To connect to a Virtual Network over VPN you need to create a virtual network gateway. There are several types of VPN you can deploy to Azure: Point-to-Site (P2S), Site-to-Site (S2S), VNet-to-VNet and an ExpressRoute circuit. In this post, I describe how a P2S connection can be configured.


Add gateway Subnet

Create a gateway subnet, using the image below as a guide.

Create Virtual Network Gateway

Step 1:

In the first step, search for "vpn network gateway", select it and click Create.

Generate Certificate

A certificate is very important because the security of the connection depends on it. Below you will see how you can create your own certificate with a few commands.
To be able to connect, each client must have the client certificate installed.

Create a client certificate (the PowerShell way)

In this demo, you will see how you can create a client certificate using the "New-SelfSignedCertificate" cmdlet.
Let's look at this step by step:

Step 1

Run the command below to create a self-signed root certificate named "SQLMIP2SRootCert", which is automatically installed in "Certificates - Current User\Personal\Certificates".

$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
-Subject "CN=SQLMIP2SRootCert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" `
-KeyUsageProperty Sign -KeyUsage CertSign

Step 2

The next command creates the client certificate, which must be installed on each client computer that connects to Azure. It is signed by the root certificate from Step 1 ($cert) and carries the Client Authentication extended key usage (OID 1.3.6.1.5.5.7.3.2).

New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
-Subject "CN=SQLMIP2SClientCert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" `
-Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

Step 3

In step 3, you can check the two certificates you created in steps 1 and 2. Open Run and type certmgr.msc. This command opens the Certificate Manager. Go to Personal - Certificates.


Step 4

In the next step, you must export the root certificate and save it as a file at a location of your choice, e.g. "C:\Folder\MyCert.cer". To export the file, use the Certificate Export Wizard as Steps 4.1 to 4.5 below show.

Step 4.1

In the Wizard start form click Next.

Step 4.2

Select , and click Next.

Step 4.3

At the Export File Format page, select , and click Next.

Step 4.4

In the next step you must specify the location of the exported file, e.g. C:\MyCert, and click Next.

Step 4.5

At the final step, click Finish and you’re done with the export.

Step 5

For the Point-to-Site configuration, you need the certificate name and the certificate data shown in the following image.

Important Notice: To get the following pieces of information, you must export the certificate file and open it with Microsoft Notepad.
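The five certificate steps above, scripted end to end, as an added example that is not part of the original post: it creates the root and client certificates with the post's own names, exports the root's public part to the post's example path C:\Folder\MyCert.cer, and produces the Base64 text that the PUBLIC CERTIFICATE DATA field expects. The MyCert.txt file name is my own assumption.

```powershell
# Added example, not the original post's code. Certificate names and C:\Folder are the
# post's; MyCert.txt is an assumed name. Everything is created in Cert:\CurrentUser\My.

# Step 1: self-signed root that is allowed to sign other certificates.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=SQLMIP2SRootCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyUsageProperty Sign -KeyUsage CertSign

# Step 2: client certificate signed by the root, with the Client Authentication
# EKU (OID 1.3.6.1.5.5.7.3.2) that the VPN client presents to the gateway.
$client = New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
    -Subject "CN=SQLMIP2SClientCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -Signer $root -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

# Step 3: confirm both certificates are in the Personal store (what certmgr.msc shows).
Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -like "CN=SQLMIP2S*" } |
    Format-Table Subject, Thumbprint, NotAfter

# Step 4: export the root's PUBLIC part only. Export-Certificate writes a DER .cer
# and never includes the private key (that would take Export-PfxCertificate).
$cerPath = "C:\Folder\MyCert.cer"
New-Item -ItemType Directory -Path (Split-Path $cerPath) -Force | Out-Null
Export-Certificate -Cert $root -FilePath $cerPath -Type CERT | Out-Null

# Step 5: the PUBLIC CERTIFICATE DATA value is the Base64 body of the certificate,
# without the BEGIN/END CERTIFICATE lines you would see around it in Notepad.
$publicCertData = [Convert]::ToBase64String($root.RawData)
Set-Content -Path "C:\Folder\MyCert.txt" -Value $publicCertData
Write-Host "Paste this into 'Public certificate data' for root certificate 'SQLMIP2SRootCert':"
Write-Host $publicCertData

# Sanity check: the file you hand to Azure must match the root and contain no private key.
$reloaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
if ($reloaded.HasPrivateKey) { throw "Exported file unexpectedly contains a private key" }
if ($reloaded.Thumbprint -ne $root.Thumbprint) { throw "Exported certificate does not match the root" }
```

Only the root's public data goes to Azure; the client certificate (and its private key) stays on, or is moved to, the machines that will connect.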


Point-to-site Configuration

Now you are ready to move on to the Point-to-site configuration, as the following image shows. You have to fill in three fields:

  • Address pool: In this field, you specify the private address range from which connecting clients receive their IP addresses.
  • Root Certificates - NAME: In this field, type a name for the Root Certificate, e.g. rootcertificate.
  • Root Certificates - PUBLIC CERTIFICATE DATA: Copy and paste the certificate data from the previous step.

After you have filled in the fields as described, click Save; the Download VPN client button is then enabled so you can download the VPN client.

VPN Client

Download the VPN Client

Download and unzip the file vpn.zip. The folder includes the three directories illustrated in the figure below. Depending on your computer's CPU architecture, choose the matching VPN client to install.

Open And Run The VPN Client
