Setting up Azure’s P2S VPN Gateway with PowerShell -Part 1/3

Arlan Nugara
4 min readApr 4, 2022

Azure’s Point-to-Site (P2S) VPN gateway connection creates a secure connection to an Azure virtual network’s (VNet) resources from an individual client computer. A VPN gateway is created on its own subnet in an Azure VNet, and then configured to allow P2S connections. No VPN physical device is required and there are minimal, if any, changes required to be made to the on-prem network. A P2S VPN connection is established by starting it from the client computer. It is possible to also route a P2S VPN through a secure Azure VPN Gateway — but the software VPN Gateway is within the Azure subscription, not in the on-prem network.

The P2S VPN network connection is outlined in a red box in this diagram — note that P2S and Site to Site (S2S) VPN Gateways can co-exist within an On-Prem network with Azure Express Route:

A P2S solution is useful for connecting to Azure VNets from a remote location or when there are only a few clients that need to access an Azure VNet’s resources. We use a P2S connection as a proof-of-concept (POC) for a .Net Web App hosted within an Azure VM webserver to be able to connect to an on-prem Sql Database.

The following cmdlets and process flow is from an excellent article in Azure Documentation, Configure a Point-to-Site connection to a VNet using native Azure certificate authentication: PowerShell with detailed explanations for each of the following steps — we’ve just put it all together in an easy to follow list of PowerShell cmdlets to run sequentially in an elevated Windows PowerShell ISE session, to quickly set up a P2S Gateway — after changing the variables for each use case.

Download Zip of POSH cmdlets

There is also an ARM Quickstart Template Point-to-Site Gateway that will quickly provision a P2S Gateway on Azure for you covering Steps 2–7 below!

Azure Deployment Model: ARM
Client Authentication: P2S native Azure certification
Gateway SKU: VpnGw1
Client OS: Windows 10 Pro

PowerShell Steps for Creating P2S Connection:

1. Log in to Azure and set variables
2. Configure a VNet
3. Create the VPN Gateway
4. Add the VPN client address pool


  • An active Azure Subscription
  • The most current version of Resource Manager PowerShell cmdlets installed. Installation info here.

1. Login to Azure and set variables


Select-AzureRmSubscription -SubscriptionName "<subscriptionname>"

Declare Variables:

$VNetName = "VNet2"
$FESubName = "FrontEnd"
$GWSubName = "GatewaySubnet"
$VNetPrefix1 = ""
$FESubPrefix = ""
$GWSubPrefix = ""
$VPNClientAddressPool = ""
$RG = "VNet2-RG"$Location = "Canada Central"
$GWName = "VNet2GW"
$GWIPName = "VNet2GW-PIP"

2. Configure a VNet:

#A. Create a Resource Group

New-AzureRmResourceGroup -Name $RG -Location $Location

#B. Create Subnet configurations — prefixes must be part of the declared VNet address spaces

$fesub = New-AzureRmVirtualNetworkSubnetConfig -Name $FESubName -AddressPrefix $FESubPrefix
$gwsub = New-AzureRmVirtualNetworkSubnetConfig -Name $GWSubName -AddressPrefix $GWSubPrefix

#C. Create virtual network

New-AzureRmVirtualNetwork -Name $VNetName -ResourceGroupName $RG `
-Location $Location -AddressPrefix $VNetPrefix `
-Subnet $fesub, $gwsub

#D. Specify the variables for the virtual network just created

$vnet = Get-AzureRmVirtualNetwork -Name $VNetName -ResourceGroupName $RG 
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet

#E. Request a dynamically assigned public IP address

$pip = New-AzureRmPublicIpAddress -Name $GWIPName -ResourceGroupName $RG -Location $Location -AllocationMethod Dynamic
$ipconf = New-AzureRmVirtualNetworkGatewayIpConfig -Name $GWIPconfName -Subnet $subnet -PublicIpAddress $pip

3. Create the Azure VPN Gateway

This can take up to 45 minutes according to documentation. For us, its never taken more than 15 minutes.

New-AzureRmVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG -Location $Location `
-IpConfigurations $ipconf -GatewayType Vpn `
-VpnType RouteBased -EnableBgp $false -GatewaySku VpnGw1 `
-VpnClientProtocol "IkeV2"

4. Add the VPN client address pool

This is done after the VPN Gateway has been created — and before trying to upload an exported root certificate for authentication.

$Gateway = Get-AzureRmVirtualNetworkGateway -ResourceGroupName $RG -Name $GWNameSet-AzureRmVirtualNetworkGateway -VirtualNetworkGateway $Gateway `
-VpnClientAddressPool $VPNClientAddressPool