Creating a Point-to-Site connection

To create a Point-to-Site connection, you have to perform the following steps:

  1. Ensure you have a virtual network with a gateway subnet, and make sure its address space does not overlap with your on-premises network.
  2. Build a virtual network gateway for the virtual network you've created.
  3. Then, you need to generate a certificate that allows a client to authenticate to the VNet over a Point-to-Site VPN connection. The certificate can be issued by a CA server or it can be self-signed.
  4. To create a self-signed certificate, you can run the following PowerShell cmdlet:
     $cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=RootCert" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign
  5. Then, open Manage user certificates and navigate to Current User | Personal | Certificates, where you will find the certificate you have just created, as shown in the following screenshot:
Figure 4.7: Root cert location
  6. Right-click on the certificate you have created, then select All Tasks | Export..., as shown in the following screenshot:
Figure 4.8: Exporting the certificate
  7. You will be prompted by a welcome screen. Click on Next.
  8. Then, select not to export the private key and click on Next, as shown in the following screenshot:
Figure 4.9: Determining whether to export the private key or not
  9. After that, you have to specify the certificate format. Select Base-64 encoded X.509 (.CER), as shown in the following screenshot:
Figure 4.10: Select the file format of the certificate
  10. On the next screen, specify the path to which the certificate will be exported, as shown in the following screenshot:
Figure 4.11: Export file path
  11. Finally, you will be presented with a summary of all the settings you have specified during the export process, as shown in the following screenshot:
Figure 4.12: Certificate export summary
  12. After clicking on Finish, a dialog will pop up confirming that the export was successful, as shown in the following screenshot:
Figure 4.13: Successful export
  13. Navigate to where the certificate has been exported and open it with Notepad. Copy the certificate data, as shown in the following screenshot:
Figure 4.14: Copying the certificate data
  14. Navigate back to the virtual network gateway you have created in the Azure portal, and open Point-to-site configuration, as shown in the following screenshot:
Figure 4.15: Point-to-Site configuration blade
  15. Click on Configure now, and the following fields will appear in the same blade:
    • Address pool: The private IP address range from which connecting VPN clients will be assigned addresses.
    • Tunnel type: Select the tunnel type that fits the client(s) that will connect to the VNet over the Point-to-Site VPN connection.
    • Authentication type: There are two authentication types: Azure certificate and RADIUS authentication, the latter still in preview at the time of writing. Select Azure certificate, as it fits this scenario.
    • Root certificates: Specify a name for the root certificate and paste the data you copied earlier under Public certificate data.
    • Revoked certificates: You can revoke specific client certificates by entering a name for the certificate and its thumbprint:
Figure 4.16: Configuring Point-to-Site connection
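The certificate steps above (generating the root certificate, exporting its public part as Base-64 text, and obtaining the thumbprint needed for the Revoked certificates field) can be done entirely from PowerShell instead of the certificate wizard. The following script is an added example and is not part of the book; the certificate names P2SRootCert and P2SClientCert and the output folder C:\P2S are placeholders chosen for it. The root-certificate cmdlet is the one shown in step 4; the client-certificate cmdlet, the Client Authentication EKU OID and the RawData-to-Base64 conversion are standard Windows PowerShell and .NET usage rather than anything taken from the book.

```powershell
# Added example (not from the book): PowerShell equivalent of the certificate steps.
# Assumptions: P2SRootCert / P2SClientCert and C:\P2S are placeholder names chosen for
# this example; all cmdlets used are standard Windows PowerShell (PKI module) and .NET.

$outDir = "C:\P2S"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# 1. Self-signed root certificate (same cmdlet as step 4, with a distinct subject name).
#    Only its public part is uploaded to the gateway; its private key stays on this machine
#    and is the key that signs every client certificate the gateway will trust.
$root = New-SelfSignedCertificate -Type Custom -KeySpec Signature `
    -Subject "CN=P2SRootCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -KeyUsageProperty Sign -KeyUsage CertSign

# 2. Client certificate issued by that root, limited to the Client Authentication EKU
#    (OID 1.3.6.1.5.5.7.3.2). Issue one per user or device so each can be revoked on its own.
$client = New-SelfSignedCertificate -Type Custom -DnsName "P2SClientCert" -KeySpec Signature `
    -Subject "CN=P2SClientCert" -KeyExportPolicy Exportable `
    -HashAlgorithm sha256 -KeyLength 2048 `
    -CertStoreLocation "Cert:\CurrentUser\My" `
    -Signer $root -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")

# 3. Public certificate data for the "Root certificates" field: the Base-64 encoding of the
#    DER bytes, with no BEGIN/END lines, i.e. the same text the .CER export contains between
#    its header and footer. No private key is included.
$rootPublicData = [Convert]::ToBase64String($root.RawData)
Set-Content -Path (Join-Path $outDir "P2SRootCert.base64.txt") -Value $rootPublicData

# 4. Thumbprint to keep on record for the "Revoked certificates" field, should this
#    client certificate ever need to be blocked at the gateway.
$client.Thumbprint | Set-Content -Path (Join-Path $outDir "P2SClientCert.thumbprint.txt")

# 5. Client certificate together with its private key, for installation on the connecting
#    machine only (password-protected PFX).
$pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString
Export-PfxCertificate -Cert $client -FilePath (Join-Path $outDir "P2SClientCert.pfx") `
    -Password $pfxPassword | Out-Null

Write-Host "Root public data : $outDir\P2SRootCert.base64.txt (paste into Public certificate data)"
Write-Host "Client thumbprint: $($client.Thumbprint) (record for Revoked certificates)"
```

Run it in a Windows PowerShell session as the user who should hold the root key. The contents of P2SRootCert.base64.txt go into the Public certificate data field, and the PFX is imported into the Personal store of each machine that will connect; the root certificate's private key is the trust anchor for the whole Point-to-Site setup, so it belongs on an administrative machine, not on client devices.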
  16. Click on Save; it will take a while to save the configuration. Once it is saved, Download VPN client becomes available, as shown in the following screenshot:
Figure 4.17: Download VPN client
  17. A zipped file will be downloaded. Unzip it and three folders will be extracted:
    • Generic: Contains general information about the VPN client configuration that was specified earlier, and a certificate that needs to be installed
    • WindowsAmd64: Contains the executable for all 64-bit Windows clients
    • WindowsX86: Contains the executable for all 32-bit Windows clients
  18. Install the certificate in the Generic folder; accepting its defaults is all that is needed.
  19. Install the executable that fits your OS.
  20. Once it is installed, you will notice that a VPN connection has been added to your connections, as shown in the following screenshot:
Figure 4.18: The networks and VPN connections
  21. Click on the VPN connection, PP-VirtualNetwork, and click on Connect, as shown in the following screenshot:
Figure 4.19: Connect to the VNet
  22. Now, you can use Remote Desktop to log on to any VM within the virtual network you are connected to, using its private IP address.