Configure Point to Site on ARM based Virtual Network


For a Classic Virtual Network we could enable Point to Site via the old portal (https://manage.windowsazure.com); however, as of now there is no way to create a Point to Site connection for ARM via the new portal (https://portal.azure.com). We can use PowerShell cmdlets to achieve the same result.

First Method

1. Delete the existing Gateway connection, the Virtual Network Gateway and the Gateway public IP (PIP).

Note: You can make use of https://resources.azure.com to delete the gateway connection and then the Virtual Network Gateway & Gateway Public IP.

2. Delete the existing Gateway Subnet from the Virtual network

Note: You can achieve this by navigating to https://portal.azure.com → Virtual Networks → Subnets → right-click the Gateway Subnet and select Delete.

3. You can use the following script to create the Gateway Subnet, the Gateway Public IP and the Virtual Network Gateway with Point to Site enabled.

Note: The Gateway subnet must be a /28 CIDR inside the VNET address space, and its name must be exactly GatewaySubnet, with no spaces.

$RGname   = "TEST"
$Location = "EAST US"
$VNETname = "TESTVNET"
$GWname   = "TESTGateWay"
$GWSubnet = "10.0.3.0/28"   # /28 inside the VNET address space; the subnet name must be exactly GatewaySubnet

# In case the VNET does not exist yet, create it with one workload subnet (skip this if it already exists)
$Subnet1 = New-AzureRmVirtualNetworkSubnetConfig -Name "Subnet1" -AddressPrefix 10.0.1.0/24
New-AzureRmVirtualNetwork -Name $VNETname -ResourceGroupName $RGname -Location $Location -AddressPrefix 10.0.0.0/16 -Subnet $Subnet1

# Get the VNET and add the Gateway subnet to it
$vnet = Get-AzureRmVirtualNetwork -Name $VNETname -ResourceGroupName $RGname
Add-AzureRmVirtualNetworkSubnetConfig -Name GatewaySubnet -AddressPrefix $GWSubnet -VirtualNetwork $vnet
Set-AzureRmVirtualNetwork -VirtualNetwork $vnet

# Create the public IP for the gateway
$gwpip = New-AzureRmPublicIpAddress -Name gwpip -ResourceGroupName $RGname -Location $Location -AllocationMethod Dynamic

# Create the gateway IP configuration (re-read the VNET so it includes the new subnet)
$vnet = Get-AzureRmVirtualNetwork -Name $VNETname -ResourceGroupName $RGname
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$gwipconfig = New-AzureRmVirtualNetworkGatewayIpConfig -Name gwipconfig1 -SubnetId $subnet.Id -PublicIpAddressId $gwpip.Id

# Create the gateway with the Point to Site client pool (must not overlap the VNET or on-premises ranges)
New-AzureRmVirtualNetworkGateway -Name $GWname -ResourceGroupName $RGname -Location $Location -IpConfigurations $gwipconfig -GatewayType Vpn -GatewaySku Standard -VpnType RouteBased -VpnClientAddressPool "192.168.1.0/24"

# Add the root certificate
# Export your root cert in .cer format with Base64 encoding, open the file in Notepad and join the text between
# -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- into one long string (truncated in this example)
$cert = "MIIDETCCAf2gAwIBAgIQPTApmVXmK...dWoNHTdid6aWSSBf21rfas8"
Add-AzureRmVpnClientRootCertificate -VpnClientRootCertificateName "ARMcert" -VirtualNetworkGatewayName $GWname -ResourceGroupName $RGname -PublicCertData $cert

# Download the VPN client package; ProcessorArchitecture can be Amd64 or X86
Get-AzureRmVpnClientPackage -ResourceGroupName $RGname -VirtualNetworkGatewayName $GWname -ProcessorArchitecture Amd64

Second Method

If you decide not to delete the Gateway Connection, Virtual Network Gateway or the Gateway PIP, you can use https://resources.azure.com → Subscription → Resource Group → (Resource Group Name) → Microsoft.Network → VirtualNetworkGateway → (Gateway)

Click Read/Write and then click Edit on the Gateway.

[Screenshot: SelectGateway]

We then have to add the following property directly below "enableBgp": false (add a comma after false so the JSON stays valid):

"vpnClientConfiguration": {
  "vpnClientAddressPool": {
    "addressPrefixes": [
      "192.168.2.0/24"
    ]
  },
  "vpnClientRootCertificates": [],
  "vpnClientRevokedCertificates": []
}

Note: Replace the Point to Site address space with an appropriate range that does not overlap your on-premises or Azure Virtual Network address ranges.

Click Put and then wait a few minutes (approximately 10) for the gateway to update.

[Screenshot: EditGateway]

Once the update is complete you can use PowerShell to upload the root certificate and download the client package.

# Variables for the gateway edited above
$RGname = "TEST"
$GWname = "TESTGateWay"

# Add the root certificate
# Export your root cert in .cer format with Base64 encoding, open the file in Notepad and join the text between
# -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- into one long string (truncated in this example)
$cert = "MIIDETCCAf2gAwIBAgIQPTApmVXmK...dWoNHTdid6aWSSBf21rfas8"
Add-AzureRmVpnClientRootCertificate -VpnClientRootCertificateName "ARMcert" -VirtualNetworkGatewayName $GWname -ResourceGroupName $RGname -PublicCertData $cert

# Download the VPN client package; ProcessorArchitecture can be Amd64 or X86
Get-AzureRmVpnClientPackage -ResourceGroupName $RGname -VirtualNetworkGatewayName $GWname -ProcessorArchitecture Amd64

I would also suggest trying this on a test Virtual Network before making changes to the production VNET.
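An added example (not code from the original post) that automates the two manual steps both methods share: it derives the -PublicCertData string from the exported .cer file instead of hand-editing it in Notepad, and refuses to upload the root certificate if the Point to Site pool overlaps the VNET or on-premises ranges. The certificate path, on-premises prefix and pool value are assumptions.

```powershell
# Added example, not from the original post. Assumes the AzureRM module is loaded,
# the gateway from the article already exists, and the paths/ranges below are yours.
$RGname   = "TEST"
$VNETname = "TESTVNET"
$GWname   = "TESTGateWay"
$CerPath  = "C:\certs\P2SRoot.cer"   # assumed: root cert exported as Base64 .cer
$P2SPool  = "192.168.2.0/24"         # assumed: Point to Site client address pool
$OnPrem   = @("10.1.0.0/16")         # assumed: on-premises ranges reachable via VPN

# 1. Build -PublicCertData from the certificate bytes. RawData is the DER body, so
#    Base64-encoding it gives exactly the single-line string the cmdlet expects,
#    with no need to copy the text between the BEGIN/END lines by hand.
$rootCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CerPath
$certData = [Convert]::ToBase64String($rootCert.RawData)

# 2. Turn an IPv4 CIDR into a numeric Start/End range for the overlap check.
function ConvertTo-IPRange {
    param([string]$Cidr)
    $ip, $prefix = $Cidr.Split('/')
    $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    [long]$addr  = ([long]$b[0] -shl 24) -bor ([long]$b[1] -shl 16) -bor ([long]$b[2] -shl 8) -bor [long]$b[3]
    [long]$size  = [long]1 -shl (32 - [int]$prefix)
    [long]$start = $addr - ($addr % $size)   # align to the network boundary
    return @{ Start = $start; End = $start + $size - 1 }
}

# 3. Stop if the client pool overlaps the VNET or on-premises space; an overlapping
#    pool breaks routing for the addresses it shadows once clients connect.
$vnetPrefixes = (Get-AzureRmVirtualNetwork -Name $VNETname -ResourceGroupName $RGname).AddressSpace.AddressPrefixes
$pool = ConvertTo-IPRange $P2SPool
foreach ($prefix in (@($vnetPrefixes) + $OnPrem)) {
    $r = ConvertTo-IPRange $prefix
    if ($pool.Start -le $r.End -and $r.Start -le $pool.End) {
        throw "Point to Site pool $P2SPool overlaps $prefix; choose a different pool."
    }
}

# 4. Upload the root certificate only after the checks pass. Every client certificate
#    issued by this root will be accepted by the gateway, so keep its private key offline.
Add-AzureRmVpnClientRootCertificate -VpnClientRootCertificateName "ARMcert" `
    -VirtualNetworkGatewayName $GWname -ResourceGroupName $RGname -PublicCertData $certData
```

The same certData value works for the first method's $cert variable, so the Notepad step can be dropped there as well.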

Comments (2)

  1. Sergey says:

    Hi Sushant,
    Thanks for the amazing article! Now I'm able to connect to my Azure Virtual Network.
    Unfortunately the VPN connection doesn't see the DNS server in Azure, any ideas why?

    Thanks!

  2. Alexandre GIRAUD says:

    Just using Set-AzureRmVirtualNetworkGatewayVpnClientConfig is enough 😉
