Enable multi-auth support when both OpenVPN and IkeV2 protocols are used (#21347)

* Enable multi-auth support when both OpenVPN and IkeV2 protocols are used

* Fix indentation

Author: PeterfengAz

src/Network/Network.Test/ScenarioTests/CortexTests.ps1

@@ -832,6 +832,7 @@ function Test-CortexExpressRouteCRUD
     $VpnServerConfiguration1Name = Get-ResourceName
     $VpnServerConfiguration2Name = Get-ResourceName
     $VpnServerConfigurationMultiAuthName = Get-ResourceName
+    $VpnServerConfiguration2MultiAuthName = Get-ResourceName
     $P2SVpnGatewayName = Get-ResourceName
     $vpnclientAuthMethod = "EAPTLS"
 
@@ -964,11 +965,30 @@ function Test-CortexExpressRouteCRUD
 		$authenticationTypes = $vpnServerConfigMultiAuth.VpnAuthenticationTypes
 		Assert-AreEqual 2 @($authenticationTypes).Count
 
-		# List all VpnServerConfigurations under Resource group
+		# Create the VpnServerConfiguration2MultiAuth with OpenVPN & IkeV2 and only AAD auth should throw error
+		Assert-ThrowsContains { New-AzVpnServerConfiguration -Name $VpnServerConfiguration2MultiAuthName -ResourceGroupName $rgName -VpnProtocol OpenVPN, IkeV2 -VpnAuthenticationType AAD -AadAudience $aadAudience -AadTenant $aadTenant -AadIssuer $aadIssuer -Location $rglocation } "Since AAD is only supported for OpenVPN, please choose one additional auth type or choose only OpenVPN protocol";
+		# check no new server configuration got created
 		$vpnServerConfigs = Get-AzVpnServerConfiguration -ResourceGroupName $rgName
 		Assert-NotNull $vpnServerConfigs
 		Assert-AreEqual 3 @($vpnServerConfigs).Count
 
+		# Create the VpnServerConfiguration2MultiAuth with a valid configuration to be used for testing Set later
+		# VpnProtocol is OpenVPN and auth type is AAD
+		New-AzVpnServerConfiguration -Name $VpnServerConfiguration2MultiAuthName -ResourceGroupName $rgName -VpnProtocol OpenVPN -VpnAuthenticationType AAD -AadAudience $aadAudience -AadTenant $aadTenant -AadIssuer $aadIssuer -Location $rglocation
+		$vpnServerConfig2MultiAuth = Get-AzVpnServerConfiguration -ResourceGroupName $rgName -Name $VpnServerConfiguration2MultiAuthName
+		Assert-AreEqual "Succeeded" $vpnServerConfig2MultiAuth.ProvisioningState
+		Assert-AreEqual $aadAudience $vpnServerConfig2MultiAuth.AadAuthenticationParameters.AadAudience
+		Assert-AreEqual $aadTenant $vpnServerConfig2MultiAuth.AadAuthenticationParameters.AadTenant
+		Assert-AreEqual $aadIssuer $vpnServerConfig2MultiAuth.AadAuthenticationParameters.AadIssuer
+		$protocols = $vpnServerConfig2MultiAuth.VpnProtocols
+		Assert-AreEqual 1 @($protocols).Count
+		Assert-AreEqual "OpenVPN" $protocols[0]
+
+		# List all VpnServerConfigurations under Resource group
+		$vpnServerConfigs = Get-AzVpnServerConfiguration -ResourceGroupName $rgName
+		Assert-NotNull $vpnServerConfigs
+		Assert-AreEqual 4 @($vpnServerConfigs).Count
+
 		# Create a PolicyGroup2 Object
 		$policyGroup2= New-Object -TypeName Microsoft.Azure.Commands.Network.Models.PSVpnServerConfigurationPolicyGroup
 		$policyGroup2.Name = "PolicyGroup2"
@@ -1037,6 +1057,12 @@ function Test-CortexExpressRouteCRUD
 		$authenticationTypes = $vpnServerConfigMultiAuth.VpnAuthenticationTypes
 		Assert-AreEqual 3 @($authenticationTypes).Count
 
+		# Update existing VpnServerConfiguration2MultiAuth to use OpenVPN and IkeV2 with only AAD should fail
+		Assert-ThrowsContains { Update-AzVpnServerConfiguration -Name $VpnServerConfiguration2MultiAuthName -ResourceGroupName $rgName -VpnProtocol OpenVPN, IkeV2 } "Since AAD is only supported for OpenVPN, please choose one additional auth type or choose only OpenVPN protocol";
+		$protocols = $vpnServerConfig2MultiAuth.VpnProtocols
+		Assert-AreEqual 1 @($protocols).Count
+		Assert-AreEqual "OpenVPN" $protocols[0]
+
 		# Update existing P2SVpnGateway  with new VpnClientAddressPool and CustomDnsServers using Update-AzP2sVpnGateway
 		$vpnClientAddressSpaces[1] = "192.168.4.0/24"
 		$updatedP2SVpnGateway = Update-AzP2sVpnGateway -ResourceGroupName $rgName -Name $P2SvpnGatewayName -VpnClientAddressPool $vpnClientAddressSpaces -CustomDnsServer 9.9.9.9 -DisableInternetSecurityFlag
@@ -1083,6 +1109,10 @@ function Test-CortexExpressRouteCRUD
 		$delete = Remove-AzVpnServerConfiguration -ResourceGroupName $rgName -Name $VpnServerConfigurationMultiAuthName -Force -PassThru
 		Assert-AreEqual $True $delete
 
+		# Delete VpnServerConfiguration2MultiAuth
+		$delete = Remove-AzVpnServerConfiguration -ResourceGroupName $rgName -Name $VpnServerConfiguration2MultiAuthName -Force -PassThru
+		Assert-AreEqual $True $delete
+
 		$vpnServerConfigs = Get-AzVpnServerConfiguration -ResourceGroupName $rgName
 		Assert-NotNull $vpnServerConfigs
 		Assert-AreEqual 1 @($vpnServerConfigs).Count

src/Network/Network.Test/ScenarioTests/VirtualNetworkGatewayTests.cs

@@ -171,5 +171,13 @@ public void TestVirtualNetworkGatewayPolicyGroupCRUD()
         {
             TestRunner.RunTestScript("Test-VirtualNetworkGatewayPolicyGroupCRUD");
         }
+
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        [Trait(Category.Owner, NrpTeamAlias.brooklynft_subset2)]
+        public void TestVirtualNetworkGatewayMultiAuth()
+        {
+            TestRunner.RunTestScript("Test-VirtualNetworkGatewayMultiAuth");
+        }
     }
 }

src/Network/Network.Test/ScenarioTests/VirtualNetworkGatewayTests.ps1

@@ -1484,4 +1484,89 @@ param
         # Cleanup
         Clean-ResourceGroup $rgname
      }
+}
+
+<#
+.SYNOPSIS
+Virtual network gateway P2S multiauth test
+#>
+function Test-VirtualNetworkGatewayMultiAuth
+{
+    # Setup
+    $rgname = Get-ResourceGroupName
+    $rname = Get-ResourceName
+    $domainNameLabel = Get-ResourceName
+    $vnetName = Get-ResourceName
+    $publicIpName = Get-ResourceName
+    $vnetGatewayConfigName = Get-ResourceName
+    $rglocation = Get-ProviderLocation ResourceManagement
+    $resourceTypeParent = "Microsoft.Network/virtualNetworkGateways"
+    $location = Get-ProviderLocation $resourceTypeParent
+
+	try 
+	{
+		# Create the resource group
+		$resourceGroup = New-AzResourceGroup -Name $rgname -Location $rglocation -Tags @{ testtag = "testval" }
+	
+		# AAD authentication configurations
+		$aadTenant = "https://login.microsoftonline.com/0ab2c4f4-81e6-44cc-a0b2-b3a47a1443f4"
+		$aadIssuer = "https://sts.windows.net/0ab2c4f4-81e6-44cc-a0b2-b3a47a1443f4/"
+		$aadAudience = "a21fce82-76af-45e6-8583-a08cb3b956f9"
+
+		# Create the Virtual Network
+		$subnet = New-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix 10.0.0.0/24
+		$vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgname -Location $location -AddressPrefix 10.0.0.0/16 -Subnet $subnet
+		$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgname      
+		$subnet = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet
+
+		# Create the IP config
+		$publicip = New-AzPublicIpAddress -ResourceGroupName $rgname -name $publicIpName -location $location -AllocationMethod Dynamic -DomainNameLabel $domainNameLabel
+		$vnetIpConfig = New-AzVirtualNetworkGatewayIpConfig -Name $vnetGatewayConfigName -PublicIpAddress $publicip -Subnet $subnet
+        
+        	# Creating a P2S VPN gateway with AAD without OpenVPN protocol should throw error
+        	Assert-ThrowsContains { New-AzVirtualNetworkGateway -ResourceGroupName $rgname -name $rname -location $location -IpConfigurations $vnetIpConfig -GatewayType Vpn -VpnType RouteBased -VpnClientProtocol IkeV2 -EnableBgp $false -GatewaySku VpnGw1 -VpnClientAddressPool 201.169.0.0/16 -AadTenantUri $aadTenant -AadIssuerUri $aadIssuer -AadAudienceId $aadAudience } "Virtual Network Gateway VpnClientProtocol should contain";
+
+        	# Creating a P2S VPN gateway with OpenVPN & IkeV2 with AAD auth only should throw error message
+        	Assert-ThrowsContains { New-AzVirtualNetworkGateway -ResourceGroupName $rgname -name $rname -location $location -IpConfigurations $vnetIpConfig -GatewayType Vpn -VpnType RouteBased -VpnClientProtocol "OpenVPN", "IkeV2" -EnableBgp $false -GatewaySku VpnGw1 -VpnClientAddressPool 201.169.0.0/16 -AadTenantUri $aadTenant -AadIssuerUri $aadIssuer -AadAudienceId $aadAudience } "Since AAD is only supported for OpenVPN, please choose one additional auth type or choose only OpenVPN protocol";
+
+        	# Create a P2S VPN gateway with OpenVPN & AAD to be used to test Set-AzVirtualNetworkGateway
+		New-AzVirtualNetworkGateway -ResourceGroupName $rgname -name $rname -location $location -IpConfigurations $vnetIpConfig -GatewayType Vpn -VpnType RouteBased -VpnClientProtocol OpenVPN -EnableBgp $false -GatewaySku VpnGw1 -VpnClientAddressPool 201.169.0.0/16 -AadTenantUri $aadTenant -AadIssuerUri $aadIssuer -AadAudienceId $aadAudience
+		$actual = Get-AzVirtualNetworkGateway -ResourceGroupName $rgname -name $rname
+		$protocols = $actual.VpnClientConfiguration.VpnClientProtocols
+		Assert-AreEqual 1 @($protocols).Count
+		Assert-AreEqual "OpenVPN" $protocols[0]
+		Assert-AreEqual "201.169.0.0/16" $actual.VpnClientConfiguration.VpnClientAddressPool.AddressPrefixes
+		Assert-AreEqual $aadTenant $actual.VpnClientConfiguration.AadTenant
+		Assert-AreEqual $aadIssuer $actual.VpnClientConfiguration.AadIssuer
+		Assert-AreEqual $aadAudience $actual.VpnClientConfiguration.AadAudience
+
+		# Set an existing P2S VPN gateway to use AAD without OpenVPN should throw error
+		Assert-ThrowsContains { Set-AzVirtualNetworkGateway -VirtualNetworkGateway $actual -VpnClientProtocol IkeV2 -AadAudience $aadAudience -AadTenant $aadTenant -AadIssuer $aadIssuer } "Virtual Network Gateway VpnClientProtocol should contain";
+        	# Check gateway protocol was not updated
+        	$actual = Get-AzVirtualNetworkGateway -ResourceGroupName $rgname -name $rname
+		$protocols = $actual.VpnClientConfiguration.VpnClientProtocols
+		Assert-AreEqual 1 @($protocols).Count
+		Assert-AreEqual "OpenVPN" $protocols[0]
+		Assert-AreEqual "201.169.0.0/16" $actual.VpnClientConfiguration.VpnClientAddressPool.AddressPrefixes
+		Assert-AreEqual $aadTenant $actual.VpnClientConfiguration.AadTenant
+		Assert-AreEqual $aadIssuer $actual.VpnClientConfiguration.AadIssuer
+		Assert-AreEqual $aadAudience $actual.VpnClientConfiguration.AadAudience
+
+		# Set an existing P2S VPN gateway to use OpenVPN & IkeV2 with AAD auth only should throw error message
+		Assert-ThrowsContains { Set-AzVirtualNetworkGateway -VirtualNetworkGateway $actual -VpnClientProtocol "OpenVPN", "IkeV2" } "Since AAD is only supported for OpenVPN, please choose one additional auth type or choose only OpenVPN protocol";
+        	# Check gateway protocol was not updated
+        	$actual = Get-AzVirtualNetworkGateway -ResourceGroupName $rgname -name $rname
+		$protocols = $actual.VpnClientConfiguration.VpnClientProtocols
+		Assert-AreEqual 1 @($protocols).Count
+		Assert-AreEqual "OpenVPN" $protocols[0]
+		Assert-AreEqual "201.169.0.0/16" $actual.VpnClientConfiguration.VpnClientAddressPool.AddressPrefixes
+		Assert-AreEqual $aadTenant $actual.VpnClientConfiguration.AadTenant
+		Assert-AreEqual $aadIssuer $actual.VpnClientConfiguration.AadIssuer
+		Assert-AreEqual $aadAudience $actual.VpnClientConfiguration.AadAudience
+	}
+	finally
+    {
+		# Cleanup
+        Clean-ResourceGroup $rgname
+    }
 }

src/Network/Network.Test/SessionRecords/Commands.Network.Test.ScenarioTests.CortexTests/TestP2SCortexCRUD.json

@@ -30,6 +30,7 @@
 * Updated `Reset-AzVpnGateway` to support IpConfigurationId.
 * Blocked some regions when creating/updating Basic Sku firewall
 * Fixed bugs related to auto learn IP prefixes and Snat
+* Updated multi-auth to be supported when both OpenVPN and IkeV2 protocols are used for VNG and VWAN VPN
 
 ## Version 5.5.0
 * Updated cmdlets to add new property of `Snat` in Azure Firewall Policy.

src/Network/Network.Test/SessionRecords/Commands.Network.Test.ScenarioTests.VirtualNetworkGatewayTests/TestVirtualNetworkGatewayMultiAuth.json

@@ -162,6 +162,32 @@ public override void Execute()
                 throw new PSArgumentException(string.Format(Properties.Resources.ResourceAlreadyPresentInResourceGroup, this.Name, this.ResourceGroupName));
             }
 
+            if (this.VpnAuthenticationType != null)
+            {
+                if (this.VpnAuthenticationType.Contains(MNM.VpnAuthenticationType.AAD))
+                {
+                    if ((this.VpnProtocol == null) ||
+                        (this.VpnProtocol != null &&
+                        this.VpnProtocol.Contains(MNM.VpnClientProtocol.IkeV2) &&
+                        this.VpnProtocol.Contains(MNM.VpnClientProtocol.OpenVPN) &&
+                        this.VpnProtocol.Count() == 2))
+                    {
+                        // In the case of multi-auth with OpenVPN and IkeV2, block user from configuring with just AAD since AAD is not supported for IkeV2
+                        if (this.VpnAuthenticationType.Count() == 1)
+                        {
+                            throw new ArgumentException(Properties.Resources.VpnMultiAuthIkev2OpenvpnOnlyAad);
+                        }
+                        else if (this.VpnAuthenticationType.Count() > 1)
+                        {
+                            if (!ShouldContinue(Properties.Resources.VpnMultiAuthIkev2OpenvpnAadWarning, Properties.Resources.ConfirmMessage))
+                            {
+                                return;
+                            }
+                        }
+                    }
+                }
+            }
+
             vpnServerConfigurationToCreate = this.CreateVpnServerConfigurationObject(
                 vpnServerConfigurationToCreate,
                 this.VpnProtocol,

src/Network/Network/ChangeLog.md

@@ -458,6 +458,25 @@ public override void Execute()
                     {
                         vpnServerConfigurationToUpdate.AadAuthenticationParameters.AadIssuer = this.AadIssuer;
                     }
+
+                    if (vpnServerConfigurationToUpdate.VpnProtocols != null &&
+                        vpnServerConfigurationToUpdate.VpnProtocols.Contains(MNM.VpnClientProtocol.IkeV2) &&
+                        vpnServerConfigurationToUpdate.VpnProtocols.Contains(MNM.VpnClientProtocol.OpenVPN) &&
+                        vpnServerConfigurationToUpdate.VpnProtocols.Count() == 2)
+                    {
+                        // In the case of multi-auth with OpenVPN and IkeV2, block user from configuring with just AAD since AAD is not supported for IkeV2
+                        if (vpnServerConfigurationToUpdate.VpnAuthenticationTypes.Count() == 1)
+                        {
+                            throw new ArgumentException(Properties.Resources.VpnMultiAuthIkev2OpenvpnOnlyAad);
+                        } 
+                        else if (vpnServerConfigurationToUpdate.VpnAuthenticationTypes.Count() > 1)
+                        {
+                            if (!ShouldContinue(Properties.Resources.VpnMultiAuthIkev2OpenvpnAadWarning, Properties.Resources.ConfirmMessage))
+                            {
+                                return;
+                            }
+                        }
+                    }
                 }
                 else
                 {

src/Network/Network/Cortex/VpnServerConfiguration/NewAzureRmVpnServerConfigurationCommand.cs

@@ -765,4 +765,13 @@
   <data name="InvalidVnetLocalRouteOverrideCriteriaValue" xml:space="preserve">
     <value>Permitted values for VnetLocalRouteOverrideCriteria are Equal and Contains.</value>
   </data>
+  <data name="VpnMultiAuthIkev2OpenvpnAadWarning" xml:space="preserve">
+    <value>Warning: VpnClientProtocol being configured are: OpenVPN, IkeV2. AAD is one of the auth types configured. Since AAD is only supported for OpenVPN, it will only be used for OpenVPN.</value>
+  </data>
+  <data name="VpnMultiAuthIkev2OpenvpnOnlyAad" xml:space="preserve">
+    <value>VpnClientProtocol being configured are : OpenVPN, IkeV2. VpnAuthenticationType being configured is AAD. Since AAD is only supported for OpenVPN, please choose one additional auth type or choose only OpenVPN protocol.</value>
+  </data>
+  <data name="ConfirmMessage" xml:space="preserve">
+    <value>Confirm</value>
+  </data>
 </root>