Ante Miličević
December 6, 2023

Setup P2S Azure VPN with the integration of Azure AD SSO

Delve into a simple guide on integrating Azure AD Single Sign-On (SSO) with P2S Azure VPN. Enhance secure access and streamline user authentication with this straightforward setup.

In this tutorial, we will set up a P2S Azure VPN connection within our VNet. We will deploy an Azure Virtual network gateway and assume you already have a VNet created. If you don’t have a virtual network deployed, you can follow this documentation to create one: https://learn.microsoft.com/en-us/azure/virtual-network/quick-create-portal

These are steps that are going to be covered in this tutorial for successfully deploying P2S Azure VPN with the integration of Azure AD SSO:

  • Deploy Virtual network gateway
  • Configure Virtual network gateway
  • Test everything

Deploy Virtual network gateway

Search for Virtual network gateways and click “Create”

For the “SKU” option, you need to choose one of the following, otherwise your VPN won’t work: “VpnGw1”, “VpnGw2”, “VpnGw3”, “VpnGw4” or “VpnGw5”. Populate the other variables according to your preferences; the remaining settings can be left at their defaults.

Disclaimer: it takes around 45 minutes for the Virtual network gateway to be deployed.

Configure Virtual network gateway

Once your Virtual network gateway is deployed, you need to configure it in order to have a properly working Azure AD SSO within your VNet. This has two important parts:

  1. Authorize the Azure VPN application
  2. Configure Point-to-site configuration

1. Authorize the Azure VPN application

  1. Sign in to the Azure portal as a user that is assigned the Global administrator role.
  2. Next, grant admin consent for your organization. This allows the Azure VPN application to sign in and read user profiles. Copy and paste the URL that pertains to your deployment location in the address bar of your browser:
    Public (You will probably use this)
    
      https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent
      
    Azure Government
    
      https://login.microsoftonline.us/common/oauth2/authorize?client_id=51bb15d4-3a4f-4ebf-9dca-40096fe32426&response_type=code&redirect_uri=https://portal.azure.us&nonce=1234&prompt=admin_consent
      
    Microsoft Cloud Germany
    
      https://login-us.microsoftonline.de/common/oauth2/authorize?client_id=538ee9e6-310a-468d-afef-ea97365856a9&response_type=code&redirect_uri=https://portal.microsoftazure.de&nonce=1234&prompt=admin_consent
      
    Azure China 21Vianet
    
      https://login.chinacloudapi.cn/common/oauth2/authorize?client_id=49f817b6-84ae-4cc0-928c-73f27289b3aa&response_type=code&redirect_uri=https://portal.azure.cn&nonce=1234&prompt=admin_consent
      
  3. Select the account that has the Global administrator role if prompted.
  4. On the Permissions requested page, select Accept.
  5. Go to Azure Active Directory. In the left pane, click Enterprise Applications. You'll see Azure VPN listed.

2. Configure Point-to-site configuration

Go to your Virtual network gateway resource and click “Point-to-site configuration”

Settings that you need:
  • Address pool - The address pool is the range of private IP addresses assigned to client computers connecting to the VPN. It's crucial to select a range that doesn't overlap with the existing subnets in your private network. Assuming you've created a VNet without modifying the default subnet configuration, your VNet likely falls within the 10.x.x.x range. In this scenario, you can safely use the address pool 172.16.254.0/24 as given here.
  • Tunnel type - OpenVPN (SSL)
  • Authentication type - Azure Active Directory
  • Tenant - you can follow this link to find your Tenant: https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-to-find-tenant
    • Azure Public: 41b23e61-6c1e-4545-b367-cd054e0ed4b4 - you will probably use this
    • Azure Government: 51bb15d4-3a4f-4ebf-9dca-40096fe32426
    • Azure Germany: 538ee9e6-310a-468d-afef-ea97365856a9
    • Azure China 21Vianet: 49f817b6-84ae-4cc0-928c-73f27289b3aa
  • Audience
    • Azure Public AD: https://login.microsoftonline.com/{AzureAD TenantID} - you will probably use this
    • Azure Government AD: https://login.microsoftonline.us/{AzureAD TenantID}
    • Azure Germany AD: https://login-us.microsoftonline.de/{AzureAD TenantID}
    • China 21Vianet AD: https://login.chinacloudapi.cn/{AzureAD TenantID}
  • Issuer
    • https://sts.windows.net/{AzureAD TenantID}/
    • Make sure it ends with “/”, otherwise it won’t work

After successfully populating variables, click “Save”. Keep in mind this process will take around 15 minutes.
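Before clicking “Save” (and waiting the 15 minutes), it is worth checking the values against the constraints this section spells out: the gateway SKU must be one of the VpnGw SKUs, the client address pool must not overlap any VNet prefix, and the Issuer must end with “/”. The following pre-flight checker is an added example written for this article, not code from the original page or from Microsoft; the VNet prefixes, tenant ID and configuration dictionaries in it are constructed sample values, and the all-zero tenant ID is a placeholder.

```python
"""Pre-flight checks for a P2S (OpenVPN + Azure AD) gateway configuration.

Added example for this article, not part of the original page. It validates
the values you are about to enter in the portal: the gateway SKU, the client
address pool against the VNet's existing prefixes, the tunnel and
authentication types, and the Issuer's trailing slash.
"""
import ipaddress
import re

# SKUs the article lists as required for an Azure AD P2S gateway; anything
# else (e.g. Basic) will not work for this scenario.
SUPPORTED_SKUS = ("VpnGw1", "VpnGw2", "VpnGw3", "VpnGw4", "VpnGw5")

# A tenant ID is a GUID; used to sanity-check the value pasted into the Issuer.
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def check_sku(sku: str) -> list[str]:
    """Return a problem description if the SKU is not one of the VpnGw SKUs."""
    if sku not in SUPPORTED_SKUS:
        return [f"SKU {sku!r} is not supported; use one of {', '.join(SUPPORTED_SKUS)}"]
    return []


def check_address_pool(pool: str, vnet_prefixes: list[str]) -> list[str]:
    """The pool must be a valid CIDR and must not overlap any VNet prefix."""
    try:
        pool_net = ipaddress.ip_network(pool, strict=True)
    except ValueError as exc:
        return [f"address pool {pool!r} is not a valid CIDR: {exc}"]
    problems = []
    for prefix in vnet_prefixes:
        if pool_net.overlaps(ipaddress.ip_network(prefix, strict=False)):
            problems.append(f"address pool {pool} overlaps VNet prefix {prefix}")
    return problems


def check_issuer(issuer: str, tenant_id: str) -> list[str]:
    """Issuer must be https://sts.windows.net/<tenant-id>/ including the trailing slash."""
    problems = []
    if not GUID_RE.match(tenant_id):
        problems.append(f"tenant id {tenant_id!r} is not a GUID")
    if not issuer.endswith("/"):
        problems.append("issuer must end with '/', otherwise the gateway rejects it")
    expected = f"https://sts.windows.net/{tenant_id}/"
    if issuer.rstrip("/") + "/" != expected:
        problems.append(f"issuer {issuer!r} does not match expected {expected!r}")
    return problems


def check_p2s_config(cfg: dict, vnet_prefixes: list[str]) -> list[str]:
    """Run every check and return the list of problems (empty means ready to save)."""
    problems = []
    problems += check_sku(cfg["sku"])
    if cfg.get("tunnel_type") != "OpenVPN (SSL)":
        problems.append("tunnel type must be 'OpenVPN (SSL)' for Azure AD authentication")
    if cfg.get("auth_type") != "Azure Active Directory":
        problems.append("authentication type must be 'Azure Active Directory'")
    problems += check_address_pool(cfg["address_pool"], vnet_prefixes)
    problems += check_issuer(cfg["issuer"], cfg["tenant_id"])
    return problems


# Constructed sample: a VNet left at its default 10.x address space, and a
# placeholder tenant ID (replace with your own).
SAMPLE_VNET_PREFIXES = ["10.0.0.0/16"]
SAMPLE_TENANT_ID = "00000000-0000-0000-0000-000000000000"

GOOD_CONFIG = {
    "sku": "VpnGw1",
    "tunnel_type": "OpenVPN (SSL)",
    "auth_type": "Azure Active Directory",
    "address_pool": "172.16.254.0/24",
    "tenant_id": SAMPLE_TENANT_ID,
    "issuer": f"https://sts.windows.net/{SAMPLE_TENANT_ID}/",
}

# Three mistakes: an unsupported SKU, a pool inside the VNet, and no trailing slash.
BAD_CONFIG = {
    **GOOD_CONFIG,
    "sku": "Basic",
    "address_pool": "10.0.1.0/24",
    "issuer": f"https://sts.windows.net/{SAMPLE_TENANT_ID}",
}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        found = check_p2s_config(cfg, SAMPLE_VNET_PREFIXES)
        print(f"{name}: {'OK' if not found else ''}")
        for p in found:
            print("  -", p)
```

Run it as a script to see the good configuration pass and the bad one report three problems; feed `check_p2s_config` your own values (and the address prefixes from your VNet's “Address space” blade) before saving the point-to-site configuration.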

Test everything

To test the setup, you need to download the VPN client profile file, download the Azure VPN client, and connect with it.

You can download the VPN client file by following the steps:

  • go to your Virtual network gateway resource
  • “Point-to-site configuration”
  • “Download VPN client”

After that, download the Azure VPN client and connect to the network.

Useful links
