Securing Web App Using Private Endpoint And Connecting Through Point To Site VPN with Gateway Transit


Azure Webapps - Microsoft built and operates Azure Web Apps, a cloud computing-based platform for hosting websites. It's a platform as a service that lets you create Web apps that operate on a variety of frameworks and are written in a variety of programming languages, including Microsoft's own and third-party ones.

Hub virtual network: The hub virtual network is the hub of your on-premises network's connectivity. It's a location where services can be hosted that can be consumed by the various workloads running on the spoke virtual networks.

Spoke virtual networks: Spoke virtual networks isolate workloads in their own virtual networks that are controlled independently of other spokes. Each workload could have many layers, each connected via Azure load balancers to numerous subnets.

Virtual network peering: A peering link is used to connect two virtual networks. Peering connections between virtual networks are non-transitive and have a low latency. The virtual networks exchange traffic via the Azure backbone without the requirement for a router once they've been peering..

P2S VPN - A VPN gateway connection that is point-to-site (P2S) allows you to establish a secure connection to your virtual network from a single client machine.

Private Endpoint - You can use Private Endpoint to allow clients in your private network to safely access your Azure Web App using Private Link. An IP address from your Azure VNet address space is used by the Private Endpoint. Traffic between a client on your private network and the Web App is routed through the VNet and a Private Link on the Microsoft backbone network, avoiding public Internet exposure.

We're utilizing an Azure Web App, two Vnets as Hub and Spoke, and peering both VNets, as well as a VPN Gateway for Point to Site VPN and a Private Endpoint in this case.

The scenario's architectural diagram is shown Below,

I've already created a Resource Group called Article, and I'll be building the rest of the resources one by one.

Step 1 - Creating Hub VNet

Search Virtual Networks

Create virtual network

Next IP Address

So I'm giving the IP Address Space as

Add Subnet

Then Review + Create.

Step 2 - Creating Spoke VNet

Next IP Address

I’m giving the IP Address Space as

Add Subnet

Next Review + Create

Step 3 - Creating the Azure WebApp

Search App Services


Select Resource Group

Web App Name - myawebapp02

Publish – Code

Runtime Stack – ASP.NET V3.5

Operating System – Windows

Select Region

SKU & Size - Select P1V2

Next Review + Create

Step 4 - Add Gateway Subnet

Search Virtual Networks

Select HubVNet

Navigate to Address Space and Add Additional Address space for the gateway subnet


Navigate to subnet

Select Gateway Subnet

Click Save

Now You can see the gateway subnet

Step 5 - Virtual Network Gateway

Search virtual network gateway

Create Virtual Network Gateway

Select the below highlighted criteria’s,

Review + Create

This will take 20-40min to create the Virtual Network Gateway

Step 6 - Peering Hub Vnet and Spoke Vnet

Navigate to Virtual Networks and Select Hub Vnet

In HubVNet navigate to Peering’s


Select the values as Highlighted,

Click Add then it will add the Virtual Network Peering.

Now you can see the peering status as Connected and Gateway Transit Enabled.

Step 7 - Point to Site VPN

Search Virtual Network Gateway

Select the Create Virtual Network Gateway

Navigate to Point to site Configuration and Configure now

Select the Address Pool – (This address pool will use for VPN Client and VPN clients dynamically receive an IP address from the range that you specify)

Select Tunnel Type as Both SSTP & IKEv2

Authentication Type – Azure Certificate

Now leave this and create self-signed root and client certificate and get back to here.

Create Self-sign root & client certificate

As first step I am going to create root certificate. In Windows 10 machine I can run this to create root cert first.

Open Powershell ISE as run as Admin and run the below powershell command.

$cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature `

-Subject "CN=ARTICLEROOT" -KeyExportPolicy Exportable `

-HashAlgorithm sha256 -KeyLength 2048 `

-CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

This will create root cert and install it under current user cert store.

Then we need to create client certificate. We can do this using

New-SelfSignedCertificate -Type Custom -DnsName REBELCLIENT -KeySpec Signature `

-Subject "CN=ARTICLECLIENT" -KeyExportPolicy Exportable `

-HashAlgorithm sha256 -KeyLength 2048 `

-CertStoreLocation "Cert:\CurrentUser\My" `

-Signer $cert -TextExtension @("{text}")

This will create cert called REBELCLIENT and install in same store location.

Now we have certs in place. But we need to export these so we can upload it to Azure.

To export root certificate,

Right click on root cert inside certificate mmc.

Click on All Tasks- Export

In private key page, select not to export private key,

Select Base-64 encoded X.509 as export file format.

Complete the wizard and save the cert on pc.

 To export client certificate,

Right click on root cert inside certificate mmc.

Click on All Tasks- Export

In private key page, select Yes export the private key,

In file format page, leave the default as following and click Next

Define password for the pfx file and complete the wizard.


Only root cert will use in Azure VPN, client certificate can install on other computers or Clients which need Point to site connections.

Now open the exported root certificate as Notepad,

And Copy the certificate data

When you paste certificate data, do not copy -----BEGIN CERTIFICATE----- & -----END CERTIFICATE----- text.

Now go to the Azure portal where the configure now Point to site has ended, and under the Root Certificate Tab, give the certificate a name and paste the certificate data in the public certificate data tab.


Now Download the VPN Client

Extract the VPN Client and double click on the VPN client setup. In my case I am using 64bit vpn client

After that, we can see new connection under windows 10 VPN page.

Click on connect to VPN. Then it will open up this new window. Click on Connect in there.

Now you can see HubVnet is Connected.

Now Disconnect the VPN So we can check the deployed app service is running or not by browsing the app service URL in Browser.

Please Note: If you make any changes to Peering’s, Removed the existing VPN Client and Re download the VPN Client again and connect, since new changes come with the downloaded VPN Client XML.

Step 8 - Private Endpoint

Search App Service

And select the deployed App service

In Overview – Copy the URL

Paste the URL in the Web Browser and check the app service running or not.

Now you can see your app service is up and running

Now we need to secure the app service by private endpoint, so the app service is not accessible to public and it only access by privately.

Navigate to Networking in App Service,

Click Private endpoints

Click ADD

And select the below highlighted details,

Click OK

It will take 2 to 5min.

Now You can see connection state is Approved.

Also check from Networking Tab is show On.

Do Nslookup, then you will get the private IP and Name

Now click VNet integration under the Outbound Traffic.

Add VNet and Select the HUBVnet and click OK

Now you can see VNet Integrations status is On.

Step 9

Go to the Web App and copy the URL of the application, paste the URL, now we will receive an Error 403 – Forbidden page.

Now you can try the same as connecting the VPN Client. Then you will receive the WebApp service is up and running.

Please Note: If you receive 403 error code in the P2S client, Then add a Host Record and Try again. Then you will receive the WebApp service is up and running.

Host Record – You can see the assigned private IP in the private endpoint as

Add the Host record as below,


We learned how to deploy an Azure Webapp, set up a point-to-site VPN, set up VNet Peering with Gateway Transit, and configure a private endpoint in this tutorial. Please leave a comment in the comment box if you have any questions.

Similar Articles
IFS R&D International (Pvt) Ltd
IFS develops and delivers enterprise software for customers around the world