How to Set Up a VPN Tunnel to Microsoft Azure


Microsoft Azure offers different variations of the SQL databases that can be deployed based on the workload and complexity requirements as follows:

  • Azure SQL Databases – This is a fully managed SQL database engine created using the latest version of Enterprise Edition of SQL Server.  It is essentially a DBaaS (Database-as-a-Service) and can be deployed as a single database, elastic pool or database server.  A single database is similar to a database that can be created in a SQL Server instance.  Elastic Pool is a collection of databases that allows the flexibility of managing the performance characteristics of each database within the pool.  The database server option allows the management of groups of single databases and elastic pools.
  • Azure SQL Managed Instances – This is a full-fledged SQL instance, similar to a SQL instance running on a Windows server but without access to the underlying operating system.  The managed instance is co-hosted, meaning there could be multiple managed instances running on the same underlying hardware.  The main advantage of the managed instance is that there is no underlying operating system to worry about.  It comes with full SQL Server access and feature compatibility, which matters when there is a need to migrate an on-premises SQL Server to Azure SQL.
  • Azure SQL Virtual Machines – This is similar to deploying an on-premises SQL Server in a virtual machine or on a physical server running Microsoft Windows or Linux (SQL Server 2017 supports Linux).  Azure SQL Virtual Machine falls into the category of IaaS (Infrastructure-as-a-Service).  This option also offers full administrative control over the SQL Server instance and the underlying operating system.

Regardless of the type of your Azure SQL deployment, you may need to access the database either from within Azure or from applications that are external to Azure.  If the Azure SQL databases must be reachable from external networks, there are two ways of setting up the connectivity while keeping the databases from being openly exposed on the internet.

  • Public End-Point – A public end-point can be defined for each Azure SQL database so that external applications can reach the database within Azure.  This option requires white-listing the IP addresses of the external network that needs database access.
  • Virtual Private Network (VPN) – The second option is to set up a VPN connection from the external network or application into the Azure virtual network hosting the Azure SQL database.  This option does not require defining a public end-point for the Azure SQL database.  The VPN connection can be either point-to-site or site-to-site.  A point-to-site VPN connection is specific to a single server or desktop that is external to Azure, while a site-to-site VPN connection joins an entire network to Azure.  In the case of site-to-site VPN, one or more applications running within the external network can seamlessly access the Azure SQL databases.  In the case of point-to-site, access to the Azure SQL database is restricted to the specific server or desktop initiating the VPN connection to Azure.

This blog post will walk you through the steps of setting up a point-to-site VPN connection from a Windows server running StealthAUDIT so that you can discover and monitor all your Azure SQL databases.

Step 1) The first step is to create and export a self-signed root certificate.  You can use a computer running Windows 10 or Windows Server 2016 to run the PowerShell commands below.  Note that if you have the Windows 10 SDK installed, you can also use the makecert utility to create a self-signed certificate.  A root certificate called AzureRootCert is created in "Certificates - Current User\Personal\Certificates" and can be viewed using the Certificate Manager tool (certmgr.exe) as shown below.

# Self-signed root: the private key stays on this machine, only the public part is uploaded to Azure.
# -KeyUsage CertSign lets this certificate sign the client certificate created in Step 2.
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
-Subject "CN=AzureRootCert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign
Create and export a self-signed root certificate

Step 2) Create a client certificate using the PowerShell commands below.  The commands generate a certificate that is valid for 6 years from the date of creation; adjust the validity based on your requirements.  A client certificate called AzureChildCert is created in "Certificates - Current User\Personal\Certificates" and can be viewed using the Certificate Manager tool (certmgr.exe) as shown below.

# Client certificate signed by the root from Step 1 ($cert must still be in scope).
# The TextExtension sets Enhanced Key Usage 2.5.29.37 to Client Authentication (1.3.6.1.5.5.7.3.2),
# which the Azure VPN gateway requires on the client certificate.
New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
-Subject "CN=AzureChildCert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" `
-NotAfter (Get-Date).AddYears(6) `
-Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
AzureChildCert Certificate

Step 3) Export the public key portion of the root certificate created in Step 1 as follows.

Export the public key portion of the root certificate

Step 4) In the Certificate Export Wizard click Next to continue.

Certificate Export Wizard

Step 5) In the Export Private Key screen, keep the default option "No, do not export the private key" and click Next.

No, do not export the private key

Step 6) In the Export File Format screen, choose the "Base-64 encoded X.509 (.CER)" option and click Next.

Base-64 encoded X.509 (.CER)

Step 7) In the File to Export screen, browse to the location where you would like to save the certificate, give it a name and click Next.

Certificate name

Step 8) In the next screen click "Finish" to export the certificate.  The information from this file will be required in the subsequent steps for the Azure VPN configuration.

Completing the Certificate Export Wizard

Step 9) Next, export the client certificate.  This step is required if you need to set up a VPN connection to Azure from servers other than the one that was used to create the certificates.

Export the client certificate

Step 10) Click Next in the Certificate Export Wizard.

Certificate Export Wizard2

Step 11) In the Export Private Key screen, choose to export the private key as shown.

Export Private Key2

Step 12) Choose the default options in the Export File Format screen.

Default export option

Step 13) Since the client certificate (with its private key) is what authenticates you to the Azure VPN, protect the exported file with a strong password and treat the .pfx file like a credential: store it only where it is needed and delete copies once imported.  A password is mandatory in any case, as the Certificate Export Wizard will not let you save the certificate without specifying one.

Create password

Step 14) Provide a file name in the File to Export wizard screen and click Next.

File to Export

Step 15) Verify the export settings and click on Finish to export the certificate.

Finish to export the certificate

Step 16) Next, log on to the Azure portal and look for a Virtual Network Gateway resource.  If one does not exist, go ahead and create one; refer to the Azure documentation for the steps.  For the purposes of this blog post, I will be using a Virtual Network Gateway called Gateway-pkjuebl4yqscro.

Gateway-pkjuebl4yqscro

Step 17) Once you have located an existing Virtual Network Gateway resource or created a new one, click on the resource name hyperlink to get the configuration screen as shown, and then click on the Point-to-site configuration link.

Point-to-site configuration

Step 18) Next, locate the root certificate that you exported in Step 7 and open it in a text editor of your choice; the contents of the certificate will look as follows.  I am purposely showing the entire contents of the certificate, as I have no intention of leaving it permanently in Azure.  I created it only for the purpose of writing this blog post.

Root certificate

Step 19) In the same text editor, taking care not to delete any characters of the certificate data, remove the line breaks, as Azure expects the entire certificate data to be on a single line, and copy the certificate data to the clipboard.

Certificate data on clipboard
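The wizard-driven exports in Steps 3 through 15 and the manual single-line conversion in Steps 18 and 19 can be done from PowerShell as well. The function below is an added example and is not part of the original post or of StealthAUDIT; it assumes the subject names used in Steps 1 and 2 and uses a constructed output folder (C:\AzureVpn) and constructed file names. It exports only the public part of the root certificate, produces the one-line Base64 string that the Azure portal expects, verifies that the string decodes back to the same certificate, and exports the client certificate with its private key into a password-protected PFX.

```powershell
# Added example (not from the original post): Steps 3-15 and 18-19 without the
# Certificate Export Wizard. Assumes the subjects from Steps 1 and 2; the output
# folder and file names are constructed for this example.
function Export-AzureP2SCertificates {
    param(
        [string]$OutDir        = 'C:\AzureVpn',
        [string]$RootSubject   = 'CN=AzureRootCert',
        [string]$ClientSubject = 'CN=AzureChildCert',
        [Parameter(Mandatory)][securestring]$PfxPassword
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    $store  = Get-ChildItem Cert:\CurrentUser\My
    $root   = $store | Where-Object { $_.Subject -eq $RootSubject }   | Select-Object -First 1
    $client = $store | Where-Object { $_.Subject -eq $ClientSubject } | Select-Object -First 1
    if (-not $root -or -not $client) {
        throw "Run Steps 1 and 2 first: $RootSubject or $ClientSubject not found in Cert:\CurrentUser\My"
    }

    # Steps 3-8: public part of the root only; the root's private key never leaves this machine.
    $cerPath = Join-Path $OutDir 'AzureRootCert.cer'
    Export-Certificate -Cert $root -FilePath $cerPath -Type CERT | Out-Null

    # Steps 18-19: Azure wants the Base64 body on one line, without the BEGIN/END
    # markers or the line breaks that a Base-64 encoded .cer file carries.
    $publicData = [Convert]::ToBase64String($root.RawData)
    Set-Content -Path (Join-Path $OutDir 'AzureRootCert.base64.txt') -Value $publicData -NoNewline
    Set-Clipboard -Value $publicData   # same result as the copy in Step 19

    # Round-trip check: decoding the string must give back the same certificate.
    $bytes    = [Convert]::FromBase64String($publicData)
    $reparsed = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
    if ($reparsed.Thumbprint -ne $root.Thumbprint) { throw 'Base64 round-trip mismatch' }

    # Steps 9-15: client certificate WITH its private key in a password-protected PFX.
    # BuildChain bundles the root so the chain is complete on the importing server.
    $pfxPath = Join-Path $OutDir 'AzureChildCert.pfx'
    Export-PfxCertificate -Cert $client -FilePath $pfxPath -Password $PfxPassword -ChainOption BuildChain | Out-Null

    [pscustomobject]@{
        RootCer        = $cerPath
        RootThumbprint = $root.Thumbprint
        PublicData     = $publicData   # paste into "Public certificate data" in Step 20
        ClientPfx      = $pfxPath
    }
}

# Usage: prompt for the PFX password (Step 13), then export everything.
Export-AzureP2SCertificates -PfxPassword (Read-Host -Prompt 'PFX password' -AsSecureString)
```

On a second server, the PFX is imported into the same store the blog post uses with Import-PfxCertificate -FilePath C:\AzureVpn\AzureChildCert.pfx -CertStoreLocation Cert:\CurrentUser\My -Password (Read-Host -AsSecureString); the .base64.txt file holds exactly the string to paste in Step 20.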

Step 20) Now head back to the virtual network gateway Point-to-site configuration screen in the Azure portal.  In the Root Certificate section of the page, provide a name for the certificate and paste the certificate contents from Step 19 into the Public certificate data field.  Make sure that the Tunnel Type is set to IKEv2 and SSTP (SSL) and that the Authentication Type is set to Azure certificate.  Make sure you click on the Save link to save the settings.

Root Certificate

Step 21) At this point if you follow the Azure documentation, it asks you to download the VPN client using the link in the Virtual Network Gateway Point-to-site configuration screen. 

Download VPN Client

The problem with following the Azure documentation to set up the VPN connection is that I never got it to work no matter what I tried.  Finally, I got it to work by following the steps below to create the VPN connection.  The fact that I could not find all the documentation in one place, and that even after I found all of it I was never able to get it to work, was the reason I decided to blog about it.

Step 22) When you download the VPN client from Azure, you get a zip file containing three directories.  Two directories hold the VPN client software setup files for the 32-bit and 64-bit platforms.  The third directory, called Generic, contains the VPN setup information files.

WindowsAmd64

Assuming you are using a 64-bit Windows operating system, navigate to the WindowsAmd64 directory and execute the VPN client package, which will create a VPN connection called vnet-fvmisql.  The name could be different in your case, but it will follow the pattern vnet-xxxxxxxxx.

vnet-fvmisql

You can select the newly created VPN connection profile and click Connect.  I sincerely hope it works for you, and if it does, great: you are done.  The problem is that it might not work, and you might get the error "Error 798 – A certificate could not be found that can be used with this Extensible Authentication Protocol".  If you do, please continue with Step 23 to set up a working VPN connection manually.

Error 798 – A certificate could not be found that can be used with this Extensible Authentication Protocol
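Error 798 means the EAP-TLS client could not find a usable certificate, so the first thing worth checking is the certificate itself rather than the VPN profile. The function below is an added diagnostic, not code from the original post or from the Azure client package; it assumes the subject names from Steps 1 and 2 and inspects the Current User\Personal store for the conditions the gateway relies on: the client certificate is present, carries its private key, has the Client Authentication EKU set in Step 2, was issued by the root uploaded in Step 20, and has not expired.

```powershell
# Added example (not from the original post): check the client-side certificate
# prerequisites behind Error 798. Assumes the subjects from Steps 1 and 2.
function Test-AzureP2SClientCert {
    param(
        [string]$ClientSubject = 'CN=AzureChildCert',
        [string]$RootSubject   = 'CN=AzureRootCert'
    )
    $clientAuthOid = '1.3.6.1.5.5.7.3.2'   # EKU written by -TextExtension in Step 2
    $store  = Get-ChildItem Cert:\CurrentUser\My
    $client = $store | Where-Object { $_.Subject -eq $ClientSubject } | Select-Object -First 1

    $checks = [ordered]@{
        ClientCertPresent = [bool]$client
        HasPrivateKey     = $false
        ClientAuthEku     = $false
        IssuedByRoot      = $false
        NotExpired        = $false
    }
    if ($client) {
        # A .cer import (Steps 3-8) has no private key; only the .pfx from Step 13 does.
        $checks.HasPrivateKey = $client.HasPrivateKey
        $checks.ClientAuthEku = [bool]($client.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
        $checks.IssuedByRoot  = ($client.Issuer -eq $RootSubject)
        $checks.NotExpired    = ($client.NotAfter -gt (Get-Date))
    }

    $failed = @($checks.Keys | Where-Object { -not $checks[$_] })
    $result = [ordered]@{}
    foreach ($k in $checks.Keys) { $result[$k] = $checks[$k] }
    $result.RootInUserStore = [bool]($store | Where-Object { $_.Subject -eq $RootSubject })  # informational
    $result.Thumbprint      = if ($client) { $client.Thumbprint } else { $null }
    $result.Ready           = ($failed.Count -eq 0)
    $result.FailedChecks    = ($failed -join ', ')
    [pscustomobject]$result
}

# Usage: run as the user who will dial the VPN, since Cert:\CurrentUser is per user.
Test-AzureP2SClientCert | Format-List
```

If Ready is False, FailedChecks names the missing condition: HasPrivateKey false on a second server means the .pfx from Step 13 was not imported (or only the .cer was), and ClientAuthEku false means the certificate was created without the TextExtension from Step 2 and must be regenerated and re-signed by the root.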

Step 23) If you are planning to set up the VPN connection on a computer other than the one where you have been following the steps in this blog post, you need to import the client certificate that was exported in Step 13 before proceeding.  Open the Network and Sharing Center and click on "Set up a new connection or network".

Set up a new connection or network

Step 24) In the Choose a connection option screen, choose Connect to a workplace link and click on Next.

Connect to a workplace

Step 25) In the “Do you want to use a connection that you already have?” screen choose the “No, create a new connection” option and click Next.

Create a new connection

Step 26) In the "How do you want to connect?" screen, click on the "Use my Internet connection (VPN)" option.

Use my Internet connection (VPN)

Step 27) If you downloaded the VPN client package from Azure as shown in Step 21, extract the contents, navigate to the Generic folder and open the VpnSettings file to get the public name of the Azure VPN Gateway.  You will need it in the next step.

VpnSettings

Step 28) In the "Type the Internet address to connect to" screen, enter the Azure VPN server name obtained in Step 27, give the connection a destination name of your choice and click Create.  Remember to leave all other options at their defaults.

Type the Internet address to connect to

Step 29) Navigate back to the Network and Sharing Center and click on the Change adapter settings link.  You should see the VPN connection that was just set up; in my case I called it MyNewAzureVPN.  Right-click the connection and choose Properties.

MyNewAzureVPN Properties

Step 30) In the VPN connection properties screen, click on the Security tab.  For Data encryption choose the "Require encryption (disconnect if server declines)" option as shown, and for Authentication choose the "Microsoft: Smart Card or other certificate (encryption enabled)" option from the drop-down list.

Microsoft Smart Card or other certificate (encryption enabled)

Step 31) Next, click the Properties button in the Authentication section, choose the "Use a certificate on this computer" option and click OK.

Use a certificate on this computer

Step 32) Now click the Networking tab and choose the “Internet Protocol Version 4 (TCP/IPv4)” option and click the Properties button.

Internet Protocol Version 4 (TCP/IPv4)

Step 33) In the Internet Protocol Version 4 (TCP/IPv4) Properties screen click the Advanced button.

Internet Protocol Version 4 (TCP/IPv4) Properties

Step 34) In the Advanced TCP/IP Settings screen, uncheck the "Use default gateway on remote network" check-box and click OK.  This enables split tunneling: only traffic destined for the Azure virtual network address space goes through the VPN, while the server's normal internet route is left unchanged.

Advanced TCP/IP Settings

Step 35) In the task-bar click on the network icon and choose the Azure VPN connection profile that you just created and click on Connect.

Azure VPN connection
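Once the manual profile from Steps 23 through 34 works on one server, the same settings can be reproduced on further StealthAUDIT servers with the built-in VpnClient cmdlets instead of repeating the wizard. The script below is an added example, not part of the original post or of the Azure client package. It assumes the wizard-built connection is named MyNewAzureVPN (Step 29), that the client PFX from Step 13 has already been imported into Cert:\CurrentUser\My on the new server, that the package from Step 21 was extracted under the constructed path C:\AzureVpn, and that VpnSettings.xml in the Generic folder carries the gateway's public name in a VpnProfile/VpnServer element (an assumption about that file's layout; open it as in Step 27 to confirm). Rather than hand-writing the EAP-TLS configuration that Steps 30 and 31 select, it captures that XML from the working connection and reuses it.

```powershell
# Added example (not from the original post): recreate the Step 23-34 profile with
# Add-VpnConnection. Paths, the connection name and the VpnSettings.xml element
# names are assumptions for this example.

# --- On the server where the wizard-built profile already connects: capture the
#     EAP-TLS settings chosen in Steps 30-31 ("Microsoft: Smart Card or other
#     certificate", "Use a certificate on this computer").
$eapXml = (Get-VpnConnection -Name 'MyNewAzureVPN').EapConfigXmlStream
$eapXml.Save('C:\AzureVpn\AzureEap.xml')

# --- On the new server (client PFX from Step 13 already imported into Cert:\CurrentUser\My):
[xml]$eap = Get-Content -Path 'C:\AzureVpn\AzureEap.xml' -Raw

# Gateway public name from the downloaded package (Step 27) instead of retyping it.
[xml]$settings = Get-Content -Path 'C:\AzureVpn\Generic\VpnSettings.xml' -Raw
$server = $settings.VpnProfile.VpnServer
if (-not $server) { throw 'VpnServer not found in VpnSettings.xml; copy the name from Step 27' }

$profile = @{
    Name                 = 'MyNewAzureVPN'
    ServerAddress        = $server
    TunnelType           = 'Ikev2'      # Step 20: gateway tunnel type includes IKEv2
    AuthenticationMethod = 'Eap'        # Step 30: certificate-based EAP-TLS
    EapConfigXmlStream   = $eap         # Step 31: use a certificate on this computer
    EncryptionLevel      = 'Required'   # Step 30: disconnect if the server declines encryption
    SplitTunneling       = $true        # Step 34: do not use the remote default gateway
    RememberCredential   = $true
    Force                = $true
}
Add-VpnConnection @profile

# Step 35 from the command line; the taskbar network icon works just as well.
rasdial 'MyNewAzureVPN'

# Confirm the settings that Error 798 and split-tunneling mistakes usually come from.
Get-VpnConnection -Name 'MyNewAzureVPN' |
    Select-Object Name, ServerAddress, TunnelType, AuthenticationMethod, EncryptionLevel, SplitTunneling, ConnectionStatus
```

Because Add-VpnConnection without -AllUserConnection creates a per-user profile, run it, and rasdial, as the Windows account that runs the StealthAUDIT job, since that account's Cert:\CurrentUser\My store is where the client certificate must live.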

Step 36) If everything worked the way it is supposed to, you should be connected to the Azure VPN gateway.  Now you can start interacting with the Azure SQL databases using their private end-points.  If you set this up on an on-premises server running StealthAUDIT, you should be able to run the StealthAUDIT for Azure SQL job and start auditing your Azure SQL environment.

MyNewAzureVPN

StealthAUDIT for Azure SQL can monitor database user activity in addition to enumerating and reporting on user permissions, database configuration and vulnerability assessment, and it can help you discover and report on sensitive data stored in your Azure SQL database.  StealthAUDIT SQL activity monitoring can audit individual actions, such as the type of SQL statement executed, or combinations of data that can include the database username, application, execution time, etc.

To learn more about how STEALTHbits can help with auditing your Azure SQL databases, visit our website: https://www.stealthbits.com/stealthaudit-for-sql-product

2 thoughts on "How to Set Up a VPN Tunnel to Microsoft Azure"

  1. Excellent contribution. I have a question: does it work for Azure SQL Database PaaS? I recently configured a VPN but I can't see the IP of the DB PaaS inside Azure.

    1. Hi Cesar, there are a couple of things that need to be set up once you create the Azure SQL database. This applies to all types of Azure SQL databases (stand-alone, managed instances). Once the instance is created, you need to add the instance to an Azure virtual private network which has the right ports opened up. In addition, make sure that the instance logon security is set up to meet your needs. Let me know if it worked for you.
