Connect Devices to Networks with Point to Site VPN Connections
Introduction
Guide to configuring Azure point-to-site VPNs, comparing protocols and authentication methods, and outlining the high-level setup and client provisioning steps.
Welcome to this lesson on connecting devices to networks using point-to-site (P2S) VPN connections. Azure point-to-site (P2S) VPNs are the recommended approach when individual users, such as remote employees, contractors, or developers, need secure access to resources inside an Azure virtual network without configuring a full site-to-site VPN between networks. A P2S connection lets a single device establish an encrypted VPN tunnel over the internet to your Azure VNets, enforcing the same network controls and route policies you configure in Azure. In this lesson we will:
- Understand what point-to-site connections are and when to choose them.
- Compare the supported VPN protocols and authentication methods for P2S.
- Walk through the high-level configuration workflow to enable P2S in Azure.
When it comes to protocols, Azure P2S supports OpenVPN, SSTP, and IKEv2. For authentication you can use certificate-based authentication, Microsoft Entra ID (Azure AD), or a RADIUS server (for integration with existing identity systems). Below is a compact reference comparing the protocols and authentication options and when to use each.
| Protocol | Typical use case | Client support / notes |
|---|---|---|
| OpenVPN | Cross-platform compatibility, flexible ports (TCP/UDP), good for non-Windows clients or restrictive networks | Works on Windows, macOS, Linux, iOS, Android. Can traverse restrictive outbound ports if configured on TCP/443. See OpenVPN for client options. |
| SSTP | Windows-native option when other protocols are blocked | Built into Windows clients; uses SSL/TLS over TCP 443 so it easily traverses strict firewalls but is limited to Windows platforms. |
| IKEv2 | Strong performance and native mobile support | Native on many mobile and desktop OSes (iOS, macOS, some Android builds). Good for mobile scenarios with strong reconnection behavior. |

| Authentication method | Description | Pros | Cons |
|---|---|---|---|
| Certificate-based | Clients authenticate with user/device certificates derived from a trusted root certificate you upload | Strong security, no external identity provider required, works offline | Certificate lifecycle management and distribution required |
| Microsoft Entra ID (Azure AD) | Integrates Azure identity (user-based auth) for P2S connections | User-based authentication with existing Azure identities | Requires Entra ID configuration and supported clients |
| RADIUS | Delegates authentication to on-prem or cloud RADIUS servers (LDAP, AD integration) | Works with existing enterprise auth systems and MFA appliances | Requires RADIUS server availability and network access from gateway |
In later sections of this article we will step through the configuration workflow at a high level and provide practical notes for each step. Typical P2S setup steps include:
1. Create and configure the virtual network and gateway subnet.
2. Deploy an Azure VPN gateway (select an appropriate gateway SKU that supports P2S).
3. Enable point-to-site configuration on the gateway and define the address pool for clients.
4. Choose and configure an authentication method:
   - Certificate auth: generate and upload the root certificate and client certificates.
   - Microsoft Entra ID: register and configure the Entra app and permissions.
   - RADIUS: configure the gateway to reach your RADIUS server and validate access.
5. Generate and provision client VPN profiles / VPN client installers to users.
6. Test connectivity, verify routes, and monitor the gateway using Azure Monitor and logs.
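The workflow above, carried through end to end for the certificate-authentication path, as an added example that is not part of the original lesson and not Microsoft's own sample code. It generates the root and client certificates with OpenSSL (the root's public data is what you upload to the gateway), checks that the client certificate chains to the root and carries the Client Authentication EKU, and then prints the Azure CLI commands for steps 1 to 5 as a dry run; set P2S_APPLY=1 to actually execute them against a subscription you are logged in to. The resource group, VNet, gateway and IP names, the address ranges, the certificate subjects and the PKCS#12 password are constructed placeholders; the script assumes `openssl` and, for a real run, `az` are installed.

```shell
#!/bin/sh
# Added example (not from the lesson): certificate material for P2S
# certificate auth plus a dry-run plan of the Azure CLI commands.
# All names, address ranges and subjects below are constructed placeholders.
set -eu

RG="${RG:-p2s-demo-rg}"            # hypothetical resource group
VNET="${VNET:-p2s-vnet}"           # hypothetical VNet name
PIP="${PIP:-p2s-gw-pip}"           # hypothetical public IP name
GW="${GW:-p2s-gw}"                 # hypothetical gateway name
LOCATION="${LOCATION:-westeurope}"
P12_PASS="${P12_PASS:-change-me}"  # protects the exported client bundle

# Step 4 (certificate auth): a private root plus one client cert signed by it.
# The gateway trusts any client cert that chains to the uploaded root.
make_p2s_certs() {
  dir="$1"
  mkdir -p "$dir"
  openssl genrsa -out "$dir/root.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$dir/root.key" -sha256 -days 3650 \
    -subj "/CN=P2SRootCert" -out "$dir/root.pem"
  openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
  openssl req -new -key "$dir/client.key" -subj "/CN=P2SChildCert" -out "$dir/client.csr"
  # The VPN client presents this cert in EAP-TLS, so it needs the clientAuth EKU.
  printf 'extendedKeyUsage=clientAuth\n' > "$dir/client.ext"
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/client.ext" -out "$dir/client.pem"
  # Key + cert + chain bundle to install on the user's device (root.key stays offline).
  openssl pkcs12 -export -in "$dir/client.pem" -inkey "$dir/client.key" \
    -certfile "$dir/root.pem" -passout "pass:$P12_PASS" -out "$dir/client.pfx"
}

# Azure wants the root's DER bytes base64-encoded on a single line, without PEM headers.
root_public_data() {
  openssl x509 -in "$1/root.pem" -outform DER | openssl base64 -A
}

# Step 6 style check before handing out a bundle: chains to the root and has the EKU.
verify_client_cert() {
  openssl verify -CAfile "$1/root.pem" "$1/client.pem" >/dev/null 2>&1 &&
  openssl x509 -in "$1/client.pem" -noout -text | grep -q 'TLS Web Client Authentication'
}

# Print the command unless P2S_APPLY=1, so the plan can be reviewed first.
run() {
  if [ "${P2S_APPLY:-0}" = 1 ]; then "$@"; else printf 'DRY-RUN: %s\n' "$*"; fi
}

p2s_plan() {
  root_b64="$1"
  # Step 1: VNet plus the gateway subnet; Azure requires the name "GatewaySubnet".
  run az network vnet create -g "$RG" -n "$VNET" -l "$LOCATION" \
    --address-prefix 10.1.0.0/16 --subnet-name workload --subnet-prefix 10.1.0.0/24
  run az network vnet subnet create -g "$RG" --vnet-name "$VNET" -n GatewaySubnet \
    --address-prefixes 10.1.255.0/27
  # Steps 2-3: VpnGw1 or higher (the Basic SKU offers only SSTP for P2S); the
  # client pool must not overlap the VNet or any on-premises range.
  # For Entra ID use --vpn-auth-type AAD with --aad-tenant/--aad-issuer/--aad-audience;
  # for RADIUS use --vpn-auth-type Radius with --radius-server/--radius-secret.
  run az network public-ip create -g "$RG" -n "$PIP" --sku Standard --allocation-method Static
  run az network vnet-gateway create -g "$RG" -n "$GW" --vnet "$VNET" --public-ip-address "$PIP" \
    --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1 \
    --address-prefixes 172.16.201.0/24 --client-protocol OpenVPN IkeV2 --vpn-auth-type Certificate
  # Step 4: upload only the root's public data; the root private key never leaves your CA host.
  run az network vnet-gateway root-cert create -g "$RG" --gateway-name "$GW" -n P2SRootCert \
    --public-cert-data "$root_b64"
  # Step 5: build the client profile package (EAP-TLS = certificate auth) for users.
  run az network vnet-gateway vpn-client generate -g "$RG" -n "$GW" --authentication-method EAPTLS
}

# Usage: generate certs in a temp dir, validate them, then show (or apply) the plan.
workdir="$(mktemp -d)"
make_p2s_certs "$workdir"
verify_client_cert "$workdir"
ROOT_B64="$(root_public_data "$workdir")"
p2s_plan "$ROOT_B64"
echo "certificates written to $workdir (distribute client.pfx only; keep root.key offline)"
```

The dry-run wrapper is deliberate: the gateway deployment takes a long time and is hard to undo, so reviewing the plan (SKU, client pool, protocols, auth type) before applying is the habit worth building. Revoking a single user is done by uploading that client certificate's thumbprint as a revoked cert on the gateway rather than by rotating the root.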
For step-by-step deployment examples and client configuration downloads, see the Azure documentation linked below.
Point-to-site is best for individual device connectivity. For always-on connectivity between entire networks (for example, between two offices), site-to-site VPNs or ExpressRoute are more appropriate.