\n\nThis page has been machine-translated from the original page.
\n
The other day I wrote this article about building a honeypot on Azure. From both an access-control and security perspective, it seemed better to connect to the honeypot over a VPN, so I used Azure Virtual Network Gateway to configure a P2S VPN connection to the virtual network.
\nWhile I was at it, I also thought it might be nice to use a server on AzureVM as a cloud proxy for extra security (a shallow thought, admittedly), so I built a proxy server on the Azure virtual network that I connect to over VPN.
\n\nFirst, create a virtual network.
\nThis time, I created a virtual network with 172.16.0.0/20 and created a subnet in it for virtual machines.
Next, I created a virtual network gateway.
\nAt this point, the address range configured for the gateway subnet must be both within the virtual network’s address space and not overlap with any existing subnet in that virtual network.
\nIf you check the certificate store on Windows, you will see the following two certificates registered.
\nFrom these, export a .cer file from the root certificate named P2SRootCert.
Right-click the root certificate, choose Export, and proceed by selecting Base64 Encode~.
Export it with settings like the following.
\nFor reference, my network security group looked like this.
\nI also opened the port for the proxy that I set up afterward.
\nSince Source is set to VirtualNetwork, it should reject connections over the global IP and only accept connections from terminals connected to the Azure virtual network over P2S VPN.
Because the connection also requires a client certificate corresponding to the registered root certificate, it feels pretty secure.
\nFinally, I wanted to turn the AzureVM into a proxy by setting up Squid on it.
\nThe machine is running Ubuntu 20.04.
\nFirst, update the machine.
\nsudo apt update && sudo apt upgrade -y\nsudo apt install git make vim -yNext, install Squid and edit the configuration file.
\nsudo apt install squid -y\nsudo cp /etc/squid/squid.conf /etc/squid/squid.conf.origin\nsudo vim /etc/squid/squid.confThis time I only wanted a minimal setup, so I changed the two entries http_port and http_access.
# Squid normally listens to port 3128\nhttp_port <VM private IP>:3128\n\nacl vGateways src <virtual network gateway IP range>\nhttp_access allow vGatewaysBy specifying http_port as <VM private IP>:3128, you can configure it to accept traffic only on a port bound to that specific interface.
Also, by setting the virtual network gateway IP range in http_access, only traffic coming over the VPN can use the proxy.
That is enough for the minimal configuration, so start Squid.
\nsudo systemctl enable squid\nsudo systemctl restart squidOn the Windows machine configured with the VPN, configure the server on AzureVM as a proxy.
\nWhen you access any site, if the source address changes to the global IP address assigned to the AzureVM, you are done.
\nReference: Access Information [Check Your Current IP Address]
\nThis time I set it up in the Japan East region, but if you follow the same steps and use a machine in an overseas region as the proxy, you might be able to connect using a foreign IP address as well.
\nThe steps are simple, so this is pretty useful.
","fields":{"slug":"/azure-vpn-setup-en","tagSlugs":["/tag/security-en/","/tag/azure-en/","/tag/備忘録/","/tag/english/"]},"frontmatter":{"date":"2022-03-04","description":"","tags":["Security (en)","Azure (en)","備忘録","English"],"title":"Notes on connecting to Azure over VPN with a virtual network gateway and building a cloud-proxy-like environment","socialImage":{"publicURL":"/static/8bdcaa17f32134944fca438991248aac/azure-vpn-setup.png"}}}},"pageContext":{"slug":"/azure-vpn-setup-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}