Virtual Private Network (VPN) – MyKloud


The following is an excerpt from the chapter "Secure Virtual Network Connectivity over Internet" of the book Exam AZ-500 Study & Lab Guide Part 3: Microsoft Certified Azure Security Engineer Associate.


Introduction to Virtual Private Network

A VPN provides encrypted communication between private networks over a public network such as the Internet. The important point here is that resources in the private networks communicate using private IP addresses across the public network.

A VPN uses the IPSec protocol framework to provide data confidentiality (encryption), data integrity and data origin authentication between the VPN peers or devices.

You can implement a VPN in the following two ways:

  • Site to Site VPN (S2S)
  • Remote Access VPN (P2S)

An S2S VPN uses a VPN device on each side, one in each private network.

A P2S VPN uses VPN client software installed on client computers on one side and a VPN device on the other side, in front of the private network.

The VPN device can be a router, a firewall, an Azure VPN Gateway, or a Linux/Windows server running VPN software.

IPSec Protocol framework

IPSec provides data confidentiality, data integrity and data origin authentication between the VPN peers or devices. IPSec works at the IP layer (Layer 3 of the OSI model) to protect and authenticate IP packets between IPSec devices or peers.

IPSec is a framework of open standards and is not bound to specific algorithms. You can choose encryption and hash algorithms according to your business, compliance and security requirements.

IPSec provides the following services:

Data Confidentiality or Encryption: The sender encrypts the packets before transmitting them across the public network or Internet. This ensures that nobody can read the communication if it is intercepted. Data confidentiality uses an encryption algorithm such as DES, 3DES or AES together with a shared secret key to encrypt the message. To learn more about the shared secret key, read about the Diffie-Hellman (DH) protocol on the next page.

Data Integrity: The receiver can verify that the data which was transmitted was not altered. Data integrity uses a hash algorithm such as Message Digest 5 (MD5) or Secure Hash Algorithm (SHA-1). When a message has to be sent, the message and the shared secret key are passed through the hash algorithm to produce a hash. The generated hash and the encrypted message are sent to the remote VPN peer. At the remote end, the encrypted message is decrypted, and the decrypted message and the shared secret key are passed through the hash algorithm to produce a hash. If the calculated hash and the received hash match, the message was not altered.

Origin Authentication: The receiver can authenticate the packet source. This ensures that packets have come from a trusted source. Origin authentication uses authentication methods such as pre-shared keys and certificates. A pre-shared key must be the same on both VPN devices. The pre-shared key is never sent in clear form over the public network. A hashing algorithm is applied to the pre-shared key to generate a hash, and the hash is then sent to the remote VPN peer over the public network such as the Internet. On the other side, the VPN peer also creates a hash from its pre-shared key with the same hash algorithm. If the two hashes match, the remote peer is authenticated to the local peer.

Note: A message can produce a hash, but a hash cannot reproduce the original message.

Diffie-Hellman (DH) Protocol

The Diffie-Hellman (DH) protocol is a cryptographic protocol which allows VPN peers to generate the same shared secret key independently. The shared secret key is used by the encryption algorithms (DES, 3DES, AES) and hash algorithms (MD5, SHA) to encrypt the message and produce the hash respectively. The shared secret is never exchanged or transmitted over the insecure public network.

Note: The shared secret key and the pre-shared key are different. The shared secret key is used by the encryption and hash algorithms, whereas the pre-shared key is used by the VPN peers to authenticate each other.
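The three services above (DH key agreement, encryption with the derived shared secret, and a keyed hash for integrity) can be seen end to end in the following Python example. It is added here to illustrate the chapter and is not code from the book or from Azure. Assumptions: the DH group 14 prime is copied from RFC 3526; AES is not in the Python standard library, so an HMAC-SHA256 counter-mode keystream stands in for it; key derivation uses labelled SHA-256 where IKE would use its negotiated PRF; the sample message is constructed. The receiver checks the keyed hash before decrypting, so a packet altered in transit is dropped rather than decrypted.

```python
import hashlib
import hmac
import secrets

# Diffie-Hellman group 14 (2048-bit MODP prime, generator 2) from RFC 3526.
# P and G are public; only each peer's private exponent is secret.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2
TAG_LEN = 32  # bytes of HMAC-SHA256 appended to every protected packet

# Constructed sample payload (not real traffic).
SAMPLE_MESSAGE = b"GET /payroll HTTP/1.1  (10.1.0.4 -> 10.2.0.5)"


def dh_public(private_exp):
    """Public value g^x mod p; this is what a peer sends across the Internet."""
    return pow(G, private_exp, P)


def dh_shared_secret(peer_public, private_exp):
    """Raise the peer's public value to the local private exponent. Both peers
    reach the same g^(xy) mod p, and that value is never transmitted."""
    return pow(peer_public, private_exp, P)


def derive_keys(shared_secret):
    """Split the DH secret into an encryption key and an integrity key.
    IKE uses its negotiated PRF for this; labelled SHA-256 stands in here."""
    raw = shared_secret.to_bytes(256, "big")
    return (hashlib.sha256(b"encryption" + raw).digest(),
            hashlib.sha256(b"integrity" + raw).digest())


def keystream_xor(key, seq, data):
    """Stand-in for AES (not in the standard library): HMAC-SHA256 in counter
    mode. The packet sequence number is mixed in so keystream is never reused."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        counter = seq.to_bytes(4, "big") + block.to_bytes(4, "big")
        stream += hmac.new(key, counter, hashlib.sha256).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def protect(enc_key, mac_key, seq, plaintext):
    """Sender: encrypt, then append a keyed hash over sequence number + ciphertext."""
    ciphertext = keystream_xor(enc_key, seq, plaintext)
    tag = hmac.new(mac_key, seq.to_bytes(4, "big") + ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def unprotect(enc_key, mac_key, seq, packet):
    """Receiver: recompute the keyed hash in constant time; decrypt only if it
    matches the received tag, otherwise drop the packet (return None)."""
    ciphertext, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, seq.to_bytes(4, "big") + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return keystream_xor(enc_key, seq, ciphertext)


def run_exchange(a_priv=None, b_priv=None):
    """One DH exchange followed by one protected packet and one tampered copy.
    Private exponents are random unless supplied (tests pass fixed values)."""
    a_priv = a_priv or secrets.randbelow(P - 2) + 1
    b_priv = b_priv or secrets.randbelow(P - 2) + 1
    a_pub, b_pub = dh_public(a_priv), dh_public(b_priv)      # exchanged in clear
    a_secret = dh_shared_secret(b_pub, a_priv)               # computed by peer A
    b_secret = dh_shared_secret(a_pub, b_priv)               # computed by peer B
    enc_key, mac_key = derive_keys(a_secret)
    packet = protect(enc_key, mac_key, 1, SAMPLE_MESSAGE)
    tampered = bytes([packet[0] ^ 0x01]) + packet[1:]        # flip one ciphertext bit
    return {
        "secrets_match": a_secret == b_secret,
        "decrypted": unprotect(*derive_keys(b_secret), 1, packet),
        "tampered": unprotect(*derive_keys(b_secret), 1, tampered),
    }


if __name__ == "__main__":
    print(run_exchange())
```

Note that peer B derives its keys from its own copy of the secret and still decrypts what peer A protected, which is the whole point of DH: the secret exists on both sides without ever crossing the network. The tag is checked with `hmac.compare_digest` so that a forged packet cannot be distinguished by timing.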

The figure below shows the components of the IPSec protocol framework and some of the options available for each component.

VPN Tunneling

VPN connections happen through a secure tunnel. Tunneling is the process of placing an entire packet within another packet before it is transported over the Internet. The outer packet protects the contents from public view and ensures that the packet moves within a virtual tunnel.

This layering of packets is called encapsulation. Computers or other network devices at both ends of the tunnel, called tunnel interfaces, encapsulate outgoing packets and unwrap incoming packets. The network devices at both ends of the tunnel must use the same tunnelling protocol to encapsulate packets.

A tunnelling protocol determines how your data is transmitted between the network devices at both ends of the tunnel. The tunnelling protocol combines the encryption and integrity standards to be used on both sides of the tunnel.
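The encapsulation described above, shown as a worked Python example that is added here and is not from the book: an inner IPv4 packet between two private addresses is placed behind an ESP header (SPI and sequence number) inside an outer IPv4 packet addressed between the two VPN devices, and the receiving tunnel interface unwraps it. Assumptions: the encryption ESP would apply to the inner packet is left out so the layering stays visible; all addresses are from the documentation ranges and the payload is constructed.

```python
import ipaddress
import struct

ESP = 50                    # IP protocol number carried in the outer header for IPsec ESP
IPV4_HDR = "!BBHHHBBH4s4s"  # 20-byte IPv4 header without options


def ipv4_checksum(header):
    """One's-complement sum over 16-bit words. Computed with the checksum field
    zeroed; yields 0 when run over a header that already carries its checksum."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, protocol, payload, ttl=64):
    """Minimal IPv4 packet: fixed 20-byte header followed by the payload."""
    header = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), 0, 0, ttl, protocol, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    header = header[:10] + struct.pack("!H", ipv4_checksum(header)) + header[12:]
    return header + payload


def parse_ipv4(packet):
    """Return header fields and payload; reject a bad version or checksum."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("not a valid IPv4 header")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "ttl": ttl, "protocol": proto, "payload": packet[ihl:total_len]}


def encapsulate(inner_packet, outer_src, outer_dst, spi, seq):
    """Tunnel mode: the whole inner packet (private addresses included) becomes
    the payload of a new outer packet addressed between the two VPN devices.
    An 8-byte ESP header (SPI + sequence number) precedes it; the encryption
    ESP would apply to the inner packet is omitted here to keep the layering visible."""
    return build_ipv4(outer_src, outer_dst, ESP, struct.pack("!II", spi, seq) + inner_packet)


def decapsulate(outer_packet):
    """Receiving tunnel interface: strip the outer IP header and the ESP header."""
    outer = parse_ipv4(outer_packet)
    if outer["protocol"] != ESP:
        raise ValueError("outer packet is not ESP")
    spi, seq = struct.unpack("!II", outer["payload"][:8])
    return spi, seq, outer["payload"][8:]


def tunnel_roundtrip():
    """Constructed example: a packet between two private subnets crosses the
    Internet between two public VPN device addresses (documentation ranges)."""
    inner = build_ipv4("10.1.0.4", "10.2.0.5", 6, b"app data")   # protocol 6 = TCP
    outer = encapsulate(inner, "203.0.113.10", "198.51.100.20", spi=0x1000, seq=1)
    spi, seq, recovered = decapsulate(outer)
    inner_hdr, outer_hdr = parse_ipv4(inner), parse_ipv4(outer)
    return {
        "inner_src_private": ipaddress.ip_address(inner_hdr["src"]).is_private,
        "outer_src": outer_hdr["src"],
        "outer_protocol": outer_hdr["protocol"],
        "roundtrip_ok": recovered == inner,
        "overhead_bytes": len(outer) - len(inner),   # 20-byte outer header + 8-byte ESP header
        "spi": spi,
        "seq": seq,
    }


if __name__ == "__main__":
    print(tunnel_roundtrip())
```

A router on the Internet only ever sees the outer header (public addresses, protocol 50); the private 10.x addresses travel inside the payload, which is why the two sites can keep addressing each other privately.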

Tunnelling Protocol options (Not specific to Azure)

Layer 2 Tunneling Protocol (L2TP/IPSec)

This protocol is a combination of PPTP and the L2F tunnelling protocol. It was created by Cisco Systems. It creates a more secure data tunnel than PPTP, but does not actually have encryption or privacy capabilities. As such, it is bundled with IPSec.

Secure Socket Tunneling Protocol (SSTP)

This protocol was created by Microsoft. It provides a mechanism to transport traffic through an SSL/TLS channel. SSL/TLS provides transport-level security with key negotiation, encryption and traffic integrity checking.

Internet Key Exchange, version 2 (IKEv2)

A newer, more secure version of L2TP. IKEv2 was born from a collaboration between Microsoft and Cisco. Like its predecessor, it is bundled with IPSec.

Generic Routing Encapsulation (GRE)

GRE is a tunneling protocol developed by Cisco Systems that can encapsulate a wide variety of network layer protocols inside virtual point-to-point links or point-to-multipoint links over an Internet Protocol network.

OpenVPN

OpenVPN is open-source software that implements Virtual Private Networks (VPN) to create secure point-to-site or site-to-site connections. OpenVPN allows peers to authenticate each other using a pre-shared secret, keys, certificates or a username/password. OpenVPN uses the OpenSSL library to provide encryption of both the data and control channels. OpenVPN can be extended with third-party plug-ins or scripts. OpenVPN is considered the most secure, offering the same protection as the previously mentioned protocols, but on a greater scale.

Note: Azure S2S VPN uses IKEv2 or IKEv1 Protocol only.

Note: Azure P2S VPN can use IKE or SSTP or OpenVPN Protocol.

Note regarding VPN Tunnelling Protocol – IKEv1 & IKEv2

In this chapter we focus on the VPN tunnelling protocols IKEv1 and IKEv2 from the Azure VPN Gateway point of view, because Azure VPN Gateway supports IKEv1 and IKEv2 for S2S VPN. IKEv2 is the preferred protocol, as it is modern and has more features than IKEv1.

Note: In Azure P2S VPN configuration, Azure VPN Gateway also supports OpenVPN and SSTP protocol.

VPN Tunnelling Protocol: IKEv2

VPN Tunnelling protocol IKEv2 is responsible for establishing a secure tunnel between the VPN client and the VPN server. It does that by first authenticating both the client and the server, and then agreeing on which encryption methods will be used.

IKEv2 handles the process of establishing security attributes between two network entities (in this case, the VPN client and the VPN server). It does that by generating the same symmetric encryption key for both entities. Said key is then used to encrypt and decrypt all the data that travels through the VPN tunnel.

One of the most important benefits of IKEv2 is its ability to reconnect very quickly if your VPN connection gets disrupted.

Step by Step IPSec Working

Step 1: Define interesting traffic

Traffic is deemed interesting when the VPN device recognizes that the traffic you want to send needs to be protected.

Step 2: IKE Phase 1

IKE Phase 1 sets up a secure communication channel between the VPN peers. In this phase the identity of each VPN peer is verified, and a basic set of security services, including the encryption and hashing algorithms to be used, is negotiated and agreed upon between the peers. The DH protocol is used in this phase to generate the shared secret key. This basic set of security services protects all subsequent traffic.

IKE Phase 1 is also called Main Mode.

Step 3: IKE Phase 2

IKE negotiates the IPSec security association (SA) parameters and sets up matching IPSec SAs in both peers. These security parameters are used to protect the data and messages exchanged between the endpoints.

IKE Phase 2 is also called Quick Mode.

Step 4: Data Transfer

Data is transferred between the IPSec peers based on the IPSec parameters and keys stored in the SA database.

Default Cryptographic Algorithms Supported by Azure VPN Gateway

In the default configuration you cannot choose the encryption and hashing algorithms or the DH group according to your business and technical requirements.

The table below shows the combinations of algorithms and parameters that Azure VPN Gateway uses in the default configuration for IKE Phase 1 (Main Mode).

The table below shows the combinations of algorithms and parameters that Azure VPN Gateway uses in the default configuration for IKE Phase 2 (Quick Mode).

Custom Cryptographic Algorithms Supported by Azure VPN Gateway

Using custom IPsec/IKE policy you can choose Encryption and Hash Algorithms as per your Business, Compliance & Security requirements.

The following table lists the supported cryptographic algorithms and key strengths configurable by the customers when creating custom IPsec/IKE policy using PowerShell or Azure Portal. You must select one option for every field.

The options below are only valid when you are creating a custom IPsec/IKE policy.

Important Notes Regarding above table

  1. IKEv2 corresponds to Main Mode or Phase 1.
  2. IPSec corresponds to Quick Mode or Phase 2.
  3. DH Group specifies the Diffie-Hellman group used in Main Mode or Phase 1.
  4. PFS Group specifies the Diffie-Hellman group used in Quick Mode or Phase 2.

Note 1: To know more about Phase 1 or Phase 2 refer to IPSec working.

Note 2: In subsequent pages we have lab exercises on how to create an S2S VPN connection using a custom IPsec/IKE policy.
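The four IPSec steps above and the Phase 1 / Phase 2 mapping of a custom policy can be tied together in one Python model, added here as an illustration (it is not the book's code and does not call Azure). Assumptions: the policy field names (`ike_encryption`, `ike_integrity`, `dh_group`, `ipsec_encryption`, `ipsec_integrity`, `pfs_group`) are chosen for this example to mirror the chapter's mapping; the algorithm strings follow Azure's spelling, but the Azure policy, the two on-premises device profiles and the subnets are all constructed. The model negotiates each phase by taking the initiator's first preference that the responder also accepts, and shows the common failure mode where an on-premises device that only offers DH group 2 cannot complete Phase 1 against a policy requiring group 14.

```python
import ipaddress

# Phase 1 (Main Mode) is negotiated from the IKE fields, Phase 2 (Quick Mode)
# from the IPsec fields, matching the numbered notes in the chapter.
PHASE1_FIELDS = ("ike_encryption", "ike_integrity", "dh_group")
PHASE2_FIELDS = ("ipsec_encryption", "ipsec_integrity", "pfs_group")

# Constructed custom policy on the Azure side: exactly one value per field.
AZURE_CUSTOM_POLICY = {
    "ike_encryption": ["AES256"], "ike_integrity": ["SHA256"], "dh_group": ["DHGroup14"],
    "ipsec_encryption": ["GCMAES256"], "ipsec_integrity": ["GCMAES256"], "pfs_group": ["PFS2048"],
}
# Constructed on-premises device proposals, listed in order of preference.
ONPREM_MODERN = {
    "ike_encryption": ["AES256", "AES128"], "ike_integrity": ["SHA256", "SHA1"],
    "dh_group": ["DHGroup14", "DHGroup2"],
    "ipsec_encryption": ["GCMAES256", "AES256"], "ipsec_integrity": ["GCMAES256", "SHA256"],
    "pfs_group": ["PFS2048", "None"],
}
ONPREM_LEGACY = {
    "ike_encryption": ["AES256"], "ike_integrity": ["SHA256"], "dh_group": ["DHGroup2"],
    "ipsec_encryption": ["AES256"], "ipsec_integrity": ["SHA256"], "pfs_group": ["None"],
}
# Traffic selectors (constructed): Step 1 decides which packets the tunnel protects.
LOCAL_SUBNETS = ["10.1.0.0/16"]    # on-premises address space
REMOTE_SUBNETS = ["10.2.0.0/16"]   # Azure VNET address space


def is_interesting(src, dst):
    """Step 1: traffic is 'interesting' when it flows from a protected local
    subnet to a protected remote subnet; everything else bypasses the tunnel."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return (any(s in ipaddress.ip_network(n) for n in LOCAL_SUBNETS)
            and any(d in ipaddress.ip_network(n) for n in REMOTE_SUBNETS))


def negotiate(fields, initiator, responder):
    """For each field, choose the initiator's first preference that the responder
    also accepts. Returns (agreed, missing); any missing field fails the phase."""
    agreed, missing = {}, []
    for field in fields:
        common = [v for v in initiator.get(field, []) if v in responder.get(field, [])]
        if common:
            agreed[field] = common[0]
        else:
            missing.append(field)
    return agreed, missing


def establish_tunnel(initiator, responder):
    """Steps 2 and 3: Phase 1 must succeed before Phase 2 is even attempted."""
    phase1, missing = negotiate(PHASE1_FIELDS, initiator, responder)
    if missing:
        return {"phase1": None, "phase2": None,
                "error": "Phase 1 (Main Mode) mismatch on " + ", ".join(missing)}
    phase2, missing = negotiate(PHASE2_FIELDS, initiator, responder)
    if missing:
        return {"phase1": phase1, "phase2": None,
                "error": "Phase 2 (Quick Mode) mismatch on " + ", ".join(missing)}
    return {"phase1": phase1, "phase2": phase2, "error": None}


def handle_packet(src, dst, tunnel):
    """Step 4: interesting traffic is protected with the Phase 2 SA. With no SA
    in place it is dropped rather than forwarded in the clear."""
    if not is_interesting(src, dst):
        return "forward in clear (not interesting)"
    if tunnel["phase2"] is None:
        return "drop (no IPsec SA): " + tunnel["error"]
    sa = tunnel["phase2"]
    return "protect with %s/%s, PFS %s" % (
        sa["ipsec_encryption"], sa["ipsec_integrity"], sa["pfs_group"])


if __name__ == "__main__":
    for device in (ONPREM_MODERN, ONPREM_LEGACY):
        tunnel = establish_tunnel(device, AZURE_CUSTOM_POLICY)
        print(tunnel)
        print(handle_packet("10.1.0.4", "10.2.0.5", tunnel))
        print(handle_packet("10.1.0.4", "203.0.113.5", tunnel))
```

When a connection to a custom-policy gateway stays in a not-connected state, the first thing to compare is exactly this per-field intersection for Phase 1, then for Phase 2; the model returns the field that failed to match so the mismatch is visible rather than a generic negotiation failure.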

Azure Virtual Network Hybrid Connectivity over Internet

You can connect a Virtual Network (VNET) to your on-premises networks over the public Internet using Azure VPN Gateway. A VPN gateway is a type of virtual network gateway that sends encrypted traffic across a public connection. The connectivity uses the industry-standard protocols Internet Protocol Security (IPsec) and Internet Key Exchange (IKE).

A VPN gateway connects a VNET to an on-premises network using a Site to Site VPN (S2S) or a Point to Site VPN (P2S). An S2S VPN uses a VPN device on-premises. A P2S VPN uses VPN client software installed on client computers.

The VPN gateway is created in the GatewaySubnet, which is a subnet created in the Azure Virtual Network (VNET).

The figure below shows a virtual network connected to an on-premises datacenter.

Every Azure VPN gateway consists of two instances in an active-standby configuration by default. You have the option to configure active-active.

To learn more about Virtual Private Networks (VPN) in detail, with lab exercises on VPN (S2S VPN, P2S VPN and custom IPSec/IKE policy), refer to the book Exam AZ-500 Study & Lab Guide Part 3: Microsoft Certified Azure Security Engineer Associate.

The Book is now available on Amazon. 
