Azure App Service - Add VNET Connection - How to setup a Point-To-Site address for app service


BACKGROUND: I have set up a Virtual Network connection in Azure to a local on-premise database. We are connecting an app service (web page) to a local on-premise database; a page is retrieving data from this on-premise database. It kept giving errors every week, and the only way to fix it would be restarting the app service, and it would magically work again.

ISSUE: I wanted to try to upgrade the SKU from Basic to VpnGw2 to possibly solve the issue where our app service would lose connection to our on-premise database. I set it up the same way I had before, but it is asking for a Point-To-Site connection on the VNet Connection (screenshot below: "VNet Point-to-Site error").

QUESTION: I am not sure how to set up a Point-to-Site configuration with an Azure app service. I am required to enter certificate data; how do I generate a certificate on my Azure App Service that can be used for this? Or am I doing something wrong? From what I am reading online, a point-to-site is usually configured for a single machine; I haven't seen anything in regards to an actual app service being configured. Should I use "Generate certificates for point-to-site using PowerShell" via my Web Service Kudu console?

Some guides I've been using:

- Configure server settings for P2S VPN Gateway connections - certificate authentication - Azure portal
- VNet - Point-to-Site configuration


There is 1 answer

Imran On

To set up a Point-to-Site configuration with an Azure app service using a certificate, check the workaround below:

I have created an app service and a virtual network gateway, and created a virtual network. Once you add your virtual network, it takes a gateway subnet address range like below:


To generate a point-to-site certificate, make use of the PowerShell script below:

# Root certificate: self-signed, kept in the current user's personal store.
# Its public key (not the private key) is what gets pasted into the gateway.
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=Nameofyourp2s" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

# Client certificate: signed by the root above ($cert) and marked with the
# Client Authentication EKU (1.3.6.1.5.5.7.3.2) that the VPN gateway checks.
New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
    -Subject "CN=Nameofyourp2s" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

Output:

   PSParentPath: Microsoft.PowerShell.Security\Certificate::CurrentUser\My

Thumbprint                                Subject                                                                                                                                    
----------                                -------                                                                                                                                    
5FE16DF849DA21B4CXXXXXXXXXXXXXXXXX        CN=mayp2s 


To export the root certificate, follow this MS Docs guide; then, in the virtual network gateway, copy the key data and paste it like below:

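The export step above, as an added example that is not part of Imran's answer: it writes the root certificate's public key in the Base64 form the gateway's root-certificate field expects (never the private key), and checks that the client certificate actually chains to that root and carries the client-authentication EKU before you hand it out. It assumes the two certificates were created with the script above, so the root subject "CN=Nameofyourp2s" is used as the filter; change it to match your own names.

```powershell
# Added example (not from the original answer). Assumes the root/client pair was
# created by the New-SelfSignedCertificate script above in Cert:\CurrentUser\My.
$rootSubject = 'CN=Nameofyourp2s'

# The root is the self-signed one (issuer == subject); the client is the one it signed.
$root = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Subject -eq $rootSubject -and $_.Issuer -eq $_.Subject } |
    Select-Object -First 1
$client = Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.Issuer -eq $root.Subject -and $_.Thumbprint -ne $root.Thumbprint } |
    Select-Object -First 1
if (-not $root -or -not $client) { throw 'Root or client certificate not found in Cert:\CurrentUser\My' }

# RawData is the DER-encoded public certificate only; Base64 of it is exactly the
# text between the BEGIN/END lines of an exported .cer, which the gateway accepts.
$rootBase64 = [Convert]::ToBase64String($root.RawData)
Set-Content -Path "$env:USERPROFILE\P2SRootCert.txt" -Value $rootBase64
Write-Host "Root public key ($($rootBase64.Length) chars) written to P2SRootCert.txt"

# Verify the client chains to this root. The root is self-signed and not in the
# Trusted Root store, so supply it via ExtraStore and allow an unknown CA.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
[void]$chain.ChainPolicy.ExtraStore.Add($root)
$built = $chain.Build($client)
$topThumb = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Thumbprint
if (-not ($built -and $topThumb -eq $root.Thumbprint)) {
    throw "Client certificate does not chain to the exported root: $($chain.ChainStatus.StatusInformation)"
}

# The gateway authenticates clients by the Client Authentication EKU set with -TextExtension.
$eku = $client.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if (-not ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.2')) {
    throw 'Client certificate lacks the Client Authentication EKU (1.3.6.1.5.5.7.3.2)'
}

# New-SelfSignedCertificate defaults to a one-year lifetime; an expired root or
# client silently breaks P2S, so flag anything within 30 days of NotAfter.
foreach ($c in @($root, $client)) {
    if ($c.NotAfter -lt (Get-Date).AddDays(30)) {
        Write-Warning "$($c.Subject) [$($c.Thumbprint)] expires on $($c.NotAfter)"
    }
}
Write-Host "Client $($client.Thumbprint) chains to root $($root.Thumbprint) - OK"
```

Keep the root's private key off the VPN clients: anyone holding it can mint further client certificates that the gateway will trust, so export only a password-protected .pfx of the client certificate to the machine that needs it.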

Make sure to add the address pool 172.16.31.0/24, save, and download the VPN client. In the downloaded file -> Extract all -> WindowsAmd64 -> Vpn.exe -> Run, and the VPN client will be installed and connected successfully like below:


Now, in the app service VNet integration, once refreshed, when I try to add the subnet it associates successfully like below:


"Gateway does not have point to site address": this error may occur if the VNet does not have Point-to-Site enabled and a dynamic routing gateway. Ensure you add the address pool of the virtual network gateway, and check the firewall settings on the on-premises database server, allowing traffic from the virtual network. Once you have completed these steps, your app service should be able to connect to the on-premises database using the virtual network connection.

To upgrade the SKU from Basic to VpnGw2, check this below. In the Basic SKU, P2S IKEv2/OpenVPN connections, BGP and zone redundancy are not supported.


References:

Configure P2S server configuration - Azure VPN Gateway | Microsoft Learn

About Azure Point-to-Site VPN connections | Microsoft Learn