CREATING an encrypted tunnel to a VNET using Azure PowerShell

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-rm-ps#creategateway

CREATING A VNET

  • Create a Resource Group –
    New-AzureRmResourceGroup -Name $RG -Location $Location
  • Create the SUBNET configurations for the VNET – e.g. Public, Private and Gateway Subnet
  • Create a Virtual Network –
    New-AzureRmVirtualNetwork -Name $VNetName -ResourceGroupName $RG -Location $Location -AddressPrefix $VNetPrefix1,$VNetPrefix2 -Subnet $fesub, $besub, $gwsub -DnsServer 10.2.1.3

Next, create a VPN tunnel (follow the Microsoft guide linked above)

A VPN gateway must have a Public IP address. You first request the IP address resource, and then refer to it when creating your virtual network gateway. The IP address is dynamically assigned to the resource when the VPN gateway is created. VPN Gateway currently only supports Dynamic Public IP address allocation.

GENERATE CERTIFICATES – ROOT AND CLIENT

  • Certificates are used by Azure to authenticate VPN clients for Point-to-Site VPNs. You upload the public key information of the root certificate to Azure. The public key is then considered ‘trusted’.
  • Client certificates must be generated from the trusted root certificate, and then installed on each client computer in the Certificates-Current User/Personal certificate store.
  • Root Certificate – You can use either a root certificate that was generated using an enterprise solution (recommended), or you can generate a self-signed certificate.
  • After creating the root certificate, export the public certificate data (not the private key) as a Base-64 encoded X.509 .cer file and upload the public certificate data to Azure.
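The three steps above (VNET with its subnets, public IP and gateway IP configuration, root certificate upload and gateway creation) put together as one AzureRM script. This is an added example, not the post's own code; the resource names, address ranges and the path to the exported .cer file are assumed placeholders, and the cmdlets are those from the linked Microsoft guide.

```powershell
# Assumed (constructed) names and address ranges; change to suit your environment.
$RG            = "P2S-RG"
$Location      = "East US"
$VNetName      = "P2S-VNet"
$VNetPrefix1   = "192.168.0.0/16"
$VNetPrefix2   = "10.254.0.0/16"
$FESubPrefix   = "192.168.1.0/24"     # front-end (public) subnet
$BESubPrefix   = "10.254.1.0/24"      # back-end (private) subnet
$GWSubPrefix   = "192.168.200.0/26"   # gateway subnet; Azure requires the name "GatewaySubnet"
$VpnClientPool = "172.16.201.0/24"    # addresses handed to P2S clients; must not overlap the VNET
$RootCerFile   = "C:\cert\P2SRootCert.cer"   # assumed path: Base-64 .cer with the root's public data only

# Step 1: resource group, subnet configurations and the virtual network
New-AzureRmResourceGroup -Name $RG -Location $Location
$fesub = New-AzureRmVirtualNetworkSubnetConfig -Name "FrontEnd"      -AddressPrefix $FESubPrefix
$besub = New-AzureRmVirtualNetworkSubnetConfig -Name "BackEnd"       -AddressPrefix $BESubPrefix
$gwsub = New-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -AddressPrefix $GWSubPrefix
New-AzureRmVirtualNetwork -Name $VNetName -ResourceGroupName $RG -Location $Location `
    -AddressPrefix $VNetPrefix1,$VNetPrefix2 -Subnet $fesub,$besub,$gwsub -DnsServer 10.2.1.3

# Step 2: dynamically allocated public IP, bound to the gateway subnet through an IP configuration
$vnet   = Get-AzureRmVirtualNetwork -Name $VNetName -ResourceGroupName $RG
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet
$pip    = New-AzureRmPublicIpAddress -Name "$VNetName-GWpip" -ResourceGroupName $RG `
              -Location $Location -AllocationMethod Dynamic
$ipconf = New-AzureRmVirtualNetworkGatewayIpConfig -Name "gwipconf" -Subnet $subnet -PublicIpAddress $pip

# Step 3: upload only the root certificate's public data, then create the point-to-site VPN gateway
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RootCerFile)
if ($cert.HasPrivateKey) { throw "Export the root certificate without its private key before uploading" }
$rootCert = New-AzureRmVpnClientRootCertificate -Name "P2SRootCert" `
                -PublicCertData ([Convert]::ToBase64String($cert.RawData))
New-AzureRmVirtualNetworkGateway -Name "$VNetName-GW" -ResourceGroupName $RG -Location $Location `
    -IpConfigurations $ipconf -GatewayType Vpn -VpnType RouteBased -EnableBgp $false `
    -GatewaySku VpnGw1 -VpnClientProtocol "SSTP","IkeV2" `
    -VpnClientAddressPool $VpnClientPool -VpnClientRootCertificates $rootCert
```

Creating the gateway takes a while (commonly 45 minutes or more); clients then need a certificate issued by the uploaded root in their Current User\Personal store before they can connect.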

Summary

It is straightforward to use PowerShell to spin up an Azure VNET. In addition, using the three-step process outlined here, it is possible to create your own VPN tunnel to Azure. To encrypt traffic between the tunnel endpoints, use a root (server-side) and a client certificate as outlined above.

Anuj holds professional certifications in Google Cloud, AWS as well as certifications in Docker and App Performance Tools such as New Relic. He specializes in Cloud Security, Data Encryption and Container Technologies.


Anuj Varma – Hands-On Technology Architect, Clean Air Activist.