Skip to content

Azure VPN Gateway Pre-Shared Key

Service Name: Azure VPN Gateway

Service Description: Azure VPN Gateway is a service that enables you to establish secure, cross-premises connectivity between your virtual network and on-premises networks. It provides site-to-site VPN connections using IPsec/IKE protocols and pre-shared keys for authentication.

Service Address: https://portal.azure.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the network security group level to control traffic to and from the VPN gateway.

Secret Access Scope: Grants authentication access to establish secure VPN tunnels between Azure virtual networks and on-premises networks.

Secret Revokement URL: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-portal#change-the-vpn-gateway-pre-shared-key

Secret Example: aZ9Q4bX7cY2dE5fG8hJ1kL3mN6pR9sT0

Suspicious Activity Investigation Instructions:

  • Review Azure Activity Logs for unusual configuration changes to VPN gateways
  • Check for unauthorized connection attempts in VPN gateway diagnostic logs
  • Monitor for unexpected traffic patterns through the VPN tunnel
  • Verify if there are any recent changes to network security groups associated with the VPN gateway
  • Examine Azure Security Center alerts related to network security

Mitigation Instructions:

  • Immediately rotate the pre-shared key in the Azure portal
  • Navigate to Virtual Network Gateway > Connections > Select the connection >

Shared key > Update

  • Update the corresponding pre-shared key on the on-premises VPN device
  • Consider implementing Azure Private Link for more secure connectivity if

applicable

  • Enable Azure DDoS Protection Standard for the virtual network containing the

VPN gateway

  • Implement Just-In-Time access for management of VPN gateway

configurations

  • Review and tighten network security group rules associated with the VPN

gateway