Specify Azure requirements for Always On VPN

2.2 Point-to-Site (P2S) VPN Connectivity

📘Microsoft Azure Networking Solutions (AZ-700)


Overview

Always On VPN is a type of Point-to-Site (P2S) VPN that automatically connects devices (like laptops or desktops) to your Azure Virtual Network (VNet) whenever the device has internet access. It’s always “on,” so users don’t have to manually start the VPN connection.

This is useful for organizations where employees or IT devices need constant secure access to Azure resources, such as file servers, databases, or management tools.


Key Requirements for Azure Always On VPN

To implement Always On VPN, there are some specific Azure and Windows requirements. Let’s divide them into categories.


1. Azure Infrastructure Requirements

  1. Azure Virtual Network (VNet)
    • You need a VNet to host your resources.
    • The VPN clients will connect to this VNet via the VNet gateway.
    • The VNet must have an address space that does not overlap with client networks (to avoid routing issues).
  2. Azure VPN Gateway (P2S VPN)
    • Always On VPN uses the Point-to-Site (P2S) VPN feature of Azure VPN Gateway.
    • Supported gateway SKUs for Always On VPN:
      • VpnGw1, VpnGw2, VpnGw3, VpnGw4, VpnGw5
    • The SKU determines throughput, concurrent connections, and features. For most Always On VPN scenarios, VpnGw1 or VpnGw2 is enough.
    • Must be Route-based VPN, not policy-based.
  3. Certificates or Authentication
    Always On VPN with Azure P2S supports the following authentication methods (the first two are the primary ones):
    • Azure Active Directory (Azure AD) authentication
      • Requires devices to be Windows 10/11 Enterprise or Pro.
      • Devices must be Azure AD joined or hybrid Azure AD joined.
    • Certificate-based authentication
      • Requires root CA and client certificates.
      • Devices need the client certificate installed to authenticate automatically.
    • RADIUS authentication (optional)
      • For integration with on-premises authentication.
  4. DNS Configuration
    • Always On VPN devices need to resolve internal names (servers, services).
    • Configure Azure VNet DNS or custom DNS servers in the VNet.
    • Required for access to internal resources like file servers or domain controllers.
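The Azure side of the requirements above (a VNet with a GatewaySubnet and custom DNS, a route-based gateway on a VpnGw SKU, a P2S address pool, IKEv2, and a root CA certificate for client authentication) can be provisioned with the Az PowerShell module. The following is an added example, not code from the original page or from Microsoft; every resource name, address range and the certificate path are assumed placeholders you would replace with your own.

```powershell
# Added example (not from the original page): provisions the Azure side of an
# Always On VPN (P2S) deployment with the Az PowerShell module.
# Prerequisites: Install-Module Az; Connect-AzAccount; an existing resource group.
$rg       = 'rg-alwayson-demo'   # assumed
$location = 'westeurope'         # assumed

# 1. VNet with a dedicated gateway subnet. The subnet MUST be named 'GatewaySubnet'.
#    -DnsServer points clients at an internal DNS server (e.g. a domain controller)
#    so they can resolve internal names once connected.
$gwSubnet  = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.10.255.0/27'
$appSubnet = New-AzVirtualNetworkSubnetConfig -Name 'snet-servers'  -AddressPrefix '10.10.1.0/24'
$vnet = New-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg -Location $location `
    -AddressPrefix '10.10.0.0/16' -Subnet $gwSubnet, $appSubnet -DnsServer '10.10.1.4'

# 2. Public IP the clients will dial.
$pip = New-AzPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $rg -Location $location `
    -AllocationMethod Static -Sku Standard

$gwSubnetRef = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$ipConfig = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconfig' `
    -SubnetId $gwSubnetRef.Id -PublicIpAddressId $pip.Id

# 3. Root CA public certificate (exported as .cer WITHOUT the private key).
#    Only the public portion goes to Azure; clients hold certs issued by this CA.
$rootCerPath = 'C:\certs\P2SRootCert.cer'   # assumed path
$rootCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $rootCerPath
$rootBase64 = [System.Convert]::ToBase64String($rootCert.RawData)
$p2sRoot = New-AzVpnClientRootCertificate -Name 'P2SRootCert' -PublicCertData $rootBase64

# 4. Route-based gateway (policy-based gateways do not support P2S) on a VpnGw SKU,
#    with the client address pool, IKEv2 as the tunnel protocol and the root cert.
#    The pool must not overlap the VNet or any on-premises range.
$gw = New-AzVirtualNetworkGateway -Name 'vpngw-hub' -ResourceGroupName $rg -Location $location `
    -IpConfigurations $ipConfig -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1 `
    -VpnClientAddressPool '172.16.201.0/24' -VpnClientProtocol IkeV2 `
    -VpnClientRootCertificates $p2sRoot

# 5. Confirm the properties the exam cares about: type, SKU, pool and protocol.
$gw | Select-Object Name, GatewayType, VpnType, @{ n = 'Sku'; e = { $_.Sku.Name } }
$gw.VpnClientConfiguration.VpnClientAddressPool.AddressPrefixes
$gw.VpnClientConfiguration.VpnClientProtocols
```

Gateway creation is slow (typically 30 to 45 minutes), so in practice the last step is run after the deployment completes. Keeping the root CA private key off Azure is deliberate: the gateway only needs to validate client certificates, never issue them.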

2. Device Requirements

  1. Operating System
    • Windows 10/11 Enterprise, Education, or Professional editions.
    • Always On VPN uses the Windows built-in (native) VPN client; third-party VPN clients are not supported.
  2. Device Join Type
    • Azure AD joined, Hybrid Azure AD joined, or Active Directory domain-joined.
    • Required for authentication via Azure AD or certificates.
  3. VPN Client Configuration
    • Configured via Windows VPN client, usually deployed automatically via Intune or Configuration Manager.
    • Configuration includes:
      • VPN server address (Azure VPN Gateway public IP or DNS name)
      • Authentication method (Azure AD, certificate, or RADIUS)
      • Split tunneling settings (optional, for routing only specific traffic through VPN)
  4. Network Connectivity
    • Devices must have internet access to reach Azure VPN Gateway.
    • Always On VPN supports automatic reconnection if the internet connection drops.

3. Security Requirements

  1. Encryption
    • Always On VPN supports IKEv2 or SSTP protocols.
    • IKEv2 is preferred for better performance and automatic reconnection.
  2. Conditional Access (Optional but recommended)
    • Use Azure AD Conditional Access to enforce multi-factor authentication (MFA) or restrict access based on device compliance.
  3. Certificates (for certificate-based authentication)
    • Root CA certificate installed on VPN Gateway.
    • Client certificate installed on each device.

4. Network Routing Requirements

  • Address Spaces: VPN client IP address pool should not overlap with VNet or on-premises networks.
  • Route Configuration:
    • Default route (0.0.0.0/0), also called force tunnelling: use it when all client traffic, including internet traffic, should go through the VPN.
    • Split-tunnel routes: use them when only traffic for internal prefixes should go through the VPN, while internet traffic uses the device's local connection.

5. Deployment and Management Requirements

  1. Deployment Tools
    • Microsoft Endpoint Manager (Intune) for automatic deployment of VPN profiles.
    • PowerShell or configuration scripts for manual deployment.
  2. Profile Management
    • VPN profile configuration XML or Windows 10/11 VPN profile packages.
    • Profiles define server address, authentication method, routing, and tunnel settings.
  3. Monitoring
    • Use Azure Monitor, Network Watcher, or VPN diagnostic logs to check connection status and troubleshoot issues.
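Sections 2.3 and 5.2 describe the VPN profile (server address, authentication, routing, Always On flag) as an XML document pushed to the device. The following added example, which is not code from the original page or from Microsoft, shows what such a ProfileXML looks like for an Azure P2S gateway using IKEv2 with machine-certificate authentication and split tunnelling, and writes it to the Windows VPNv2 configuration service provider through the WMI bridge, which is what a manual PowerShell deployment does where Intune is not available. The profile name, gateway FQDN and route prefixes are assumed placeholders.

```powershell
# Added example (not from the original page): builds an Always On VPN device-tunnel
# ProfileXML for an Azure P2S gateway and deploys it via the VPNv2 CSP (WMI bridge).
# Run as SYSTEM (e.g. from a management agent) on a Windows 10/11 Enterprise device
# that already holds a machine certificate issued by the root CA uploaded to Azure.

$ProfileName = 'AlwaysOn-Azure-Device'                        # assumed
$ServerName  = 'azuregateway-PLACEHOLDER.vpn.azure.com'       # placeholder: take the real FQDN from the Azure VPN client package
$Routes      = @('10.10.0.0/16', '10.20.0.0/16')              # assumed: VNet prefixes to reach over the tunnel

# Split tunnel: only the listed prefixes are routed into the VPN interface.
$routeXml = ($Routes | ForEach-Object {
    $addr, $len = $_.Split('/')
    "  <Route><Address>$addr</Address><PrefixSize>$len</PrefixSize></Route>"
}) -join "`n"

$ProfileXML = @"
<VPNProfile>
  <NativeProfile>
    <Servers>$ServerName</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
$routeXml
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <RegisterDNS>true</RegisterDNS>
</VPNProfile>
"@

# The CSP stores the profile as an XML-escaped string inside the ProfileXML node.
$EscapedXML = $ProfileXML -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'
$ProfileNameEscaped = $ProfileName -replace ' ', '%20'

$namespace  = 'root\cimv2\mdm\dmmap'
$className  = 'MDM_VPNv2_01'
$nodeCSPURI = './Vendor/MSFT/VPNv2'
$session    = New-CimSession

# Replace any stale copy of the same profile, then create the new instance.
$existing = Get-CimInstance -Namespace $namespace -ClassName $className -CimSession $session |
    Where-Object { $_.InstanceID -eq $ProfileNameEscaped }
if ($existing) { Remove-CimInstance -CimInstance $existing -CimSession $session }

$newInstance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespace
$newInstance.CimInstanceProperties.Add([Microsoft.Management.Infrastructure.CimProperty]::Create('ParentID',   $nodeCSPURI,         'String', 'Key'))
$newInstance.CimInstanceProperties.Add([Microsoft.Management.Infrastructure.CimProperty]::Create('InstanceID', $ProfileNameEscaped, 'String', 'Key'))
$newInstance.CimInstanceProperties.Add([Microsoft.Management.Infrastructure.CimProperty]::Create('ProfileXML', $EscapedXML,         'String', 'Property'))
$session.CreateInstance($namespace, $newInstance) | Out-Null

# Verify: the connection should exist for all users, use IKEv2 and be split-tunnelled.
Get-VpnConnection -AllUserConnection | Where-Object Name -eq $ProfileName |
    Select-Object Name, ServerAddress, TunnelType, SplitTunneling
```

A device tunnel authenticates with the machine certificate and comes up before any user signs in, which is why it must be written in the SYSTEM context; a user tunnel (the more common Azure P2S case) would instead carry a user certificate via EAP and be created in the user's session. The verification step at the end is the same one you would run when troubleshooting a device that reports "connected" but cannot reach internal resources: a missing route or a wrong server address shows up there before any packet capture is needed.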

Exam Focus Points

When studying for AZ-700, focus on:

  • Always On VPN requires a Route-based VPN Gateway.
  • Supported gateway SKUs: VpnGw1–VpnGw5.
  • Devices must be Windows 10/11 Enterprise/Pro, Azure AD joined or hybrid Azure AD joined.
  • Authentication options: Azure AD, certificate, or RADIUS.
  • VPN profile deployment: via Intune, Configuration Manager, or manual.
  • Routing: know the difference between split tunnel vs default route.
  • DNS & network requirements: internal DNS access and non-overlapping address spaces.
  • Optional but good to know: Conditional Access and MFA integration.