Creating a Point to Site VPN connection to an Azure Resource Manager Virtual Network

I have been helping out on the MSDN forums and came across a post where a user was struggling to create a Point to Site (P2S) VPN connection to an Azure Resource Manager (ARM) Virtual Network – https://social.msdn.microsoft.com/Forums/azure/en-US/567b968e-aa50-4ee4-b554-af09c54a40e0/routing-in-azure-between-pointtosite-and-sitetosite-networks?forum=WAVirtualMachinesVirtualNetwork. At the time of writing it is not possible to do this using the portal. I had a look at the ARM PowerShell commands and found Set-AzureRmVirtualNetworkGatewayVpnClientConfig, but failed to find any documentation for it, so I set about working out how to do this myself.

Gateway Subnet
The Virtual Network Gateway must connect to a subnet named exactly GatewaySubnet; the gateway cmdlets look the subnet up by that name. I created this using the portal. Yes, I know I could do this in PowerShell, but I often use the portal for a quick fix.
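For completeness, here is the equivalent in PowerShell. This is an added example, not the code from the original post; it assumes the VNet and resource group names used later in the post and that 10.0.255.0/27 is an unused range inside the VNet's address space (both are assumptions). Nothing else should be deployed into the GatewaySubnet, and it should not have a network security group attached, or the gateway will not provision correctly.

```powershell
# Added example (not from the original post): create the GatewaySubnet with PowerShell.
# Assumptions: VNet "TestNetwork" in resource group "TestRG" already exists and
# 10.0.255.0/27 is a free range within its address space.
$vnet = Get-AzureRmVirtualNetwork -Name "TestNetwork" -ResourceGroupName "TestRG"

if ($vnet.Subnets | Where-Object { $_.Name -eq "GatewaySubnet" }) {
    "GatewaySubnet already exists; nothing to do."
}
else {
    # The name must be exactly GatewaySubnet. Keep the subnet dedicated to the gateway:
    # no VMs, no NSG, nothing else in it.
    Add-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" `
        -VirtualNetwork $vnet -AddressPrefix "10.0.255.0/27" | Out-Null

    # Add-...SubnetConfig only changes the in-memory object; Set-AzureRmVirtualNetwork commits it.
    $vnet = Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
}

# Show the resulting subnet layout so the new range can be checked against the others.
$vnet.Subnets | Select-Object Name, AddressPrefix
```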

Certificates

Certificates are used to authenticate clients. You must have a root certificate and one or more client certificates issued from that root. Only the public part of the root certificate is uploaded to Azure; each client certificate, together with its private key, is installed in the personal store of the user on the client machine (Current User\Personal). Note that the gateway will accept any client certificate chained to the uploaded root, so whoever holds the root's private key can issue certificates that connect to your network: keep that key offline or otherwise protected, and never upload a PFX containing it.

The documentation that exists for creating a P2S VPN connection to an Azure Service Manager (classic) virtual network details how to create these certificates using makecert – https://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-point-to-site-create/. This is the method I used, although if you have an Enterprise Certification Authority it would make sense to issue the client certificates from that instead.

To upload the root certificate to Azure it must be exported in Base64 format (in the certificate export wizard choose "Base-64 encoded X.509 (.CER)", without the private key).

If you then open the exported certificate in Notepad you will see a -----BEGIN CERTIFICATE----- line, several lines of Base64 text, and a -----END CERTIFICATE----- line.

The Add-AzureRmVpnClientRootCertificate PowerShell command requires the characters between the BEGIN and END certificate markers as a single string with no carriage returns or line feeds.
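Rather than pasting by hand, the single-line value can be produced from the exported file. This is an added example, not part of the original post. It assumes the root certificate was exported to C:\certs\MyRootCert.cer (an assumed path); the file may be Base64 or DER encoded, since the X509Certificate2 class parses both and its RawData property is always the DER bytes, which is exactly what sits between the BEGIN and END markers once the line breaks are removed. It also checks that the file carries no private key and that the certificate is marked as a CA, which is what makecert's -cy authority switch produces.

```powershell
# Added example (not from the original post): build the $publicCertData string that
# Add-AzureRmVpnClientRootCertificate expects, and sanity-check the certificate first.
# Assumed path; Base64 (.cer from the export wizard) or DER both work here.
$rootCerPath = "C:\certs\MyRootCert.cer"

# X509Certificate2 parses either encoding. RawData is the DER form, so Base64-encoding it
# yields the text between the BEGIN/END markers as one line, with no carriage returns.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $rootCerPath
$publicCertData = [Convert]::ToBase64String($cert.RawData)

# Never upload anything containing the root's private key: that key signs the client certs.
if ($cert.HasPrivateKey) {
    throw "File contains a private key. Export the public certificate only (no PFX)."
}

# The gateway validates client certs by chaining them to this root, so it should be a CA.
$bc = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not $bc -or -not $bc.CertificateAuthority) {
    Write-Warning "Certificate is not marked as a CA (BasicConstraints); client certs issued from it may be rejected."
}

# If the file is Base64, cross-check: stripping the markers and all whitespace from the
# text must give the same string as the parsed certificate.
$pem = Get-Content -Path $rootCerPath -Raw
if ($pem -match '-----BEGIN CERTIFICATE-----') {
    $fromPem = $pem -replace '-----BEGIN CERTIFICATE-----', '' `
                    -replace '-----END CERTIFICATE-----', '' `
                    -replace '\s', ''
    if ($fromPem -ne $publicCertData) { throw "PEM text and parsed certificate disagree." }
}

"Subject:               $($cert.Subject)"
"Thumbprint:            $($cert.Thumbprint)"
"Expires:               $($cert.NotAfter)"
"PublicCertData length: $($publicCertData.Length) characters"
```

The thumbprint printed here is what you would later compare against the certificate shown on the gateway, and the expiry date is worth recording: when the root expires, every client certificate issued from it stops working at once.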

The PowerShell

Here's the PowerShell I used to create the gateway and the P2S configuration. Note that it can take over 20 minutes for the gateway to be created successfully, and New-AzureRmVirtualNetworkGateway does not return until it is. Be patient! At the end of the script the URL to download the VPN client package is stored in the variable $packageUrl.

# Must create a subnet called GatewaySubnet for the gateway to connect to prior to creating the gateway

$vnetname = "TestNetwork"
$rgname = "TestRG"
$region = "North Europe"
$clientpool = "192.168.10.0/24"   # Pool VPN clients are addressed from; must not overlap the VNet or any on-premises range
$RootCertName = "MyRootCert.cer"

$publicCertData = "<Replace_With_Your_Base64_Cert_Data>" # Export cert as Base64 and put the data between the BEGIN/END markers on a single line

#$publicCertData = "MIIDFDCCAgCgAwIBAgIQtCz5YGITP4ZMrYRvqfzKHTAJBgUrDgMCHQUAMB8xHTAbBgNVBAMTFFBvaW50VG9Qb2ludFJvb3RDZXJ0MB4XDTE1MDEwNjA5MTMzOVoXDTM5MTIzMTIzNTk1OVowHzEdMBsGA1UEAxMUUG9pbnRUb1BvaW50Um9vdENlcnQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDONIScIVcbFGK/WojhRLyVtSFPhc67tKj2yDCUoaRyT8kfPAm5lvNL1WP5qWurd1ydbK/8hPGHWhkomeac6IEPd9IxmOHY3n6WfcAeCq6BcTDtvUdGSFEtB3gor0wZAIwehhmlAC9ZrdLdDRy3us1AxwJfxcoTZ4EbxKaM1HZGMTOE+2bvkvG+IshQULPScTVieLKLSZSYf57CdFl6OpoYScsrsuQuHNpSWb0kFwJwq83hWtjbojTkQyblcdI9jWG7nD0gb6Fe/BOkN8TtJ/il48X1eE5m3IpCKyU/RTzrumrtG1huwvYDqr1WzGOR5FJGtZtQxZjsg9BRepaOWB2DAgMBAAGjVDBSMFAGA1UdAQRJMEeAEGE1PUv6Gv4noBNem2xCw8ChITAfMR0wGwYDVQQDExRQb2ludFRvUG9pbnRSb290Q2VydIIQtCz5YGITP4ZMrYRvqfzKHTAJBgUrDgMCHQUAA4IBAQAEJCytWDQ9UzNl/vwT/xI+nkB/lRtRhUOKqsuCxa45PNQg6OFN4WwS+zaAZcg0UiJA324Bf4o8ivRXDML107smcakLJXPMJ7clvKga6QlG++6NwyRV6FIJnG8chxJlbxZNNVu2xmi0DZ2uqlzv8KNsLWkHuB6DjkVX82QYmPz9jjT3gTjtCML7bvJND0GTb2pEw4SAQD/h+tRaaaYETeUzQl0+wqk69/i7jQ8tKhZD5Xw38/SNU5gKp5bD4ofjFew6rfGhaPWPqRinsJ/PBYbE02rBU86NlTZ5Yvsg6sWvHTb+NVYbD0mJ7fPpKuFnNLAqyNC0kXBvfvOeCKV9U9hg"

# Login to Azure RM
Login-AzureRmAccount

# Get the Virtual Network
$vnet = Get-AzureRmVirtualNetwork -Name $vnetname -ResourceGroupName $rgname

# Create the public IP for the gateway (a VPN gateway needs a dynamically allocated public IP)
$GWIP = New-AzureRmPublicIpAddress -AllocationMethod Dynamic -ResourceGroupName $rgname -Location $region -Name GWIP1

# Get the gateway subnet (must already exist and be named GatewaySubnet)
$GWSubnet = Get-AzureRmVirtualNetworkSubnetConfig -Name GatewaySubnet -VirtualNetwork $vnet

# Create GW IP config, tying the gateway to the subnet and the public IP
$GWIPConfig = New-AzureRmVirtualNetworkGatewayIpConfig -Name GWIPConfig -SubnetId $GWSubnet.Id -PublicIpAddressId $GWIP.Id

# Create Gateway. P2S requires a route-based VPN gateway. This call blocks until provisioning finishes, which can take 20 minutes or more.
$gw = New-AzureRmVirtualNetworkGateway -Location $region -Name GW1 -ResourceGroupName $rgname -GatewayType Vpn -IpConfigurations $GWIPConfig -VpnType RouteBased

# Create client VPN config: the address pool clients are assigned from
Set-AzureRmVirtualNetworkGatewayVpnClientConfig -VirtualNetworkGateway $gw -VpnClientAddressPool $clientpool

# Upload the root certificate (public part only). Any client certificate chained to this root will be accepted by the gateway.
$rootCert = Add-AzureRmVpnClientRootCertificate -VpnClientRootCertificateName $RootCertName -PublicCertData $publicCertData -VirtualNetworkGatewayName $gw.Name -ResourceGroupName $rgname

# Get URL for the VPN client package - download the exe from here and run it on the client as the user who has the client certificate installed
$packageUrl = Get-AzureRmVpnClientPackage -ResourceGroupName $rgname -VirtualNetworkGatewayName $gw.Name -ProcessorArchitecture Amd64
$packageUrl
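Once the gateway is up, the one thing the script above does not cover is taking a client certificate out of service. With certificate authentication a lost laptop keeps connecting until either the root is removed (which cuts off everyone) or that client's thumbprint is revoked on the gateway. The following is an added example, not part of the original post; it uses the Get-AzureRmVpnClientRootCertificate, Add-AzureRmVpnClientRevokedCertificate and Get-AzureRmVpnClientRevokedCertificate cmdlets from the AzureRM.Network module, which I am assuming are present in the module version you have installed, and the resource names and thumbprint are placeholders.

```powershell
# Added example (not from the original post): check the trusted root and revoke one client
# certificate by thumbprint. Assumes the gateway GW1 in resource group TestRG created above
# and that the AzureRM.Network module provides the three Vpn*Certificate cmdlets used here.
$rgname = "TestRG"
$gwname = "GW1"

# Confirm the root the gateway trusts is the one you uploaded (compare the name and that it
# provisioned; a root stuck in a failed state means no client can authenticate).
Get-AzureRmVpnClientRootCertificate -VirtualNetworkGatewayName $gwname -ResourceGroupName $rgname |
    Select-Object Name, ProvisioningState

# The client certificate thumbprint is a placeholder. On the machine that still has the
# certificate it can be read with:
#   (Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -like "CN=*ClientCert*" }).Thumbprint
# but for a lost device you will need the value from your own issuance records.
$lostClientThumbprint = "0123456789ABCDEF0123456789ABCDEF01234567"

# Revoking the thumbprint is scoped to this one certificate; the root and all other
# client certificates carry on working. Prefer this over re-issuing the root.
Add-AzureRmVpnClientRevokedCertificate -VpnClientRevokedCertificateName "LostLaptop" `
    -Thumbprint $lostClientThumbprint `
    -VirtualNetworkGatewayName $gwname -ResourceGroupName $rgname | Out-Null

# List what is now revoked on the gateway.
Get-AzureRmVpnClientRevokedCertificate -VirtualNetworkGatewayName $gwname -ResourceGroupName $rgname |
    Select-Object Name, Thumbprint, ProvisioningState
```

Issue client certificates with a reasonably short lifetime and record each thumbprint when you hand a certificate out; revocation only works if you can still name the certificate you want gone.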