[Az.Network] Add support for certificate based authentication connections on Vpn Gateway (#28642)

Author: brandonv191

src/Network/Network.Test/ScenarioTests/Data/VpnGatewayAuthCert.cer

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/TCCAeWgAwIBAgIQHWaON77uI45Gb0Ei98299TANBgkqhkiG9w0BAQsFADAW
+MRQwEgYDVQQDDAtWUE5Sb290Q0EwMTAgFw0yNTEwMDIxNjExNDZaGA8yMjI1MTAw
+MjE2MjEzOFowFjEUMBIGA1UEAwwLVlBOUm9vdENBMDEwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQC4eU6WOksIAz1FtfW2LuEsVC0Yiaf7eQtTcFLm8YSC
+mwhkOJ1Jj25mNoMxhgPPwq35kELq4roSeizGqIQl4rCYRwyj0RtlM1DjF3QfxMe9
+OYLMNiOMf8cIWu17cRuGbiHMJrAdDBSSZ9lTeqd1NZ5XgCmw4evXkoY934IBdtuP
+DfqpVy7iqx3aU/sGXvGJER3KDcTD6NRopbW7VyGRCxXbMTt1l+bwWGFNElsgnNxn
+B/6Ic1ftKYsCB1XL2/yg9iiewTonH6HQnfg9uc09mwJhyTDFaQ3r6ss+AkexbCqQ
+mn7l+mPGwJQoV3BbMJItgsuWD2+h4Mux2mxGILg7LzcVAgMBAAGjRTBDMA4GA1Ud
+DwEB/wQEAwICBDASBgNVHRMBAf8ECDAGAQH/AgEEMB0GA1UdDgQWBBSutUa5Oc3X
+j50LIdlyfQVWu/n6EDANBgkqhkiG9w0BAQsFAAOCAQEAf7qXfQt32CLuZVWUJ0F3
+GibllX5WWdG3zr01X1qZYW0rTVYjPCBl85o9kXJmI377J0q6/7dYMz+bPIZg7KEd
+R7ZuOJ6Sxo5LwXzujd5CNZYeCMd7VnUFmQv3lqf3v7El+2Sym8O1hlLeRlVkws7/
+xBtgqnyxMHYB8QAWzrv3kFBomteKHLhOKP6mTO0c6+jUJxAwc9V/6I64LiQR9ne2
+C/mT7cXyqy5Lt0RBystiRSSW2wDvqz03UJvmqHiGQA3Nj2XYbFNzhMcwKFdSYLjY
++EmF2LWn8K/yQz18g9p3JStJDaCY9ZiHpuQkSy6NIT6snwWsdOUzuzmPOJscKcuz
+Og==
+-----END CERTIFICATE-----

src/Network/Network.Test/ScenarioTests/Data/VpnGatewayInboundCert.cer

@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDMTCCAhmgAwIBAgIQZ42yCTtjvqdE5GOHkoK6eTANBgkqhkiG9w0BAQsFADAW
+MRQwEgYDVQQDDAtWUE5Sb290Q0EwMTAgFw0yNTEwMDIxNjIyMTZaGA8yMjI1MTAw
+MjE2MzIwNFowHjEcMBoGA1UEAwwTSW5ib3VuZC1jZXJ0aWZpY2F0ZTCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBANgPsbE8OCeyLNMDiFd1DIk9vCgIYX+L
+fYPfYg240s4w51quwExGz+6T7JWis2YdZbIPxYWlH6mqTAiwzt1KBIjouvUTm1fH
+zZ2oucrNQBvn7KLMJTJbw69akSVDRqk99FvHq6L35OebTBJRCfz2oEZHnp08F3yP
+AAcCLRi9LSC/IUC+Ijc9wc8DmpOiLHx9zn15Rx1LMAFwkrA1Y4SHJnJky8J5EdwJ
+9TEg5toNUQa6u7wj7vI4DcfieXHN0+0xG1YK7w/YCoapBS8s5TSQ+VoGCyKh01//
+xlEBHnntrcgUnSkqCIv9grKxARTdDQIeA4LNnwSQ/S/2uhNf6PGJvJ0CAwEAAaNx
+MG8wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD
+ATAfBgNVHSMEGDAWgBSutUa5Oc3Xj50LIdlyfQVWu/n6EDAdBgNVHQ4EFgQUlWEZ
+ANRVD++Fts7pMBrLJ3EUiEYwDQYJKoZIhvcNAQELBQADggEBAG/ty9Qg5bUYtlYK
+y5BmN5ntj61h7t/pHiibqszOUqin8sL6t3T32UlvfB3b07LALQ/Q+PTnx1SyFs12
+yOPKLPzdYPkrnLQ45MMaTJFdDFeMc/Mk1QeRdqyk65XoFXDj3hqxhZvHZ6H1+OmX
+xKscuQdKQlFs4LviI6bQTBuKQFlmAqlLKLVSIHSDJlgFDZIqsfZAYmjkatM24RxN
+fV8HWbNVLDiInAgNXj+GL2zg8UUNVEjgh1M2ZqgRZpBqtNhkF+GoUn6bKFIkd/LF
++hgbehKSTWc8OlzmsZZMK1LWGK8ZIsGj2W6QrayyMGzOUy16BHg1fJLUwpibK7tt
+Qbc0oFE=
+-----END CERTIFICATE-----

src/Network/Network.Test/ScenarioTests/Data/VpnGatewayoutboundcert.pfx

@@ -113,5 +113,13 @@ public void TestVirtualNetworkGatewayConnectionGetIkeSa()
         {
             TestRunner.RunTestScript("Test-VirtualNetworkGatewayConnectionGetIkeSa");
         }
+
+        [Fact(Skip = "Test encounters managed identity authentication token issues in CI pipeline, unrelated to certificate authentication. Manually ran test, validated, and session recording available.")]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        [Trait(Category.Owner, NrpTeamAlias.brooklynft_subset4)]
+        public void TestVirtualNetworkGatewayConnectionWithCertificateAuth()
+        {
+            TestRunner.RunTestScript("Test-VirtualNetworkGatewayConnectionWithCertificateAuth");
+        }
     }
 }

src/Network/Network.Test/ScenarioTests/VirtualNetworkGatewayConnectionTests.cs

@@ -974,3 +974,123 @@ function Test-VirtualNetworkGatewayConnectionGetIkeSa
      }
 }
 
+function Test-VirtualNetworkGatewayConnectionWithCertificateAuth
+{
+    # Setup
+    $rgname = Get-ResourceGroupName
+    $vnetName = Get-ResourceName
+    $localnetName = Get-ResourceName
+    $vnetConnectionName = Get-ResourceName
+    $vnetGatewayName = Get-ResourceName
+    $publicIpName = Get-ResourceName
+    $identityName = Get-ResourceName
+    $vnetGatewayConfigName = Get-ResourceName
+    $rglocation = Get-ProviderLocation ResourceManagement
+    $resourceTypeParent = "Microsoft.Network/connections"
+    $location = Get-ProviderLocation $resourceTypeParent
+
+    try 
+    {
+
+        $resourceGroup = New-AzResourceGroup -Name $rgname -Location $rglocation -Tags @{ testtag = "testval" } 
+        
+        # Create managed identity
+        $identity = New-AzUserAssignedIdentity -ResourceGroupName $rgname -Name $identityName -Location $location
+
+        $keyVaultName = "kv" + $rgname.Substring(0, [Math]::Min(15, $rgname.Length))
+        $keyVault = New-AzKeyVault -ResourceGroupName $rgname -VaultName $keyVaultName -Location $location -EnabledForDeployment -Sku Standard -DisableRbacAuthorization
+
+        # 2. Grant managed identity access to Key Vault certificates
+        Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName -ObjectId $identity.PrincipalId -PermissionsToCertificates get,list -PermissionsToSecrets get,list
+
+        $currentUser = (Get-AzContext).Account.Id
+        Set-AzKeyVaultAccessPolicy -VaultName $keyVaultName -UserPrincipalName $currentUser -PermissionsToCertificates get,list,create,delete,import
+
+        # 3. Import certificate 
+        $certFilePath = "./ScenarioTests/Data/VpnGatewayoutboundcert.pfx"
+        $certPassword = ConvertTo-SecureString -String "12345" -Force -AsPlainText
+        Import-AzKeyVaultCertificate -VaultName $keyVaultName -Name "vpn-gateway-cert" `
+            -FilePath $certFilePath -Password $certPassword
+     
+        # Create the Virtual Network
+        $subnet = New-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix 10.0.0.0/24
+        $vnet = New-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgname -Location $location -AddressPrefix 10.0.0.0/16 -Subnet $subnet
+        $vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rgname
+        $subnet = Get-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet
+
+        $publicip = New-AzPublicIpAddress -ResourceGroupName $rgname -name $publicIpName -location $location -AllocationMethod Static -DomainNameLabel $publicIpName
+
+        # Create VirtualNetworkGateway with managed identity
+        $vnetIpConfig = New-AzVirtualNetworkGatewayIpConfig -Name $vnetGatewayConfigName -PublicIpAddress $publicip -Subnet $subnet
+        $actual = New-AzVirtualNetworkGateway -ResourceGroupName $rgname -name $vnetGatewayName -location $location -IpConfigurations $vnetIpConfig -GatewayType Vpn -VpnType RouteBased -EnableBgp $false -GatewaySku VpnGw1 -UserAssignedIdentityId $identity.Id
+        $vnetGateway = Get-AzVirtualNetworkGateway -ResourceGroupName $rgname -name $vnetGatewayName
+
+        Assert-AreEqual "Succeeded" $vnetGateway.ProvisioningState
+        Assert-NotNull $vnetGateway.Identity
+
+        # Create LocalNetworkGateway
+        $localGateway = New-AzLocalNetworkGateway -ResourceGroupName $rgname -name $localnetName -location $location -AddressPrefix 192.168.0.0/16 -GatewayIpAddress 192.168.4.5
+
+        $cert = Get-AzKeyVaultCertificate -VaultName $keyVaultName -Name "vpn-gateway-cert"
+        $outboundCertUrl = $cert.Id
+        $certData = Get-AzKeyVaultCertificate -VaultName $keyVaultName -Name "vpn-gateway-cert"
+        $certBytes = [System.Convert]::ToBase64String($certData.Certificate.RawData)
+        $subjectName = $certData.Certificate.Subject
+
+        $inboundCert1Path = "./ScenarioTests/Data/VpnGatewayInboundCert.cer"
+        $inboundCert2Path = "./ScenarioTests/Data/VpnGatewayAuthCert.cer"
+        $inboundCert1Data = Get-Content -Path $inboundCert1Path -Raw
+        $inboundCert2Data = Get-Content -Path $inboundCert2Path -Raw
+        
+        # Remove PEM headers if present and get Base64 only
+        $inboundCert1Base64 = $inboundCert1Data -replace "-----BEGIN CERTIFICATE-----", "" -replace "-----END CERTIFICATE-----", ""
+        $inboundCert2Base64 = $inboundCert2Data -replace "-----BEGIN CERTIFICATE-----", "" -replace "-----END CERTIFICATE-----", ""
+        $certChain = @($inboundCert1Base64, $inboundCert2Base64) 
+
+        $certAuth = New-AzVirtualNetworkGatewayCertificateAuthentication `
+            -OutboundAuthCertificate $outboundCertUrl `
+            -InboundAuthCertificateSubjectName $subjectName `
+            -InboundAuthCertificateChain $certChain
+
+       # Verify certificate authentication object properties
+        Assert-AreEqual $outboundCertUrl $certAuth.OutboundAuthCertificate
+        Assert-AreEqual $subjectName $certAuth.InboundAuthCertificateSubjectName
+        Assert-AreEqual 2 $certAuth.InboundAuthCertificateChain.Count
+        Assert-NotNull $certAuth.InboundAuthCertificateChain[0]
+        Assert-NotNull $certAuth.InboundAuthCertificateChain[1]
+
+        # Create VirtualNetworkGatewayConnection with Certificate Authentication
+        $actual = New-AzVirtualNetworkGatewayConnection -ResourceGroupName $rgname -name $vnetConnectionName -location $location -VirtualNetworkGateway1 $vnetGateway -LocalNetworkGateway2 $localGateway -ConnectionType IPsec -RoutingWeight 3 -AuthenticationType "Certificate" -CertificateAuthentication $certAuth
+        
+        # Verify connection was created successfully
+        $connection = Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rgname -name $vnetConnectionName
+        Assert-AreEqual $connection.ResourceGroupName $actual.ResourceGroupName	
+        Assert-AreEqual $connection.Name $actual.Name
+        Assert-AreEqual "Certificate" $connection.AuthenticationType
+        Assert-NotNull $connection.CertificateAuthentication
+        Assert-AreEqual $outboundCertUrl $connection.CertificateAuthentication.OutboundAuthCertificate
+        Assert-AreEqual $subjectName $connection.CertificateAuthentication.InboundAuthCertificateSubjectName
+        Assert-AreEqual 2 $connection.CertificateAuthentication.InboundAuthCertificateChain.Count
+
+        # Update with new certificate (just use same cert for test purposes)
+        $newCertAuth = New-AzVirtualNetworkGatewayCertificateAuthentication -OutboundAuthCertificate $outboundCertUrl -InboundAuthCertificateSubjectName $subjectName -InboundAuthCertificateChain $certChain
+        
+        $updatedConnection = Set-AzVirtualNetworkGatewayConnection -VirtualNetworkGatewayConnection $connection -AuthenticationType "Certificate" -CertificateAuthentication $newCertAuth -Force
+        
+        # Verify update
+        $verifyConnection = Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rgname -name $vnetConnectionName
+        Assert-AreEqual "Certificate" $verifyConnection.AuthenticationType
+        Assert-AreEqual $outboundCertUrl $verifyConnection.CertificateAuthentication.OutboundAuthCertificate
+        Assert-AreEqual $subjectName $verifyConnection.CertificateAuthentication.InboundAuthCertificateSubjectName
+
+        # List connections and verify
+        $list = Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rgname -Name "*"
+        Assert-True { $list.Count -ge 1 }
+        
+    }
+    finally
+    {
+        # Cleanup
+        Clean-ResourceGroup $rgname
+    }
+}

src/Network/Network.Test/ScenarioTests/VirtualNetworkGatewayConnectionTests.ps1

@@ -508,6 +508,7 @@ CmdletsToExport = 'Add-AzApplicationGatewayAuthenticationCertificate',
                'New-AzVirtualHubRoute', 'New-AzVirtualHubRouteTable', 
                'New-AzVirtualHubVnetConnection', 'New-AzVirtualNetwork', 
                'New-AzVirtualNetworkGateway', 
+               'New-AzVirtualNetworkGatewayCertificateAuthentication', 
                'New-AzVirtualNetworkGatewayConnection', 
                'New-AzVirtualNetworkGatewayIpConfig', 
                'New-AzVirtualNetworkGatewayMigrationParameter', 

src/Network/Network.Test/SessionRecords/Commands.Network.Test.ScenarioTests.VirtualNetworkGatewayConnectionTests/TestVirtualNetworkGatewayConnectionWithCertificateAuth.json

@@ -19,6 +19,10 @@
 --->
 
 ## Upcoming Release
+* Added certificate-based authentication support for VPN Gateway connections
+    - New cmdlet `New-AzVirtualNetworkGatewayCertificateAuthentication` to create certificate authentication configuration
+    - Added `-AuthenticationType` and `-CertificateAuthentication` parameters to `New-AzVirtualNetworkGatewayConnection` and `Set-AzVirtualNetworkGatewayConnection`
+    - Added `-UserAssignedIdentityId` parameter to `Set-AzVirtualNetworkGateway` and `New-AzVirtualNetworkGateway` for managed identity configuration
 * Upgraded the api version from 2024-10-01 to 2025-01-01
 
 ## Version 7.21.0

src/Network/Network/Az.Network.psd1

@@ -0,0 +1,32 @@
+// ----------------------------------------------------------------------------------
+//
+// Copyright Microsoft Corporation
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+// http://www.apache.org/licenses/LICENSE-2.0
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+// ----------------------------------------------------------------------------------
+
+using Microsoft.Azure.Management.Network.Models;
+using Microsoft.WindowsAzure.Commands.Common.Attributes;
+using System.Collections.Generic;
+
+namespace Microsoft.Azure.Commands.Network.Models
+{
+    public class PSCertificateAuthentication
+    {
+        [Ps1Xml(Label = "OutboundAuthCertificate", Target = ViewControl.Table, Position = 0)]
+        public string OutboundAuthCertificate { get; set; }
+
+        [Ps1Xml(Label = "InboundAuthCertificateSubjectName", Target = ViewControl.Table, Position = 1)]
+        public string InboundAuthCertificateSubjectName { get; set; }
+
+        [Ps1Xml(Label = "InboundAuthCertificateChain", Target = ViewControl.Table, Position = 2)]
+        public List<string> InboundAuthCertificateChain { get; set; }
+    }
+}

src/Network/Network/ChangeLog.md

@@ -87,6 +87,9 @@ public class PSVirtualNetworkGateway : PSTopLevelResource
         [Ps1Xml(Label = "AutoScaleConfiguration", Target = ViewControl.Table)]
         public PSVirtualNetworkGatewayAutoscaleConfiguration AutoScaleConfiguration { get; set; }
 
+        [Ps1Xml(Target = ViewControl.Table)]
+        public PSManagedServiceIdentity Identity { get; set; }
+
         [Ps1Xml(Target = ViewControl.Table)]
         public PSVirtualNetworkGatewayMigrationStatus VirtualNetworkGatewayMigrationStatus { get; set; }
 
@@ -150,6 +153,12 @@ public string AutoScaleConfigurationText
             get { return JsonConvert.SerializeObject(AutoScaleConfiguration, Formatting.Indented, new JsonSerializerSettings() { NullValueHandling = NullValueHandling.Ignore }); }
         }
 
+        [JsonIgnore]
+        public string IdentityText
+        {
+            get { return JsonConvert.SerializeObject(Identity, Formatting.Indented, new JsonSerializerSettings() { NullValueHandling = NullValueHandling.Ignore }); }
+        }
+
         [JsonIgnore]
         public string VirtualNetworkGatewayMigrationStatusText
         {