AZ-700 Study Guide

Domain 1: Core Networking Infrastructure

  • Virtual Networks: Your Cloud Foundation
  • IP Addressing: Public, Private & Prefixes
  • Name Resolution: Azure DNS
  • Routing: UDRs, Route Server & NAT Gateway
  • VNet Peering and Connectivity
  • Network Monitoring and Diagnostics
  • DDoS Protection and Security Posture

Domain 2: Connectivity Services

  • Site-to-Site VPN: Connecting On-Premises
  • Point-to-Site VPN: Remote Access
  • ExpressRoute Fundamentals
  • ExpressRoute: Advanced Features
  • Azure Virtual WAN
  • Choosing Your Hybrid Connection

Domain 3: Application Delivery Services

  • Azure Load Balancer: Layer 4
  • Traffic Manager: DNS-Based Routing
  • Application Gateway: Layer 7
  • Azure Front Door: Global Delivery
  • Choosing the Right Load Balancer

Domain 4: Private Access to Azure Services

  • Private Link and Private Endpoints
  • Private Endpoint DNS
  • Service Endpoints: When and How

Domain 5: Network Security Services

  • NSGs and Application Security Groups
  • Flow Logs, IP Flow Verify & Network Manager Security
  • Azure Firewall: SKUs and Deployment
  • Azure Firewall Manager and Policies
  • Web Application Firewall (WAF)

Domain 2: Connectivity Services (~13 min read)

Point-to-Site VPN: Remote Access

Connect individual devices to Azure VNets with Point-to-Site VPN — tunnel types, authentication methods, Always On VPN, and troubleshooting.


Point-to-Site (P2S) VPN connects individual devices (laptops, tablets) to your Azure VNet — no corporate VPN device needed. It’s perfect for remote workers who need access to Azure resources.

☕ Simple explanation

A point-to-site VPN connects a single computer to your Azure network — like giving someone a personal key to a specific building. Where site-to-site connects entire networks, point-to-site connects individual devices. A remote worker opens a VPN client, authenticates, and gets secure access to Azure resources.

Point-to-Site VPN creates an encrypted tunnel from an individual client to an Azure VPN Gateway. It supports three tunnel types (OpenVPN, IKEv2, SSTP) and three authentication methods (Azure certificate, RADIUS, Microsoft Entra ID); Entra ID authentication works only over OpenVPN. Typical uses: remote workers, developers, and supplementing a Site-to-Site VPN.

Tunnel Types

P2S Tunnel Type Comparison

Feature           | OpenVPN                                   | IKEv2                                      | SSTP
------------------|-------------------------------------------|--------------------------------------------|------------------------
Protocol          | TLS-based (TCP 443)                       | IPsec (UDP 500/4500)                       | TLS-based (TCP 443)
Windows           | Yes                                       | Yes                                        | Yes
macOS             | Yes                                       | Yes                                        | No
Linux             | Yes                                       | Yes (strongSwan)                           | No
iOS / Android     | Yes                                       | Yes                                        | No
Firewall-friendly | Yes (looks like HTTPS on TCP 443)         | Often blocked (UDP 500/4500 must be open)  | Yes (looks like HTTPS on TCP 443)
Entra ID auth     | Yes, the only tunnel type that supports it | No                                        | No
Max connections   | SKU dependent (up to 10,000; quota shared with IKEv2) | SKU dependent (up to 10,000; quota shared with OpenVPN) | 128, regardless of SKU
Performance       | Good                                      | Best (native IPsec)                        | Good

The Basic gateway SKU is the exception to the "SKU dependent" rows: it supports only SSTP for P2S (no IKEv2, no OpenVPN, no RADIUS), so any cross-platform or Entra ID requirement rules it out.

Exam Tip: If the question mentions Entra ID authentication, the answer is always OpenVPN — it’s the only tunnel type that supports it. If the question mentions SSTP, remember it’s Windows-only and limited to 128 connections. For cross-platform support, OpenVPN or IKEv2 are the choices.

Authentication Methods

Method            | How it works                                                                  | Best for
------------------|-------------------------------------------------------------------------------|----------------------------------------------------------
Azure certificate | Root CA public certificate uploaded to the gateway; client certs installed on devices | Small deployments, no RADIUS infrastructure
RADIUS            | VPN Gateway forwards authentication to your RADIUS server (NPS, etc.)         | Existing RADIUS infrastructure, MFA via the NPS extension
Entra ID          | Users sign in with Entra ID credentials; supports Conditional Access          | Modern auth, MFA, Conditional Access (OpenVPN only)

Certificate Authentication — The 5 Steps

  1. Generate a self-signed root CA certificate (or use an enterprise CA)
  2. Export the root certificate's public key as a Base64-encoded .cer file and upload its contents to the Azure VPN Gateway (the root's private key stays with you and is never uploaded)
  3. Generate client certificates from the root CA (one per user/device)
  4. Install client certificates on each connecting device (including the private key)
  5. Download and install the VPN client configuration from the Azure portal

When a client connects, the VPN Gateway validates that the client certificate was signed by the uploaded root CA. If it matches, the connection is established.

Revoking access: Upload individual client certificate thumbprints to the gateway’s revocation list. Revoking the root certificate disconnects all clients.
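The five steps and the revocation step above, done with OpenSSL on any platform, as an added example (this is not the study guide's own material, and it is a separate route from the Windows New-SelfSignedCertificate procedure that Microsoft Learn documents). It assumes only that openssl 1.1.1 or 3.x is on PATH; the directory, certificate subjects and .pfx password are constructed placeholders. The last function is the check the gateway performs at connect time, which is also the first thing to run when a client "can't connect at all".

```shell
#!/bin/sh
# Added example (not the study guide's tooling): P2S certificate authentication
# material generated with OpenSSL. Assumes "openssl" is on PATH; all names,
# subjects and the password are placeholders.

set -eu

# Minimal request config, so the system openssl.cnf (whose defaults differ
# between distributions) never influences which extensions end up in the certs.
p2s_req_cfg() {  # usage: p2s_req_cfg <CN>
    printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\n' "$1"
    printf '[v3_ca]\nbasicConstraints = critical,CA:TRUE\n'
    printf 'keyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n'
    printf '[v3_client]\nbasicConstraints = CA:FALSE\nextendedKeyUsage = clientAuth\n'
}

# Step 1: self-signed root CA. Its private key stays with whoever issues clients.
p2s_make_root() {  # usage: p2s_make_root <dir> <name> <CN>
    mkdir -p "$1"
    p2s_req_cfg "$3" > "$1/$2.cnf"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
        -config "$1/$2.cnf" -extensions v3_ca \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Step 2: the "public certificate data" the gateway asks for is the Base64 body
# of the root certificate, i.e. the PEM file without BEGIN/END lines or breaks.
p2s_root_public_data() {  # usage: p2s_root_public_data <dir> <rootname>
    sed -e '/-----/d' "$1/$2.crt" | tr -d '\n'
}

# Steps 3 and 4: one client certificate per user/device, signed by the root and
# bundled with its private key as a password-protected .pfx for that device.
p2s_issue_client() {  # usage: p2s_issue_client <dir> <rootname> <clientname> <pfx-password>
    p2s_req_cfg "$3" > "$1/$3.cnf"
    openssl req -new -newkey rsa:2048 -nodes -config "$1/$3.cnf" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$1/$3.csr" \
        -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
        -extfile "$1/$3.cnf" -extensions v3_client -out "$1/$3.crt" 2>/dev/null
    # OpenSSL 3 writes AES/PBKDF2 bundles; add -legacy if an old importer rejects the file.
    openssl pkcs12 -export -in "$1/$3.crt" -inkey "$1/$3.key" \
        -certfile "$1/$2.crt" -out "$1/$3.pfx" -passout "pass:$4"
}

# SHA-1 thumbprint in the form the gateway's revoked-certificates list takes:
# 40 hex characters, no colons or spaces.
p2s_thumbprint() {  # usage: p2s_thumbprint <cert.crt>
    openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2 | tr -d ':'
}

# What the gateway checks at connect time: does the client certificate chain to
# the uploaded root? Exit status 0 if it does, non-zero otherwise.
p2s_verify_client() {  # usage: p2s_verify_client <dir> <rootname> <clientname>
    openssl verify -CAfile "$1/$2.crt" "$1/$3.crt" >/dev/null 2>&1
}

# Demo on a scratch directory (constructed data).
WORK=$(mktemp -d)
p2s_make_root "$WORK" root P2SRootCert
p2s_issue_client "$WORK" root alice 'ChangeMe-1'
printf 'Root public data to upload:\n%s\n' "$(p2s_root_public_data "$WORK" root)"
printf 'Thumbprint to revoke alice later: %s\n' "$(p2s_thumbprint "$WORK/alice.crt")"
p2s_verify_client "$WORK" root alice && echo "alice.crt chains to the uploaded root"
```

Upload the printed public data as the root certificate on the gateway, hand alice.pfx (with its password) to the device, and keep the thumbprint on record so the single certificate can be revoked later without touching the root.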

Entra ID Authentication

☁️ Elena’s scenario: Skyline Logistics wants P2S VPN with Conditional Access — users must pass MFA and connect from compliant devices only. Entra ID auth makes this possible.

Setup steps:

  1. Register the Azure VPN enterprise application in your tenant by granting it admin consent (this is what "enabling" it means in practice)
  2. Configure the VPN Gateway with the Entra ID values: tenant (https://login.microsoftonline.com/{TenantID}/), audience (the application ID of the Azure VPN app) and issuer (https://sts.windows.net/{TenantID}/)
  3. Choose OpenVPN as the tunnel type (required for Entra ID)
  4. Users download the Azure VPN Client and sign in with their Entra ID credentials

Conditional Access bonus: Because auth goes through Entra ID, you can apply Conditional Access policies — require MFA, require compliant device, block risky sign-ins, restrict by location. This is a major advantage over certificate auth.

ℹ️ RADIUS Authentication Deep Dive

RADIUS (Remote Authentication Dial-In User Service) is the traditional enterprise auth method:

How it works:

  1. Client connects to VPN Gateway
  2. Gateway forwards credentials to your RADIUS server (e.g., Windows NPS)
  3. RADIUS server validates against Active Directory
  4. RADIUS returns Accept or Reject

MFA with RADIUS: Install the Azure MFA NPS Extension on your RADIUS server. When a user connects:

  • NPS validates AD credentials
  • MFA extension triggers a phone call, push notification, or TOTP verification
  • Only after both succeed does the VPN connect

When to choose RADIUS:

  • You already have NPS infrastructure
  • You need to authenticate against on-premises AD directly
  • You need MFA but can’t use Entra ID (e.g., OpenVPN not an option for legacy clients)

Limitation: Two RADIUS servers maximum per gateway for HA.

VPN Client Configuration

After configuring the gateway, you download a VPN client profile package:

Client           | Configuration
-----------------|------------------------------------------------------------------------
Windows (native) | Import the VPN profile; IKEv2 and SSTP are supported natively
Azure VPN Client | Required for OpenVPN with Entra ID auth; supports Windows and macOS
OpenVPN client   | Works on all platforms; import the .ovpn file from the download package
strongSwan       | Linux IKEv2 client

P2S address pool: You must configure a non-overlapping address range for P2S clients (e.g., 172.16.201.0/24). Connected clients get IPs from this pool. This range must not overlap with your VNets or on-premises ranges.
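An added example (not the study guide's own tooling) that serves both the Entra ID setup steps above and this address-pool rule: a pre-flight check that refuses the combinations the guide warns about (Entra ID without OpenVPN, more than 128 SSTP clients, a client pool that overlaps a VNet or on-premises range), followed by the Azure CLI call that creates an Entra ID + OpenVPN gateway. Resource names, the tenant ID and the address ranges are constructed placeholders; the audience value must be replaced with the Azure VPN application ID from Microsoft Learn; and the az command is only executed when P2S_APPLY=1 is set and the Azure CLI is logged in, otherwise it is printed.

```shell
#!/bin/sh
# Added example (not the study guide's tooling): P2S pre-flight checks plus the
# Azure CLI call for an Entra ID + OpenVPN gateway. Assumes "az" is installed
# and logged in only when P2S_APPLY=1. All names and ranges are placeholders.

set -eu

# Dotted-quad IPv4 address -> integer.
p2s_ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Exit 0 if two CIDR ranges share at least one address, 1 otherwise. Each range
# is aligned to its network boundary first, so 172.16.201.5/24 is 172.16.201.0/24.
p2s_cidr_overlap() {  # usage: p2s_cidr_overlap <a/bits> <b/bits>
    a_bits=${1#*/}; b_bits=${2#*/}
    a_size=$(( 1 << (32 - a_bits) )); b_size=$(( 1 << (32 - b_bits) ))
    a_lo=$(( $(p2s_ip2int "${1%/*}") / a_size * a_size )); a_hi=$(( a_lo + a_size - 1 ))
    b_lo=$(( $(p2s_ip2int "${2%/*}") / b_size * b_size )); b_hi=$(( b_lo + b_size - 1 ))
    [ "$a_lo" -le "$b_hi" ] && [ "$b_lo" -le "$a_hi" ]
}

# The constraints to check before anything is created:
#   - Entra ID (AAD) authentication is supported only on the OpenVPN tunnel type
#   - SSTP is capped at 128 concurrent clients regardless of SKU
#   - the client pool must not overlap any VNet or on-premises range
# usage: p2s_preflight <tunnel> <auth> <expected-clients> <pool> <range>...
p2s_preflight() {
    tunnel=$1; auth=$2; clients=$3; pool=$4; shift 4
    if [ "$auth" = AAD ] && [ "$tunnel" != OpenVPN ]; then
        echo "preflight: Entra ID auth requires OpenVPN, not $tunnel" >&2; return 1
    fi
    if [ "$tunnel" = SSTP ] && [ "$clients" -gt 128 ]; then
        echo "preflight: SSTP allows at most 128 connections, $clients expected" >&2; return 1
    fi
    for range in "$@"; do
        if p2s_cidr_overlap "$pool" "$range"; then
            echo "preflight: client pool $pool overlaps $range" >&2; return 1
        fi
    done
    return 0
}

# Gateway creation for the Entra ID + OpenVPN scenario. The tenant and issuer
# use the documented URL forms; AUDIENCE is the application ID of the Azure VPN
# enterprise app, which must already have admin consent in the tenant (step 1).
p2s_gateway_cmd() {
    cat <<EOF
az network vnet-gateway create \\
  --resource-group "$RG" --name "$GW" --location "$LOC" \\
  --vnet "$VNET" --public-ip-address "$PIP" \\
  --gateway-type Vpn --vpn-type RouteBased --sku VpnGw2 \\
  --address-prefixes "$POOL" \\
  --client-protocol OpenVPN \\
  --vpn-auth-type AAD \\
  --aad-tenant "https://login.microsoftonline.com/$TENANT_ID/" \\
  --aad-audience "$AUDIENCE" \\
  --aad-issuer "https://sts.windows.net/$TENANT_ID/"
EOF
}

# Constructed inputs for the demo (override via the environment).
RG=${RG:-rg-skyline-net}; GW=${GW:-vgw-skyline}; LOC=${LOC:-westeurope}
VNET=${VNET:-vnet-hub}; PIP=${PIP:-pip-vgw-skyline}
TENANT_ID=${TENANT_ID:-00000000-0000-0000-0000-000000000000}
AUDIENCE=${AUDIENCE:-"<azure-vpn-app-id-from-microsoft-learn>"}
POOL=172.16.201.0/24        # P2S client pool
VNET_CIDR=10.10.0.0/16      # hub VNet
ONPREM_CIDR=192.168.0.0/16  # on-premises range reachable over S2S

p2s_preflight OpenVPN AAD 300 "$POOL" "$VNET_CIDR" "$ONPREM_CIDR"
if [ "${P2S_APPLY:-0}" = 1 ]; then
    eval "$(p2s_gateway_cmd)"
else
    echo "preflight passed; set P2S_APPLY=1 to run:"; p2s_gateway_cmd
fi
```

The overlap check is the part worth keeping around: a pool that collides with a VNet or on-premises prefix does not fail at gateway creation time, it shows up later as clients that connect but cannot reach the overlapping subnet.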

Always On VPN

Always On VPN keeps the VPN connection active at all times — the user doesn’t have to manually connect.

Requirements:

  • Windows 10/11 Enterprise or Education edition (the device tunnel additionally requires a domain-joined machine)
  • IKEv2 tunnel type (SSTP and OpenVPN don’t support Always On)
  • Device tunnel (connects before user sign-in, using machine certificates)
  • User tunnel (connects after sign-in, can use any auth method)

Device tunnel enables scenarios like pre-logon access to domain controllers for Group Policy and credential validation.

Azure Network Adapter

A simpler alternative for connecting individual Windows servers:

  • Uses Windows Admin Center
  • Creates a P2S connection to Azure without full VPN Gateway configuration
  • Self-signed certificate generated automatically
  • Useful for quickly connecting a single on-prem server to Azure

Troubleshooting P2S Issues

Symptom                             | Common cause                                       | Fix
------------------------------------|----------------------------------------------------|-----------------------------------------------------------
Client can't connect at all         | Client cert not issued by the uploaded root CA     | Verify the cert chain; re-export and reinstall the client cert
Connected but can't reach resources | DNS not resolving Azure private names              | Configure VPN client DNS settings or use split DNS
Connection drops frequently         | Idle timeout                                       | Increase the idle timeout on the gateway; enable keepalives
"Certificate revoked" error         | Client cert thumbprint is on the revocation list   | Remove the thumbprint from the revocation list or issue a new cert
"Authentication failed" (Entra ID)  | Azure VPN app not granted consent                  | Admin-consent the Azure VPN enterprise app in Entra ID
Slow performance                    | All traffic routed through the VPN (full tunnel)   | Consider split tunneling for non-Azure traffic, accepting that this traffic then bypasses any inspection on the Azure side

Key Takeaways

  • OpenVPN is the only tunnel type supporting Entra ID authentication
  • SSTP is Windows-only and limited to 128 connections
  • Certificate auth: root cert on gateway, client certs on devices
  • Entra ID auth enables Conditional Access policies (MFA, compliant devices)
  • Always On VPN requires IKEv2 and Windows Enterprise/Education

Test Your Knowledge

Question

Which P2S tunnel type supports Entra ID authentication?


Answer

OpenVPN only. Neither IKEv2 nor SSTP support Entra ID authentication. OpenVPN uses TLS on port 443 and is the most versatile tunnel type.


Question

What is the maximum number of P2S connections for SSTP?


Answer

128 connections maximum, regardless of VPN Gateway SKU. This is a hard limit. For more connections, use OpenVPN or IKEv2.


Question

What are the requirements for Always On VPN?


Answer

Windows 10/11 Enterprise or Education, IKEv2 tunnel type, device tunnel (machine cert, connects before sign-in) and/or user tunnel (connects after sign-in).


Question

How do you revoke a single user's P2S certificate access?


Answer

Add the individual client certificate's thumbprint to the gateway's certificate revocation list. Do not revoke the root certificate unless you want to disconnect ALL clients.



Knowledge Check

Elena wants P2S VPN with Conditional Access requiring MFA and compliant devices. Which configuration must she use?

Knowledge Check

A P2S client connects successfully but cannot resolve Azure VM hostnames. What's the most likely cause?


Next up: ExpressRoute Fundamentals — Private, dedicated connectivity to Azure that doesn’t traverse the public internet.


© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.