Virtual Private Networks (VPNs) may not be the first consideration when designing secure and robust systems. However, they serve important use cases in various industries.
At Steer73, a VPN solution was recently implemented in a client project inherited from a third-party company to address a few critical challenges.
The project involved a desktop application that connected directly to an Azure SQL database without an intermediary API layer. This application needed to function not only within the client’s internal network but also externally. Ensuring secure database access while allowing external usage posed a significant challenge.
Leaving the database open to the public internet was not an option, as it introduced severe security risks. A solution was required to restrict access while maintaining usability.
Evaluating alternative solutions
Since the client’s system was hosted on Azure, one potential approach was Azure Bastion. Azure Bastion provides secure RDP (Remote Desktop Protocol) and SSH (Secure Shell) access to virtual machines (VMs) without exposing them to the public internet. However, while effective for securing VM access, Bastion does not address database security. Exploring such solutions, even if designed for different challenges, can provide insights for innovative problem-solving.
A more direct approach could have involved whitelisting the IP addresses of devices requiring database access in the server-level firewall rules of the Azure SQL instance. For instance, if 10 users needed access, their IPs could have been whitelisted while all others were denied. However, this method had several drawbacks:
- The users’ IP addresses were not static, requiring frequent updates.
- Manually maintaining whitelisted IPs would have introduced operational overhead.
- Automating this process using Dynamic DNS (DDNS) was an option, where each user would have a personal hostname (e.g., user1.dynamicdnsprovider.com), and a DDNS client installed on their PC would update the record for that hostname whenever their IP address changed. A PowerShell runbook running on a schedule in an Azure Automation Account could then resolve each hostname and update the corresponding SQL server firewall rule.
While feasible, this approach introduced a single point of failure – the DDNS provider. Additionally, it required ongoing user support, as issues with DDNS clients or hostname resolution could disrupt access.
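The runbook sketched above, written out as an added example (it is not Steer73's own script). It assumes an Azure Automation Account whose system-assigned managed identity has been granted SQL Server Contributor on the server, the Az.Accounts and Az.Sql modules imported into the account, and the resource group, server name and DDNS hostnames shown, all of which are placeholders. The lookup failure branch is where the DDNS dependency described in the text bites: a hostname that stops resolving leaves that user's rule frozen on a stale address until someone intervenes.

```powershell
# Added example, not the project's code. All names below are assumed placeholders.
$ResourceGroup = 'rg-data'
$SqlServerName = 'sql-client-prod'        # logical server name, without .database.windows.net
$Users = @{                               # rule suffix -> personal DDNS hostname
    'user1' = 'user1.dynamicdnsprovider.com'
    'user2' = 'user2.dynamicdnsprovider.com'
}

# Authenticate as the Automation Account's managed identity (no stored secrets).
Connect-AzAccount -Identity | Out-Null

$existing = Get-AzSqlServerFirewallRule -ResourceGroupName $ResourceGroup -ServerName $SqlServerName

foreach ($entry in $Users.GetEnumerator()) {
    $ruleName = "ddns-$($entry.Key)"
    try {
        # Azure SQL server firewall rules are IPv4 only, so take the first A record.
        $ip = ([System.Net.Dns]::GetHostAddresses($entry.Value) |
               Where-Object AddressFamily -eq 'InterNetwork' |
               Select-Object -First 1).IPAddressToString
    } catch {
        # DDNS provider or client failure: keep whatever rule exists rather than
        # deleting it, and surface the problem for support to follow up.
        Write-Warning "DNS lookup failed for $($entry.Value): $_ (rule $ruleName left untouched)"
        continue
    }
    if (-not $ip) {
        Write-Warning "No IPv4 answer for $($entry.Value) (rule $ruleName left untouched)"
        continue
    }

    $rule = $existing | Where-Object FirewallRuleName -eq $ruleName
    if ($null -eq $rule) {
        New-AzSqlServerFirewallRule -ResourceGroupName $ResourceGroup -ServerName $SqlServerName `
            -FirewallRuleName $ruleName -StartIpAddress $ip -EndIpAddress $ip | Out-Null
        Write-Output "created $ruleName -> $ip"
    } elseif ($rule.StartIpAddress -ne $ip -or $rule.EndIpAddress -ne $ip) {
        # Single-address rule: start and end are always the same IP.
        Set-AzSqlServerFirewallRule -ResourceGroupName $ResourceGroup -ServerName $SqlServerName `
            -FirewallRuleName $ruleName -StartIpAddress $ip -EndIpAddress $ip | Out-Null
        Write-Output "updated $ruleName: $($rule.StartIpAddress) -> $ip"
    }
}

# Offboarding: remove ddns-* rules for users no longer in the list, so access
# does not linger on a forgotten address.
$wanted = $Users.Keys | ForEach-Object { "ddns-$_" }
$existing |
    Where-Object { $_.FirewallRuleName -like 'ddns-*' -and $_.FirewallRuleName -notin $wanted } |
    ForEach-Object {
        Remove-AzSqlServerFirewallRule -ResourceGroupName $ResourceGroup -ServerName $SqlServerName `
            -FirewallRuleName $_.FirewallRuleName -Force | Out-Null
        Write-Output "removed stale rule $($_.FirewallRuleName)"
    }
```

Scheduled every few minutes, this keeps the allow-list current for most of the day, but every user's access now depends on their DDNS client, the provider's resolvers and the runbook all working at once, which is the operational cost the text weighs against the VPN approach.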
Implementing a scalable VPN solution
To minimize maintenance and support requirements, a fully managed VPN solution was chosen. The VPN was designed to:
- Require no end-user interaction.
- Be centrally managed and deployed via Microsoft Intune.
- Scale to thousands of users.
- Provide per-device access revocation capabilities for security.
A Point-to-Site (P2S) VPN was selected, as it allowed each user’s PC to establish a secure connection to Azure. A Site-to-Site (S2S) VPN was not suitable because it would only secure traffic between the client’s internal network and Azure, leaving external users without access when working remotely.
To reduce support overhead, it was essential for the P2S VPN to authenticate and connect automatically, without requiring user input. This was achieved using certificate-based authentication, where each device was provisioned with a unique client certificate issued from a root certificate whose public key is registered on the Azure VPN gateway. Microsoft Intune was used to distribute both the client certificates and the VPN configuration, ensuring an automated deployment process.
A key security consideration was the ability to revoke access if a device became compromised. Because every device holds its own certificate, a single device can be blocked by adding that certificate's thumbprint to the revoked certificates list on the VPN gateway in the Azure portal, without touching the root certificate or any other device.
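The certificate lifecycle described in the two paragraphs above (root registration, per-device issuance, revocation by thumbprint), as an added PowerShell example that is not the project's own tooling. It assumes a Windows workstation with the PKI cmdlets and the Az.Network module, an existing P2S-enabled virtual network gateway, and the resource group, gateway and device names shown, all placeholders. Distribution of the resulting PFX through Intune is outside the snippet; it only produces the file an Intune imported-certificate profile would deliver.

```powershell
# Added example, not Steer73's code. Names below are assumed placeholders.
$ResourceGroup = 'rg-vpn'
$GatewayName   = 'vgw-p2s'

# 1. Self-signed root for the P2S gateway. Its private key never leaves this
#    machine; only the public part is uploaded to Azure.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject 'CN=P2SRootCert' -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' -KeyUsageProperty Sign -KeyUsage CertSign

# 2. Register the root on the gateway. PublicCertData is the DER certificate as a
#    single base64 string (the body of a .cer file without header or footer lines).
$rootPublicData = [Convert]::ToBase64String(
    $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
Add-AzVpnClientRootCertificate -VpnClientRootCertificateName 'P2SRootCert' `
    -VirtualNetworkGatewayName $GatewayName -ResourceGroupName $ResourceGroup `
    -PublicCertData $rootPublicData

# 3. One client certificate per device, chained to the root, with Client
#    Authentication EKU (1.3.6.1.5.5.7.3.2). The subject carries the device name
#    so the certificate can be located later for revocation.
function New-P2SClientCertificate {
    param([Parameter(Mandatory)][string]$DeviceName)
    New-SelfSignedCertificate -Type Custom -DnsName $DeviceName -KeySpec Signature `
        -Subject "CN=$DeviceName" -KeyExportPolicy Exportable `
        -HashAlgorithm sha256 -KeyLength 2048 `
        -CertStoreLocation 'Cert:\CurrentUser\My' `
        -Signer $root -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2')
}

$client = New-P2SClientCertificate -DeviceName 'LAPTOP-0001'
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $client -FilePath '.\LAPTOP-0001.pfx' -Password $pfxPassword | Out-Null
Write-Output "LAPTOP-0001 thumbprint: $($client.Thumbprint)"   # record this with the device

# 4. Revocation: block one device by its certificate thumbprint. The root and all
#    other devices keep working.
function Revoke-P2SDevice {
    param(
        [Parameter(Mandatory)][string]$DeviceName,
        [Parameter(Mandatory)][string]$Thumbprint
    )
    Add-AzVpnClientRevokedCertificate -VpnClientRevokedCertificateName $DeviceName `
        -VirtualNetworkGatewayName $GatewayName -ResourceGroupName $ResourceGroup `
        -Thumbprint $Thumbprint
}

Revoke-P2SDevice -DeviceName 'LAPTOP-0001' -Thumbprint $client.Thumbprint

# Verify the gateway now lists the revoked thumbprint.
Get-AzVpnClientRevokedCertificate -VirtualNetworkGatewayName $GatewayName -ResourceGroupName $ResourceGroup |
    Select-Object Name, Thumbprint
```

Keep the thumbprint-to-device mapping in an inventory at issuance time: revocation needs the thumbprint, and a lost or stolen laptop cannot be asked for it afterwards.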
Once connected to the VPN, devices could securely access resources within the virtual network. This approach not only secured database access but also provided additional benefits:
- Integration with other Azure services: The VPN allowed secure communication with other Azure-based resources such as Virtual Machines.
- Centralized access control: Since all traffic was routed through the VPN, access policies could be centrally managed in Azure, simplifying security administration.
- Private DNS zones: Users could resolve the names of internal resources to their private IP addresses via DNS queries, improving network flexibility while maintaining security. P2S clients only receive these answers when the VPN configuration points them at a DNS server reachable inside the virtual network (for example a DNS forwarder VM or Azure DNS Private Resolver), since they cannot query the Azure-provided resolver directly.
- Scalability for future growth: The VPN solution was designed to scale, allowing additional users and services to be securely integrated without significant reconfiguration.
Conclusion
Implementing a VPN solution for this business-critical system provided a scalable, low-maintenance and highly secure method for external database access. While alternative approaches like IP whitelisting and Dynamic DNS were considered, they introduced operational challenges and single points of failure. A P2S VPN with certificate-based authentication enabled easy access management, strong security controls and minimal user involvement. By leveraging Azure’s built-in security features, the solution effectively restricted unauthorised access while ensuring reliable connectivity for users.