question

0 Votes
DavideGhisalberti-2619 asked DavideGhisalberti-2619 commented

Schedule VPN Gateway deploy

Hi all! I'm configuring a Point-to-Site VPN access for my VMs on Azure. So far so good, everything works. My concern is about the pricing of the SKU 'VpnGw1'.

On the online calculator I can see the prices for GBs and tunnels, and a configurable pricing for "Gateway hour". I thought (wrongly) that this pricing was related to effective gateway usage, but it's instead related to the 'existence' of the gateway object in my subscription (e.g. I create the gateway at 3.00 pm and delete it at 6.00 pm, I pay for three hours regardless of whether I've used it or not).

It seems odd because I can't understand how to schedule the gateway object to be created when I want to use it (for example, only for business hours/days).
Is there a way to configure a schedule for creating and destroying this object, and to configure it in a way that my VPN clients are not aware of that? For example, I don't want to distribute every day a configuration package or certificate or information to be configured by my clients; I just want my gateway to be active from 9 to 5, Monday to Friday.

Thanks in advance for the help!

azure-vpn-gateway azure-automation

1 Vote
AndreasBaumgarten answered DavideGhisalberti-2619 commented

The way it would work is:

  1. Create the required certificates and store them somewhere for automated deployment

  2. Create a script to deploy the VPN Gateway using the existing certificate

  3. Deploy the VPN Gateway via script on a schedule (for example every day at 8:00 AM)

  4. Delete the VPN Gateway via script on a schedule (for example at 6:00 PM)


Repeat steps 3 - 4

As long as you are using the same certificate and public IP of the VPN Gateway it should work without modifications on the client.


(If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

Regards
Andreas Baumgarten


Hi. For completeness, the answer seems to be partially incorrect:

> As long as you are using the same certificate and public IP of the VPN Gateway it should work without modifications on the client.

After my testing I can say that even by meeting these conditions, the client needs to update the VPN configuration because 'ServerAddress' and 'ServerSecrets' change each time a VPN Gateway object is re-created (even by maintaining the same public IP, certificate and resources' names).



0 Votes 0 ·
1 Vote
AndreasBaumgarten answered DavideGhisalberti-2619 commented

If you delete and redeploy the VPN Gateway every day the public IP will maybe change as well.

Anyway ... With PowerShell it's possible to deploy a VPN Gateway:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-rm-ps

And this can be scheduled on premises with the task scheduler in Windows.
Or a runbook in Azure Automation can be used with a schedule.



Regards
Andreas Baumgarten


You don't have to create a new certificate every time. If the certificate exists (for instance stored on the on-premises computer or Azure Storage if you use Azure Automation) and is valid you can just re-use this cert every time.



Regards
Andreas Baumgarten

1 Vote 1 ·

Thanks, that's interesting. However, I can't understand whether using this script for deploying and deleting the Gateway would have the consequence of re-generating and re-distributing certificates and VPN Client configuration *.exe files.
I see that I can generate my root certificate once and then re-upload it each time I create my Gateway; I can't understand whether I need to generate and distribute the configuration setup each time. That would be a stopper (it would mean distributing a new setup each day).

Thanks!

0 Votes 0 ·

Ok so if I understood correctly, I could:
- prepare my IP and VNet configuration objects on Azure and keep those there
- Generate my root and client certificates, and store the root on Azure Storage
- Prepare the automation script to create the Gateway
- Launch it
- After I've deployed the Gateway for the first time, I'll generate the *.exe for client configuration

From there, I'll distribute and install the client certificates and the *.exe configuration to my users. Finally, when the Gateway is up and running, my users can connect to the VPN without doing anything else.

Please confirm if my suppositions are correct, and then I'll give it a try and close the thread, thank you a lot!



0 Votes 0 ·
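
The scheduled create/delete procedure discussed in the answers above can be written as a single Azure Automation runbook. This is an added example, not code posted by anyone in the thread. All resource names, the address pool and the Automation variable holding the root certificate's public data are assumptions, and it keeps the VNet, GatewaySubnet and public IP in place between runs as the last comment proposes.

```powershell
# Added example: Azure Automation runbook (Az modules) that creates or deletes
# the Point-to-Site gateway. Resource names and the pool are placeholders.
param(
    [Parameter(Mandatory)][ValidateSet('Create', 'Delete')][string]$Action,
    [string]$ResourceGroup = 'rg-vpn-example',     # assumed name
    [string]$GatewayName   = 'vpngw-example',      # assumed name
    [string]$VNetName      = 'vnet-example',       # assumed, kept between runs
    [string]$PublicIpName  = 'pip-vpngw-example',  # assumed, kept between runs
    [string]$ClientPool    = '172.16.201.0/24',    # assumed P2S address pool
    [string]$RootCertVar   = 'P2SRootCertBase64'   # assumed Automation variable
)
$ErrorActionPreference = 'Stop'

# Sign in with the Automation account's managed identity; its role assignment
# should be scoped to this resource group only.
Connect-AzAccount -Identity | Out-Null

# List gateways in the group so a missing gateway is not an error.
$existing = Get-AzVirtualNetworkGateway -ResourceGroupName $ResourceGroup |
    Where-Object Name -eq $GatewayName

if ($Action -eq 'Delete') {
    if ($existing) {
        # Removes only the gateway object; VNet, subnet and public IP stay.
        Remove-AzVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroup -Force
    }
    return
}
if ($existing) { Write-Output "Gateway $GatewayName already exists"; return }

$vnet   = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $ResourceGroup
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$pip    = Get-AzPublicIpAddress -Name $PublicIpName -ResourceGroupName $ResourceGroup
$ipConf = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconf' -SubnetId $subnet.Id -PublicIpAddressId $pip.Id

# Only the root certificate's public data (Base64 of the .cer) is uploaded;
# the root private key stays on the machine that signs client certificates.
$rootData = Get-AutomationVariable -Name $RootCertVar
$rootCert = New-AzVpnClientRootCertificate -Name 'P2SRootCert' -PublicCertData $rootData

$gw = New-AzVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroup `
    -Location $vnet.Location -IpConfigurations $ipConf -GatewayType Vpn -VpnType RouteBased `
    -GatewaySku VpnGw1 -VpnClientProtocol IkeV2 `
    -VpnClientAddressPool $ClientPool -VpnClientRootCertificates $rootCert
Write-Output "Created $($gw.Name), state: $($gw.ProvisioningState)"
```

Link the runbook to two Automation schedules, one passing `Action=Create` and one passing `Action=Delete`. Gateway creation can take 45 minutes or more, so the create schedule needs to start well before clients connect, and given the comment above reporting that 'ServerAddress' and 'ServerSecrets' changed after re-creation, test an existing client profile after the first scheduled re-create.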