Technical Lab: Specify Azure Requirements for Always On VPN
Questions
Question 1 - Multiple Choice
A network team is planning the deployment of Always On VPN to allow corporate Windows 11 devices to automatically connect to Azure infrastructure. During planning, a discussion arises about the two available tunnel types and their responsibilities.
Which statement correctly describes the functional difference between Device Tunnel and User Tunnel?
A) Device Tunnel is established after user authentication and allows access to corporate resources; User Tunnel is established before logon and allows communication with domain controllers.
B) Device Tunnel is established before Windows logon and allows communication with domain controllers and management infrastructure; User Tunnel is established after user authentication and allows access to corporate resources.
C) Both tunnels are established simultaneously at logon time, but Device Tunnel uses certificate authentication and User Tunnel uses exclusively password authentication.
D) Device Tunnel requires Microsoft Entra ID as the identity provider; User Tunnel requires on-premises Active Directory as the identity provider.
Question 2 - Technical Scenario
An organization wants to implement Always On VPN with certificate-based authentication. The administrator configured the VPN profile via Intune and the VPN gateway in Azure, but devices cannot automatically establish the tunnel after logon. When analyzing client logs, the following error is recorded:
Error 13806: IKE failed to find a valid machine certificate.
The machine certificate exists in the device's local repository. What is the most likely cause of the problem?
A) The IKEv2 protocol is not compatible with machine certificate authentication in Always On VPN; SSTP must be used.
B) The machine certificate does not have the correct Extended Key Usage (EKU) for client authentication, or the certificate chain is not trusted by the VPN gateway.
C) The VPN profile was distributed via Intune, which prevents certificate authentication; the profile must be distributed manually via PowerShell.
D) The error indicates that the device is not domain-joined, which is a mandatory condition for any type of authentication in Always On VPN.
Question 3 - True or False
Statement: In Always On VPN deployed with a gateway in Azure, Device Tunnel can be configured on Windows 10 or Windows 11 devices that are only Microsoft Entra ID joined (Entra-joined), without requiring on-premises Active Directory domain join (domain-joined).
True or False?
Question 4 - Technical Scenario
A company is designing the Always On VPN solution in Azure and needs to define the type of VPN gateway to use. The requirements gathered are:
- Support for IKEv2 and SSTP connections simultaneously
- High availability with guaranteed uptime SLA
- Support for at least 1,000 simultaneous P2S connections
- Ability to scale connections as the company grows
The architect proposes using a VPN Gateway with Basic SKU. What is the problem with this choice?
A) The Basic SKU does not support the IKEv2 protocol, only SSTP, which prevents connectivity from macOS and Linux devices.
B) The Basic SKU carries only a reduced (99.9%) SLA with no active-active or zone-redundant option, does not support IKEv2 for P2S, is limited to 128 P2S connections, and cannot be resized to a higher SKU without recreating the gateway.
C) The Basic SKU supports IKEv2 and SSTP, but limits P2S connections to 500, insufficient for the requirement of 1,000 connections.
D) The Basic SKU is adequate for the technical requirements, but does not support integration with Microsoft Entra ID for user authentication in Always On VPN.
Question 5 - Multiple Choice
When designing Always On VPN in Azure, the administrator needs to choose the authentication method for the User Tunnel. The organization has identities managed in Microsoft Entra ID and wants to avoid dependence on internal PKI infrastructure for issuing user certificates.
Which authentication method meets this requirement?
A) Authentication by certificate issued by internal CA (Enterprise CA), as it is the only method compatible with User Tunnel in Azure VPN Gateway.
B) Microsoft Entra ID authentication (Azure AD authentication), which allows users to authenticate with Entra ID credentials without needing user certificates issued by internal PKI.
C) RADIUS authentication integrated with Microsoft Entra ID via proxy, being the only method that eliminates the need for internal PKI in User Tunnel.
D) Authentication by self-signed certificate generated by Azure VPN Gateway itself, automatically distributed via Intune.
Answer Key and Explanations
Answer Key - Question 1
Answer: B
The Device Tunnel is established before interactive Windows logon, using machine authentication (a computer certificate). It exists so that the device can reach domain controllers, DNS and management systems before anyone logs in. Without it, a remote domain-joined device cannot apply computer Group Policy, and a user whose credentials are not already cached on the device cannot complete a Kerberos logon.
The User Tunnel is established after the user authenticates and is the channel through which the user reaches corporate resources such as file servers, internal applications and other services. Because the two tunnels serve different purposes, their reachability should differ as well: the Device Tunnel is normally restricted to domain controllers and management infrastructure, while the User Tunnel carries the routes the user actually needs.
The main conceptual error in the distractors is reversing the responsibilities of the two tunnels (alternative A) or claiming that both come up at the same moment and that the User Tunnel is limited to password authentication (alternative C). Alternative D is incorrect because neither tunnel is tied to a specific identity provider: the Device Tunnel authenticates with a machine certificate, and the User Tunnel can use certificates, Microsoft Entra ID or RADIUS depending on how the gateway is configured.
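The split described above is visible in the two VPNv2 CSP ProfileXML documents a Windows client receives. The following is an added example (not part of the original lab or of any Microsoft sample): it builds a Device Tunnel profile and a User Tunnel profile and writes both through the MDM_VPNv2_01 WMI bridge, which is what Intune or a management agent does under the hood. The gateway FQDN, the domain name corp.example.com, the address ranges and the profile names are placeholders; the script assumes it runs as SYSTEM (the context a device tunnel must be created in) and generates the user tunnel's EAP-TLS block with New-EapConfiguration.

```powershell
# Added example, not from the original lab. Placeholders: gateway FQDN, corp.example.com,
# 10.0.0.0/8 (corporate range) and 10.10.0.0/24 (domain controllers / management).
$GatewayFqdn = 'azuregateway-00000000-0000-0000-0000-000000000000-0000000000ab.vpn.azure.com'

# Device tunnel: machine certificate, IKEv2, comes up before logon. Only the DC/management
# subnet is routed, so pre-logon reachability is limited to what the device itself needs.
$DeviceTunnelXml = @"
<VPNProfile>
  <DeviceTunnel>true</DeviceTunnel>
  <AlwaysOn>true</AlwaysOn>
  <TrustedNetworkDetection>corp.example.com</TrustedNetworkDetection>
  <NativeProfile>
    <Servers>$GatewayFqdn</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <MachineMethod>Certificate</MachineMethod>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <Route><Address>10.10.0.0</Address><PrefixSize>24</PrefixSize></Route>
</VPNProfile>
"@

# User tunnel: EAP-TLS with the user's certificate, IKEv2, comes up after logon and carries
# the user's access to the rest of the corporate range. DocumentElement drops the XML declaration
# so the EAP block can be nested inside <Configuration>.
$EapXml = (New-EapConfiguration -Tls).EapConfigXmlStream.DocumentElement.OuterXml
$UserTunnelXml = @"
<VPNProfile>
  <AlwaysOn>true</AlwaysOn>
  <RememberCredentials>true</RememberCredentials>
  <TrustedNetworkDetection>corp.example.com</TrustedNetworkDetection>
  <NativeProfile>
    <Servers>$GatewayFqdn</Servers>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <UserMethod>Eap</UserMethod>
      <Eap><Configuration>$EapXml</Configuration></Eap>
    </Authentication>
    <RoutingPolicyType>SplitTunnel</RoutingPolicyType>
    <DisableClassBasedDefaultRoute>true</DisableClassBasedDefaultRoute>
  </NativeProfile>
  <Route><Address>10.0.0.0</Address><PrefixSize>8</PrefixSize></Route>
</VPNProfile>
"@

function Install-VpnProfileXml {
    # Writes a ProfileXML into the VPNv2 CSP via the WMI-to-CSP bridge (root\cimv2\mdm\dmmap).
    param(
        [Parameter(Mandatory)][string]$ProfileName,
        [Parameter(Mandatory)][string]$ProfileXml,
        [string]$UserSid   # supply when writing a user tunnel from the SYSTEM context
    )
    $namespace  = 'root\cimv2\mdm\dmmap'
    $className  = 'MDM_VPNv2_01'
    $instanceId = $ProfileName -replace ' ', '%20'
    # The CSP expects the profile body XML-escaped inside the ProfileXML property.
    $escapedXml = $ProfileXml -replace '<', '&lt;' -replace '>', '&gt;' -replace '"', '&quot;'

    $session = New-CimSession
    $options = New-Object Microsoft.Management.Infrastructure.Options.CimOperationOptions
    if ($UserSid) {
        # Target the logged-on user's CSP context instead of the device context.
        $options.SetCustomOption('PolicyPlatformContext_PrincipalContext_Type', 'PolicyPlatform_UserContext', $false)
        $options.SetCustomOption('PolicyPlatformContext_PrincipalContext_Id', $UserSid, $false)
    }
    # Replace an existing profile with the same name so the script can be re-run safely.
    foreach ($old in $session.EnumerateInstances($namespace, $className, $options)) {
        if ($old.CimInstanceProperties['InstanceID'].Value -eq $instanceId) {
            $session.DeleteInstance($namespace, $old, $options) | Out-Null
        }
    }
    $instance = New-Object Microsoft.Management.Infrastructure.CimInstance $className, $namespace
    $instance.CimInstanceProperties.Add([Microsoft.Management.Infrastructure.CimProperty]::Create('ParentID', './Vendor/MSFT/VPNv2', 'String', 'Key'))
    $instance.CimInstanceProperties.Add([Microsoft.Management.Infrastructure.CimProperty]::Create('InstanceID', $instanceId, 'String', 'Key'))
    $instance.CimInstanceProperties.Add([Microsoft.Management.Infrastructure.CimProperty]::Create('ProfileXML', $escapedXml, 'String', 'Property'))
    $session.CreateInstance($namespace, $instance, $options) | Out-Null
    $session.Close()
}

# Device tunnel goes into the device (SYSTEM) context.
Install-VpnProfileXml -ProfileName 'AOVPN Device Tunnel' -ProfileXml $DeviceTunnelXml

# User tunnel goes into the logged-on user's context; resolve that user's SID when running as SYSTEM.
$userName = (Get-CimInstance Win32_ComputerSystem).UserName
$userSid  = ([System.Security.Principal.NTAccount]$userName).Translate([System.Security.Principal.SecurityIdentifier]).Value
Install-VpnProfileXml -ProfileName 'AOVPN User Tunnel' -ProfileXml $UserTunnelXml -UserSid $userSid
```

Two design points worth noticing: the Device Tunnel has no user credential and no broad route, which keeps the pre-logon attack surface to the hosts a machine genuinely needs, and both profiles carry TrustedNetworkDetection so neither tunnel is brought up while the device is already on the corporate network.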
Answer Key - Question 2
Answer: B
The error IKE failed to find a valid machine certificate (13806) is raised by the client's IKEv2 negotiation when it cannot select a usable machine certificate. Presence in a store is not enough. The certificate must sit in the Local Computer Personal (My) store with its private key available, must be within its validity period, must carry the Client Authentication EKU (OID 1.3.6.1.5.5.7.3.2), and must chain to a root that the client trusts and that has been uploaded to the gateway's point-to-site configuration.
Of the two causes named in alternative B, a wrong or missing EKU (and, in practice, a certificate sitting in the user store or lacking its private key) is what produces 13806 on the client. A chain the gateway does not trust is rejected later in the exchange and usually surfaces as a different error (13801, IKE authentication credentials are unacceptable), so the chain has to be checked on both ends, not only on the client.
Alternative A is wrong because IKEv2 is the recommended protocol and fully supports certificate authentication. Alternative C is a misconception about Intune, which distributes exactly this kind of certificate-authenticated profile. Alternative D is incorrect because on-premises domain join is not a universal condition for authentication in Always On VPN, and the error is certificate-specific, not related to domain membership.
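A practical way to confirm which of those conditions fails is to evaluate every certificate in the Local Computer Personal store against them. The following diagnostic is an added example (not part of the original lab): it checks store location, private key, validity period, Client Authentication EKU and chain building, and compares the chain's root against the thumbprint(s) of the root certificate(s) uploaded to the gateway. The $GatewayRootThumbprints value is a placeholder; in a real environment take it from the gateway's VpnClientRootCertificates.

```powershell
# Added diagnostic for error 13806, not from the original lab.
# $GatewayRootThumbprints is a placeholder; populate it from
# (Get-AzVirtualNetworkGateway ...).VpnClientConfiguration.VpnClientRootCertificates.
$ClientAuthEku          = '1.3.6.1.5.5.7.3.2'
$GatewayRootThumbprints = @('0000000000000000000000000000000000000000')

function Test-AovpnMachineCertificate {
    # Returns one object per certificate in Cert:\LocalMachine\My with each IKEv2 selection
    # criterion evaluated separately, plus a combined Usable flag.
    param([string[]]$TrustedRootThumbprints = $GatewayRootThumbprints)
    $now = Get-Date
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        # EKU check: a certificate without Client Authentication is never picked for IKEv2.
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasClientAuth = $false
        foreach ($oid in $ekuExt.EnhancedKeyUsages) {
            if ($oid.Value -eq $ClientAuthEku) { $hasClientAuth = $true }
        }

        # Chain check on the client side. Revocation is skipped here because this is an offline
        # triage step; the gateway performs its own validation against the uploaded root.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $chainBuilds = $chain.Build($cert)
        $root   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $status = ($chain.ChainStatus | ForEach-Object Status) -join ','
        $chain.Dispose()

        $result = [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            HasPrivateKey  = $cert.HasPrivateKey
            ClientAuthEku  = $hasClientAuth
            TimeValid      = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
            ChainBuilds    = $chainBuilds
            ChainStatus    = $status
            RootThumbprint = $root.Thumbprint
            RootOnGateway  = ($TrustedRootThumbprints -contains $root.Thumbprint)
        }
        $usable = $result.HasPrivateKey -and $result.ClientAuthEku -and $result.TimeValid -and
                  $result.ChainBuilds -and $result.RootOnGateway
        $result | Add-Member -NotePropertyName Usable -NotePropertyValue $usable -PassThru
    }
}

$report = Test-AovpnMachineCertificate
$report | Format-Table Subject, HasPrivateKey, ClientAuthEku, TimeValid, ChainBuilds, RootOnGateway, Usable -AutoSize
if (-not ($report | Where-Object Usable)) {
    Write-Warning 'No certificate in LocalMachine\My satisfies IKEv2 machine-certificate selection; expect error 13806.'
}
```

Read the columns left to right: a certificate that fails HasPrivateKey, ClientAuthEku or TimeValid explains a client-side 13806 on its own; one that passes those but fails RootOnGateway points at the gateway's point-to-site root configuration, which is the case that tends to surface as 13801 rather than 13806. To obtain the gateway-side thumbprints, decode each PublicCertData value from the gateway with [Convert]::FromBase64String and load it into an X509Certificate2.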
Answer Key - Question 3
Answer: False
The Device Tunnel requires the device to be joined to an on-premises Active Directory domain (domain-joined). Devices that are only Entra-joined (without on-premises domain join) do not support the Device Tunnel, since this tunnel type relies on machine authentication with a certificate issued by the organization's PKI and on pre-logon communication with domain controllers; its whole purpose (computer Group Policy, Kerberos logon without cached credentials) only applies to a domain member.
This is a critical decision point in solution design: organizations with exclusively Entra-joined devices need to adopt alternative remote access approaches, such as User Tunnel with Entra ID authentication or solutions like Microsoft Entra Private Access.
Answer Key - Question 4
Answer: B
The Basic SKU of Azure VPN Gateway has limitations that make it unsuitable for corporate Always On VPN scenarios:
| Characteristic | Basic SKU | Higher SKUs (VpnGw1 to VpnGw5) |
|---|---|---|
| IKEv2 / OpenVPN support (P2S) | No (SSTP only) | Yes |
| P2S connection limit | 128 | 250 (VpnGw1) to 10,000 (VpnGw5) for IKEv2/OpenVPN; SSTP stays capped at 128 on every SKU |
| Uptime SLA | 99.9%, no active-active or zone-redundant deployment | 99.95%, active-active supported (zone-redundant with the AZ SKUs) |
| Migration to another SKU | Requires recreating the gateway | In-place resize within the family |
The combination of no IKEv2 for P2S, a ceiling of 128 connections, no active-active or zone-redundant option and no in-place resize rules out the Basic SKU for this requirement set. Note that even on the higher SKUs the 1,000-connection figure applies to IKEv2/OpenVPN; SSTP is limited to 128 connections everywhere, so it is the IKEv2 path that satisfies the capacity requirement. Alternative A isolates one true fact (no IKEv2) but ignores the connection limit, the HA and resize constraints, and understates the impact: Windows Always On VPN itself needs IKEv2 for the Device Tunnel. Alternative C is wrong on the number (Basic supports 128, not 500). Alternative D is wrong in its first clause, since Basic is not adequate; its second clause happens to be true, but for a different reason than the one usually assumed: Microsoft Entra ID authentication requires the OpenVPN tunnel type, which Basic does not offer, rather than IKEv2.
Answer Key - Question 5
Answer: B
Azure VPN Gateway supports Microsoft Entra ID authentication for P2S (Point-to-Site) connections, which is how the User Tunnel of Always On VPN can be authenticated without user certificates. This method requires the OpenVPN tunnel type and the Azure VPN Client, and is therefore not available on the Basic SKU. Users authenticate with their Entra ID credentials, so no internal PKI is needed for issuing user certificates. Two caveats apply: SSTP and OpenVPN cannot be enabled on the same gateway, and Entra ID authentication covers only the User Tunnel; a Device Tunnel still authenticates with a machine certificate, so an organization that wants both still operates a PKI for machine certificates.
Alternative A is incorrect because certificate authentication is not the only method available for the User Tunnel. Alternative C describes RADIUS, which is technically possible but adds infrastructure and does not by itself remove the need for certificates or passwords at the EAP layer, so it is not the direct route to Entra ID. Alternative D describes something the gateway does not do: Azure VPN Gateway neither generates client certificates nor distributes them through Intune. In the certificate model the customer uploads a root certificate and issues client certificates from its own PKI (or, for lab use, generates self-signed ones with its own tooling).
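The design decisions in Questions 4 and 5 (gateway SKU and protocols for capacity and resilience, then Entra ID authentication for the User Tunnel) translate into a short Az.Network deployment. The following is an added example, not part of the original lab or of Microsoft's documentation: resource group, region, VNet, address pool, root CA path and tenant ID are placeholders, it assumes Connect-AzAccount has already run, and the audience value is the documented Azure Public identifier of the Azure VPN enterprise application.

```powershell
# Added example, not from the original lab. Requires the Az.Network module and Connect-AzAccount.
$rg       = 'rg-aovpn'          # placeholder
$location = 'westeurope'        # placeholder
$gwName   = 'vgw-aovpn'         # placeholder
$tenantId = '00000000-0000-0000-0000-000000000000'   # placeholder Entra tenant ID

# --- Question 4: SKU and protocols.
# Basic is SSTP-only for P2S, capped at 128 connections and cannot be resized in place.
# VpnGw3 (Generation 2) supports IKEv2 and SSTP together, 1,000 IKEv2 P2S connections and the
# 99.95% SLA, and can later be resized to VpnGw4/VpnGw5 without recreating the gateway.
# SSTP remains capped at 128 connections on every SKU, so IKEv2 is the path that scales.
$vnet   = Get-AzVirtualNetwork -Name 'vnet-hub' -ResourceGroupName $rg
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$pip    = New-AzPublicIpAddress -Name "$gwName-pip" -ResourceGroupName $rg -Location $location `
              -AllocationMethod Static -Sku Standard
$ipcfg  = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconf' -SubnetId $subnet.Id -PublicIpAddressId $pip.Id

# Root CA that issued the machine (Device Tunnel) and user (User Tunnel) certificates.
# Only the public CA certificate is uploaded; its private key never leaves the PKI.
$rootCa   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new('C:\pki\corp-root-ca.cer')  # placeholder path
$rootCert = New-AzVpnClientRootCertificate -Name 'CorpRootCA' `
              -PublicCertData ([Convert]::ToBase64String($rootCa.Export('Cert')))

$gw = New-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg -Location $location `
        -IpConfigurations $ipcfg -GatewayType Vpn -VpnType RouteBased `
        -GatewaySku VpnGw3 -VpnGatewayGeneration Generation2 `
        -VpnClientAddressPool '172.16.201.0/24' `
        -VpnClientProtocol @('IkeV2', 'SSTP') `
        -VpnClientRootCertificates $rootCert

# Later growth is an in-place resize (impossible from Basic):
#   Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -GatewaySku VpnGw4

# --- Question 5: Entra ID authentication for the User Tunnel.
# Entra ID authentication needs the OpenVPN tunnel type and the Azure VPN Client. OpenVPN cannot
# coexist with SSTP, so the protocol set becomes IKEv2 + OpenVPN: IKEv2 with certificates keeps
# serving the Device Tunnel, OpenVPN with Entra ID serves the User Tunnel.
$gw = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg
$aadAudience = '41b23e61-6c1e-4545-b367-cd054e0ed4b4'   # Azure VPN app, Azure Public cloud
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw `
    -VpnClientProtocol @('IkeV2', 'OpenVPN') `
    -VpnAuthenticationType @('Certificate', 'AAD') `
    -AadTenantId "https://login.microsoftonline.com/$tenantId/" `
    -AadAudience $aadAudience `
    -AadIssuer "https://sts.windows.net/$tenantId/"
```

The second step deliberately keeps certificate authentication enabled alongside Entra ID: dropping it would break the Device Tunnel, which has no user to sign in. If the Question 4 requirement for SSTP is firm, the Entra ID option has to be weighed against it, because a single gateway cannot offer both SSTP and OpenVPN.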