Hey guys, just wondering if anyone has actually deployed Always On VPN or point-to-site VPN in production for multiple endpoints?
Thinking that if all of the infrastructure were in Azure, it would make sense to connect people's devices into the Azure network directly. Sounds good on paper, but has anyone actually done this in production, or do you just rely on a site-to-site VPN to connect?
Wondering about management, learnings from the implementation, etc.
We have our on-premises datacenters and campus connected to and from Azure over a site-to-site VPN gateway. This allows transparent routing, which works great for us!
We also use Azure (Windows) Virtual Desktop and it can connect to and from campus, as well as select Azure services such as Azure Active Directory Domain Services.
The Azure VPN Gateway product runs in active/standby, as do our on-prem firewalls. It has been very reliable (knock on wood) and creates a feeling that Azure is simply an extension of our current network, which was the intended consequence.
We also run SSL VPNs with a Forti appliance. The P2S capability of Azure VPN Gateway doesn’t (didn’t?) provide enough granularity to control which systems a user could or could not access based on their identity.
Not Azure, but in AWS we set up a Linux-instance-based IPsec router in three different regions to connect our five physical offices together in one big VPN, and it was super easy. I'm sure it would be similarly successful and useful in Azure.
I’m implementing this now for a client, but I’m not sure why they want a Windows solution that requires multiple VMs instead of using the Virtual Network gateway that they already have for S2S.
Yes. We’ve implemented both OpenVPN and FortiGate VPN firewalls. FortiGate is a fair bit more expensive but gives you lots of features. You can get them as “appliances” in the Marketplace - ready to deploy.
Another FortiGate here. Two, actually. One runs the user VPN access and one is for the S2S stuff. We are considering using FG for our newest hub vs. the new SKU2 Azure Firewall.
I just wrapped up a P2S gateway implementation with AAD login for authentication. 2/3 of the business is remote with only occasional need for VPN, and this was a great solution for them. It allowed them to eliminate their FortiGate VPN at their corporate HQ, with no need for them to create a S2S VPN between Corp and Azure.
These devices are fully controlled by domain policy and Intune and protected with Defender 365, so state isn't an issue. NAP was intended more for BYOD devices, which could be in any state. These days MDM is designed to take the place of NAP, and only fully trusted devices should VPN; everything else should go through an application gateway of some sort. I personally would like to get rid of the VPNs, but old ways die hard. People who use their personal devices connect through RD Gateway with MFA.