
BACKGROUND: I have set up a Virtual Network connection in Azure to a local on-premise database. We are connecting an app service (web page) to a local on-premise database; a page is retrieving data from this on-premise database. It kept giving errors every week and the only way to fix it would be restarting the app service, and it would magically work again.

ISSUE: I wanted to try to upgrade the SKU from Basic to VpnGw2 to possibly solve the issue where our app service would lose connection to our on-premise database. I set it up the same way I had before but it is asking for a Point-To-Site connection on the VNet Connection (screenshot below: "VNet Point-to-Site error").

QUESTION: I am not sure how to set up a Point-to-Site configuration with an Azure app service. I am required to enter certificate data, how do I generate a certification on my Azure App Service that can be used for this? Or am I doing something wrong? From what I am reading online, a point-to-site is usually configured for a single machine, I haven't seen anything in regards to an actual app service being configured. Should I use Generate certificates for point-to-site using PowerShell via my Web Service Kudu console?

Some guides I've been using: "Configure server settings for P2S VPN Gateway connections - certificate authentication - Azure portal" and "VNet - Point-to-Site configuration".

Airo
  • What errors are you seeing in the app service when you lose connection to the on-premise database? And how are you using the current Basic VNGW to connect to your on-prem environment? Are you using an ExpressRoute, or a Point-to-site VPN? – Narthring May 05 '23 at 16:09
  • I'm curious why you suspect upgrading the VNGW will fix the issue. It may, but I'd be interested in understanding the root cause, if you have more information available. – Narthring May 05 '23 at 16:12
  • @Narthring The error received on the app service is a 400 error code, cannot reach SQL database. Pretty much that the connection is completely lost between the app service and the on-premise database. The weird thing is that I can query the database fine through the app service Kudu console. We have tried increasing timeouts, adding caching of data, nothing seems to work. We have a Local Network Gateway that connects to an On-Premise VPN. I created a connection between the Virtual Network Gateway and Local Network Gateway via the site-to-site connection type. – Airo May 05 '23 at 16:23
  • @Narthring I honestly don't think it will make a difference but thought it would be worth trying out. There are some settings on the timeouts which I have increased. This occurs only on our production environment; we have the same network setup on a test environment and have no issues, however the page is not being accessed often or at all there. – Airo May 05 '23 at 16:25
  • Just to confirm, it usually works but you get sporadic outages? Normally you're retrieving information from the on-prem database through the app service normally just fine, but sometimes, for unknown reasons, you get an HTTP 400 error? – Narthring May 05 '23 at 20:04
  • @Narthring Yes, that is correct - and the only way to fix it is to restart the app service and it works fine after that. Until the next time it occurs, usually a few days. – Airo May 07 '23 at 18:03

1 Answer


To set up a Point-to-Site configuration with an Azure app service using certificates, check the workaround below:

I have created an app service and a virtual network gateway, and created a virtual network. Once you add your virtual network, it takes a gateway subnet address range like below:

(screenshot: gateway subnet address range)

To generate a point-to-site certificate, make use of the PowerShell script below:

# Root certificate: self-signed, with the CertSign key usage so it can issue the client certificate
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=Nameofyourp2s" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

# Client certificate: signed by the root above; the text extension sets
# Extended Key Usage (2.5.29.37) to Client Authentication (1.3.6.1.5.5.7.3.2)
New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
    -Subject "CN=Nameofyourp2s" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

Output:

   PSParentPath: Microsoft.PowerShell.Security\Certificate::CurrentUser\My

Thumbprint                                Subject                                                                                                                                    
----------                                -------                                                                                                                                    
5FE16DF849DA21B4CXXXXXXXXXXXXXXXXX        CN=mayp2s 

(screenshot: generated certificates in the certificate store)

To export the root certificate, follow this MS Docs guide; in the virtual network gateway, copy the key data and paste it like below:

(screenshot: root certificate public data pasted into the gateway's point-to-site configuration)

Make sure to add the address pool 172.16.31.0/24, save, and download the VPN client. In the downloaded file -> Extract all -> WindowsAmd64 -> Vpn.exe -> Run, and the VPN client will be installed and connected successfully like below:

(screenshot: VPN client installed and connected)

Now, in the app service VNet integration, once refreshed, when I try to add the subnet it associates successfully like below:

(screenshot: app service VNet integration with the subnet associated)

"Gateway does not have point to site address": this error may occur if the VNet does not have point-to-site enabled and a dynamic routing gateway. Ensure you add the address pool of the virtual network gateway and check the firewall settings on the on-premises database server, allowing traffic from the virtual network. Once you have completed these steps, your app service should be able to connect to the on-premises database using the virtual network connection.

To upgrade the SKU from Basic to VpnGw2, check the below. In the Basic SKU, P2S IKEv2/OpenVPN connections, BGP and zone redundancy are not supported.

(screenshot: gateway SKU comparison)

References:

Configure P2S server configuration- Azure VPN Gateway | Microsoft Learn

About Azure Point-to-Site VPN connections | Microsoft Learn

Imran
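The answer above pastes the root certificate's public data into the gateway by hand and leaves the client-side export to a linked guide. As an added example (not Imran's script and not Microsoft's), the PowerShell below carries the whole certificate side of the procedure through end to end: it creates the root and the client certificate, exports only the root's public part as the single Base64 line the gateway's point-to-site "Public certificate data" field expects, exports the client certificate with its private key as a password-protected PFX, and verifies that the client certificate actually chains to the generated root before anything is uploaded. The subject names, output directory and password prompt are placeholders of this example, not values from the page.

```powershell
# Added example, not part of the original answer. Generates a P2S root CA and a
# client certificate signed by it, exports the root's public data for the gateway
# and the client's PFX for the VPN client, and checks the chain.
# Subject names, output paths and the password are placeholders (assumptions).

$rootName   = "P2SRootCert-example"      # placeholder subject name
$clientName = "P2SClientCert-example"    # placeholder subject name
$outDir     = Join-Path $env:TEMP "p2s-certs"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Root certificate: a signing certificate with the CertSign key usage so it
#    can act as the issuer of client certificates. It lands in the user store.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=$rootName" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyUsageProperty Sign -KeyUsage CertSign

# 2. Client certificate issued by that root. The text extension sets the
#    Extended Key Usage (2.5.29.37) to Client Authentication (1.3.6.1.5.5.7.3.2).
$client = New-SelfSignedCertificate -Type Custom -DnsName $clientName -KeySpec Signature `
    -Subject "CN=$clientName" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -Signer $root -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

# 3. Export the root's PUBLIC certificate only (DER, no private key) and
#    Base64-encode it. This single line, without BEGIN/END markers, is what the
#    gateway's P2S "Root certificates" section takes as public certificate data.
#    The root's private key never leaves this machine.
$rootDer    = $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$rootBase64 = [Convert]::ToBase64String($rootDer)
$rootFile   = Join-Path $outDir "root-public.b64.txt"
Set-Content -Path $rootFile -Value $rootBase64 -NoNewline

# 4. Export the client certificate WITH its private key as a password-protected
#    PFX; this is what gets installed on the machine that runs the VPN client.
$pfxPassword = Read-Host -AsSecureString -Prompt "PFX password for the client certificate"
$pfxFile = Join-Path $outDir "client.pfx"
Export-PfxCertificate -Cert $client -FilePath $pfxFile -Password $pfxPassword | Out-Null

# 5. Sanity check before uploading anything: the client certificate must chain
#    to the root we just generated, otherwise the gateway will reject the client.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode     = "NoCheck"                           # self-signed root, no CRL
$chain.ChainPolicy.VerificationFlags  = "AllowUnknownCertificateAuthority"  # root is not in Trusted Roots
$chain.ChainPolicy.ExtraStore.Add($root) | Out-Null
if (-not $chain.Build($client)) {
    throw "client certificate does not chain to the generated root"
}
$topOfChain = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($topOfChain.Thumbprint -ne $root.Thumbprint) {
    throw "chain did not terminate at the generated root"
}

"Root thumbprint   : $($root.Thumbprint)"
"Client thumbprint : $($client.Thumbprint)"
"Root public data  : $rootFile  (paste its contents into the gateway P2S configuration)"
"Client PFX        : $pfxFile   (install on the VPN client machine)"
```

Only the contents of root-public.b64.txt go to Azure; the PFX and the root's private key stay on the machine that generated them. If the check in step 5 fails, the usual cause is that the client certificate was created without -Signer pointing at the intended root, which is exactly the mismatch the last comment in this thread refers to.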
  • Why specifically 172.16.31.0/24? Also, I was able to set up the P2S connection with my App Service, it created its own certificate after adding the VNET. Problem I am facing now is that I am unable to connect to IP address ranges inside the VNET, I was previously connecting to a database on 192.168.x.x and I can't seem to ping the db at all. – Airo May 09 '23 at 15:48
  • Not specifically; you can use any address space. If you are unable to connect to an address range inside the VNet, try to change the address space; maybe the subnet was not added to the virtual network gateway [this](https://i.imgur.com/0l3ZYKT.png) – Imran May 09 '23 at 16:08
  • This is the address space of my vnet subnets - https://i.imgur.com/pmuKHu3.png I am unable to ping anything on 192.168.x.x ports from the app service kudu console. – Airo May 09 '23 at 21:44
  • If you are unable to ping anything on the 192.168.x.x address space from the app service Kudu console, ensure that the point-to-site VPN is correctly configured on your Virtual Network Gateway and that the certificate used by the VPN client matches the certificate installed on your App Service. Verify that the VNet peering is configured correctly. If everything is configured right, then unfortunately you have to fix it via restarting the app service. – Imran May 10 '23 at 12:19