Setting up VPN in Azure for Development Environment

Dmitry Danov
6 min read · Sep 27, 2019


Whichever project you work on, in most cases security is a crucial part of the development process. I’m not talking about the security of an application (we all understand that this is the most important thing anyway) but rather about the security of the development environment. It’s always good when you have one permanent development team, but this is a utopia. Quite often people drift from project to project, from company to company, or they just decide to quit and start something new (maybe they are sick and tired of their job and want to switch to fixing cars, or maybe to knitting in front of a fireplace 😊). At this point most companies will be worried about the access to their environment that is left with a former employee. But this is not a problem when you use a VPN (Virtual Private Network) to provide access to the development environment. This is exactly what we do when we set up a development environment for our customers.

In this article we are going to look at setting up a VPN connection between a developer’s workstation and Microsoft Azure (we like cloud technologies 😊).

I assume that you already have a virtual network and a couple of virtual machines configured. Let’s jump straight to the ‘Virtual network gateways’ configuration. This is where you configure your gateway between the external and internal environments. Let us go ahead and create a new virtual network gateway: click the ‘Add’ button.

Add new virtual network gateway

Let’s fill in all required fields. Select your subscription, provide the name of your new gateway, select the desired region, set the gateway type to ‘VPN’ and the VPN type to ‘Route-based’. Pick the virtual network where your virtual machines reside. Create a new public IP address by giving it a name. Leave the ‘Enable active-active mode’ and ‘Configure BGP ASN’ options disabled. Click the ’Review + create’ button; if everything was filled in correctly, the ‘Create’ button will be available on the ‘Review + create’ screen. Go ahead and hit it.

Configuring virtual network gateway

Now that you’ve created your virtual network gateway, go to its configuration page. Click on the name of your gateway and in the menu in the middle of the page select the ‘Point-to-site configuration’ option. Here you need to provide the address pool and the tunnel type. Let’s select ‘IKEv2 and SSTP (SSL)’. The authentication type should be ‘Azure certificate’. With this option we have a list of root certificates that we need to populate with public certificate data. This certificate section allows us to grant access to our developers, and when we want to revoke it we can simply delete the certificate from the list (or, of course, use the ‘Revoke certificates’ list below).

Configuring Point-to-site

With the Azure side pretty much done, we still have things left to do. Right, we need certificates. And since we love .NET we are going to use the makecert.exe console app from the Windows SDK (you can find a link to the installer in the links at the end of this article).

There are two steps we need to accomplish to get our certificates. The first one is to create a self-signed certificate. The command below does the trick:

makecert.exe -sky exchange -r -n "CN=Development_Certificate" -pe -a sha256 -len 2048 -ss My

A certificate with the name ‘Development_Certificate’ will appear in the certificate store under Personal certificates.

Self-signed certificate

We use this certificate to create our client certificate, which is going to be installed on a developer’s workstation. Let us execute the following command for that:

makecert.exe -n "CN=Development_Certificate_Client" -pe -sky exchange -m 96 -ss My -in "Development_Certificate" -is My -a sha256

Now we should have two certificates. One is ‘Development_Certificate’ and the other one is ‘Development_Certificate_Client’.

Client certificate

The client certificate will be installed on the developer’s computer. But we still need to add the public certificate data to the Azure public certificates area.

Let’s go ahead and create our root certificate file. For that, in the certificate store right-click on ‘Development_Certificate’ and select ‘All Tasks’ > ‘Export’. Click ‘Next’ to move past the ‘Welcome to the Certificate Export Wizard’ screen. Select ‘No, do not export the private key’ in the next step. Hit ‘Next’. From the format list select ‘Base-64 encoded X.509 (.CER)’.

Exporting root certificate

Click ‘Next’. Give a file name for the certificate. Click the ‘Next’ button one more time, check all export parameters and click ‘Finish’.

Finishing exporting root certificate

Now go to the location of the exported root certificate and open it with a text editor. You should see something like this (of course the certificate data will be different 😊 but the structure should remain).

Root certificate data

Now let’s give a name to the root certificate in Azure, copy the data between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- delimiters and paste it into the ‘Public Certificate Data’ area on the ‘Point-to-site configuration’ Azure screen.

We are almost there. The only thing left is to download the VPN client from the ‘Point-to-site configuration’ screen and export ‘Development_Certificate_Client’ with its private key.

Downloading VPN client

So with those two things (the VPN client and the exported ‘Development_Certificate_Client’) a developer can access your development environment in Azure via VPN.

I’ll leave some points from my experience here which might be useful in the future when you manage those certificates:

  • Name a certificate after the developer’s name, so you know which certificates belong to a particular individual
  • Export and keep the self-signed, root and client certificates. Developers may lose their certificates and you will need to give them a new one. In order not to reissue and configure everything again, you just send them the saved client certificate
  • Protect the client and self-signed certificates with a password
  • Combine the two makecert commands into a batch or ps1 file and configure it so you can specify the name of the developer
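
Following the tips above, here is an added example (my own script, not part of the original article) that combines the two makecert commands into one parameterized PowerShell script: it names the client certificate after the developer, reuses the existing root on later runs, exports the root’s public data in the exact form the ‘Public Certificate Data’ field expects, and writes the developer’s client certificate as a password-protected PFX. The parameter names, the output folder and the `_Client_<developer>` naming convention are my assumptions; makecert.exe is assumed to be on PATH.

```powershell
# Added example (not from the article): wraps the article's two makecert commands so the
# client certificate carries the developer's name, then exports what each side needs.
# Assumptions: makecert.exe (Windows SDK) is on PATH; certificates live in the current
# user's Personal ("My") store; parameter names and output layout are my own choice.
param(
    [Parameter(Mandatory = $true)][string]$Developer,   # e.g. "jsmith" (constructed value)
    [string]$RootName    = "Development_Certificate",   # root name used in the article
    [string]$OutDir      = ".\vpn-certs",
    [int]$ValidMonths    = 96                           # same lifetime as the article's -m 96
)

$ErrorActionPreference = "Stop"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Create the self-signed root only once. Later runs reuse it, so the root you pasted
#    into Azure stays valid and every developer's client chains to the same root.
$root = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -eq "CN=$RootName" } | Select-Object -First 1
if (-not $root) {
    & makecert.exe -sky exchange -r -n "CN=$RootName" -pe -a sha256 -len 2048 -ss My
    $root = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -eq "CN=$RootName" } | Select-Object -First 1
}
if (-not $root) { throw "makecert did not create CN=$RootName in Cert:\CurrentUser\My" }

# 2. Issue a client certificate named after the developer, signed by the root (tip 1 above).
$clientName = "${RootName}_Client_$Developer"
& makecert.exe -n "CN=$clientName" -pe -sky exchange -m $ValidMonths -ss My -in $RootName -is My -a sha256
$client = Get-ChildItem Cert:\CurrentUser\My | Where-Object { $_.Subject -eq "CN=$clientName" } | Select-Object -First 1
if (-not $client) { throw "makecert did not create CN=$clientName" }

# 3. Root public data for Azure: Base64 of the DER bytes, which is exactly the text between
#    the BEGIN/END CERTIFICATE delimiters of the wizard export, without line breaks.
$rootB64 = [Convert]::ToBase64String($root.RawData)
Set-Content -Path (Join-Path $OutDir "$RootName.public.b64.txt") -Value $rootB64 -NoNewline
Export-Certificate -Cert $root -FilePath (Join-Path $OutDir "$RootName.cer") -Type CERT | Out-Null

# 4. Client certificate with its private key as a password-protected PFX (tips 2 and 3 above).
$pfxPassword = Read-Host -Prompt "PFX password for $Developer" -AsSecureString
Export-PfxCertificate -Cert $client -FilePath (Join-Path $OutDir "$clientName.pfx") -Password $pfxPassword | Out-Null

Write-Host "Root thumbprint  : $($root.Thumbprint)  (paste $RootName.public.b64.txt into Azure once)"
Write-Host "Client thumbprint: $($client.Thumbprint)  (CN=$clientName)"
Write-Host "Keep the client thumbprint: Azure's revoked certificates list identifies clients by thumbprint."
```

Run it once per developer; only the first run creates the root, so the value already pasted into Azure does not change.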

Next time we will look at how to install and configure the VPN client on the developer’s workstation and what to do if we have an issue with the Microsoft-provided VPN client.

Useful links:

Written by Dmitry Danov

.NET Developer and co-founder of SCrafto software company
