Securing Web App Using Private Endpoint And Connecting Through Point To Site VPN with Gateway Transit

Introduction

Azure Web Apps - Azure Web Apps (App Service) is a platform-as-a-service offering, built and operated by Microsoft, for hosting web applications. It runs apps written in a range of languages and frameworks, both Microsoft's own and third-party ones.

Hub virtual network: The hub virtual network is the central point of connectivity to your on-premises network (here, to the VPN clients). It is also where shared services can be hosted for consumption by the workloads running in the spoke virtual networks.

Spoke virtual networks: Spoke virtual networks isolate workloads in their own virtual networks, which are managed independently of other spokes. Each workload can have several tiers, each in its own subnet and connected through Azure load balancers.

Virtual network peering: A peering link connects two virtual networks. Once peered, the virtual networks exchange traffic over the Azure backbone with low latency and without needing a router. Peering is non-transitive, which is why the spoke needs gateway transit (Step 6) to make use of the VPN gateway that lives in the hub.

P2S VPN - A point-to-site (P2S) VPN gateway connection lets you establish a secure connection to your virtual network from an individual client computer.

Private Endpoint - A Private Endpoint lets clients in your private network reach your Azure Web App securely over Private Link. The Private Endpoint takes an IP address from your VNet's address space. Traffic between a client on your private network and the Web App travels through the VNet and a Private Link on the Microsoft backbone network, so the app is never exposed to the public Internet.

In this scenario we use an Azure Web App, two VNets arranged as hub and spoke and peered together, a VPN gateway in the hub for the point-to-site VPN, and a Private Endpoint for the Web App in the spoke.

The scenario's architectural diagram is shown below.

I've already created a resource group called Article, and I'll be building the rest of the resources in it one by one.

Step 1 - Creating Hub VNet

Search Virtual Networks

Create virtual network

Next, IP Addresses

So I'm giving the IP address space as 172.160.0.0/24. (Note that 172.160.0.0/24 lies outside the RFC 1918 private ranges; 172.16.0.0/12 only covers 172.16.0.0 to 172.31.255.255. Azure accepts it, but a range such as 172.16.0.0/24 is the conventional choice and avoids overlapping with public addresses.)

Add Subnet

Then Review + Create.

Step 2 - Creating Spoke VNet

Next, IP Addresses

I’m giving the IP Address Space as 10.10.0.0/24

Add Subnet

Next Review + Create

Step 3 - Creating the Azure WebApp

Search App Services

Create

Select Resource Group

Web App Name - myawebapp02

Publish – Code

Runtime Stack – ASP.NET V3.5

Operating System – Windows

Select Region

SKU & Size - Select P1V2

Next Review + Create

Step 4 - Add Gateway Subnet

Search Virtual Networks

Select HubVNet

Navigate to Address Space and Add Additional Address space for the gateway subnet

Save

Navigate to Subnets, click + Gateway subnet (the subnet must be named GatewaySubnet; the portal fills this in), and click Save.

Now You can see the gateway subnet

Step 5 - Virtual Network Gateway

Search virtual network gateway

Create Virtual Network Gateway

The settings this scenario needs are: Gateway type - VPN; VPN type - Route-based (point-to-site requires a route-based gateway); SKU - VpnGw1 or higher (the Basic SKU does not support the IKEv2 tunnel type chosen in Step 7); Virtual network - HubVNet; Public IP address - create new.

Review + Create

Creating the virtual network gateway takes 20 to 40 minutes.

Step 6 - Peering Hub Vnet and Spoke Vnet

Navigate to Virtual Networks and Select Hub Vnet

In HubVNet navigate to Peering’s

Add

For the hub side of the peering, enable "Use this virtual network's gateway or Route Server" (this is gateway transit). For the spoke side, which the same dialog creates, enable "Use the remote virtual network's gateway or Route Server". Leave "Allow virtual network access" and "Allow forwarded traffic" enabled in both directions. The hub's gateway must already exist (Step 5) or the spoke-side option is rejected.

Click Add then it will add the Virtual Network Peering.

Now you can see the peering status as Connected and Gateway transit as Enabled.
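The same peering, built with Az PowerShell instead of the portal, as an added example that is not part of the original walkthrough. It assumes the resource group Article and the VNet names HubVNet and SpokeVNet used here, that the Az.Network module is installed and Connect-AzAccount has been run, and that the hub's VPN gateway from Step 5 already exists.

```powershell
# Added example (not the page's own steps): create the hub/spoke peering with
# gateway transit using Az PowerShell. Assumes resource group "Article" and
# VNets "HubVNet" / "SpokeVNet", and that the hub's VPN gateway already exists
# (Step 5), because -UseRemoteGateways is rejected until the remote gateway is deployed.
Import-Module Az.Network

$rg    = 'Article'
$hub   = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'HubVNet'
$spoke = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'SpokeVNet'

# Hub side: offer the hub's VPN gateway to the spoke (gateway transit).
Add-AzVirtualNetworkPeering `
    -Name 'HubToSpoke' `
    -VirtualNetwork $hub `
    -RemoteVirtualNetworkId $spoke.Id `
    -AllowForwardedTraffic `
    -AllowGatewayTransit | Out-Null

# Spoke side: consume the hub's gateway so P2S clients can reach the spoke.
# A VNet can use only one remote gateway and must not have a gateway of its own.
Add-AzVirtualNetworkPeering `
    -Name 'SpokeToHub' `
    -VirtualNetwork $spoke `
    -RemoteVirtualNetworkId $hub.Id `
    -AllowForwardedTraffic `
    -UseRemoteGateways | Out-Null

# Verify: both links must report PeeringState = Connected, and the flags must
# sit on the correct side. "Initiated" means the reverse link is missing.
foreach ($pair in @(@($hub, 'HubToSpoke'), @($spoke, 'SpokeToHub'))) {
    $p = Get-AzVirtualNetworkPeering -ResourceGroupName $rg `
            -VirtualNetworkName $pair[0].Name -Name $pair[1]
    '{0,-12} state={1,-10} gatewayTransit={2,-5} useRemoteGateways={3}' -f `
        $p.Name, $p.PeeringState, $p.AllowGatewayTransit, $p.UseRemoteGateways
}
```

Because the VPN client profile embeds the routes for the peered VNets at download time, any peering created or changed after the client has been downloaded requires re-downloading and reinstalling the client, as the note at the end of Step 7 says.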

Step 7 - Point to Site VPN

Search Virtual Network Gateway

Select the virtual network gateway created in Step 5

Navigate to Point-to-site configuration and click Configure now

Set the Address pool to 192.168.0.0/24. VPN clients dynamically receive an IP address from this range, so it must not overlap with either VNet's address space or with any network the clients are already on.

Select Tunnel Type as Both SSTP & IKEv2

Authentication Type – Azure Certificate

Leave this page for the moment, create the self-signed root and client certificates as described next, and then come back here.

Create Self-sign root & client certificate

As a first step I am going to create the root certificate. On a Windows 10 machine I can run the following to create it.

Open PowerShell ISE as Administrator and run the PowerShell command below.

# Self-signed root certificate: the trust anchor the VPN gateway will accept client certificates from
$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=ARTICLEROOT" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

This will create root cert and install it under current user cert store.

Then we need to create client certificate. We can do this using

# Client certificate, signed by the root above ($cert); EKU 1.3.6.1.5.5.7.3.2 is Client Authentication
New-SelfSignedCertificate -Type Custom -DnsName ARTICLECLIENT -KeySpec Signature `
    -Subject "CN=ARTICLECLIENT" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

This will create a certificate called ARTICLECLIENT and install it in the same store location.

Now we have certs in place. But we need to export these so we can upload it to Azure.

To export root certificate,

Right-click the root certificate inside the certificates MMC (certmgr.msc, Personal > Certificates).

Click on All Tasks- Export

In private key page, select not to export private key,

Select Base-64 encoded X.509 as export file format.

Complete the wizard and save the cert on pc.

To export the client certificate,

Right-click the client certificate inside the certificates MMC.

Click on All Tasks- Export

In private key page, select Yes export the private key,

In the file format page, leave the default (Personal Information Exchange - PKCS #12 (.PFX)) and click Next

Define password for the pfx file and complete the wizard.

 

Only the root certificate's public data is uploaded to the Azure VPN gateway. The client certificate (.pfx) is installed on each computer that needs a point-to-site connection. Because the .pfx contains the private key, treat it like a credential: protect the password, and prefer issuing one client certificate per user or device, since Azure revokes P2S access per client certificate thumbprint.

Now open the exported root certificate in Notepad,

And Copy the certificate data

When you paste certificate data, do not copy -----BEGIN CERTIFICATE----- & -----END CERTIFICATE----- text.
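The export steps above, done from PowerShell instead of the MMC wizard, as an added example that is not part of the original walkthrough. It assumes the certificates created above (subjects CN=ARTICLEROOT and CN=ARTICLECLIENT, in Cert:\CurrentUser\My), the resource group Article, and a gateway named HubVNetGateway (a hypothetical name; use whatever you entered in Step 5). The final upload needs Az.Network and a Connect-AzAccount session, and can be skipped if you paste the data into the portal instead.

```powershell
# Added example (not the page's own steps): export the certificates created
# above without the MMC wizard, and push the root's public data to the gateway.
# Assumes subjects CN=ARTICLEROOT / CN=ARTICLECLIENT, resource group "Article",
# and a gateway named "HubVNetGateway" (hypothetical; use your Step 5 name).
$outDir = Join-Path $env:USERPROFILE 'p2s-certs'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$root   = Get-ChildItem Cert:\CurrentUser\My | Where-Object Subject -eq 'CN=ARTICLEROOT'   | Select-Object -First 1
$client = Get-ChildItem Cert:\CurrentUser\My | Where-Object Subject -eq 'CN=ARTICLECLIENT' | Select-Object -First 1
if (-not $root -or -not $client) { throw 'Root or client certificate not found in Cert:\CurrentUser\My' }
if ($client.Issuer -ne $root.Subject) { throw 'Client certificate was not signed by ARTICLEROOT' }

# Root: public key only (DER .cer). The root's private key never leaves this machine.
Export-Certificate -Cert $root -FilePath (Join-Path $outDir 'ARTICLEROOT.cer') | Out-Null

# The portal's "Public certificate data" field wants exactly the Base64 body,
# i.e. the PEM file with the BEGIN/END lines removed. RawData is the DER, so
# Base64-encoding it gives that body directly, with no lines to strip.
$rootPublicData = [Convert]::ToBase64String($root.RawData)
Set-Content -Path (Join-Path $outDir 'ARTICLEROOT.base64.txt') -Value $rootPublicData

# Client: private key included (.pfx), protected by a password. Anyone holding
# this file and its password can connect to the VPN as this client.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password for ARTICLECLIENT.pfx'
Export-PfxCertificate -Cert $client -FilePath (Join-Path $outDir 'ARTICLECLIENT.pfx') -Password $pfxPassword | Out-Null

# Optional: upload the root to the gateway instead of pasting it in the portal.
Add-AzVpnClientRootCertificate `
    -ResourceGroupName 'Article' `
    -VirtualNetworkGatewayName 'HubVNetGateway' `
    -VpnClientRootCertificateName 'ARTICLEROOT' `
    -PublicCertData $rootPublicData | Out-Null

# Record the client thumbprint: if the .pfx is lost, this is the value you pass
# to Add-AzVpnClientRevokedCertificate to cut that client off without rotating the root.
"Client thumbprint: $($client.Thumbprint)"
```

The contents of ARTICLEROOT.base64.txt is what goes into the Public certificate data field in the next step; because it is produced from the DER bytes, it already lacks the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines that must not be pasted.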

Now go back to the Point-to-site configuration page in the Azure portal. Under Root certificates, give the certificate a name and paste the certificate data into the Public certificate data field.

Save.

Now download the VPN client (Point-to-site configuration > Download VPN client)

Extract the VPN client package and double-click the VPN client setup. In my case I am using the 64-bit VPN client.

After that, we can see new connection under windows 10 VPN page.

Click on connect to VPN. Then it will open up this new window. Click on Connect in there.

Now you can see HubVNet is Connected.

Now disconnect the VPN so we can check whether the deployed App Service is running by browsing to its URL, which is still public at this point.

Please note: the downloaded VPN client package contains an XML profile with the routes for the hub and its peered VNets. If you add or change a peering later, remove the existing VPN client, download the client again from the portal, and reconnect, otherwise the client will not have a route to the new network.

Step 8 - Private Endpoint

Search App Service

And select the deployed App service

In Overview – Copy the URL

Paste the URL into the web browser and check whether the App Service is running.

Now you can see your app service is up and running

Now we need to secure the App Service with a private endpoint, so that it is no longer reachable from the public Internet and can only be accessed privately.

Navigate to Networking in App Service,

Click Private endpoints

Click ADD

Fill in a name for the endpoint, the subscription, SpokeVNet as the virtual network (the endpoint's private IP will come from 10.10.0.0/24), the subnet, and set "Integrate with private DNS zone" to Yes so the privatelink.azurewebsites.net zone is created and linked to the VNet.

Click OK

It will take 2 to 5 minutes.

Now You can see connection state is Approved.

Back on the Networking tab, Private endpoints should now show On.

Run nslookup against the app's hostname from a machine that uses Azure-provided DNS inside the VNet (or any resolver that can see the privatelink.azurewebsites.net private zone); it returns the private endpoint's name and private IP. From the P2S client, which uses its own DNS servers, the same lookup still returns the public front end; Step 9 deals with that.
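The private endpoint and the DNS zone the portal creates for it, built with Az PowerShell, as an added example that is not part of the original walkthrough. It assumes the resource group Article, the web app myawebapp02, SpokeVNet with a subnet named default (a hypothetical subnet name), HubVNet, and the Az.Network, Az.Websites and Az.PrivateDns modules with a Connect-AzAccount session.

```powershell
# Added example (not the page's own steps): create the private endpoint for the
# web app with Az PowerShell, and set up the privatelink.azurewebsites.net
# private DNS zone that the portal creates when "Integrate with private DNS
# zone" is selected. Assumes resource group "Article", SpokeVNet with a subnet
# named "default" (hypothetical name), HubVNet, and web app "myawebapp02".
Import-Module Az.Network, Az.Websites, Az.PrivateDns

$rg     = 'Article'
$app    = Get-AzWebApp -ResourceGroupName $rg -Name 'myawebapp02'
$spoke  = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'SpokeVNet'
$hub    = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'HubVNet'
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'default' -VirtualNetwork $spoke

# 1. Private endpoint in the spoke, targeting the "sites" sub-resource of the app.
$conn = New-AzPrivateLinkServiceConnection -Name 'myawebapp02-plsc' `
            -PrivateLinkServiceId $app.Id -GroupId 'sites'
$pe = New-AzPrivateEndpoint -ResourceGroupName $rg -Name 'myawebapp02-pe' `
          -Location $spoke.Location -Subnet $subnet -PrivateLinkServiceConnection $conn

# 2. Private DNS zone, linked to BOTH VNets so anything using Azure DNS in the
#    hub or the spoke resolves the app name to the endpoint's private IP.
$zoneName = 'privatelink.azurewebsites.net'
$zone = New-AzPrivateDnsZone -ResourceGroupName $rg -Name $zoneName
foreach ($vnet in @($spoke, $hub)) {
    New-AzPrivateDnsVirtualNetworkLink -ResourceGroupName $rg -ZoneName $zoneName `
        -Name "$($vnet.Name)-link" -VirtualNetworkId $vnet.Id | Out-Null
}

# 3. DNS zone group: Azure writes and maintains the A record for the endpoint,
#    so the record follows the endpoint if its IP ever changes.
$cfg = New-AzPrivateDnsZoneConfig -Name 'privatelink-azurewebsites-net' -PrivateDnsZoneId $zone.ResourceId
New-AzPrivateDnsZoneGroup -ResourceGroupName $rg -PrivateEndpointName $pe.Name `
    -Name 'default' -PrivateDnsZoneConfig $cfg | Out-Null

# 4. Show the private IP (the 10.10.0.x address the rest of the walkthrough
#    refers to) and the connection state, which should be "Approved".
$nic   = Get-AzNetworkInterface -ResourceId $pe.NetworkInterfaces[0].Id
$state = (Get-AzPrivateEndpoint -ResourceGroupName $rg -Name $pe.Name).
            PrivateLinkServiceConnections[0].PrivateLinkServiceConnectionState.Status
"Private IP: $($nic.IpConfigurations[0].PrivateIpAddress)  state: $state"
```

The zone links only affect resolvers inside the VNets. A P2S client resolves names with its own DNS servers, so it still gets the public front end for myawebapp02.azurewebsites.net; that is the reason for the hosts-file workaround in Step 9.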

Now click VNet integration under Outbound Traffic.

Click Add VNet, select HubVNet, and click OK. VNet integration governs the app's outbound traffic into the VNet (it is not required for inbound access through the private endpoint) and needs an empty subnet in HubVNet that it can delegate to Microsoft.Web/serverFarms.

Now you can see the VNet integration status is On.

Step 9 - Verifying Access

Go to the Web App, copy the URL of the application and paste it into the browser with the VPN disconnected. Because the App Service now accepts traffic only through the private endpoint, the public front end answers with Error 403 - Forbidden.

Now try the same with the VPN client connected. The Web App should respond that it is up and running.

Please note: if you still receive a 403 from the P2S client, the client is resolving the hostname through its own DNS servers, which do not see the privatelink.azurewebsites.net private zone, so the request is still reaching the public front end. Add a hosts record pointing the hostname at the private endpoint IP and try again; the Web App will then respond that it is up and running.

Host record - the private IP assigned to the private endpoint is visible on the private endpoint's overview page; in this case it is 10.10.0.5.

Add the host record to C:\Windows\System32\drivers\etc\hosts (as Administrator) as below:

10.10.0.5         myawebapp02.azurewebsites.net
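A check script for this step, as an added example that is not part of the original walkthrough. It assumes the web app name myawebapp02 and the private endpoint IP 10.10.0.5 from this page, and must run as Administrator on the P2S client because it writes the hosts file. It reports what the name resolves to, adds the hosts entry only if resolution still points away from the private endpoint, and then shows the TCP reachability of the endpoint and the HTTP status the app returns.

```powershell
# Added example (not the page's own steps): from the P2S client, check where
# myawebapp02.azurewebsites.net resolves to and what the app answers, adding the
# hosts entry the page describes when resolution still points at the public
# front end. Assumes the web app name and the endpoint IP 10.10.0.5 from the page.
$fqdn      = 'myawebapp02.azurewebsites.net'
$privateIp = '10.10.0.5'
$hostsFile = "$env:SystemRoot\System32\drivers\etc\hosts"

function Get-ResolvedIp([string]$name) {
    # Return the final A record; a CNAME chain through privatelink.azurewebsites.net is expected.
    (Resolve-DnsName -Name $name -Type A -ErrorAction Stop |
        Where-Object QueryType -eq 'A' | Select-Object -First 1).IPAddress
}

function Test-AppAccess([string]$name) {
    # Return the HTTP status code: 403 means Private Link only, 200 means the app answered.
    try {
        return (Invoke-WebRequest -Uri "https://$name/" -UseBasicParsing -TimeoutSec 15).StatusCode
    } catch {
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        throw
    }
}

$ip = Get-ResolvedIp $fqdn
"Resolves to $ip"
if ($ip -ne $privateIp) {
    # The P2S client uses its own DNS servers and never sees the private zone,
    # so pin the name locally to the private endpoint IP.
    $entry = "$privateIp`t$fqdn"
    if (-not (Select-String -Path $hostsFile -Pattern ([regex]::Escape($fqdn)) -Quiet)) {
        Add-Content -Path $hostsFile -Value $entry
        Clear-DnsClientCache
        "Added hosts entry: $entry"
    }
}

# With the VPN disconnected the TCP test fails and the status is 403 (public
# front end). With the VPN connected and the name resolving to 10.10.0.5 the
# TCP test succeeds and the status is 200.
"TCP 443 to $privateIp reachable: $((Test-NetConnection -ComputerName $privateIp -Port 443).TcpTestSucceeded)"
"HTTP status: $(Test-AppAccess $fqdn)"
```

Keep the hostname in the request (the hosts entry, not the bare IP) so that TLS server name matching and the App Service host header both work; browsing to https://10.10.0.5/ directly fails for that reason.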

Summary

We learned how to deploy an Azure Webapp, set up a point-to-site VPN, set up VNet Peering with Gateway Transit, and configure a private endpoint in this tutorial. Please leave a comment in the comment box if you have any questions.

