
Task 04: Point-to-Site VPN Connection

Runbook Azure

DOCUMENT CATEGORY: Runbook
SCOPE: P2S VPN configuration
PURPOSE: Enable remote admin access via P2S VPN
MASTER REFERENCE: Microsoft Learn - P2S VPN

Status: Active


Overview

This task configures Point-to-Site (P2S) VPN on the existing VPN Gateway (Task 02) so that individual administrators can connect remotely to the Azure management network. P2S VPN is optional: it is an alternative to Azure Bastion (Task 05) for remote management. Of the two supported authentication types, Entra ID is preferred where the tenant allows it, because it gives per-user identity, Conditional Access and MFA, and revocation through the directory. Certificate authentication identifies only the certificate; a client certificate stays valid until its thumbprint is added to the gateway's revoked-certificate list, so issuance and revocation of client certificates must be tracked by the team.

Task Classification

Execution Target: Azure-Only (control-plane API operation)
Tab Profile: 3 tabs — Azure Portal · Azure CLI / PowerShell · Standalone Script

Optional Task

This task is optional. It is only required when remote administrative VPN access is needed in addition to or instead of Azure Bastion (Task 05).

Terraform Reference

Module: azurelocal-toolkit
File: network.tf
Mode: Management

Components Configured

| Resource | Name Pattern | Purpose |
|----------|--------------|---------|
| P2S VPN Configuration | On existing VPN Gateway | Remote admin VPN access |
| VPN Client Address Pool | Per config | IP pool for VPN clients |

P2S Configuration

| Setting | Value | Source |
|---------|-------|--------|
| Authentication | Certificate or Entra ID | network.vpn.p2s.auth_type |
| Tunnel Type | OpenVPN | network.vpn.p2s.tunnel_type |
| Client Address Pool | Per config | network.vpn.p2s.address_pool |
| Root Certificate | Key Vault reference | network.vpn.p2s.root_cert_secret |

Prerequisites

  • Task 02: VPN Gateway completed — VPN Gateway provisioned with a VpnGw1 / VpnGw1AZ or higher SKU (the Basic SKU supports SSTP only, so neither OpenVPN nor Entra ID authentication is available on it)
  • Root certificate generated and its public certificate (.cer) uploaded to Key Vault (if using certificate auth); only the public data is uploaded to the gateway, and the private key is used solely to issue per-admin client certificates
  • Entra ID application registered (if using Entra ID authentication); Entra ID authentication requires the OpenVPN tunnel type
  • Client address pool CIDR does not overlap with the VNet, any peered VNet, or on-premises ranges reachable over the S2S connection (Task 03)

Variables from variables.yml

| Variable | Config Path | Example (IIC) |
|----------|-------------|---------------|
| VPN Gateway Name | network.vpn.azure_gateway.name | vpng-azrl-azl-eus-01 |
| VPN Gateway RG | network.vpn.azure_gateway.resource_group | rg-azrlmgmt-azl-eus-01 |
| Auth Type | network.vpn.p2s.auth_type | Certificate |
| Tunnel Type | network.vpn.p2s.tunnel_type | OpenVPN |
| Client Address Pool | network.vpn.p2s.address_pool | 172.16.0.0/24 |
| Root Certificate | network.vpn.p2s.root_cert_secret | keyvault://... |
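The prerequisites above (non-overlapping client pool, a non-Basic gateway SKU, OpenVPN when Entra ID is used) can be checked offline before anything is changed on the gateway. The following shell functions are an added example written for this page; they are not the runbook's own code and not part of the azurelocal-toolkit. They handle IPv4 only. The 172.16.0.0/24 pool is the example value from the table; the VNet and on-premises ranges in `preflight` are constructed sample values, and the auth_type spelling `EntraID` is an assumption (the page only shows `Certificate`).

```shell
# Added example: offline pre-flight checks for the P2S settings. IPv4 only.
# Sample ranges other than the 172.16.0.0/24 pool are constructed, and the
# "EntraID" auth_type value is an assumed spelling.

# Dotted-quad IPv4 -> 32-bit integer.
ip_to_int() {
  _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# "first last" integer bounds of a CIDR block.
cidr_bounds() {
  _ip=${1%/*}; _len=${1#*/}
  _base=$(ip_to_int "$_ip")
  if [ "$_len" -eq 0 ]; then _mask=0
  else _mask=$(( (0xFFFFFFFF << (32 - $_len)) & 0xFFFFFFFF )); fi
  echo "$(( $_base & $_mask )) $(( ($_base & $_mask) | (~$_mask & 0xFFFFFFFF) ))"
}

# Exit 0 when the two CIDR blocks share at least one address.
cidr_overlap() {
  set -- $(cidr_bounds "$1") $(cidr_bounds "$2")
  [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# check_pool POOL RANGE... : report every range the pool overlaps; exit 1 if any.
check_pool() {
  _pool=$1; _rc=0; shift
  for _r in "$@"; do
    if cidr_overlap "$_pool" "$_r"; then
      echo "CONFLICT: client pool $_pool overlaps $_r"; _rc=1
    fi
  done
  return $_rc
}

# Entra ID authentication is only offered with the OpenVPN tunnel type, and the
# Basic gateway SKU supports neither OpenVPN nor IKEv2 (SSTP only).
check_auth_combo() {
  _auth=$1; _tunnel=$2; _sku=$3
  if [ "$_sku" = "Basic" ] && [ "$_tunnel" != "SSTP" ]; then
    echo "ERROR: Basic SKU supports SSTP only; $_tunnel needs VpnGw1 or higher"; return 1
  fi
  if [ "$_auth" = "EntraID" ] && [ "$_tunnel" != "OpenVPN" ]; then
    echo "ERROR: Entra ID authentication requires tunnel_type OpenVPN (got $_tunnel)"; return 1
  fi
  return 0
}

# Usage with constructed values: management VNet 10.20.0.0/16, on-prem 192.168.0.0/16.
preflight() {
  check_pool 172.16.0.0/24 10.20.0.0/16 192.168.0.0/16 &&
  check_auth_combo Certificate OpenVPN VpnGw1
}
```

Run `preflight` with the real values from variables.yml (every VNet address space, every peered VNet and every on-premises prefix advertised over S2S) before saving the P2S configuration; a non-zero exit means the pool must be changed first.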

Single Subscription Model

Landing Zone Placement

| Field | Value | Config Path |
|-------|-------|-------------|
| Subscription | Customer subscription | azure.subscriptions.<name>.id |
| Resource Group | Same as VPN Gateway | network.vpn.azure_gateway.resource_group |
| VPN Gateway | Existing gateway | network.vpn.azure_gateway.name |
| Client Pool | Per config | network.vpn.p2s.address_pool |

Execution Options

Azure Portal

When to use: Learning Azure Local, single deployment, prefer visual interface

Procedure

  1. Navigate to the VPN Gateway:
  • Search for Virtual network gateways → Select the gateway from Task 02
  2. Configure Point-to-Site:
  • Go to Point-to-site configuration → Configure now

| Field | Value | Source |
|-------|-------|--------|
| Address pool | Client CIDR | network.vpn.p2s.address_pool |
| Tunnel type | OpenVPN (SSL) | network.vpn.p2s.tunnel_type |
| Authentication type | Azure certificate or Entra ID | network.vpn.p2s.auth_type |

  3. Upload Root Certificate (if certificate auth):

| Field | Value | Source |
|-------|-------|--------|
| Name | Root cert name | network.vpn.p2s.root_cert_name |
| Public certificate data | Base64 body of the root .cer (public certificate only, with the BEGIN/END lines and line breaks removed) | From Key Vault |

  The root's private key stays in Key Vault; it is used only to issue the per-admin client certificates and is never uploaded to the gateway.

  4. Configure Entra ID (if Entra ID auth; only offered when the tunnel type is OpenVPN):

| Field | Value | Source |
|-------|-------|--------|
| Tenant | https://login.microsoftonline.com/{tenant-id}/ | Derived from azure.tenant.id |
| Audience | Entra app ID | network.vpn.p2s.entra_app_id |
| Issuer | https://sts.windows.net/{tenant-id}/ | Derived from tenant |

  Tenant and Issuer are URLs built from the tenant ID, not the bare GUID.

  5. Save the configuration

  6. Download VPN Client: Click Download VPN client → Distribute the profile to authorized admins. With certificate auth, each admin additionally needs their own client certificate (with private key) issued from the uploaded root and installed on their workstation; distribute client certificates individually, never the root's private key.
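The same configuration expressed as Azure CLI calls, for the CLI tab of this task. This is an added example written for this page, not the runbook's own code and not part of the azurelocal-toolkit. Gateway name, resource group and client pool are the IIC example values from the variables table; the root certificate file path, root certificate name and Entra app ID passed to the `configure_*` functions are assumed placeholders. The `configure_*`, `show_p2s` and `revoke_client_cert` functions need a signed-in `az` session; the two helpers above them are pure shell and run offline.

```shell
# Added example: Azure CLI form of the Portal procedure. Resource names are the
# runbook's IIC examples; the certificate path, cert name and Entra app ID handed
# to the configure_* functions are placeholders.

GW=vpng-azrl-azl-eus-01
RG=rg-azrlmgmt-azl-eus-01
POOL=172.16.0.0/24

# The Portal's "Public certificate data" field and --public-cert-data take the
# base64 body of the root .cer only: drop the BEGIN/END lines and all line breaks.
cer_to_portal_b64() {
  sed -e '/^-----BEGIN/d' -e '/^-----END/d' "$1" | tr -d '\r\n'
}

# Entra ID fields are derived from the tenant ID. Tenant and Issuer are URLs,
# not a bare GUID. Prints "tenant-url audience issuer-url" on one line.
entra_p2s_values() {
  case $1 in
    ????????-????-????-????-????????????) ;;
    *) echo "tenant ID must be a GUID: $1" >&2; return 1 ;;
  esac
  printf '%s %s %s\n' "https://login.microsoftonline.com/$1/" "$2" "https://sts.windows.net/$1/"
}

# Certificate auth: set the P2S configuration, then upload the root's public data.
configure_p2s_certificate() {   # $1 = root .cer (PEM), $2 = root cert name
  az network vnet-gateway update -g "$RG" -n "$GW" \
    --address-prefixes "$POOL" --client-protocol OpenVPN --vpn-auth-type Certificate
  az network vnet-gateway root-cert create -g "$RG" --gateway-name "$GW" \
    -n "$2" --public-cert-data "$(cer_to_portal_b64 "$1")"
}

# Entra ID auth (OpenVPN only).
configure_p2s_entra() {   # $1 = tenant ID, $2 = Entra app (audience) ID
  _vals=$(entra_p2s_values "$1" "$2") || return 1
  set -- $_vals
  az network vnet-gateway update -g "$RG" -n "$GW" \
    --address-prefixes "$POOL" --client-protocol OpenVPN --vpn-auth-type AAD \
    --aad-tenant "$1" --aad-audience "$2" --aad-issuer "$3"
}

# Validation: read back what the gateway has, then fetch the client package URL.
show_p2s() {
  az network vnet-gateway show -g "$RG" -n "$GW" --query vpnClientConfiguration -o json
  az network vnet-gateway vpn-client generate -g "$RG" -n "$GW" -o tsv
}

# Certificate auth has no directory-side revocation: a departed admin's client
# certificate stays valid until its thumbprint is listed on the gateway.
revoke_client_cert() {   # $1 = entry name, $2 = client cert SHA-1 thumbprint
  az network vnet-gateway revoked-cert create -g "$RG" --gateway-name "$GW" \
    -n "$1" --thumbprint "$2"
}
```

`show_p2s` is the CLI form of the Validation list that follows: the returned `vpnClientConfiguration` should show the pool, `OpenVPN` under the client protocols, the expected authentication type and, for certificate auth, the uploaded root under `vpnClientRootCertificates`.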

Validation

  • P2S configuration present on the VPN Gateway with the expected address pool, tunnel type and authentication type
  • VPN client profile downloads successfully
  • Test client connects and receives an IP from the configured pool
  • Client can reach management subnet resources

CAF/WAF Landing Zone Model

In the CAF/WAF model, the P2S configuration exists on the VPN Gateway in the Connectivity subscription.

Landing Zone Placement

| Field | Value | Config Path |
|-------|-------|-------------|
| Subscription | Connectivity subscription | azure.subscriptions.connectivity.id |
| Resource Group | Connectivity resource group | network.vpn.azure_gateway.resource_group |
| VPN Gateway | Existing gateway | network.vpn.azure_gateway.name |

Execution Options

Azure Portal

Follow the same procedure as Single Subscription → Azure Portal, targeting the Connectivity subscription.

Validation

  • P2S configured on the gateway in the Connectivity subscription
  • Client connects and receives an IP from the address pool
  • P2S VPN functional from the Connectivity subscription
  • No routing conflicts with the Hub VNet address space

Troubleshooting

| Issue | Root Cause | Remediation |
|-------|------------|-------------|
| Client cannot connect (certificate auth) | Client certificate not issued from an uploaded root, not installed in the user's personal certificate store, or its thumbprint is on the revoked-certificate list | Verify the uploaded root data matches the issuing CA; reissue and install the client certificate; check the revoked list |
| No IP assigned to client | Address pool exhausted or misconfigured | Expand pool or verify CIDR |
| Address pool overlaps | CIDR conflicts with VNet, peered VNet or on-prem ranges | Choose non-overlapping CIDR and re-save the P2S configuration |
| Entra ID auth fails | App registration misconfigured, Tenant/Issuer entered as bare GUID instead of URL, or tunnel type is not OpenVPN | Verify tenant URL, audience, issuer and API permissions; set tunnel type to OpenVPN (SSL) |
| OpenVPN not available | Gateway is the Basic SKU (SSTP only) | Redeploy the gateway as VpnGw1 / VpnGw1AZ or higher in Task 02; a Basic gateway cannot be resized in place |
| Client connects but cannot reach management subnet | NSG on the management subnet does not allow the client address pool as source | Add an inbound rule for the pool CIDR on the required ports |


Version Control

  • Created: 2025-09-15 by Hybrid Cloud Solutions
  • Last Updated: 2026-03-03 by Hybrid Cloud Solutions
  • Version: 4.0.0
  • Tags: azure-local, vpn, p2s, remote-access, networking
  • Keywords: point-to-site, P2S VPN, remote access, VPN client, certificate authentication, Entra ID
  • Author: Hybrid Cloud Solutions