
Design 11: VPN Gateway (Point-to-Site)

Summary

This design deploys an Azure VPN Gateway with a Point-to-Site (P2S) configuration so that remote users reach the Azure network over an authenticated, encrypted tunnel instead of through public IPs on the workloads.

Topology: The VPN Gateway resides in the Hub VNet (GatewaySubnet). It provides access to all peered Spokes, provided each peering allows gateway transit on the hub side and uses the remote gateway on the spoke side.

1. Key Design Decisions (ADR)

ADR-01: SKU

  • Decision: VpnGw1AZ.
  • Rationale: Zone-redundant (AZ) SKU, so the gateway instances are spread across availability zones; it requires a Standard-SKU, zone-redundant public IP. Supports both P2S and S2S, and (unlike Basic) the OpenVPN tunnel type that Entra ID authentication needs.

ADR-02: Authentication

  • Decision: Microsoft Entra ID (formerly Azure AD) authentication.
  • Rationale: Users log in with their corporate Entra ID credentials. MFA is enforced through Conditional Access, and requiring assignment on the Azure VPN enterprise application limits which users can connect at all.

2. High-Level Design (HLD)

+--------------+           +--------------------------+           +--------------+
|  Remote User |           |        HUB VNet          |           |  SPOKE VNet  |
|  (Laptop)    |           |      (Gateway)           |           |  (Workload)  |
+------+-------+           +------------+-------------+           +------+-------+
       |                                |                                |
       v (Tunnel)                       | (Peering)                      |
+------+-------+                        v                                v
|  Azure VPN   |           +------------+-------------+           +------+-------+
|  Client      |---------->| VPN Gateway              |<--------->|  VM          |
+--------------+           | (GatewaySubnet)          |           |  (Private IP)|
                           +--------------------------+           +------+-------+

3. Low-Level Design (LLD)

                               PRIMARY REGION (East US)
+-----------------------------------------------------------------------+
| HUB VNet: vnet-hub (10.0.0.0/16)                                      |
|   +-----------------------+                                           |
|   | Subnet: GatewaySubnet |                                           |
|   | [VPN Gateway]         |                                           |
|   | (Active-Active)       |                                           |
|   +-----------|-----------+                                           |
|               |                                                       |
|               v (Peering)                                             |
+---------------|-------------------------------------------------------+
                |
+---------------|-------------------------------------------------------+
| SPOKE VNet: vnet-app-spoke (10.1.0.0/16)                              |
|   +-----------------------+                                           |
|   | VM                    |                                           |
|   | (10.1.1.4)            |                                           |
|   +-----------------------+                                           |
+-----------------------------------------------------------------------+

                               SECONDARY REGION (West US)
+-----------------------------------------------------------------------+
| DR STRATEGY                                                           |
|   +-----------------------+                                           |
|   | VPN Gateway (DR)      |                                           |
|   | (Standby)             |                                           |
|   +-----------------------+                                           |
+-----------------------------------------------------------------------+

4. Component Rationale

  • GatewaySubnet: Dedicated subnet required by Azure. It must be named exactly GatewaySubnet, should be /27 or larger, and must not have an NSG attached.

5. Strategy: High Availability (HA)

  • Active-Active: Two gateway instances carry traffic at the same time, each on its own public IP. During planned maintenance or an instance failure the surviving instance keeps serving connections. Note that an active-standby gateway also has two instances, but only one carries traffic and failover briefly drops tunnels.

6. Strategy: Disaster Recovery (DR)

  • Implementation: Cold Standby.
  • Process: Deploy a VPN Gateway in the West US Hub if East US fails. Gateway creation alone takes 30-45 minutes; add time to re-apply the P2S settings and redistribute the client profile, because the new gateway has a different public IP and FQDN. Pre-creating the GatewaySubnet in the West US hub shortens the recovery.

7. Strategy: Backup

  • Config: PowerShell script that exports the gateway and P2S configuration (address pool, tunnel type, Entra ID tenant/audience/issuer, root certificates) to versioned JSON, so the DR gateway can be rebuilt with identical settings.
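As an added example (not a script from the original page), the following Az PowerShell exports what the DR process needs: the full gateway resource, the P2S block on its own, and an ARM template of the resource group so the GatewaySubnet, public IP and peerings can be recreated. It assumes the resource group is named rg-hub and the gateway vgw-hub-east; both names are assumptions.

```powershell
# Added example, not the page's own script. Assumes rg-hub / vgw-hub-east
# and an authenticated Az session (Connect-AzAccount has already run).
$ErrorActionPreference = 'Stop'
$rg     = 'rg-hub'            # assumed resource group name
$gwName = 'vgw-hub-east'
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$dir    = Join-Path $PWD "backup-$gwName-$stamp"
New-Item -ItemType Directory -Path $dir | Out-Null

# Full gateway resource (SKU, IP configurations, BGP, P2S) as JSON
$gw = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg
$gw | ConvertTo-Json -Depth 20 | Set-Content (Join-Path $dir 'gateway.json')

# The settings DR has to reproduce exactly: address pool, tunnel types,
# Entra ID tenant/audience/issuer and any root certificates
$gw.VpnClientConfiguration | ConvertTo-Json -Depth 10 |
    Set-Content (Join-Path $dir 'p2s.json')

# ARM template of the whole resource group: GatewaySubnet, public IP, peerings
Export-AzResourceGroup -ResourceGroupName $rg `
    -Path (Join-Path $dir 'rg-hub-template.json') -Force | Out-Null

Get-ChildItem $dir   # list what was captured
```

Run it on a schedule and after every change to the P2S configuration; commit the output to a repository so a diff shows exactly what changed between backups.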

8. Strategy: Security

  • Auth: Entra ID + MFA (Conditional Access), with assignment required on the Azure VPN enterprise application so only intended users can connect.
  • Cert: Root certificate for certificate-based authentication (optional). Client certificates issued from this root can be used alongside or instead of Entra ID sign-in; revoke by certificate thumbprint on the gateway if a device is lost.
  • Network: NSGs on spoke subnets should allow only the P2S pool (172.16.0.0/24) to the required ports, since a connected client is otherwise an inside host.

9. Well-Architected Framework Analysis

  • Reliability: High.
  • Security: High.
  • Cost Optimization: Medium. VPN Gateway costs ~$140/mo for VpnGw1; the AZ SKU, a second public IP for active-active and outbound data transfer add to this.
  • Operational Excellence: High.
  • Performance Efficiency: Medium. Limited by the SKU's aggregate throughput (650 Mbps for VpnGw1/VpnGw1AZ across all tunnels); a single P2S client gets a fraction of that.

10. Detailed Traffic Flow

1. Connect: User opens Azure VPN Client. Clicks "Connect".

2. Auth: The client opens an Entra ID sign-in (with MFA) and presents the resulting token to the gateway; the token's audience is the Azure VPN application ID configured on the gateway.

3. Tunnel: The client resolves the gateway FQDN from the imported profile and establishes an OpenVPN (TLS over TCP 443) tunnel to the gateway's public IP; it receives an address from the 172.16.0.0/24 pool.

4. Route: User tries to reach 10.1.1.4.

5. Transit: The gateway forwards the traffic over the VNet peering to the Spoke. This works only if the hub-to-spoke peering allows gateway transit and the spoke-to-hub peering uses remote gateways; otherwise the client can reach 10.0.0.0/16 but not 10.1.1.4.

11. Runbook: Deployment Guide (Azure Portal)

Phase 1: Create Gateway Subnet

1. Go to vnet-hub (created in Design 5).

2. Subnets (left menu) -> + Gateway subnet.

3. Subnet address range: 10.0.255.0/27 (or similar available range in Hub).

4. Save.

Phase 2: Create VPN Gateway

1. Search: "Virtual network gateways" -> + Create.

2. Name: vgw-hub-east.

3. Region: East US.

4. Gateway type: VPN.

5. VPN type: Route-based.

6. SKU: VpnGw1AZ (per ADR-01). Basic is cheaper for labs, but it supports neither OpenVPN nor Entra ID authentication, so it cannot be used for this design.

7. Virtual network: Select vnet-hub.

8. Public IP address:

* Create new: pip-vgw-hub.

9. Enable active-active mode: Enabled to match the LLD (this requires a second public IP); leave it Disabled for a single-IP lab gateway.

10. Configure BGP: Disabled.

11. Review + create -> Create.

* *Warning: This takes 30-45 minutes to deploy.*

Phase 3: Configure Point-to-Site (P2S)

1. Once deployed, go to vgw-hub-east.

2. Point-to-site configuration (left menu).

3. Address pool: 172.16.0.0/24 (addresses handed to connecting clients; must not overlap the hub, spoke or on-premises ranges).

4. Tunnel type: OpenVPN (SSL).

5. Authentication type: Azure Active Directory (labelled Microsoft Entra ID in newer portal builds).

6. Azure Active Directory values (Standard for Public Cloud):

* Tenant: https://login.microsoftonline.com/{Your-Tenant-ID}/ (Find Tenant ID in Entra ID Overview).

* Audience: 41b23e61-321f-4b1d-8269-c97c506e6d9a (Fixed ID for Azure VPN Client).

* Issuer: https://sts.windows.net/{Your-Tenant-ID}/.

7. Save.
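Phases 1 to 3 as one Az PowerShell script, added here as an example rather than taken from the original runbook. It also sets the two peering flags the portal steps do not mention, without which P2S clients reach the hub but not the spoke. Assumed (not on the page): resource groups rg-hub and rg-spoke, peering names peer-hub-to-spoke and peer-spoke-to-hub, and a $TenantId placeholder for your Entra tenant ID.

```powershell
# Added example, not the page's own runbook. Assumes rg-hub / rg-spoke,
# the peering names below, and an authenticated Az session.
$ErrorActionPreference = 'Stop'
$rg       = 'rg-hub'
$location = 'eastus'
$vnetName = 'vnet-hub'
$gwName   = 'vgw-hub-east'
$TenantId = '<your-tenant-id>'   # Entra ID > Overview (assumed placeholder)

# Phase 1: GatewaySubnet (the name is fixed by Azure; /27 leaves room to grow)
$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
if (-not ($vnet.Subnets | Where-Object Name -eq 'GatewaySubnet')) {
    Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' `
        -AddressPrefix '10.0.255.0/27' -VirtualNetwork $vnet | Out-Null
    $vnet = $vnet | Set-AzVirtualNetwork
}
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet

# Phase 2: zone-redundant Standard public IP (required by the AZ SKU) + gateway
$pip = New-AzPublicIpAddress -Name 'pip-vgw-hub' -ResourceGroupName $rg `
        -Location $location -Sku Standard -AllocationMethod Static -Zone 1,2,3
$ipconf = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconfig' `
        -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id

# Phase 3: P2S with OpenVPN + Entra ID in the same call (30-45 minutes).
# Tenant/issuer/audience values are the public-cloud ones from the runbook.
$gw = New-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg `
        -Location $location -IpConfigurations $ipconf `
        -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1AZ `
        -VpnClientProtocol OpenVPN -VpnClientAddressPool '172.16.0.0/24' `
        -VpnAuthenticationType AAD `
        -AadTenantUri  "https://login.microsoftonline.com/$TenantId/" `
        -AadAudienceId '41b23e61-321f-4b1d-8269-c97c506e6d9a' `
        -AadIssuerUri  "https://sts.windows.net/$TenantId/"

# Peering flags: gateway transit on the hub side, remote gateway on the spoke
# side. Without both, a connected client cannot reach 10.1.1.4.
$hubPeer = Get-AzVirtualNetworkPeering -ResourceGroupName $rg `
        -VirtualNetworkName $vnetName -Name 'peer-hub-to-spoke'
$hubPeer.AllowGatewayTransit = $true
Set-AzVirtualNetworkPeering -VirtualNetworkPeering $hubPeer | Out-Null

$spokePeer = Get-AzVirtualNetworkPeering -ResourceGroupName 'rg-spoke' `
        -VirtualNetworkName 'vnet-app-spoke' -Name 'peer-spoke-to-hub'
$spokePeer.UseRemoteGateways = $true
Set-AzVirtualNetworkPeering -VirtualNetworkPeering $spokePeer | Out-Null

# Equivalent of "Download VPN client" in Phase 4: fetch the profile zip
$profile = New-AzVpnClientConfiguration -ResourceGroupName $rg -Name $gwName `
        -AuthenticationMethod 'EapTls'
Invoke-WebRequest -Uri $profile.VpnProfileSASUrl -OutFile "$gwName-vpnclient.zip"
```

The peering flags must be set after the gateway exists (UseRemoteGateways on the spoke fails while the hub has no gateway), which is why they come last. For the active-active variant from the LLD, create a second public IP and pass two IP configurations with -EnableActiveActiveFeature.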

Phase 4: Connect Client

1. Download Client: On the P2S page, click Download VPN client.

2. Install: Install "Azure VPN Client" from Microsoft Store on your PC.

3. Import:

* Extract the downloaded zip.

* Open Azure VPN Client -> Import.

* Select azurevpnconfig.xml from the AzureVPN folder.

4. Connect: Click Connect. Log in with your Entra ID credentials.

5. Verify: Open PowerShell on your PC and ping 10.1.1.4 (Spoke VM). A reply proves the full path. No reply does not by itself mean the tunnel failed: Windows VMs block ICMP in the guest firewall by default and an NSG may not allow the P2S pool, so also test a TCP port the VM actually listens on (for example Test-NetConnection 10.1.1.4 -Port 3389). If the hub (10.0.0.0/16) is reachable but the spoke is not, the peering is missing gateway transit.
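An added client-side check (not part of the original page) that separates the three usual failure modes: tunnel not up, tunnel up but no route to the spoke (missing gateway transit), and route present but the host blocking the traffic (guest firewall or NSG). It assumes a Windows client, that the Azure VPN Client adapter holds the 172.16.0.0/24 address, and that 10.1.1.4 listens on TCP 3389; the port is an assumption, adjust it for the workload.

```powershell
# Added example, not from the page. Run on the Windows laptop after "Connect".
# Assumes the P2S pool 172.16.0.0/24 and that the spoke VM listens on TCP 3389.
$poolPrefix  = '172.16.'
$spokeVm     = '10.1.1.4'
$spokeSpace  = '10.1.0.0/16'
$servicePort = 3389   # assumed; use the port your workload exposes

# 1. Tunnel up? The adapter should hold an address from the P2S pool.
$tunnelIp = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object IPAddress -like "$poolPrefix*" | Select-Object -First 1
if (-not $tunnelIp) { throw "No address from $poolPrefix: the tunnel is not established." }
"Tunnel up: $($tunnelIp.IPAddress) on '$($tunnelIp.InterfaceAlias)'"

# 2. Spoke routed into the tunnel? If only the hub (10.0.0.0/16) appears here,
#    the hub peering lacks gateway transit or the spoke lacks UseRemoteGateways.
$vpnRoutes = Get-NetRoute -AddressFamily IPv4 |
    Where-Object InterfaceIndex -eq $tunnelIp.InterfaceIndex
if (-not ($vpnRoutes | Where-Object DestinationPrefix -eq $spokeSpace)) {
    Write-Warning "No route for $spokeSpace via the VPN adapter: check the peering flags."
}
$vpnRoutes | Select-Object DestinationPrefix, NextHop | Format-Table -AutoSize

# 3. Reach the VM on a TCP port. ICMP is blocked by the Windows guest firewall
#    by default, so a failed ping alone proves nothing.
$tcp = Test-NetConnection -ComputerName $spokeVm -Port $servicePort -WarningAction SilentlyContinue
if ($tcp.TcpTestSucceeded) {
    "OK: $spokeVm reachable on TCP $servicePort through the tunnel"
} else {
    Write-Warning "Route exists but TCP $servicePort is closed: check the NSG on the spoke subnet and the guest firewall on the VM."
}
```

A clean result shows a 172.16.x.x tunnel address, both 10.0.0.0/16 and 10.1.0.0/16 in the route table and TcpTestSucceeded true; each earlier step that fails points at one specific layer to fix.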