Deploy Azure VPN Gateway with P2S Config using Bicep

Deploying an Azure VPN Gateway with Point-To-Site Configuration Using Azure Certificate Authentication, Bicep, and Azure DevOps

Introduction

Azure VPN Gateway is a vital service that facilitates secure connectivity between on-premises networks and Azure virtual networks. With Point-To-Site (P2S) VPN, individual clients can securely connect to an Azure Virtual Network (VNet) from remote locations. This guide will demonstrate how to deploy an Azure VPN Gateway with P2S configuration using Azure certificate authentication, Bicep, and Azure DevOps, ensuring a streamlined and automated setup process.

Step-by-Step Implementation Guide

  1. Set Up Your Azure Environment

    • Ensure you have an active Azure subscription and the necessary permissions to create resources.

  2. Install Azure CLI and Bicep

    • Install Azure CLI:

      curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
      
    • Install Bicep:

      az bicep install
      
  3. Generate and Export Certificates

    • Create a self-signed root certificate using PowerShell:

      # Self-signed root (CertSign key usage) that the gateway will trust; valid for 24 months
      $cert = New-SelfSignedCertificate -Type Custom -Subject "CN=P2SRootCert" -KeySpec Signature -KeyExportPolicy Exportable -KeyUsage CertSign -KeyUsageProperty Sign -KeyLength 2048 -HashAlgorithm sha256 -CertStoreLocation "Cert:\CurrentUser\My" -NotAfter (Get-Date).AddMonths(24)
      
    • Export the root certificate public key (.cer):

      Export-Certificate -Cert $cert -FilePath "C:\path\to\rootcert.cer"   # DER-encoded by default
      certutil -encode "C:\path\to\rootcert.cer" "C:\path\to\rootcert.b64.cer"   # Base64 (PEM) copy used for publicCertData
      
    • Generate a client certificate from the root certificate:

      # Client certificate signed by the root; installed on each VPN client machine
      $clientCert = New-SelfSignedCertificate -Type Custom -Subject "CN=P2SClientCert" -KeySpec Signature -KeyExportPolicy Exportable -KeyUsage DigitalSignature -KeyUsageProperty Sign -KeyLength 2048 -HashAlgorithm sha256 -CertStoreLocation "Cert:\CurrentUser\My" -Signer $cert
      
    • Export the client certificate (.pfx):

      # The PFX contains the client private key, so it is the file distributed to the client
      Export-PfxCertificate -Cert $clientCert -FilePath "C:\path\to\clientcert.pfx" -Password (ConvertTo-SecureString -String "password" -Force -AsPlainText)
      
  4. Create a Bicep Template for VPN Gateway

    • Define the Bicep template (vpnGateway.bicep) to create the VPN Gateway:

      // One location for every resource: a VPN gateway must be deployed in the same region as its VNet
      param location string = resourceGroup().location

      resource vnet 'Microsoft.Network/virtualNetworks@2021-02-01' = {
        name: 'myVNet'
        location: location
        properties: {
          addressSpace: {
            addressPrefixes: ['10.1.0.0/16']
          }
          subnets: [
            {
              name: 'GatewaySubnet' // the gateway subnet must use exactly this name
              properties: {
                addressPrefix: '10.1.0.0/24'
              }
            }
          ]
        }
      }

      resource vpnGateway 'Microsoft.Network/virtualNetworkGateways@2021-02-01' = {
        name: 'myVpnGateway'
        location: location
        properties: {
          ipConfigurations: [
            {
              name: 'vnetGatewayConfig'
              properties: {
                publicIPAddress: {
                  id: publicIP.id
                }
                subnet: {
                  id: vnet.properties.subnets[0].id // GatewaySubnet
                }
              }
            }
          ]
          gatewayType: 'Vpn'
          vpnType: 'RouteBased'
          enableBgp: false
          sku: {
            name: 'VpnGw1'
            tier: 'VpnGw1'
          }
          vpnClientConfiguration: {
            vpnClientAddressPool: {
              addressPrefixes: ['172.16.0.0/24'] // must not overlap the VNet or on-premises ranges
            }
            vpnClientProtocols: ['OpenVPN']
            rootCertificates: [
              {
                name: 'RootCert'
                properties: {
                  // Base64 body of the exported root .cer, without the BEGIN/END lines
                  publicCertData: 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA...'
                }
              }
            ]
          }
        }
      }

      resource publicIP 'Microsoft.Network/publicIPAddresses@2021-02-01' = {
        name: 'myPublicIP'
        location: location
        properties: {
          publicIPAllocationMethod: 'Dynamic'
        }
      }
      
    • The publicCertData value is the Base64-encoded root certificate: open the Base64 export of the root certificate in Notepad and copy the content WITHOUT the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines (and without line breaks).
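
    • As an added example that is not part of this article, the Python helper below produces the publicCertData value from the exported root .cer, whether it is the DER file Export-Certificate writes by default or a Base64/PEM export, rejects truncated input, and prints the SHA-1 thumbprint so the value uploaded to the gateway can be compared with the local root. It runs anywhere Python is available, including the ubuntu-latest pipeline agent; the sample bytes are constructed and are not a real certificate.

```python
import base64
import hashlib
import re

PEM_BODY = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_is_complete(der: bytes) -> bool:
    """True if der is one ASN.1 SEQUENCE whose declared length matches its size
    (catches truncated pastes such as a value that ends in '...')."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length byte
        header, declared = 2, first
    else:                                  # long form: 0x8N followed by N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, declared = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + declared == len(der)

def public_cert_data(cer: bytes) -> str:
    """Single-line Base64 of the DER certificate, i.e. the publicCertData value.
    Accepts the DER file Export-Certificate writes or a Base64/PEM export."""
    m = PEM_BODY.search(cer.decode("ascii", errors="ignore"))
    if m:
        der = base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)
    else:
        der = cer
    if not der_is_complete(der):
        raise ValueError("not a complete DER-encoded certificate")
    return base64.b64encode(der).decode("ascii")

def thumbprint(cer: bytes) -> str:
    """SHA-1 of the DER bytes, upper-case hex: the same value PowerShell shows as
    $cert.Thumbprint, so the deployed root can be compared with the local one."""
    der = base64.b64decode(public_cert_data(cer))
    return hashlib.sha1(der).hexdigest().upper()

# Constructed stand-in for a certificate: a minimal DER SEQUENCE, not a real X.509 cert.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n").encode()

if __name__ == "__main__":
    print(public_cert_data(SAMPLE_DER), thumbprint(SAMPLE_PEM))
```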

  5. Deploy the Bicep Template Using Azure CLI

    • Deploy the Bicep template to create the VPN Gateway:

      az deployment group create --resource-group myResourceGroup --template-file vpnGateway.bicep
      
  6. Set Up Azure DevOps Pipeline

    • Create a New Pipeline: In Azure DevOps, create a new pipeline and connect it to your repository containing the Bicep template.

    • Define Pipeline YAML: Add a YAML file (azure-pipelines.yml) to automate the deployment:

      trigger:
        - main
      
      pool:
        vmImage: 'ubuntu-latest'
      
      steps:
        - task: AzureCLI@2
          inputs:
            azureSubscription: 'your-azure-subscription'
            scriptType: 'bash'
            scriptLocation: 'inlineScript'
            inlineScript: |
              az deployment group create --resource-group myResourceGroup --template-file vpnGateway.bicep
            addSpnToEnvironment: true
      
  7. Run the Pipeline

    • Commit the changes and run the pipeline to deploy the VPN Gateway automatically.

Conclusion

Deploying an Azure VPN Gateway with Point-To-Site configuration using Azure certificate authentication, Bicep, and Azure DevOps streamlines the process, ensuring a consistent and automated setup. This approach not only saves time but also reduces the potential for manual errors, providing a reliable and secure connection for remote clients.

Learn More

For more detailed information, refer to the following Microsoft Learn articles: