DC1 VPN access #2299

Closed
4 of 5 tasks
helendduncan opened this issue Nov 18, 2024 · 7 comments
Labels
bug Problem when deploying a Data Safe Haven.

Comments

@helendduncan

helendduncan commented Nov 18, 2024

✅ Checklist

  • I have searched open and closed issues for duplicates.
  • This is a problem observed when managing a Data Safe Haven.
  • I can reproduce this with the latest version.
  • I have read through the documentation.
  • This isn't an open-ended question (open a discussion if it is).

💻 System information

  • Operating System:
  • Data Safe Haven version:

📦 Packages

List of packages
Paste list of packages here

🚫 Describe the problem

Can no longer connect to the VPN for DC1 access for Prod4 (docs 4.2.2 link) as the client certificate expired on 31/10/2024

🚂 Workarounds or solutions

Create a new self-signed certificate with the correct options (see Setup_SHM_Key_Vault_And_Emergency_Admin.ps1), replace the certificate in the key vault, then update the VPN gateway.

@helendduncan helendduncan added the bug Problem when deploying a Data Safe Haven. label Nov 18, 2024
@JimMadge
Member

Just to confirm, you were able to generate a new cert and use that?

This infrastructure isn't present in the latest versions so I think there is nothing to fix here.

@jemrobinson
Member

jemrobinson commented Nov 18, 2024

There isn't a standalone script to generate a new certificate. Minimal solution using existing scripts would be to:

  • delete the expired certificate in the key vault
  • delete the VPN gateway
  • run ./Setup_SHM_Key_Vault_And_Emergency_Admin.ps1 to generate a new certificate
  • run ./Setup_SHM_Networking.ps1 to deploy a new VPN gateway with the certificate

Minimal solution without using existing scripts is as @helendduncan suggests above.

@helendduncan
Author

> There isn't a standalone script to generate a new certificate. Minimal solution using existing scripts would be to:
>
>   • delete the expired certificate in the key vault
>   • delete the VPN gateway
>   • run ./Setup_SHM_Key_Vault_And_Emergency_Admin.ps1 to generate a new certificate
>   • run ./Setup_SHM_Networking.ps1 to deploy a new VPN gateway with the certificate
>
> Minimal solution without using existing scripts is as @helendduncan suggests above.

Failed to create virtual network gateway on final step.

Basic IP config not supported.

Link here

New-AzVirtualNetworkGateway: Basic IP configuration for VPN Virtual Network Gateways is not supported. Follow the link for more details :
https://go.microsoft.com/fwlink/p/?linkid=2241350
/subscriptions/4aea9c2f-9b6c-42e8-8b09-3594994fe238/resourceGroups/RG_SHM_PROD4_NETWORKING/providers/Microsoft.Network
/virtualNetworkGateways/VNET_SHM_PROD4_GW StatusCode: 400 ReasonPhrase: Bad Request ErrorCode:
PublicIpWithBasicSkuNotAllowedOnVPNGateways ErrorMessage: Basic IP configuration for VPN Virtual Network Gateways is
not supported. Follow the link for more details : https://go.microsoft.com/fwlink/p/?linkid=2241350
/subscriptions/4aea9c2f-9b6c-42e8-8b09-3594994fe238/resourceGroups/RG_SHM_PROD4_NETWORKING/providers/Microsoft.Network
/virtualNetworkGateways/VNET_SHM_PROD4_GW OperationID : e87607a9-8d7c-431c-ab5c-2d4406b9268a
2024-11-19 11:21:01 [FAILURE]: [x] Failed to create virtual network gateway 'VNET_SHM_PROD4_GW'!
Exception: Failed to create virtual network gateway 'VNET_SHM_PROD4_GW'!

@jemrobinson
Member

@craddm: I think you fixed the "Basic SKU" for IP addresses issue somewhere else? Is this in the latest v4 release? Can you follow up?

@helendduncan
Author

It's v4.2.2

@craddm
Contributor

craddm commented Nov 19, 2024

That's odd - it should have been fixed in 4.2.2, as of #1966

@helendduncan
Author

Fixed by deleting _GW_PIP as well as per @craddm's initial suggestion
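
An added example, not part of the thread and not code from the Data Safe Haven repository: a PowerShell pre-flight check for the two failures reported above, an expired certificate in the key vault and a Basic SKU public IP left in the networking resource group. The function names, the sample objects and the `<shm-key-vault>` placeholder are assumptions; the functions take plain objects so the block runs offline on the constructed samples.

```powershell
# Added example: offline-runnable checks for the two failures seen in this thread.
# Function names and sample objects are hypothetical, not Data Safe Haven code.

function Get-CertificateExpiryStatus {
    param(
        [Parameter(Mandatory)] [object[]] $Certificate,  # objects exposing Name and Expires
        [int] $WarnDays = 30,
        [datetime] $Now = [datetime]::UtcNow              # assumes Expires is reported in UTC
    )
    foreach ($cert in $Certificate) {
        if ($null -eq $cert.Expires) { $status = 'NoExpirySet' }
        elseif ($cert.Expires -le $Now) { $status = 'Expired' }
        elseif ($cert.Expires -le $Now.AddDays($WarnDays)) { $status = 'ExpiringSoon' }
        else { $status = 'Ok' }
        [pscustomobject]@{ Name = $cert.Name; Expires = $cert.Expires; Status = $status }
    }
}

function Get-BasicSkuPublicIp {
    # In the thread, gateway redeployment failed with
    # PublicIpWithBasicSkuNotAllowedOnVPNGateways until _GW_PIP was also deleted.
    param([Parameter(Mandatory)] [object[]] $PublicIp)   # objects exposing Name and Sku.Name
    $PublicIp | Where-Object { $_.Sku.Name -eq 'Basic' } | ForEach-Object { $_.Name }
}

# Constructed sample input (not real resources); dates mirror the thread's timeline.
$now = [datetime]'2024-11-19'
$certs = @(
    [pscustomobject]@{ Name = 'sample-vpn-client-cert'; Expires = [datetime]'2024-10-31' }
    [pscustomobject]@{ Name = 'sample-near-expiry';     Expires = [datetime]'2024-12-01' }
    [pscustomobject]@{ Name = 'sample-renewed-cert';    Expires = [datetime]'2025-11-19' }
)
$ips = @(
    [pscustomobject]@{ Name = 'SAMPLE_GW_PIP';  Sku = [pscustomobject]@{ Name = 'Basic' } }
    [pscustomobject]@{ Name = 'SAMPLE_NEW_PIP'; Sku = [pscustomobject]@{ Name = 'Standard' } }
)

Get-CertificateExpiryStatus -Certificate $certs -Now $now | Format-Table
Get-BasicSkuPublicIp -PublicIp $ips

# Live use needs the Az module and a signed-in session; '<shm-key-vault>' is a placeholder:
#   Get-CertificateExpiryStatus -Certificate (Get-AzKeyVaultCertificate -VaultName '<shm-key-vault>')
#   Get-BasicSkuPublicIp -PublicIp (Get-AzPublicIpAddress -ResourceGroupName 'RG_SHM_PROD4_NETWORKING')
```

Running the certificate check on a schedule surfaces the `ExpiringSoon` state before VPN access is lost, and running the public IP check before `./Setup_SHM_Networking.ps1` shows whether an old Basic SKU address still needs deleting.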
