaysOn deployed as an infrastructure of service, or this can be useful for things like geographically distributed partitions in a NoSQL solution deployed on VMs connected to different virtual networks.

Let's check out how to create a point-to-site VPN connection with the classic portal. We created some virtual networks previously in the course, and we created virtual machines on the network. Remember when we opened up the VM to be accessible to connect in VRDP? This exposed our VM to the internet with no firewall in front of it. We can do better. We can make it so the only way to connect to the VM is if we're already on the same network.

We started in the portal, we're on the Networks tab, so we'll select our virtual network, that's the one we created earlier, and then we're gonna click on the Configure tab. And there's an option for point-to-site. So we're gonna select Configure. Now here, we have two address spaces. We have the address space for the device we'll be connecting into the virtual network from, and then the other is the virtual network's address space. We're currently seeing a collision because they're set to the same thing. So we need to change the address space for our connection. We'll select the address space, there we go.

And now we need to add a gateway subnet. And then we can save. And now we need to create the gateway. It's a couple of simple prompts. And then it's gonna take a little while, and once it's complete, we'll have our gateway.

Okay, now it's currently upset that the cert isn't up to date. So we'll create a cert, we'll use the command-line. There we go, and now we can browse to it and upload it. Alright, perfect.

Now we also need a client cert. We'll need a client cert for each client that we'll connect. So we're gonna create one on the command-line again. And we'll quickly install it here.  

Great, now we can download and install the VPN client. It'll be a few prompts, and we'll click through them. And there we are, we're all set.

Okay, let's test this out. Let's go and remove the RDP endpoint. That way we can't connect to the VM directly, we need to be on the private network, and since we wanna connect to the server on the same network, we need to know the IP address for that VM. So let's go look that up. Okay, there it is, So if we connect to the VPN, we'll just follow a few prompts, there we go, and now let's try and connect via RDP. We'll provide the credentials. And it's gonna take just a moment, but when it's done, okay, great, we're connected.

So Azure makes it easy to set up a VPN, and this sort of point-to-site connection makes things like administration pretty easy. In our next lesson, we'll be looking at some of the Azure services that we haven't covered in the course so far. So if you're ready to learn about things like media services, Redis, and more, then let's keep going.

About the Author
Ben Lambert
Software Engineer
Learning Paths

Ben Lambert is a software engineer and was previously the lead author for DevOps and Microsoft Azure training content at Cloud Academy. His courses and learning paths covered Cloud Ecosystem technologies such as DC/OS, configuration management tools, and containers. As a software engineer, Ben’s experience includes building highly available web and mobile apps. When he’s not building software, he’s hiking, camping, or creating video games.