Always On VPN – Overview

Problem: We had an aging VPN environment that was no longer supported by the vendor. People would just disconnect the VPN, not use it, or otherwise circumvent the policies we had in place.

Solution: Our endpoints are Windows 10/11 Pro machines, all with Azure A5 licenses. This license bundle also includes Windows Enterprise, which ties the entire setup together. The solution, which is also a step towards a Zero Trust architecture, is to deploy an Always On VPN with certificate authentication via a full device tunnel. Below is a brief description of the technologies I have used; part two will cover the architecture of the solution.

Why Azure P2S VPN and VWAN?

Azure’s P2S VPN is a fantastic way to let individual devices—like employee laptops—connect securely to your Azure virtual network. Unlike site-to-site VPNs that link entire offices, P2S is perfect for remote workers or distributed teams. When you pair it with Azure Virtual WAN, you get a centralized, scalable networking hub that simplifies managing connections for thousands of users.

Here’s why this setup shines:

  • Scalability: VWAN supports up to 100,000 P2S users per virtual hub, depending on the scale units you choose, making it ideal for large deployments like ours.
  • Device Tunnel: A device tunnel connects to Azure before a user logs in, enabling pre-login tasks like domain authentication or device management. This is critical for enterprise environments.
  • Windows 10/11 Enterprise + A5 Licenses: These licenses include advanced security and management features (like Microsoft Intune), which pair perfectly with Azure’s VPN capabilities. They also include Windows Enterprise, which is required before a device tunnel can be established.
  • Centralized Management: VWAN acts as a networking backbone, streamlining configuration and monitoring across regions and users. This will also bring all your infrastructure into one place.

Key Components of the Setup

Let’s break down the main pieces of this P2S VPN deployment:

  1. Azure Virtual WAN: Think of VWAN as the control center. It hosts virtual hubs (regional network points) that manage VPN connections. Each hub can support thousands of P2S connections, and you can add multiple hubs for even more capacity or geographic coverage.
  2. P2S VPN Gateway: This is the engine inside the VWAN hub that handles user connections. You’ll configure it for a device tunnel using the IKEv2 protocol, which is robust and natively supported by Windows.
  3. Authentication: For a device tunnel, you’ll use certificate-based authentication. Each Windows device needs a client certificate issued from a trusted root certificate, whose public part you upload to Azure. This ensures only authorized devices connect. Depending on your environment, you can also have user-based tunnels authenticated with Entra ID or Active Directory.
  4. Windows 10/11 Enterprise Devices: In order to have a device tunnel, the Windows installation needs to be Windows 10/11 Enterprise and the device must be joined to a domain.
  5. Configuration Tools: This will be Intune. In later posts I will explain what is needed to deploy profiles and certificates through Intune.

How It All Comes Together

Here’s a step-by-step overview of setting up this P2S VPN (don’t worry, we’re keeping it high-level):

  1. Set Up Azure Virtual WAN:
    • Create a Virtual WAN in the Azure portal and define your virtual hubs (one per region, if needed).
    • Ensure the hub’s address range doesn’t overlap with your on-premises or other Azure networks.
  2. Configure the P2S VPN Gateway:
    • In the VWAN hub, set up a P2S VPN gateway. Choose a scale unit that supports over 5,000 users (e.g., 50 scale units for up to 25,000 concurrent users).
    • Select IKEv2 as the tunnel type, as it’s ideal for device tunnels and supported by Windows.
    • Configure certificate-based authentication by uploading your root certificate’s public key to Azure.
  3. Generate and Distribute Certificates:
    • Use an enterprise Certificate Authority (CA) or create a self-signed root certificate.
    • Generate client certificates for each device and install them in the Local Machine certificate store.
    • Tools like Intune or PowerShell scripts can automate certificate deployment across 5,000+ devices.
  4. Create the VPN Profile:
    • Build a VPN profile for the device tunnel using IKEv2 and certificate authentication.
    • Enable the “Always On” feature to ensure the VPN connects automatically before user login.
    • Use Intune or Configuration Manager to push the profile to all Windows devices.
  5. Test and Monitor:
    • Test the connection on a few devices to confirm the device tunnel works (e.g., can devices access Azure resources pre-login?).
    • Use Azure Monitor to track connection health and troubleshoot any issues.
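The five steps above, as one added end-to-end example in PowerShell; it is not code from the original post. The Azure side uses the Az PowerShell module (New-AzVirtualWan, New-AzVirtualHub, New-AzVpnServerConfiguration, New-AzP2sVpnGateway). The endpoint side uses a self-signed lab certificate pair in place of the enterprise CA, a device tunnel ProfileXML pushed through the VPNv2 CSP via the MDM bridge WMI provider (the same XML is what goes into an Intune custom OMA-URI setting), and a pre-login connectivity check. Resource names, the region, address ranges, file paths, the device name, the gateway FQDN and the Azure-side test host are all assumptions.

```powershell
#Requires -Modules Az.Network
# Added example, not the author's code. Steps 1-2 run from an admin workstation with
# Az PowerShell; steps 3-5 run on the Windows Enterprise endpoint (step 4 as SYSTEM).
# Every name, address range, path and FQDN below is an assumption.

# ---- Step 1: Virtual WAN and one regional hub ----
$rg  = 'rg-aovpn'        # assumed resource group (must already exist)
$loc = 'westeurope'      # assumed region
$wan = New-AzVirtualWan -ResourceGroupName $rg -Name 'vwan-corp' -Location $loc -VirtualWANType Standard
# The hub prefix must not overlap on-premises or other Azure ranges (assumed value).
$hub = New-AzVirtualHub -ResourceGroupName $rg -VirtualWan $wan -Name 'hub-weu' -Location $loc `
         -AddressPrefix '10.100.0.0/24'

# ---- Step 2: P2S gateway with IKEv2 and certificate authentication ----
# Azure validates client certificates against this root public certificate
# (DER .cer, no private key); the path is assumed and is produced in step 3.
$cfg = New-AzVpnServerConfiguration -ResourceGroupName $rg -Name 'vsc-ikev2-cert' -Location $loc `
         -VpnProtocol IkeV2 -VpnAuthenticationType Certificate `
         -VpnClientRootCertificateFilesList 'C:\certs\P2SRootCert.cer'
# 50 scale units is the post's figure for up to 25,000 concurrent users / 25 Gbps.
# The client address pool must not overlap the hub or on-premises ranges (assumed).
$gw  = New-AzP2sVpnGateway -ResourceGroupName $rg -Name 'p2sgw-hub-weu' -VirtualHub $hub `
         -VpnGatewayScaleUnit 50 -VpnClientAddressPool '172.16.0.0/16' -VpnServerConfiguration $cfg

# ---- Step 3 (lab variant): root certificate plus one per-device client certificate ----
# In production the enterprise CA issues these through Intune; this self-signed pair
# only shows the shape the certificates must have. Never copy one PFX to many devices.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject 'CN=P2SRootCert' `
          -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 `
          -CertStoreLocation 'Cert:\LocalMachine\My' -KeyUsageProperty Sign -KeyUsage CertSign
Export-Certificate -Cert $root -FilePath 'C:\certs\P2SRootCert.cer' -Type CERT | Out-Null  # public key only
$deviceName = 'LAPTOP-0001'   # assumed hostname; one certificate per device
$client = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=$deviceName" `
            -DnsName $deviceName -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 `
            -CertStoreLocation 'Cert:\LocalMachine\My' -Signer $root `
            -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')   # EKU: Client Authentication
$pfxPwd = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $client -FilePath "C:\certs\$deviceName.pfx" -Password $pfxPwd | Out-Null
# On the device (LocalMachine store, as the tunnel runs before any user logs in):
#   Import-PfxCertificate -FilePath .\LAPTOP-0001.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $pfxPwd
# Also install VpnServerRoot.cer from the downloaded VPN profile into Cert:\LocalMachine\Root.

# ---- Step 4: device tunnel ProfileXML, applied locally through the VPNv2 CSP (run as SYSTEM) ----
# The gateway FQDN comes from the profile you download from the hub's P2S gateway;
# the value here is a placeholder. SplitTunnel sends only the listed route through Azure.
$profileName = 'AoVPN Device Tunnel'
$profileXml = @"
<VPNProfile>
  <NativeProfile>
    <Servers>azuregateway-PLACEHOLDER.vpn.azure.com</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <AlwaysOn>true</AlwaysOn>
  <DeviceTunnel>true</DeviceTunnel>
  <RegisterDNS>true</RegisterDNS>
  <Route>
    <Address>10.0.0.0</Address>
    <PrefixSize>8</PrefixSize>
  </Route>
</VPNProfile>
"@
# Intune: the same XML as a custom OMA-URI setting on ./Device/Vendor/MSFT/VPNv2/<name>/ProfileXML.
# Locally the CSP is reached via the MDM bridge WMI provider; the XML is escaped
# because it is carried inside a string property.
$escapedXml = [System.Security.SecurityElement]::Escape($profileXml)
$ns   = 'root\cimv2\mdm\dmmap'
$inst = New-Object Microsoft.Management.Infrastructure.CimInstance 'MDM_VPNv2_01', $ns
foreach ($p in @(
    [Microsoft.Management.Infrastructure.CimProperty]::Create('ParentID',   './Vendor/MSFT/VPNv2', 'String', 'Key'),
    [Microsoft.Management.Infrastructure.CimProperty]::Create('InstanceID', ($profileName -replace ' ', '%20'), 'String', 'Key'),
    [Microsoft.Management.Infrastructure.CimProperty]::Create('ProfileXML', $escapedXml, 'String', 'Property')
)) { $inst.CimInstanceProperties.Add($p) }
(New-CimSession).CreateInstance($ns, $inst) | Out-Null

# ---- Step 5: confirm the tunnel is up with no user logged in ----
# A connected device tunnel shows an interface named after the profile with an
# address from the client pool; run this from a SYSTEM context before sign-in.
$tunnelIp = (Get-NetIPAddress -InterfaceAlias $profileName -AddressFamily IPv4 -ErrorAction SilentlyContinue).IPAddress
if ($tunnelIp) { "Device tunnel up: $tunnelIp" } else { 'Device tunnel not connected' }
Test-NetConnection -ComputerName '10.0.0.4' -Port 443   # assumed Azure-side host reachable only via the tunnel
```

Run the Azure part once; the ProfileXML part has to run in the SYSTEM context on the endpoint, which Intune does for you when the XML is delivered as a device-scoped OMA-URI. The split tunnel routes only 10.0.0.0/8 through Azure, which is the cost-driven choice the post recommends; for a full tunnel set RoutingPolicyType to ForceTunnel and drop the Route element, accepting that all endpoint traffic then transits the gateway and counts against its scale-unit throughput.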

Key Considerations

When deploying, especially to a large environment, here are some tips to keep in mind:

  • Scalability Planning: A single VWAN hub can handle up to 100,000 P2S users, but you’ll need to select the right scale unit. For 5,000 users, a 20–50 scale unit gateway (supporting 10,000–25,000 users) ensures room for growth.
  • Certificate Management: Managing certificates for thousands of devices is no small task. Use an enterprise CA integrated with Intune to automate issuance and renewal.
  • Bandwidth Needs: Assess the aggregate throughput required. Each scale unit provides 500 Mbps, so a 50-scale-unit gateway offers up to 25 Gbps. Ensure this meets your users’ needs.
  • Tunneling: Either a split tunnel or a full tunnel can be used. For cost concerns, split tunneling is recommended.
  • Security: A5 licenses include Microsoft Defender for Endpoint, which can complement the VPN by securing devices against threats.
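The certificate management point above is where device tunnels usually fail silently: the machine certificate expires, chains to the wrong root, or lacks the Client Authentication EKU, and the device simply never connects again. This added example (not the author's code) is a defender-side health check for the LocalMachine store that an Intune remediation or scheduled task can run on every endpoint. The root thumbprint and the 30-day warning window are assumptions.

```powershell
# Added example, not the author's code: report every machine certificate that could
# serve a device tunnel and flag the ones that will break it. The expected root
# thumbprint and the warning window are assumed values.
function Test-DeviceTunnelCertificate {
    param(
        [string]$RootThumbprint = 'PLACEHOLDER-ROOT-THUMBPRINT',   # assumed: your CA root's thumbprint
        [int]$WarnDays = 30
    )
    $clientAuthEku = '1.3.6.1.5.5.7.3.2'
    # Only certificates with a private key and the Client Authentication EKU can
    # authenticate an IKEv2 machine tunnel.
    $candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthEku)
    }
    foreach ($cert in $candidates) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline-friendly; use 'Online' where CRL/OCSP is reachable
        $chainOk = $chain.Build($cert)
        $rootThumb = if ($chain.ChainElements.Count -gt 0) {
            $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
        } else { $null }
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        [pscustomobject]@{
            Subject          = $cert.Subject
            Thumbprint       = $cert.Thumbprint
            DaysRemaining    = $daysLeft
            ChainValid       = $chainOk
            FromExpectedRoot = ($rootThumb -eq $RootThumbprint)
            Status           = if (-not $chainOk)                     { 'BROKEN CHAIN' }
                               elseif ($rootThumb -ne $RootThumbprint) { 'WRONG ROOT' }
                               elseif ($daysLeft -lt $WarnDays)        { 'RENEW' }
                               else                                    { 'OK' }
        }
    }
}

# Usage: anything other than OK means the device tunnel is, or soon will be, down.
$report = Test-DeviceTunnelCertificate
$report | Format-Table -AutoSize
if (-not $report) { Write-Warning 'No machine certificate with Client Authentication EKU found' }
```

As an Intune detection script, exit non-zero when no row reports OK so the paired remediation can trigger a re-enrolment through the CA; the same function doubles as a quick triage step on a device that stopped connecting.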

Benefits of This Setup

Once implemented, this P2S VPN with VWAN delivers:

  • Seamless Remote Access: Employees can access Azure resources securely from anywhere, with the device tunnel ensuring connectivity before login.
  • Simplified Management: VWAN’s centralized hub makes it easy to manage thousands of connections, while Intune streamlines device configuration.
  • Cost Efficiency: VWAN’s pay-as-you-go model scales with your needs, and you only pay for the scale units you use.
  • Enterprise-Grade Security: Certificate-based authentication and A5 license features keep your connections and devices locked down.

Wrapping Up

This is part one of a series on setting up a Device Tunnel AoVPN environment. Setting it up is complicated; however, once it is set up and working as it should, it’s more maintenance than anything.


Jay Calderwood

Writer & Blogger
