alan-turing-institute/data-safe-haven

DC1 VPN access

Closed this issue · 7 comments

✅ Checklist

  • I have searched open and closed issues for duplicates.
  • This is a problem observed when managing a Data Safe Haven.
  • I can reproduce this with the latest version.
  • I have read through the documentation.
  • This isn't an open-ended question (open a discussion if it is).

💻 System information

  • Operating System:
  • Data Safe Haven version:

📦 Packages


🚫 Describe the problem

Can no longer connect to the VPN for DC1 access for Prod4 (docs 4.2.2 link) as the client certificate expired on 31/10/2024.

🚂 Workarounds or solutions

Create a new self-signed certificate with the correct options (see Setup_SHM_Key_Vault_And_Emergency_Admin.ps1), replace the certificate in the key vault, then update the VPN gateway.

Just to confirm, you were able to generate a new cert and use that?

This infrastructure isn't present in the latest versions so I think there is nothing to fix here.

There isn't a standalone script to generate a new certificate. Minimal solution using existing scripts would be to:

  • delete the expired certificate in the key vault
  • delete the VPN gateway
  • run ./Setup_SHM_Key_Vault_And_Emergency_Admin.ps1 to generate a new certificate
  • run ./Setup_SHM_Networking.ps1 to deploy a new VPN gateway with the certificate

Minimal solution without using existing scripts is as @helendduncan suggests above.
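An added example (not code from the Data Safe Haven repository or its contributors) of the in-place rotation described above: generate a new self-signed point-to-site root certificate, store it as a new version of the existing Key Vault certificate, and swap it onto the running gateway instead of deleting and redeploying. It assumes the Az PowerShell module, Windows PowerShell's PKI module (for New-SelfSignedCertificate) and an active Connect-AzAccount session. The key vault and certificate names are placeholders; the gateway and resource group names are the ones that appear in the error output later in this thread. The certificate options are the ones Microsoft documents for P2S root certificates, not copied from Setup_SHM_Key_Vault_And_Emergency_Admin.ps1.

```powershell
# Added example, not part of the Data Safe Haven repository.
# Rotates an expired P2S VPN root certificate without deleting the gateway.
# Assumes: Az module installed, Connect-AzAccount already done for the SHM
# subscription, Windows PKI module available. Names are placeholders unless
# noted as coming from the thread.
param(
    [string]$KeyVaultName      = "<shm-key-vault-name>",     # placeholder
    [string]$CertName          = "shm-vpn-root-certificate", # placeholder
    [string]$GatewayName       = "VNET_SHM_PROD4_GW",         # from the thread
    [string]$ResourceGroupName = "RG_SHM_PROD4_NETWORKING",   # from the thread
    [int]$ValidityYears        = 1
)

# 1. New self-signed root with the key usage Azure P2S requires:
#    a signature key that is allowed to sign certificates (CertSign).
$cert = New-SelfSignedCertificate `
    -Type Custom -KeySpec Signature `
    -Subject "CN=$CertName" `
    -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyUsageProperty Sign -KeyUsage CertSign `
    -NotAfter (Get-Date).AddYears($ValidityYears)

# 2. Put the new certificate (with private key) into Key Vault. Importing under
#    the existing name creates a new version, so the expired one stays in the
#    version history rather than being destroyed.
$pfxPath     = Join-Path $env:TEMP "$CertName.pfx"
$pfxPassword = ConvertTo-SecureString -String ([guid]::NewGuid().ToString()) -AsPlainText -Force
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null
Import-AzKeyVaultCertificate -VaultName $KeyVaultName -Name $CertName `
    -FilePath $pfxPath -Password $pfxPassword | Out-Null
Remove-Item $pfxPath   # do not leave the private key lying on disk

# 3. Replace the root certificate on the gateway. Azure expects the base64 DER
#    body of the public certificate only (no PEM header/footer, no private key).
$publicCertData = [Convert]::ToBase64String($cert.RawData)

Get-AzVpnClientRootCertificate -VirtualNetworkGatewayName $GatewayName -ResourceGroupName $ResourceGroupName |
    ForEach-Object {
        # Remove the expired root(s); clients chained to them stop validating.
        Remove-AzVpnClientRootCertificate -VpnClientRootCertificateName $_.Name `
            -VirtualNetworkGatewayName $GatewayName -ResourceGroupName $ResourceGroupName `
            -PublicCertData $_.PublicCertData | Out-Null
    }
Add-AzVpnClientRootCertificate -VpnClientRootCertificateName $CertName `
    -VirtualNetworkGatewayName $GatewayName -ResourceGroupName $ResourceGroupName `
    -PublicCertData $publicCertData | Out-Null

# 4. Show what the gateway now trusts and when the new root expires, so the
#    next rotation can be scheduled before the cutover date.
Get-AzVpnClientRootCertificate -VirtualNetworkGatewayName $GatewayName -ResourceGroupName $ResourceGroupName |
    Select-Object Name, ProvisioningState
"New root thumbprint $($cert.Thumbprint), valid until $($cert.NotAfter)"
```

Client certificates issued from the old root stop working as soon as it is removed from the gateway, so issue fresh ones from the new root (New-SelfSignedCertificate with -Signer $cert) and redistribute the VPN client profiles; the gateway update itself takes several minutes to provision.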


Failed to create virtual network gateway on final step.

Basic IP config not supported.

Link here

New-AzVirtualNetworkGateway: Basic IP configuration for VPN Virtual Network Gateways is not supported. Follow the link for more details : https://go.microsoft.com/fwlink/p/?linkid=2241350 /subscriptions/4aea9c2f-9b6c-42e8-8b09-3594994fe238/resourceGroups/RG_SHM_PROD4_NETWORKING/providers/Microsoft.Network/virtualNetworkGateways/VNET_SHM_PROD4_GW StatusCode: 400 ReasonPhrase: Bad Request ErrorCode: PublicIpWithBasicSkuNotAllowedOnVPNGateways ErrorMessage: Basic IP configuration for VPN Virtual Network Gateways is not supported. Follow the link for more details : https://go.microsoft.com/fwlink/p/?linkid=2241350 /subscriptions/4aea9c2f-9b6c-42e8-8b09-3594994fe238/resourceGroups/RG_SHM_PROD4_NETWORKING/providers/Microsoft.Network/virtualNetworkGateways/VNET_SHM_PROD4_GW OperationID : e87607a9-8d7c-431c-ab5c-2d4406b9268a
2024-11-19 11:21:01 [FAILURE]: [x] Failed to create virtual network gateway 'VNET_SHM_PROD4_GW'!
Exception: Failed to create virtual network gateway 'VNET_SHM_PROD4_GW'!

@craddm: I think you fixed the "Basic SKU" for IP addresses issue somewhere else? Is this in the latest v4 release? Can you follow up?

It's v4.2.2.

That's odd - it should have been fixed in 4.2.2, as of #1966

Fixed by deleting _GW_PIP as well, as per @craddm's initial suggestion.
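An added pre-flight check (not code from the Data Safe Haven repository) for the second failure in this thread: the redeploy reused the old gateway public IP, which was Basic SKU, and Azure rejects that with ErrorCode PublicIpWithBasicSkuNotAllowedOnVPNGateways. A public IP's SKU cannot be changed in place, which is why deleting _GW_PIP fixed it. The script assumes the Az module and an active Connect-AzAccount session, and assumes the public IP is named after the gateway with a "_GW_PIP" suffix, as the last comment implies; the resource group and gateway names are the ones in the error output above.

```powershell
# Added example, not part of the Data Safe Haven repository.
# Checks the SKU of the gateway public IP before Setup_SHM_Networking.ps1 is
# re-run, and optionally recreates it as Standard SKU. Assumes Az module and
# Connect-AzAccount. Public IP name is an assumption based on "_GW_PIP" above.
param(
    [string]$ResourceGroupName = "RG_SHM_PROD4_NETWORKING",  # from the thread
    [string]$GatewayName       = "VNET_SHM_PROD4_GW",        # from the thread
    [string]$PublicIpName      = "VNET_SHM_PROD4_GW_PIP",    # assumed naming
    [switch]$Replace                                          # opt in to delete/recreate
)

$pip = Get-AzPublicIpAddress -Name $PublicIpName -ResourceGroupName $ResourceGroupName -ErrorAction SilentlyContinue
if (-not $pip) {
    "No public IP '$PublicIpName' found; the networking script will create a new one."
    return
}
"Existing public IP '$PublicIpName': SKU=$($pip.Sku.Name), allocation=$($pip.PublicIpAllocationMethod), address=$($pip.IpAddress)"

if ($pip.Sku.Name -eq "Standard") {
    "SKU is Standard; safe to reuse for the VPN gateway."
    return
}

if (-not $Replace) {
    "Basic SKU detected: New-AzVirtualNetworkGateway will fail with PublicIpWithBasicSkuNotAllowedOnVPNGateways."
    "Re-run with -Replace after the old gateway has been deleted."
    return
}

# A public IP that is still attached to a gateway cannot be deleted, so the
# gateway has to go first (the procedure in this thread deletes it anyway).
$gw = Get-AzVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroupName -ErrorAction SilentlyContinue
if ($gw) {
    throw "Gateway '$GatewayName' still exists and holds '$PublicIpName'; delete the gateway before the IP."
}

Remove-AzPublicIpAddress -Name $PublicIpName -ResourceGroupName $ResourceGroupName -Force
# Standard SKU requires static allocation; the new IP will get a different address.
New-AzPublicIpAddress -Name $PublicIpName -ResourceGroupName $ResourceGroupName `
    -Location $pip.Location -Sku Standard -AllocationMethod Static | Out-Null
"Recreated '$PublicIpName' as Standard SKU with static allocation; re-run the networking script."
```

Because the recreated IP has a new address, any VPN client profiles downloaded for the old gateway point at a dead endpoint and must be re-downloaded after the gateway is redeployed.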