Azure VPN Gateway configuration settings (2024)


VPN gateway connection architecture relies on the configuration of multiple resources, each of which contains configurable settings. The sections in this article discuss the resources and settings that relate to a VPN gateway for a virtual network. You can find descriptions and topology diagrams for each connection solution in the VPN Gateway topology and design article.

The values in this article apply specifically to VPN gateways (virtual network gateways created with -GatewayType Vpn). For other gateway types, see these articles instead:

  • For values that apply to -GatewayType 'ExpressRoute', see Virtual network gateways for ExpressRoute.
  • For zone-redundant gateways, see About zone-redundant gateways.
  • For Virtual WAN gateways, see About Virtual WAN.

Gateways and gateway types

A virtual network gateway is composed of two or more Azure-managed VMs that are automatically configured and deployed to a specific subnet that you create called the gateway subnet. The gateway VMs contain routing tables and run specific gateway services. When you create a virtual network gateway, the gateway VMs are automatically deployed to the gateway subnet (always named GatewaySubnet), and configured with the settings that you specified. The process can take 45 minutes or more to complete, depending on the gateway SKU that you selected.

One of the settings that you specify when creating a virtual network gateway is the gateway type. The gateway type determines how the virtual network gateway is used and the actions that the gateway takes. A virtual network can have two virtual network gateways; one VPN gateway and one ExpressRoute gateway. The -GatewayType 'Vpn' specifies that the type of virtual network gateway created is a VPN gateway. This distinguishes it from an ExpressRoute gateway.

Gateway SKUs and performance

See About Gateway SKUs article for the latest information about gateway SKUs, performance, and supported features.

VPN types

Azure supports two different VPN types for VPN gateways: policy-based and route-based. Route-based VPN gateways are built on a different platform than policy-based VPN gateways. This results in different gateway specifications. The following table shows the gateway SKUs that support each of the VPN types, and associated supported IKE versions.

Gateway VPN type       Gateway SKU                                       IKE versions supported
Policy-based gateway   Basic                                             IKEv1
Route-based gateway    Basic                                             IKEv2
Route-based gateway    VpnGw1, VpnGw2, VpnGw3, VpnGw4, VpnGw5            IKEv1 and IKEv2
Route-based gateway    VpnGw1AZ, VpnGw2AZ, VpnGw3AZ, VpnGw4AZ, VpnGw5AZ  IKEv1 and IKEv2

In most cases, you'll create a route-based VPN gateway. Previously, the older gateway SKUs didn't support IKEv1 for route-based gateways. Now, most of the current gateway SKUs support both IKEv1 and IKEv2.

  • As of Oct 1, 2023, policy-based gateways can only be configured using PowerShell or CLI, and aren't available in the Azure portal. To create a policy-based gateway, see Create a Basic SKU VPN gateway using PowerShell.

  • If you already have a policy-based gateway, you aren't required to change your gateway to route-based unless you want to use a configuration that requires a route-based gateway, such as point-to-site.

  • You can't convert a policy-based gateway to route-based. You must delete the existing gateway, and then create a new gateway as route-based.

Active-active mode gateways

Azure VPN gateways can be configured as active-standby or active-active. In an active-active configuration, both instances of the gateway VMs establish site-to-site VPN tunnels to your on-premises VPN device. Active-active mode gateways are a key part of highly available gateway connectivity design. For more information, see the following articles:

  • About active-active gateways
  • Design highly available gateway connectivity for cross-premises and VNet-to-VNet connections

Connection types

Each connection requires a specific virtual network gateway connection type. The available values for New-AzVirtualNetworkGatewayConnection -ConnectionType are IPsec (site-to-site, to a local network gateway), Vnet2Vnet (between two VPN gateways), ExpressRoute (to an ExpressRoute circuit), and VPNClient (point-to-site).

Connection modes

The ConnectionMode property applies only to route-based VPN gateways that use IKEv2 connections. Connection modes define which side initiates the connection, and they apply only to the initial IKE connection establishment; either party can initiate rekeys and subsequent messages. InitiatorOnly means Azure must initiate the connection. ResponderOnly means the on-premises device must initiate the connection. Default means the gateway both dials out and accepts whichever side connects first.

Gateway subnet

Before you create a VPN gateway, you must create a gateway subnet. The gateway subnet contains the IP addresses that the virtual network gateway VMs and services use. When you create your virtual network gateway, gateway VMs are deployed to the gateway subnet and configured with the required VPN gateway settings. Never deploy anything else (for example, more VMs) to the gateway subnet. The gateway subnet must be named 'GatewaySubnet' to work properly. Naming the gateway subnet 'GatewaySubnet' lets Azure know that this is the subnet to which it should deploy the virtual network gateway VMs and services.

When you create the gateway subnet, you specify the number of IP addresses that the subnet contains. The IP addresses in the gateway subnet are allocated to the gateway VMs and gateway services. Some configurations require more IP addresses than others.

When you're planning your gateway subnet size, refer to the documentation for the configuration that you're planning to create. For example, the ExpressRoute/VPN Gateway coexist configuration requires a larger gateway subnet than most other configurations. While it's possible to create a gateway subnet as small as /29 (applicable to the Basic SKU only), all other SKUs require a gateway subnet of size /27 or larger (/27, /26, /25 etc.). You might want to create a gateway subnet larger than /27 so that the subnet has enough IP addresses to accommodate possible future configurations.

The following PowerShell example shows a gateway subnet named GatewaySubnet. You can see the CIDR notation specifies a /27, which allows for enough IP addresses for most configurations that currently exist.

$vnet = Get-AzVirtualNetwork -Name 'VNet1' -ResourceGroupName 'testrg'   # VNet1 and testrg are placeholders for your VNet and resource group
Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix 10.0.3.0/27 -VirtualNetwork $vnet | Set-AzVirtualNetwork

Considerations:

  • User-defined routes with a 0.0.0.0/0 destination and NSGs on the GatewaySubnet aren't supported; gateway creation is blocked with this configuration, because the gateway needs access to its management controllers in order to function. Leave BGP route propagation set to Enabled on any route table associated with the GatewaySubnet; if it's disabled, the gateway won't function.

  • Diagnostics, data path, and control path can be affected if a user-defined route overlaps with the Gateway subnet range or the gateway public IP range.
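The rules in the VPN types, gateway subnet and considerations sections above can be checked before anything is deployed. The following is an added example, not code from the Microsoft article: a pure PowerShell pre-flight check that takes a hashtable describing the planned gateway (the hashtable layout, the SubnetName/Sku/VpnType/IkeVersion/NsgAttached/UserDefinedRoutes/BgpRoutePropagation keys and the sample values are all assumptions made for this example, not Az.Network objects) and reports every rule the plan breaks. It runs offline in Windows PowerShell or pwsh.

```powershell
# Added example, not part of the Microsoft article: a pre-flight check for a planned VPN
# gateway. It encodes the rules this page states (GatewaySubnet name, /27 minimum except
# /29 for Basic, the VPN type / SKU / IKE table, no NSG or 0.0.0.0/0 UDR on the gateway
# subnet, BGP route propagation left enabled). The $Plan hashtable layout is an assumption
# made for this example; it is not an Az.Network object.

function Test-VpnGatewayPlan {
    param([Parameter(Mandatory)][hashtable]$Plan)

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Subnet name (case-sensitive) and prefix length
    if ($Plan.SubnetName -cne 'GatewaySubnet') {
        $findings.Add("Subnet must be named 'GatewaySubnet' (got '$($Plan.SubnetName)')")
    }
    $prefixLength = [int]($Plan.AddressPrefix -split '/')[1]
    $maxPrefixLength = if ($Plan.Sku -eq 'Basic') { 29 } else { 27 }
    if ($prefixLength -gt $maxPrefixLength) {
        $findings.Add("Subnet $($Plan.AddressPrefix) is too small for SKU $($Plan.Sku); need /$maxPrefixLength or larger")
    }

    # 2. VPN type versus SKU versus IKE version (the table in the VPN types section)
    $routeBasedSkus = @('Basic') + (1..5 | ForEach-Object { "VpnGw$_"; "VpnGw$($_)AZ" })
    switch ($Plan.VpnType) {
        'PolicyBased' {
            if ($Plan.Sku -ne 'Basic')        { $findings.Add("Policy-based gateways use the Basic SKU only (got $($Plan.Sku))") }
            if ($Plan.IkeVersion -ne 'IKEv1') { $findings.Add("Policy-based gateways support IKEv1 only (got $($Plan.IkeVersion))") }
        }
        'RouteBased' {
            if ($Plan.Sku -notin $routeBasedSkus) {
                $findings.Add("Unknown gateway SKU $($Plan.Sku)")
            } elseif ($Plan.Sku -eq 'Basic' -and $Plan.IkeVersion -ne 'IKEv2') {
                $findings.Add("Basic route-based gateways support IKEv2 only (got $($Plan.IkeVersion))")
            } elseif ($Plan.IkeVersion -notin @('IKEv1', 'IKEv2')) {
                $findings.Add("IKE version must be IKEv1 or IKEv2 (got $($Plan.IkeVersion))")
            }
        }
        default { $findings.Add("VpnType must be PolicyBased or RouteBased (got $($Plan.VpnType))") }
    }
    if ($Plan.PointToSite -and $Plan.VpnType -ne 'RouteBased') {
        $findings.Add('Point-to-site requires a route-based gateway')
    }

    # 3. Route table and NSG considerations for the GatewaySubnet
    if ($Plan.NsgAttached) {
        $findings.Add('An NSG on the GatewaySubnet is not supported; gateway creation is blocked')
    }
    foreach ($route in @($Plan.UserDefinedRoutes)) {
        if ($route.AddressPrefix -eq '0.0.0.0/0') {
            $findings.Add("UDR '$($route.Name)' with destination 0.0.0.0/0 on the GatewaySubnet is not supported")
        }
    }
    if ($Plan.ContainsKey('BgpRoutePropagation') -and -not $Plan.BgpRoutePropagation) {
        $findings.Add('BGP route propagation is disabled on the GatewaySubnet route table; the gateway will not function')
    }

    [pscustomobject]@{ Ok = ($findings.Count -eq 0); Findings = $findings.ToArray() }
}

# Constructed sample: a plan with several of the mistakes above at once
$badPlan = @{
    SubnetName          = 'gatewaysubnet'
    AddressPrefix       = '10.0.3.0/28'
    Sku                 = 'VpnGw2AZ'
    VpnType             = 'RouteBased'
    IkeVersion          = 'IKEv2'
    PointToSite         = $true
    NsgAttached         = $true
    UserDefinedRoutes   = @(@{ Name = 'to-firewall'; AddressPrefix = '0.0.0.0/0' })
    BgpRoutePropagation = $false
}
(Test-VpnGatewayPlan -Plan $badPlan).Findings | ForEach-Object { "FAIL: $_" }

# The same plan corrected: proper name, /27, no NSG, a specific prefix routed to the
# firewall instead of a 0.0.0.0/0 default route, and BGP route propagation left enabled
$goodPlan = $badPlan.Clone()
$goodPlan.SubnetName          = 'GatewaySubnet'
$goodPlan.AddressPrefix       = '10.0.3.0/27'
$goodPlan.NsgAttached         = $false
$goodPlan.BgpRoutePropagation = $true
$goodPlan.UserDefinedRoutes   = @(@{ Name = 'to-firewall'; AddressPrefix = '10.100.0.0/16' })
Test-VpnGatewayPlan -Plan $goodPlan
```

The check deliberately treats the subnet name as case-sensitive and refuses a /28 for any non-Basic SKU, since Azure rejects both at deployment time; catching them in a plan review is cheaper than a failed 45-minute gateway build. Specific-prefix UDRs are allowed because Azure allows them, but remember the second consideration above: a route that overlaps the GatewaySubnet range or the gateway's public IP can still break the data, control and diagnostics paths.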

Local network gateways

A local network gateway is different than a virtual network gateway. When you're working with a VPN gateway site-to-site architecture, the local network gateway usually represents your on-premises network and the corresponding VPN device.

When you configure a local network gateway, you specify the name, the public IP address or the fully qualified domain name (FQDN) of the on-premises VPN device, and the address prefixes that are located on the on-premises location. Azure looks at the destination address prefixes for network traffic, consults the configuration that you specified for your local network gateway, and routes packets accordingly. If you use Border Gateway Protocol (BGP) on your VPN device, you provide the BGP peer IP address of your VPN device and the autonomous system number (ASN) of your on-premises network. You also specify local network gateways for VNet-to-VNet configurations that use a VPN gateway connection.

The following PowerShell example creates a new local network gateway:

New-AzLocalNetworkGateway -Name LocalSite -ResourceGroupName testrg `
    -Location 'West US' -GatewayIpAddress '23.99.221.164' -AddressPrefix '10.5.51.0/24'

Sometimes you need to modify the local network gateway settings. For example, when you add or modify the address range, or if the IP address of the VPN device changes. For more information, see Modify local network gateway settings.
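The Connection types, Connection modes and Local network gateways sections above describe the pieces of a site-to-site connection one at a time. The following is an added example, not code from the Microsoft article, that puts them together with Az.Network: a local network gateway with BGP settings, a pinned IKE/IPsec proposal, an IPsec connection in ResponderOnly mode, a status check, and a later change to the on-premises address prefixes. It assumes the Az.Network module is installed, you have signed in with Connect-AzAccount, and a route-based VPN gateway named 'VNet1GW' already exists in resource group 'testrg'; the gateway name, the ASN 65010, the BGP peer address 10.5.51.254 and the extra prefix 10.5.52.0/24 are placeholders chosen for this example. It talks to Azure, so it doesn't run offline.

```powershell
# Added example, not part of the Microsoft article. Requires Az.Network and an existing
# route-based VPN gateway; all names, addresses and the ASN below are placeholders.

$rg       = 'testrg'
$location = 'West US'

# 1. Local network gateway: represents the on-premises VPN device and its prefixes.
#    With BGP, Azure learns the on-premises prefixes from the peer instead of the static list.
$lng = New-AzLocalNetworkGateway -Name 'LocalSite' -ResourceGroupName $rg -Location $location `
    -GatewayIpAddress '23.99.221.164' -AddressPrefix '10.5.51.0/24' `
    -Asn 65010 -BgpPeeringAddress '10.5.51.254'

# 2. The Azure-side VPN gateway the connection hangs off (must already exist, -GatewayType Vpn).
$vng = Get-AzVirtualNetworkGateway -Name 'VNet1GW' -ResourceGroupName $rg

# 3. Pre-shared key: generate it with a CSPRNG rather than typing one; hand the same value to
#    the on-premises device out of band and keep it in Key Vault, not in a script.
$keyBytes = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($keyBytes)
$psk = [Convert]::ToBase64String($keyBytes)

# 4. Pin the proposal instead of accepting whatever the two ends negotiate: AES-256/SHA-256/
#    DH group 14 for IKE, AES-256-GCM for ESP, PFS group 14 for the IPsec SA.
$ipsecPolicy = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 `
    -IpsecEncryption GCMAES256 -IpsecIntegrity GCMAES256 -PfsGroup PFS14 `
    -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

# 5. The connection: type IPsec (site-to-site), IKEv2, ResponderOnly so only the on-premises
#    device opens the tunnel, BGP enabled so the peer settings from step 1 are used.
$conn = New-AzVirtualNetworkGatewayConnection -Name 'VNet1-to-LocalSite' -ResourceGroupName $rg `
    -Location $location -VirtualNetworkGateway1 $vng -LocalNetworkGateway2 $lng `
    -ConnectionType IPsec -ConnectionProtocol IKEv2 -ConnectionMode ResponderOnly `
    -SharedKey $psk -EnableBgp $true -IpsecPolicies $ipsecPolicy

# 6. Status: ConnectionStatus moves from Unknown/Connecting to Connected once the on-premises
#    device dials in with the matching key and proposal. Byte counters confirm traffic is flowing.
Get-AzVirtualNetworkGatewayConnection -Name $conn.Name -ResourceGroupName $rg |
    Select-Object Name, ConnectionStatus, ConnectionMode, IngressBytesTransferred, EgressBytesTransferred

# 7. Later change: the on-premises side adds a subnet. Update the local network gateway in
#    place rather than recreating it; the connection picks up the new prefix list.
$lng = Get-AzLocalNetworkGateway -Name 'LocalSite' -ResourceGroupName $rg
Set-AzLocalNetworkGateway -LocalNetworkGateway $lng -AddressPrefix @('10.5.51.0/24', '10.5.52.0/24')
```

ResponderOnly is the right mode when the on-premises device sits behind a firewall that only permits outbound IKE, or when you want the initiation direction fixed for auditability; with Default, whichever side dials first wins, which can make tunnel logs on the two ends hard to correlate. Because the mode only governs the first IKE exchange, rekeys still come from either side.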

REST APIs, PowerShell cmdlets, and CLI

For technical resources and specific syntax requirements when using REST APIs, PowerShell cmdlets, or Azure CLI for VPN Gateway configurations, see the following pages:

  • PowerShell
  • Azure CLI
  • REST API

Next steps

For more information about available connection configurations, see About VPN Gateway.


FAQs

Which network configuration must be in place before configuring an Azure VPN?

Before you create a VPN gateway, you must create a gateway subnet. The gateway subnet contains the IP addresses that the virtual network gateway VMs and services use. When you create your virtual network gateway, gateway VMs are deployed to the gateway subnet and configured with the required VPN gateway settings.

Which statement regarding an Azure VPN gateway is true?

The statement "the gateway connects an Azure VNet to an on-premises network" is true: an Azure VPN gateway sends encrypted traffic between an Azure virtual network and an on-premises location over the public internet, and it can also connect virtual networks to each other.

How to check Azure VPN configuration?

To verify the VPN connection, on the Azure portal menu select All resources (or search for and select All resources from any page), select your virtual network gateway, and then select Connections on the gateway's pane. You can see the status of each connection there.

What are the requirements for Azure virtual network gateway subnet?

The gateway subnet hosts the virtual machines of your Azure gateway and must be named 'GatewaySubnet'. The Basic SKU can use a subnet as small as /29; all other SKUs require a prefix length of /27 or larger (/27, /26, /25 and so on). A larger subnet is recommended if you plan configurations that need more addresses, such as ExpressRoute and VPN Gateway coexistence.


Which of the following is a function of an Azure VPN gateway?

Azure VPN Gateway connects your on-premises networks to Azure through site-to-site VPNs, in a similar way that you set up and connect to a remote branch office. The connectivity is secure and uses the industry-standard protocols Internet Protocol Security (IPsec) and Internet Key Exchange (IKE).

What is the difference between VPN gateway and Application Gateway in Azure?

Application Gateway is a Layer 7 load-balancing service with features such as TLS termination and a web application firewall; it routes client requests to your applications. A virtual network gateway of type Vpn is a VPN gateway for point-to-site (user) and site-to-site (office or datacenter) VPN connections into your own Azure VNets.

Is Azure VPN gateway or virtual network gateway?

A VPN gateway is a specific type of virtual network gateway that is used to send traffic between an Azure virtual network and an on-premises location over the public internet. You can also use a VPN gateway to send traffic between Azure virtual networks. Each virtual network can have at most one VPN gateway.

Can you ping an Azure VPN gateway?

Once the tunnel is up, you can test reachability of the Azure-side internal gateway address with the ping utility in your operating system: open a command prompt or terminal on your local machine, run ping against the Azure VPN gateway's internal IP address (obtained from the gateway's configuration), and press Enter to execute the command. If the tunnel isn't established, use the connection status in the portal rather than ping to diagnose it.

What is the difference between subnet and gateway subnet in Azure?

The gateway subnet contains the IP addresses that the virtual network gateway resources and services use. The subnet must be named 'GatewaySubnet' in order for Azure to deploy the gateway resources; you can't specify a different subnet to deploy the gateway resources to, and you shouldn't deploy anything else into it.

Where is Azure VPN config?

For the Azure VPN Client on Windows, place the azurevpnconfig.xml profile in the %userprofile%\AppData\Local\Packages\Microsoft.AzureVpn_8wekyb3d8bbwe\LocalState folder, then run the following command: azurevpn -i azurevpnconfig.xml

How do I enable private IP address in Azure VPN gateway?

If you have an active-active mode VPN gateway, you'll see two private IP addresses. To enable Use Azure Private IP Address on the connection, go to the connection's Configuration page, set Use Azure Private IP Address to Enabled, then select Save.


Which Azure resources are needed when configuring a site-to-site VPN?

Besides the virtual network gateway (with its GatewaySubnet and public IP) and the connection resource, you need a local network gateway. The local network gateway represents the on-premises VPN device in Azure: it defines the device's IP address or FQDN, the on-premises address space, and the other parameters required to establish a secure connection between the on-premises network and the Azure VNet.

Article information

Author: Trent Wehner
