[00:00:01] Why do I mention RADIUS just out of the blue? I'm putting RADIUS in a particular context here, specifically combining it with the Azure point-to-site VPN. Now, first of all, remember that a virtual private network is a secure tunnel over an unsecure medium, and that unsecure medium is the internet. Assuming you have at least one virtual network in the Azure cloud, you may be thinking, what is a good way for me to support remote access into that virtual network that is secure? In other words, how can we do a VPN? Well, yes, there is the site-to-site VPN; that would be an always-on connection between your on-premises network and your virtual network. But there is also the point-to-site, and this is a capability of the Azure virtual network gateway that supports many tunnels; it depends on what SKU, or stock keeping unit, you're paying for on your gateway, and different SKUs have different maximum numbers of P2S tunnels. But the value proposition with P2S is that you can give individual users the ability to create a tunnel into the virtual network from wherever they are.
[00:01:06] This is particularly relevant with the COVID-19 pandemic and the remote workforce, where users may not be reporting to your corpnet, where you've got a site-to-site VPN or an ExpressRoute tunnel into Azure, you see. How can we give remote users who just have an internet connection the ability to stand up a secure tunnel? Well, that's what P2S is, and the protocol selection here is variable. You can use the Secure Socket Tunneling Protocol, SSTP, on TCP 443. This is a semi-proprietary VPN protocol; however, it's proprietary to Windows, number one, so if you've got users who are running Linux and macOS, you'll want to go another route. We can use the Internet Key Exchange version 2 protocol, IKEv2, to support Mac clients, but even better nowadays, in Azure, we have the OpenVPN protocol, which will allow your users to do a point-to-site VPN from Windows, from macOS, from Linux, or even mobile OSs like iOS and Android. In creating the P2S VPN configuration in Azure in your virtual network gateway, you can choose one of three authentication options. So you've got a choice with the protocol, and you also have a choice with authentication.
[00:02:22] It wasn't too long ago that we didn't have a choice, when the only auth option in the Azure VNet gateway was client certificate. The problem with that is that you've got to distribute client certificates to all of the devices that are going to remote into Azure, and that also means you have to upload the signing or root cert directly into the gateway, which is a lot of management overhead, and you track revoked certificates manually. It's not a very scalable option, and I'm so grateful that Microsoft has done engineering work here so that we have other options. I think the best option is Azure AD authentication because I would assume, I guess I shouldn't assume, but I would assume that if you're doing hybrid cloud and hybrid identity, then you already have your local Active Directory accounts synchronized with your Azure AD tenant using Azure AD Connect cloud sync. In that case, we can do Azure AD auth to allow a VPN tunnel from your client devices into a target or hub virtual network, and then you can use VNet peering to link that transit VNet with other VNets, you see.
[00:03:24] To do Azure AD authentication, though, you do have to be using the OpenVPN protocol, and there is actually more setup to that as well: you have to do some work in Azure AD to create a service principal for Azure VPN, and your client devices have to be using the Azure VPN client. But the work there is going to pay off because, number one, you're using OpenVPN, so you have much wider client operating system support, and number two, you can layer in additional identity controls on the Azure side like conditional access policies and Azure Multi-Factor Authentication. We're not going to deep dive into setting up Azure AD because the AZ-800 exam actually calls out the third option that we'll get to in just a second. That said, check the exercise files because, as always, I like to provide supplemental pointers to the Microsoft docs to help you out. That third option I was talking about, the one that's specifically in scope for exam AZ-800, is where you want to authenticate point-to-site VPN connections from local AD accounts that have not been synchronized into Azure AD.
[00:04:31] I mean, if you're doing the account synchronization, then I would go Azure AD, but otherwise, you can, in fact, configure your point-to-site VPN for local AD accounts. That's where the RADIUS comes in, and let me explain more with a diagram.