Azure – Remove access from an Azure VNet with a Point-To-Site VPN connection


I've established a VNet on Azure with various associated site-to-site and point-to-site connections, more or less like it says here, and it's all working, so far, so good.

But let's say that I've got half a dozen employees accessing a DB server sitting inside the VNet, all coming in through different point-to-site connections.

So how do I remove access for any of those folks? If one of those employees gets fired or quits, ideally, I'd just want to deactivate their account. But that's not how the Azure point-to-site VPN works: you're not coming in using an account, but rather, using an X.509 certificate. Is it possible to deactivate that certificate somehow? Or…? What's the best way to handle this situation? I've searched through the Azure VNet/VPN documentation, and if it's in there anywhere, I've apparently missed it.

Best Answer

The following article has a full explanation of the process involved: Technet. However, the following details the basic steps.

Download Azure Management Certificate

Get-AzurePublishSettingsFile

Import Azure Management Certificate

Import-AzurePublishSettingsFile "${env:USERPROFILE}\Documents\Azure.publishsettings"

Select Azure Subscription

$subscriptionName = (Get-AzureSubscription).SubscriptionName | Out-GridView -Title "Select Azure Subscription" -PassThru

Select-AzureSubscription -SubscriptionName $subscriptionName

Get Azure subscription information

$subscription = Get-AzureSubscription $subscriptionName -ExtendedDetails

$certificate = $subscription.Certificate

$subscriptionId = $subscription.SubscriptionId

Select Azure VNet for which to manage VPN certificates

$azureVNet = (Get-AzureVNetSite).Name | Out-GridView -Title "Select Azure VNet" -PassThru

Import saved copy of user's VPN client certificate

$certPassword = Read-Host "Enter VPN client certificate password" -AsSecureString

Import-PfxCertificate -FilePath "${env:USERPROFILE}\Documents\Azure\P2S VPN\VPN01Client.pfx" -CertStoreLocation Cert:CurrentUser\My -Exportable -Password $certPassword

Select VPN client certificate to Revoke

$vpnCertThumbprint = (Get-ChildItem Cert:\CurrentUser\My | Out-GridView -Title "Select VPN certificate to revoke" -PassThru).Thumbprint

Build web request header

$requestHeader = @{"x-ms-version" = "2012-03-01"}

Revoke a VPN Client Certificate

$revokeVPNCertUri = "https://management.core.windows.net/$subscriptionId/services/networking/$azureVNet/gateway/clientcertificates/$vpnCertThumbprint"

$response = Invoke-RestMethod -Uri $revokeVPNCertUri -Certificate $certificate -Method Post -Headers $requestHeader

Confirm Revoked VPN Client Certificates

$listRevokedVPNCertUri = "https://management.core.windows.net/$subscriptionId/services/networking/$azureVNet/gateway/clientcertificates"

$response = Invoke-RestMethod -Uri $listRevokedVPNCertUri -Certificate $certificate -Method Get -Headers $requestHeader

$response.ClientCertificates.Thumbprint
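The revoke-and-verify steps above wrapped as functions, added here as an example and not taken from the answer; it assumes the classic Service Management endpoint and x-ms-version header shown above, and the function names, parameters and sample paths are my own.

```powershell
# Added example (not the original answer's code). Revocation needs only the
# client certificate's thumbprint, which can be read from the public .cer kept
# on record when the certificate was issued; the user's .pfx and private key
# are not required.
function Get-ClientCertThumbprint {
    param([Parameter(Mandatory)][string]$CerPath)
    $x509 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
    return $x509.Thumbprint
}

function Revoke-P2SClientCertificate {
    param(
        [Parameter(Mandatory)][string]$SubscriptionId,
        [Parameter(Mandatory)][string]$VNetName,
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$ManagementCertificate
    )
    $header  = @{ "x-ms-version" = "2012-03-01" }
    $baseUri = "https://management.core.windows.net/$SubscriptionId/services/networking/$VNetName/gateway/clientcertificates"

    # Thumbprints are hex; strip spaces/colons from a pasted value so it matches the gateway's form.
    $tp = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # POST to the thumbprint URI revokes the client certificate on the gateway.
    Invoke-RestMethod -Uri "$baseUri/$tp" -Certificate $ManagementCertificate -Method Post -Headers $header | Out-Null

    # Do not treat the user as offboarded until the gateway lists the thumbprint as revoked.
    $revoked = (Invoke-RestMethod -Uri $baseUri -Certificate $ManagementCertificate -Method Get -Headers $header).ClientCertificates.Thumbprint
    $ok = ($null -ne $revoked) -and ($revoked -contains $tp)
    if (-not $ok) { Write-Warning "Thumbprint $tp is not in the gateway's revoked certificate list" }
    return $ok
}

# Usage with constructed path and the variables set in the earlier steps
# ($subscriptionId, $azureVNet, $certificate):
# $tp = Get-ClientCertThumbprint -CerPath "C:\issued-certs\jdoe-vpn.cer"
# Revoke-P2SClientCertificate -SubscriptionId $subscriptionId -VNetName $azureVNet -Thumbprint $tp -ManagementCertificate $certificate
```

Keeping a record of each issued client certificate's thumbprint at issue time is what makes this per-user revocation possible later without needing anything from the departed employee.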