Azure Networking – #10 – AAD VPN

I'm Dean Cefola and this is The Azure Academy. We all need some way to connect to the cloud, and sometimes that's over the internet or the Azure portal, sometimes that's through an ExpressRoute or site-to-site VPN, and sometimes that means a point-to-site VPN or client-based VPN. When you're using one of these kinds of solutions you might be currently using a third-party vendor's product, and you wish you could move into Azure but there's just not support for Azure AD integration or MFA support, or a way that you can make it more secure than what Azure has offered. Well, today your wishes have been granted, because at Ignite there were some great announcements and one of them involves how to secure your client-based VPNs, and we're going to talk about that today here at the Azure Academy. So if you haven't done so already please do click on our subscribe button and join us here in the Azure Academy community, where we all are just trying to learn all about Azure, and please give us some comments below if you have any questions on this video or anything else, as well as things that you'd like us to cover in the future. There are a lot of announcements from Ignite that we're trying to get through, so it'll be kind of first-come first-served, so put in your request and we'll make videos.

So let's jump right over to the Azure documentation. The documentation that we want to look at is under Products, and when you click Products you can see we've got kind of a new layout here, so looking at All Services right away. Then over on the left we can still navigate down to Networking, or you could just find what you're looking for in the list, which is going to be VPN Gateway, and there it is under Networking. When we open that up we've got a new layout here for the main documentation section, and what we want is under the how-to guides, and this is going to be for point-to-site connections. What we have enabled in the past was the ability to set up a RADIUS server that would allow you to integrate with Azure MFA so that you could do multi-factor authentication, but not exactly Azure AD authentication. Now we have Azure AD authentication without the need of a RADIUS server, which will let you use Azure's built-in MFA if that's something that you want to do. So the three docs that we're going to be spending our time on today are creating our tenant, multi-factor, and creating our VPN client.

In order for this to work we already need to have a virtual network and gateway stood up. If we go to the Azure portal, I've already got a resource group created for my VPN and I've already got a virtual network created. This virtual network needs to have a subnet called GatewaySubnet in order for you to be able to provision the gateway service. Now that we've got that already in place we'll click Add and then type in our search here "virtual network gateway", click on the search result and click the Create button. Walking through the build experience here we have to select our subscription, which probably is selected for you already, and we need to give our gateway a name; I'll just call mine VPNGateway1, and then a region; I'll be in East US. Our gateway type will be VPN because we're building a client-based VPN, and we need to select our VPN type; we do need a route-based VPN for this. Now as far as the SKUs go, we're gonna scroll down just a little bit here. The number of SKUs has increased from what we've had in the past: we used to only have 1, 2 and 3, now we've also got 4 and 5, and we also have another set of 1 through 5 with AZ, and this is if you want to deploy a gateway into availability zones. Now the benefit of availability zones is that they provide another layer of high availability and somewhat of a layer of disaster recovery at the Azure resource level. Specifically, all of our regions like East US have multiple data centers in them; there are some Azure regions that have multiple availability zones, and that's where we take segments of those data centers that are geographically located together within the region and then we link them as a zone. So your resource could end up in one of the four data centers that are in zone 1, or the data centers that are in zone 2 or zone 3, or however many zones that particular region has. So for this deployment I just need to get this up and running, so I don't need a very fast or high-performing gateway or one that allows a lot of connections like 3, 4 and 5 would, so I'm just gonna choose the availability zone Gateway 1 so that way I have at least some high availability protection for my resources.

Now we need to select the virtual network that we're going to use, and I've already got that here, it's VNet1, and it's pre-populated my gateway subnet address. And now we need a public IP address, which will be where all of our users will connect to, and I'll name it similar to my gateway just to keep the resources connected together. We'll scroll down a little bit more and now we have to select our availability zones. Because we have chosen a gateway that's in zones we have multiple options, and that's also because East US happens to have three zones; you may be in another region that only has two zones. So I can choose to pin this resource to zone 1, zone 2 or zone 3, and it would do all of its scale-up inside that zone alone, but I also have the option, which is what I'm going to choose, of zone redundant, and zone redundant means that it will be able to scale out across all three zones. OK, so it gives me some more high availability. Now another level of high availability is whether or not you want to have active-active. The gateway by default is active-passive in its deployment, so you get at least two appliances spun up in the background and they'll be in zone-redundant form, so one will be in zone 1 for example, the other one might be in zone 3; it just depends on the load that's in the zones at the time. But I can choose to make them both active, or all active if my scale requires it: the system would span into all three zones with multiple appliances, however much I need, and they would all be active, all accepting connections, and this becomes important if you have a high amount of users, say up to a thousand users, that you want to connect through this kind of service. But in my case I do not need active-active, so I'll leave this disabled. Another way to control traffic flow is through configuring your BGP, which is your Border Gateway Protocol. I am gonna leave that turned off at the moment because this is just a test for this video, but that is a good practice if you want to control your routing and traffic flow a little bit more. So I'll hit Next here and we'll provide a tag, and this will be for our cost center so we know who's paying for all of this, and then we'll hit our Review button, and our validation has passed, so we know that we should be able to build this resource no problem, and we'll hit Create.

So our gateway finished deploying in roughly 15 minutes. Let's go to our resources now and we can see that it is a route-based gateway with a SKU that's in an availability zone; we've got the network it's tied to, the public IP that it's tied to, and then we can look under the Configuration if we ever needed to change our SKU or change our active-active or enable BGP. Now in order to make it a point-to-site configuration we would normally go here and configure our point-to-site and all of that, but because we want to integrate this with Azure Active Directory and possibly MFA we've got some other things we've got to do first instead. In the docs, under the "configure a tenant" link, we need to first authorize our VPN over Azure Active Directory, so we're going to need our directory ID, and that is under the Properties of Azure Active Directory, and we could copy that out, which I've already done in the background. Then there is a link here that we have to run in order to be able to build our enterprise application that we'll be using to connect Azure AD with our VPN, and as you can see this is available in the public, government, German and China clouds, so this should basically be available for everyone everywhere. I'll open this in a new tab, and when we do we've got to sign in, and that needs a global administrator in order to do this step; if you do not have global admin access then you're going to need to find the person who does in your org. Then you can see more details of what this app is going to do here, and I'll just hit Accept. If we go to Azure Active Directory now and we go to Enterprise applications we can see the Azure VPN. Now the enterprise app experience has been updated recently so it looks a little bit different than you may have seen it in the past: we've got our name, application and object IDs here at the top and then a getting started section. One of the first things that I like to do with all my enterprise apps is assign an owner, and this is because it's the owner who's responsible for the app, and that way if there's ever a question of what's going on with it in the future you can always find out who the owners are and go back to them and say, you know, what's going on with this or that. Now under Users and groups we're also going to need to assign the users that we want to have access to our VPN, so we'll click Add user and then select some of our users, and then we'll hit Select and they will be given default access to the application, and they are now assigned. So now let's look at the Properties blade, and a few things that we just want to validate are turned on: that this is enabled for users to sign in, so that should be Yes, and also that user assignment is required; we want to say Yes to that and Save.

So if you're going to use multi-factor auth, what we do need to do here is verify that you have the right licenses or that you have security defaults enabled. MFA has in the past been a licensable feature, so if you did not have a P1 or P2 license or an Office 365 Azure AD license you did not have multi-factor auth; however, we made it a free feature if you turn on security defaults. So in the blade we're gonna go to Properties and then at the bottom Manage security defaults, and then we're gonna switch that to Yes and we'll hit Save. I'll go back to my main Azure AD screen and go to my users, and I'll click on the multi-factor auth, and now under the multi-factor it's the additional verification, "how should we contact you", and this can be done through a mobile app. With the security defaults, the free version, we don't have a whole lot of options to enable MFA, so you've just got to go with that; if you want more options then you do need to go to the premium feature SKU. So I'll receive notifications for my verification and I'll push Set up. I need to now use my phone in order to be able to scan this QR code, so let me turn on my phone here and I'll start my Microsoft Authenticator app, and then we'll add a new authenticator for a work account, and so I'll log in, and there you can see MFA has now been set up in my Authenticator. So we can hit Next and now we've got to enter our verification code from the mobile app, and then we'll click Verify. Now validation has been successful, and if you want to learn more about how to do MFA there is a video link up here that you can go watch as well. We'll hit Done; now MFA has been set up, so now I can proceed with using MFA with my Azure AD login for my VPN.

But first we have to configure the VPN gateway to accept such a login. We'll go back to our Azure docs, and underneath the "enable Azure AD authentication on VPN gateway" step we've got some code blocks here, and we need to edit some details in this code. I've already done this in my Notepad: the first thing we need to do is specify the VPN gateway's name and resource group, which I've done as VPNGateway1 and VPN, and then we also need to add our Azure AD tenant information. For that, in this last line of the code we see that we have to take this login URL and add our directory tenant ID; further up in the doc it tells us where to find that, in the Properties blade of the Azure AD portal, and there's your directory ID that you can copy and then put into your Notepad. Then we have to enter that same thing again at the end of the line as well, for our Azure AD issuer URI. So I've completed those steps and now I can execute this code in PowerShell, or I can click on the Try It button, which is going to open up a Cloud Shell for us. I'll hit Sign in and then I'll log in with my account and it'll start up my Cloud Shell, and if you don't have one already it'll prompt you to create a Cloud Shell, which is really just an Azure storage account. Inside our Cloud Shell here we're gonna paste that command with the edits that we've made, so we'll right-click and paste. Now that we've completed that we can see under our VPN client configuration section that we're using the OpenVPN protocol, and we also have our Azure AD tenant's ID listed here as well as the issuer ID, which should match our tenant ID, and then we have the Azure AD audience parameter, which relates to the Azure VPN app ID. So now that all of that is complete we need to run another command, and that is the next one here where we're going to get the VPN client configuration. We need to change this code to provide the name of our gateway and resource group, and then we can leave the rest of this code alone, and this second line is going to give us the URL from which we can download the package. We'll run that code and there is our URL to download the code, and it is a zipped file, so we can just click on that link and there is our configuration.

So let's open that up. I've saved that into a folder here for Azure AD VPN, and inside there is our zip file, and you just want to make sure that you unblock it, otherwise you'll have files that are individually blocked. Then we'll extract it to this location and we get two folders: in this Generic folder is a root cert and a VPN settings XML file, and the one that we're interested in is in the AzureVPN folder, and this is our VPN client configuration. Now what we need to do is download the VPN agent in order to make use of this file. For that, back in our documentation we can scroll down here to the next step, which is "configure a VPN client"; that'll take us to the third doc in the link, from which we can then click this download link, which will take us out to the Microsoft Store so that we can download the VPN client. We'll click on Get here, and then this is redirecting us to the Store apps, so that's OK to allow, and then we need to click the Install button, and you might need to provide credentials, and it just takes a second to download and install. Now that it's installed we can hit the Launch button here, or it's also listed under your Start menu as Azure VPN Client. I'll hit Launch. Before we import our connection I want to show you where the steps are in the docs: right where we found that download link in this "configure a VPN client", this is talking about how to walk through this in different ways, and the section that we want is importing our client, and the important thing when you import that VPN config file is that we end up with authentication type Azure Active Directory. All right, so let's take a look at how that goes. We'll hit our plus button and do an Import, and we'll navigate to our Azure AD VPN and open the client folder and AzureVPN, click on our client XML and hit Open. Now we can rename this connection if we want to; the VPN server that's here we don't need to touch, as well as the root cert or secret, those have all been provided from the XML; we have Azure Active Directory for authentication type, and then we can see that our tenant information, application ID for the Azure AD VPN, and issuer are all in here correct, and we can hit Save, and we are ready to attempt a connection. We'll hit the Connect button, and since I have multiple profiles on my system I'll choose the one that I want to connect with and hit Continue, and we see that we are already connected, and we can see that in the log at the bottom as well, and we see we've got the IP address of 172.18.10.2, and we can verify that in our command prompt by doing ipconfig, and there is our IP address for our VPN connection.

So I hope that you've enjoyed looking at how to set up point-to-site connections, finally being able to leverage Azure Active Directory authentication, even with multi-factor authentication if that is a requirement for you, and this should be able to help folks move away from third-party providers and appliances, which can be quite expensive, in order to move to a native cloud solution that can meet those same requirements. If you thought that this video was good please do click on that thumbs up icon, that lets the YouTube algorithm know that you liked our content and it should be shared with others, and while you're down there please click on that subscribe button and join us here at the Azure Academy community, and if you are interested in getting an email when our videos come out, which is roughly once a week, you can click on that notification bell, and please do leave us a comment down below on any questions that you have or feedback, or maybe even a feature that you'd like to see added to our VPN SKUs, and then we can all make Azure better. So thanks very much for joining us today and we'll see you next time. Happy learning!
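The two PowerShell steps the video walks through (enabling Azure AD authentication on the gateway, then generating the client profile package), written out as an added example that is not the video's or the Microsoft docs' own code; the gateway name and resource group are the ones used in the video, while the tenant ID, Azure VPN application ID, client address pool and the `sts.windows.net` issuer format are placeholders and assumptions you must replace with your own values. It also adds a read-back check so a mistyped tenant ID is caught before any client tries to authenticate.

```powershell
# Added example: enable Azure AD (OpenVPN) authentication on an existing route-based
# VPN gateway, verify what the gateway recorded, then fetch the client profile URL.
$rg         = "VPN"                          # resource group used in the video
$gwName     = "VPNGateway1"                  # gateway name used in the video
$tenantId   = "<your-directory-tenant-id>"   # placeholder: Azure AD > Properties > Directory ID
$clientPool = "172.18.10.0/24"               # constructed example pool; must not overlap the VNet
# Placeholder for the Application ID of the "Azure VPN" enterprise app (the token audience);
# copy it from Azure AD > Enterprise applications > Azure VPN.
$vpnAppId   = "<azure-vpn-application-id>"

$gw = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg

# Step 1: switch the point-to-site config to OpenVPN with AAD authentication.
# The tenant URI and the issuer URI both carry the same tenant ID; the issuer keeps
# its trailing slash (assumed format, as in the docs the video follows).
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw `
    -VpnClientAddressPool   $clientPool `
    -VpnClientProtocol      OpenVPN `
    -VpnAuthenticationType  AAD `
    -AadTenantUri           "https://login.microsoftonline.com/$tenantId" `
    -AadAudience            $vpnAppId `
    -AadIssuerUri           "https://sts.windows.net/$tenantId/"

# Check: read the gateway back and confirm the protocol and AAD settings landed.
$cfg = (Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg).VpnClientConfiguration
$cfg | Select-Object VpnClientProtocols, AadTenant, AadAudience, AadIssuer
if ($cfg.AadTenant -ne "https://login.microsoftonline.com/$tenantId") {
    throw "Gateway AAD tenant URI does not match the tenant ID you entered; fix it before handing out profiles."
}
if ($cfg.AadIssuer -notlike "*$tenantId*") {
    throw "Gateway AAD issuer URI does not reference your tenant ID."
}

# Step 2: generate the client profile package and print the download URL (the zip
# the video unblocks and extracts; the AzureVPN folder holds the XML to import).
$clientProfile = New-AzVpnClientConfiguration -ResourceGroupName $rg -Name $gwName -AuthenticationMethod "EapTls"
$clientProfile.VPNProfileSASUrl
```

Run this in Cloud Shell or a local session with the Az.Network module after `Connect-AzAccount`; the audience value must be the Azure VPN enterprise app's Application ID, which is also what the imported client XML shows under "application ID".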