2.2 Point-to-Site (P2S) VPN Connectivity
📘Microsoft Azure Networking Solutions (AZ-700)
A Point-to-Site VPN is a secure connection from an individual device (like a laptop or VM) to an Azure Virtual Network (VNet). Unlike Site-to-Site VPNs, which connect entire networks, P2S connects single clients directly to Azure.
One of the key tasks in setting up P2S VPN is choosing the right tunnel type. The tunnel type determines which protocol carries and encrypts the traffic, which ports the client's network must allow outbound, and which client operating systems can connect.
1. Tunnel Types in Azure P2S VPN
Azure supports three main tunnel types for P2S VPN:
- IKEv2 (Internet Key Exchange version 2)
- OpenVPN®
- SSTP (Secure Socket Tunneling Protocol)
1.1 IKEv2
- Protocol type: IPsec tunnel; IKEv2 negotiates the keys. Uses UDP 500 and UDP 4500 (NAT traversal).
- Security: Strong encryption. The gateway ships with a default IPsec/IKE policy; a custom policy can be set if specific algorithms are required.
- Supported platforms:
  - Windows (built-in VPN client)
  - macOS (built-in IKEv2 client; the profile and certificate must be set up manually)
  - Linux (third-party client such as strongSwan)
- Performance: Fast, low latency, ideal for high-speed networks.
- Use case in IT: Employees connecting from their laptops to Azure VNets securely. Works only where the client's network allows outbound UDP 500 and 4500; a network that permits nothing but TCP 443 will block it.
Configuration notes for exam:
- Authentication: Azure certificate or RADIUS. Microsoft Entra ID (formerly Azure AD) authentication is not available for IKEv2; it requires the OpenVPN tunnel type.
- The IPsec/IKE parameters are delivered in the downloaded client profile; change the gateway's IPsec/IKE policy only if you need non-default algorithms.
- Not supported on the Basic gateway SKU, and only works if the client device supports IKEv2.
1.2 OpenVPN®
- Protocol type: TLS-based (the OpenVPN® protocol). Azure carries it over TCP 443, the same port as HTTPS.
- Security: Strong encryption; flexible.
- Supported platforms:
- Windows
- macOS
- Linux
- iOS and Android
- Performance: Slightly slower than IKEv2 but highly compatible.
- Use case in IT: Remote developers or administrators using various devices (including personal laptops or mobile devices) connecting securely to Azure VNets.
Configuration notes for exam:
- Supports certificate-based, RADIUS, or Microsoft Entra ID (formerly Azure AD) authentication; it is the only tunnel type that supports Entra ID.
- Runs over TCP 443 on the Azure gateway, which is why it passes most firewalls that allow outbound HTTPS. Azure does not offer a UDP transport for it.
- Recommended whenever you need cross-platform support, including iOS and Android.
1.3 SSTP (Secure Socket Tunneling Protocol)
- Protocol type: SSL-based, runs over HTTPS (TCP 443).
- Security: Strong encryption.
- Supported platforms:
- Windows only
- Performance: Slower than IKEv2 or OpenVPN; carrying TCP sessions inside a TCP tunnel adds retransmission overhead.
- Use case in IT: When client devices are behind strict firewalls that allow only outbound TCP 443, and all clients run Windows.
Configuration notes for exam:
- Choose it when IKEv2 (UDP 500/4500) is blocked and the clients are Windows; it is also the only P2S tunnel type the Basic gateway SKU supports.
- Supported on Windows 7 and later, so it covers older Windows clients.
- Does not work on macOS, Linux, iOS, or Android.
- Can be paired with IKEv2 on the same gateway, but not with OpenVPN, because both use TCP 443.
2. How to Select a Tunnel Type
When you select a tunnel type for P2S VPN in Azure, consider:
| Factor | IKEv2 | OpenVPN | SSTP |
|---|---|---|---|
| Performance | Fast | Medium | Slow |
| Cross-platform | Limited | Excellent | Windows only |
| Firewall-friendly | Medium | High | High |
| Security | High | High | High |
| Exam tip | Best for Windows devices on unrestricted networks | Best for multiple OS devices | Only if other types blocked |
Key exam point: You can select more than one tunnel type on the same gateway: IKEv2 + OpenVPN (Windows, macOS, Linux, iOS and Android clients) or IKEv2 + SSTP (Windows clients on both open and restricted networks). OpenVPN + SSTP is not a valid combination, because both listen on TCP 443 on the gateway.
3. Configuring the Tunnel Type
Configuring a P2S VPN tunnel type can be done in the Azure Portal, Azure PowerShell, or the Azure CLI.
Step-by-step in Azure Portal:
- Go to the VNet gateway:
  - Navigate to Virtual network gateways in the Azure portal.
  - Select your gateway or create a new one (remember that the Basic SKU allows SSTP only).
- Point-to-site configuration:
  - Select Point-to-site configuration, then Configure now.
  - Enter an address pool for VPN clients (e.g., 172.16.201.0/24). It must not overlap the VNet, any peered VNet, or on-premises networks reachable through the gateway.
- Authentication type:
  - Choose Azure certificate (upload the root certificate's public data), Microsoft Entra ID (formerly Azure AD; enter tenant, audience, and issuer), or RADIUS (server address and shared secret).
- Tunnel type selection:
  - Choose IKEv2, OpenVPN, SSTP, or a supported pair (IKEv2 + OpenVPN, IKEv2 + SSTP).
  - For cross-platform access, select IKEv2 + OpenVPN. Selecting Entra ID authentication restricts the tunnel type to OpenVPN.
- Save configuration:
  - Click Save.
  - Download the VPN client package for your platform.
- Client installation:
  - Install the VPN client on the user device.
  - Import the client certificate (certificate authentication) or sign in when prompted (Entra ID).
  - Connect to the Azure VNet.
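Before clicking Save in the steps above, or when deciding on a tunnel pair as in section 2, it helps to check the combination offline. The following POSIX shell script is an added example, not code from this page or from Microsoft: it encodes the rules stated above (OpenVPN and SSTP cannot share a gateway, Entra ID authentication needs OpenVPN, the client pool must be a valid IPv4 CIDR that does not overlap the VNet) and, when they pass, prints the matching `az network vnet-gateway update` command. The resource group `rg-hub`, gateway `vgw-hub`, and VNet prefix `10.0.0.0/16` are assumed sample values; the script only builds the command and never calls Azure.

```shell
#!/bin/sh
# Pre-flight check for an Azure P2S configuration (added example, not Azure's
# or the page's code). Encodes the rules from the sections above:
#   - OpenVPN and SSTP cannot be enabled together: both use TCP 443 on the gateway.
#   - Microsoft Entra ID (AAD) authentication is only available with OpenVPN.
#   - The client address pool must be a valid IPv4 CIDR and must not overlap the VNet.
# On success it prints the 'az network vnet-gateway update' command to run.

# Convert a dotted IPv4 address to an integer, e.g. 10.0.0.0 -> 167772160.
ip4_to_int() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Return 0 if the argument is a syntactically valid IPv4 CIDR (a.b.c.d/len).
is_ipv4_cidr() {
  case $1 in */*) ;; *) return 1 ;; esac
  len=${1#*/}
  case $len in ''|*[!0-9]*) return 1 ;; esac
  [ "$len" -le 32 ] || return 1
  old_ifs=$IFS; IFS=.
  set -- ${1%/*}
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# Return 0 if two IPv4 CIDR ranges overlap. Two prefixes overlap exactly when
# the shorter (larger) one contains the other's network address.
cidr_overlaps() {
  a_net=$(ip4_to_int "${1%/*}"); a_len=${1#*/}
  b_net=$(ip4_to_int "${2%/*}"); b_len=${2#*/}
  if [ "$a_len" -le "$b_len" ]; then p=$a_len; else p=$b_len; fi
  if [ "$p" -eq 0 ]; then return 0; fi          # a /0 covers everything
  mask=$(( (4294967295 << (32 - p)) & 4294967295 ))
  [ $(( a_net & mask )) -eq $(( b_net & mask )) ]
}

# Return 0 if the space-separated tunnel type list is a combination Azure allows.
tunnel_types_ok() {
  has_ovpn=0; has_sstp=0
  for t in $1; do
    case $t in
      IkeV2) ;;
      OpenVPN) has_ovpn=1 ;;
      SSTP) has_sstp=1 ;;
      *) echo "unknown tunnel type: $t" >&2; return 1 ;;
    esac
  done
  if [ "$has_ovpn" -eq 1 ] && [ "$has_sstp" -eq 1 ]; then
    echo "OpenVPN and SSTP both use TCP 443 and cannot share a gateway" >&2
    return 1
  fi
  return 0
}

# Return 0 if the authentication type works with the chosen tunnel types.
auth_ok() {
  case $1 in
    Certificate|Radius) return 0 ;;
    AAD)
      case " $2 " in *" OpenVPN "*) return 0 ;; esac
      echo "Entra ID (AAD) authentication requires the OpenVPN tunnel type" >&2
      return 1 ;;
    *) echo "unknown auth type: $1" >&2; return 1 ;;
  esac
}

# build_p2s_cmd RESOURCE_GROUP GATEWAY CLIENT_POOL VNET_PREFIX AUTH "TUNNEL TYPES"
# Prints the az command on stdout and returns 0, or returns 1 on a rule violation.
build_p2s_cmd() {
  rg=$1; gw=$2; pool=$3; vnet=$4; auth=$5; tunnels=$6
  is_ipv4_cidr "$pool" || { echo "bad client pool: $pool" >&2; return 1; }
  is_ipv4_cidr "$vnet" || { echo "bad VNet prefix: $vnet" >&2; return 1; }
  tunnel_types_ok "$tunnels" || return 1
  auth_ok "$auth" "$tunnels" || return 1
  if cidr_overlaps "$pool" "$vnet"; then
    echo "client pool $pool overlaps the VNet range $vnet" >&2
    return 1
  fi
  printf 'az network vnet-gateway update --resource-group %s --name %s --address-prefixes %s --client-protocol %s --vpn-auth-type %s\n' \
    "$rg" "$gw" "$pool" "$tunnels" "$auth"
}

# Stand-alone demonstration with constructed sample values (rg-hub, vgw-hub and
# 10.0.0.0/16 are assumptions, not values from the page).
build_p2s_cmd rg-hub vgw-hub 172.16.201.0/24 10.0.0.0/16 Certificate "IkeV2 OpenVPN"
```

The printed command uses the real Azure CLI parameters `--address-prefixes`, `--client-protocol` and `--vpn-auth-type`. For Entra ID the real command additionally needs `--aad-tenant`, `--aad-audience` and `--aad-issuer`; for certificate authentication you still upload the root certificate (`--root-cert-name` and `--root-cert-data`) and then produce the client package with `az network vnet-gateway vpn-client generate`. The script deliberately leaves those out and only checks the tunnel/authentication pairing and the address pool.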
4. Exam Tips – What You Must Know
- IKEv2 is fastest, native on Windows and macOS, supports certificate or RADIUS authentication (not Entra ID), and needs outbound UDP 500 and 4500.
- OpenVPN is most flexible, supports all platforms, and passes most firewalls because it uses TCP 443.
- SSTP is the fallback for Windows-only clients on networks that allow only TCP 443, and the only option on the Basic gateway SKU.
- You can enable multiple tunnel types for the same P2S VPN: IKEv2 + OpenVPN or IKEv2 + SSTP, never OpenVPN + SSTP.
- When configuring, you must select authentication type, address pool, and tunnel type.
- Remember that Microsoft Entra ID (formerly Azure AD) authentication is only supported for OpenVPN, not for IKEv2 or SSTP.
5. Quick Visual Summary
| Tunnel Type | Platforms | Firewall Friendly | Speed | Use Case |
|---|---|---|---|---|
| IKEv2 | Windows, macOS, Linux | Medium | Fast | Windows VPN clients |
| OpenVPN | Windows, macOS, Linux, iOS, Android | High | Medium | Cross-platform VPN access |
| SSTP | Windows only | High | Slow | Legacy Windows or blocked network |
✅ Bottom line for exam:
When selecting and configuring a P2S VPN tunnel type in Azure, you choose based on client OS, network restrictions, and performance needs, configure the VPN gateway with the proper address pool and authentication, and optionally enable multiple tunnel types to support different users.
