Cross-premises connection options
There are many cases in which you might want to connect to your infrastructure in Azure from your on-premises network, a customer’s site, your home network, or even a coffee shop, and you want to do this without compromising security. There are three options available in Azure to help you set up these cross-premises connections: site-to-site VPN, point-to-site VPN, and private VPN (Azure ExpressRoute).
A VPN Gateway is an Azure managed service that is deployed into a VNet and provides the endpoint for VPN connectivity for point-to-site VPNs, site-to-site VPNs, and ExpressRoute. This gateway is the connection point into Azure from either the on-premises network (site-to-site) or the client machine (point-to-site).
Site-to-site connectivity
A site-to-site VPN lets you connect securely from your on-premises network to your virtual network in Azure. You have to have a public-facing IPv4 address and a compatible VPN device or Routing and Remote Access Service (RRAS) running on Windows Server 2012. For a list of valid devices and their configuration, please refer to https://azure.microsoft.com/documentation/articles/vpn-gateway-about-vpn-devices/.
Once you have the connection up and running, resources on your local network such as computers and VMs can communicate with the resources in the virtual network on Azure. For example, if you host a company application on Azure, your employees can access and run that application securely using your site-to-site network.
You actually can use site-to-site connectivity to connect entire on-premises networks to virtual networks in Azure. A good example is a company that has multiple branch offices. You can establish a connection between each branch office’s network and Azure.
Point-to-site connectivity
Point-to-site VPN enables you to connect from your local machine over a Secure Socket Tunneling Protocol (SSTP) tunnel to your virtual network in Azure. This uses certificate authentication between the client machine and the virtual network in Azure. This means you have to create some certificates and install them in the right places; we’ll cover this in detail later in this chapter when we create a point-to-site network.
It is recommended that you create a separate client certificate for each client that is going to access the point-to-site network and keep track of the certificate’s thumbprint and on which machine it was installed. If you do this, and you later need to turn off access for one person, you can do that by invalidating the client certificate using the Azure subscription ID, the virtual network name, and the certificate thumbprint.
If you use the same client certificate on multiple machines, the only way to revoke access is to remove the root certificate in Azure, which revokes access for every client certificate that chains back to that root certificate.
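The per-client certificate and revocation advice above, shown as an added example in Go that is not from the book or this post: the program builds a root certificate with the standard library, issues one client certificate per machine, records each thumbprint against the machine it went to, and models the gateway's decision so that revoking one thumbprint blocks only that machine, while replacing the root cuts off every client under it. The names P2SRootCert, desktop-01, laptop-02 and the Inventory and Accept functions are constructed for this example; Azure performs the real chain and revocation check on the gateway, and this code only reproduces that logic locally. The thumbprint is computed the way Windows and the Azure portal display it, as the SHA-1 hash of the DER-encoded certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts the demo on any error; there is nothing useful to do with a half-built certificate.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Thumbprint is the SHA-1 of the DER encoding in upper-case hex, as the Windows store and Azure portal show it.
func Thumbprint(c *x509.Certificate) string {
	return fmt.Sprintf("%X", sha1.Sum(c.Raw))
}

// issue signs tmpl with parentKey (self-signed when parent is nil) and returns the certificate and its new key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// NewRoot builds the self-signed root whose public part would be uploaded to Azure (constructed example, not Azure's own tooling).
func NewRoot(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	return issue(&x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(1, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
}

// NewClient issues one client-authentication certificate under root; the CN names the machine it is for.
func NewClient(root *x509.Certificate, rootKey *ecdsa.PrivateKey, serial int64, machine string) *x509.Certificate {
	cert, _ := issue(&x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: machine},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().AddDate(1, 0, 0),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, root, rootKey)
	return cert
}

// Inventory is the record the text recommends: which thumbprint went to which machine, and which were revoked.
type Inventory struct {
	Installed map[string]string
	Revoked   map[string]bool
}

// Accept models the gateway decision: chains to the trusted root, carries the client-auth EKU, and is not revoked.
func Accept(root *x509.Certificate, inv *Inventory, c *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := c.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil && !inv.Revoked[Thumbprint(c)]
}

// Scenario issues one certificate per machine, revokes only the laptop's, and contrasts that with replacing the root.
func Scenario() map[string]bool {
	root, rootKey := NewRoot("P2SRootCert")
	inv := &Inventory{Installed: map[string]string{}, Revoked: map[string]bool{}}
	clients := map[string]*x509.Certificate{}
	for i, machine := range []string{"desktop-01", "laptop-02"} {
		c := NewClient(root, rootKey, int64(i+2), machine)
		inv.Installed[Thumbprint(c)] = machine
		clients[machine] = c
	}
	// The laptop is lost: revoking just its thumbprint leaves the desktop's access intact.
	inv.Revoked[Thumbprint(clients["laptop-02"])] = true
	// Had one certificate been shared, the only remedy is removing the root, which cuts off every client under it.
	replacement, _ := NewRoot("ReplacementRoot")
	result := map[string]bool{}
	for machine, c := range clients {
		result[machine] = Accept(root, inv, c)
		result[machine+"/root-removed"] = Accept(replacement, inv, c)
	}
	return result
}

func main() { fmt.Println(Scenario()) }
```

Run it with go run or call Scenario from a test: each map entry records whether a machine's certificate is still accepted, first with the original root trusted and then (suffix /root-removed) after the root has been replaced. The Installed map is what lets you go from a lost or compromised machine back to the one thumbprint to revoke, which is exactly the bookkeeping the text asks for.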
You can connect up to 128 clients to the virtual network in Azure. (The maximum bandwidth is 80 Mbps per gateway.) The connection has to be configured on each client machine that you want to use. Once configured, the user can start the VPN by starting the connection manually, although you can configure the VPN to start automatically if needed.
Comparing site-to-site and point-to-site connectivity
There are several differences between these two forms of secure connections:
- You don’t need a VPN device or RRAS to use a point-to-site network.
- With point-to-site, configuration must be done on each client machine. With site-to-site, no changes are required to the client machines.
Point-to-site is a good choice when:
- You only have a few clients that need to have access.
- You don’t have access to a VPN device that you can use for a site-to-site connection.
- You want to connect securely when off site (such as at a customer site or a coffee shop).
You can have both point-to-site and site-to-site networks running simultaneously. If you can create a site-to-site network, you might use site-to-site for people on premises but allow point-to-site for people who need to connect from a remote location.
Source of information: Microsoft Azure Essentials: Fundamentals of Azure, Second Edition