Configure a Point-to-Site VPN on Windows for Azure Files

Here’s a concise summary of the article “Configure a point-to-site (P2S) VPN on Windows for use with Azure Files.”

Overview

  • Purpose: Use a point-to-site (P2S) VPN to mount Azure SMB file shares from outside Azure without opening TCP port 445 to the internet on the on-premises firewall; SMB traffic travels inside the tunnel to the storage account's private endpoint. P2S is for individual clients; if many clients need access from one on-premises network, consider a site-to-site (S2S) VPN instead.

  • Recommended reading: Networking considerations for direct Azure file share access.

Prerequisites

  • Latest Azure PowerShell module.

  • An Azure file share in a storage account.

  • A virtual network with a private endpoint for the storage account.

  • A gateway subnet on the virtual network (recommend /27 or larger).

High-level steps

  1. Collect environment info

    • Gather resource group, virtual network name, gateway subnet name and storage account name.

    • Example PowerShell provided to retrieve virtual network, subnet, private endpoint and storage account objects.

  2. Create root certificate for VPN authentication

    • Create a root certificate (enterprise or self-signed) and a client certificate signed by that root.

    • Example PowerShell to generate a self-signed root certificate and export the public certificate text to use in Azure.

  3. Deploy the virtual network gateway

    • Gateway components: a public IP address and uploaded root certificate public data.

    • Use portal or PowerShell. Deployment can take up to 45 minutes.

    • Portal: create Virtual Network Gateway, choose VPN gateway type and appropriate SKU (do not use Basic if you need IKEv2), configure public IP and review/create.

    • Configure Point-to-site settings on the gateway: address pool, tunnel type (IKEv2, SSTP, OpenVPN), authentication type (Azure certificate), upload root certificate public data.

    • PowerShell: example script to create public IP, gateway IP config, set VpnClientAddressPool, VpnClientProtocol, and upload root cert.
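The three steps above, collected into one script. This is an added example, not the article's own PowerShell: the resource group, virtual network, storage account, region and client address pool are assumed placeholder values, and the gateway and public IP names are derived from the virtual network name for convenience.

```powershell
# Added example (not the article's script). Run as Administrator in an on-premises
# Windows PowerShell session with the Az module installed. Names below are assumptions.
$resourceGroupName  = "myResourceGroup"
$virtualNetworkName = "myVirtualNetwork"
$gatewaySubnetName  = "GatewaySubnet"      # Azure requires this exact name for a gateway subnet
$storageAccountName = "mystorageacct"
$region             = "chinanorth3"        # assumed; use the virtual network's region
$vpnClientPool      = "172.16.201.0/24"    # assumed; must not overlap the VNet or any on-premises range

# docs.azure.cn documents the Azure China cloud; drop -Environment for global Azure.
Connect-AzAccount -Environment AzureChinaCloud | Out-Null

# Step 1: collect the existing resources and fail early if a prerequisite is missing.
$virtualNetwork  = Get-AzVirtualNetwork -ResourceGroupName $resourceGroupName -Name $virtualNetworkName
$gatewaySubnet   = Get-AzVirtualNetworkSubnetConfig -Name $gatewaySubnetName -VirtualNetwork $virtualNetwork
$storageAccount  = Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName
$privateEndpoint = Get-AzPrivateEndpoint -ResourceGroupName $resourceGroupName |
    Where-Object { $_.PrivateLinkServiceConnections.PrivateLinkServiceId -eq $storageAccount.Id }
if (-not $privateEndpoint) {
    throw "No private endpoint for $storageAccountName; create one first (see 'Configure Azure Files network endpoints')"
}
$prefixLength = [int]((($gatewaySubnet.AddressPrefix | Select-Object -First 1) -split '/')[1])
if ($prefixLength -gt 27) { Write-Warning "Gateway subnet is smaller than /27; /27 or larger is recommended" }

# Step 2: self-signed root certificate. The private key stays in this user's store and signs
# every client certificate, so back it up and keep it off shared or Azure-hosted machines.
$rootCert = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=P2SRootCert" `
    -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign `
    -NotAfter (Get-Date).AddYears(2)
# Only the public certificate (RawData) is uploaded to Azure; the key never leaves the machine.
$rootCertPublicData = [System.Convert]::ToBase64String($rootCert.RawData)

# Step 3: public IP, gateway IP configuration, and the gateway itself. VpnGw1 rather than Basic
# so IKEv2 is available. New-AzVirtualNetworkGateway waits for provisioning, which can take
# up to 45 minutes; add -AsJob to run it in the background.
$publicIp = New-AzPublicIpAddress -ResourceGroupName $resourceGroupName -Name "$virtualNetworkName-ip" `
    -Location $region -AllocationMethod Static -Sku Standard
$gatewayIpConfig = New-AzVirtualNetworkGatewayIpConfig -Name "$virtualNetworkName-ipconf" `
    -SubnetId $gatewaySubnet.Id -PublicIpAddressId $publicIp.Id
$azRootCert = New-AzVpnClientRootCertificate -Name "P2SRootCert" -PublicCertData $rootCertPublicData
$vpnGateway = New-AzVirtualNetworkGateway -Name "$virtualNetworkName-vpngw" -ResourceGroupName $resourceGroupName `
    -Location $region -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1 `
    -IpConfigurations $gatewayIpConfig -VpnClientAddressPool $vpnClientPool `
    -VpnClientProtocol IkeV2 -VpnClientRootCertificates $azRootCert

# Record the thumbprint: the client-certificate step selects the signing root by it.
"Gateway $($vpnGateway.Name) provisioned; root certificate thumbprint: $($rootCert.Thumbprint)"
```

The private-endpoint check is the one worth keeping even if you deploy through the portal: without a private endpoint, clients connected over the tunnel still resolve the storage account to its public IP, and SMB to that address is exactly the port-445 exposure the VPN is meant to avoid.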

  4. Create client certificate

    • Each client must have a client certificate installed (enterprise or self-signed).

    • For enterprise CA: issue user client certificates with a common name in the form of the user's e-mail address and make sure the certificate carries the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2); the gateway rejects client certificates without it.

    • For self-signed root: locate the root certificate on the machine that generated it (by thumbprint), sign a client certificate with it using New-SelfSignedCertificate, and export the client certificate as a password-protected PFX; example PowerShell is provided. The VPN profile itself (the client installer package) is generated separately with New-AzVpnClientConfiguration.

  5. Configure the VPN client

    • Download the VPN client package produced by the gateway and install the appropriate architecture package (WindowsAmd64 or WindowsX86).

    • Use Always On VPN where possible (introduced in Windows 10/Server 2016) — installers include config for legacy Windows VPN client as well.

    • Install client certificate (.pfx) on the client (Current User store), then install the VPN package and connect through VPN Settings.

    • Example PowerShell to remotely copy certs and install VPN client and connection (supports installing on multiple machines).
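Steps 4 and 5 as one script, added here as an example rather than taken from the article. It assumes the root certificate was created under the subject `CN=P2SRootCert` on this machine, that the gateway is named `<VNet name>-vpngw`, and that the installed VPN connection takes the virtual network's name (which is what the generated package does by default); the client name, paths and resource names are placeholders.

```powershell
# Added example (not the article's script). Run as Administrator on the on-premises Windows
# machine that holds the root certificate's private key. Names and paths are assumptions.
$resourceGroupName  = "myResourceGroup"
$virtualNetworkName = "myVirtualNetwork"
$gatewayName        = "$virtualNetworkName-vpngw"
$rootCertSubject    = "CN=P2SRootCert"
$clientName         = "P2SClient-laptop01"            # one certificate per client, named so it can be revoked later
$pfxPath            = "$env:USERPROFILE\$clientName.pfx"
$packageDir         = "$env:USERPROFILE\vpnclient"

Connect-AzAccount -Environment AzureChinaCloud | Out-Null   # docs.azure.cn = Azure China cloud

# Step 4a: find the signing root in the Current User store (newest one with a private key).
$rootCert = Get-ChildItem -Path Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq $rootCertSubject -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $rootCert) { throw "Root certificate $rootCertSubject with a private key not found in Cert:\CurrentUser\My" }
"Signing with root thumbprint $($rootCert.Thumbprint)"

# Step 4b: issue the client certificate. -Signer chains it to the root; the TextExtension sets
# the Client Authentication EKU (2.5.29.37 = extended key usage, 1.3.6.1.5.5.7.3.2 = clientAuth).
$clientCert = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=$clientName" `
    -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" -Signer $rootCert `
    -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2") -NotAfter (Get-Date).AddYears(1)

# Step 4c: export a password-protected PFX for transfer to the client. The password is
# prompted rather than hard-coded so it does not end up in shell history or scripts.
$pfxPassword = Read-Host -AsSecureString -Prompt "Password for $pfxPath"
Export-PfxCertificate -Cert $clientCert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Step 5a: generate the VPN client profile package and download it. EapTls = certificate auth.
$profile = New-AzVpnClientConfiguration -ResourceGroupName $resourceGroupName -Name $gatewayName `
    -AuthenticationMethod EapTls
Invoke-WebRequest -Uri $profile.VpnProfileSASUrl -OutFile "$packageDir.zip"
Expand-Archive -Path "$packageDir.zip" -DestinationPath $packageDir -Force

# Step 5b (on the client): import the certificate into the Current User store, run the
# installer for this architecture, then dial the connection. Copy $pfxPath and $packageDir to
# each client first; run these lines there.
Import-PfxCertificate -FilePath $pfxPath -CertStoreLocation Cert:\CurrentUser\My -Password $pfxPassword | Out-Null
$installer = if ([Environment]::Is64BitOperatingSystem) { "WindowsAmd64\VpnClientSetupAmd64.exe" }
             else                                        { "WindowsX86\VpnClientSetupX86.exe" }
Start-Process -FilePath (Join-Path $packageDir $installer) -Wait   # installer prompts to confirm
rasdial $virtualNetworkName                                          # connection is named after the VNet (assumed)
if ($LASTEXITCODE -ne 0) { throw "rasdial failed with exit code $LASTEXITCODE" }
```

Two points the script makes explicit: the client certificate is signed locally with the root's private key (New-AzVpnClientConfiguration only builds the installer package, it never sees a key), and each client gets its own certificate so that a single lost laptop can be revoked by thumbprint without reissuing everyone else's.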

  6. Mount Azure file share

    • After connecting via the P2S VPN, mount the Azure SMB file share on the on-premises machine (see Mount SMB Azure file share on Windows).
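The two checks a practitioner wants before mounting, plus the mount itself, as an added example (not from the article): that the storage account's file endpoint resolves to the private endpoint's address from the client, and that TCP 445 is reachable over the tunnel. Resource names and the share name are assumptions; the file host name is taken from the storage account rather than hard-coded so the correct cloud suffix is used.

```powershell
# Added example (not the article's script). Run on the client after the P2S connection is up.
$resourceGroupName  = "myResourceGroup"
$storageAccountName = "mystorageacct"
$fileShareName      = "myshare"          # assumed
$driveLetter        = "Z"

Connect-AzAccount -Environment AzureChinaCloud | Out-Null   # docs.azure.cn = Azure China cloud
$storageAccount = Get-AzStorageAccount -ResourceGroupName $resourceGroupName -Name $storageAccountName
$fileHost = ([Uri]$storageAccount.PrimaryEndpoints.File).Host   # e.g. mystorageacct.file.core.chinacloudapi.cn

# Check 1: the file host must resolve to the private endpoint's VNet address. A P2S client keeps
# using its own DNS, so this typically needs a hosts-file entry or a DNS forwarder for the
# storage account's zone (see "Configure Azure Files network endpoints").
$privateEndpoint = Get-AzPrivateEndpoint -ResourceGroupName $resourceGroupName |
    Where-Object { $_.PrivateLinkServiceConnections.PrivateLinkServiceId -eq $storageAccount.Id } |
    Select-Object -First 1
$privateIp = (Get-AzNetworkInterface -ResourceId $privateEndpoint.NetworkInterfaces[0].Id).IpConfigurations[0].PrivateIpAddress
$resolved = (Resolve-DnsName -Name $fileHost -Type A -ErrorAction Stop | Where-Object Type -eq 'A').IPAddress
if ($resolved -notcontains $privateIp) {
    throw "$fileHost resolves to $($resolved -join ', ') instead of private endpoint $privateIp; fix DNS before mounting"
}

# Check 2: SMB over the tunnel. This is the only path on which 445 needs to work; it stays
# closed on the on-premises perimeter.
$tnc = Test-NetConnection -ComputerName $fileHost -Port 445
if (-not $tnc.TcpTestSucceeded) { throw "TCP 445 to $fileHost ($privateIp) failed; check the VPN connection and routes" }

# Mount with the storage account key stored in Credential Manager; the key is fetched at run
# time rather than written into the script. Identity-based authentication is an alternative.
$key = (Get-AzStorageAccountKey -ResourceGroupName $resourceGroupName -Name $storageAccountName)[0].Value
cmdkey /add:$fileHost /user:"Azure\$storageAccountName" /pass:$key | Out-Null
New-PSDrive -Name $driveLetter -PSProvider FileSystem -Root "\\$fileHost\$fileShareName" -Persist
```

If check 1 fails but check 2 succeeds, the client is reaching the public endpoint of the storage account, not the private one; the mount may still work, but the traffic is leaving the tunnel and the storage account's network rules decide whether it is allowed.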

  7. Rotate VPN root certificate

    • You can add a new root certificate to the existing virtual network gateway without redeploying the gateway. Client certificates chained to the old root keep working until that root is removed from the gateway, so issue new client certificates from the new root, roll them out, and then remove the old root.

    • Example PowerShell to create a new self-signed root certificate, export it, and add it to the gateway.
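Step 7 as a script, added as an example rather than taken from the article. It assumes the same placeholder resource names as the earlier steps and a gateway named `<VNet name>-vpngw`. It goes a little beyond the rotation itself by showing the two other root-certificate operations you need for this lifecycle: listing the roots on the gateway, and revoking a single client certificate by thumbprint, which is the right response to one lost device (rotating the root is the response to a compromised root).

```powershell
# Added example (not the article's script). Run as Administrator on the on-premises Windows
# machine that holds the root keys, never from an Azure VM. Names are assumptions.
$resourceGroupName  = "myResourceGroup"
$virtualNetworkName = "myVirtualNetwork"
$gatewayName        = "$virtualNetworkName-vpngw"
$newRootName        = "P2SRootCert-$(Get-Date -Format yyyyMMdd)"
$retireOldRoots     = $false     # flip to $true only after every client has a certificate from the new root

Connect-AzAccount -Environment AzureChinaCloud | Out-Null   # docs.azure.cn = Azure China cloud

# 1. New self-signed root, same parameters as the original root.
$newRoot = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=$newRootName" `
    -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign `
    -NotAfter (Get-Date).AddYears(2)
$newRootPublicData = [System.Convert]::ToBase64String($newRoot.RawData)

# 2. Add it next to the existing root(s); the gateway keeps accepting clients chained to either.
Add-AzVpnClientRootCertificate -VpnClientRootCertificateName $newRootName `
    -VirtualNetworkGatewayName $gatewayName -ResourceGroupName $resourceGroupName `
    -PublicCertData $newRootPublicData | Out-Null
"Roots now trusted by $gatewayName:"
Get-AzVpnClientRootCertificate -VirtualNetworkGatewayName $gatewayName -ResourceGroupName $resourceGroupName |
    Select-Object Name, ProvisioningState
"New root thumbprint (use it to sign replacement client certificates): $($newRoot.Thumbprint)"

# 3. After reissuing and distributing client certificates from $newRoot, remove the old roots.
# Remove-AzVpnClientRootCertificate requires the same PublicCertData that was uploaded.
if ($retireOldRoots) {
    Get-AzVpnClientRootCertificate -VirtualNetworkGatewayName $gatewayName -ResourceGroupName $resourceGroupName |
        Where-Object Name -ne $newRootName |
        ForEach-Object {
            Remove-AzVpnClientRootCertificate -VpnClientRootCertificateName $_.Name `
                -VirtualNetworkGatewayName $gatewayName -ResourceGroupName $resourceGroupName `
                -PublicCertData $_.PublicCertData | Out-Null
            "Removed root $($_.Name)"
        }
}

# 4. Revoking one client (for example a lost laptop) does not need a root rotation: the gateway
# rejects a revoked certificate by thumbprint. $lostClientThumbprint is a placeholder.
$lostClientThumbprint = $null
if ($lostClientThumbprint) {
    Add-AzVpnClientRevokedCertificate -VpnClientRevokedCertificateName "laptop01-revoked" `
        -VirtualNetworkGatewayName $gatewayName -ResourceGroupName $resourceGroupName `
        -Thumbprint $lostClientThumbprint | Out-Null
}
```

The `$retireOldRoots` switch is there because removing the old root is the step that actually cuts off clients still on old certificates; adding the new root alone changes nothing for them, which is what makes the overlap period safe.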

Notes and important cautions

  • Run certificate and client-generation PowerShell scripts as Administrator on an on-premises Windows machine (Windows 10/Server 2016 or later). Do not run root-cert generation from an Azure VM.

  • If you need IKEv2 or certain tunnel types and authentication methods, do not use the Basic gateway SKU (it doesn’t support IKEv2).

  • If gateway settings change (tunnel type, certificate), regenerate the VPN client profile and reinstall on clients.

Useful links (kept as in the article)

  • Configure a site-to-site VPN for use with Azure Files: https://docs.azure.cn/en-us/storage/files/storage-files-configure-s2s-vpn

  • Networking considerations for direct Azure file share access: https://docs.azure.cn/en-us/storage/files/storage-files-networking-overview

  • Create an Azure file share: https://docs.azure.cn/en-us/storage/files/storage-how-to-create-file-share

  • Configure Azure Files network endpoints: https://docs.azure.cn/en-us/storage/files/storage-files-networking-endpoints?tabs=azure-powershell

  • Configure server settings for P2S VPN Gateway connections: https://docs.azure.cn/en-us/vpn-gateway/point-to-site-certificate-gateway

  • Configure a point-to-site (P2S) VPN on Linux for use with Azure Files: https://docs.azure.cn/en-us/storage/files/storage-files-configure-p2s-vpn-linux
