Azure – Running an IPsec client VPN server within Azure

Tags: azure, ipsec, vpn

I'm currently exploring my options for running a client VPN server within Azure. I've examined the Point-to-Site VPN functionality, and it seems to be more of a method for administrators to dial in, rather than a fully-fledged client VPN solution.

One of the remaining options is to run a client VPN server within an Azure VM. Many of the client VPN options make use of IPsec in one way or another, which uses IP protocols other than TCP/UDP for operation (ESP/AH). As far as I can tell, Azure does not allow traffic other than TCP/UDP to your virtual machines. Endpoint-based ACLs only permit you to select TCP or UDP. I've just been investigating Network Security Groups (NSGs) in the hope they may offer a solution, but they also only offer 'TCP', 'UDP' or '*' as a protocol option within ACLs. This leads me to believe that it's not possible to run an IPsec server within Azure. Is this correct, or are there options available that I've not come across? Obviously there are options that only require TCP/UDP (Microsoft SSTP comes to mind), but specifically on the question of IPsec?

As a side-question, what other solutions have people settled on when it comes to providing a client VPN to resources hosted within Azure?

Best Answer

You are correct, only TCP and UDP connections are allowed to Azure virtual machines; they are also severely limited, as in "you can only open single ports and not whole port ranges", which effectively disallows the use of dynamic protocols.

You can work around the latter limitation by using an instance-level public IP, which allows all traffic on all ports to a VM (but be sure to turn on your firewall!); however, this will still only allow TCP and UDP traffic.

The only supported option (at the present time) for client VPN connections is to use Azure's built-in client VPN service, which BTW works fine, as long as you can get a client certificate to each of your clients.

Also, as you said, another option could be using HTTPS tunneling for your VPN server instead of IPsec; HTTPS VPNs (including Windows' SSTP) run on TCP port 443, thus they actually could work on Azure VMs; however, if you want to run a VPN server on an Azure VM, you could run into all sorts of networking issues, because Azure VMs really don't play nice when you try to do something not explicitly supported, especially when networking is involved.
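As an added illustration (not code from the question or the answer above, and not Azure's own evaluation logic), the following Python models the inbound ACL constraints the way the answer describes them: a rule may name only TCP, UDP or '*', '*' is taken here to mean "TCP or UDP" because the answer states only TCP/UDP reaches the VM, a rule covers a single destination port rather than a range, the lowest-priority-number matching rule wins, and anything unmatched is denied. The rule set, priorities and port numbers are constructed for the example, and `rules_for_port_range` is a hypothetical helper that shows what the single-port restriction costs you. Running it against the flows a client VPN needs shows IKE (UDP/500, UDP/4500) and SSTP (TCP/443) passing while ESP and AH never match any rule, even the '*' one, which is the situation the question and answer describe.

```python
"""Toy model of the Azure inbound ACL rules as this page describes them.

Added example; not Azure's own evaluation logic. The protocol choices,
the single-port restriction and the '*' semantics follow the answer above,
so the model is only as accurate as that description.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# IANA IP protocol numbers for the traffic discussed on the page.
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 6, 17, 50, 51
PORTED = {IPPROTO_TCP: "TCP", IPPROTO_UDP: "UDP"}  # the only protocols a rule can name


@dataclass(frozen=True)
class Rule:
    name: str
    priority: int            # lower number is evaluated first
    protocol: str            # "TCP", "UDP" or "*": the only choices the ACL offers
    dst_port: Optional[int]  # one port, or None for any port; ranges are not expressible
    action: str              # "Allow" or "Deny"

    def __post_init__(self) -> None:
        if self.protocol not in ("TCP", "UDP", "*"):
            raise ValueError(f"{self.name}: protocol must be TCP, UDP or *, not {self.protocol!r}")
        if self.action not in ("Allow", "Deny"):
            raise ValueError(f"{self.name}: action must be Allow or Deny")
        if self.dst_port is not None and not 0 <= self.dst_port <= 65535:
            raise ValueError(f"{self.name}: invalid port {self.dst_port}")


@dataclass(frozen=True)
class Packet:
    ip_proto: int
    dst_port: Optional[int] = None  # ESP and AH carry no transport-layer port


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True if the rule applies to the packet under the page's constraints."""
    proto_name = PORTED.get(pkt.ip_proto)
    if proto_name is None:
        # ESP, AH, GRE, ...: no rule can name them, and '*' is modelled as
        # "TCP or UDP" because the answer states only TCP/UDP reaches the VM.
        return False
    if rule.protocol != "*" and rule.protocol != proto_name:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule in priority order wins; inbound default is Deny."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule_matches(rule, pkt):
            return rule.action
    return "Deny"


def rules_for_port_range(prefix: str, first_priority: int, protocol: str,
                         low: int, high: int, action: str = "Allow") -> List[Rule]:
    """Hypothetical helper: with single-port rules only, a range costs one rule per port."""
    if low > high:
        raise ValueError("empty port range")
    return [Rule(f"{prefix}-{port}", first_priority + i, protocol, port, action)
            for i, port in enumerate(range(low, high + 1))]


def example_rules() -> List[Rule]:
    """Constructed rule set for a VM that tries to host IKE/IPsec and SSTP."""
    return [
        Rule("ike", 100, "UDP", 500, "Allow"),
        Rule("nat-t", 110, "UDP", 4500, "Allow"),
        Rule("sstp", 120, "TCP", 443, "Allow"),
        Rule("any", 200, "*", None, "Allow"),  # '*' still never admits ESP/AH in this model
    ]


def vpn_reachability(rules: List[Rule]) -> Dict[str, str]:
    """Verdict for each flow a client VPN on the VM would need to receive."""
    probes = {
        "IKE (UDP/500)": Packet(IPPROTO_UDP, 500),
        "NAT-T (UDP/4500)": Packet(IPPROTO_UDP, 4500),
        "ESP (IP proto 50)": Packet(IPPROTO_ESP),
        "AH (IP proto 51)": Packet(IPPROTO_AH),
        "SSTP (TCP/443)": Packet(IPPROTO_TCP, 443),
    }
    return {name: evaluate(rules, pkt) for name, pkt in probes.items()}


if __name__ == "__main__":
    for flow, verdict in vpn_reachability(example_rules()).items():
        print(f"{flow:20s} {verdict}")
```

The practical reading of the output: IKE negotiation would succeed (UDP reaches the VM) and then the tunnel would fail the moment ESP starts flowing, which is the confusing failure mode a practitioner hits when only the control channel is reachable. If the VPN supports IKE NAT-T with UDP encapsulation of ESP (UDP/4500), that path stays entirely within UDP and is worth testing before giving up on IPsec; SSTP on TCP/443 avoids the problem altogether, as the answer notes.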