Point-to-Site VPN vs Azure AD Application Proxy
In this blog post I will dive into the differences between a traditional Azure Point-to-Site VPN and the new, more modern approach of a reverse proxy, specifically the Azure AD Application Proxy.
Why Point-to-Site VPN is not ideal
Most Point-to-Site (P2S) VPN solutions are hard to manage and operate. So far, I have seen only a couple of companies that can manage the effort of operating such a solution, at the expense of a very expensive solution itself and highly trained administrators.
Often the end users of such P2S solutions are not very happy with them, since there is a lack of visibility into which applications or intranet solutions can be accessed through the VPN and which ones can't. In addition, users often complain about network outages, which force them to connect again, and about new versions of the VPN solution that need to be deployed on their end devices, which can be tablets, phones, laptops, etc.
Due to the nature of a VPN, the solution needs proper network access to the application. This results in the need for proper routing, possibly VLAN tagging, inbound connections, ACLs, etc., which is usually very time-consuming to configure and not very secure in historically grown flat networks.
Azure AD Application Proxy FTW
The Azure AD Application Proxy (AAD App Proxy) is completely different in nature. The connection is initiated outbound by a connector, a lightweight agent that sits on a Windows Server inside the on-premises network or your virtual datacenter in Azure, and it uses only ports 443/80 to do so. Therefore, inbound connections, and with them a firewall or appliance, are not needed.
The end user, however, browses the public website (https://myapps.microsoft.com) to access their apps. This website is secured by Azure AD, and the intranet apps can be found there. In addition, the intranet apps themselves can be configured to be secured by Azure AD as well. This leads to an easy integration of Multi-Factor Authentication and conditional access based on Azure AD, with a smooth management experience and much improved security!
Since the end-user interface is a proxy solution managed by Microsoft, the attack surface of the solution itself is reduced massively! Problems such as DDoS are no longer the admin team's problem; Microsoft has to take, and does take, measures against such attacks.
The only drawback so far is also a positive one: since the AAD App Proxy only supports web protocols (such as ports 80/443), the apps need to rely on those protocols to be published via the App Proxy. On the other hand, this reduces the attack surface as well, since other (insecure) protocols or network access are not available.
If you or your company still rely on annoying P2S solutions for your end users, give Azure AD Application Proxy a try for more modern and more secure access to intranet applications with less hassle.