Azure VPN

Azure VPN allows you to connect your on-premise computers directly to Azure Virtual Machines as though they were part of your local network. This allows you to run a hybrid of cloud and on-premise systems and applications. For example, you could run an application on an Azure VM but keep the data on an on-premise server, in situations where data protection and security requirements prevent the data from being held in the cloud. This type of system can be implemented by setting up a Point-to-Site or Site-to-Site VPN.

Setting up a Point-to-Site VPN is fairly easy and is a good candidate for a proof of concept.

Setting up an Azure Point-to-Site VPN

There are 4 main steps involved in setting this up as follows:
a) Configure a virtual network
b) If required add virtual machines
c) Create certificates
d) Configure and install VPN client

Configure a virtual network

  • Select the Network option from the Azure portal main menu and follow the steps to provide a name for the network. Be sure to select the Custom Create option, where you will be able to provide your own settings.
  • Specifying a DNS server is optional and is mostly necessary when creating a Site-to-Site network, since the intention there is to connect the Azure virtual network to other non-Azure (perhaps on-premise) networks. Where no DNS server is specified, Azure will use its own DNS server for name resolution between VMs inside the Azure virtual network.
  • Make sure to select Point-to-Site connectivity by ticking the check box named "Configure point-to-site connectivity". Then specify the IP address range to be issued to the clients connecting to the VPN. This is specified by providing a starting IP address along with the CIDR prefix (shown as an address count). The CIDR prefix is a way to specify the subnet mask, which determines the usable address range. Make sure that this IP address range does not conflict with any local on-premise network.
  • The next step is to specify the IP address range to be used by the virtual network's virtual machines and other role instances. As above, you provide a starting IP address along with the CIDR prefix to indicate the usable address range. Again, take care that the specified range does not conflict with on-premise networks.
  • To complete the above step, you also have to specify a subnet, taken from the above address range, for the gateway (virtual router) on the virtual network. This is usually a very narrow address range of one or two addresses. It is also specified with a starting IP and a CIDR prefix.
  • Once the gateway subnet is specified, the virtual network gateway can be created by simply clicking the Create Gateway button at the bottom of the virtual network page on the Azure portal. This may take several minutes.
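As an added example (not part of the original post), the following Python script checks an address plan entered the way the steps above describe: each range is a starting IP plus a CIDR prefix length, and the script reports any overlap between the client pool, the virtual network space and the on-premise ranges, as well as a gateway subnet that is not carved out of the virtual network space. All addresses in it are constructed sample values.

```python
"""Sanity-check a Point-to-Site address plan before entering it in the portal.

Each range is given the way the portal asks for it: a starting IP plus a CIDR
prefix length. The checks mirror the warnings in the steps above: the client
pool, the virtual network space and any on-premise ranges must not overlap,
and the gateway subnet must be taken from the virtual network space.
All addresses below are constructed sample values, not from the original post.
"""
import ipaddress


def parse_range(start_ip, prefix_len):
    """Build a network from a starting IP and a prefix length.

    strict=True rejects a start address that is not on a CIDR boundary
    (for example 10.1.0.5/24), which is not a valid range to enter.
    """
    return ipaddress.ip_network(f"{start_ip}/{prefix_len}", strict=True)


def check_plan(client_pool, vnet_space, gateway_subnet, on_premise):
    """Return a list of human-readable problems; an empty list means the plan is clean."""
    problems = []
    # 1. Client pool versus virtual network space (both Azure-side ranges).
    if client_pool.overlaps(vnet_space):
        problems.append(f"client pool {client_pool} overlaps virtual network {vnet_space}")
    # 2. Neither Azure-side range may collide with a local on-premise network.
    for local in on_premise:
        for name, rng in (("client pool", client_pool), ("virtual network", vnet_space)):
            if rng.overlaps(local):
                problems.append(f"{name} {rng} conflicts with on-premise range {local}")
    # 3. The gateway subnet must be a subnet of the virtual network space.
    if not gateway_subnet.subnet_of(vnet_space):
        problems.append(f"gateway subnet {gateway_subnet} is not inside {vnet_space}")
    return problems


if __name__ == "__main__":
    # Constructed sample plan: the client pool re-uses the corporate 192.168.1.0/24,
    # which is exactly the kind of conflict the portal will not warn you about.
    plan = dict(
        client_pool=parse_range("192.168.1.0", 24),
        vnet_space=parse_range("10.1.0.0", 16),
        gateway_subnet=parse_range("10.1.255.0", 29),
        on_premise=[parse_range("192.168.1.0", 24), parse_range("172.16.0.0", 12)],
    )
    for problem in check_plan(**plan):
        print("WARNING:", problem)
```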

Add virtual machines or role instances

At this point the virtual network is created and available, so you can attach virtual machines to it and they will be issued IP addresses from the range specified above. However, no clients can connect to them yet. That is done in the following steps.

Create certificates

In order to connect clients to the virtual network's gateway and have them authenticated, we need digital certificates. We need one certificate to be installed on the virtual network, known as the root certificate, and one or more associated certificates to be installed on each client connecting to the network, known as client certificates. Certificates can be obtained/purchased from a certificate authority. Alternatively, for development and testing you can create your own by using the MakeCert tool.

Once the root certificate file (with the .cer extension) is created, store it in a safe place, because you will need this file to create the associated client certificate for each client machine that needs to connect to the virtual network. The root certificate file itself is then uploaded to the virtual network page on the Azure portal. This is a link to how to create certificates using MakeCert.

Configure and install VPN clients

After installing the client certificate on a client machine, you also have to install the VPN client package on it. This is done by simply downloading it from the virtual network page on the Azure portal. There are two versions, one for 32-bit and one for 64-bit; download and install the appropriate one. This has to be done on each client machine that is to be connected to the virtual network.

Once the VPN client package is installed, you will see it under the Connect to a network menu with the name you specified for the network at the beginning.

At this stage, if you have already set up any virtual machines or role instances, you should be able to add them to this virtual network, where they will be assigned IP addresses from the range you specified earlier. If you make a note of those addresses, you will be able to RDP to the machines using them, over what is entirely a private network.

You should now be able to connect (subject to user permissions and firewall rules) and use resources such as a shared folder on the VM from the on-premise client machine, and on the on-premise client from the VM, over this VPN.

Network Configuration Overview



  2. Since Windows Azure Gateway is using standard IPSec site-to-site tunneling you could theoretically use any device supporting the requirements.