July 9, 2025
In this post and video, we review an affordable option for creating a Point-to-Site VPN connection to an Azure virtual network using the Basic VPN Gateway. If you’re looking for a simple, budget-friendly way to connect individual clients securely to Azure—perfect for labs, testing, or small deployments—this guide is for you.
Understanding VPNs in Azure: Site-to-Site vs Point-to-Site
There are two main types of VPN connections available. The Site-to-Site VPN securely connects entire networks, like an on-premises environment to an Azure virtual network. The Point-to-Site VPN, however, is designed for individual clients, such as laptops, connecting securely to your Azure network over the internet.

In my previous video, I covered how to deploy a site-to-site VPN using the Basic VPN Gateway. This video and post will focus on establishing a point-to-site VPN using the same Basic VPN Gateway SKU.

What Is an Azure VPN Gateway?
An Azure VPN Gateway is essentially the endpoint that creates and manages VPN tunnels. Azure offers several VPN Gateway SKUs, each providing different levels of bandwidth, features, and price points. Higher SKUs support availability zones and come with additional authentication options and better performance.
Microsoft plans to retire the older VPN Gateway SKUs (VPNGw1 through VPNGw5) by September 2026 and replace them with availability zone–supported versions.
For this tutorial, we’re using the Basic VPN Gateway SKU—the most affordable option. It comes with some limitations, primarily in performance and authentication options, supporting only certificate-based client authentication. Because of these constraints, it’s best suited for labs or very small deployments rather than production.
Also, unlike other SKUs, the Basic SKU cannot be deployed through the Azure Portal; you’ll need to use PowerShell or Azure CLI. I created a PowerShell script that automates this deployment, which we’ll walk through step by step below. (You’ll find a link to the script at the end of this post.)
Key Deployment Considerations
Before deploying, there are a few important prerequisites and settings to understand:
- GatewaySubnet: The VPN Gateway requires a dedicated subnet named “GatewaySubnet” within your virtual network. For the Basic SKU, this subnet must be at least a /29; all other SKUs require a /27. I recommend making the IP address range larger to leave room for future growth.
- Client IP Address Pool: You need to specify a private IP address range to assign to VPN clients when they connect. Make sure this range does not overlap with the address space of the VPN gateways’ virtual network or peered virtual networks. I also suggest avoiding common home network ranges such as 192.168.x.x to reduce IP conflicts.
- Authentication Options: The Basic VPN Gateway only supports certificate-based authentication. You can either use an internal PKI if your organization has one, purchase certificates from a trusted Certificate Authority (CA), or create self-signed certificates for free—this example uses self-signed certificates.
- Public IP Address: The VPN Gateway requires a public IP address. Azure is retiring the Basic Public IP SKU at the end of September 2025, but it may still be required for the Basic VPN Gateway at the time of writing. The PowerShell script used to deploy the VPN Gateway defaults to a Standard Public IP SKU. If your deployment fails, you can adjust the script to use a Basic Public IP SKU.
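The client pool overlap rule above is easy to get wrong once peerings are involved, so here is a pre-flight check you can run before touching the gateway. This is an added example, not code from the post or from the author’s New-azBasicVPNGateway.ps1 script; the first four functions are pure IPv4 arithmetic and run offline, and the Az.Network wrapper at the end assumes Az.Network is installed and Connect-AzAccount has already been run. The VNet and peering names in the sample data are constructed for illustration.

```powershell
# Added example (not from the post): check a planned point-to-site client pool against the gateway
# VNet's address space, every peered VNet's remote address space, and the home-LAN range the post warns about.

function ConvertTo-AddressNumber {
    # Dotted-quad IPv4 string -> unsigned 32-bit value carried in a [long]
    param([Parameter(Mandatory)][string]$Ip)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    return ([long]$b[0] -shl 24) -bor ([long]$b[1] -shl 16) -bor ([long]$b[2] -shl 8) -bor [long]$b[3]
}

function Get-CidrRange {
    # First and last address numbers covered by an IPv4 CIDR block
    param([Parameter(Mandatory)][string]$Cidr)
    if ($Cidr -notmatch '^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$') { throw "Not an IPv4 CIDR: $Cidr" }
    $ip, $prefixText = $Cidr.Split('/')
    $prefix = [int]$prefixText
    if ($prefix -gt 32) { throw "Invalid prefix length in $Cidr" }
    $all   = [long][uint32]::MaxValue
    $mask  = ($all -shl (32 - $prefix)) -band $all      # network bits set, host bits clear
    $start = (ConvertTo-AddressNumber $ip) -band $mask
    $end   = $start -bor ($all -bxor $mask)             # fill the host bits
    return [pscustomobject]@{ Cidr = $Cidr; Start = $start; End = $end }
}

function Test-CidrOverlap {
    param([Parameter(Mandatory)][string]$A, [Parameter(Mandatory)][string]$B)
    $ra = Get-CidrRange $A
    $rb = Get-CidrRange $B
    return ($ra.Start -le $rb.End) -and ($rb.Start -le $ra.End)
}

function Find-ClientPoolConflicts {
    # $Prefixes: objects with Source and Cidr properties (from Azure or constructed by hand)
    param([Parameter(Mandatory)][string]$ClientPool, [Parameter(Mandatory)][object[]]$Prefixes)
    $conflicts = @()
    foreach ($p in $Prefixes) {
        if ($p.Cidr -match ':') { continue }   # IPv6 prefixes are out of scope for this IPv4-only check
        if (Test-CidrOverlap $ClientPool $p.Cidr) {
            $conflicts += "$ClientPool overlaps $($p.Cidr) ($($p.Source))"
        }
    }
    return $conflicts
}

function Get-VNetPrefixesForP2S {
    # The VNet's own address space plus the remote address space of every peering (requires Az.Network)
    param([Parameter(Mandatory)][string]$ResourceGroupName, [Parameter(Mandatory)][string]$VNetName)
    $vnet = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $ResourceGroupName
    $list = @()
    foreach ($cidr in $vnet.AddressSpace.AddressPrefixes) {
        $list += [pscustomobject]@{ Source = $vnet.Name; Cidr = $cidr }
    }
    foreach ($peer in $vnet.VirtualNetworkPeerings) {
        foreach ($cidr in $peer.RemoteVirtualNetworkAddressSpace.AddressPrefixes) {
            $list += [pscustomobject]@{ Source = "peering $($peer.Name)"; Cidr = $cidr }
        }
    }
    # Not an Azure range, but the post recommends staying clear of it to avoid clashes with home LANs
    $list += [pscustomobject]@{ Source = 'typical home LAN'; Cidr = '192.168.0.0/16' }
    return $list
}

# Constructed sample data (no real infrastructure): a hub VNet, one peered spoke, and the home-LAN range
$sample = @(
    [pscustomobject]@{ Source = 'hub-vnet';         Cidr = '10.0.0.0/16' },
    [pscustomobject]@{ Source = 'peering to-spoke'; Cidr = '10.1.0.0/16' },
    [pscustomobject]@{ Source = 'typical home LAN'; Cidr = '192.168.0.0/16' }
)
Find-ClientPoolConflicts -ClientPool '10.0.200.0/24' -Prefixes $sample   # a pool carved out of the hub range
Find-ClientPoolConflicts -ClientPool '172.20.0.0/24' -Prefixes $sample   # the pool suggested later in the post

# Against a live VNet (placeholder names):
# Find-ClientPoolConflicts -ClientPool '172.20.0.0/24' -Prefixes (Get-VNetPrefixesForP2S -ResourceGroupName 'MyResourceGroup' -VNetName 'MyVNet')
```

An empty result means the pool is clear of everything the gateway will route to; any line returned names the address space that would collide, so you can pick a different pool before clients start receiving unreachable addresses.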
What We’ll Do in This Tutorial
Here’s a quick overview of the steps we’ll cover:
- Use a PowerShell script to create the GatewaySubnet and deploy the Basic VPN Gateway.
- Generate and export a self-signed root certificate and a client certificate.
- Configure the Point-to-Site VPN settings on the Azure VPN Gateway using the certificates.
- Configure the client by importing the client certificate and installing the VPN client.
- Test connectivity to the Azure virtual network and a peered virtual network.
Step-by-Step Demo: Deploying a Basic VPN Gateway and Point-to-Site VPN
1. Deploy the Basic VPN Gateway
- Skip this step if you already have a VPN Gateway.
- The Basic SKU can only be deployed using PowerShell or Azure CLI. Use the PowerShell script linked below to deploy the gateway.
- Gather these values from your existing virtual network in the Azure portal:
- Virtual Network resource group name
- Virtual Network name
- An unused IP range for the new GatewaySubnet (at least /29, recommended larger)
- Run the script using a command similar to:
.\New-azBasicVPNGateway.ps1 -rgName "MyResourceGroup" -vnetName "MyVNet" -gwName "MyVPNGateway" -addressPrefix "10.0.1.0/24"
- The script verifies you have the required PowerShell modules and that you’re logged in with an account with the appropriate permissions.
- The script will create a public IP address and the gateway subnet.
- Once the script completes, verify in the portal that:
- The GatewaySubnet exists in your VNet
- The VPN Gateway and public IP are deployed (confirm SKU is Basic)
- If the deployment fails, the script removes the Basic VPN Gateway, public IP address, and gateway subnet it created.
- If it fails due to Standard Public IP SKU incompatibility, rerun the script with the -standard IP parameter set to $false to use a Basic Public IP SKU.
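For readers who want to see what the deployment involves without opening the linked script, here is a condensed version of the same sequence. It is an added example written for this post, not the author’s New-azBasicVPNGateway.ps1, and it assumes Az.Accounts and Az.Network are installed and you are signed in with Connect-AzAccount. The function and parameter names are my own; the resource names passed in are placeholders.

```powershell
# Added example (not the author's script): deploy a Basic-SKU VPN Gateway with Az.Network, and roll
# back the public IP and GatewaySubnet it created if the gateway deployment fails.

function New-BasicP2SGateway {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$ResourceGroupName,
        [Parameter(Mandatory)][string]$VNetName,
        [Parameter(Mandatory)][string]$GatewayName,
        [Parameter(Mandatory)][string]$GatewaySubnetPrefix,   # at least /29 for the Basic SKU
        [ValidateSet('Standard', 'Basic')][string]$PublicIpSku = 'Standard'   # retry with 'Basic' if Standard is rejected
    )

    # Pre-flight: module present and a signed-in context
    if (-not (Get-Module -ListAvailable -Name Az.Network)) { throw 'Az.Network is not installed (Install-Module Az).' }
    if (-not (Get-AzContext)) { throw 'No Azure context; run Connect-AzAccount first.' }

    $vnet     = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $ResourceGroupName
    $location = $vnet.Location
    $pipName  = "$GatewayName-pip"
    $subnetCreated = $false
    $pip = $null

    try {
        # The gateway must live in a subnet literally named GatewaySubnet
        if (-not ($vnet.Subnets | Where-Object Name -eq 'GatewaySubnet')) {
            Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix $GatewaySubnetPrefix -VirtualNetwork $vnet | Out-Null
            $vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
            $subnetCreated = $true
        }
        $subnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet

        # Standard public IPs must be static; Basic public IPs may be dynamic
        $alloc = if ($PublicIpSku -eq 'Standard') { 'Static' } else { 'Dynamic' }
        $pip = New-AzPublicIpAddress -Name $pipName -ResourceGroupName $ResourceGroupName -Location $location `
                                     -Sku $PublicIpSku -AllocationMethod $alloc

        $ipConfig = New-AzVirtualNetworkGatewayIpConfig -Name "$GatewayName-ipconfig" -SubnetId $subnet.Id -PublicIpAddressId $pip.Id

        # GatewaySku Basic is not offered in the portal; RouteBased is required for point-to-site
        $gw = New-AzVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroupName -Location $location `
                                          -IpConfigurations $ipConfig -GatewayType Vpn -VpnType RouteBased -GatewaySku Basic
        return $gw
    }
    catch {
        Write-Warning "Gateway deployment failed: $($_.Exception.Message). Removing what was created."
        Remove-AzVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroupName -Force -ErrorAction SilentlyContinue
        if ($pip) {
            Remove-AzPublicIpAddress -Name $pipName -ResourceGroupName $ResourceGroupName -Force -ErrorAction SilentlyContinue
        }
        if ($subnetCreated) {
            $vnet = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $ResourceGroupName
            Remove-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet | Out-Null
            Set-AzVirtualNetwork -VirtualNetwork $vnet | Out-Null
        }
        throw
    }
}

# Usage (placeholder names; expect the gateway to take a while to provision):
# New-BasicP2SGateway -ResourceGroupName 'MyResourceGroup' -VNetName 'MyVNet' -GatewayName 'MyVPNGateway' -GatewaySubnetPrefix '10.0.1.0/24'
# New-BasicP2SGateway ... -PublicIpSku Basic    # if the Standard public IP is refused for the Basic gateway
```

The rollback in the catch block matters: a half-created GatewaySubnet or an orphaned public IP will make the next attempt fail for a different reason, so cleaning up on failure keeps the retry simple.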
2. Create the Self-Signed Certificates
- On a Windows machine, use PowerShell to create a self-signed root certificate (required for the VPN). The code is linked below.
# Create self-signed root cert (its public part is uploaded to the gateway; it signs the client certs)
$params = @{
    Type              = 'Custom'
    Subject           = 'CN=P2SRootCert'
    KeySpec           = 'Signature'
    KeyExportPolicy   = 'Exportable'
    KeyUsage          = 'CertSign'
    KeyUsageProperty  = 'Sign'
    KeyLength         = 2048
    HashAlgorithm     = 'sha256'
    NotAfter          = (Get-Date).AddMonths(24)
    CertStoreLocation = 'Cert:\CurrentUser\My'
}
$cert = New-SelfSignedCertificate @params
- Create a client certificate signed by the root certificate.
# Create client cert signed by the root cert above ($cert)
$params = @{
    Type              = 'Custom'
    Subject           = 'CN=P2SClientCert'
    DnsName           = 'P2SClientCert'
    KeySpec           = 'Signature'
    KeyExportPolicy   = 'Exportable'
    KeyLength         = 2048
    HashAlgorithm     = 'sha256'
    NotAfter          = (Get-Date).AddMonths(24)
    CertStoreLocation = 'Cert:\CurrentUser\My'
    Signer            = $cert
    # Extended Key Usage: Client Authentication (1.3.6.1.5.5.7.3.2)
    TextExtension     = @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')
}
New-SelfSignedCertificate @params
- Export the root certificate (.cer) and the client certificate (.pfx).
- Save both certificates; they are used in the upcoming steps.
3. Configure the Point-to-Site Settings on the VPN Gateway
- In the Azure Portal, open your Basic VPN Gateway and open Point-to-site configuration.
- Add an IP address pool for clients (e.g., 172.20.0.0/24).
- Open the root certificate with a text editor such as Notepad. Copy the text between “BEGIN CERTIFICATE” and “END CERTIFICATE”. Add the root certificate data to the point-to-site configuration.

- Save the configuration. It will take a few minutes for it to apply.
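The export and the portal steps in sections 2 and 3 can be done from PowerShell as well, which also shows exactly which bytes the gateway wants: the root certificate’s Base64 body with the BEGIN/END lines stripped. The following is an added example, not code from the post, and it assumes the two certificates were created with the commands above (subjects CN=P2SRootCert and CN=P2SClientCert, in Cert:\CurrentUser\My), that Az.Network is installed and you are signed in, and that MyVPNGateway and MyResourceGroup are placeholders for your own names. The last two lines cover the revocation case the Final Thoughts section raises, using Azure’s point-to-site revoked-certificate list.

```powershell
# Added example (not from the post): export the root cert (.cer and PEM), export the client cert as a
# password-protected .pfx, then apply the client pool and root certificate to the gateway with Az.Network.

$outDir = Join-Path $env:USERPROFILE 'Desktop'
$root   = Get-ChildItem -Path 'Cert:\CurrentUser\My' | Where-Object Subject -eq 'CN=P2SRootCert'   | Select-Object -First 1
$client = Get-ChildItem -Path 'Cert:\CurrentUser\My' | Where-Object Subject -eq 'CN=P2SClientCert' | Select-Object -First 1
if (-not $root -or -not $client) { throw 'Root or client certificate not found in Cert:\CurrentUser\My.' }

# 1) Root certificate: public part only. Export-Certificate writes DER; the gateway wants the Base64 body.
Export-Certificate -Cert $root -FilePath (Join-Path $outDir 'P2SRootCert.cer') | Out-Null
$rootBase64 = [Convert]::ToBase64String($root.RawData)    # single line, no BEGIN/END markers

# Also write a PEM copy; this is the text you would otherwise open in Notepad and copy between the markers
$wrapped = (($rootBase64 -split '(.{64})') -ne '') -join "`r`n"
$pem = "-----BEGIN CERTIFICATE-----`r`n$wrapped`r`n-----END CERTIFICATE-----"
Set-Content -Path (Join-Path $outDir 'P2SRootCert.pem') -Value $pem -Encoding ascii

# 2) Client certificate with its private key, protected by a password you are prompted for
$pfxPassword = Read-Host -Prompt 'Password for P2SClientCert.pfx' -AsSecureString
Export-PfxCertificate -Cert $client -FilePath (Join-Path $outDir 'P2SClientCert.pfx') -Password $pfxPassword | Out-Null

# 3) Point-to-site configuration on the gateway (same settings as the portal steps)
$gwName = 'MyVPNGateway'       # placeholder
$rgName = 'MyResourceGroup'    # placeholder
$gw = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rgName
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -VpnClientAddressPool '172.20.0.0/24' | Out-Null
Add-AzVpnClientRootCertificate -VpnClientRootCertificateName 'P2SRootCert' -VirtualNetworkGatewayName $gwName `
                               -ResourceGroupName $rgName -PublicCertData $rootBase64 | Out-Null

# 4) Later, to cut off one client (for example a departed user) without rotating the root cert,
#    add its thumbprint to the gateway's revoked list. Keep a record of which thumbprint went to whom.
Write-Host "Client thumbprint to record for revocation: $($client.Thumbprint)"
# Add-AzVpnClientRevokedCertificate -VpnClientRevokedCertificateName 'P2SClientCert' -VirtualNetworkGatewayName $gwName `
#                                   -ResourceGroupName $rgName -Thumbprint $client.Thumbprint
```

Two points worth keeping in mind: the .pfx carries the private key, so treat it like a password and delete the exported copy once it is imported on the client; and because a self-signed root has no CRL, the revoked-certificate list on the gateway is the only way to disable a single client short of replacing the root and re-issuing every certificate.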
4. Configure the VPN Client on Your Machine
- Download the VPN client package from the Point-to-site configuration page.

- Copy the VPN client package and the client certificate (.pfx) to the VPN Client workstation.
- Import the client certificate on your client machine (using the .pfx file).
- Double-click on the file to import.
- Extract the package and run the appropriate installer (e.g., Windows 64-bit).
- Configure the VPN connection in Windows using the installed client.
5. Test VPN Connectivity
- Connect the VPN client to your Azure VPN Gateway by going to VPN under Network and Internet settings.

- Test connectivity by pinging a VM’s private IP in the Azure virtual network.
- If the VPN gateway virtual network is peered, test connectivity to the peered virtual networks.
- Monitor active VPN sessions in the Azure Portal under the VPN Gateway’s monitoring section.

Final Thoughts on Using the Basic VPN Gateway for Point-to-Site Connections
The Basic VPN Gateway is a great learning tool or quick solution for labs and small environments. However, it’s not ideal for production use. Managing self-signed certificates can quickly become complicated as the number of users grows, especially when you need to revoke access for departing employees.
Another major drawback is that the Basic VPN requires local administrator rights on client machines to establish a connection, which is often unacceptable in enterprise environments.
If you need a more robust, scalable, and secure client VPN solution, the Standard VPN Gateway SKUs support additional authentication methods such as Entra ID integration and RADIUS with Active Directory. These features make managing client access much easier and more secure.
Thanks for reading! I hope this guide helps you understand how to set up a point-to-site VPN in Azure with the Basic VPN Gateway. If you want to see the full walkthrough, check out the video linked below. Feel free to leave questions or comments—I’m here to help!
Links
A Beginner’s Guide to the AZ-900
https://www.udemy.com/course/beginners-guide-az-900/?referralCode=C74C266B74E837F86969
Zero to Hero with Azure Virtual Desktop
https://www.udemy.com/course/zero-to-hero-with-windows-virtual-desktop/?referralCode=B2FE49E6FCEE7A7EA8D4
Hybrid Identity with Windows AD and Azure AD
https://www.udemy.com/course/hybrid-identity-and-azure-active-directory/?referralCode=7F62C4C6FD05C73ACCC3
Windows 365 Enterprise and Intune Management
https://www.udemy.com/course/windows-365-enterprise-and-intune-management/?referralCode=4A1ED105341D0AA20D2E
New-azBasicVPNGateway.ps1 Script
https://github.com/tsrob50/CiraltosTools/tree/main/Networking
Basic Public IP SKU and Standard IP Information
https://learn.microsoft.com/en-us/azure/vpn-gateway/basic-public-ip-migrate-about?WT.mc_id=AZ-MVP-5004159#can-i-create-a-basic-sku-vpn-gateway-with-a-basic-sku-public-ip-address-after-march-31-2025
Basic VPN Gateway Current Support
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq?WT.mc_id=AZ-MVP-5004159#is-the-vpn-gateway-basic-sku-also-retiring
Mapping old SKUs to new SKUs
https://learn.microsoft.com/en-us/azure/vpn-gateway/gateway-sku-consolidation?WT.mc_id=AZ-MVP-5004159#mapping-old-skus-to-new-skus
The post Azure Point-to-Site VPN Setup with Basic VPN Gateway | Full Deployment Guide appeared first on Ciraltos.