Step-by-Step – How To Get and Export The Azure VPN Connection Pre-Shared Key?


Azure provides the ability to configure pre-shared key (PSK) authentication for VPN connections through its Virtual Network Gateway. This allows you to establish a secure connection between your on-premises network and your Azure Virtual Network.

In this article, we will show you how to get and export the Azure VPN connection Pre-Shared Key (PSK), so you can easily retrieve the key if you forgot to store it.

Introduction

When you plan to set up an Azure Virtual Private Network (VPN) connection, the configuration usually involves several steps. The basic steps to set up a VPN connection in Azure include:

1) Create a virtual network (VNet) to enable communication between your Azure resources and your on-premises network.

2) Once you have created a VNet, you need to create a gateway subnet named GatewaySubnet. This subnet is used to deploy the virtual network gateway, which enables the VPN connection. The gateway subnet must be /27 or larger (/27, /26, /24, etc.).

3) Next, you need to create the virtual network gateway. You need to specify the gateway type (VPN), the VPN type (Site-to-Site), and the SKU (Basic, Standard, or High Performance) when creating the gateway.

4) After creating the virtual network gateway, you must configure the connection. You need to specify the local network gateway (which represents your on-premises VPN device) and the shared key (used for authentication) when configuring the connection.

Azure Connection | Shared Key (PSK)

5) Once the virtual network gateway and the connection are configured in Azure, you must configure your on-premises VPN device to establish the VPN connection with Azure. The configuration of the on-premises VPN device depends, of course, on the device you are using.

6) And finally, you should verify that the VPN connection is working correctly by testing the connectivity between your on-premises network and your Azure resources.

All of these aforementioned steps can be configured using the Azure portal, Azure PowerShell, Azure CLI, ARM templates, Bicep, or with Terraform.

Learn More: Designing and Implementing Azure Networking solutions.

Azure Connection Pre-Shared Key

Azure Connection Pre-Shared Key is a type of authentication method used to establish a secure connection between two endpoints in an Azure Virtual Network. It is commonly used to authenticate a Virtual Private Network (VPN) connection between an on-premises network and an Azure Virtual Network.

The pre-shared key is a pre-configured passphrase or string of characters shared between the connection’s two endpoints. Both endpoints use the same key to authenticate each other and establish a secure connection. This method of authentication is also known as symmetric key authentication.

When you create the Azure VPN connection, you need to set the Pre-Shared Key. The value must match the value that you’re using for your local on-premises VPN device. It can be a mixture of letters and numbers, for example ‘VPN123’, but you should use something more complex. It’s important that the value you specify here is the same value that you specify when configuring your VPN device.

Set Azure connection Pre-Shared Key

As you noticed, the Shared key page does not show the value in clear text; it is displayed as a secured string. So, once the connection is created, you cannot retrieve it from the Shared key page, where the value is always masked.

Now, suppose you forget to store the Pre-Shared key in a secured location, and you want to replace your on-premises device and reconfigure the VPN connection. What would you do?

You can, of course, set a new shared key on the Azure side and use it on the new device, but if you still want to use the old key, you can easily export it.

Export The Azure VPN Connection Pre-Shared Key

Now, to export the Azure Connection Pre-Shared Key, you have a couple of options:

Note: The steps below do NOT apply to Azure US Government tenants (https://portal.azure.us). They apply to Azure Commercial tenants.

Export Template

First, you can go to the connection resource, then from the left menu, under Automation, select Export template. The export template feature takes the current state of a resource and generates a template to deploy it. Exporting a template can be a helpful way of quickly getting the JSON you need to deploy a resource.

As you noticed in the message below, the shared key cannot be exported yet and is not included in the template.

Microsoft.Network/Connections/Sharedkey

However, what you could do is search using (Ctrl+F) and type “SharedKey” as shown in the figure below, and you will see the Pre-Shared key in clear text. We have blur-boxed the value for obvious reasons.

Export Microsoft Network Connections Shared key

You could also use the Azure Resource Explorer at https://resources.azure.com/ to discover the Azure API.

Once you launch the Azure Resource Explorer, select the desired subscription, and resource group, then select providers (Microsoft.Network), click on connections, and then select the desired connection name.

Next, search for the “SharedKey” as shown in the figure below and copy the value to your clipboard.

Export Shared Key with Azure Resource Explorer

Azure REST API

The other option is to use the Azure REST API to get the VirtualNetworkGatewayConnectionSharedKey as follows:

GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/connections/{virtualNetworkGatewayConnectionName}/sharedkey?api-version=2022-09-01

You can try it by using the following link and signing in with your Azure account, assuming you have the right permissions. You will get a response with status code 200, and the pre-shared key value is displayed in the body, as shown in the figure below. We have blur-boxed the value for obvious reasons.

Get Shared Key – Virtual Network Gateway Connections
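
As an added example (not from the original article or from Microsoft's documentation), the Python below fills in the URL template shown above and audits the returned key without printing it, so a weak value such as the 'VPN123' example gets flagged for rotation. The `value` field name in the response body, the 32-character minimum and the sample bodies are assumptions made for illustration.

```python
import hmac
import json
import math
import string
import urllib.request

API_VERSION = "2022-09-01"  # api-version from the request shown on this page

def shared_key_url(subscription_id, resource_group, connection_name):
    """Fill in the Get Shared Key URL template shown above."""
    return ("https://management.azure.com"
            f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Network/connections/{connection_name}"
            f"/sharedkey?api-version={API_VERSION}")

def fetch_shared_key_body(url, bearer_token):
    """Send the GET with a management-API bearer token; return the JSON body."""
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {bearer_token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")

def audit_psk(body, min_length=32):
    """Report on a retrieved PSK without echoing the key itself."""
    psk = json.loads(body)["value"]  # assumed response shape: {"value": "..."}
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    # Alphabet size implied by the character classes that actually occur.
    pool = sum(len(cls) for cls in classes if any(ch in cls for ch in psk))
    # Upper bound: only holds if every character was chosen at random.
    bits = round(len(psk) * math.log2(pool), 1) if pool else 0.0
    return {"length": len(psk), "estimated_bits": bits,
            "weak": len(psk) < min_length}  # min_length: assumed policy value

def matches_device_key(body, device_key):
    """Constant-time check that the on-premises device holds the same key."""
    psk = json.loads(body)["value"]
    return hmac.compare_digest(psk.encode("utf-8"), device_key.encode("utf-8"))

# Constructed response bodies, not real keys. The first uses the page's
# 'VPN123' example value; the second is a made-up 32-character string.
SAMPLE_WEAK = '{"value": "VPN123"}'
SAMPLE_STRONG = '{"value": "q7Rk2ZxLm9TfWc4HnVb8JdYs3PgA6eUu"}'

if __name__ == "__main__":
    print(shared_key_url("<subscriptionId>", "<resourceGroupName>", "<name>"))
    for sample in (SAMPLE_WEAK, SAMPLE_STRONG):
        print(audit_psk(sample))
    print(matches_device_key(SAMPLE_WEAK, "VPN123"))
```

`fetch_shared_key_body` is the only function that touches the network; pass its result to `audit_psk` or `matches_device_key` so the key never has to be written to a terminal or a log.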

Download VPN Configuration

The third option is to navigate to the Virtual Network Gateway resource for which you want to obtain the pre-shared key.

Select the “Connections” tab, which is located under the “Settings” section, then click on the specific connection for which you want to obtain the pre-shared key.

On the connection “Overview” page, click on “Download configuration” as shown in the figure below.

Download VPN configuration

Choose the appropriate device vendor, device family, and firmware version of the device you want to connect to Azure. Then click on the “Download configuration” button to create the configuration file.

Generate Azure VPN configuration file

After the file is generated, download it to your local device. Open the configuration file in your favorite text editor and look for the “Pre-shared key” section as shown in the figure below. Copy the pre-shared key value to your clipboard.

Pre-shared key

That’s it, there you have it! With these easy steps, you have successfully obtained and exported the pre-shared key for your Azure connection.

Summary

In this article, we showed you how to get and export the Azure connection pre-shared key (PSK), so you can easily retrieve the key if you forgot to store it and you need to replace and reconfigure your on-premises device.

Using pre-shared key authentication provides a simple and straightforward method for establishing a secure connection between two endpoints. It does not require any additional authentication servers or certificates. However, it is important to ensure that the shared key is kept secure and not shared with unauthorized parties.


Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-


2 thoughts on “Step-by-Step – How To Get and Export The Azure VPN Connection Pre-Shared Key?”


  1. Hello Al, thanks for the comment and feedback!
    I will clarify this point for Azure Gov tenants.
