How to set up VPN on Azure?

I am trying to set up my Azure resources so that they can only be accessed via VPN. For example, I only want to be able to access my Azure SQL database using a private network through a VPN. How do I set this up?

  • Does Azure have a VPN (e.g. like how we use Cisco etc.) that I can configure?
    • How do I set this up? And how do I access this VPN (e.g. can I sign into some sort of Azure VPN client from anywhere)?
  • How do I connect all my resources to this VPN?
  • Is there a better way to do this?

I know there are a lot of articles out there, but I am new to this and would appreciate some guidance (even if you just end up linking me to the correct articles).

There are a couple of different methods to set up VPNs in Azure. The question is, what is your goal? Do you want to configure a site-to-site VPN on your firewall, or do you want your users to launch a VPN application and manually connect to access Azure resources (point-to-site VPN)?

  1. Point to site VPN - Follow this guide (This is probably the easiest method - there is a cert method too).
    https://learn.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-tenant

In the end you’ll be able to open your Azure VPN Client (https://go.microsoft.com/fwlink/?linkid=2117554), import the Point to Site VPN config and authenticate using Azure AD credentials.

The only concern I have with the way this works is it appears any licensed Azure AD account will be able to authenticate against the VPN, so long as they have the VPN config. The other thing is they’ll be able to access everything on the VNET, so I’d recommend locking down your VNET with Azure Firewall or NSGs.

  2. For Site-to-Site VPNs, your firewall vendor should have a step-by-step guide on how to do this.
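
The NSG lockdown recommended in the answer above, as an added example that is not part of the original post: a small first-match evaluator for NSG-style rules (lower priority number is processed first) that compares a permissive rule set with one restricting VPN clients to the database port. The client pool, VNET range, database IP, rule names and probe targets are all constructed assumptions, and the default rules every real NSG carries are left out.

```python
# Added example: first-match evaluation of NSG-style rules (lowest priority number first).
# Every address, rule name and range below is constructed for illustration.
from ipaddress import ip_address, ip_network

VPN_POOL = "172.16.201.0/24"   # assumed point-to-site client address pool
VNET = "10.10.0.0/16"          # assumed VNET address space
SQL_IP = "10.10.2.4"           # assumed private IP of the database

def rule(name, priority, access, src, dst, ports):
    return {"name": name, "priority": priority, "access": access,
            "src": ip_network(src), "dst": ip_network(dst), "ports": ports}

# Weak: VPN clients may reach the whole VNET on any port.
WEAK = [rule("allow-vpn-any", 200, "Allow", VPN_POOL, VNET, (0, 65535))]

# Hardened: only the database port is allowed; everything else from the pool is denied.
HARDENED = [
    rule("allow-vpn-sql", 200, "Allow", VPN_POOL, SQL_IP + "/32", (1433, 1433)),
    rule("deny-vpn-rest", 300, "Deny", VPN_POOL, VNET, (0, 65535)),
]

def evaluate(rules, src, dst, port):
    """Return (access, rule name) of the first matching rule in priority order."""
    for r in sorted(rules, key=lambda r: r["priority"]):
        lo, hi = r["ports"]
        if ip_address(src) in r["src"] and ip_address(dst) in r["dst"] and lo <= port <= hi:
            return r["access"], r["name"]
    # Simplification: a real NSG falls through to its default rules here,
    # which is why the hardened set carries an explicit deny for the pool.
    return "Deny", "no-match"

def reachable(rules, client, targets):
    """List the (dst, port) targets a VPN client can reach under the given rules."""
    return [t for t in targets if evaluate(rules, client, *t)[0] == "Allow"]

# Constructed probe set: the database port, plus RDP/SSH on other hosts and on the database.
TARGETS = [(SQL_IP, 1433), ("10.10.1.5", 3389), ("10.10.3.7", 22), (SQL_IP, 22)]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, reachable(rules, "172.16.201.10", TARGETS))
```
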

Also, while not strictly speaking a VPN, for management purposes Azure Bastion also allows secure RDP access to VMs in Azure.

Azure bastion is hella expensive