How to build a client VPN with Azure

Gavin Lewis
6 min read · Apr 2, 2020
Staff working from home can present challenges for organizations, especially for those who have been forced into fast-tracking these arrangements due to the COVID-19 virus. IT departments around the world are scrambling to implement ways to enable their colleagues to work remotely and helping keep the lights on for their employers. Thankfully, the cloud has been the new normal for around 90% of organizations in some way or form for the last few years. That being said, the cloud doesn’t just solve all your remote-working problems magically, there are often still several challenges present depending on the cloud strategy which has been adopted in your organization — SaaS, PaaS, IaaS, hybrid-cloud or a combination of them all.

Several months ago I wrote about how organizations can link their on-premises and cloud networks together using IPSec VPNs, but what about enabling employees to access these same systems and infrastructure from home? If you guessed Client VPNs you guessed right, but you are probably thinking, “this isn’t anything new, our company already has a Client VPN”, and you’d also be right. The new problem these organizations are now facing is that their current VPN infrastructure doesn’t have enough capacity to serve the demands of a fully remote workforce and is compromising the efficiency of their staff’s daily tasks. So, how can we solve this problem quickly, securely and inexpensively? By leveraging your cloud provider, of course!

In this example, I’ll walk through how you can set up a Point-to-Site VPN in Azure, though the same can be achieved on AWS. Ok — let’s get started!

Caveat: I’m assuming you already have an Azure tenant, subscription and VNet configured.

1. Create a Virtual Network Gateway

The first piece of the puzzle is to create an Azure Virtual Network Gateway to facilitate access for the outside world into your Azure VNet. The SKU you select depends on the capacity you require — the varying tiers support different bandwidth throughputs and connection limits. Any of the SKUs are fine to use except for Basic, as the Basic SKU does not support the Azure AD Authentication option which we’ll want to use later.
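As an added example (not from the original post), here is a small POSIX shell wrapper that guards the SKU choice before building the Azure CLI command for the gateway: it refuses the Basic SKU, because Basic cannot do the Azure AD authentication used later, and only emits a route-based gateway, which is what Point-to-Site with Azure AD requires. The resource names (`rg-vpn`, `vnet-hub`, `vgw-p2s`, `pip-vgw-p2s`) and the region are placeholders; it assumes the VNet already contains a `GatewaySubnet` and that the public IP resource already exists, and it prints the command rather than running it so you can review it first.

```shell
#!/bin/sh
# Added example, not the original post's code: builds an "az network vnet-gateway create"
# command for a Point-to-Site gateway and rejects the Basic SKU up front.
# All resource names and the region below are placeholders; replace them with your own.

# Gateway SKUs that support Azure AD authenticated Point-to-Site (route-based only).
ALLOWED_SKUS="VpnGw1 VpnGw2 VpnGw3 VpnGw4 VpnGw5 VpnGw1AZ VpnGw2AZ VpnGw3AZ VpnGw4AZ VpnGw5AZ"

# check_gateway_sku SKU -> returns 0 if the SKU can be used with Azure AD P2S auth, 1 otherwise
check_gateway_sku() {
  sku="$1"
  if [ "$sku" = "Basic" ]; then
    echo "refusing Basic SKU: it does not support Azure AD authentication for P2S" >&2
    return 1
  fi
  for s in $ALLOWED_SKUS; do
    [ "$s" = "$sku" ] && return 0
  done
  echo "unknown gateway SKU: $sku" >&2
  return 1
}

# build_gateway_cmd RG VNET GATEWAY_NAME PUBLIC_IP LOCATION SKU -> prints the az command
# The gateway is forced to --vpn-type RouteBased; policy-based gateways cannot serve P2S clients.
build_gateway_cmd() {
  rg="$1"; vnet="$2"; gw="$3"; pip="$4"; loc="$5"; sku="$6"
  check_gateway_sku "$sku" || return 1
  printf 'az network vnet-gateway create --resource-group %s --name %s --vnet %s --public-ip-address %s --location %s --gateway-type Vpn --vpn-type RouteBased --sku %s --no-wait\n' \
    "$rg" "$gw" "$vnet" "$pip" "$loc" "$sku"
}

# Print the command for review (placeholder names); pipe the output into sh to run it for real.
build_gateway_cmd rg-vpn vnet-hub vgw-p2s pip-vgw-p2s australiaeast VpnGw1
```

`--no-wait` returns immediately because gateway provisioning takes a long time (typically tens of minutes); check progress with `az network vnet-gateway show` before moving on to the next step.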

