Azure Virtual Network Gateway provides the ability to connect to your Azure Virtual Network with Azure Client VPN (SSL) connections using your Azure AD or hybrid identity, with Multi Factor Authentication (MFA) and your Conditional Access policies.

We can have an Enterprise grade SSL VPN, with Active Directory authentication and Single Sign on (SSO) from your corporate laptops and apply all your conditional access policies, like MFA, Compliance devices, trused locations, etc.

How to create the VPN Gateway

Go to your Virtual Network’s subnets and create a Gateway subnet by clicking the “+ Gateway subnet”

Create a Virtual network gateway, by searching for the “Virtual network gateways” service and press Add.

Select “VPN”, “Route-based” and at the SKU select any size except the Basic. Basic SKU does not support Azure AD authentication.

Create a Public IP and leave all other settings default and create the Gateway.

After about 20 minutes the VPN Gateway is ready. In the meantime we will prepare the Azure AD and give concern to use the Azure AD with the Azure client VPN. Using a Global Admin account, go to the “Azure Active Directory” and copy the “Tenant ID” from the Overview blade, and keep it on a notepad.

Then copy the url and paste the below url to your browser’s address bar. You need to log in with a Global Admin non guest non Microsoft account.

https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent

With a guest or Microsoft account, even if it is Global Admin, you will be propted to login with an admin account, meaning a member work account.

Once you login with a member work Global Admin account, you can accept the permissions to create the Azure VPN application

You can navigate to the Azure Active Directory / Enterprise Application and view / manage the Azure AD application.

Open the Azure VPN enterprise application and copy the “Application ID” to a notepad.

Go to the VPN Gateway, select the “Point to site configuration” and click the “Configure now”

Add the Address Pool that you want the VPN clients to have, for Tunnel type select “OpenVPN (SSL) as it is the only type that supports Azure AD authentication.

Then use the details that you have copied to the notepad, the Tenant ID and the Application ID, and add them to the required fields and press save.

• Tenant: https://login.microsoftonline.com/paste-your-tenant-id-here
• Audience: paste-the-azure-vpn-application-id-here
• Issuer: https://sts.windows.net/paste-your-tenant-id-here/

How to Download the VPN Client and Connect to the Gateway

Download the VPN client, using the button.

Extrack the downloadded zip file

And at the AzureVPN folder you will find the configuration xml.

Open the Microsoft Store and get the Azure VPN Client

Open the Azure VPN Client and at the lower left corner, press the + and Import the xml configuration file

accept all the settings and press save

The Azure VPN connection will appear at the Azure VPN client and also at the Windows 10 network connections, like any other VPN

Azure VPN Client:

Windows 10 Network Connections:

Once you press connect, it will prompt you to connect using the account(s) that you are already using at your Windows 10 machine, or use a different account

You will be prompted for MFA or any other conditional access policy you have applied, and the you will be connected.

Conditional Access & Multi-Factor Authentication (MFA)

You can add Conditional Access to the Azure client VPN connection. Go to Azure Active Directory / Security / Conditional Access and create a new Policy.

Select the “Azure VPN” at the “Cloud apps or actions” section

At the Access Controls / Grand section, you can require multi-factor authentication, or AD Joined device, or compliant device, or all of that

At the “Conditions” section you can controll the location that the policy will apply. Lets say, you can apply the MFA requirement at “Any location” and exclude the “Trusted locations”, in order to not require MFA when the device is at a trusted location, like your company’s network.

Pantelis Apostolidis

Pantelis Apostolidis is a Sr. Specialist, Azure at Microsoft and a former Microsoft Azure MVP. For the last 20 years, Pantelis has been involved to major cloud projects in Greece and abroad, helping companies to adopt and deploy cloud technologies, driving business value. He is entitled to a lot of Microsoft Expert Certifications, demonstrating his proven experience in delivering high quality solutions. He is an author, blogger and he is acting as a spokesperson for conferences, workshops and webinars. He is also an active member of several communities as a moderator in azureheads.gr and autoexec.gr. Follow him on Twitter @papostolidis.

www.cloudcorner.gr

The post Azure Client VPN with Azure AD auth & MFA | Step by step guide appeared first on Apostolidis Cloud Corner.

Azure Private Link is a new service, currently in Preview, that provides private connectivity from a virtual network or an on-premises network with Site-2-Site VPN to Azure platform as a service (PaaS) Microsoft services. Azure Private Link makes the networking a lot more simple improving the security and eliminating the need for public access.

image from: https://azure.microsoft.com/en-us/services/private-link/

Azure Private Link is a Service mapped to Azure Virtual Networks through a private endpoint. This means that all traffic is routed internally, using private IPs and connectivity, eliminating the exposure to threats. Using Private Link helps an organization to meed the compliance standards.

Azure Private Link is a Global service. It does not have regional restrictions. You can connect privately services from all the Azure Regions around the globe.

Lets Lab It!

Let’s see in practice how we can connect from an Azure VM and from our on-premises computer using VPN to an Azure SQL Database using private IPs. For the Lab I already have a Virtual Machine running Windows Server 2019 and an Azure SQL Database. The SQL Database is not connected to any networks.

Open the Azure Portal, press New and search for “Private Link”, select it and press “Create”

A nice “Getting started page” will open. Click the “Build a private connection to a service”

The “Create a private endpoint” wizard will open. Select a name for the Private Link and a Region and press Next to go to the second step.

At the second step, select to connect to the azure resource in my directory, and select the subscription where the Azure SQL Database resides. Then select the SQL Server.

At the third step, select the VIrtual Network that the Private Link will be created. I selected the network where my Virtual Machine resides. If you don’t have your own DNS server select Yes to create an Azure private DNS zone.

At the final step, review the settings and create the Private Link

After the resource creation, you can check the DNS for the Azure SQL Server Private IP Address!

And at the SQL Server, at the “Private endpoint connections” section you will see the new Private Link.

Open a Remote Desktop Connection to the Azure VM, and run a nslookup for the SQL Server name. In my case the command is:

PS C:\> nslookup plsqlsrv.database.windows.net
Server: UnKnown
Address: 168.63.129.16

Non-authoritative answer:
Name: plsqlsrv.privatelink.database.windows.net
Address: 10.0.2.5
Aliases: plsqlsrv.database.windows.net

And it returned the Private IP address of the SQL Server.

From my computer, i tried to connect to the Azure SQL Server, using the name plsqlsrv.database.windows.net and the connection failed since my Public IP Address is not allowed to access the server.

From the Azure VM I managed to connect successfully and of course internally!

After that, I added a Virtual Network Gateway to the Network and created a Point to Site VPN connection from my local computer to Azure. You can check my guide on how to do this: https://www.e-apostolidis.gr/microsoft/azure/azure-start-point-point-to-site-vpn/

In order to connect to the Azure SQL you need to either use a local DNS server to map the SQl Server name to the Azure SQL IP or add an entry to the local host file for testing.

Conclusion

Azure Private Link is in Preview and currently supports Azure SQL Database and Storage accounts. Additional services coming in preview in next 3-6 months:

• · Cosmos DB
• · App Service Vnet Integration + App Service Environment
• · Azure Kubernetes Service
• · Azure Key Vault
• · PostgreSQL
• · MySQL
• · Maria DB

Source:

https://azure.microsoft.com/en-us/services/private-link/

https://azure.microsoft.com/en-au/blog/announcing-azure-private-link/

Pantelis Apostolidis

Pantelis Apostolidis is a Sr. Specialist, Azure at Microsoft and a former Microsoft Azure MVP. For the last 20 years, Pantelis has been involved to major cloud projects in Greece and abroad, helping companies to adopt and deploy cloud technologies, driving business value. He is entitled to a lot of Microsoft Expert Certifications, demonstrating his proven experience in delivering high quality solutions. He is an author, blogger and he is acting as a spokesperson for conferences, workshops and webinars. He is also an active member of several communities as a moderator in azureheads.gr and autoexec.gr. Follow him on Twitter @papostolidis.

www.cloudcorner.gr

The post Azure Private Link | Private connection to Azure PaaS appeared first on Apostolidis Cloud Corner.

Application Security Groups helps to manage the security of the Azure Virtual Machines by grouping them according the applications that runs on them. It is a feature that allows the application-centric use of Network Security Groups.

An example is always the best way to better understand a feature. So let’s say that in a Subnet we have some Web Servers and some Database Servers. The access rules of the Subnet’s Network Security Group to allow http, https & database access to those servers will be something like this:

Using only the Network Security Groups functionality we need to add the IP addresses of the servers to use them to the access lists. There are two major difficulties here:

1. For every rule we need to add all the IPs of the servers that will be included.
2. If there is an IP address change (e.g by adding or removing a server) then all the relative rules must change.

Use Application Security Groups

Now, lets see how we can bypass this complexity by using Application Security Groups, combined with Network Security Groups.

Create two Application Security Groups, one for the Web Servers and one for the Database Servers

At the Azure Portal, search for Application Security Groups

Provide a name and a Resource Group

Create one more with name Database Servers and at the Resource Group you will have those two Application Security Groups:

Then go each Virtual Machine and attach the relevant ASG.

Click the Virtual Machine and then go to the Networking settings blade, and press the “Configure the application security groups”

Select the relevant ASG and press save:

Do the same for all your servers. Finally open the Network Security Group. Open the https rule, at my example is the “https2WebServers” rule.  Change the Destination to “Application Security Group” and for Destination application security group select the Web Servers.

Same way change the database access rule and for Source add the “Database Server” ASG and for destination the “Web Servers” ASG. Now the NSG will look like this:

Now on when removing a VM from the Web Servers farm of the Database servers cluster there is no need to change anything at the NSG. When adding a new VM, the only thing we need to do is to attach the VM to the relative Application Security Group.

A Virtual Machine can be attached to more than one Application Security Group. This helps in cases of multi-application servers.

There are only two requirements:

• All network interfaces used in an ASG must be within the same VNet
• If ASGs are used in the source and destination, they must be within the same VNet

Pantelis Apostolidis

Pantelis Apostolidis is a Sr. Specialist, Azure at Microsoft and a former Microsoft Azure MVP. For the last 20 years, Pantelis has been involved to major cloud projects in Greece and abroad, helping companies to adopt and deploy cloud technologies, driving business value. He is entitled to a lot of Microsoft Expert Certifications, demonstrating his proven experience in delivering high quality solutions. He is an author, blogger and he is acting as a spokesperson for conferences, workshops and webinars. He is also an active member of several communities as a moderator in azureheads.gr and autoexec.gr. Follow him on Twitter @papostolidis.

www.cloudcorner.gr

The post Application Security Groups to simplify your Azure VMs network security appeared first on Apostolidis Cloud Corner.