Azure Networking - #10 - AAD VPN

  • Published 14 Dec 2019
  • Learn how to set up a Client VPN with Azure AD Authentication and MFA today at The Azure Academy
    Patreon - / azureacademy
    Twitter - / msazureacademy
    LinkedIn- / dean-cefola-2902934b
    WebSite - msazureacademy.com
    Azure Docs on P2S - 1:17
    Create VPN Gateway - 2:47
    Create AzureAD VPN - 7:33
    Config AzureAD VPN - 8:58
    Setup Azure MFA - 10:07
    Tie it all together - 12:00
    AzureAD VPN Client - 15:09
    What's next...?
    #TheAzureAcademy #AzureFundamentals #AzureADVPN
  • Science & Technology

COMMENTS • 93

  • @masoudhoghooghi1158 4 years ago +3

    Thanks Dean for another great presentation.

  • @ExpertInvisible 4 years ago +1

    Another excellent feature by Microsoft and thanks Dean to show us this 👍

  • @SOTOSKAWASAKI 4 years ago +1

    Excellent video Dean! Keep up the good work pls.

    • @AzureAcademy 4 years ago +1

      Thanks for the feedback Sotiris!

  • @willembont4790 3 years ago +1

    Excellent videos! Thanks for sharing your knowledge.

    • @AzureAcademy 3 years ago +1

      Happy to help...let me know what other videos you are interested in us making for you

  • @rainekimyu5549 4 years ago +1

    Excellent share. Thanks Azure Academy!

  • @mitchellmeadows1815 3 years ago +2

    Thanks Dean for the video, great stuff! Will this work with an existing Virtual Network? Meaning, am I able to add a VPN gateway to the Virtual one I have that is already linked to my on-premise network? Or will I need to create another and then link them somehow?

    • @AzureAcademy 3 years ago +1

      You can create a gateway subnet and set up the VPN. You may have to take off peers or other connections to your network, then put them back...assuming that they don't overlap.
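
The steps the video walks through (add a GatewaySubnet to an existing VNet, create the gateway, enable Azure AD authentication on it) as an added PowerShell example. This is not code from the video or the channel; it extends Dean's reply above with a check that the point-to-site client pool does not overlap the VNet or any VNet it is peered with, which is the "assuming they don't overlap" caveat made concrete. It also shows where the gateway generation asked about later in the thread is chosen: it is a parameter of New-AzVirtualNetworkGateway at creation time, while Resize-AzVirtualNetworkGateway changes only the SKU. Resource group, VNet, region, address prefixes and the tenant ID are placeholders; the audience ID is the Azure VPN application ID Microsoft documents for the Azure public cloud (Azure Government uses a different value, which is why a commercial-cloud profile fails there). Enforcing MFA on that enterprise application is done in the portal, as in the video, and is not scripted here.

```powershell
# Added example (not from the video). Requires the Az.Network module and a prior Connect-AzAccount.
# All names, prefixes and the tenant ID below are placeholders.

function ConvertTo-IPv4Range {
    # Return the first and last address of an IPv4 CIDR block as 64-bit integers
    param([Parameter(Mandatory)][string]$Cidr)
    $ip, $prefix = $Cidr.Split('/')
    $prefix = [int]$prefix
    $b = [System.Net.IPAddress]::Parse($ip).GetAddressBytes()
    $addr  = ([long]$b[0] -shl 24) -bor ([long]$b[1] -shl 16) -bor ([long]$b[2] -shl 8) -bor [long]$b[3]
    $size  = [long]1 -shl (32 - $prefix)
    $start = $addr - ($addr % $size)          # floor to the block boundary
    [pscustomobject]@{ Start = $start; End = $start + $size - 1 }
}

function Test-CidrOverlap {
    # True when the two IPv4 CIDR blocks share at least one address
    param([Parameter(Mandatory)][string]$A, [Parameter(Mandatory)][string]$B)
    $ra = ConvertTo-IPv4Range $A
    $rb = ConvertTo-IPv4Range $B
    return ($ra.Start -le $rb.End) -and ($rb.Start -le $ra.End)
}

$rg         = 'rg-network'                            # placeholder
$location   = 'eastus'                                # placeholder
$vnetName   = 'hub-vnet'                              # existing VNet, placeholder
$tenantId   = '00000000-0000-0000-0000-000000000000'  # your Azure AD tenant ID (placeholder)
$gwPrefix   = '10.0.255.0/27'                         # GatewaySubnet, /27 or larger
$clientPool = '172.16.201.0/24'                       # addresses handed out to VPN clients

$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg

# The client pool must not collide with the VNet or with anything it is peered to
$spaces = @($vnet.AddressSpace.AddressPrefixes)
foreach ($peer in $vnet.VirtualNetworkPeerings) {
    $spaces += $peer.RemoteVirtualNetworkAddressSpace.AddressPrefixes
}
foreach ($space in $spaces) {
    if (Test-CidrOverlap $clientPool $space) { throw "Client pool $clientPool overlaps $space" }
}

# 'GatewaySubnet' is a name Azure requires; add it only if the VNet does not have one yet
if (-not ($vnet.Subnets | Where-Object { $_.Name -eq 'GatewaySubnet' })) {
    $vnet = Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix $gwPrefix -VirtualNetwork $vnet |
            Set-AzVirtualNetwork
}
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet

$pip = New-AzPublicIpAddress -Name 'vpngw-pip' -ResourceGroupName $rg -Location $location `
           -AllocationMethod Static -Sku Standard
$ipConf = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconf' -SubnetId $gwSubnet.Id -PublicIpAddressId $pip.Id

# Generation is fixed here, at creation; Resize-AzVirtualNetworkGateway later changes only the SKU
$gw = New-AzVirtualNetworkGateway -Name 'vpngw' -ResourceGroupName $rg -Location $location `
          -IpConfigurations $ipConf -GatewayType Vpn -VpnType RouteBased `
          -GatewaySku VpnGw2 -VpnGatewayGeneration Generation2

# Azure AD auth is OpenVPN-only. Tenant URI has no trailing slash; issuer URI must end with one.
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw `
    -VpnClientAddressPool  $clientPool `
    -VpnClientProtocol     OpenVPN `
    -VpnAuthenticationType AAD `
    -AadTenantUri  "https://login.microsoftonline.com/$tenantId" `
    -AadAudienceId '41b23e61-6c1e-4545-b367-cd054e0ed4b4' `
    -AadIssuerUri  "https://sts.windows.net/$tenantId/" | Out-Null

# Download URL for the client profile package that the Azure VPN Client imports
(New-AzVpnClientConfiguration -Name 'vpngw' -ResourceGroupName $rg -AuthenticationMethod EapTls).VpnProfileSASUrl
```

The overlap check runs before any resource is touched, so a bad pool fails the script instead of producing a gateway whose clients cannot reach the peered networks. The two URI formats are the ones the portal wizard expects as well; getting a slash wrong is a common cause of the client-side token and "control packet" failures reported in this thread, though those reports were not diagnosed here.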

  • @786MHussain 4 years ago +1

    Excellent , very helpful

    • @AzureAcademy 4 years ago +1

      That is awesome to hear, thanks!

  • @siddarthmishra154 4 years ago +1

    Hi Dean, thanks for the excellent tutorial. Just want to ask, is it possible to configure Azure MFA for server without using NPS configuration?

    • @AzureAcademy 4 years ago +1

      Thanks for the feedback Siddarth! Azure MFA does NOT use MFA server. It is a completely cloud based service. No NPS needed.
      Thanks for the question

  • @CosminRusu154 4 years ago +2

    Hi, thank you for the training! I have one problem at the end of this setup.
    When I try to connect I have this message: "Failure in acquiring AAD Token: Provider Error 87: The parameter is incorrect."
    Can you help with any suggestion, please?
    Or did somebody else have this issue?
    Thank you!

    • @AzureAcademy 4 years ago +1

      I have not run into that issue and just from a quick search I can't find it.
      I would suggest opening a support ticket.
      In the top right of the Azure portal you can click the ? and open a ticket

  • @ilannknochen 4 years ago +1

    6:10 active-active is not about the zone, but a different deployment that'll include another gateway

    • @AzureAcademy 4 years ago +1

      Correct...active-active will deploy another gateway...and then they are load balanced, i.e. highly available.
      Another option for HA is building across availability zones...
      so instead of 2 gateways in 1 datacenter I can have 2 or 3 gateways (depending on the region) built across zones.
      This makes my gateways zone redundant and the service of my VPN...more highly available.

  • @tomasanderson68 2 years ago +1

    Thank you

  • @ilangoswamy8456 1 year ago +1

    Hi Dean,
    This will help in moving away from the firewall. Do we have something for web filtering firewall so then we can also move away from Fortigate which is being currently used

    • @AzureAcademy 1 year ago +1

      Azure Premium Firewall, check it out
      👉 ua-cam.com/video/GrOz2Le9VZ0/v-deo.html

  • @grahambrown5874 4 years ago +1

    Is there a usable Windows 10 built-in VPN client that can be used with Azure and uses SSL (port 443) and AAD and doesn't require administrator-level privilege for the client to connect? The Azure client requires administrator privilege to add entries to the route table, and this is no use to me because users don't have admin privilege.

    • @AzureAcademy 4 years ago +1

      you might want to look at the video I did on Open VPN - ua-cam.com/video/OTAjPrfKS5U/v-deo.html

  • @rayc723 3 years ago +1

    Hi, this is a great vid, really detailed and at the edge of breaking news about Azure - thanks heaps. And what I really want to know is the next 10 seconds after you finished - what is the user experience when they want to log in to their remote app on Azure? You showed the connection succeeding, but what happens next? What does the user have to do to see their remote app icon? Does it just 'pop up', or is there a link or a URL or what? Sorry to be such a newbie but from years of dev work, I'm now struggling with admin concepts.

    • @AzureAcademy 3 years ago +1

      no worries. The VPN experience is the same on all Windows 10 VPNs. Once connected it just works...so there is no visual indication that you are connected to the VPN if you don't go looking for it.
      This makes the experience more seamless

    • @ace00007 2 years ago +1

      @AzureAcademy It looks like this is different than the Windows 10/11 Always On VPN. Are there benefits to doing it this way? Any articles on deploying the supporting infrastructure for Always On VPN into Azure?

    • @AzureAcademy 10 months ago +1

      Open VPN can help ua-cam.com/video/OTAjPrfKS5U/v-deo.htmlsi=R9uH9MgKoJ-hWTt4

  • @cloudpachehra1113 4 years ago +2

    Awesome as always....Please make a video on Azure AD auth for Azure storage accounts..

    • @AzureAcademy 4 years ago +1

      Do you mean Azure AD Auth for Azure Files? I covered this in a WVD Video on Azure AD Domain Services...which is required for this to work today. ua-cam.com/video/Uayv69FZlyI/v-deo.html
      Did you have another Azure AD auth in mind?
      can you send me a link to see what you are looking for?

  • @BijouBakson 4 years ago +1

    Thank you.

  • @JuanCamiloSR1 4 years ago +1

    It says it is available for Azure Gov, but I haven't been able to set it up. In my commercial account I already did it, but I need to do it in the Gov account, in which I get a bunch of different errors. Adding the VPN Enterprise application fails with the URL provided, but anyway the application is added, but then the process fails in the client connection.

    • @AzureAcademy 4 years ago +1

      It is available in GOV, however, I don’t have gov cloud access so I have not tested it.
      I would suggest opening a case with support to resolve the issue

  • @SatzingerLucas 4 years ago +1

    Excellent video Dean! Do you know if a macOS client will be available?

    • @AzureAcademy 4 years ago +2

      Not sure on that one...i will ask around and let you know, if I can

  • @alecpayne8851 2 years ago +1

    Hi Dean, I currently have this configured successfully. I'd like to configure this to incorporate Conditional Access so that remote users cannot access certain resources unless on this VPN. I wanted to create the policy to look for a range of IPs (the public IP of Azure Vnet), but It doesn't look like this VPN method changes the public IP of the endpoint that's connecting.
    Any suggestions?

    • @AzureAcademy 2 years ago +1

      when on a VPN you have 2 IPs. The Internet IP and the VPN IP.
      So it depends on which application they are trying to access and which IP the system thinks they are coming from. In Conditional Access you have to select your application, and generally those apps / Azure AD Apps are looking at Internet IPs. So it depends on the app.

  • @sushantchavan4774 4 years ago +1

    "Server did not respond properly to VPN Control Packets. Session State: Key Material sent" - this error happened; I also added a "/" to the tenant and issuer.

    • @AzureAcademy 4 years ago +1

      Never ran into that error, at what point in the process did you get this...or can you give me a time index in the video so I know what step you are on.

  • @idanmashta 2 years ago +1

    Thank you so much, can you please help with the following?
    I did everything in the video and established a connection.
    Now the IP I get is the IP from the internal range I configured, 172.18., and the public IP of my ISP, 77.100.
    I don't get the public IP of the PIP resource that is associated with the gateway, 20.126.
    I will need to add an RDP inbound rule on all VMs for all connected users; how can I do that if the VM sees my ISP public IP?
    Shouldn't we get the PIP of the gateway like in other 3rd-party VPNs? For example "Perimeter 81".
    My point is, how can all the company users get the same public IP when they connect to the Azure VPN I configured? NAT?
    Thanks so much, I hope it's clear..

    • @AzureAcademy 2 years ago +2

      When connecting to a Client VPN you don’t get the gateway public ip assigned to you, you are supposed to get the 172.18 ip. Since you are on a VPN you are already on the same network as the other VMs in Azure. So your inbound rule should come from the 172.18 ip range
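
Dean's point above, that VPN clients source traffic from the point-to-site client pool and not from the gateway's public IP, as an added PowerShell example (not code from the video or the channel). It reads the pool from the gateway rather than hard-coding it, then writes NSG rules that admit RDP only from that pool and explicitly refuse it from the Internet service tag, so the rule follows the pool if it is ever changed. The gateway, NSG and resource group names are placeholders.

```powershell
# Added example (not from the video). Names are placeholders; Az.Network and Connect-AzAccount assumed.
$rg      = 'rg-network'
$gwName  = 'vpngw'
$nsgName = 'nsg-vms'     # NSG attached to the VM subnet or NICs

# The addresses VPN clients actually come from: the P2S pool, not the gateway's public IP
$gw    = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg
$pools = @($gw.VpnClientConfiguration.VpnClientAddressPool.AddressPrefixes)
if ($pools.Count -eq 0) { throw "Gateway $gwName has no point-to-site client pool configured" }

$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $rg

# Drop any earlier version of the two rules so the script can be rerun safely
foreach ($name in 'Allow-RDP-From-P2S', 'Deny-RDP-From-Internet') {
    if ($nsg.SecurityRules | Where-Object { $_.Name -eq $name }) {
        $nsg = Remove-AzNetworkSecurityRuleConfig -Name $name -NetworkSecurityGroup $nsg
    }
}

# Allow RDP only from the client pool(s); SourceAddressPrefix accepts an array of prefixes
$nsg = Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name 'Allow-RDP-From-P2S' `
    -Priority 100 -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $pools -SourcePortRange '*' `
    -DestinationAddressPrefix 'VirtualNetwork' -DestinationPortRange 3389

# Explicit deny from the Internet service tag, evaluated before any lower-priority allow rule
$nsg = Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name 'Deny-RDP-From-Internet' `
    -Priority 110 -Direction Inbound -Access Deny -Protocol Tcp `
    -SourceAddressPrefix 'Internet' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3389

$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Show the resulting inbound RDP rules in evaluation order
$nsg.SecurityRules |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.DestinationPortRange -contains '3389' } |
    Sort-Object Priority |
    Format-Table Name, Priority, Access, @{ n = 'Source'; e = { $_.SourceAddressPrefix -join ',' } }
```

The default DenyAllInbound rule already blocks RDP from the Internet; the explicit deny at priority 110 is there so a later, broader allow rule with a higher priority number cannot quietly reopen the port.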

    • @idanmashta 2 years ago +1

      @AzureAcademy Thank you so much. Have another question please, how do I connect to an Azure service like SQL with only a public IP?

    • @AzureAcademy 2 years ago +1

      SQL and all Azure PaaS solutions have public endpoints for you to connect to
      How you do it depends on the service

  • @it-rules 1 year ago +1

    Hi, thanks for the video. I have a problem, I don't know where to download the Root CA certificate, when I import the configuration I don't get this

    • @AzureAcademy 1 year ago +1

      14:50 in the video shows where the root cert is

  • @sidzhang 3 years ago

    Hi Dean,
    When I am reading the doc for VPN Gateway, I saw SKU VpnGw2 has both Generation 1 and Generation 2, but I searched all around Internet, I didn't find where to select the Generation when I am creating the VPN GW in Azure Portal.
    Do you know what is the default generation for that SKU?
    docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings#benchmark
    Thanks

    • @AzureAcademy 3 years ago

      The default across Azure is generally to use the latest generation, but you can specify the generation by deploying this with PowerShell...like this
      # get the existing gateway object by name and resource group
      $gw = Get-AzVirtualNetworkGateway -Name vnetgw1 -ResourceGroupName testrg
      # resize that gateway to the VpnGw2 SKU
      Resize-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -GatewaySku VpnGw2

    • @sidzhang 3 years ago +1

      @AzureAcademy Oh I see, thanks Dean, you are great.

    • @AzureAcademy 10 months ago +1

      👍👍

  • @gauravkumar796 3 years ago +1

    On our company device we have to use the company VPN all the time.. is it even possible to work with this setup of having an additional VPN?

    • @AzureAcademy 3 years ago +2

      Yes, your computer can have multiple VPNs installed on it.
      As to what you have to do to follow corporate policy is another story 😵‍💫

  • @ahmadhalaby2011 4 years ago +1

    Hi, is there a way to use it for Mac users? (I'm using open ssl with AAD)

    • @AzureAcademy 4 years ago +1

      not that I know of...the docs -docs.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-client show the windows experience here...so you can run windows in your Mac, but I don't see native Mac support for this method.

  • @mohammedhisham6114 2 years ago +1

    Thank you Dean for this tutorial! would it be possible to make another one on how to connect MacBook with Azure VM (Windows) through VPN P2S setting?

    • @AzureAcademy 2 years ago +2

      Great suggestion...however...I don't have a MacBook ☹️ If you know where / how I can get a virtual MacBook or a VM running MacOS I'd love to make it!

    • @mohammedhisham6114 2 years ago +1

      @AzureAcademy ua-cam.com/video/SFq4Sdx16cA/v-deo.html&ab_channel=OnlineComputerTips

    • @AzureAcademy 10 months ago +2

      Cool

  • @MuhammadFarhan-tg3pd 4 years ago +2

    Excellent work Dean, Your Az Academy videos have been extremely helpful in learning new Azure Features , Would it be possible to cover Azure AD B2B and Azure AD B2C authentication with SSO in future learning series, Best Regards - Farhan

    • @AzureAcademy 4 years ago +2

      Thanks Muhammad! I am not familiar with setting up B2B or B2C, but I will look into it and see what I can do.
      Thanks for the suggestion...stay tuned!

    • @SOTOSKAWASAKI 4 years ago +1

      @AzureAcademy I would like as well to see such content if possible. Thanks for your time and efforts!

    • @AzureAcademy 4 years ago +1

      looking into this...stay tuned.
      can you tell me some use cases you are thinking about so I have some direction on this topic...it is a big one!

    • @AzureAcademy 4 years ago +1

      this is not one of my main areas, so I am still learning as well!
      I am reaching out to other experts in this area.
      stay tuned!

    • @SOTOSKAWASAKI 4 years ago +1

      @AzureAcademy One scenario would be 2 organizations with 2 separate tenants wanting to collaborate/access resources from each other, or communicating using Teams in a B2B manner.

  • @rvt20s 3 years ago +1

    Hi Dean - Can I use the OpenVPN client and use Azure AD authentication ?

    • @AzureAcademy 3 years ago +2

      no, not like I showed in this video...OpenVPN doesn't do that.

    • @rvt20s 3 years ago +1

      @AzureAcademy Thanks for the response.

    • @AzureAcademy 3 years ago +1

      👍👍

  • @AlaVRSim 3 years ago +1

    Did anyone try to deploy it with Intune? Especially for macOS

    • @AzureAcademy 3 years ago +2

      Good question Ala…I have used Intune to deploy the windows agent, but not Mac

    • @AlaVRSim 3 years ago +1

      @AzureAcademy I was trying it for the last few days. I deployed the client but couldn't push the XML file or configure auto-connect.

    • @AzureAcademy 3 years ago +2

      Remember @AlaVRSim, if all else fails you can create a script and have that do all the magic 😎

  • @Alexander-James 3 years ago +1

    Is this a better way to watch USA Netflix than to get a VPN? This seems cheaper and higher bandwidth.

    • @AzureAcademy 3 years ago +1

      LOL interesting question. A VPN can help you to appear like you are in another location but it is an encrypted tunnel so you may have to watch at 720p instead of 1080p
      😜

    • @Alexander-James 3 years ago +1

      @AzureAcademy Ok, that makes sense. I was reading that other people tried to do this, and Netflix has blocked Azure and AWS servers.

    • @AzureAcademy 3 years ago +1

      @Alexander-James LOL wow! I had not heard that!

    • @Alexander-James 3 years ago +1

      @AzureAcademy Yeah, if you think about it, it makes sense because you can make a VPN (that you can turn on and off) that would give you enough bandwidth for 4k. So they would want to close those loopholes to enforce their licensing. There are services such as "Nod VPN" which many people use to get American Netflix, but the quality isn't as good because of the bandwidth / amount of users using it. It seems like you can use an AWS, Azure, Google Cloud VPN or VM to access Netflix because they blocked those IPs.

    • @Alexander-James 3 years ago +1

      @AzureAcademy I think the loophole would be to have someone in the USA co-own the VPN and give the Azure authentication. I think then it would work.

  • @sushantchavan4774 4 years ago +1

    How will it work?? Any idea?

    • @AzureAcademy 4 years ago +1

      I use it every day and find it works very well...good performance and stability.

  • @jt099 3 years ago

    Looks like the steps have already changed in the Azure AD documentation. No longer need to enter the PS scripts.

    • @AzureAcademy 3 years ago

      True, but it still works for those who prefer scripting.

  • @Srv02 4 years ago +1

    You better want to also blur out the Code and URL for your MFA Token, not just the QR Code. ;)
    Anyways, awesome tutorial!

    • @AzureAcademy 4 years ago +2

      I generally don’t blur out secrets if I destroy the resource once the video has been created...but thanks!

    • @Srv02 4 years ago +1

      Azure Academy Yeah, I expected something like that, as it is only a test environment and was recorded some time ago already. On the other hand, I see so many credentials flying around in the wild, getting published on GitHub etc. that I just had to leave a comment, just to be 100% sure.

    • @AzureAcademy 4 years ago +2

      Thanks very much for pointing this out...much appreciated!