Setting up a Point-to-Site VPN connection in Azure Government (the quick version)
by info.odysseyx@gmail.com, September 25, 2024

I spent way too much time yesterday setting up Point-to-Site VPN connectivity in Azure Government, so I thought I'd write a quick blog post in the hope that it saves someone some time. I typically test network injection scenarios, such as running applications in an App Service Environment or testing SQL migrations to Azure SQL Managed Instance, by establishing a VPN connection between my on-premises environment and a sandbox in Azure. A Point-to-Site VPN is a very simple way to achieve this, but I had not yet deployed one in a government subscription.

The prerequisites are:

- Create a virtual network
- Create a GatewaySubnet in that virtual network
- Create a virtual network gateway

There is a tutorial on the steps to create these resources here. I chose the VpnGw1 SKU for my virtual network gateway (VNG). This is for testing only and doesn't need much bandwidth or many connections, but you can size the VNG to suit your needs.

The next step is to set up Point-to-Site. Open your virtual network gateway and select the "Point-to-site configuration" blade. The setup here is very simple: add an address pool (usually RFC 1918 space that doesn't overlap your VNet address space), a tunnel type (we're using Microsoft Entra ID authentication, so that means OpenVPN), an authentication type (still branded "Azure Active Directory"), and the public IPs you want to use.

The next step is to add the Azure Active Directory (Microsoft Entra ID) values. Because you are in Azure Government, keep in mind that the endpoints differ from those in the commercial cloud. The documentation here lists the steps, including the mapping between Azure Commercial and Azure Government endpoints.
The endpoint mappings are as follows:

- Tenant ID: your tenant, under the Azure Government login endpoint (see the linked documentation for the exact value)
- Audience: 41b23e61-6c1e-4545-b367-cd054e0ed4b4 (Azure Commercial) -> 51bb15d4-3a4f-4ebf-9dca-40096fe32426 (Azure Government)
- Issuer: unchanged

Wait. Why wouldn't the issuer change? Shouldn't it point at the government endpoint? The short answer is "no." I assumed it should and tried to guess the endpoint by replacing "sts.windows.net" with "login.microsoftonline.us", but when I tried to connect I got the following error:

[Error] VPN connection ase-vnet dialing, status = The server did not properly respond to VPN control packets. Session state: Key material sent.

That didn't help much, so after a ton of time digging through Microsoft Entra ID, I finally hit on the idea of actually getting a JWT token from the tenant and inspecting it. Once I had the token (I'll write a future article on how to get it), I could decode it in a tool like jwt.ms. If you look at the token, the issuer is still https://sts.windows.net/{tenantID}. After I fixed that, the VPN client was able to connect.

There are many places in the learn.microsoft.com documentation that explain how to configure a Point-to-Site VPN, but I think this document best describes the process for clouds like Azure Government rather than Azure Commercial. It walks you through authorizing the Azure VPN application (which requires the Global Admin role in Entra ID) and configuring the Azure VPN client.

Don't overthink the issuer like I did!
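The lesson of the post is that the gateway's Audience and Issuer must match what the tenant actually puts in the token, and the only reliable way to know that is to decode a token and look. The script below is an added example (it is not code from the post or from Microsoft): it decodes a JWT payload the way jwt.ms does, without verifying the signature, and compares the aud and iss claims against the values you intend to enter on the Point-to-site configuration blade. The audience and issuer strings are the ones quoted in the post; the tenant ID, the sample token and the helper names (decode_claims, check_p2s_claims, make_sample_token) are constructed for the demo. Because Azure compares the issuer string exactly, copy it from a decoded token rather than typing it, trailing slash included.

```python
import base64
import json

# Values quoted in the post: the Azure Government audience for the Azure VPN
# application and the issuer, which does not change between clouds.
# TENANT_ID is a constructed placeholder, not a real tenant.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
GOV_AUDIENCE = "51bb15d4-3a4f-4ebf-9dca-40096fe32426"
COMMERCIAL_AUDIENCE = "41b23e61-6c1e-4545-b367-cd054e0ed4b4"
EXPECTED_ISSUER = f"https://sts.windows.net/{TENANT_ID}/"


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj: dict) -> str:
    """Encode a JSON object as an unpadded base64url JWT segment."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT (header.payload.signature).

    The signature is deliberately not verified: this is an inspection aid for
    reading iss/aud, like pasting the token into jwt.ms, not an authorizer.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    return json.loads(_b64url_decode(parts[1]))


def check_p2s_claims(token: str, gateway_audience: str, gateway_issuer: str) -> list:
    """Compare the token's aud and iss with the gateway's P2S configuration.

    Returns a list of human-readable mismatches; an empty list means the
    values the gateway validates agree with what the tenant actually issues.
    """
    claims = decode_claims(token)
    problems = []
    if claims.get("aud") != gateway_audience:
        problems.append(
            f"audience: token has {claims.get('aud')!r}, gateway configured with {gateway_audience!r}"
        )
    # The issuer is compared as an exact string, so the trailing slash matters.
    if claims.get("iss") != gateway_issuer:
        problems.append(
            f"issuer: token has {claims.get('iss')!r}, gateway configured with {gateway_issuer!r}"
        )
    return problems


def make_sample_token(claims: dict) -> str:
    """Build an unsigned sample token for the demo (constructed, alg=none)."""
    header = _b64url_encode({"alg": "none", "typ": "JWT"})
    return f"{header}.{_b64url_encode(claims)}."


# Constructed sample of what the tenant issues for the Azure Government
# Azure VPN application: government audience, sts.windows.net issuer.
SAMPLE_TOKEN = make_sample_token(
    {"aud": GOV_AUDIENCE, "iss": EXPECTED_ISSUER, "tid": TENANT_ID}
)

# The guess from the post: issuer rewritten to the government login host.
GUESSED_ISSUER = f"https://login.microsoftonline.us/{TENANT_ID}/"


if __name__ == "__main__":
    print("correct config:     ", check_p2s_claims(SAMPLE_TOKEN, GOV_AUDIENCE, EXPECTED_ISSUER))
    print("guessed issuer:     ", check_p2s_claims(SAMPLE_TOKEN, GOV_AUDIENCE, GUESSED_ISSUER))
    print("commercial audience:", check_p2s_claims(SAMPLE_TOKEN, COMMERCIAL_AUDIENCE, EXPECTED_ISSUER))
```

Run it as-is to see the three cases: the correct configuration produces no mismatches, the guessed login.microsoftonline.us issuer from the post is flagged, and so is reusing the commercial audience in a government tenant. To check a real token, paste it in place of SAMPLE_TOKEN and pass the audience and issuer you entered on the blade.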