Azure Limits
Azure Limits
Azure Limits
A VPN gateway is a specific type of virtual network gateway that is used to send encrypted traffic between an
Azure virtual network and an on-premises location over the public Internet. You can also use a VPN gateway to
send encrypted traffic between Azure virtual networks over the Microsoft network. Each virtual network can have
only one VPN gateway. However, you can create multiple connections to the same VPN gateway. When you
create multiple connections to the same VPN gateway, all VPN tunnels share the available gateway bandwidth.
Azure Supported Services Cloud Services and Virtual Cloud Services and Virtual Services list
Machines Machines
Typical Bandwidths Based on the gateway SKU Typically < 1 Gbps 50 Mbps, 100 Mbps, 200
aggregate Mbps, 500 Mbps, 1 Gbps, 2
Gbps, 5 Gbps, 10 Gbps
Typical use case Prototyping, dev / test / lab Dev / test / lab scenarios Access to all Azure services
scenarios for cloud services and small scale production (validated list), Enterprise-
and virtual machines workloads for cloud services class and mission critical
and virtual machines workloads, Backup, Big Data,
Azure as a DR site
Gateway SKUs
When you create a virtual network gateway, you specify the gateway SKU that you want to use. Select the SKU
that satisfies your requirements based on the types of workloads, throughputs, features, and SLAs. For more
information about gateway SKUs, including supported features, production and dev-test, and configuration steps,
see Gateway SKUs.
Gateway SKUs by tunnel, connection, and throughput
S2S/VNET-TO-VNET P2S AGGREGATE
SKU TUNNELS CONNECTIONS THROUGHPUT BENCHMARK
(*) Use Virtual WAN if you need more than 30 S2S VPN tunnels.
(**) Contact support if additional connections are needed. This applies to IKEv2 only, number of
connections for SSTP cannot be increased.
Aggregate Throughput Benchmark is based on measurements of multiple tunnels aggregated through a
single gateway. It is not a guaranteed throughput due to Internet traffic conditions and your application
behaviors.
Pricing information can be found on the Pricing page.
SLA (Service Level Agreement) information can be found on the SLA page.
VpnGw1, VpnGw2, and VpnGw3 are supported for VPN gateways using the Resource Manager
deployment model only.
Multi-Site
This type of connection is a variation of the Site-to-Site connection. You create more than one VPN connection
from your virtual network gateway, typically connecting to multiple on-premises sites. When working with
multiple connections, you must use a RouteBased VPN type (known as a dynamic gateway when working with
classic VNets). Because each virtual network can only have one VPN gateway, all connections through the
gateway share the available bandwidth. This type of connection is often called a "multi-site" connection.
Deployment models and methods for Site -to -Site and Multi-Site
DEPLOYMENT
MODEL/METHOD AZURE PORTAL POWERSHELL AZURE CLI
(**) denotes that this method contains steps that require PowerShell.
(+) denotes that this article is written for multi-site connections.
RADIUS authentication
(+) denotes this deployment method is available only for VNets in the same subscription.
(*) denotes that this deployment method also requires PowerShell.
Pricing
You pay for two things: the hourly compute costs for the virtual network gateway, and the egress data transfer
from the virtual network gateway. Pricing information can be found on the Pricing page.
Virtual network gateway compute costs
Each virtual network gateway has an hourly compute cost. The price is based on the gateway SKU that you
specify when you create a virtual network gateway. The cost is for the gateway itself and is in addition to the data
transfer that flows through the gateway.
Data transfer costs
Data transfer costs are calculated based on egress traffic from the source virtual network gateway.
If you are sending traffic to your on-premises VPN device, it will be charged with the Internet egress data
transfer rate.
If you are sending traffic between virtual networks in different regions, the pricing is based on the region.
If you are sending traffic only between virtual networks that are in the same region, there are no data costs.
Traffic between VNets in the same region is free.
For more information about gateway SKUs for VPN Gateway, see Gateway SKUs.
FAQ
For frequently asked questions about VPN gateway, see the VPN Gateway FAQ.
Next steps
Plan your VPN gateway configuration. See VPN Gateway Planning and Design.
View the VPN Gateway FAQ for additional information.
View the Subscription and service limits.
Learn about some of the other key networking capabilities of Azure.
Create and Manage VPN gateway with the Azure
PowerShell module
8/31/2018 • 5 minutes to read • Edit Online
Azure VPN gateways provide cross-premises connectivity between customer premises and Azure. This tutorial
covers basic Azure VPN gateway deployment items such as creating and managing a VPN gateway. You learn how
to:
Create a VPN gateway
Resize a VPN gateway
Reset a VPN gateway
The following diagram shows the virtual network and the VPN gateway created as part of this tutorial.
Click the Cloud Shell button on the menu in the upper right
of the Azure portal.
If you choose to install and use the PowerShell locally, this tutorial requires the Azure PowerShell module version
5.3 or later. Run Get-Module -ListAvailable AzureRM to find the version. If you need to upgrade, see Install Azure
PowerShell module. If you are running PowerShell locally, you also need to run Login-AzureRmAccount to create a
connection with Azure.
IMPORTANT
Currently, you can only use a Dynamic public IP address for the gateway. Static IP address is not supported on Azure VPN
gateways.
$gwpip = New-AzureRmPublicIpAddress -Name $GwIP1 -ResourceGroupName $RG1 `
-Location $Location1 -AllocationMethod Dynamic
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' `
-VirtualNetwork $vnet
$gwipconf = New-AzureRmVirtualNetworkGatewayIpConfig -Name $GwIPConf1 `
-Subnet $subnet -PublicIpAddress $gwpip
Resizing a VPN gateway also takes about 30 to 45 minutes, although this operation will not interrupt or remove
existing connections and configurations.
Next steps
In this tutorial, you learned about basic VPN gateway creation and management such as how to:
Create a VPN gateway
Resize a VPN gateway
Reset a VPN gateway
Advance to the following tutorials to learn about S2S, VNet-to-VNet, and P2S connections.
Create S2S connections
Create VNet-to-VNet connections
Create P2S connections
Create and Manage S2S VPN connections with the
Azure PowerShell module
8/31/2018 • 5 minutes to read • Edit Online
Azure S2S VPN connections provide secure, cross-premises connectivity between customer premises and Azure.
This tutorial walks through IPsec S2S VPN connection life cycles such as creating and managing a S2S VPN
connection. You learn how to:
Create an S2S VPN connection
Update the connection property: pre-shared key, BGP, IPsec/IKE policy
Add more VPN connections
Delete a VPN connection
The following diagram shows the topology for this tutorial:
Click the Cloud Shell button on the menu in the upper right
of the Azure portal.
If you choose to install and use the PowerShell locally, this tutorial requires the Azure PowerShell module version
5.3 or later. Run Get-Module -ListAvailable AzureRM to find the version. If you need to upgrade, see Install Azure
PowerShell module. If you are running PowerShell locally, you also need to run Login-AzureRmAccount to create a
connection with Azure.
Requirements
Complete the first tutorial: "Create VPN gateway with Azure PowerShell" to create the following resources:
1. Resource group (TestRG1), virtual network (VNet1), and GatewaySubnet
2. VPN gateway (VNet1GW )
The virtual network parameter values are listed below. Note the additional values for the local network gateway to
represent your on-premises network. Change the values based on your environment and network setup.
# Virtual network
$RG1 = "TestRG1"
$VNet1 = "VNet1"
$Location1 = "East US"
$VNet1Prefix = "10.1.0.0/16"
$VNet1ASN = 65010
$Gw1 = "VNet1GW"
# On-premises network
$LNG1 = "VPNsite1"
$LNGprefix1 = "10.101.0.0/24"
$LNGprefix2 = "10.101.1.0/24"
$LNGIP1 = "YourDevicePublicIP"
# Connection
$Connection1 = "VNet1ToSite1"
Add the optional "-EnableBGP $True" property to enable BGP for the connection if you are using BGP. It is
disabled by default.
Update the VPN connection pre-shared key, BGP, and IPsec/IKE policy
View and update your pre -shared key
Azure S2S VPN connection uses a pre-shared key (secret) to authenticate between your on-premises VPN device
and the Azure VPN gateway. You can view and update the pre-shared key for a connection with Get-
AzureRmVirtualNetworkGatewayConnectionSharedKey and Set-
AzureRmVirtualNetworkGatewayConnectionSharedKey.
IMPORTANT
The pre-shared key is a string of printable ASCII characters no longer than 128 in length.
Get-AzureRmVirtualNetworkGatewayConnectionSharedKey `
-Name $Connection1 -ResourceGroupName $RG1
The output will be "Azure@!b2C3" following the example above. Use the command below to change the pre-
shared key value to "Azure@!_b2=C3":
Set-AzureRmVirtualNetworkGatewayConnectionSharedKey `
-Name $Connection1 -ResourceGroupName $RG1 `
-Value "Azure@!_b2=C3"
$connection = Get-AzureRmVirtualNetworkGatewayConnection `
-Name $Connection1 -ResourceGroupName $RG1
Refer to IPsec/IKE policy for S2S or VNet-to-VNet connections for a complete list of algorithms and instructions.
# On-premises network
$LNG2 = "VPNsite2"
$Location2 = "West US"
$LNGprefix21 = "10.102.0.0/24"
$LNGprefix22 = "10.102.1.0/24"
$LNGIP2 = "YourDevicePublicIP"
$Connection2 = "VNet1ToSite2"
There are now two S2S VPN connections to your Azure VPN gateway.
Delete a S2S VPN connection
Delete a S2S VPN connection with Remove-AzureRmVirtualNetworkGatewayConnection.
Delete the local network gateway if you no longer need it. You cannot delete a local network gateway if there are
other connections associated with it.
Next steps
In this tutorial, you learned about creating and managing S2S VPN connections such as how to:
Create an S2S VPN connection
Update the connection property: pre-shared key, BGP, IPsec/IKE policy
Add more VPN connections
Delete a VPN connection
Advance to the following tutorials to learn about S2S, VNet-to-VNet, and P2S connections.
Create VNet-to-VNet connections
Create P2S connections
Azure PowerShell samples for VPN Gateway
5/21/2018 • 2 minutes to read • Edit Online
Create a VPN gateway and P2S configuration - RADIUS Creates a route-based VPN gateway and a P2S configuration
that uses RADIUS username/password authentication.
Create a VPN gateway and P2S configuration - certificate Creates a route-based VPN gateway and a P2S configuration
authentication that uses native Azure certificate authentication.
Create a VPN gateway and Site-to-Site connection Creates a route-based VPN gateway and a S2S connection.
Planning and designing your cross-premises and VNet-to-VNet configurations can be either simple, or
complicated, depending on your networking needs. This article walks you through basic planning and design
considerations.
Planning
Cross-premises connectivity options
If you want to connect your on-premises sites securely to a virtual network, you have three different ways to do so:
Site-to-Site, Point-to-Site, and ExpressRoute. Compare the different cross-premises connections that are available.
The option you choose can depend on various considerations, such as:
What kind of throughput does your solution require?
Do you want to communicate over the public Internet via secure VPN, or over a private connection?
Do you have a public IP address available to use?
Are you planning to use a VPN device? If so, is it compatible?
Are you connecting just a few computers, or do you want a persistent connection for your site?
What type of VPN gateway is required for the solution you want to create?
Which gateway SKU should you use?
Planning table
The following table can help you decide the best connectivity option for your solution.
Azure Supported Services Cloud Services and Virtual Cloud Services and Virtual Services list
Machines Machines
Typical Bandwidths Based on the gateway SKU Typically < 1 Gbps 50 Mbps, 100 Mbps, 200
aggregate Mbps, 500 Mbps, 1 Gbps, 2
Gbps, 5 Gbps, 10 Gbps
Typical use case Prototyping, dev / test / lab Dev / test / lab scenarios Access to all Azure services
scenarios for cloud services and small scale production (validated list), Enterprise-
and virtual machines workloads for cloud services class and mission critical
and virtual machines workloads, Backup, Big Data,
Azure as a DR site
POINT-TO-SITE SITE-TO-SITE EXPRESSROUTE
Gateway SKUs
S2S/VNET-TO-VNET P2S AGGREGATE
SKU TUNNELS CONNECTIONS THROUGHPUT BENCHMARK
(*) Use Virtual WAN if you need more than 30 S2S VPN tunnels.
(**) Contact support if additional connections are needed. This applies to IKEv2 only, number of connections
for SSTP cannot be increased.
Aggregate Throughput Benchmark is based on measurements of multiple tunnels aggregated through a
single gateway. It is not a guaranteed throughput due to Internet traffic conditions and your application
behaviors.
Pricing information can be found on the Pricing page.
SLA (Service Level Agreement) information can be found on the SLA page.
VpnGw1, VpnGw2, and VpnGw3 are supported for VPN gateways using the Resource Manager
deployment model only.
Workflow
The following list outlines the common workflow for cloud connectivity:
1. Design and plan your connectivity topology and list the address spaces for all networks you want to connect.
2. Create an Azure virtual network.
3. Create a VPN gateway for the virtual network.
4. Create and configure connections to on-premises networks or other virtual networks (as needed).
5. Create and configure a Point-to-Site connection for your Azure VPN gateway (as needed).
Design
Connection topologies
Start by looking at the diagrams in the About VPN Gateway article. The article contains basic diagrams, the
deployment models for each topology, and the available deployment tools you can use to deploy your
configuration.
Design basics
The following sections discuss the VPN gateway basics.
Networking services limits
Scroll through the tables to view networking services limits. The limits listed may impact your design.
About subnets
When you are creating connections, you must consider your subnet ranges. You cannot have overlapping subnet
address ranges. An overlapping subnet is when one virtual network or on-premises location contains the same
address space that the other location contains. This means that you need your network engineers for your local on-
premises networks to carve out a range for you to use for your Azure IP addressing space/subnets. You need
address space that is not being used on the local on-premises network.
Avoiding overlapping subnets is also important when you are working with VNet-to-VNet connections. If your
subnets overlap and an IP address exists in both the sending and destination VNets, VNet-to-VNet connections
fail. Azure can't route the data to the other VNet because the destination address is part of the sending VNet.
VPN Gateways require a specific subnet called a gateway subnet. All gateway subnets must be named
GatewaySubnet to work properly. Be sure not to name your gateway subnet a different name, and don't deploy
VMs or anything else to the gateway subnet. See Gateway Subnets.
About local network gateways
The local network gateway typically refers to your on-premises location. In the classic deployment model, the local
network gateway is referred to as a Local Network Site. When you configure a local network gateway, you give it a
name, specify the public IP address of the on-premises VPN device, and specify the address prefixes that are in the
on-premises location. Azure looks at the destination address prefixes for network traffic, consults the configuration
that you have specified for the local network gateway, and routes packets accordingly. You can modify the address
prefixes as needed. For more information, see Local network gateways.
About gateway types
Selecting the correct gateway type for your topology is critical. If you select the wrong type, your gateway won't
work properly. The gateway type specifies how the gateway itself connects and is a required configuration setting
for the Resource Manager deployment model.
The gateway types are:
Vpn
ExpressRoute
About connection types
Each configuration requires a specific connection type. The connection types are:
IPsec
Vnet2Vnet
ExpressRoute
VPNClient
About VPN types
Each configuration requires a specific VPN type. If you are combining two configurations, such as creating a Site-
to-Site connection and a Point-to-Site connection to the same VNet, you must use a VPN type that satisfies both
connection requirements.
PolicyBased: PolicyBased VPNs were previously called static routing gateways in the classic deployment
model. Policy-based VPNs encrypt and direct packets through IPsec tunnels based on the IPsec policies
configured with the combinations of address prefixes between your on-premises network and the Azure
VNet. The policy (or traffic selector) is usually defined as an access list in the VPN device configuration. The
value for a PolicyBased VPN type is PolicyBased. When using a PolicyBased VPN, keep in mind the
following limitations:
PolicyBased VPNs can only be used on the Basic gateway SKU. This VPN type is not compatible with
other gateway SKUs.
You can have only 1 tunnel when using a PolicyBased VPN.
You can only use PolicyBased VPNs for S2S connections, and only for certain configurations. Most VPN
Gateway configurations require a RouteBased VPN.
RouteBased: RouteBased VPNs were previously called dynamic routing gateways in the classic deployment
model. RouteBased VPNs use "routes" in the IP forwarding or routing table to direct packets into their
corresponding tunnel interfaces. The tunnel interfaces then encrypt or decrypt the packets in and out of the
tunnels. The policy (or traffic selector) for RouteBased VPNs are configured as any-to-any (or wild cards). The
value for a RouteBased VPN type is RouteBased.
The following tables show the VPN type as it maps to each connection configuration. Make sure the VPN type for
your gateway matches the configuration that you want to create.
VPN type - Resource Manager deployment model
ROUTEBASED POLICYBASED
DYNAMIC STATIC
A VPN gateway is a type of virtual network gateway that sends encrypted traffic between your virtual network
and your on-premises location across a public connection. You can also use a VPN gateway to send traffic
between virtual networks across the Azure backbone.
A VPN gateway connection relies on the configuration of multiple resources, each of which contains configurable
settings. The sections in this article discuss the resources and settings that relate to a VPN gateway for a virtual
network created in Resource Manager deployment model. You can find descriptions and topology diagrams for
each connection solution in the About VPN Gateway article.
NOTE
The values in this article apply to virtual network gateways that use the -GatewayType 'Vpn'. This is why these particular
virtual network gateways are referred to as VPN gateways. The values for ExpressRoute gateways are not the same values
that you use for VPN gateways.
For values that apply to -GatewayType 'ExpressRoute', see Virtual Network Gateways for ExpressRoute.
Gateway types
Each virtual network can only have one virtual network gateway of each type. When you are creating a virtual
network gateway, you must make sure that the gateway type is correct for your configuration.
The available values for -GatewayType are:
Vpn
ExpressRoute
A VPN gateway requires the -GatewayType Vpn.
Example:
Gateway SKUs
When you create a virtual network gateway, you need to specify the gateway SKU that you want to use. Select the
SKU that satisfies your requirements based on the types of workloads, throughputs, features, and SLAs.
Gateway SKUs by tunnel, connection, and throughput
S2S/VNET-TO-VNET P2S AGGREGATE
SKU TUNNELS CONNECTIONS THROUGHPUT BENCHMARK
(*) Use Virtual WAN if you need more than 30 S2S VPN tunnels.
(**) Contact support if additional connections are needed. This applies to IKEv2 only, number of
connections for SSTP cannot be increased.
Aggregate Throughput Benchmark is based on measurements of multiple tunnels aggregated through a
single gateway. It is not a guaranteed throughput due to Internet traffic conditions and your application
behaviors.
Pricing information can be found on the Pricing page.
SLA (Service Level Agreement) information can be found on the SLA page.
VpnGw1, VpnGw2, and VpnGw3 are supported for VPN gateways using the Resource Manager
deployment model only.
NOTE
The new VPN gateway SKUs (VpnGw1, VpnGw2, and VpnGw3) are supported for the Resource Manager deployment model
only. Classic virtual networks should continue to use the old (legacy) SKUs.
For information about working with the legacy gateway SKUs (Basic, Standard, and HighPerformance), see Working with
VPN gateway SKUs (legacy SKUs).
For ExpressRoute gateway SKUs, see Virtual Network Gateways for ExpressRoute.
SKU FEATURES
VpnGw1, VpnGw2, and VpnGw3 Route-based VPN: up to 30 tunnels (*), P2S, BGP, active-
active, custom IPsec/IKE policy, ExpressRoute/VPN coexistence
(*) You can configure "PolicyBasedTrafficSelectors" to connect a route-based VPN gateway (VpnGw1, VpnGw2,
VpnGw3) to multiple on-premises policy-based firewall devices. Refer to Connect VPN gateways to multiple on-
premises policy-based VPN devices using PowerShell for details.
(**) The Basic SKU is considered a legacy SKU. The Basic SKU has certain feature limitations. You can't resize a
gateway that uses a Basic SKU to one of the new gateway SKUs, you must instead change to a new SKU, which
involves deleting and recreating your VPN gateway.
Gateway SKUs - Production vs. Dev-Test Workloads
Due to the differences in SLAs and feature sets, we recommend the following SKUs for production vs. dev-test:
WORKLOAD SKUS
(**) The Basic SKU is considered a legacy SKU and has feature limitations. Verify that the feature that you need is
supported before you use the Basic SKU.
If you are using the old SKUs (legacy), the production SKU recommendations are Standard and HighPerformance.
For information and instructions for old SKUs, see Gateway SKUs (legacy).
Configure a gateway SKU
Azure portal
If you use the Azure portal to create a Resource Manager virtual network gateway, you can select the gateway
SKU by using the dropdown. The options you are presented with correspond to the Gateway type and VPN type
that you select.
PowerShell
The following PowerShell example specifies the -GatewaySku as VpnGw1. When using PowerShell to create a
gateway, you have to first create the IP configuration, then use a variable to refer to it. In this example, the
configuration variable is $gwipconfig.
Azure CLI
az network vnet-gateway create --name VNet1GW --public-ip-address VNet1GWPIP --resource-group TestRG1 --vnet
VNet1 --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1 --no-wait
You can also resize a gateway in the Azure portal by going to the Configuration page for your virtual network
gateway and selecting a different SKU from the dropdown.
To change from an old (legacy ) SKU to a new SKU
If you are working with the Resource Manager deployment model, you can change to the new gateway SKUs.
When you change from a legacy gateway SKU to a new SKU, you delete the existing VPN gateway and create a
new VPN gateway.
Workflow:
1. Remove any connections to the virtual network gateway.
2. Delete the old VPN gateway.
3. Create the new VPN gateway.
4. Update your on-premises VPN devices with the new VPN gateway IP address (for Site-to-Site connections).
5. Update the gateway IP address value for any VNet-to-VNet local network gateways that will connect to this
gateway.
6. Download new client VPN configuration packages for P2S clients connecting to the virtual network through
this VPN gateway.
7. Recreate the connections to the virtual network gateway.
Considerations:
To move to the new SKUs, your VPN gateway must be in the Resource Manager deployment model.
If you have a classic VPN gateway, you must continue using the older legacy SKUs for that gateway, however,
you can resize between the legacy SKUs. You cannot change to the new SKUs.
You will have connectivity downtime when you change from a legacy SKU to a new SKU.
When changing to a new gateway SKU, the public IP address for your VPN gateway will change. This happens
even if you specify the same public IP address object that you used previously.
Connection types
In the Resource Manager deployment model, each configuration requires a specific virtual network gateway
connection type. The available Resource Manager PowerShell values for -ConnectionType are:
IPsec
Vnet2Vnet
ExpressRoute
VPNClient
In the following PowerShell example, we create a S2S connection that requires the connection type IPsec.
VPN types
When you create the virtual network gateway for a VPN gateway configuration, you must specify a VPN type. The
VPN type that you choose depends on the connection topology that you want to create. For example, a P2S
connection requires a RouteBased VPN type. A VPN type can also depend on the hardware that you are using.
S2S configurations require a VPN device. Some VPN devices only support a certain VPN type.
The VPN type you select must satisfy all the connection requirements for the solution you want to create. For
example, if you want to create a S2S VPN gateway connection and a P2S VPN gateway connection for the same
virtual network, you would use VPN type RouteBased because P2S requires a RouteBased VPN type. You would
also need to verify that your VPN device supported a RouteBased VPN connection.
Once a virtual network gateway has been created, you can't change the VPN type. You have to delete the virtual
network gateway and create a new one. There are two VPN types:
PolicyBased: PolicyBased VPNs were previously called static routing gateways in the classic deployment
model. Policy-based VPNs encrypt and direct packets through IPsec tunnels based on the IPsec policies
configured with the combinations of address prefixes between your on-premises network and the Azure
VNet. The policy (or traffic selector) is usually defined as an access list in the VPN device configuration. The
value for a PolicyBased VPN type is PolicyBased. When using a PolicyBased VPN, keep in mind the
following limitations:
PolicyBased VPNs can only be used on the Basic gateway SKU. This VPN type is not compatible with
other gateway SKUs.
You can have only 1 tunnel when using a PolicyBased VPN.
You can only use PolicyBased VPNs for S2S connections, and only for certain configurations. Most VPN
Gateway configurations require a RouteBased VPN.
RouteBased: RouteBased VPNs were previously called dynamic routing gateways in the classic deployment
model. RouteBased VPNs use "routes" in the IP forwarding or routing table to direct packets into their
corresponding tunnel interfaces. The tunnel interfaces then encrypt or decrypt the packets in and out of the
tunnels. The policy (or traffic selector) for RouteBased VPNs are configured as any-to-any (or wild cards). The
value for a RouteBased VPN type is RouteBased.
The following PowerShell example specifies the -VpnType as RouteBased. When you are creating a gateway, you
must make sure that the -VpnType is correct for your configuration.
Gateway requirements
The following table lists the requirements for PolicyBased and RouteBased VPN gateways. This table applies to
both the Resource Manager and classic deployment models. For the classic model, PolicyBased VPN gateways are
the same as Static gateways, and Route-based gateways are the same as Dynamic gateways.
Authentication Pre-shared key Pre-shared key for Pre-shared key for Pre-shared key for
method S2S connectivity, S2S connectivity, S2S connectivity,
Certificates for P2S Certificates for P2S Certificates for P2S
connectivity connectivity connectivity
ROUTEBASED ROUTEBASED HIGH
POLICYBASED BASIC ROUTEBASED BASIC STANDARD VPN PERFORMANCE VPN
VPN GATEWAY VPN GATEWAY GATEWAY GATEWAY
Maximum number 1 10 10 30
of S2S connections
Gateway subnet
Before you create a VPN gateway, you must create a gateway subnet. The gateway subnet contains the IP
addresses that the virtual network gateway VMs and services use. When you create your virtual network gateway,
gateway VMs are deployed to the gateway subnet and configured with the required VPN gateway settings. You
must never deploy anything else (for example, additional VMs) to the gateway subnet. The gateway subnet must
be named 'GatewaySubnet' to work properly. Naming the gateway subnet 'GatewaySubnet' lets Azure know that
this is the subnet to deploy the virtual network gateway VMs and services to.
NOTE
Do not associate a route table that includes a route with a destination of 0.0.0.0/0 to the gateway subnet. Doing so prevents
the gateway from functioning properly.
When you create the gateway subnet, you specify the number of IP addresses that the subnet contains. The IP
addresses in the gateway subnet are allocated to the gateway VMs and gateway services. Some configurations
require more IP addresses than others. Look at the instructions for the configuration that you want to create and
verify that the gateway subnet you want to create meets those requirements. Additionally, you may want to make
sure your gateway subnet contains enough IP addresses to accommodate possible future additional
configurations. While you can create a gateway subnet as small as /29, we recommend that you create a gateway
subnet of /28 or larger (/28, /27, /26 etc.). That way, if you add functionality in the future, you won't have to tear
your gateway, then delete and recreate the gateway subnet to allow for more IP addresses.
The following Resource Manager PowerShell example shows a gateway subnet named GatewaySubnet. You can
see the CIDR notation specifies a /27, which allows for enough IP addresses for most configurations that currently
exist.
IMPORTANT
When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet. Associating a
network security group to this subnet may cause your VPN gateway to stop functioning as expected. For more information
about network security groups, see What is a network security group?
Sometimes you need to modify the local network gateway settings. For example, when you add or modify the
address range, or if the IP address of the VPN device changes. See Modify local network gateway settings using
PowerShell.
PowerShell PowerShell
Next steps
For more information about available connection configurations, see About VPN Gateway.
About VPN devices and IPsec/IKE parameters for
Site-to-Site VPN Gateway connections
8/27/2018 • 7 minutes to read • Edit Online
A VPN device is required to configure a Site-to-Site (S2S ) cross-premises VPN connection using a VPN
gateway. Site-to-Site connections can be used to create a hybrid solution, or whenever you want secure
connections between your on-premises networks and your virtual networks. This article provides a list of
validated VPN devices and a list of IPsec/IKE parameters for VPN gateways.
IMPORTANT
If you are experiencing connectivity issues between your on-premises VPN devices and VPN gateways, refer to Known
device compatibility issues.
In partnership with device vendors, we have validated a set of standard VPN devices. All of the devices in the
device families in the following list should work with VPN gateways. See About VPN Gateway Settings to
understand the VPN type use (PolicyBased or RouteBased) for the VPN Gateway solution you want to configure.
To help configure your VPN device, refer to the links that correspond to appropriate device family. The links to
configuration instructions are provided on a best-effort basis. For VPN device support, contact your device
manufacturer.
POLICYBASED ROUTEBASED
CONFIGURATION CONFIGURATION
VENDOR DEVICE FAMILY MINIMUM OS VERSION INSTRUCTIONS INSTRUCTIONS
A10 Networks, Inc. Thunder CFW ACOS 4.1.1 Not compatible Configuration guide
Barracuda Networks, Barracuda NextGen PolicyBased: 5.4.3 Configuration guide Configuration guide
Inc. Firewall F-series RouteBased: 6.2.0
POLICYBASED ROUTEBASED
CONFIGURATION CONFIGURATION
VENDOR DEVICE FAMILY MINIMUM OS VERSION INSTRUCTIONS INSTRUCTIONS
Barracuda Networks, Barracuda NextGen Barracuda Firewall 6.5 Configuration guide Not compatible
Inc. Firewall X-series
Brocade Vyatta 5400 vRouter Virtual Router 6.6R3 Configuration guide Not compatible
GA
Citrix NetScaler MPX, SDX, 10.1 and above Configuration guide Not compatible
VPX
Internet Initiative SEIL Series SEIL/X 4.60 Configuration guide Not compatible
Japan (IIJ) SEIL/B1 4.60
SEIL/x86 3.20
Palo Alto Networks All devices running PAN-OS Configuration guide Configuration guide
PAN-OS PolicyBased: 6.1.5 or
later
RouteBased: 7.1.4
SonicWall TZ Series, NSA Series SonicOS 5.8.x Not compatible Configuration guide
SuperMassive Series SonicOS 5.9.x
E-Class NSA Series SonicOS 6.x
NOTE
(*) Cisco ASA versions 8.4+ add IKEv2 support, can connect to Azure VPN gateway using custom IPsec/IKE policy with
"UsePolicyBasedTrafficSelectors" option. Refer to this how-to article.
(**) ISR 7200 Series routers only support PolicyBased VPNs.
NOTE
(*) Required: NarrowAzureTrafficSelectors and CustomAzurePolicies (IKE/IPsec)
IPsec/IKE parameters
IMPORTANT
1. The tables below contain the combinations of algorithms and parameters Azure VPN gateways use in default
configuration. For route-based VPN gateways created using the Azure Resource Management deployment model,
you can specify a custom policy on each individual connection. Please refer to Configure IPsec/IKE policy for detailed
instructions.
2. In addition, you must clamp TCP MSS at 1350. Or if your VPN devices do not support MSS clamping, you can
alternatively set the MTU on the tunnel interface to 1400 bytes instead.
8 AES256 SHA1 1
9 AES256 SHA1 2
10 AES256 SHA1 14
11 AES128 SHA1 1
- ENCRYPTION AUTHENTICATION PFS GROUP
12 AES128 SHA1 2
13 AES128 SHA1 14
14 3DES SHA1 1
15 3DES SHA1 2
16 3DES SHA256 2
17 AES256 SHA256 1
18 AES256 SHA256 2
19 AES256 SHA256 14
20 AES256 SHA1 24
21 AES256 SHA256 24
23 AES128 SHA256 1
24 AES128 SHA256 2
25 AES128 SHA256 14
26 3DES SHA1 14
You can specify IPsec ESP NULL encryption with RouteBased and HighPerformance VPN gateways. Null
based encryption does not provide protection to data in transit, and should only be used when maximum
throughput and minimum latency is required. Clients may choose to use this in VNet-to-VNet
communication scenarios, or when encryption is being applied elsewhere in the solution.
For cross-premises connectivity through the Internet, use the default Azure VPN gateway settings with
encryption and hashing algorithms listed in the tables above to ensure security of your critical
communication.
This article discusses how you can configure Azure VPN gateways to satisfy your cryptographic requirements for
both cross-premises S2S VPN tunnels and VNet-to-VNet connections within Azure.
About IPsec and IKE policy parameters for Azure VPN gateways
IPsec and IKE protocol standard supports a wide range of cryptographic algorithms in various combinations. If
customers do not request a specific combination of cryptographic algorithms and parameters, Azure VPN
gateways use a set of default proposals. The default policy sets were chosen to maximize interoperability with a
wide range of third-party VPN devices in default configurations. As a result, the policies and the number of
proposals cannot cover all possible combinations of available cryptographic algorithms and key strengths.
The default policy set for Azure VPN gateway is listed in the document: About VPN devices and IPsec/IKE
parameters for Site-to-Site VPN Gateway connections.
Cryptographic requirements
For communications that require specific cryptographic algorithms or parameters, typically due to compliance or
security requirements, customers can now configure their Azure VPN gateways to use a custom IPsec/IKE policy
with specific cryptographic algorithms and key strengths, rather than the Azure default policy sets.
For example, the IKEv2 main mode policies for Azure VPN gateways utilize only Diffie-Hellman Group 2 (1024
bits), whereas customers may need to specify stronger groups to be used in IKE, such as Group 14 (2048-bit),
Group 24 (2048-bit MODP Group), or ECP (elliptic curve groups) 256 or 384 bit (Group 19 and Group 20,
respectively). Similar requirements apply to IPsec quick mode policies as well.
You can create an IPsec/IKE policy and apply to a new or existing connection.
Workflow
1. Create the virtual networks, VPN gateways, or local network gateways for your connectivity topology as
described in other how -to documents
2. Create an IPsec/IKE policy
3. You can apply the policy when you create a S2S or VNet-to-VNet connection
4. If the connection is already created, you can apply or update the policy to an existing connection
IPsec/IKE policy FAQ
Is Custom IPsec/IKE policy supported on all Azure VPN Gateway SKUs?
Custom IPsec/IKE policy is supported on Azure VpnGw1, VpnGw2, VpnGw3, Standard, and
HighPerformance VPN gateways. The Basic SKU is not supported.
How many policies can I specify on a connection?
You can only specify one policy combination for a given connection.
Can I specify a partial policy on a connection? (for example, only IKE algorithms, but not IPsec)
No, you must specify all algorithms and parameters for both IKE (Main Mode) and IPsec (Quick Mode). Partial
policy specification is not allowed.
What are the algorithms and key strengths supported in the custom policy?
The following table lists the supported cryptographic algorithms and key strengths configurable by the customers.
You must select one option for every field.
IPSEC/IKEV2 OPTIONS
IMPORTANT
1. DHGroup2048 & PFS2048 are the same as Diffie-Hellman Group 14 in IKE and IPsec PFS. See Diffie-Hellman Groups for
the complete mappings.
2. For GCMAES algorithms, you must specify the same GCMAES algorithm and key length for both IPsec Encryption and
Integrity.
3. IKEv2 Main Mode SA lifetime is fixed at 28,800 seconds on the Azure VPN gateways
4. QM SA Lifetimes are optional parameters. If none was specified, default values of 27,000 seconds (7.5 hrs) and
102400000 KBytes (102GB) are used.
5. UsePolicyBasedTrafficSelector is an option parameter on the connection. See the next FAQ item for
"UsePolicyBasedTrafficSelectors"
Does everything need to match between the Azure VPN gateway policy and my on-premises VPN device
configurations?
Your on-premises VPN device configuration must match or contain the following algorithms and parameters that
you specify on the Azure IPsec/IKE policy:
IKE encryption algorithm
IKE integrity algorithm
DH Group
IPsec encryption algorithm
IPsec integrity algorithm
PFS Group
Traffic Selector (*)
The SA lifetimes are local specifications only, do not need to match.
If you enable UsePolicyBasedTrafficSelectors, you need to ensure your VPN device has the matching traffic
selectors defined with all combinations of your on-premises network (local network gateway) prefixes to/from the
Azure virtual network prefixes, instead of any-to-any. For example, if your on-premises network prefixes are
10.1.0.0/16 and 10.2.0.0/16, and your virtual network prefixes are 192.168.0.0/16 and 172.16.0.0/16, you need to
specify the following traffic selectors:
10.1.0.0/16 <====> 192.168.0.0/16
10.1.0.0/16 <====> 172.16.0.0/16
10.2.0.0/16 <====> 192.168.0.0/16
10.2.0.0/16 <====> 172.16.0.0/16
For more information, see Connect multiple on-premises policy-based VPN devices.
Which Diffie -Hellman Groups are supported?
The table below lists the supported Diffie-Hellman Groups for IKE (DHGroup) and IPsec (PFSGroup):
Next steps
See Configure IPsec/IKE policy for step-by-step instructions on configuring custom IPsec/IKE policy on a
connection.
See also Connect multiple policy-based VPN devices to learn more about the UsePolicyBasedTrafficSelectors
option.
Overview of BGP with Azure VPN Gateways
8/31/2017 • 7 minutes to read • Edit Online
This article provides an overview of BGP (Border Gateway Protocol) support in Azure VPN Gateways.
BGP is the standard routing protocol commonly used in the Internet to exchange routing and reachability
information between two or more networks. When used in the context of Azure Virtual Networks, BGP enables
the Azure VPN Gateways and your on-premises VPN devices, called BGP peers or neighbors, to exchange
"routes" that will inform both gateways on the availability and reachability for those prefixes to go through the
gateways or routers involved. BGP can also enable transit routing among multiple networks by propagating
routes a BGP gateway learns from one BGP peer to all other BGP peers.
Support transit routing between your on-premises networks and multiple Azure VNets
BGP enables multiple gateways to learn and propagate prefixes from different networks, whether they are directly
or indirectly connected. This can enable transit routing with Azure VPN gateways between your on-premises sites
or across multiple Azure Virtual Networks.
The following diagram shows an example of a multi-hop topology with multiple paths that can transit traffic
between the two on-premises networks through Azure VPN gateways within the Microsoft Networks:
BGP FAQ
Is BGP supported on all Azure VPN Gateway SKUs?
No, BGP is supported on Azure VpnGw1, VpnGw2, VpnGw3, Standard and HighPerformance VPN gateways.
Basic SKU is NOT supported.
Can I use BGP with Azure Policy-Based VPN gateways?
No, BGP is supported on Route-Based VPN gateways only.
Can I use private ASNs (Autonomous System Numbers)?
Yes, you can use your own public ASNs or private ASNs for both your on-premises networks and Azure virtual
networks.
Can I use 32-bit ASNs (Autonomous System Numbers)?
No, the Azure VPN Gateways support 16-Bit ASNs today.
Are there ASNs reserved by Azure?
Yes, the following ASNs are reserved by Azure for both internal and external peerings:
Public ASNs: 8074, 8075, 12076
Private ASNs: 65515, 65517, 65518, 65519, 65520
You cannot specify these ASNs for your on premises VPN devices when connecting to Azure VPN gateways.
Are there any other ASNs that I can't use?
Yes, the following ASNs are reserved by IANA and can't be configured on your Azure VPN Gateway:
23456, 64496-64511, 65535-65551 and 429496729
Can I use the same ASN for both on-premises VPN networks and Azure VNets?
No, you must assign different ASNs between your on-premises networks and your Azure VNets if you are
connecting them together with BGP. Azure VPN Gateways have a default ASN of 65515 assigned, whether BGP
is enabled or not for your cross-premises connectivity. You can override this default by assigning a different ASN
when creating the VPN gateway, or change the ASN after the gateway is created. You will need to assign your on-
premises ASNs to the corresponding Azure Local Network Gateways.
What address prefixes will Azure VPN gateways advertise to me?
Azure VPN gateway will advertise the following routes to your on-premises BGP devices:
Your VNet address prefixes
Address prefixes for each Local Network Gateways connected to the Azure VPN gateway
Routes learned from other BGP peering sessions connected to the Azure VPN gateway, except default route
or routes overlapped with any VNet prefix.
Can I advertise default route (0.0.0.0/0) to Azure VPN gateways?
Yes.
Please note this will force all VNet egress traffic towards your on-premises site, and will prevent the VNet VMs
from accepting public communication from the Internet directly, such RDP or SSH from the Internet to the VMs.
Can I advertise the exact prefixes as my Virtual Network prefixes?
No, advertising the same prefixes as any one of your Virtual Network address prefixes will be blocked or filtered
by the Azure platform. However you can advertise a prefix that is a superset of what you have inside your Virtual
Network.
For example, if your virtual network used the address space 10.0.0.0/16, you could advertise 10.0.0.0/8. But you
cannot advertise 10.0.0.0/16 or 10.0.0.0/24.
Can I use BGP with my VNet-to -VNet connections?
Yes, you can use BGP for both cross-premises connections and VNet-to-VNet connections.
Can I mix BGP with non-BGP connections for my Azure VPN gateways?
Yes, you can mix both BGP and non-BGP connections for the same Azure VPN gateway.
Does Azure VPN gateway support BGP transit routing?
Yes, BGP transit routing is supported, with the exception that Azure VPN gateways will NOT advertise default
routes to other BGP peers. To enable transit routing across multiple Azure VPN gateways, you must enable BGP
on all intermediate VNet-to-VNet connections.
Can I have more than one tunnel between Azure VPN gateway and my on-premises network?
Yes, you can establish more than one S2S VPN tunnel between an Azure VPN gateway and your on-premises
network. Please note that all these tunnels will be counted against the total number of tunnels for your Azure VPN
gateways and you must enable BGP on both tunnels.
For example, if you have two redundant tunnels between your Azure VPN gateway and one of your on-premises
networks, they will consume 2 tunnels out of the total quota for your Azure VPN gateway (10 for Standard and 30
for HighPerformance).
Can I have multiple tunnels between two Azure VNets with BGP?
Yes, but at least one of the virtual network gateways must be in active-active configuration.
Can I use BGP for S2S VPN in an ExpressRoute/S2S VPN co -existence configuration?
Yes.
What address does Azure VPN gateway use for BGP Peer IP?
The Azure VPN gateway will allocate a single IP address from the GatewaySubnet range defined for the virtual
network. By default, it is the second last address of the range. For example, if your GatewaySubnet is
10.12.255.0/27, ranging from 10.12.255.0 to 10.12.255.31, the BGP Peer IP address on the Azure VPN gateway
will be 10.12.255.30. You can find this information when you list the Azure VPN gateway information.
What are the requirements for the BGP Peer IP addresses on my VPN device?
Your on-premises BGP peer address MUST NOT be the same as the public IP address of your VPN device. Use a
different IP address on the VPN device for your BGP Peer IP. It can be an address assigned to the loopback
interface on the device, but please note that it cannot be an APIPA (169.254.x.x) address. Specify this address in the
corresponding Local Network Gateway representing the location.
What should I specify as my address prefixes for the Local Network Gateway when I use BGP?
Azure Local Network Gateway specifies the initial address prefixes for the on-premises network. With BGP, you
must allocate the host prefix (/32 prefix) of your BGP Peer IP address as the address space for that on-premises
network. If your BGP Peer IP is 10.52.255.254, you should specify "10.52.255.254/32" as the
localNetworkAddressSpace of the Local Network Gateway representing this on-premises network. This is to
ensure that the Azure VPN gateway establishes the BGP session through the S2S VPN tunnel.
What should I add to my on-premises VPN device for the BGP peering session?
You should add a host route of the Azure BGP Peer IP address on your VPN device pointing to the IPsec S2S
VPN tunnel. For example, if the Azure VPN Peer IP is "10.12.255.30", you should add a host route for
"10.12.255.30" with a nexthop interface of the matching IPsec tunnel interface on your VPN device.
Next steps
See Getting started with BGP on Azure VPN gateways for steps to configure BGP for your cross-premises and
VNet-to-VNet connections.
Highly Available Cross-Premises and VNet-to-VNet
Connectivity
8/9/2018 • 5 minutes to read • Edit Online
This article provides an overview of Highly Available configuration options for your cross-premises and VNet-to-
VNet connectivity using Azure VPN gateways.
This configuration provides multiple active tunnels from the same Azure VPN gateway to your on-premises
devices in the same location. There are some requirements and constraints:
1. You need to create multiple S2S VPN connections from your VPN devices to Azure. When you connect
multiple VPN devices from the same on-premises network to Azure, you need to create one local network
gateway for each VPN device, and one connection from your Azure VPN gateway to each local network
gateway.
2. The local network gateways corresponding to your VPN devices must have unique public IP addresses in the
"GatewayIpAddress" property.
3. BGP is required for this configuration. Each local network gateway representing a VPN device must have a
unique BGP peer IP address specified in the "BgpPeerIpAddress" property.
4. The AddressPrefix property field in each local network gateway must not overlap. You should specify the
"BgpPeerIpAddress" in /32 CIDR format in the AddressPrefix field, for example, 10.200.200.254/32.
5. You should use BGP to advertise the same prefixes of the same on-premises network prefixes to your Azure
VPN gateway, and the traffic will be forwarded through these tunnels simultaneously.
6. Each connection is counted against the maximum number of tunnels for your Azure VPN gateway, 10 for Basic
and Standard SKUs, and 30 for HighPerformance SKU.
In this configuration, the Azure VPN gateway is still in active-standby mode, so the same failover behavior and
brief interruption will still happen as described above. But this setup guards against failures or interruptions on
your on-premises network and VPN devices.
Active -active Azure VPN gateway
You can now create an Azure VPN gateway in an active-active configuration, where both instances of the gateway
VMs will establish S2S VPN tunnels to your on-premises VPN device, as shown the following diagram:
In this configuration, each Azure gateway instance will have a unique public IP address, and each will establish an
IPsec/IKE S2S VPN tunnel to your on-premises VPN device specified in your local network gateway and
connection. Note that both VPN tunnels are actually part of the same connection. You will still need to configure
your on-premises VPN device to accept or establish two S2S VPN tunnels to those two Azure VPN gateway
public IP addresses.
Because the Azure gateway instances are in active-active configuration, the traffic from your Azure virtual network
to your on-premises network will be routed through both tunnels simultaneously, even if your on-premises VPN
device may favor one tunnel over the other. Note though the same TCP or UDP flow will always traverse the same
tunnel or path, unless a maintenance event happens on one of the instances.
When a planned maintenance or unplanned event happens to one gateway instance, the IPsec tunnel from that
instance to your on-premises VPN device will be disconnected. The corresponding routes on your VPN devices
should be removed or withdrawn automatically so that the traffic will be switched over to the other active IPsec
tunnel. On the Azure side, the switch over will happen automatically from the affected instance to the active
instance.
Dual-redundancy: active -active VPN gateways for both Azure and on-premises networks
The most reliable option is to combine the active-active gateways on both your network and Azure, as shown in
the diagram below.
Here you create and setup the Azure VPN gateway in an active-active configuration, and create two local network
gateways and two connections for your two on-premises VPN devices as described above. The result is a full mesh
connectivity of 4 IPsec tunnels between your Azure virtual network and your on-premises network.
All gateways and tunnels are active from the Azure side, so the traffic will be spread among all 4 tunnels
simultaneously, although each TCP or UDP flow will again follow the same tunnel or path from the Azure side.
Even though by spreading the traffic, you may see slightly better throughput over the IPsec tunnels, the primary
goal of this configuration is for high availability. And due to the statistical nature of the spreading, it is difficult to
provide the measurement on how different application traffic conditions will affect the aggregate throughput.
This topology will require two local network gateways and two connections to support the pair of on-premises
VPN devices, and BGP is required to allow the two connections to the same on-premises network. These
requirements are the same as the above.
This ensures there are always a pair of tunnels between the two virtual networks for any planned maintenance
events, providing even better availability. Even though the same topology for cross-premises connectivity requires
two connections, the VNet-to-VNet topology shown above will need only one connection for each gateway.
Additionally, BGP is optional unless transit routing over the VNet-to-VNet connection is required.
Next steps
See Configuring Active-Active VPN Gateways for Cross-Premises and VNet-to-VNet Connections for steps to
configure active-active cross-premises and VNet-to-VNet connections.
About Point-to-Site VPN
7/12/2018 • 15 minutes to read • Edit Online
A Point-to-Site (P2S ) VPN gateway connection lets you create a secure connection to your virtual network from
an individual client computer. A P2S connection is established by starting it from the client computer. This solution
is useful for telecommuters who want to connect to Azure VNets from a remote location, such as from home or a
conference. P2S VPN is also a useful solution to use instead of S2S VPN when you have only a few clients that
need to connect to a VNet. This article applies to the Resource Manager deployment model.
If you have a mixed client environment consisting of Windows and Mac devices, configure both SSTP and IKEv2.
NOTE
IKEv2 for P2S is available for the Resource Manager deployment model only. It is not available for the classic deployment
model.
Users use the native VPN clients on Windows and Mac devices for P2S. Azure provides a VPN client configuration
zip file that contains settings required by these native clients to connect to Azure.
For Windows devices, the VPN client configuration consists of an installer package that users install on their
devices.
For Mac devices, it consists of the mobileconfig file that users install on their devices.
The zip file also provides the values of some of the important settings on the Azure side that you can use to create
your own profile for these devices. Some of the values include the VPN gateway address, configured tunnel types,
routes, and the root certificate for gateway validation.
NOTE
Starting July 1, 2018, support is being removed for TLS 1.0 and 1.1 from Azure VPN Gateway. VPN Gateway will support
only TLS 1.2. Only point-to-site connections are impacted; site-to-site connections will not be affected. If you’re using TLS for
point-to-site VPNs on Windows 10 clients, you don’t need to take any action. If you are using TLS for point-to-site
connections on Windows 7 and Windows 8 clients, see the VPN Gateway FAQ for update instructions.
Aggregate Throughput Benchmark is based on measurements of multiple tunnels aggregated through a single
gateway. It is not a guaranteed throughput due to internet traffic conditions and your application behaviors.
Pricing information can be found on the Pricing page
SLA (Service Level Agreement) information can be found on the SLA page.
NOTE
The Basic SKU does not support IKEv2 or RADIUS authentication.
NOTE
Starting July 1, 2018, support is being removed for TLS 1.0 and 1.1 from Azure VPN Gateway. VPN Gateway will support
only TLS 1.2. To maintain support, see the updates to enable support for TLS1.2.
Additionally, the following legacy algorithms will also be deprecated for TLS on July 1, 2018:
RC4 (Rivest Cipher 4)
DES (Data Encryption Algorithm)
3DES (Triple Data Encryption Algorithm)
MD5 (Message Digest 5)
How do I enable support for TLS 1.2 in Windows 7 and Windows 8.1?
1. Open a command prompt with elevated privileges by right-clicking on Command Prompt and selecting Run
as administrator.
2. Run the following commands in the command prompt:
NOTE
Starting July 1, 2018, support is being removed for TLS 1.0 and 1.1 from Azure VPN Gateway. VPN Gateway will support
only TLS 1.2. To maintain support, see the updates to enable support for TLS1.2.
Additionally, the following legacy algorithms will also be deprecated for TLS on July 1, 2018:
RC4 (Rivest Cipher 4)
DES (Data Encryption Algorithm)
3DES (Triple Data Encryption Algorithm)
MD5 (Message Digest 5)
How do I enable support for TLS 1.2 in Windows 7 and Windows 8.1?
1. Open a command prompt with elevated privileges by right-clicking on Command Prompt and selecting Run
as administrator.
2. Run the following commands in the command prompt:
Next Steps
Configure a P2S connection - RADIUS authentication
Configure a P2S connection - Azure native certificate authentication
About Point-to-Site VPN routing
5/31/2018 • 6 minutes to read • Edit Online
This article helps you understand how Azure Point-to-Site VPN routing behaves. P2S VPN routing behavior is
dependent on the client OS, the protocol used for the VPN connection, and how the virtual networks (VNets) are
connected to each other.
Azure currently supports two protocols for remote access, IKEv2 and SSTP. IKEv2 is supported on many client
operating systems including Windows, Linux, MacOS, Android, and iOS. SSTP is only supported on Windows. If
you make a change to the topology of your network and have Windows VPN clients, the VPN client package for
Windows clients must be downloaded and installed again in order for the changes to be applied to the client.
NOTE
This article applies to IKEv2 only.
Address space
VNet1: 10.1.0.0/16
Routes added
Routes added to Windows clients: 10.1.0.0/16, 192.168.0.0/24
Routes added to non-Windows clients: 10.1.0.0/16, 192.168.0.0/24
Access
Windows clients can access VNet1
Non-Windows clients can access VNet1
Address space:
VNet1: 10.1.0.0/16
VNet2: 10.2.0.0/16
VNet3: 10.3.0.0/16
VNet4: 10.4.0.0/16
Routes added
Routes added to Windows clients: 10.1.0.0/16, 10.2.0.0/16, 10.4.0.0/16, 192.168.0.0/24
Routes added to non-Windows clients: 10.1.0.0/16, 10.2.0.0/16, 10.4.0.0/16, 192.168.0.0/24
Access
Windows clients can access VNet1, VNet2, and VNet4, but the VPN client must be downloaded again for
any topology changes to take effect.
Non-Windows clients can access VNet1, VNet2, and VNet4
Address space
VNet1: 10.1.0.0/16
VNet2: 10.2.0.0/16
VNet3: 10.3.0.0/16
Routes added
Routes added to Windows clients: 10.1.0.0/16
Routes added to Non-Windows clients: 10.1.0.0/16, 10.2.0.0/16, 10.3.0.0/16, 192.168.0.0/24
Access
Windows clients can access VNet1, VNet2, and VNet3, but routes to VNet2 and VNet3 will have to be
manually added.
Non-Windows clients can access VNet1, VNet2, and VNet3
Address space
VNet1: 10.1.0.0/16
Site1: 10.101.0.0/16
Routes added
Routes added to Windows clients: 10.1.0.0/16, 192.168.0.0/24
Routes added to Non-Windows clients: 10.1.0.0/16, 10.101.0.0/16, 192.168.0.0/24
Access
Windows clients can access only VNet1
Non-Windows clients can access VNet1 only
Address space
VNet1: 10.1.0.0/16
VNet2: 10.2.0.0/16
VNet3: 10.3.0.0/16
Site1: 10.101.0.0/16
Routes added
Routes added clients: 10.1.0.0/16, 192.168.0.0/24
Routes added to Non-Windows clients: 10.1.0.0/16, 10.2.0.0/16, 10.3.0.0/16, 10.101.0.0/16, 192.168.0.0/24
Access
The Windows clients can access VNet1 only
Non-Windows clients can access VNet1 only
Address space
VNet1: 10.1.0.0/16
VNet2: 10.2.0.0/16
VNet3: 10.3.0.0/16
Site1: 10.101.0.0/16
Routes added
Routes added clients: 10.1.0.0/16, 192.168.0.0/24
Routes added to Non-Windows clients: 10.1.0.0/16, 10.2.0.0/16, 10.3.0.0/16, 10.101.0.0/16, 192.168.0.0/24
Access
The Windows clients can access VNet1, VNet2, VNet3, and Site1, but routes to VNet2, VNet3 and Site1
must be manually added to the client.
Non-Windows clients can access VNet1, Vnet2, VNet3, and Site1.
Next steps
See Create a P2S VPN using the Azure portal to begin creating your P2S VPN.
Create a Site-to-Site connection in the Azure portal
4/9/2018 • 19 minutes to read • Edit Online
This article shows you how to use the Azure portal to create a Site-to-Site VPN gateway connection from your
on-premises network to the VNet. The steps in this article apply to the Resource Manager deployment model.
You can also create this configuration using a different deployment tool or deployment model by selecting a
different option from the following list:
A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual
network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located
on-premises that has an externally facing public IP address assigned to it. For more information about VPN
gateways, see About VPN gateway.
NOTE
In order for this VNet to connect to an on-premises location you need to coordinate with your on-premises network
administrator to carve out an IP address range that you can use specifically for this virtual network. If a duplicate address
range exists on both sides of the VPN connection, traffic does not route the way you may expect it to. Additionally, if you
want to connect this VNet to another VNet, the address space cannot overlap with other VNet. Take care to plan your
network configuration accordingly.
1. From a browser, navigate to the Azure portal and sign in with your Azure account.
2. Click Create a resource. In the Search the marketplace field, type 'virtual network'. Locate Virtual
network from the returned list and click to open the Virtual Network page.
3. Near the bottom of the Virtual Network page, from the Select a deployment model list, select
Resource Manager, and then click Create. This opens the 'Create virtual network' page.
4. On the Create virtual network page, configure the VNet settings. When you fill in the fields, the red
exclamation mark becomes a green check mark when the characters entered in the field are valid.
Name: Enter the name for your virtual network. In this example, we use VNet1.
Address space: Enter the address space. If you have multiple address spaces to add, add your first
address space. You can add additional address spaces later, after creating the VNet. Make sure that the
address space that you specify does not overlap with the address space for your on-premises location.
Subscription: Verify that the subscription listed is the correct one. You can change subscriptions by
using the drop-down.
Resource group: Select an existing resource group, or create a new one by typing a name for your
new resource group. If you are creating a new group, name the resource group according to your
planned configuration values. For more information about resource groups, visit Azure Resource
Manager Overview.
Location: Select the location for your VNet. The location determines where the resources that you
deploy to this VNet will reside.
Subnet: Add the first subnet name and subnet address range. You can add additional subnets and the
gateway subnet later, after creating this VNet.
5. Select Pin to dashboard if you want to be able to find your VNet easily on the dashboard, and then click
Create. After clicking Create, you will see a tile on your dashboard that will reflect the progress of your
VNet. The tile changes as the VNet is being created.
4. The Name for your subnet is automatically filled in with the value 'GatewaySubnet'. The GatewaySubnet
value is required in order for Azure to recognize the subnet as the gateway subnet. Adjust the auto-filled
Address range values to match your configuration requirements.
IMPORTANT
When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet.
Associating a network security group to this subnet may cause your VPN gateway to stop functioning as expected. For
more information about network security groups, see What is a network security group?
4. Verify the settings. You can select Pin to dashboard at the bottom of the page if you want your gateway
to appear on the dashboard.
5. Click Create to begin creating the VPN gateway. The settings are validated and you'll see the "Deploying
Virtual network gateway" tile on the dashboard. Creating a gateway can take up to 45 minutes. You may need
to refresh your portal page to see the completed status.
After the gateway is created, view the IP address that has been assigned to it by looking at the virtual network in
the portal. The gateway appears as a connected device. You can click the connected device (your virtual network
gateway) to view more information.
3. On the Create local network gateway page, specify the values for your local network gateway.
Name: Specify a name for your local network gateway object.
IP address: This is the public IP address of the VPN device that you want Azure to connect to. Specify
a valid public IP address. The IP address cannot be behind NAT and has to be reachable by Azure. If
you don't have the IP address right now, you can use the values shown in the example, but you'll need
to go back and replace your placeholder IP address with the public IP address of your VPN device.
Otherwise, Azure will not be able to connect.
Address Space refers to the address ranges for the network that this local network represents. You
can add multiple address space ranges. Make sure that the ranges you specify here do not overlap with
ranges of other networks that you want to connect to. Azure will route the address range that you
specify to the on-premises VPN device IP address. Use your own values here if you want to connect to
your on-premises site, not the values shown in the example.
Configure BGP settings: Use only when configuring BGP. Otherwise, don't select this.
Subscription: Verify that the correct subscription is showing.
Resource Group: Select the resource group that you want to use. You can either create a new
resource group, or select one that you have already created.
Location: Select the location that this object will be created in. You may want to select the same
location that your VNet resides in, but you are not required to do so.
4. When you have finished specifying the values, click the Create button at the bottom of the page to create
the local network gateway.
foreach($Nic in $Nics)
{
$VM = $VMs | Where-Object -Property Id -eq $Nic.VirtualMachine.Id
$Prv = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAddress
$Alloc = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAllocationMethod
Write-Output "$($VM.Name): $Prv,$Alloc"
}
2. Verify that you are connected to your VNet using the VPN connection.
3. Open Remote Desktop Connection by typing "RDP" or "Remote Desktop Connection" in the search box
on the taskbar, then select Remote Desktop Connection. You can also open Remote Desktop Connection
using the 'mstsc' command in PowerShell.
4. In Remote Desktop Connection, enter the private IP address of the VM. You can click "Show Options" to
adjust additional settings, then connect.
To troubleshoot an RDP connection to a VM
If you are having trouble connecting to a virtual machine over your VPN connection, check the following:
Verify that your VPN connection is successful.
Verify that you are connecting to the private IP address for the VM.
If you can connect to the VM using the private IP address, but not the computer name, verify that you have
configured DNS properly. For more information about how name resolution works for VMs, see Name
Resolution for VMs.
For more information about RDP connections, see Troubleshoot Remote Desktop connections to a VM.
Next steps
For information about BGP, see the BGP Overview and How to configure BGP.
For information about forced tunneling, see About forced tunneling.
For information about Highly Available Active-Active connections, see Highly Available cross-premises and
VNet-to-VNet connectivity.
For information about how to limit network traffic to resources in a virtual network, see Network Security.
For information about how Azure routes traffic between Azure, on-premises, and Internet resources, see
Virtual network traffic routing.
For information about creating a Site-to-Site VPN connection using Azure Resource Manager template, see
Create a Site-to-Site VPN Connection.
For information about creating a Vnet-to-Vnet VPN connection using Azure Resource Manager template, see
Deploy HBase geo replication.
Create a VNet with a Site-to-Site VPN connection
using PowerShell
4/18/2018 • 17 minutes to read • Edit Online
This article shows you how to use PowerShell to create a Site-to-Site VPN gateway connection from your on-
premises network to the VNet. The steps in this article apply to the Resource Manager deployment model. You
can also create this configuration using a different deployment tool or deployment model by selecting a different
option from the following list:
A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network
over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-
premises that has an externally facing public IP address assigned to it. For more information about VPN
gateways, see About VPN gateway.
#Example values
VnetName = VNet1
ResourceGroup = TestRG1
Location = East US
AddressSpace = 10.1.0.0/16
SubnetName = Frontend
Subnet = 10.1.0.0/24
GatewaySubnet = 10.1.255.0/27
LocalNetworkGatewayName = Site1
LNG Public IP = <On-premises VPN device IP address>
Local Address Prefixes = 10.101.0.0/24, 10.101.1.0/24
Gateway Name = VNet1GW
PublicIP = VNet1GWPIP
Gateway IP Config = gwipconfig1
VPNType = RouteBased
GatewayType = Vpn
ConnectionName = VNet1toSite1
NOTE
In order for this VNet to connect to an on-premises location, you need to coordinate with your on-premises network
administrator to carve out an IP address range that you can use specifically for this virtual network. If a duplicate address
range exists on both sides of the VPN connection, traffic does not route the way you may expect it to. Additionally, if you
want to connect this VNet to another VNet, the address space cannot overlap with other VNet. Take care to plan your
network configuration accordingly.
IMPORTANT
When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet. Associating
a network security group to this subnet may cause your VPN gateway to stop functioning as expected. For more
information about network security groups, see What is a network security group?
After running this command, it can take up to 45 minutes for the gateway configuration to complete.
2. After the cmdlet has finished, view the values. In the example below, the connection status shows as
'Connected' and you can see ingress and egress bytes.
"connectionStatus": "Connected",
"ingressBytesTransferred": 33509044,
"egressBytesTransferred": 4142431
$VMs = Get-AzureRmVM
$Nics = Get-AzureRmNetworkInterface | Where VirtualMachine -ne $null
foreach($Nic in $Nics)
{
$VM = $VMs | Where-Object -Property Id -eq $Nic.VirtualMachine.Id
$Prv = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAddress
$Alloc = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAllocationMethod
Write-Output "$($VM.Name): $Prv,$Alloc"
}
2. Verify that you are connected to your VNet using the VPN connection.
3. Open Remote Desktop Connection by typing "RDP" or "Remote Desktop Connection" in the search box on
the taskbar, then select Remote Desktop Connection. You can also open Remote Desktop Connection using the
'mstsc' command in PowerShell.
4. In Remote Desktop Connection, enter the private IP address of the VM. You can click "Show Options" to adjust
additional settings, then connect.
To troubleshoot an RDP connection to a VM
If you are having trouble connecting to a virtual machine over your VPN connection, check the following:
Verify that your VPN connection is successful.
Verify that you are connecting to the private IP address for the VM.
If you can connect to the VM using the private IP address, but not the computer name, verify that you have
configured DNS properly. For more information about how name resolution works for VMs, see Name
Resolution for VMs.
For more information about RDP connections, see Troubleshoot Remote Desktop connections to a VM.
To modify IP address prefixes for a local network gateway
If the IP address prefixes that you want routed to your on-premises location change, you can modify the local
network gateway. Two sets of instructions are provided. The instructions you choose depend on whether you have
already created your gateway connection.
To modify local network gateway IP address prefixes - no gateway connection
To add additional address prefixes:
3. Create the connection. In this example, we configure an IPsec connection type. When you recreate your
connection, use the connection type that is specified for your configuration. For additional connection types,
see the PowerShell cmdlet page.
Set the variable for the VirtualNetworkGateway.
Create the connection. This example uses the variable $local that you set in step 2.
New-AzureRmVirtualNetworkGatewayConnection -Name VNet1toSite1 `
-ResourceGroupName TestRG1 -Location 'East US' `
-VirtualNetworkGateway1 $gateway1 -LocalNetworkGateway2 $local `
-ConnectionType IPsec `
-RoutingWeight 10 -SharedKey 'abc123'
2. Modify the 'GatewayIpAddress' value. You can also modify the address prefixes at the same time. Be sure
to use the existing name of your local network gateway to overwrite the current settings. If you don't, you
create a new local network gateway, instead of overwriting the existing one.
3. Create the connection. In this example, we configure an IPsec connection type. When you recreate your
connection, use the connection type that is specified for your configuration. For additional connection types,
see the PowerShell cmdlet page. To obtain the VirtualNetworkGateway name, you can run the 'Get-
AzureRmVirtualNetworkGateway' cmdlet.
Set the variables.
Next steps
Once your connection is complete, you can add virtual machines to your virtual networks. For more
information, see Virtual Machines.
For information about BGP, see the BGP Overview and How to configure BGP.
For information about creating a site-to-site VPN connection using Azure Resource Manager template, see
Create a Site-to-Site VPN Connection.
For information about creating a vnet-to-vnet VPN connection using Azure Resource Manager template, see
Deploy HBase geo replication.
Create a virtual network with a Site-to-Site VPN
connection using CLI
3/14/2018 • 15 minutes to read • Edit Online
This article shows you how to use the Azure CLI to create a Site-to-Site VPN gateway connection from your on-
premises network to the VNet. The steps in this article apply to the Resource Manager deployment model. You
can also create this configuration using a different deployment tool or deployment model by selecting a different
option from the following list:
A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network
over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-
premises that has an externally facing public IP address assigned to it. For more information about VPN gateways,
see About VPN gateway.
VnetName = TestVNet1
ResourceGroup = TestRG1
Location = eastus
AddressSpace = 10.11.0.0/16
SubnetName = Subnet1
Subnet = 10.11.0.0/24
GatewaySubnet = 10.11.255.0/27
LocalNetworkGatewayName = Site2
LNG Public IP = <VPN device IP address>
LocalAddrPrefix1 = 10.0.0.0/24
LocalAddrPrefix2 = 20.0.0.0/24
GatewayName = VNet1GW
PublicIP = VNet1GWIP
VPNType = RouteBased
GatewayType = Vpn
ConnectionName = VNet1toSite2
az login
If you have more than one Azure subscription, list the subscriptions for the account.
The following example creates a virtual network named 'TestVNet1' and a subnet, 'Subnet1'.
az network vnet create --name TestVNet1 --resource-group TestRG1 --address-prefix 10.11.0.0/16 --location
eastus --subnet-name Subnet1 --subnet-prefix 10.11.0.0/24
az network vnet subnet create --address-prefix 10.11.255.0/27 --name GatewaySubnet --resource-group TestRG1 --
vnet-name TestVNet1
IMPORTANT
When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet. Associating
a network security group to this subnet may cause your VPN gateway to stop functioning as expected. For more
information about network security groups, see What is a network security group?
az network vnet-gateway create --name VNet1GW --public-ip-address VNet1GWIP --resource-group TestRG1 --vnet
TestVNet1 --gateway-type Vpn --vpn-type RouteBased --sku VpnGw1 --no-wait
az network vpn-connection create --name VNet1toSite2 -resource-group TestRG1 --vnet-gateway1 VNet1GW -l eastus
--shared-key abc123 --local-gateway2 Site2
If you want to use another method to verify your connection, see Verify a VPN Gateway connection.
$VMs = Get-AzureRmVM
$Nics = Get-AzureRmNetworkInterface | Where VirtualMachine -ne $null
foreach($Nic in $Nics)
{
$VM = $VMs | Where-Object -Property Id -eq $Nic.VirtualMachine.Id
$Prv = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAddress
$Alloc = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAllocationMethod
Write-Output "$($VM.Name): $Prv,$Alloc"
}
2. Verify that you are connected to your VNet using the VPN connection.
3. Open Remote Desktop Connection by typing "RDP" or "Remote Desktop Connection" in the search box on
the taskbar, then select Remote Desktop Connection. You can also open Remote Desktop Connection using the
'mstsc' command in PowerShell.
4. In Remote Desktop Connection, enter the private IP address of the VM. You can click "Show Options" to adjust
additional settings, then connect.
To troubleshoot an RDP connection to a VM
If you are having trouble connecting to a virtual machine over your VPN connection, check the following:
Verify that your VPN connection is successful.
Verify that you are connecting to the private IP address for the VM.
If you can connect to the VM using the private IP address, but not the computer name, verify that you have
configured DNS properly. For more information about how name resolution works for VMs, see Name
Resolution for VMs.
For more information about RDP connections, see Troubleshoot Remote Desktop connections to a VM.
Common tasks
This section contains common commands that are helpful when working with site-to-site configurations. For the
full list of CLI networking commands, see Azure CLI - Networking.
To view local network gateways
To view a list of the local network gateways, use the az network local-gateway list command.
"gatewayIpAddress": "23.99.222.170",
Next steps
Once your connection is complete, you can add virtual machines to your virtual networks. For more
information, see Virtual Machines.
For information about BGP, see the BGP Overview and How to configure BGP.
For information about Forced Tunneling, see About Forced Tunneling.
For information about Highly Available Active-Active connections, see Highly Available cross-premises and
VNet-to-VNet connectivity.
For a list of networking Azure CLI commands, see Azure CLI.
For information about creating a site-to-site VPN connection using Azure Resource Manager template, see
Create a Site-to-Site VPN Connection.
For information about creating a vnet-to-vnet VPN connection using Azure Resource Manager template, see
Deploy HBase geo replication.
Download VPN device configuration scripts for S2S
VPN connections
4/9/2018 • 3 minutes to read • Edit Online
This article walks you through downloading VPN device configuration scripts for S2S VPN connections with
Azure VPN Gateways using Azure Resource Manager. The following diagram shows the high-level workflow.
IMPORTANT
The syntax for each VPN device configuration script is different, and heavily dependent on the models and firmware
versions. Pay special attention to your device model and version information against the available templates.
Some parameter values must be unique on the device, and cannot be determined without accessing the device. The
Azure-generated configuration scripts pre-fill these values, but you need to ensure the provided values are valid on your
device. For examples:
Interface numbers
Access control list numbers
Policy names or numbers, etc.
Look for the keyword, "REPLACE", embedded in the script to find the parameters you need to verify before applying the
script.
Some templates include a "CLEANUP" section you can apply to remove the configurations. The cleanup sections are
commented out by default.
4. Click on the "Download configuration" link as highlighted in red in the Connection overview page; this
opens the "Download configuration" page.
5. Select the model family and firmware version for your VPN device, then click on the "Download
configuration" button.
6. You are prompted to save the downloaded script (a text file) from your browser.
7. Once you downloaded the configuration script, open it with a text editor and search for the keyword
"REPLACE" to identify and examine the parameters that may need to be replaced.
Next steps
Continue configuring your Site-to-Site connection.
Configure a Point-to-Site connection to a VNet using
native Azure certificate authentication: Azure portal
9/10/2018 • 28 minutes to read • Edit Online
This article helps you securely connect individual clients running Windows, Linux, or Mac OS X to an Azure VNet.
Point-to-Site VPN connections are useful when you want to connect to your VNet from a remote location, such
when you are telecommuting from home or a conference. You can also use P2S instead of a Site-to-Site VPN
when you have only a few clients that need to connect to a VNet. Point-to-Site connections do not require a VPN
device or a public-facing IP address. P2S creates the VPN connection over either SSTP (Secure Socket Tunneling
Protocol), or IKEv2. For more information about Point-to-Site VPN, see About Point-to-Site VPN.
Architecture
Point-to-Site native Azure certificate authentication connections use the following items, which you configure in
this exercise:
A RouteBased VPN gateway.
The public key (.cer file) for a root certificate, which is uploaded to Azure. Once the certificate is uploaded, it is
considered a trusted certificate and is used for authentication.
A client certificate that is generated from the root certificate. The client certificate installed on each client
computer that will connect to the VNet. This certificate is used for client authentication.
A VPN client configuration. The VPN client configuration files contain the necessary information for the client
to connect to the VNet. The files configure the existing VPN client that is native to the operating system. Each
client that connects must be configured using the settings in the configuration files.
Example values
You can use the following values to create a test environment, or refer to these values to better understand the
examples in this article:
VNet Name: VNet1
Address space: 192.168.0.0/16
For this example, we use only one address space. You can have more than one address space for your VNet.
Subnet name: FrontEnd
Subnet address range: 192.168.1.0/24
Subscription: If you have more than one subscription, verify that you are using the correct one.
Resource Group: TestRG
Location: East US
GatewaySubnet: 192.168.200.0/24
DNS Server: (optional) IP address of the DNS server that you want to use for name resolution.
Virtual network gateway name: VNet1GW
Gateway type: VPN
VPN type: Route-based
Public IP address name: VNet1GWpip
Connection type: Point-to-site
Client address pool: 172.16.201.0/24
VPN clients that connect to the VNet using this Point-to-Site connection receive an IP address from the client
address pool.
NOTE
If you want this VNet to connect to an on-premises location (in addition to creating a P2S configuration), you need to
coordinate with your on-premises network administrator to carve out an IP address range that you can use specifically for
this virtual network. If a duplicate address range exists on both sides of the VPN connection, traffic does not route the way
you may expect it to. Additionally, if you want to connect this VNet to another VNet, the address space cannot overlap with
other VNet. Take care to plan your network configuration accordingly.
1. From a browser, navigate to the Azure portal and, if necessary, sign in with your Azure account.
2. Click +. In the Search the marketplace field, type "Virtual Network". Locate Virtual Network from the
returned list and click to open the Virtual Network page.
3. Near the bottom of the Virtual Network page, from the Select a deployment model list, select Resource
Manager, and then click Create.
4. On the Create virtual network page, configure the VNet settings. When you fill in the fields, the red
exclamation mark becomes a green check mark when the characters entered in the field are valid. There
may be values that are auto-filled. If so, replace the values with your own. The Create virtual network
page looks similar to the following example:
12. After clicking Create, you will see a tile on your dashboard that will reflect the progress of your VNet. The
tile changes as the VNet is being created.
2. Add a gateway subnet
Before connecting your virtual network to a gateway, you first need to create the gateway subnet for the virtual
network to which you want to connect. The gateway services use the IP addresses specified in the gateway
subnet. If possible, create a gateway subnet using a CIDR block of /28 or /27 to provide enough IP addresses to
accommodate additional future configuration requirements.
1. In the portal, navigate to the Resource Manager virtual network for which you want to create a virtual
network gateway.
2. In the Settings section of your VNet page, click Subnets to expand the Subnets page.
3. On the Subnets page, click +Gateway subnet to open the Add subnet page.
4. The Name for your subnet is automatically filled in with the value 'GatewaySubnet'. This value is required
in order for Azure to recognize the subnet as the gateway subnet. Adjust the auto-filled Address range
values to match your configuration requirements, then click OK at the bottom of the page to create the
subnet.
3. On the Create virtual network gateway page, specify the values for your virtual network gateway.
Name: Name your gateway. This is not the same as naming a gateway subnet. It's the name of the
gateway object you are creating.
Gateway type: Select VPN. VPN gateways use the virtual network gateway type VPN.
VPN type: Select the VPN type that is specified for your configuration. Most configurations require a
Route-based VPN type.
SKU: Select the gateway SKU from the dropdown. The SKUs listed in the dropdown depend on the
VPN type you select. For more information about gateway SKUs, see Gateway SKUs.
Location: You may need to scroll to see Location. Adjust the Location field to point to the location
where your virtual network is located. If the location is not pointing to the region where your virtual
network resides, when you select a virtual network in the next step, it will not appear in the drop-down
list.
Virtual network: Choose the virtual network to which you want to add this gateway. Click Virtual
network to open the 'Choose a virtual network' page. Select the VNet. If you don't see your VNet,
make sure the Location field is pointing to the region in which your virtual network is located.
Gateway subnet address range: You will only see this setting if you did not previously create a
gateway subnet for your virtual network. If you previously created a valid gateway subnet, this setting
will not appear.
First IP configuration: The 'Choose public IP address' page creates a public IP address object that
gets associated to the VPN gateway. The public IP address is dynamically assigned to this object
when the VPN gateway is created. VPN Gateway currently only supports Dynamic Public IP
address allocation. However, this does not mean that the IP address changes after it has been
assigned to your VPN gateway. The only time the Public IP address changes is when the gateway is
deleted and re-created. It doesn't change across resizing, resetting, or other internal
maintenance/upgrades of your VPN gateway.
First, click Create gateway IP configuration to open the 'Choose public IP address' page, then
click +Create new to open the 'Create public IP address' page.
Next, input a Name for your public IP address. Leave the SKU as Basic unless there is a
specific reason to change it to something else, then click OK at the bottom of this page to
save your changes.
4. Verify the settings. You can select Pin to dashboard at the bottom of the page if you want your gateway
to appear on the dashboard.
5. Click Create to begin creating the VPN gateway. The settings are validated and you'll see the "Deploying
Virtual network gateway" tile on the dashboard. Creating a gateway can take up to 45 minutes. You may need
to refresh your portal page to see the completed status.
After the gateway is created, view the IP address that has been assigned to it by looking at the virtual network in
the portal. The gateway appears as a connected device. You can click the connected device (your virtual network
gateway) to view more information.
NOTE
The Basic SKU does not support IKEv2 or RADIUS authentication.
5. Generate certificates
Certificates are used by Azure to authenticate clients connecting to a VNet over a Point-to-Site VPN connection.
Once you obtain a root certificate, you upload the public key information to Azure. The root certificate is then
considered 'trusted' by Azure for connection over P2S to the virtual network. You also generate client certificates
from the trusted root certificate, and then install them on each client computer. The client certificate is used to
authenticate the client when it initiates a connection to the VNet.
1. Obtain the .cer file for the root certificate
You can use either a root certificate that was generated using an enterprise solution (recommended), or you can
generate a self-signed certificate. After creating the root certificate, export the public certificate data (not the
private key) as a Base-64 encoded X.509 .cer file and upload the public certificate data to Azure.
Enterprise certificate: If you are using an enterprise solution, you can use your existing certificate chain.
Obtain the .cer file for the root certificate that you want to use.
Self-signed root certificate: If you aren't using an enterprise certificate solution, you need to create a
self-signed root certificate. It's important that you follow the steps in one of the P2S certificate articles
below. Otherwise, the certificates you create won't be compatible with P2S connections and clients receive
a connection error when trying to connect. You can use Azure PowerShell, MakeCert, or OpenSSL. The
steps in the provided articles generate a compatible certificate:
Windows 10 PowerShell instructions: These instructions require Windows 10 and PowerShell to
generate certificates. Client certificates that are generated from the root certificate can be installed on
any supported P2S client.
MakeCert instructions: Use MakeCert if you don't have access to a Windows 10 computer to use to
generate certificates. MakeCert deprecated, but you can still use MakeCert to generate certificates.
Client certificates that are generated from the root certificate can be installed on any supported P2S
client.
Linux instructions
2. Generate a client certificate
Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. The client
certificate is generated from the root certificate and installed on each client computer. If a valid client certificate is
not installed and the client tries to connect to the VNet, authentication fails.
You can either generate a unique certificate for each client, or you can use the same certificate for multiple clients.
The advantage to generating unique client certificates is the ability to revoke a single certificate. Otherwise, if
multiple clients are using the same client certificate and you need to revoke it, you have to generate and install
new certificates for all the clients that use that certificate to authenticate.
You can generate client certificates using the following methods:
Enterprise certificate:
If you are using an enterprise certificate solution, generate a client certificate with the common name
value format 'name@yourdomain.com', rather than the 'domain name\username' format.
Make sure the client certificate is based on the 'User' certificate template that has 'Client
Authentication' as the first item in the use list, rather than Smart Card Logon, etc. You can check the
certificate by double-clicking the client certificate and viewing Details > Enhanced Key Usage.
Self-signed root certificate: It's important that you follow the steps in one of the P2S certificate articles
below. Otherwise, the client certificates you create won't be compatible with P2S connections and clients
receive an error when trying to connect. The steps in either of the following articles generate a compatible
client certificate:
Windows 10 PowerShell instructions: These instructions require Windows 10 and PowerShell to
generate certificates. The certificates that are generated can be installed on any supported P2S client.
MakeCert instructions: Use MakeCert if you don't have access to a Windows 10 computer to use to
generate certificates. MakeCert deprecated, but you can still use MakeCert to generate certificates. The
certificates that are generated can be installed on any supported P2S client.
Linux instructions
When you generate a client certificate from a self-signed root certificate using the preceding instructions,
it's automatically installed on the computer that you used to generate it. If you want to install a client
certificate on another client computer, you need to export it as a .pfx, along with the entire certificate chain.
This creates a .pfx file that contains the root certificate information that is required for the client to
successfully authenticate. For steps to export a certificate, see Certificates - export a client certificate.
3. On the Point-to-site configuration page, in the Address pool box, add the private IP address range that
you want to use. VPN clients dynamically receive an IP address from the range that you specify. Click
Save to validate and save the setting.
NOTE
If you don't see Tunnel type or Authentication type in the portal on this page, your gateway is using the Basic SKU.
The Basic SKU does not support IKEv2 or RADIUS authentication.
4. Paste the certificate data into the Public Certificate Data field. Name the certificate, and then click Save.
You can add up to 20 trusted root certificates.
5. Click Save at the top of the page to save all of the configuration settings.
10. Install an exported client certificate
If you want to create a P2S connection from a client computer other than the one you used to generate the client
certificates, you need to install a client certificate. When installing a client certificate, you need the password that
was created when the client certificate was exported.
Make sure the client certificate was exported as a .pfx along with the entire certificate chain (which is the default).
Otherwise, the root certificate information isn't present on the client computer and the client won't be able to
authenticate properly.
For install steps, see Install a client certificate.
NOTE
You must have Administrator rights on the Windows client computer from which you are connecting.
1. To connect to your VNet, on the client computer, navigate to VPN connections and locate the VPN
connection that you created. It is named the same name as your virtual network. Click Connect. A pop-up
message may appear that refers to using the certificate. Click Continue to use elevated privileges.
2. On the Connection status page, click Connect to start the connection. If you see a Select Certificate
screen, verify that the client certificate showing is the one that you want to use to connect. If it is not, use
the drop-down arrow to select the correct certificate, and then click OK.
3. Your connection is established.
foreach($Nic in $Nics)
{
$VM = $VMs | Where-Object -Property Id -eq $Nic.VirtualMachine.Id
$Prv = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAddress
$Alloc = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAllocationMethod
Write-Output "$($VM.Name): $Prv,$Alloc"
}
2. Verify that you are connected to your VNet using the Point-to-Site VPN connection.
3. Open Remote Desktop Connection by typing "RDP" or "Remote Desktop Connection" in the search box on
the taskbar, then select Remote Desktop Connection. You can also open Remote Desktop Connection using
the 'mstsc' command in PowerShell.
4. In Remote Desktop Connection, enter the private IP address of the VM. You can click "Show Options" to
adjust additional settings, then connect.
To troubleshoot an RDP connection to a VM
If you are having trouble connecting to a virtual machine over your VPN connection, check the following:
Verify that your VPN connection is successful.
Verify that you are connecting to the private IP address for the VM.
Use 'ipconfig' to check the IPv4 address assigned to the Ethernet adapter on the computer from which you are
connecting. If the IP address is within the address range of the VNet that you are connecting to, or within the
address range of your VPNClientAddressPool, this is referred to as an overlapping address space. When your
address space overlaps in this way, the network traffic doesn't reach Azure, it stays on the local network.
If you can connect to the VM using the private IP address, but not the computer name, verify that you have
configured DNS properly. For more information about how name resolution works for VMs, see Name
Resolution for VMs.
Verify that the VPN client configuration package was generated after the DNS server IP addresses were
specified for the VNet. If you updated the DNS server IP addresses, generate and install a new VPN client
configuration package.
For more information about RDP connections, see Troubleshoot Remote Desktop connections to a VM.
Point-to-Site FAQ
How many VPN client endpoints can I have in my Point-to -Site configuration?
We support up to 128 VPN clients to be able to connect to a virtual network at the same time.
What client operating systems can I use with Point-to -Site?
The following client operating systems are supported:
Windows 7 (32-bit and 64-bit)
Windows Server 2008 R2 (64-bit only)
Windows 8.1 (32-bit and 64-bit)
Windows Server 2012 (64-bit only)
Windows Server 2012 R2 (64-bit only)
Windows Server 2016 (64-bit only)
Windows 10
Mac OS X version 10.11 (El Capitan)
Mac OS X version 10.12 (Sierra)
Linux (StrongSwan)
iOS
NOTE
Starting July 1, 2018, support is being removed for TLS 1.0 and 1.1 from Azure VPN Gateway. VPN Gateway will support
only TLS 1.2. To maintain support, see the updates to enable support for TLS1.2.
Additionally, the following legacy algorithms will also be deprecated for TLS on July 1, 2018:
RC4 (Rivest Cipher 4)
DES (Data Encryption Algorithm)
3DES (Triple Data Encryption Algorithm)
MD5 (Message Digest 5)
How do I enable support for TLS 1.2 in Windows 7 and Windows 8.1?
1. Open a command prompt with elevated privileges by right-clicking on Command Prompt and selecting Run
as administrator.
2. Run the following commands in the command prompt:
This article helps you securely connect individual clients running Windows or Mac OS X to an Azure VNet. Point-
to-Site VPN connections are useful when you want to connect to your VNet from a remote location, such when
you are telecommuting from home or a conference. You can also use P2S instead of a Site-to-Site VPN when you
have only a few clients that need to connect to a VNet. Point-to-Site connections do not require a VPN device or a
public-facing IP address. P2S creates the VPN connection over either SSTP (Secure Socket Tunneling Protocol),
or IKEv2. For more information about Point-to-Site VPN, see About Point-to-Site VPN.
Architecture
Point-to-Site native Azure certificate authentication connections use the following items, which you configure in
this exercise:
A RouteBased VPN gateway.
The public key (.cer file) for a root certificate, which is uploaded to Azure. Once the certificate is uploaded, it is
considered a trusted certificate and is used for authentication.
A client certificate that is generated from the root certificate. The client certificate installed on each client
computer that will connect to the VNet. This certificate is used for client authentication.
A VPN client configuration. The VPN client configuration files contain the necessary information for the client
to connect to the VNet. The files configure the existing VPN client that is native to the operating system. Each
client that connects must be configured using the settings in the configuration files.
Connect-AzureRmAccount
Get-AzureRmSubscription
$VNetName = "VNet1"
$FESubName = "FrontEnd"
$BESubName = "Backend"
$GWSubName = "GatewaySubnet"
$VNetPrefix1 = "192.168.0.0/16"
$VNetPrefix2 = "10.254.0.0/16"
$FESubPrefix = "192.168.1.0/24"
$BESubPrefix = "10.254.1.0/24"
$GWSubPrefix = "192.168.200.0/26"
$VPNClientAddressPool = "172.16.201.0/24"
$RG = "TestRG"
$Location = "East US"
$GWName = "VNet1GW"
$GWIPName = "VNet1GWPIP"
$GWIPconfName = "gwipconf"
2. Configure a VNet
1. Create a resource group.
2. Create the subnet configurations for the virtual network, naming them FrontEnd, BackEnd, and
GatewaySubnet. These prefixes must be part of the VNet address space that you declared.
5. A VPN gateway must have a Public IP address. You first request the IP address resource, and then refer to
it when creating your virtual network gateway. The IP address is dynamically assigned to the resource
when the VPN gateway is created. VPN Gateway currently only supports Dynamic Public IP address
allocation. You cannot request a Static Public IP address assignment. However, it doesn't mean that the IP
address changes after it has been assigned to your VPN gateway. The only time the Public IP address
changes is when the gateway is deleted and re-created. It doesn't change across resizing, resetting, or other
internal maintenance/upgrades of your VPN gateway.
Request a dynamically assigned public IP address.
5. Generate certificates
Certificates are used by Azure to authenticate VPN clients for Point-to-Site VPNs. You upload the public key
information of the root certificate to Azure. The public key is then considered 'trusted'. Client certificates must be
generated from the trusted root certificate, and then installed on each client computer in the Certificates-Current
User/Personal certificate store. The certificate is used to authenticate the client when it initiates a connection to
the VNet.
If you use self-signed certificates, they must be created using specific parameters. You can create a self-signed
certificate using the instructions for PowerShell and Windows 10, or, if you don't have Windows 10, you can use
MakeCert. It's important that you follow the steps in the instructions when generating self-signed root certificates
and client certificates. Otherwise, the certificates you generate will not be compatible with P2S connections and
you receive a connection error.
1. Obtain the .cer file for the root certificate
You can use either a root certificate that was generated using an enterprise solution (recommended), or you can
generate a self-signed certificate. After creating the root certificate, export the public certificate data (not the
private key) as a Base-64 encoded X.509 .cer file and upload the public certificate data to Azure.
Enterprise certificate: If you are using an enterprise solution, you can use your existing certificate chain.
Obtain the .cer file for the root certificate that you want to use.
Self-signed root certificate: If you aren't using an enterprise certificate solution, you need to create a
self-signed root certificate. It's important that you follow the steps in one of the P2S certificate articles
below. Otherwise, the certificates you create won't be compatible with P2S connections and clients receive
a connection error when trying to connect. You can use Azure PowerShell, MakeCert, or OpenSSL. The
steps in the provided articles generate a compatible certificate:
Windows 10 PowerShell instructions: These instructions require Windows 10 and PowerShell to
generate certificates. Client certificates that are generated from the root certificate can be installed on
any supported P2S client.
MakeCert instructions: Use MakeCert if you don't have access to a Windows 10 computer to use to
generate certificates. MakeCert deprecated, but you can still use MakeCert to generate certificates.
Client certificates that are generated from the root certificate can be installed on any supported P2S
client.
Linux instructions
2. Generate a client certificate
Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. The client
certificate is generated from the root certificate and installed on each client computer. If a valid client certificate is
not installed and the client tries to connect to the VNet, authentication fails.
You can either generate a unique certificate for each client, or you can use the same certificate for multiple clients.
The advantage to generating unique client certificates is the ability to revoke a single certificate. Otherwise, if
multiple clients are using the same client certificate and you need to revoke it, you have to generate and install
new certificates for all the clients that use that certificate to authenticate.
You can generate client certificates using the following methods:
Enterprise certificate:
If you are using an enterprise certificate solution, generate a client certificate with the common name
value format 'name@yourdomain.com', rather than the 'domain name\username' format.
Make sure the client certificate is based on the 'User' certificate template that has 'Client Authentication'
as the first item in the use list, rather than Smart Card Logon, etc. You can check the certificate by
double-clicking the client certificate and viewing Details > Enhanced Key Usage.
Self-signed root certificate: It's important that you follow the steps in one of the P2S certificate articles
below. Otherwise, the client certificates you create won't be compatible with P2S connections and clients
receive an error when trying to connect. The steps in either of the following articles generate a compatible
client certificate:
Windows 10 PowerShell instructions: These instructions require Windows 10 and PowerShell to
generate certificates. The certificates that are generated can be installed on any supported P2S client.
MakeCert instructions: Use MakeCert if you don't have access to a Windows 10 computer to use to
generate certificates. MakeCert deprecated, but you can still use MakeCert to generate certificates. The
certificates that are generated can be installed on any supported P2S client.
Linux instructions
When you generate a client certificate from a self-signed root certificate using the preceding instructions,
it's automatically installed on the computer that you used to generate it. If you want to install a client
certificate on another client computer, you need to export it as a .pfx, along with the entire certificate chain.
This creates a .pfx file that contains the root certificate information that is required for the client to
successfully authenticate. For steps to export a certificate, see Certificates - export a client certificate.
6. Upload the root certificate public key information
Verify that your VPN gateway has finished creating. Once it has completed, you can upload the .cer file (which
contains the public key information) for a trusted root certificate to Azure. Once a.cer file is uploaded, Azure can
use it to authenticate clients that have installed a client certificate generated from the trusted root certificate. You
can upload additional trusted root certificate files - up to a total of 20 - later, if needed.
1. Declare the variable for your certificate name, replacing the value with your own.
$P2SRootCertName = "P2SRootCert.cer"
2. Replace the file path with your own, and then run the cmdlets.
$filePathForCert = "C:\cert\P2SRootCert.cer"
$cert = new-object System.Security.Cryptography.X509Certificates.X509Certificate2($filePathForCert)
$CertBase64 = [system.convert]::ToBase64String($cert.RawData)
$p2srootcert = New-AzureRmVpnClientRootCertificate -Name $P2SRootCertName -PublicCertData $CertBase64
3. Upload the public key information to Azure. Once the certificate information is uploaded, Azure considers
this to be a trusted root certificate.
9. Connect to Azure
To connect from a Windows VPN client
NOTE
You must have Administrator rights on the Windows client computer from which you are connecting.
1. To connect to your VNet, on the client computer, navigate to VPN connections and locate the VPN connection
that you created. It is named the same name as your virtual network. Click Connect. A pop-up message may
appear that refers to using the certificate. Click Continue to use elevated privileges.
2. On the Connection status page, click Connect to start the connection. If you see a Select Certificate
screen, verify that the client certificate showing is the one that you want to use to connect. If it is not, use
the drop-down arrow to select the correct certificate, and then click OK.
foreach($Nic in $Nics)
{
$VM = $VMs | Where-Object -Property Id -eq $Nic.VirtualMachine.Id
$Prv = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAddress
$Alloc = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAllocationMethod
Write-Output "$($VM.Name): $Prv,$Alloc"
}
2. Verify that you are connected to your VNet using the Point-to-Site VPN connection.
3. Open Remote Desktop Connection by typing "RDP" or "Remote Desktop Connection" in the search box on
the taskbar, then select Remote Desktop Connection. You can also open Remote Desktop Connection using the
'mstsc' command in PowerShell.
4. In Remote Desktop Connection, enter the private IP address of the VM. You can click "Show Options" to adjust
additional settings, then connect.
To troubleshoot an RDP connection to a VM
If you are having trouble connecting to a virtual machine over your VPN connection, check the following:
Verify that your VPN connection is successful.
Verify that you are connecting to the private IP address for the VM.
Use 'ipconfig' to check the IPv4 address assigned to the Ethernet adapter on the computer from which you are
connecting. If the IP address is within the address range of the VNet that you are connecting to, or within the
address range of your VPNClientAddressPool, this is referred to as an overlapping address space. When your
address space overlaps in this way, the network traffic doesn't reach Azure, it stays on the local network.
If you can connect to the VM using the private IP address, but not the computer name, verify that you have
configured DNS properly. For more information about how name resolution works for VMs, see Name
Resolution for VMs.
Verify that the VPN client configuration package was generated after the DNS server IP addresses were
specified for the VNet. If you updated the DNS server IP addresses, generate and install a new VPN client
configuration package.
For more information about RDP connections, see Troubleshoot Remote Desktop connections to a VM.
$filePathForCert = "C:\cert\P2SRootCert3.cer"
$cert = new-object System.Security.Cryptography.X509Certificates.X509Certificate2($filePathForCert)
$CertBase64_3 = [system.convert]::ToBase64String($cert.RawData)
$p2srootcert = New-AzureRmVpnClientRootCertificate -Name $P2SRootCertName -PublicCertData $CertBase64_3
2. Upload the file. You can only upload one file at a time.
Method 2
This method has more steps than Method 1, but has the same result. It is included in case you need to view the
certificate data.
1. Create and prepare the new root certificate to add to Azure. Export the public key as a Base-64 encoded
X.509 (.CER ) and open it with a text editor. Copy the values, as shown in the following example:
NOTE
When copying the certificate data, make sure that you copy the text as one continuous line without carriage returns
or line feeds. You may need to modify your view in the text editor to 'Show Symbol/Show all characters' to see the
carriage returns and line feeds.
2. Specify the certificate name and key information as a variable. Replace the information with your own, as
shown in the following example:
$P2SRootCertName2 = "ARMP2SRootCert2.cer"
$MyP2SCertPubKeyBase64_2 =
"MIIC/zCCAeugAwIBAgIQKazxzFjMkp9JRiX+tkTfSzAJBgUrDgMCHQUAMBgxFjAUBgNVBAMTDU15UDJTUm9vdENlcnQwHhcNMTUxMj
E5MDI1MTIxWhcNMzkxMjMxMjM1OTU5WjAYMRYwFAYDVQQDEw1NeVAyU1Jvb3RDZXJ0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBC
gKCAQEAyjIXoWy8xE/GF1OSIvUaA0bxBjZ1PJfcXkMWsHPzvhWc2esOKrVQtgFgDz4ggAnOUFEkFaszjiHdnXv3mjzE2SpmAVIZPf2/
yPWqkoHwkmrp6BpOvNVOpKxaGPOuK8+dql1xcL0eCkt69g4lxy0FGRFkBcSIgVTViS9wjuuS7LPo5+OXgyFkAY3pSDiMzQCkRGNFgw5
WGMHRDAiruDQF1ciLNojAQCsDdLnI3pDYsvRW73HZEhmOqRRnJQe6VekvBYKLvnKaxUTKhFIYwuymHBB96nMFdRUKCZIiWRIy8Hc8+s
QEsAML2EItAjQv4+fqgYiFdSWqnQCPf/7IZbotgQIDAQABo00wSzBJBgNVHQEEQjBAgBAkuVrWvFsCJAdK5pb/eoCNoRowGDEWMBQGA
1UEAxMNTXlQMlNSb290Q2VydIIQKazxzFjMkp9JRiX+tkTfSzAJBgUrDgMCHQUAA4IBAQA223veAZEIar9N12ubNH2+HwZASNzDVNqs
pkPKD97TXfKHlPlIcS43TaYkTz38eVrwI6E0yDk4jAuPaKnPuPYFRj9w540SvY6PdOUwDoEqpIcAVp+b4VYwxPL6oyEQ8wnOYuoAK1h
hh20lCbo8h9mMy9ofU+RP6HJ7lTqupLfXdID/XevI8tW6Dm+C/wCeV3EmIlO9KUoblD/e24zlo3YzOtbyXwTIh34T0fO/zQvUuBqZMc
IPfM1cDvqcqiEFLWvWKoAnxbzckye2uk1gHO52d8AVL3mGiX8wBJkjc/pMdxrEvvCzJkltBmqxTM6XjDJALuVh16qFlqgTWCIcb7ju"
3. Add the new root certificate. You can only add one certificate at a time.
4. You can verify that the new certificate was added correctly by using the following example:
Get-AzureRmVpnClientRootCertificate -ResourceGroupName "TestRG" `
-VirtualNetworkGatewayName "VNet1GW"
$GWName = "Name_of_virtual_network_gateway"
$RG = "Name_of_resource_group"
$P2SRootCertName2 = "ARMP2SRootCert2.cer"
$MyP2SCertPubKeyBase64_2 =
"MIIC/zCCAeugAwIBAgIQKazxzFjMkp9JRiX+tkTfSzAJBgUrDgMCHQUAMBgxFjAUBgNVBAMTDU15UDJTUm9vdENlcnQwHhcNMTUxMj
E5MDI1MTIxWhcNMzkxMjMxMjM1OTU5WjAYMRYwFAYDVQQDEw1NeVAyU1Jvb3RDZXJ0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBC
gKCAQEAyjIXoWy8xE/GF1OSIvUaA0bxBjZ1PJfcXkMWsHPzvhWc2esOKrVQtgFgDz4ggAnOUFEkFaszjiHdnXv3mjzE2SpmAVIZPf2/
yPWqkoHwkmrp6BpOvNVOpKxaGPOuK8+dql1xcL0eCkt69g4lxy0FGRFkBcSIgVTViS9wjuuS7LPo5+OXgyFkAY3pSDiMzQCkRGNFgw5
WGMHRDAiruDQF1ciLNojAQCsDdLnI3pDYsvRW73HZEhmOqRRnJQe6VekvBYKLvnKaxUTKhFIYwuymHBB96nMFdRUKCZIiWRIy8Hc8+s
QEsAML2EItAjQv4+fqgYiFdSWqnQCPf/7IZbotgQIDAQABo00wSzBJBgNVHQEEQjBAgBAkuVrWvFsCJAdK5pb/eoCNoRowGDEWMBQGA
1UEAxMNTXlQMlNSb290Q2VydIIQKazxzFjMkp9JRiX+tkTfSzAJBgUrDgMCHQUAA4IBAQA223veAZEIar9N12ubNH2+HwZASNzDVNqs
pkPKD97TXfKHlPlIcS43TaYkTz38eVrwI6E0yDk4jAuPaKnPuPYFRj9w540SvY6PdOUwDoEqpIcAVp+b4VYwxPL6oyEQ8wnOYuoAK1h
hh20lCbo8h9mMy9ofU+RP6HJ7lTqupLfXdID/XevI8tW6Dm+C/wCeV3EmIlO9KUoblD/e24zlo3YzOtbyXwTIh34T0fO/zQvUuBqZMc
IPfM1cDvqcqiEFLWvWKoAnxbzckye2uk1gHO52d8AVL3mGiX8wBJkjc/pMdxrEvvCzJkltBmqxTM6XjDJALuVh16qFlqgTWCIcb7ju"
3. Use the following example to verify that the certificate was removed successfully.
$RevokedClientCert1 = "NameofCertificate"
$RevokedThumbprint1 = "51ab1edd8da4cfed77e20061c5eb6d2ef2f778c7"
$GWName = "Name_of_virtual_network_gateway"
$RG = "Name_of_resource_group"
4. Add the thumbprint to the list of revoked certificates. You see "Succeeded" when the thumbprint has been
added.
5. Verify that the thumbprint was added to the certificate revocation list.
6. After the thumbprint has been added, the certificate can no longer be used to connect. Clients that try to
connect using this certificate receive a message saying that the certificate is no longer valid.
To reinstate a client certificate
You can reinstate a client certificate by removing the thumbprint from the list of revoked client certificates.
1. Declare the variables. Make sure you declare the correct thumbprint for the certificate that you want to
reinstate.
$RevokedClientCert1 = "NameofCertificate"
$RevokedThumbprint1 = "51ab1edd8da4cfed77e20061c5eb6d2ef2f778c7"
$GWName = "Name_of_virtual_network_gateway"
$RG = "Name_of_resource_group"
Point-to-Site FAQ
How many VPN client endpoints can I have in my Point-to -Site configuration?
We support up to 128 VPN clients to be able to connect to a virtual network at the same time.
What client operating systems can I use with Point-to -Site?
The following client operating systems are supported:
Windows 7 (32-bit and 64-bit)
Windows Server 2008 R2 (64-bit only)
Windows 8.1 (32-bit and 64-bit)
Windows Server 2012 (64-bit only)
Windows Server 2012 R2 (64-bit only)
Windows Server 2016 (64-bit only)
Windows 10
Mac OS X version 10.11 (El Capitan)
Mac OS X version 10.12 (Sierra)
Linux (StrongSwan)
iOS
NOTE
Starting July 1, 2018, support is being removed for TLS 1.0 and 1.1 from Azure VPN Gateway. VPN Gateway will support
only TLS 1.2. To maintain support, see the updates to enable support for TLS1.2.
Additionally, the following legacy algorithms will also be deprecated for TLS on July 1, 2018:
RC4 (Rivest Cipher 4)
DES (Data Encryption Algorithm)
3DES (Triple Data Encryption Algorithm)
MD5 (Message Digest 5)
How do I enable support for TLS 1.2 in Windows 7 and Windows 8.1?
1. Open a command prompt with elevated privileges by right-clicking on Command Prompt and selecting Run
as administrator.
2. Run the following commands in the command prompt:
Next steps
Once your connection is complete, you can add virtual machines to your virtual networks. For more information,
see Virtual Machines. To understand more about networking and virtual machines, see Azure and Linux VM
network overview.
For P2S troubleshooting information, Troubleshooting: Azure point-to-site connection problems.
Generate and export certificates for Point-to-Site
using PowerShell
9/10/2018 • 7 minutes to read • Edit Online
Point-to-Site connections use certificates to authenticate. This article shows you how to create a self-signed root
certificate and generate client certificates using PowerShell on Windows 10 or Windows Server 2016. If you are
looking for different certificate instructions, see Certificates - Linux or Certificates - MakeCert.
You must perform the steps in this article on a computer running Windows 10 or Windows Server 2016. The
PowerShell cmdlets that you use to generate certificates are part of the operating system and do not work on
other versions of Windows. The Windows 10 or Windows Server 2016 computer is only needed to generate the
certificates. Once the certificates are generated, you can upload them, or install them on any supported client
operating system.
If you do not have access to a Windows 10 or Windows Server 2016 computer, you can use MakeCert to
generate certificates. The certificates that you generate using either method can be installed on any supported
client operating system.
Example 2
If you are creating additional client certificates, or are not using the same PowerShell session that you used to
create your self-signed root certificate, use the following steps:
1. Identify the self-signed root certificate that is installed on the computer. This cmdlet returns a list of
certificates that are installed on your computer.
2. Locate the subject name from the returned list, then copy the thumbprint that is located next to it to a text
file. In the following example, there are two certificates. The CN name is the name of the self-signed root
certificate from which you want to generate a child certificate. In this case, 'P2SRootCert'.
Thumbprint Subject
AED812AD883826FF76B4D1D5A77B3C08EFA79F3F CN=P2SChildCert4
7181AA8C1B4D34EEDB2F3D3BEC5839F3FE52D655 CN=P2SRootCert
3. Declare a variable for the root certificate using the thumbprint from the previous step. Replace
THUMBPRINT with the thumbprint of the root certificate from which you want to generate a child
certificate.
For example, using the thumbprint for P2SRootCert in the previous step, the variable looks like this:
4. Modify and run the example to generate a client certificate. If you run the following example without
modifying it, the result is a client certificate named 'P2SChildCert'. If you want to name the child
certificate something else, modify the CN value. Do not change the TextExtension when running this
example. The client certificate that you generate is automatically installed in 'Certificates - Current
User\Personal\Certificates' on your computer.
New-SelfSignedCertificate -Type Custom -DnsName P2SChildCert -KeySpec Signature `
-Subject "CN=P2SChildCert" -KeyExportPolicy Exportable `
-HashAlgorithm sha256 -KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" `
-Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")
4. On the Export File Format page, select Base-64 encoded X.509 (.CER)., and then click Next.
5. For File to Export, Browse to the location to which you want to export the certificate. For File name,
name the certificate file. Then, click Next.
9. If you open the exported certificate using Notepad, you see something similar to this example. The section
in blue contains the information that is uploaded to Azure. If you open your certificate with Notepad and
it does not look similar to this, typically this means you did not export it using the Base-64 encoded
X.509(.CER ) format. Additionally, if you want to use a different text editor, understand that some editors
can introduce unintended formatting in the background. This can create problems when uploaded the text
from this certificate to Azure.
Export the self-signed root certificate and private key to store it (optional)
You may want to export the self-signed root certificate and store it safely as backup. If need be, you can later
install it on another computer and generate more client certifiates. To export the self-signed root certificate as a
.pfx, select the root certificate and use the same steps as described in Export a client certificate.
3. Select Yes, export the private key, and then click Next.
4. On the Export File Format page, leave the defaults selected. Make sure that Include all certificates in
the certification path if possible is selected. This setting additionally exports the root certificate
information that is required for successful client authentication. Without it, client authentication fails
because the client doesn't have the trusted root certificate. Then, click Next.
5. On the Security page, you must protect the private key. If you select to use a password, make sure to
record or remember the password that you set for this certificate. Then, click Next.
6. On the File to Export, Browse to the location to which you want to export the certificate. For File name,
name the certificate file. Then, click Next.
7. Click Finish to export the certificate.
Point-to-Site connections use certificates to authenticate. This article shows you how to create a self-signed root
certificate and generate client certificates using MakeCert. If you are looking for different certificate instructions,
see Certificates - PowerShell or Certificates - Linux.
While we recommend using the Windows 10 PowerShell steps to create your certificates, we provide these
MakeCert instructions as an optional method. The certificates that you generate using either method can be
installed on any supported client operating system. However, MakeCert has the following limitation:
MakeCert is deprecated. This means that this tool could be removed at any point. Any certificates that you
already generated using MakeCert won't be affected when MakeCert is no longer available. MakeCert is only
used to generate the certificates, not as a validating mechanism.
3. Create and install a certificate in the Personal certificate store on your computer. The following example
creates a corresponding .cer file that you upload to Azure when configuring P2S. Replace 'P2SRootCert'
and 'P2SRootCert.cer' with the name that you want to use for the certificate. The certificate is located in
your 'Certificates - Current User\Personal\Certificates'.
3. Select No, do not export the private key, and then click Next.
4. On the Export File Format page, select Base-64 encoded X.509 (.CER)., and then click Next.
5. For File to Export, Browse to the location to which you want to export the certificate. For File name,
name the certificate file. Then, click Next.
6. Click Finish to export the certificate.
The exported.cer file must be uploaded to Azure. For instructions, see Configure a Point-to-Site connection. To
add an additional trusted root certificate, see this section of the article.
Export the self-signed certificate and private key to store it (optional)
You may want to export the self-signed root certificate and store it safely. If need be, you can later install it on
another computer and generate more client certificates, or export another .cer file. To export the self-signed root
certificate as a .pfx, select the root certificate and use the same steps as described in Export a client certificate.
makecert.exe -n "CN=P2SChildCert" -pe -sky exchange -m 96 -ss My -in "P2SRootCert" -is my -a sha256
4. On the Export File Format page, leave the defaults selected. Make sure that Include all certificates in
the certification path if possible is selected. This setting additionally exports the root certificate
information that is required for successful client authentication. Without it, client authentication fails
because the client doesn't have the trusted root certificate. Then, click Next.
5. On the Security page, you must protect the private key. If you select to use a password, make sure to
record or remember the password that you set for this certificate. Then, click Next.
6. On the File to Export, Browse to the location to which you want to export the certificate. For File
name, name the certificate file. Then, click Next.
7. Click Finish to export the certificate.
Next steps
Continue with your Point-to-Site configuration.
For Resource Manager deployment model steps, see Configure P2S using native Azure certificate
authentication.
For classic deployment model steps, see Configure a Point-to-Site VPN connection to a VNet (classic).
For P2S troubleshooting information, Troubleshooting Azure point-to-site connections.
Generate and export certificates for Point-to-Site
using Linux strongSwan CLI
9/10/2018 • 2 minutes to read • Edit Online
Point-to-Site connections use certificates to authenticate. This article shows you how to create a self-signed root
certificate and generate client certificates using the Linux CLI and strongSwan. If you are looking for different
certificate instructions, see the Powershell or MakeCert articles.
NOTE
The steps in this article require strongSwan.
The computer configuration used for the steps for this article was the following:
Install strongSwan
1. apt-get install strongswan-ikev2 strongswan-plugin-eap-tls
2. apt-get install libstrongswan-standard-plugins
For information about how to install strongSwan using the GUI, see the steps in the Client configuration article.
2. Print the CA certificate in base64 format. This is the format that is supported by Azure. You will later
upload this to Azure as part of your P2S configuration.
4. Generate a p12 bundle containing the user certificate. This bundle will be used in the next steps when
working with the Client configuration files.
openssl pkcs12 -in "${USERNAME}Cert.pem" -inkey "${USERNAME}Key.pem" -certfile caCert.pem -export -out
"${USERNAME}.p12" -password "pass:${PASSWORD}"
Next steps
Continue with your Point-to-Site configuration to Create and install VPN client configuration files.
Install client certificates for P2S certificate
authentication connections
9/10/2018 • 2 minutes to read • Edit Online
All clients that connect to a virtual network using Point-to-Site Azure certificate authentication require a client
certificate. This article helps you install a client certificate that is used for authentication when connecting to a
VNet using P2S.
Windows
If you want to create a P2S connection from a client computer other than the one you used to generate the client
certificates, you need to install a client certificate. When installing a client certificate, you need the password that
was created when the client certificate was exported.
1. Locate and copy the .pfx file to the client computer. On the client computer, double-click the.pfx file to install.
Leave the Store Location as Current User, and then click Next.
2. On the File to import page, don't make any changes. Click Next.
3. On the Private key protection page, input the password for the certificate, or verify that the security principal
is correct, then click Next.
4. On the Certificate Store page, leave the default location, and then click Next.
5. Click Finish. On the Security Warning for the certificate installation, click Yes. You can feel comfortable
clicking 'Yes' because you generated the certificate. The certificate is now successfully imported.
Mac
NOTE
Mac VPN clients are supported for the Resource Manager deployment model only. They are not supported for the classic
deployment model.
When installing a client certificate, you need the password that was created when the client certificate was
exported.
1. Locate the .pfx certificate file and copy it to your Mac. You can get the certificate to the Mac in several ways, for
example, you can email the certificate file.
2. After the certificate copied to the Mac, double-click the certificate to open the Add Certificates box, the
click Add to begin the install.
3. Enter the password that you created when the client certificate was exported. The password protects the
private key of the certificate. Click OK to complete the installation.
Linux
The Linux client certificate is installed on the client as part of the client configuration. See Client configuration -
Linux for instructions.
Next steps
Continue with the Point-to-Site configuration steps to Create and install VPN client configuration files.
Create and install VPN client configuration files for
native Azure certificate authentication P2S
configurations
9/10/2018 • 8 minutes to read • Edit Online
VPN client configuration files are contained in a zip file. Configuration files provide the settings required for a
native Windows, Mac IKEv2 VPN, or Linux clients to connect to a VNet over Point-to-Site connections that use
native Azure certificate authentication. For more information about Point-to-Site connections, see About Point-to-
Site VPN.
IMPORTANT
Starting July 1, 2018, support is being removed for TLS 1.0 and 1.1 from Azure VPN Gateway. VPN Gateway will support
only TLS 1.2. Only point-to-site connections are impacted; site-to-site connections will not be affected. If you’re using TLS for
point-to-site VPNs on Windows 10 clients, you don’t need to take any action. If you are using TLS for point-to-site
connections on Windows 7 and Windows 8 clients, see the VPN Gateway FAQ for update instructions.
NOTE
Client configuration files are specific to the VPN configuration for the VNet. If there are any changes to the Point-to-Site VPN
configuration after you generate the VPN client configuration files, such as the VPN protocol type or authentication type, be
sure to generate new VPN client configuration files for your user devices.
$profile.VPNProfileSASUrl
2. Copy the URL to your browser to download the zip file, then unzip the file to view the folders.
Windows
You can use the same VPN client configuration package on each Windows client computer, as long as the version
matches the architecture for the client. For the list of client operating systems that are supported, see the Point-to-
Site section of the VPN Gateway FAQ.
NOTE
You must have Administrator rights on the Windows client computer from which you want to connect.
Use the following steps to configure the native Windows VPN client for certificate authentication:
1. Select the VPN client configuration files that correspond to the architecture of the Windows computer. For a
64-bit processor architecture, choose the 'VpnClientSetupAmd64' installer package. For a 32-bit processor
architecture, choose the 'VpnClientSetupX86' installer package.
2. Double-click the package to install it. If you see a SmartScreen popup, click More info, then Run anyway.
3. On the client computer, navigate to Network Settings and click VPN. The VPN connection shows the name of
the virtual network that it connects to.
4. Before you attempt to connect, verify that you have installed a client certificate on the client computer. A client
certificate is required for authentication when using the native Azure certificate authentication type. For more
information about generating certificates, see Generate Certificates. For information about how to install a
client certificate, see Install a client certificate.
Mac (OS X)
You have to manually configure the native IKEv2 VPN client on every Mac that will connect to Azure. Azure does
not provide mobileconfig file for native Azure certificate authentication. The Generic contains all of the
information that you need for configuration. If you don't see the Generic folder in your download, it's likely that
IKEv2 was not selected as a tunnel type. Once IKEv2 is selected, generate the zip file again to retrieve the Generic
folder.
The Generic folder contains the following files:
VpnSettings.xml, which contains important settings like server address and tunnel type.
VpnServerRoot.cer, which contains the root certificate required to validate the Azure VPN Gateway during
P2S connection setup.
Use the following steps to configure the native VPN client on Mac for certificate authentication. You have to
complete these steps on every Mac that will connect to Azure:
1. Import the VpnServerRoot root certificate to your Mac. This can be done by copying the file over to your
Mac and double-clicking on it.
Click Add to import.
NOTE
Double-clicking on the certificate may not display the Add dialog, but the certificate is installed in the correct store.
You can check for the certificate in the login keychain under the certificates category.
2. Verify that you have installed a client certificate that was issued by the root certificate that you uploaded to
Azure when you configured you P2S settings. This is different from the VPNServerRoot that you installed
in the previous step. The client certificate is used for authentication and is required. For more information
about generating certificates, see Generate Certificates. For information about how to install a client
certificate, see Install a client certificate.
3. Open the Network dialog under Network Preferences and click '+' to create a new VPN client
connection profile for a P2S connection to the Azure VNet.
The Interface value is 'VPN' and VPN Type value is 'IKEv2'. Specify a name for the profile in the Service
Name field, then click Create to create the VPN client connection profile.
4. In the Generic folder, from the VpnSettings.xml file, copy the VpnServer tag value. Paste this value in the
Server Address and Remote ID fields of the profile.
5. Click Authentication Settings and select Certificate.
6. Click Select… to choose the client certificate that you want to use for authentication. This is the certificate
that you installed in Step 2.
7. Choose An Identity displays a list of certificates for you to choose from. Select the proper certificate, then
click Continue.
8. In the Local ID field, specify the name of the certificate (from Step 6). In this example, it is
"ikev2Client.com". Then, click Apply button to save the changes.
9. On the Network dialog, click Apply to save all changes. Then, click Connect to start the P2S connection to the
Azure VNet.
C:\ OpenSLL-Win64\bin> openssl pkcs12 -in clientcert.pfx -nocerts -out privatekey.pem -nodes
4. Now run the following command to extract the public cert and save it to a new file:
C:\ OpenSLL-Win64\bin> openssl pkcs12 -in clientcert.pfx -nokeys -out publiccert.pem -nodes
2. Select the Network Manager icon (up-arrow/down-arrow ), then select Edit Connections.
4. Select IPsec/IKEv2 (strongswan) from the drop-down menu, and then click Create. You can rename your
connection in this step.
5. Open the VpnSettings.xml file from the Generic folder contained in the downloaded client configuration
files. Find the tag called VpnServer and copy the name, beginning with 'azuregateway' and ending with
'.cloudapp.net'.
6. Paste this name into the Address field of your new VPN connection in the Gateway section. Next, select the
folder icon at the end of the Certificate field, browse to the Generic folder, and select the VpnServerRoot file.
7. In the Client section of the connection, for Authentication, select Certificate/private key. For
Certificate and Private key, choose the certificate and the private key that were created earlier. In
Options, select Request an inner IP address. Then, click Add.
8. Click the Network Manager icon (up-arrow/down-arrow ) and hover over VPN Connections. You see the
VPN connection that you created. Click to initiate the connection.
# ipsec restart
# ipsec up azure
Next steps
Return to the article to complete your P2S configuration.
To troubleshoot P2S connections, see the following articles:
Troubleshooting Azure point-to-site connections
Troubleshoot VPN connections from Mac OS X VPN clients
Configure a Point-to-Site connection to a VNet using
RADIUS authentication: PowerShell
6/11/2018 • 18 minutes to read • Edit Online
This article shows you how to create a VNet with a Point-to-Site connection that uses RADIUS authentication.
This configuration is only available for the Resource Manager deployment model.
A Point-to-Site (P2S ) VPN gateway lets you create a secure connection to your virtual network from an individual
client computer. Point-to-Site VPN connections are useful when you want to connect to your VNet from a remote
location, such as when you are telecommuting from home or a conference. A P2S VPN is also a useful solution to
use instead of a Site-to-Site VPN when you have only a few clients that need to connect to a VNet.
A P2S VPN connection is started from Windows and Mac devices. Connecting clients can use the following
authentication methods:
RADIUS server
VPN Gateway native certificate authentication
This article helps you configure a P2S configuration with authentication using RADIUS server. If you want to
authenticate using generated certificates and VPN gateway native certificate authentication instead, see Configure
a Point-to-Site connection to a VNet using VPN gateway native certificate authentication.
Point-to-Site connections do not require a VPN device or a public-facing IP address. P2S creates the VPN
connection over either SSTP (Secure Socket Tunneling Protocol), or IKEv2.
SSTP is an SSL -based VPN tunnel that is supported only on Windows client platforms. It can penetrate
firewalls, which makes it an ideal option to connect to Azure from anywhere. On the server side, we
support SSTP versions 1.0, 1.1, and 1.2. The client decides which version to use. For Windows 8.1 and
above, SSTP uses 1.2 by default.
IKEv2 VPN, a standards-based IPsec VPN solution. IKEv2 VPN can be used to connect from Mac devices
(OSX versions 10.11 and above).
P2S connections require the following:
A RouteBased VPN gateway.
A RADIUS server to handle user authentication. The RADIUS server can be deployed on-premises, or in the
Azure VNet.
A VPN client configuration package for the Windows devices that will connect to the VNet. A VPN client
configuration package provides the settings required for a VPN client to connect over P2S.
IMPORTANT
Only a VPN Site-to-Site connection can be used for connecting to a RADIUS server on-premises. An ExpressRoute
connection cannot be used.
Before beginning
Verify that you have an Azure subscription. If you don't already have an Azure subscription, you can
activate your MSDN subscriber benefits or sign up for a free account.
Install the latest version of the Azure Resource Manager PowerShell cmdlets. For more information about
installing PowerShell cmdlets, see How to install and configure Azure PowerShell.
Log in
Before beginning this configuration, you must sign in to your Azure account. The cmdlet prompts you for the sign-
in credentials for your Azure account. After signing in, it downloads your account settings so they are available to
Azure PowerShell. For more information, see Using Windows PowerShell with Resource Manager.
To sign in, open your PowerShell console with elevated privileges, and connect to your account. Use the following
example to help you connect:
Connect-AzureRmAccount
If you have multiple Azure subscriptions, check the subscriptions for the account.
Get-AzureRmSubscription
Example values
You can use the example values to create a test environment, or refer to these values to better understand the
examples in this article. You can either use the steps as a walk-through and use the values without changing them,
or change them to reflect your environment.
Name: VNet1
Address space: 192.168.0.0/16 and 10.254.0.0/16
For this example, we use more than one address space to illustrate that this configuration works with multiple
address spaces. However, multiple address spaces are not required for this configuration.
Subnet name: FrontEnd
Subnet address range: 192.168.1.0/24
Subnet name: BackEnd
Subnet address range: 10.254.1.0/24
Subnet name: GatewaySubnet
The Subnet name GatewaySubnet is mandatory for the VPN gateway to work.
GatewaySubnet address range: 192.168.200.0/24
VPN client address pool: 172.16.201.0/24
VPN clients that connect to the VNet using this Point-to-Site connection receive an IP address from the VPN
client address pool.
Subscription: If you have more than one subscription, verify that you are using the correct one.
Resource Group: TestRG
Location: East US
DNS Server: IP address of the DNS server that you want to use for name resolution for your VNet.
(optional)
GW Name: Vnet1GW
Public IP name: VNet1GWPIP
VpnType: RouteBased
2. Create the subnet configurations for the virtual network, naming them FrontEnd, BackEnd, and
GatewaySubnet. These prefixes must be part of the VNet address space that you declared.
4. A VPN gateway must have a Public IP address. You first request the IP address resource, and then refer to
it when creating your virtual network gateway. The IP address is dynamically assigned to the resource
when the VPN gateway is created. VPN Gateway currently only supports Dynamic Public IP address
allocation. You cannot request a Static Public IP address assignment. However, this does not mean that the
IP address changes after it has been assigned to your VPN gateway. The only time the Public IP address
changes is when the gateway is deleted and re-created. It doesn't change across resizing, resetting, or other
internal maintenance/upgrades of your VPN gateway.
Specify the variables to request a dynamically assigned Public IP address.
2. You are prompted to enter the RADIUS secret. The characters that you enter will not be displayed and
instead will be replaced by the "*" character.
RadiusSecret:***
3. Add the VPN client address pool and the RADIUS server information.
For SSTP configurations:
6. Connect to Azure
To connect from a Windows VPN client
1. To connect to your VNet, on the client computer, navigate to VPN connections and locate the VPN
connection that you created. It is named the same name as your virtual network. Enter your domain
credentials and click'Connect'. A pop-up message requesting elevated rights appears. Accept it and enter
the credentials.
foreach($Nic in $Nics)
{
$VM = $VMs | Where-Object -Property Id -eq $Nic.VirtualMachine.Id
$Prv = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAddress
$Alloc = $Nic.IpConfigurations | Select-Object -ExpandProperty PrivateIpAllocationMethod
Write-Output "$($VM.Name): $Prv,$Alloc"
}
2. Verify that you are connected to your VNet using the Point-to-Site VPN connection.
3. Open Remote Desktop Connection by typing "RDP" or "Remote Desktop Connection" in the search box on
the taskbar, then select Remote Desktop Connection. You can also open Remote Desktop Connection using the
'mstsc' command in PowerShell.
4. In Remote Desktop Connection, enter the private IP address of the VM. You can click "Show Options" to adjust
additional settings, then connect.
To troubleshoot an RDP connection to a VM
If you are having trouble connecting to a virtual machine over your VPN connection, check the following:
Verify that your VPN connection is successful.
Verify that you are connecting to the private IP address for the VM.
Use 'ipconfig' to check the IPv4 address assigned to the Ethernet adapter on the computer from which you are
connecting. If the IP address is within the address range of the VNet that you are connecting to, or within the
address range of your VPNClientAddressPool, this is referred to as an overlapping address space. When your
address space overlaps in this way, the network traffic doesn't reach Azure, it stays on the local network.
If you can connect to the VM using the private IP address, but not the computer name, verify that you have
configured DNS properly. For more information about how name resolution works for VMs, see Name
Resolution for VMs.
Verify that the VPN client configuration package was generated after the DNS server IP addresses were
specified for the VNet. If you updated the DNS server IP addresses, generate and install a new VPN client
configuration package.
For more information about RDP connections, see Troubleshoot Remote Desktop connections to a VM.
FAQ
This FAQ applies to P2S using RADIUS authentication
How many VPN client endpoints can I have in my Point-to -Site configuration?
We support up to 128 VPN clients to be able to connect to a virtual network at the same time.
What client operating systems can I use with Point-to -Site?
The following client operating systems are supported:
Windows 7 (32-bit and 64-bit)
Windows Server 2008 R2 (64-bit only)
Windows 8.1 (32-bit and 64-bit)
Windows Server 2012 (64-bit only)
Windows Server 2012 R2 (64-bit only)
Windows Server 2016 (64-bit only)
Windows 10
Mac OS X version 10.11 (El Capitan)
Mac OS X version 10.12 (Sierra)
Linux (StrongSwan)
iOS
NOTE
Starting July 1, 2018, support is being removed for TLS 1.0 and 1.1 from Azure VPN Gateway. VPN Gateway will support
only TLS 1.2. To maintain support, see the updates to enable support for TLS1.2.
Additionally, the following legacy algorithms will also be deprecated for TLS on July 1, 2018:
RC4 (Rivest Cipher 4)
DES (Data Encryption Algorithm)
3DES (Triple Data Encryption Algorithm)
MD5 (Message Digest 5)
How do I enable support for TLS 1.2 in Windows 7 and Windows 8.1?
1. Open a command prompt with elevated privileges by right-clicking on Command Prompt and selecting Run
as administrator.
2. Run the following commands in the command prompt:
Next steps
Once your connection is complete, you can add virtual machines to your virtual networks. For more information,
see Virtual Machines. To understand more about networking and virtual machines, see Azure and Linux VM
network overview.
Create and install VPN client configuration files for
P2S RADIUS authentication
6/8/2018 • 11 minutes to read • Edit Online
To connect to a virtual network over point-to-site (P2S ), you need to configure the client device that you'll connect
from. You can create P2S VPN connections from Windows, Mac OS X, and Linux client devices.
When you're using RADIUS authentication, there are multiple authentication options: username/password
authentication, certificate authentication, and other authentication types. The VPN client configuration is different
for each type of authentication. To configure the VPN client, you use client configuration files that contain the
required settings. This article helps you create and install the VPN client configuration for the RADIUS
authentication type that you want to use.
IMPORTANT
Starting July 1, 2018, support is being removed for TLS 1.0 and 1.1 from Azure VPN Gateway. VPN Gateway will support
only TLS 1.2. Only point-to-site connections are impacted; site-to-site connections will not be affected. If you’re using TLS for
point-to-site VPNs on Windows 10 clients, you don’t need to take any action. If you are using TLS for point-to-site
connections on Windows 7 and Windows 8 clients, see the VPN Gateway FAQ for update instructions.
IMPORTANT
If there are any changes to the point-to-site VPN configuration after you generate the VPN client configuration profile, such
as the VPN protocol type or authentication type, you must generate and install a new VPN client configuration on your
users' devices.
To use the sections in this article, first decide which type of authentication you want to use: username/password,
certificate, or other types of authentication. Each section has steps for Windows, Mac OS X, and Linux (limited
steps available at this time).
Username/password authentication
You can configure username/password authentication to either use Active Directory or not use Active Directory.
With either scenario, make sure that all connecting users have username/password credentials that can be
authenticated through RADIUS.
When you configure username/password authentication, you can only create a configuration for the EAP -
MSCHAPv2 username/password authentication protocol. In the commands, -AuthenticationMethod is
EapMSChapv2 .
Running the command returns a link. Copy and paste the link to a web browser to download
VpnClientConfiguration.zip. Unzip the file to view the following folders:
WindowsAmd64 and WindowsX86: These folders contain the Windows 64-bit and 32-bit installer packages,
respectively.
Generic: This folder contains general information that you use to create your own VPN client configuration.
You don't need this folder for username/password authentication configurations.
Mac: If you configured IKEv2 when you created the virtual network gateway, you see a folder named Mac that
contains a mobileconfig file. You use this file to configure Mac clients.
If you already created client configuration files, you can retrieve them by using the
Get-AzureRmVpnClientConfiguration cmdlet. But if you make any changes to your P2S VPN configuration, such as
the VPN protocol type or authentication type, the configuration isn’t updated automatically. You must run the
New-AzureRmVpnClientConfiguration cmdlet to create a new configuration download.
To retrieve previously generated client configuration files, use the following command:
4. Select Continue to trust the sender of the profile and proceed with the installation.
5. During profile installation, you have the option to specify the username and password for VPN
authentication. It's not mandatory to enter this information. If you do, the information is saved and
automatically used when you initiate a connection. Select Install to proceed.
6. Enter a username and password for the privileges that are required to install the profile on your computer.
Select OK.
7. After the profile is installed, it's visible in the Profiles dialog box. You can also open this dialog box later
from System Preferences.
8. To access the VPN connection, open the Network dialog box from System Preferences.
9. The VPN connection appears as IkeV2-VPN. You can change the name by updating the mobileconfig file.
10. Select Authentication Settings. Select Username in the list and enter your credentials. If you entered the
credentials earlier, then Username is automatically chosen in the list and the username and password are
prepopulated. Select OK to save the settings.
11. Back in the Network dialog box, select Apply to save the changes. To initiate the connection, select Connect.
Linux VPN client setup through strongSwan
The following instructions were created through strongSwan 5.5.1 on Ubuntu 17.0.4. Actual screens might be
different, depending on your version of Linux and strongSwan.
1. Open the Terminal to install strongSwan and its Network Manager by running the command in the
example. If you receive an error that's related to libcharon-extra-plugins , replace it with
strongswan-plugin-eap-mschapv2 .
2. Select the Network Manager icon (up-arrow/down-arrow ), and select Edit Connections.
3. Select the Add button to create a new connection.
4. Select IPsec/IKEv2 (strongswan) from the drop-down menu, and then select Create. You can rename
your connection in this step.
5. Open the VpnSettings.xml file from the Generic folder of the downloaded client configuration files. Find
the tag called VpnServer and copy the name, beginning with azuregateway and ending with .cloudapp.net .
6. Paste this name into the Address field of your new VPN connection in the Gateway section. Next, select the
folder icon at the end of the Certificate field, browse to the Generic folder, and select the VpnServerRoot file.
7. In the Client section of the connection, select EAP for Authentication, and enter your username and
password. You might have to select the lock icon on the right to save this information. Then, select Save.
8. Select the Network Manager icon (up-arrow/down-arrow ) and hover over VPN Connections. You see
the VPN connection that you created. To initiate the connection, select it.
Certificate authentication
You can create VPN client configuration files for RADIUS certificate authentication that uses the EAP -TLS
protocol. Typically, an enterprise-issued certificate is used to authenticate a user for VPN. Make sure that all
connecting users have a certificate installed on their devices, and that your RADIUS server can validate the
certificate.
NOTE
Starting July 1, 2018, support is being removed for TLS 1.0 and 1.1 from Azure VPN Gateway. VPN Gateway will support
only TLS 1.2. Only point-to-site connections are impacted; site-to-site connections will not be affected. If you’re using TLS for
point-to-site VPNs on Windows 10 clients, you don’t need to take any action. If you are using TLS for point-to-site
connections on Windows 7 and Windows 8 clients, see the VPN Gateway FAQ for update instructions.
In the commands, -AuthenticationMethod is EapTls . During certificate authentication, the client validates the
RADIUS server by validating its certificate. -RadiusRootCert is the .cer file that contains the root certificate that's
used to validate the RADIUS server.
Each VPN client device requires an installed client certificate. Sometimes a Windows device has multiple client
certificates. During authentication, this can result in a pop-up dialog box that lists all the certificates. The user must
then choose the certificate to use. The correct certificate can be filtered out by specifying the root certificate that
the client certificate should chain to.
-ClientRootCert is the .cer file that contains the root certificate. It's an optional parameter. If the device that you
want to connect from has only one client certificate, you don't have to specify this parameter.
1. Generate VPN client configuration files
Generate VPN client configuration files for use with certificate authentication. You can generate the VPN client
configuration files by using the following command:
Running the command returns a link. Copy and paste the link to a web browser to download
VpnClientConfiguration.zip. Unzip the file to view the following folders:
WindowsAmd64 and WindowsX86: These folders contain the Windows 64-bit and 32-bit installer packages,
respectively.
GenericDevice: This folder contains general information that's used to create your own VPN client
configuration.
If you already created client configuration files, you can retrieve them by using the
Get-AzureRmVpnClientConfiguration cmdlet. But if you make any changes to your P2S VPN configuration, such as
the VPN protocol type or authentication type, the configuration isn’t updated automatically. You must run the
New-AzureRmVpnClientConfiguration cmdlet to create a new configuration download.
To retrieve previously generated client configuration files, use the following command:
2. Each client requires a client certificate for authentication. Install the client certificate on the client device.
3. Open the Network dialog box under Network Preferences. Select + to create a new VPN client
connection profile for a P2S connection to the Azure virtual network.
The Interface value is VPN, and the VPN Type value is IKEv2. Specify a name for the profile in the
Service Name box, and then select Create to create the VPN client connection profile.
4. In the Generic folder, from the VpnSettings.xml file, copy the VpnServer tag value. Paste this value in the
Server Address and Remote ID boxes of the profile. Leave the Local ID box blank.
7. Choose An Identity displays a list of certificates for you to choose from. Select the proper certificate, and
then select Continue.
8. In the Local ID box, specify the name of the certificate (from Step 6). In this example, it's ikev2Client.com.
Then, select the Apply button to save the changes.
9. In the Network dialog box, select Apply to save all changes. Then, select Connect to start the P2S connection
to the Azure virtual network.
Working with other authentication types or protocols
To use a different authentication type (for example, OTP ), or to use a different authentication protocol (such as
PEAP -MSCHAPv2 instead of EAP -MSCHAPv2), you must create your own VPN client configuration profile. To
create the profile, you need information such as the virtual network gateway IP address, tunnel type, and split-
tunnel routes. You can get this information by using the following steps:
1. Use the Get-AzureRmVpnClientConfiguration cmdlet to generate the VPN client configuration for
EapMSChapv2. For instructions, see this section of the article.
2. Unzip the VpnClientConfiguration.zip file and look for the GenenericDevice folder. Ignore the folders that
contain the Windows installers for 64-bit and 32-bit architectures.
3. The GenenericDevice folder contains an XML file called VpnSettings. This file contains all the required
information:
VpnServer: FQDN of the Azure VPN gateway. This is the address that the client connects to.
VpnType: Tunnel type that you use to connect.
Routes: Routes that you have to configure in your profile so that only traffic that's bound for the Azure
virtual network is sent over the P2S tunnel.
The GenenericDevice folder also contains a .cer file called VpnServerRoot. This file contains the root
certificate that's required to validate the Azure VPN gateway during P2S connection setup. Install the
certificate on all devices that will connect to the Azure virtual network.
Next steps
Return to the article to complete your P2S configuration.
For P2S troubleshooting information, see Troubleshooting Azure point-to-site connections.
Integrate Azure VPN gateway RADIUS authentication
with NPS server for Multi-Factor Authentication
7/13/2018 • 2 minutes to read • Edit Online
The article describes how to integrate Network Policy Server (NPS ) with Azure VPN gateway RADIUS
authentication to deliver Multi-Factor Authentication (MFA) for point-to-site VPN connections.
Prerequisite
To enable MFA, the users must be in Azure Active Directory (Azure AD ), which must be synced from either the on-
premises or cloud environment. Also, the user must have already completed the auto-enrollment process for MFA.
For more information, see Set up my account for two-step verification
Detailed steps
Step 1: Create a virtual network gateway
1. Log on to the Azure portal.
2. In the virtual network that will host the virtual network gateway, select Subnets, and then select Gateway
subnet to create a subnet.
4. Go to Policies > Network Policies, double-click Connections to Microsoft Routing and Remote
Access server policy, select Grant access, and then click OK.
Step 3 Configure the virtual network gateway
1. Log on to Azure portal.
2. Open the virtual network gateway that you created. Make sure that the gateway type is set to VPN and that the
VPN type is route-based.
3. Click Point to site configuration > Configure now, and then specify the following settings:
Address pool: Type the gateway subnet you created in the step 1.
Authentication type: Select RADIUS authentication.
Server IP address: Type the IP address of the NPS server.
Next steps
Azure Multi-Factor Authentication
Integrate your existing NPS infrastructure with Azure Multi-Factor Authentication
Configure a VNet-to-VNet VPN gateway connection
using the Azure portal
4/18/2018 • 18 minutes to read • Edit Online
This article helps you connect virtual networks by using the VNet-to-VNet connection type. The virtual networks
can be in the same or different regions, and from the same or different subscriptions. When connecting VNets
from different subscriptions, the subscriptions do not need to be associated with the same Active Directory
tenant.
The steps in this article apply to the Resource Manager deployment model and use the Azure portal. You can also
create this configuration using a different deployment tool or deployment model by selecting a different option
from the following list:
This article helps you connect VNets using the VNet-to-VNet connection type. When using these steps as an
exercise, you can use the example settings values. In the example, the virtual networks are in the same
subscription, but in different resource groups. If your VNets are in different subscriptions, you can't create the
connection in the portal. You can use PowerShell or CLI. For more information about VNet-to-VNet connections,
see the VNet-to-VNet FAQ at the end of this article.
Example settings
Values for TestVNet1:
VNet Name: TestVNet1
Address space: 10.11.0.0/16
Subscription: Select the subscription you want to use
Resource Group: TestRG1
Location: East US
Subnet Name: FrontEnd
Subnet Address range: 10.11.0.0/24
Gateway Subnet name: GatewaySubnet (this will auto-fill in the portal)
Gateway Subnet address range: 10.11.255.0/27
DNS Server: Use the IP address of your DNS Server
Virtual Network Gateway Name: TestVNet1GW
Gateway Type: VPN
VPN type: Route-based
SKU: Select the Gateway SKU you want to use
Public IP address name: TestVNet1GWIP
Connection Name: TestVNet1toTestVNet4
Shared key: You can create the shared key yourself. For this example, we'll use abc123. The important thing is
that when you create the connection between the VNets, the value must match.
Values for TestVNet4:
VNet Name: TestVNet4
Address space: 10.41.0.0/16
Subscription: Select the subscription you want to use
Resource Group: TestRG4
Location: West US
Subnet Name: FrontEnd
Subnet Address range: 10.41.0.0/24
GatewaySubnet name: GatewaySubnet (this will auto-fill in the portal)
GatewaySubnet address range: 10.41.255.0/27
DNS Server: Use the IP address of your DNS Server
Virtual Network Gateway Name: TestVNet4GW
Gateway Type: VPN
VPN type: Route-based
SKU: Select the Gateway SKU you want to use
Public IP address name: TestVNet4GWIP
Connection Name: TestVNet4toTestVNet1
Shared key: You can create the shared key yourself. For this example, we'll use abc123. The important thing is
that when you create the connection between the VNets, the value must match.
NOTE
In order for this VNet to connect to an on-premises location you need to coordinate with your on-premises network
administrator to carve out an IP address range that you can use specifically for this virtual network. If a duplicate address
range exists on both sides of the VPN connection, traffic does not route the way you may expect it to. Additionally, if you
want to connect this VNet to another VNet, the address space cannot overlap with other VNet. Take care to plan your
network configuration accordingly.
1. From a browser, navigate to the Azure portal and, if necessary, sign in with your Azure account.
2. Click +. In the Search the marketplace field, type "Virtual Network". Locate Virtual Network from the
returned list and click to open the Virtual Network page.
3. Near the bottom of the Virtual Network page, from the Select a deployment model list, select Resource
Manager, and then click Create.
4. On the Create virtual network page, configure the VNet settings. When you fill in the fields, the red
exclamation mark becomes a green check mark when the characters entered in the field are valid. There
may be values that are auto-filled. If so, replace the values with your own. The Create virtual network
page looks similar to the following example:
IMPORTANT
When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet. Associating
a network security group to this subnet may cause your VPN gateway to stop functioning as expected. For more
information about network security groups, see What is a network security group?
4. The Name for your subnet is automatically filled in with the value 'GatewaySubnet'. This value is required
in order for Azure to recognize the subnet as the gateway subnet. Adjust the auto-filled Address range
values to match your configuration requirements, then click OK at the bottom of the page to create the
subnet.
4. Verify the settings. You can select Pin to dashboard at the bottom of the page if you want your gateway
to appear on the dashboard.
5. Click Create to begin creating the VPN gateway. The settings are validated and you'll see the "Deploying
Virtual network gateway" tile on the dashboard. Creating a gateway can take up to 45 minutes. You may need
to refresh your portal page to see the completed status.
After the gateway is created, view the IP address that has been assigned to it by looking at the virtual network in
the portal. The gateway appears as a connected device. You can click the connected device (your virtual network
gateway) to view more information.
3. On the Add connection page, in the name field, type a name for your connection. For example,
TestVNet1toTestVNet4.
4. For Connection type, select VNet-to-VNet from the dropdown.
5. The First virtual network gateway field value is automatically filled in because you are creating this
connection from the specified virtual network gateway.
6. The Second virtual network gateway field is the virtual network gateway of the VNet that you want to
create a connection to. Click Choose another virtual network gateway to open the Choose virtual
network gateway page.
7. View the virtual network gateways that are listed on this page. Notice that only virtual network gateways that
are in your subscription are listed. If you want to connect to a virtual network gateway that is not in your
subscription, please use the PowerShell article.
8. Click the virtual network gateway that you want to connect to.
9. In the Shared key field, type a shared key for your connection. You can generate or create this key yourself. In
a site-to-site connection, the key you use would be exactly the same for your on-premises device and your
virtual network gateway connection. The concept is similar here, except that rather than connecting to a VPN
device, you are connecting to another virtual network gateway.
10. Click OK at the bottom of the page to save your changes.
When data begins flowing, you see values for Data in and Data out.
VNet-to-VNet FAQ
View the FAQ details for additional information about VNet-to-VNet connections.
The VNet-to-VNet FAQ applies to VPN Gateway connections. If you are looking for VNet Peering, see Virtual
Network Peering
Does Azure charge for traffic between VNets?
VNet-to-VNet traffic within the same region is free for both directions when using a VPN gateway connection.
Cross region VNet-to-VNet egress traffic is charged with the outbound inter-VNet data transfer rates based on
the source regions. Refer to the VPN Gateway pricing page for details. If you are connecting your VNets using
VNet Peering, rather than VPN Gateway, see the Virtual Network pricing page.
Does VNet-to -VNet traffic travel across the Internet?
No. VNet-to-VNet traffic travels across the Microsoft Azure backbone, not the Internet.
Can I establish a VNet-to -VNet connection across AAD Tenants?
Yes, VNet-to-VNet connections using Azure VPN gateways work across AAD Tenants.
Is VNet-to -VNet traffic secure?
Yes, it is protected by IPsec/IKE encryption.
Do I need a VPN device to connect VNets together?
No. Connecting multiple Azure virtual networks together doesn't require a VPN device unless cross-premises
connectivity is required.
Do my VNets need to be in the same region?
No. The virtual networks can be in the same or different Azure regions (locations).
If the VNets are not in the same subscription, do the subscriptions need to be associated with the same AD
tenant?
No.
Can I use VNet-to -VNet to connect virtual networks in separate Azure instances?
No. VNet-to-VNet supports connecting virtual networks within the same Azure instance. For example, you can’t
create a connection between public Azure and the Chinese / German / US Gov Azure instances. For these
scenarios, consider using a Site-to-Site VPN connection.
Can I use VNet-to -VNet along with multi-site connections?
Yes. Virtual network connectivity can be used simultaneously with multi-site VPNs.
How many on-premises sites and virtual networks can one virtual network connect to?
See Gateway requirements table.
Can I use VNet-to -VNet to connect VMs or cloud services outside of a VNet?
No. VNet-to-VNet supports connecting virtual networks. It does not support connecting virtual machines or
cloud services that are not in a virtual network.
Can a cloud service or a load balancing endpoint span VNets?
No. A cloud service or a load balancing endpoint can't span across virtual networks, even if they are connected
together.
Can I used a PolicyBased VPN type for VNet-to -VNet or Multi-Site connections?
No. VNet-to-VNet and Multi-Site connections require Azure VPN gateways with RouteBased (previously called
Dynamic Routing) VPN types.
Can I connect a VNet with a RouteBased VPN Type to another VNet with a PolicyBased VPN type?
No, both virtual networks MUST be using route-based (previously called Dynamic Routing) VPNs.
Do VPN tunnels share bandwidth?
Yes. All VPN tunnels of the virtual network share the available bandwidth on the Azure VPN gateway and the
same VPN gateway uptime SLA in Azure.
Are redundant tunnels supported?
Redundant tunnels between a pair of virtual networks are supported when one virtual network gateway is
configured as active-active.
Can I have overlapping address spaces for VNet-to -VNet configurations?
No. You can't have overlapping IP address ranges.
Can there be overlapping address spaces among connected virtual networks and on-premises local sites?
No. You can't have overlapping IP address ranges.
Next steps
See Network Security for information about how you can limit network traffic to resources in a virtual network.
See Virtual network traffic routing for information about how Azure routes traffic between Azure, on-premises,
and Internet resources.
Configure a VNet-to-VNet VPN gateway connection
using PowerShell
9/6/2018 • 17 minutes to read • Edit Online
This article helps you connect virtual networks by using the VNet-to-VNet connection type. The virtual networks
can be in the same or different regions, and from the same or different subscriptions. When connecting VNets
from different subscriptions, the subscriptions do not need to be associated with the same Active Directory tenant.
The steps in this article apply to the Resource Manager deployment model and use PowerShell. You can also
create this configuration using a different deployment tool or deployment model by selecting a different option
from the following list:
VNets that reside in different subscriptions: The steps for this configuration use TestVNet1 and TestVNet5.
$Sub1 = "Replace_With_Your_Subcription_Name"
$RG1 = "TestRG1"
$Location1 = "East US"
$VNetName1 = "TestVNet1"
$FESubName1 = "FrontEnd"
$BESubName1 = "Backend"
$GWSubName1 = "GatewaySubnet"
$VNetPrefix11 = "10.11.0.0/16"
$VNetPrefix12 = "10.12.0.0/16"
$FESubPrefix1 = "10.11.0.0/24"
$BESubPrefix1 = "10.12.0.0/24"
$GWSubPrefix1 = "10.12.255.0/27"
$GWName1 = "VNet1GW"
$GWIPName1 = "VNet1GWIP"
$GWIPconfName1 = "gwipconf1"
$Connection14 = "VNet1toVNet4"
$Connection15 = "VNet1toVNet5"
2. Connect to your account. Use the following example to help you connect:
Connect-AzureRmAccount
Get-AzureRmSubscription
4. Create the subnet configurations for TestVNet1. This example creates a virtual network named TestVNet1
and three subnets, one called GatewaySubnet, one called FrontEnd, and one called Backend. When
substituting values, it's important that you always name your gateway subnet specifically GatewaySubnet.
If you name it something else, your gateway creation fails.
The following example uses the variables that you set earlier. In this example, the gateway subnet is using a
/27. While it is possible to create a gateway subnet as small as /29, we recommend that you create a larger
subnet that includes more addresses by selecting at least /28 or /27. This will allow for enough addresses
to accommodate possible additional configurations that you may want in the future.
5. Create TestVNet1.
6. Request a public IP address to be allocated to the gateway you will create for your VNet. Notice that the
AllocationMethod is Dynamic. You cannot specify the IP address that you want to use. It's dynamically
allocated to your gateway.
7. Create the gateway configuration. The gateway configuration defines the subnet and the public IP address
to use. Use the example to create your gateway configuration.
8. Create the gateway for TestVNet1. In this step, you create the virtual network gateway for your TestVNet1.
VNet-to-VNet configurations require a RouteBased VpnType. Creating a gateway can often take 45
minutes or more, depending on the selected gateway SKU.
$RG4 = "TestRG4"
$Location4 = "West US"
$VnetName4 = "TestVNet4"
$FESubName4 = "FrontEnd"
$BESubName4 = "Backend"
$GWSubName4 = "GatewaySubnet"
$VnetPrefix41 = "10.41.0.0/16"
$VnetPrefix42 = "10.42.0.0/16"
$FESubPrefix4 = "10.41.0.0/24"
$BESubPrefix4 = "10.42.0.0/24"
$GWSubPrefix4 = "10.42.255.0/27"
$GWName4 = "VNet4GW"
$GWIPName4 = "VNet4GWIP"
$GWIPconfName4 = "gwipconf4"
$Connection41 = "VNet4toVNet1"
4. Create TestVNet4.
7. Create the TestVNet4 gateway. Creating a gateway can often take 45 minutes or more, depending on the
selected gateway SKU.
2. Create the TestVNet1 to TestVNet4 connection. In this step, you create the connection from TestVNet1 to
TestVNet4. You'll see a shared key referenced in the examples. You can use your own values for the shared
key. The important thing is that the shared key must match for both connections. Creating a connection can
take a short while to complete.
3. Create the TestVNet4 to TestVNet1 connection. This step is similar to the one above, except you are
creating the connection from TestVNet4 to TestVNet1. Make sure the shared keys match. The connection
will be established after a few minutes.
4. Verify your connection. See the section How to verify your connection.
$Sub5 = "Replace_With_the_New_Subcription_Name"
$RG5 = "TestRG5"
$Location5 = "Japan East"
$VnetName5 = "TestVNet5"
$FESubName5 = "FrontEnd"
$BESubName5 = "Backend"
$GWSubName5 = "GatewaySubnet"
$VnetPrefix51 = "10.51.0.0/16"
$VnetPrefix52 = "10.52.0.0/16"
$FESubPrefix5 = "10.51.0.0/24"
$BESubPrefix5 = "10.52.0.0/24"
$GWSubPrefix5 = "10.52.255.0/27"
$GWName5 = "VNet5GW"
$GWIPName5 = "VNet5GWIP"
$GWIPconfName5 = "gwipconf5"
$Connection51 = "VNet5toVNet1"
2. Connect to subscription 5. Open your PowerShell console and connect to your account. Use the following
sample to help you connect:
Connect-AzureRmAccount
Get-AzureRmSubscription
5. Create TestVNet5.
Copy the output of the following elements and send these to the administrator of Subscription 5 via email
or another method.
$vnet1gw.Name
$vnet1gw.Id
These two elements will have values similar to the following example output:
PS D:\> $vnet1gw.Name
VNet1GW
PS D:\> $vnet1gw.Id
/subscriptions/b636ca99-6f88-4df4-a7c3-
2f8dc4545509/resourceGroupsTestRG1/providers/Microsoft.Network/virtualNetworkGateways/VNet1GW
2. [Subscription 5] Get the virtual network gateway for Subscription 5. Log in and connect to Subscription 5
before running the following example:
Copy the output of the following elements and send these to the administrator of Subscription 1 via email
or another method.
$vnet5gw.Name
$vnet5gw.Id
These two elements will have values similar to the following example output:
PS C:\> $vnet5gw.Name
VNet5GW
PS C:\> $vnet5gw.Id
/subscriptions/66c8e4f1-ecd6-47ed-9de7-
7e530de23994/resourceGroups/TestRG5/providers/Microsoft.Network/virtualNetworkGateways/VNet5GW
3. [Subscription 1] Create the TestVNet1 to TestVNet5 connection. In this step, you create the connection
from TestVNet1 to TestVNet5. The difference here is that $vnet5gw cannot be obtained directly because it
is in a different subscription. You will need to create a new PowerShell object with the values
communicated from Subscription 1 in the steps above. Use the example below. Replace the Name, Id, and
shared key with your own values. The important thing is that the shared key must match for both
connections. Creating a connection can take a short while to complete.
Connect to Subscription 1 before running the following example:
4. [Subscription 5] Create the TestVNet5 to TestVNet1 connection. This step is similar to the one above,
except you are creating the connection from TestVNet5 to TestVNet1. The same process of creating a
PowerShell object based on the values obtained from Subscription 1 applies here as well. In this step, be
sure that the shared keys match.
Connect to Subscription 5 before running the following example:
$vnet1gw = New-Object -TypeName Microsoft.Azure.Commands.Network.Models.PSVirtualNetworkGateway
$vnet1gw.Name = "VNet1GW"
$vnet1gw.Id = "/subscriptions/b636ca99-6f88-4df4-a7c3-
2f8dc4545509/resourceGroups/TestRG1/providers/Microsoft.Network/virtualNetworkGateways/VNet1GW "
$Connection51 = "VNet5toVNet1"
New-AzureRmVirtualNetworkGatewayConnection -Name $Connection51 -ResourceGroupName $RG5 -
VirtualNetworkGateway1 $vnet5gw -VirtualNetworkGateway2 $vnet1gw -Location $Location5 -ConnectionType
Vnet2Vnet -SharedKey 'AzureA1b2C3'
You can verify that your connection succeeded by using the 'Get-AzureRmVirtualNetworkGatewayConnection'
cmdlet, with or without '-Debug'.
1. Use the following cmdlet example, configuring the values to match your own. If prompted, select 'A' in
order to run 'All'. In the example, '-Name' refers to the name of the connection that you want to test.
2. After the cmdlet has finished, view the values. In the example below, the connection status shows as
'Connected' and you can see ingress and egress bytes.
"connectionStatus": "Connected",
"ingressBytesTransferred": 33509044,
"egressBytesTransferred": 4142431
VNet-to-VNet FAQ
The VNet-to-VNet FAQ applies to VPN Gateway connections. If you are looking for VNet Peering, see Virtual
Network Peering
Does Azure charge for traffic between VNets?
VNet-to-VNet traffic within the same region is free for both directions when using a VPN gateway connection.
Cross region VNet-to-VNet egress traffic is charged with the outbound inter-VNet data transfer rates based on
the source regions. Refer to the VPN Gateway pricing page for details. If you are connecting your VNets using
VNet Peering, rather than VPN Gateway, see the Virtual Network pricing page.
Does VNet-to -VNet traffic travel across the Internet?
No. VNet-to-VNet traffic travels across the Microsoft Azure backbone, not the Internet.
Can I establish a VNet-to -VNet connection across AAD Tenants?
Yes, VNet-to-VNet connections using Azure VPN gateways work across AAD Tenants.
Is VNet-to -VNet traffic secure?
Yes, it is protected by IPsec/IKE encryption.
Do I need a VPN device to connect VNets together?
No. Connecting multiple Azure virtual networks together doesn't require a VPN device unless cross-premises
connectivity is required.
Do my VNets need to be in the same region?
No. The virtual networks can be in the same or different Azure regions (locations).
If the VNets are not in the same subscription, do the subscriptions need to be associated with the same AD
tenant?
No.
Can I use VNet-to -VNet to connect virtual networks in separate Azure instances?
No. VNet-to-VNet supports connecting virtual networks within the same Azure instance. For example, you can’t
create a connection between public Azure and the Chinese / German / US Gov Azure instances. For these
scenarios, consider using a Site-to-Site VPN connection.
Can I use VNet-to -VNet along with multi-site connections?
Yes. Virtual network connectivity can be used simultaneously with multi-site VPNs.
How many on-premises sites and virtual networks can one virtual network connect to?
See Gateway requirements table.
Can I use VNet-to -VNet to connect VMs or cloud services outside of a VNet?
No. VNet-to-VNet supports connecting virtual networks. It does not support connecting virtual machines or
cloud services that are not in a virtual network.
Can a cloud service or a load balancing endpoint span VNets?
No. A cloud service or a load balancing endpoint can't span across virtual networks, even if they are connected
together.
Can I used a PolicyBased VPN type for VNet-to -VNet or Multi-Site connections?
No. VNet-to-VNet and Multi-Site connections require Azure VPN gateways with RouteBased (previously called
Dynamic Routing) VPN types.
Can I connect a VNet with a RouteBased VPN Type to another VNet with a PolicyBased VPN type?
No, both virtual networks MUST be using route-based (previously called Dynamic Routing) VPNs.
Do VPN tunnels share bandwidth?
Yes. All VPN tunnels of the virtual network share the available bandwidth on the Azure VPN gateway and the
same VPN gateway uptime SLA in Azure.
Are redundant tunnels supported?
Redundant tunnels between a pair of virtual networks are supported when one virtual network gateway is
configured as active-active.
Can I have overlapping address spaces for VNet-to -VNet configurations?
No. You can't have overlapping IP address ranges.
Can there be overlapping address spaces among connected virtual networks and on-premises local sites?
No. You can't have overlapping IP address ranges.
Next steps
Once your connection is complete, you can add virtual machines to your virtual networks. See the Virtual
Machines documentation for more information.
For information about BGP, see the BGP Overview and How to configure BGP.
Configure a VNet-to-VNet VPN gateway connection
using Azure CLI
2/16/2018 • 16 minutes to read • Edit Online
This article helps you connect virtual networks by using the VNet-to-VNet connection type. The virtual networks
can be in the same or different regions, and from the same or different subscriptions. When connecting VNets
from different subscriptions, the subscriptions do not need to be associated with the same Active Directory tenant.
The steps in this article apply to the Resource Manager deployment model and use Azure CLI. You can also create
this configuration using a different deployment tool or deployment model by selecting a different option from the
following list:
VNets that reside in different subscriptions: The steps for this configuration use TestVNet1 and TestVNet5.
az login
2. If you have more than one Azure subscription, list the subscriptions for the account.
2. Create TestVNet1 and the subnets for TestVNet1. This example creates a virtual network named TestVNet1
and a subnet named FrontEnd.
3. Create an additional address space for the backend subnet. Notice that in this step, we specify both the
address space that we created earlier, and the additional address space that we want to add. This is because
the az network vnet update command overwrites the previous settings. Make sure to specify all of the
address prefixes when using this command.
az network vnet subnet create --vnet-name TestVNet1 -n BackEnd -g TestRG1 --address-prefix 10.12.0.0/24
5. Create the gateway subnet. Notice that the gateway subnet is named 'GatewaySubnet'. This name is
required. In this example, the gateway subnet is using a /27. While it is possible to create a gateway subnet
as small as /29, we recommend that you create a larger subnet that includes more addresses by selecting at
least /28 or /27. This will allow for enough addresses to accommodate possible additional configurations
that you may want in the future.
6. Request a public IP address to be allocated to the gateway you will create for your VNet. Notice that the
AllocationMethod is Dynamic. You cannot specify the IP address that you want to use. It's dynamically
allocated to your gateway.
7. Create the virtual network gateway for TestVNet1. VNet-to-VNet configurations require a RouteBased
VpnType. If you run this command using the '--no-wait' parameter, you don't see any feedback or output.
The '--no-wait' parameter allows the gateway to create in the background. It does not mean that the VPN
gateway finishes creating immediately. Creating a gateway can often take 45 minutes or more, depending
on the gateway SKU that you use.
2. Create TestVNet4.
In the output, find the "id:" line. The values within the quotes are needed to create the connection in the next
section. Copy these values to a text editor, such as Notepad, so that you can easily paste them when creating
your connection.
Example output:
"activeActive": false,
"bgpSettings": {
"asn": 65515,
"bgpPeeringAddress": "10.12.255.30",
"peerWeight": 0
},
"enableBgp": false,
"etag": "W/\"ecb42bc5-c176-44e1-802f-b0ce2962ac04\"",
"gatewayDefaultSite": null,
"gatewayType": "Vpn",
"id": "/subscriptions/d6ff83d6-713d-41f6-a025-
5eb76334fda9/resourceGroups/TestRG1/providers/Microsoft.Network/virtualNetworkGateways/VNet1GW",
"ipConfigurations":
"id": "/subscriptions/d6ff83d6-713d-41f6-a025-
5eb76334fda9/resourceGroups/TestRG1/providers/Microsoft.Network/virtualNetworkGateways/VNet1GW"
2. Get the Resource ID of VNet4GW and copy the values to a text editor.
4. Create the TestVNet4 to TestVNet1 connection. This step is similar to the one above, except you are creating
the connection from TestVNet4 to TestVNet1. Make sure the shared keys match. It takes a few minutes to
establish the connection.
2. Create the TestVNet4 to TestVNet1 connection. This step is similar to the one above, except you are creating
the connection from TestVNet4 to TestVNet1. Make sure the shared keys match. It takes a few minutes to
establish the connection.
2. Create TestVNet5.
3. Add subnets.
Copy the output for "id:". Send the ID and the name of the VNet gateway (VNet1GW ) to the administrator
of Subscription 5 via email or another method.
Example output:
"id": "/subscriptions/d6ff83d6-713d-41f6-a025-
5eb76334fda9/resourceGroups/TestRG1/providers/Microsoft.Network/virtualNetworkGateways/VNet1GW"
2. [Subscription 5] Log in and connect to Subscription 5. Run the following command to get the name and
ID of the Gateway from the output:
Copy the output for "id:". Send the ID and the name of the VNet gateway (VNet5GW ) to the administrator
of Subscription 1 via email or another method.
3. [Subscription 1] In this step, you create the connection from TestVNet1 to TestVNet5. You can use your
own values for the shared key, however, the shared key must match for both connections. Creating a
connection can take a short while to complete. Make sure you connect to Subscription 1.
4. [Subscription 5] This step is similar to the one above, except you are creating the connection from
TestVNet5 to TestVNet1. Make sure that the shared keys match and that you connect to Subscription 5.
You can verify that your connection succeeded by using the az network vpn-connection show command. In the
example,'--name'refers to the name of the connection that you want to test. When the connection is in the process
of being established, its connection status shows 'Connecting'. Once the connection is established, the status
changes to 'Connected'.
VNet-to-VNet FAQ
The VNet-to-VNet FAQ applies to VPN Gateway connections. If you are looking for VNet Peering, see Virtual
Network Peering
Does Azure charge for traffic between VNets?
VNet-to-VNet traffic within the same region is free for both directions when using a VPN gateway connection.
Cross region VNet-to-VNet egress traffic is charged with the outbound inter-VNet data transfer rates based on
the source regions. Refer to the VPN Gateway pricing page for details. If you are connecting your VNets using
VNet Peering, rather than VPN Gateway, see the Virtual Network pricing page.
Does VNet-to -VNet traffic travel across the Internet?
No. VNet-to-VNet traffic travels across the Microsoft Azure backbone, not the Internet.
Can I establish a VNet-to -VNet connection across AAD Tenants?
Yes, VNet-to-VNet connections using Azure VPN gateways work across AAD Tenants.
Is VNet-to -VNet traffic secure?
Yes, it is protected by IPsec/IKE encryption.
Do I need a VPN device to connect VNets together?
No. Connecting multiple Azure virtual networks together doesn't require a VPN device unless cross-premises
connectivity is required.
Do my VNets need to be in the same region?
No. The virtual networks can be in the same or different Azure regions (locations).
If the VNets are not in the same subscription, do the subscriptions need to be associated with the same AD
tenant?
No.
Can I use VNet-to -VNet to connect virtual networks in separate Azure instances?
No. VNet-to-VNet supports connecting virtual networks within the same Azure instance. For example, you can’t
create a connection between public Azure and the Chinese / German / US Gov Azure instances. For these
scenarios, consider using a Site-to-Site VPN connection.
Can I use VNet-to -VNet along with multi-site connections?
Yes. Virtual network connectivity can be used simultaneously with multi-site VPNs.
How many on-premises sites and virtual networks can one virtual network connect to?
See Gateway requirements table.
Can I use VNet-to -VNet to connect VMs or cloud services outside of a VNet?
No. VNet-to-VNet supports connecting virtual networks. It does not support connecting virtual machines or cloud
services that are not in a virtual network.
Can a cloud service or a load balancing endpoint span VNets?
No. A cloud service or a load balancing endpoint can't span across virtual networks, even if they are connected
together.
Can I used a PolicyBased VPN type for VNet-to -VNet or Multi-Site connections?
No. VNet-to-VNet and Multi-Site connections require Azure VPN gateways with RouteBased (previously called
Dynamic Routing) VPN types.
Can I connect a VNet with a RouteBased VPN Type to another VNet with a PolicyBased VPN type?
No, both virtual networks MUST be using route-based (previously called Dynamic Routing) VPNs.
Do VPN tunnels share bandwidth?
Yes. All VPN tunnels of the virtual network share the available bandwidth on the Azure VPN gateway and the
same VPN gateway uptime SLA in Azure.
Are redundant tunnels supported?
Redundant tunnels between a pair of virtual networks are supported when one virtual network gateway is
configured as active-active.
Can I have overlapping address spaces for VNet-to -VNet configurations?
No. You can't have overlapping IP address ranges.
Can there be overlapping address spaces among connected virtual networks and on-premises local sites?
No. You can't have overlapping IP address ranges.
Next steps
Once your connection is complete, you can add virtual machines to your virtual networks. For more
information, see the Virtual Machines documentation.
For information about BGP, see the BGP Overview and How to configure BGP.
Connect virtual networks from different deployment
models using the portal
4/18/2018 • 21 minutes to read • Edit Online
This article shows you how to connect classic VNets to Resource Manager VNets to allow the resources located in
the separate deployment models to communicate with each other. The steps in this article primarily use the Azure
portal, but you can also create this configuration using the PowerShell by selecting the article from this list.
Connecting a classic VNet to a Resource Manager VNet is similar to connecting a VNet to an on-premises site
location. Both connectivity types use a VPN gateway to provide a secure tunnel using IPsec/IKE. You can create a
connection between VNets that are in different subscriptions and in different regions. You can also connect VNets
that already have connections to on-premises networks, as long as the gateway that they have been configured
with is dynamic or route-based. For more information about VNet-to-VNet connections, see the VNet-to-VNet
FAQ at the end of this article.
If you do not already have a virtual network gateway and do not want to create one, you may want to instead
consider connecting your VNets using VNet Peering. VNet peering does not use a VPN gateway. For more
information, see VNet peering.
Before you begin
These steps assume that both VNets have already been created. If you are using this article as an exercise and
don't have VNets, there are links in the steps to help you create them.
Verify that the address ranges for the VNets do not overlap with each other, or overlap with any of the ranges
for other connections that the gateways may be connected to.
Install the latest PowerShell cmdlets for both Resource Manager and Service Management (classic). In this
article, we use both the Azure portal and PowerShell. PowerShell is required to create the connection from the
classic VNet to the Resource Manager VNet. For more information, see How to install and configure Azure
PowerShell.
Example settings
You can use these values to create a test environment, or refer to them to better understand the examples in this
article.
Classic VNet
VNet name = ClassicVNet
Address space = 10.0.0.0/24
Subnet name = Subnet-1
Subnet address range = 10.0.0.0/27
Subscription = the subscription you want to use
Resource Group = ClassicRG
Location = West US
GatewaySubnet = 10.0.0.32/28
Local site = RMVNetLocal
Resource Manager VNet
VNet name = RMVNet
Address space = 192.168.0.0/16
Resource Group = RG1
Location = East US
Subnet name = Subnet-1
Address range = 192.168.1.0/24
GatewaySubnet = 192.168.0.0/26
Virtual network gateway name = RMGateway
Gateway type = VPN
VPN type = Route-based
SKU = VpnGw1
Location = East US
Virtual network = RMVNet
(associate the VPN gateway to this VNet) First IP configuration = rmgwpip
(gateway public IP address) Local network gateway = ClassicVNetLocal
Connection name = RMtoClassic
Connection overview
For this configuration, you create a VPN gateway connection over an IPsec/IKE VPN tunnel between the virtual
networks. Make sure that none of your VNet ranges overlap with each other, or with any of the local networks that
they connect to.
The following table shows an example of how the example VNets and local sites are defined:
CONNECTS TO LOCAL
VIRTUAL NETWORK ADDRESS SPACE REGION NETWORK SITE
3. Click Subnet - Configure required settings to open the Add subnet page. The Name is already configured
with the required value: GatewaySubnet.
4. The Address range refers to the range for the gateway subnet. Although you can create a gateway subnet with
a /29 address range (3 addresses), we recommend creating a gateway subnet that contains more IP addresses.
This will accommodate future configurations that may require more available IP addresses. If possible, use /27
or /28. If you are using these steps as an exercise, you can refer to the Example values. For this example, we use
'10.0.0.32/28'. Click OK to create the gateway subnet.
5. On the Gateway configuration page, Size refers to the gateway SKU. Select the gateway SKU for your VPN
gateway.
6. Verify the Routing Type is Dynamic, then click OK to return to the New VPN Connection page.
7. On the New VPN Connection page, click OK to begin creating your VPN gateway. Creating a VPN gateway
can take up to 45 minutes to complete.
4. Copy the virtual network gateway Public IP address
After the virtual network gateway has been created, you can view the gateway IP address.
1. Navigate to your classic VNet, and click Overview.
2. Click VPN connections to open the VPN connections page. On the VPN connections page, you can view the
Public IP address. This is the Public IP address assigned to your virtual network gateway. Make a note of the IP
address. You use it in later steps when you work with your Resource Manager local network gateway
configuration settings.
3. You can view the status of your gateway connections. Notice the local network site you created is listed as
'Connecting'. The status will change after you have created your connections. You can close this page when you
are finished viewing the status.
4. The Name for your subnet is automatically filled in with the value 'GatewaySubnet'. This value is required
in order for Azure to recognize the subnet as the gateway subnet. Adjust the auto-filled Address range
values to match your configuration requirements, then click OK at the bottom of the page to create the
subnet.
IMPORTANT
When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet. Associating
a network security group to this subnet may cause your VPN gateway to stop functioning as expected. For more
information about network security groups, see What is a network security group?
4. Verify the settings. You can select Pin to dashboard at the bottom of the page if you want your gateway to
appear on the dashboard.
5. Click Create to begin creating the VPN gateway. The settings are validated and you'll see the "Deploying
Virtual network gateway" tile on the dashboard. Creating a gateway can take up to 45 minutes. You may need
to refresh your portal page to see the completed status.
After the gateway is created, view the IP address that has been assigned to it by looking at the virtual network in
the portal. The gateway appears as a connected device. You can click the connected device (your virtual network
gateway) to view more information.
4. Create a local network gateway
Example values: Local network gateway = ClassicVNetLocal
3. On the Create local network gateway page, specify the values for your local network gateway.
Name: Specify a name for your local network gateway object. If possible, use something intuitive, such
as ClassicVNetLocal or TestVNet1Local. This makes it easier for you to identify the local network
gateway in the portal.
IP address: Specify a valid Public IP address for the VPN device or virtual network gateway to
which you want to connect.
If this local network represents an on-premises location: Specify the Public IP address of
the VPN device that you want to connect to. It cannot be behind NAT and has to be reachable by
Azure.
If this local network represents another VNet: Specify the Public IP address that was
assigned to the virtual network gateway for that VNet.
If you don't yet have the IP address: You can make up a valid placeholder IP address, and then
come back and modify this setting before connecting.
Address Space refers to the address ranges for the network that this local network represents. You can
add multiple address space ranges. Make sure that the ranges you specify here do not overlap with
ranges of other networks to which you connect.
Configure BGP settings: Use only when configuring BGP. Otherwise, don't select this.
Subscription: Verify that the correct subscription is showing.
Resource Group: Select the resource group that you want to use. You can either create a new resource
group, or select one that you have already created.
Location: Select the location that this object will be created in. You may want to select the same location
that your VNet resides in, but you are not required to do so.
4. Click Create to create the local network gateway.
4. On the Site-to-site VPN connections page, click the name of the site.
5. On the connection page for your local site, click the name of the local site to open the Local site page.
6. On the Local site page, replace the VPN gateway IP address with the IP address of the Resource
Manager gateway.
Connect-AzureRmAccount
Get-AzureRmSubscription
If you have more than one subscription, specify the subscription that you want to use.
Next, log in to use the classic PowerShell cmdlets (Service Management). Use the following command to add your
Azure account for the classic deployment model:
Add-AzureAccount
Get a list of your subscriptions. This step may be necessary when adding the Service Management cmdlets,
depending on your Azure module install.
Get-AzureSubscription
If you have more than one subscription, specify the subscription that you want to use.
Open the file with a text editor and view the name for your classic VNet. Use the names in the network
configuration file when running your PowerShell cmdlets.
VNet names are listed as VirtualNetworkSite name =
Site names are listed as LocalNetworkSite name=
3. Create the connection
Set the shared key and create the connection from the classic VNet to the Resource Manager VNet. You cannot set
the shared key using the portal. Make sure you run these steps while logged in using the classic version of the
PowerShell cmdlets. To do so, use Add-AzureAccount. Otherwise, you will not be able to set the '-
AzureVNetGatewayKey'.
In this example, -VNetName is the name of the classic VNet as found in your network configuration file.
The -LocalNetworkSiteName is the name you specified for the local site, as found in your network
configuration file.
The -SharedKey is a value that you generate and specify. For this example, we used abc123, but you can
generate something more complex. The important thing is that the value you specify here must be the same
value that you specified when creating your Resource Manager to classic connection.
4. On the Site-to-site VPN connections blade, view the information about your site.
5. To view more information about the connection, click the name of the connection to open the Site-to-site
VPN Connection blade.
To verify the connection from your Resource Manager VNet to your classic VNet
In the Azure portal, you can view the connection status of a Resource Manager VPN Gateway by navigating to the
connection. The following steps show one way to navigate to your connection and verify.
1. In the Azure portal, click All resources and navigate to your virtual network gateway.
2. On the blade for your virtual network gateway, click Connections. You can see the status of each connection.
3. Click the name of the connection that you want to verify to open Essentials. In Essentials, you can view
more information about your connection. The Status is 'Succeeded' and 'Connected' when you have made
a successful connection.
VNet-to-VNet FAQ
The VNet-to-VNet FAQ applies to VPN Gateway connections. If you are looking for VNet Peering, see Virtual
Network Peering
Does Azure charge for traffic between VNets?
VNet-to-VNet traffic within the same region is free for both directions when using a VPN gateway connection.
Cross region VNet-to-VNet egress traffic is charged with the outbound inter-VNet data transfer rates based on
the source regions. Refer to the VPN Gateway pricing page for details. If you are connecting your VNets using
VNet Peering, rather than VPN Gateway, see the Virtual Network pricing page.
Does VNet-to -VNet traffic travel across the Internet?
No. VNet-to-VNet traffic travels across the Microsoft Azure backbone, not the Internet.
Can I establish a VNet-to -VNet connection across AAD Tenants?
Yes, VNet-to-VNet connections using Azure VPN gateways work across AAD Tenants.
Is VNet-to -VNet traffic secure?
Yes, it is protected by IPsec/IKE encryption.
Do I need a VPN device to connect VNets together?
No. Connecting multiple Azure virtual networks together doesn't require a VPN device unless cross-premises
connectivity is required.
Do my VNets need to be in the same region?
No. The virtual networks can be in the same or different Azure regions (locations).
If the VNets are not in the same subscription, do the subscriptions need to be associated with the same AD
tenant?
No.
Can I use VNet-to -VNet to connect virtual networks in separate Azure instances?
No. VNet-to-VNet supports connecting virtual networks within the same Azure instance. For example, you can’t
create a connection between public Azure and the Chinese / German / US Gov Azure instances. For these
scenarios, consider using a Site-to-Site VPN connection.
Can I use VNet-to -VNet along with multi-site connections?
Yes. Virtual network connectivity can be used simultaneously with multi-site VPNs.
How many on-premises sites and virtual networks can one virtual network connect to?
See Gateway requirements table.
Can I use VNet-to -VNet to connect VMs or cloud services outside of a VNet?
No. VNet-to-VNet supports connecting virtual networks. It does not support connecting virtual machines or
cloud services that are not in a virtual network.
Can a cloud service or a load balancing endpoint span VNets?
No. A cloud service or a load balancing endpoint can't span across virtual networks, even if they are connected
together.
Can I used a PolicyBased VPN type for VNet-to -VNet or Multi-Site connections?
No. VNet-to-VNet and Multi-Site connections require Azure VPN gateways with RouteBased (previously called
Dynamic Routing) VPN types.
Can I connect a VNet with a RouteBased VPN Type to another VNet with a PolicyBased VPN type?
No, both virtual networks MUST be using route-based (previously called Dynamic Routing) VPNs.
Do VPN tunnels share bandwidth?
Yes. All VPN tunnels of the virtual network share the available bandwidth on the Azure VPN gateway and the
same VPN gateway uptime SLA in Azure.
Are redundant tunnels supported?
Redundant tunnels between a pair of virtual networks are supported when one virtual network gateway is
configured as active-active.
Can I have overlapping address spaces for VNet-to -VNet configurations?
No. You can't have overlapping IP address ranges.
Can there be overlapping address spaces among connected virtual networks and on-premises local sites?
No. You can't have overlapping IP address ranges.
Connect virtual networks from different deployment
models using PowerShell
4/18/2018 • 14 minutes to read • Edit Online
This article helps you connect classic VNets to Resource Manager VNets to allow the resources located in the
separate deployment models to communicate with each other. The steps in this article use PowerShell, but you can
also create this configuration using the Azure portal by selecting the article from this list.
Connecting a classic VNet to a Resource Manager VNet is similar to connecting a VNet to an on-premises site
location. Both connectivity types use a VPN gateway to provide a secure tunnel using IPsec/IKE. You can create a
connection between VNets that are in different subscriptions and in different regions. You can also connect VNets
that already have connections to on-premises networks, as long as the gateway that they have been configured
with is dynamic or route-based. For more information about VNet-to-VNet connections, see the VNet-to-VNet
FAQ at the end of this article.
If you do not already have a virtual network gateway and do not want to create one, you may want to instead
consider connecting your VNets using VNet Peering. VNet peering does not use a VPN gateway. For more
information, see VNet peering.
Add-AzureAccount
Get-AzureSubscription
If you have more than one subscription, select the subscription that you want to use.
2. Export your Azure network configuration file by running the following command. You can change the
location of the file to export to a different location if necessary.
3. Open the .xml file that you downloaded to edit it. For an example of the network configuration file, see the
Network Configuration Schema.
2. Verify the gateway subnet
In the VirtualNetworkSites element, add a gateway subnet to your VNet if one has not already been created.
When working with the network configuration file, the gateway subnet MUST be named "GatewaySubnet" or
Azure cannot recognize and use it as a gateway subnet.
IMPORTANT
When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet. Associating a
network security group to this subnet may cause your VPN gateway to stop functioning as expected. For more information
about network security groups, see What is a network security group?
Example:
<VirtualNetworkSites>
<VirtualNetworkSite name="ClassicVNet" Location="West US">
<AddressSpace>
<AddressPrefix>10.0.0.0/24</AddressPrefix>
</AddressSpace>
<Subnets>
<Subnet name="Subnet-1">
<AddressPrefix>10.0.0.0/27</AddressPrefix>
</Subnet>
<Subnet name="GatewaySubnet">
<AddressPrefix>10.0.0.32/29</AddressPrefix>
</Subnet>
</Subnets>
</VirtualNetworkSite>
</VirtualNetworkSites>
<LocalNetworkSites>
<LocalNetworkSite name="RMVNetLocal">
<AddressSpace>
<AddressPrefix>192.168.0.0/16</AddressPrefix>
</AddressSpace>
<VPNGatewayAddress>13.68.210.16</VPNGatewayAddress>
</LocalNetworkSite>
</LocalNetworkSites>
<Gateway>
<ConnectionsToLocalNetwork>
<LocalNetworkSiteRef name="RMVNetLocal">
<Connection type="IPsec" />
</LocalNetworkSiteRef>
</ConnectionsToLocalNetwork>
</Gateway>
You will see a similar result showing that the import succeeded.
OperationDescription OperationId OperationStatus
-------------------- ----------- ---------------
Set-AzureVNetConfig e0ee6e66-9167-cfa7-a746-7casb9 Succeeded
You can check the status of the gateway by using the Get-AzureVNetGateway cmdlet.
Connect-AzureRmAccount
Get-AzureRmSubscription
If you have more than one subscription, specify the subscription that you want to use.
2. Create a local network gateway. In a virtual network, the local network gateway typically refers to your on-
premises location. In this case, the local network gateway refers to your Classic VNet. Give it a name by
which Azure can refer to it, and also specify the address space prefix. Azure uses the IP address prefix you
specify to identify which traffic to send to your on-premises location. If you need to adjust the information
here later, before creating your gateway, you can modify the values and run the sample again.
-Name is the name you want to assign to refer to the local network gateway.
-AddressPrefix is the Address Space for your classic VNet.
-GatewayIpAddress is the public IP address of the classic VNet's gateway. Be sure to change the following
sample to reflect the correct IP address.
New-AzureRmLocalNetworkGateway -Name ClassicVNetLocal `
-Location "West US" -AddressPrefix "10.0.0.0/24" `
-GatewayIpAddress "n.n.n.n" -ResourceGroupName RG1
3. Request a public IP address to be allocated to the virtual network gateway for the Resource Manager VNet.
You can't specify the IP address that you want to use. The IP address is dynamically allocated to the virtual
network gateway. However, this does not mean the IP address changes. The only time the virtual network
gateway IP address changes is when the gateway is deleted and recreated. It doesn't change across resizing,
resetting, or other internal maintenance/upgrades of the gateway.
In this step, we also set a variable that is used in a later step.
4. Verify that your virtual network has a gateway subnet. If no gateway subnet exists, add one. Make sure the
gateway subnet is named GatewaySubnet.
5. Retrieve the subnet used for the gateway by running the following command. In this step, we also set a
variable to be used in the next step.
-Name is the name of your Resource Manager VNet.
-ResourceGroupName is the resource group that the VNet is associated with. The gateway subnet must
already exist for this VNet and must be named GatewaySubnet to work properly.
6. Create the gateway IP addressing configuration. The gateway configuration defines the subnet and the
public IP address to use. Use the following sample to create your gateway configuration.
In this step, the -SubnetId and -PublicIpAddressId parameters must be passed the id property from the
subnet, and IP address objects, respectively. You can't use a simple string. These variables are set in the step
to request a public IP and the step to retrieve the subnet.
$gwipconfig = New-AzureRmVirtualNetworkGatewayIpConfig `
-Name gwipconfig -SubnetId $subnet.id `
-PublicIpAddressId $ipaddress.id
7. Create the Resource Manager virtual network gateway by running the following command. The -VpnType
must be RouteBased. It can take 45 minutes or more for the gateway to create.
8. Copy the public IP address once the VPN gateway has been created. You use it when you configure the
local network settings for your Classic VNet. You can use the following cmdlet to retrieve the public IP
address. The public IP address is listed in the return as IpAddress.
2. Using a text editor, modify the value for VPNGatewayAddress. Replace the placeholder IP address with the
public IP address of the Resource Manager gateway and then save the changes.
<VPNGatewayAddress>13.68.210.16</VPNGatewayAddress>
In following example, -VNetName is the name of the classic VNet and -LocalNetworkSiteName is the
name you specified for the local network site. The -SharedKey is a value that you generate and specify. In
the example, we used 'abc123', but you can generate and use something more complex. The important
thing is that the value you specify here must be the same value that you specify in the next step when you
create your connection. The return should show Status: Successful.
Create the connection. Notice that the -ConnectionType is IPsec, not Vnet2Vnet.
2. After the cmdlet has finished, view the values. In the example below, the Connectivity State shows as
'Connected' and you can see ingress and egress bytes.
ConnectivityState : Connected
EgressBytesTransferred : 181664
IngressBytesTransferred : 182080
LastConnectionEstablished : 1/7/2016 12:40:54 AM
LastEventID : 24401
LastEventMessage : The connectivity state for the local network site 'RMVNetLocal' changed
from Connecting to
Connected.
LastEventTimeStamp : 1/7/2016 12:40:54 AM
LocalNetworkSiteName : RMVNetLocal
Azure portal
In the Azure portal, you can view the connection status for a classic VNet VPN Gateway by navigating to the
connection. The following steps show one way to navigate to your connection and verify.
1. In the Azure portal, click All resources and navigate to your classic virtual network.
2. On the virtual network blade, click Overview to access the VPN connections section of the blade.
3. On the VPN connections graphic, click the site.
4. On the Site-to-site VPN connections blade, view the information about your site.
5. To view more information about the connection, click the name of the connection to open the Site-to-site
VPN Connection blade.
To verify the connection from your Resource Manager VNet to your classic VNet
PowerShell
You can verify that your connection succeeded by using the 'Get-AzureRmVirtualNetworkGatewayConnection'
cmdlet, with or without '-Debug'.
1. Use the following cmdlet example, configuring the values to match your own. If prompted, select 'A' in
order to run 'All'. In the example, '-Name' refers to the name of the connection that you want to test.
2. After the cmdlet has finished, view the values. In the example below, the connection status shows as
'Connected' and you can see ingress and egress bytes.
"connectionStatus": "Connected",
"ingressBytesTransferred": 33509044,
"egressBytesTransferred": 4142431
Azure portal
In the Azure portal, you can view the connection status of a Resource Manager VPN Gateway by navigating to the
connection. The following steps show one way to navigate to your connection and verify.
1. In the Azure portal, click All resources and navigate to your virtual network gateway.
2. On the blade for your virtual network gateway, click Connections. You can see the status of each connection.
3. Click the name of the connection that you want to verify to open Essentials. In Essentials, you can view
more information about your connection. The Status is 'Succeeded' and 'Connected' when you have made
a successful connection.
VNet-to-VNet FAQ
The VNet-to-VNet FAQ applies to VPN Gateway connections. If you are looking for VNet Peering, see Virtual
Network Peering
Does Azure charge for traffic between VNets?
VNet-to-VNet traffic within the same region is free for both directions when using a VPN gateway connection.
Cross region VNet-to-VNet egress traffic is charged with the outbound inter-VNet data transfer rates based on
the source regions. Refer to the VPN Gateway pricing page for details. If you are connecting your VNets using
VNet Peering, rather than VPN Gateway, see the Virtual Network pricing page.
Does VNet-to -VNet traffic travel across the Internet?
No. VNet-to-VNet traffic travels across the Microsoft Azure backbone, not the Internet.
Can I establish a VNet-to -VNet connection across AAD Tenants?
Yes, VNet-to-VNet connections using Azure VPN gateways work across AAD Tenants.
Is VNet-to -VNet traffic secure?
Yes, it is protected by IPsec/IKE encryption.
Do I need a VPN device to connect VNets together?
No. Connecting multiple Azure virtual networks together doesn't require a VPN device unless cross-premises
connectivity is required.
Do my VNets need to be in the same region?
No. The virtual networks can be in the same or different Azure regions (locations).
If the VNets are not in the same subscription, do the subscriptions need to be associated with the same AD
tenant?
No.
Can I use VNet-to -VNet to connect virtual networks in separate Azure instances?
No. VNet-to-VNet supports connecting virtual networks within the same Azure instance. For example, you can’t
create a connection between public Azure and the Chinese / German / US Gov Azure instances. For these
scenarios, consider using a Site-to-Site VPN connection.
Can I use VNet-to -VNet along with multi-site connections?
Yes. Virtual network connectivity can be used simultaneously with multi-site VPNs.
How many on-premises sites and virtual networks can one virtual network connect to?
See Gateway requirements table.
Can I use VNet-to -VNet to connect VMs or cloud services outside of a VNet?
No. VNet-to-VNet supports connecting virtual networks. It does not support connecting virtual machines or cloud
services that are not in a virtual network.
Can a cloud service or a load balancing endpoint span VNets?
No. A cloud service or a load balancing endpoint can't span across virtual networks, even if they are connected
together.
Can I used a PolicyBased VPN type for VNet-to -VNet or Multi-Site connections?
No. VNet-to-VNet and Multi-Site connections require Azure VPN gateways with RouteBased (previously called
Dynamic Routing) VPN types.
Can I connect a VNet with a RouteBased VPN Type to another VNet with a PolicyBased VPN type?
No, both virtual networks MUST be using route-based (previously called Dynamic Routing) VPNs.
Do VPN tunnels share bandwidth?
Yes. All VPN tunnels of the virtual network share the available bandwidth on the Azure VPN gateway and the
same VPN gateway uptime SLA in Azure.
Are redundant tunnels supported?
Redundant tunnels between a pair of virtual networks are supported when one virtual network gateway is
configured as active-active.
Can I have overlapping address spaces for VNet-to -VNet configurations?
No. You can't have overlapping IP address ranges.
Can there be overlapping address spaces among connected virtual networks and on-premises local sites?
No. You can't have overlapping IP address ranges.
Configure ExpressRoute and Site-to-Site coexisting
connections using PowerShell
9/7/2018 • 8 minutes to read • Edit Online
Configuring Site-to-Site VPN and ExpressRoute coexisting connections has several advantages:
You can configure a Site-to-Site VPN as a secure failover path for ExpressRoute.
Alternatively, you can use Site-to-Site VPNs to connect to sites that are not connected through ExpressRoute.
The steps to configure both scenarios are covered in this article. This article applies to the Resource Manager
deployment model and uses PowerShell. You can also configure these scenarios using the Azure Portal, although
documentation is not yet available.
NOTE
If you want to create a Site-to-Site VPN over an ExpressRoute circuit, please see this article.
Configuration designs
Configure a Site -to -Site VPN as a failover path for ExpressRoute
You can configure a Site-to-Site VPN connection as a backup for ExpressRoute. This connection applies only to
virtual networks linked to the Azure private peering path. There is no VPN -based failover solution for services
accessible through Azure Microsoft peering. The ExpressRoute circuit is always the primary link. Data flows
through the Site-to-Site VPN path only if the ExpressRoute circuit fails. To avoid asymmetrical routing, your local
network configuration should also prefer the ExpressRoute circuit over the Site-to-Site VPN. You can prefer the
ExpressRoute path by setting higher local preference for the routes received the ExpressRoute.
NOTE
While ExpressRoute circuit is preferred over Site-to-Site VPN when both routes are the same, Azure will use the longest prefix
match to choose the route towards the packet's destination.
Configure a Site -to -Site VPN to connect to sites not connected through ExpressRoute
You can configure your network where some sites connect directly to Azure over Site-to-Site VPN, and some sites
connect through ExpressRoute.
NOTE
You cannot configure a virtual network as a transit router.
Connect-AzureRmAccount
Select-AzureRmSubscription -SubscriptionName 'yoursubscription'
$location = "Central US"
$resgrp = New-AzureRmResourceGroup -Name "ErVpnCoex" -Location $location
$VNetASN = 65515
3. Create a virtual network including Gateway Subnet. For more information about creating a virtual network,
see Create a virtual network. For more information about creating subnets, see Create a subnet
IMPORTANT
The Gateway Subnet must be /27 or a shorter prefix (such as /26 or /25).
Add subnets.
4. Next, create your Site-to-Site VPN gateway. For more information about the VPN gateway configuration,
see Configure a VNet with a Site-to-Site connection. The GatewaySku is only supported for VpnGw1,
VpnGw2, VpnGw3, Standard, and HighPerformance VPN gateways. ExpressRoute-VPN Gateway coexist
configurations are not supported on the Basic SKU. The VpnType must be RouteBased.
$gwSubnet = Get-AzureRmVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet
$gwIP = New-AzureRmPublicIpAddress -Name "VPNGatewayIP" -ResourceGroupName $resgrp.ResourceGroupName -
Location $location -AllocationMethod Dynamic
$gwConfig = New-AzureRmVirtualNetworkGatewayIpConfig -Name "VPNGatewayIpConfig" -SubnetId $gwSubnet.Id -
PublicIpAddressId $gwIP.Id
New-AzureRmVirtualNetworkGateway -Name "VPNGateway" -ResourceGroupName $resgrp.ResourceGroupName -
Location $location -IpConfigurations $gwConfig -GatewayType "Vpn" -VpnType "RouteBased" -GatewaySku
"VpnGw1"
Azure VPN gateway supports BGP routing protocol. You can specify ASN (AS Number) for that Virtual
Network by adding the -Asn switch in the following command. Not specifying that parameter will default to
AS number 65515.
You can find the BGP peering IP and the AS number that Azure uses for the VPN gateway in
$azureVpn.BgpSettings.BgpPeeringAddress and $azureVpn.BgpSettings.Asn. For more information, see
Configure BGP for Azure VPN gateway.
5. Create a local site VPN gateway entity. This command doesn’t configure your on-premises VPN gateway.
Rather, it allows you to provide the local gateway settings, such as the public IP and the on-premises
address space, so that the Azure VPN gateway can connect to it.
If your local VPN device only supports static routing, you can configure the static routes in the following
way:
$MyLocalNetworkAddress = @("10.100.0.0/16","10.101.0.0/16","10.102.0.0/16")
$localVpn = New-AzureRmLocalNetworkGateway -Name "LocalVPNGateway" -ResourceGroupName
$resgrp.ResourceGroupName -Location $location -GatewayIpAddress *<Public IP>* -AddressPrefix
$MyLocalNetworkAddress
If your local VPN device supports the BGP and you want to enable dynamic routing, you need to know the
BGP peering IP and the AS number that your local VPN device uses.
6. Configure your local VPN device to connect to the new Azure VPN gateway. For more information about
VPN device configuration, see VPN Device Configuration.
7. Link the Site-to-Site VPN gateway on Azure to the local gateway.
8. If you are connecting to an existing ExpressRoute circuit, skip steps 8 & 9 and, jump to step 10. Configure
ExpressRoute circuits. For more information about configuring ExpressRoute circuit, see create an
ExpressRoute circuit.
9. Configure Azure private peering over the ExpressRoute circuit. For more information about configuring
Azure private peering over the ExpressRoute circuit, see configure peering
10. Create an ExpressRoute gateway. For more information about the ExpressRoute gateway configuration, see
ExpressRoute gateway configuration. The GatewaySKU must be Standard, HighPerformance, or
UltraPerformance.
11. Link the ExpressRoute gateway to the ExpressRoute circuit. After this step has been completed, the
connection between your on-premises network and Azure, through ExpressRoute, is established. For more
information about the link operation, see Link VNets to ExpressRoute.
5. At this point, you have a virtual network with no gateways. To create new gateways and set up the connections,
follow the steps in the previous section.
2. Upload the VPN root certificate to Azure for your VPN gateway. In this example, it's assumed that the root
certificate is stored in the local machine where the following PowerShell cmdlets are run.
$p2sCertFullName = "RootErVpnCoexP2S.cer"
$p2sCertMatchName = "RootErVpnCoexP2S"
$p2sCertToUpload=get-childitem Cert:\CurrentUser\My | Where-Object {$_.Subject -match $p2sCertMatchName}
if ($p2sCertToUpload.count -eq 1){write-host "cert found"} else {write-host "cert not found" exit}
$p2sCertData = [System.Convert]::ToBase64String($p2sCertToUpload.RawData) Add-
AzureRmVpnClientRootCertificate -VpnClientRootCertificateName $p2sCertFullName -
VirtualNetworkGatewayname $azureVpn.Name -ResourceGroupName $resgrp.ResourceGroupName -PublicCertData
$p2sCertData
Next steps
For more information about ExpressRoute, see the ExpressRoute FAQ.
Add a Site-to-Site connection to a VNet with an
existing VPN gateway connection
2/15/2018 • 3 minutes to read • Edit Online
This article helps you add Site-to-Site (S2S ) connections to a VPN gateway that has an existing connection by
using the Azure portal. This type of connection is often referred to as a "multi-site" configuration. You can add a
S2S connection to a VNet that already has a S2S connection, Point-to-Site connection, or VNet-to-VNet
connection. There are some limitations when adding connections. Check the Before you begin section in this
article to verify before you start your configuration.
This article applies to Resource Manager VNets that have a RouteBased VPN gateway. These steps do not apply
to ExpressRoute/Site-to-Site coexisting connection configurations. See ExpressRoute/S2S coexisting connections
for information about coexisting connections.
Deployment models and methods
Azure currently works with two deployment models: Resource Manager and classic. The two models are not
completely compatible with each other. Before you begin, you need to know which model that you want to work in.
For information about the deployment models, see Understanding deployment models. If you are new to Azure,
we recommend that you use the Resource Manager deployment model.
We update this table as new articles and additional tools become available for this configuration. When an article
is available, we link directly to it from this table.
3. On the Create local network gateway page, fill out the following fields:
Name: The name you want to give to the local network gateway resource.
IP address: The public IP address of the VPN device on the site that you want to connect to.
Address space: The address space that you want to be routed to the new local network site.
4. Click OK on the Create local network gateway page to save the changes.
2. After the cmdlet has finished, view the values. In the example below, the connection status shows as
'Connected' and you can see ingress and egress bytes.
"connectionStatus": "Connected",
"ingressBytesTransferred": 33509044,
"egressBytesTransferred": 4142431
Next steps
Once your connection is complete, you can add virtual machines to your virtual networks. See the virtual
machines learning path for more information.
Connect Azure VPN gateways to multiple on-
premises policy-based VPN devices using
PowerShell
4/18/2018 • 6 minutes to read • Edit Online
This article helps you configure an Azure route-based VPN gateway to connect to multiple on-premises policy-
based VPN devices leveraging custom IPsec/IKE policies on S2S VPN connections.
With the custom IPsec/IKE policy, you can now configure Azure route-based VPN gateways to use prefix-based
traffic selectors with option "PolicyBasedTrafficSelectors", to connect to on-premises policy-based VPN
devices. This capability allows you to connect from an Azure virtual network and VPN gateway to multiple on-
premises policy-based VPN/firewall devices, removing the single connection limit from the current Azure policy-
based VPN gateways.
IMPORTANT
1. To enable this connectivity, your on-premises policy-based VPN devices must support IKEv2 to connect to the Azure
route-based VPN gateways. Check your VPN device specifications.
2. The on-premises networks connecting through policy-based VPN devices with this mechanism can only connect to the
Azure virtual network; they cannot transit to other on-premises networks or virtual networks via the same
Azure VPN gateway.
3. The configuration option is part of the custom IPsec/IKE connection policy. If you enable the policy-based traffic
selector option, you must specify the complete policy (IPsec/IKE encryption and integrity algorithms, key strengths, and
SA lifetimes).
The following diagram shows why transit routing via Azure VPN gateway doesn't work with the policy-based
option:
As shown in the diagram, the Azure VPN gateway has traffic selectors from the virtual network to each of the
on-premises network prefixes, but not the cross-connection prefixes. For example, on-premises site 2, site 3, and
site 4 can each communicate to VNet1 respectively, but cannot connect via the Azure VPN gateway to each
other. The diagram shows the cross-connect traffic selectors that are not available in the Azure VPN gateway
under this configuration.
$Sub1 = "<YourSubscriptionName>"
$RG1 = "TestPolicyRG1"
$Location1 = "East US 2"
$VNetName1 = "TestVNet1"
$FESubName1 = "FrontEnd"
$BESubName1 = "Backend"
$GWSubName1 = "GatewaySubnet"
$VNetPrefix11 = "10.11.0.0/16"
$VNetPrefix12 = "10.12.0.0/16"
$FESubPrefix1 = "10.11.0.0/24"
$BESubPrefix1 = "10.12.0.0/24"
$GWSubPrefix1 = "10.12.255.0/27"
$DNS1 = "8.8.8.8"
$GWName1 = "VNet1GW"
$GW1IPName1 = "VNet1GWIP1"
$GW1IPconf1 = "gw1ipconf1"
$Connection16 = "VNet1toSite6"
$LNGName6 = "Site6"
$LNGPrefix61 = "10.61.0.0/16"
$LNGPrefix62 = "10.62.0.0/16"
$LNGIP6 = "131.107.72.22"
To use the Resource Manager cmdlets, make sure you switch to PowerShell mode. For more information, see
Using Windows PowerShell with Resource Manager.
Open your PowerShell console and connect to your account. Use the following sample to help you connect:
Connect-AzureRmAccount
Select-AzureRmSubscription -SubscriptionName $Sub1
New-AzureRmResourceGroup -Name $RG1 -Location $Location1
2. Create the virtual network, VPN gateway, and local network gateway
The following example creates the virtual network, TestVNet1 with three subnets, and the VPN gateway. When
substituting values, it's important that you always name your gateway subnet specifically 'GatewaySubnet'. If
you name it something else, your gateway creation fails.
IMPORTANT
You need to create an IPsec/IKE policy in order to enable "UsePolicyBasedTrafficSelectors" option on the connection.
The following example creates an IPsec/IKE policy with these algorithms and parameters:
IKEv2: AES256, SHA384, DHGroup24
IPsec: AES256, SHA256, PFS24, SA Lifetime 3600 seconds & 2048KB
2. Create the S2S VPN connection with policy-based traffic selectors and IPsec/IKE policy
Create an S2S VPN connection and apply the IPsec/IKE policy created in the previous step. Be aware of the
additional parameter "-UsePolicyBasedTrafficSelectors $True" which enables policy-based traffic selectors on the
connection.
After completing the steps, the S2S VPN connection will use the IPsec/IKE policy defined, and enable policy-
based traffic selectors on the connection. You can repeat the same steps to add more connections to additional
on-premises policy-based VPN devices from the same Azure VPN gateway.
$RG1 = "TestPolicyRG1"
$Connection16 = "VNet1toSite6"
$connection6 = Get-AzureRmVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1
$connection6.UsePolicyBasedTrafficSelectors
If the line returns "True", then policy-based traffic selectors are configured on the connection; otherwise it
returns "False."
3. Update the policy-based traffic selectors on a connection
Once you obtain the connection resource, you can enable or disable the option.
Disable UsePolicyBasedTrafficSelectors
The following example disables the policy-based traffic selectors option, but leaves the IPsec/IKE policy
unchanged:
$RG1 = "TestPolicyRG1"
$Connection16 = "VNet1toSite6"
$connection6 = Get-AzureRmVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1
Enable UsePolicyBasedTrafficSelectors
The following example enables the policy-based traffic selectors option, but leaves the IPsec/IKE policy
unchanged:
$RG1 = "TestPolicyRG1"
$Connection16 = "VNet1toSite6"
$connection6 = Get-AzureRmVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1
Next steps
Once your connection is complete, you can add virtual machines to your virtual networks. See Create a Virtual
Machine for steps.
Also review Configure IPsec/IKE policy for S2S VPN or VNet-to-VNet connections for more details on custom
IPsec/IKE policies.
Configure IPsec/IKE policy for S2S VPN or VNet-to-
VNet connections
4/18/2018 • 12 minutes to read • Edit Online
This article walks you through the steps to configure IPsec/IKE policy for Site-to-Site VPN or VNet-to-VNet
connections using the Resource Manager deployment model and PowerShell.
About IPsec and IKE policy parameters for Azure VPN gateways
IPsec and IKE protocol standard supports a wide range of cryptographic algorithms in various combinations.
Refer to About cryptographic requirements and Azure VPN gateways to see how this can help ensuring cross-
premises and VNet-to-VNet connectivity satisfy your compliance or security requirements.
This article provides instructions to create and configure an IPsec/IKE policy and apply to a new or existing
connection:
Part 1 - Workflow to create and set IPsec/IKE policy
Part 2 - Supported cryptographic algorithms and key strengths
Part 3 - Create a new S2S VPN connection with IPsec/IKE policy
Part 4 - Create a new VNet-to-VNet connection with IPsec/IKE policy
Part 5 - Manage (create, add, remove) IPsec/IKE policy for a connection
IMPORTANT
1. Note that IPsec/IKE policy only works on the following gateway SKUs:
VpnGw1, VpnGw2, VpnGw3 (route-based)
Standard and HighPerformance (route-based)
2. You can only specify one policy combination for a given connection.
3. You must specify all algorithms and parameters for both IKE (Main Mode) and IPsec (Quick Mode). Partial policy
specification is not allowed.
4. Consult with your VPN device vendor specifications to ensure the policy is supported on your on-premises VPN
devices. S2S or VNet-to-VNet connections cannot establish if the policies are incompatible.
IPSEC/IKEV2 OPTIONS
For more information regarding policy-based traffic selectors, see Connect multiple on-premises policy-based
VPN devices.
The following table lists the corresponding Diffie-Hellman Groups supported by the custom policy:
See Create a S2S VPN connection for more detailed step-by-step instructions for creating a S2S VPN
connection.
Before you begin
Verify that you have an Azure subscription. If you don't already have an Azure subscription, you can activate
your MSDN subscriber benefits or sign up for a free account.
Install the Azure Resource Manager PowerShell cmdlets. See Overview of Azure PowerShell for more
information about installing the PowerShell cmdlets.
Step 1 - Create the virtual network, VPN gateway, and local network gateway
1. Declare your variables
For this exercise, we start by declaring our variables. Be sure to replace the values with your own when
configuring for production.
$Sub1 = "<YourSubscriptionName>"
$RG1 = "TestPolicyRG1"
$Location1 = "East US 2"
$VNetName1 = "TestVNet1"
$FESubName1 = "FrontEnd"
$BESubName1 = "Backend"
$GWSubName1 = "GatewaySubnet"
$VNetPrefix11 = "10.11.0.0/16"
$VNetPrefix12 = "10.12.0.0/16"
$FESubPrefix1 = "10.11.0.0/24"
$BESubPrefix1 = "10.12.0.0/24"
$GWSubPrefix1 = "10.12.255.0/27"
$DNS1 = "8.8.8.8"
$GWName1 = "VNet1GW"
$GW1IPName1 = "VNet1GWIP1"
$GW1IPconf1 = "gw1ipconf1"
$Connection16 = "VNet1toSite6"
$LNGName6 = "Site6"
$LNGPrefix61 = "10.61.0.0/16"
$LNGPrefix62 = "10.62.0.0/16"
$LNGIP6 = "131.107.72.22"
Connect-AzureRmAccount
Select-AzureRmSubscription -SubscriptionName $Sub1
New-AzureRmResourceGroup -Name $RG1 -Location $Location1
3. Create the virtual network, VPN gateway, and local network gateway
The following sample creates the virtual network, TestVNet1, with three subnets, and the VPN gateway. When
substituting values, it's important that you always name your gateway subnet specifically GatewaySubnet. If you
name it something else, your gateway creation fails.
If you use GCMAES for IPsec, you must use the same GCMAES algorithm and key length for both IPsec
encryption and integrity. For example above, the corresponding parameters will be "-IpsecEncryption
GCMAES256 -IpsecIntegrity GCMAES256" when using GCMAES256.
2. Create the S2S VPN connection with the IPsec/IKE policy
Create an S2S VPN connection and apply the IPsec/IKE policy created earlier.
You can optionally add "-UsePolicyBasedTrafficSelectors $True" to the create connection cmdlet to enable Azure
VPN gateway to connect to policy-based VPN devices on premises, as described above.
IMPORTANT
Once an IPsec/IKE policy is specified on a connection, the Azure VPN gateway will only send or accept the IPsec/IKE
proposal with specified cryptographic algorithms and key strengths on that particular connection. Make sure your on-
premises VPN device for the connection uses or accepts the exact policy combination, otherwise the S2S VPN tunnel will
not establish.
See Create a VNet-to-VNet connection for more detailed steps for creating a VNet-to-VNet connection. You
must complete Part 3 to create and configure TestVNet1 and the VPN Gateway.
Step 1 - Create the second virtual network and VPN gateway
1. Declare your variables
Be sure to replace the values with the ones that you want to use for your configuration.
$RG2 = "TestPolicyRG2"
$Location2 = "East US 2"
$VNetName2 = "TestVNet2"
$FESubName2 = "FrontEnd"
$BESubName2 = "Backend"
$GWSubName2 = "GatewaySubnet"
$VNetPrefix21 = "10.21.0.0/16"
$VNetPrefix22 = "10.22.0.0/16"
$FESubPrefix2 = "10.21.0.0/24"
$BESubPrefix2 = "10.22.0.0/24"
$GWSubPrefix2 = "10.22.255.0/27"
$DNS2 = "8.8.8.8"
$GWName2 = "VNet2GW"
$GW2IPName1 = "VNet2GWIP1"
$GW2IPconf1 = "gw2ipconf1"
$Connection21 = "VNet2toVNet1"
$Connection12 = "VNet1toVNet2"
2. Create the second virtual network and VPN gateway in the new resource group
New-AzureRmResourceGroup -Name $RG2 -Location $Location2
IMPORTANT
Once an IPsec/IKE policy is specified on a connection, the Azure VPN gateway will only send or accept the IPsec/IKE
proposal with specified cryptographic algorithms and key strengths on that particular connection. Make sure the IPsec
policies for both connections are the same, otherwise the VNet-to-VNet connection will not establish.
After completing these steps, the connection is established in a few minutes, and you will have the following
network topology as shown in the beginning:
Part 5 - Update IPsec/IKE policy for a connection
The last section shows you how to manage IPsec/IKE policy for an existing S2S or VNet-to-VNet connection.
The exercise below walks you through the following operations on a connection:
1. Show the IPsec/IKE policy of a connection
2. Add or update the IPsec/IKE policy to a connection
3. Remove the IPsec/IKE policy from a connection
The same steps apply to both S2S and VNet-to-VNet connections.
IMPORTANT
IPsec/IKE policy is supported on Standard and HighPerformance route-based VPN gateways only. It does not work on the
Basic gateway SKU or the policy-based VPN gateway.
$RG1 = "TestPolicyRG1"
$Connection16 = "VNet1toSite6"
$connection6 = Get-AzureRmVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1
$connection6.IpsecPolicies
The last command lists the current IPsec/IKE policy configured on the connection, if there is any. The following is
a sample output for the connection:
SALifeTimeSeconds : 14400
SADataSizeKilobytes : 102400000
IpsecEncryption : AES256
IpsecIntegrity : SHA256
IkeEncryption : AES256
IkeIntegrity : SHA384
DhGroup : DHGroup24
PfsGroup : PFS24
If there is no IPsec/IKE policy configured, the command (PS> $connection6.policy) gets an empty return. It does
not mean IPsec/IKE is not configured on the connection, but that there is no custom IPsec/IKE policy. The actual
connection uses the default policy negotiated between your on-premises VPN device and the Azure VPN
gateway.
2. Add or update an IPsec/IKE policy for a connection
The steps to add a new policy or update an existing policy on a connection are the same: create a new policy then
apply the new policy to the connection.
$RG1 = "TestPolicyRG1"
$Connection16 = "VNet1toSite6"
$connection6 = Get-AzureRmVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1
You can get the connection again to check if the policy is updated.
You should see the output from the last line, as shown in the following example:
SALifeTimeSeconds : 14400
SADataSizeKilobytes : 102400000
IpsecEncryption : AES256
IpsecIntegrity : SHA256
IkeEncryption : AES128
IkeIntegrity : SHA1
DhGroup : DHGroup14
PfsGroup : None
$RG1 = "TestPolicyRG1"
$Connection16 = "VNet1toSite6"
$connection6 = Get-AzureRmVirtualNetworkGatewayConnection -Name $Connection16 -ResourceGroupName $RG1
$currentpolicy = $connection6.IpsecPolicies[0]
$connection6.IpsecPolicies.Remove($currentpolicy)
You can use the same script to check if the policy has been removed from the connection.
Next steps
See Connect multiple on-premises policy-based VPN devices for more details regarding policy-based traffic
selectors.
Once your connection is complete, you can add virtual machines to your virtual networks. See Create a Virtual
Machine for steps.
Configure active-active S2S VPN connections with
Azure VPN Gateways
7/25/2018 • 14 minutes to read • Edit Online
This article walks you through the steps to create active-active cross-premises and VNet-to-VNet connections
using the Resource Manager deployment model and PowerShell.
IMPORTANT
The active-active mode uses only the following SKUs:
VpnGw1, VpnGw2, VpnGw3
HighPerformance (for old legacy SKUs)
$Sub1 = "Ross"
$RG1 = "TestAARG1"
$Location1 = "West US"
$VNetName1 = "TestVNet1"
$FESubName1 = "FrontEnd"
$BESubName1 = "Backend"
$GWSubName1 = "GatewaySubnet"
$VNetPrefix11 = "10.11.0.0/16"
$VNetPrefix12 = "10.12.0.0/16"
$FESubPrefix1 = "10.11.0.0/24"
$BESubPrefix1 = "10.12.0.0/24"
$GWSubPrefix1 = "10.12.255.0/27"
$VNet1ASN = 65010
$DNS1 = "8.8.8.8"
$GWName1 = "VNet1GW"
$GW1IPName1 = "VNet1GWIP1"
$GW1IPName2 = "VNet1GWIP2"
$GW1IPconf1 = "gw1ipconf1"
$GW1IPconf2 = "gw1ipconf2"
$Connection12 = "VNet1toVNet2"
$Connection151 = "VNet1toSite5_1"
$Connection152 = "VNet1toSite5_2"
Connect-AzureRmAccount
Select-AzureRmSubscription -SubscriptionName $Sub1
New-AzureRmResourceGroup -Name $RG1 -Location $Location1
3. Create TestVNet1
The sample below creates a virtual network named TestVNet1 and three subnets, one called GatewaySubnet, one
called FrontEnd, and one called Backend. When substituting values, it's important that you always name your
gateway subnet specifically GatewaySubnet. If you name it something else, your gateway creation fails.
Step 2 - Create the VPN gateway for TestVNet1 with active -active mode
1. Create the public IP addresses and gateway IP configurations
Request two public IP addresses to be allocated to the gateway you will create for your VNet. You'll also define the
subnet and IP configurations required.
$gw1pip1 = New-AzureRmPublicIpAddress -Name $GW1IPName1 -ResourceGroupName $RG1 -Location $Location1 -
AllocationMethod Dynamic
$gw1pip2 = New-AzureRmPublicIpAddress -Name $GW1IPName2 -ResourceGroupName $RG1 -Location $Location1 -
AllocationMethod Dynamic
3. Obtain the gateway public IP addresses and the BGP Peer IP address
Once the gateway is created, you will need to obtain the BGP Peer IP address on the Azure VPN Gateway. This
address is needed to configure the Azure VPN Gateway as a BGP Peer for your on-premises VPN devices.
Use the following cmdlets to show the two public IP addresses allocated for your VPN gateway, and their
corresponding BGP Peer IP addresses for each gateway instance:
PS D:\> $gw1pip1.IpAddress
40.112.190.5
PS D:\> $gw1pip2.IpAddress
138.91.156.129
PS D:\> $vnet1gw.BgpSettingsText
{
"Asn": 65010,
"BgpPeeringAddress": "10.12.255.4,10.12.255.5",
"PeerWeight": 0
}
The order of the public IP addresses for the gateway instances and the corresponding BGP Peering Addresses are
the same. In this example, the gateway VM with public IP of 40.112.190.5 will use 10.12.255.4 as its BGP Peering
Address, and the gateway with 138.91.156.129 will use 10.12.255.5. This information is needed when you set up
your on premises VPN devices connecting to the active-active gateway. The gateway is shown in the diagram
below with all addresses:
Once the gateway is created, you can use this gateway to establish active-active cross-premises or VNet-to-VNet
connection. The following sections walk through the steps to complete the exercise.
$RG5 = "TestAARG5"
$Location5 = "West US"
$LNGName51 = "Site5_1"
$LNGPrefix51 = "10.52.255.253/32"
$LNGIP51 = "131.107.72.22"
$LNGASN5 = 65050
$BGPPeerIP51 = "10.52.255.253"
The connection should be established after a few minutes, and the BGP peering session will start once the IPsec
connection is established. This example so far has configured only one on-premises VPN device, resulting in the
diagram shown below:
Step 3 - Connect two on-premises VPN devices to the active -active VPN gateway
If you have two VPN devices at the same on-premises network, you can achieve dual redundancy by connecting
the Azure VPN gateway to the second VPN device.
1. Create the second local network gateway for Site5
The gateway IP address, address prefix, and BGP peering address for the second local network gateway must not
overlap with the previous local network gateway for the same on-premises network.
$LNGName52 = "Site5_2"
$LNGPrefix52 = "10.52.255.254/32"
$LNGIP52 = "131.107.72.23"
$BGPPeerIP52 = "10.52.255.254"
3. VPN and BGP parameters for your second on-premises VPN device
Similarly, below lists the parameters you will enter into the second VPN device:
Once the connection (tunnels) are established, you will have dual redundant VPN devices and tunnels connecting
your on-premises network and Azure:
Create the VPN gateway with the AS number and the "EnableActiveActiveFeature" flag. Note that you must
override the default ASN on your Azure VPN gateways. The ASNs for the connected VNets must be different to
enable BGP and transit routing.
IMPORTANT
Be sure to enable BGP for BOTH connections.
After completing these steps, the connection will be establish in a few minutes, and the BGP peering session will
be up once the VNet-to-VNet connection is completed with dual redundancy:
$GWName = "TestVNetAA1GW"
$VNetName = "TestVNetAA1"
$RG = "TestVPNActiveActive01"
$GWIPName2 = "gwpip2"
$GWIPconf2 = "gw1ipconf2"
After declaring the variables, you can copy and paste this example to your PowerShell console.
$vnet = Get-AzureRmVirtualNetwork -Name $VNetName -ResourceGroupName $RG
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$gw = Get-AzureRmVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG
$location = $gw.Location
2. Create the public IP address, then add the second gateway IP configuration
When you are using this in your environment, if you don't need to resize the gateway, you won't need to specify
the -GatewaySku. Notice that in this step, you must set the gateway object in PowerShell to trigger the actual
update. This update can take 30 to 45 minutes, even if you are not resizing your gateway.
$GWName = "TestVNetAA1GW"
$RG = "TestVPNActiveActive01"
After declaring the variables, get the name of the IP configuration you want to remove.
Next steps
Once your connection is complete, you can add virtual machines to your virtual networks. See Create a Virtual
Machine for steps.
Create a zone-redundant virtual network gateway in
Azure Availability Zones - Preview
7/10/2018 • 8 minutes to read • Edit Online
You can deploy VPN and ExpressRoute gateways in Azure Availability Zones. This brings resiliency, scalability, and
higher availability to virtual network gateways. Deploying gateways in Azure Availability Zones physically and
logically separates gateways within a region, while protecting your on-premises network connectivity to Azure
from zone-level failures.
Zonal and zone-redundant gateways have fundamental performance improvements over regular virtual network
gateways. Additionally, creating a zone-redundant or zonal virtual network gateway is faster than creating other
gateways. Rather than taking 45 minutes, create times take approximately 15 minutes for an ExpressRoute
gateway, and 19 minutes for a VPN gateway.
Zone -redundant gateways
To automatically deploy your virtual network gateways across availability zones, you can use zone-redundant
virtual network gateways. With zone-redundant gateways, you can harness the 99.99% uptime SLA at GA to
access your mission-critical, scalable services on Azure.
Zonal gateways
To deploy gateways in a specific zone, you use zonal gateways. When you deploy a zonal gateway, both instances of
the gateway are deployed in the same Availability Zone.
Gateway SKUs
Zone-redundant and zonal gateways must use the new gateway SKUs. Once you self-enroll in the Preview, you will
see the new virtual network gateway SKUs in all of the Azure AZ regions. These SKUs are similar to the
corresponding SKUs for ExpressRoute and VPN Gateway, except that they are specific to zone-redundant and
zonal gateways.
The new gateway SKUs are:
VPN Gateway
VpnGw1AZ
VpnGw2AZ
VpnGw3AZ
ExpressRoute
ErGw1AZ
ErGw2AZ
ErGw3AZ
Public IP SKUs
Zone-redundant gateways and zonal gateways both rely on the Azure public IP resource Standard SKU. The
configuration of the Azure public IP resource determines whether the gateway that you deploy is zone-redundant,
or zonal. If you create a public IP resource with a Basic SKU, the gateway will not have any zone redundancy, and
the gateway resources will be regional.
Zone -redundant gateways
When you create a public IP address using the Standard public IP SKU without specifying a zone, the behavior
differs depending on whether the gateway is a VPN gateway, or an ExpressRoute gateway.
For a VPN gateway, the two gateway instances will be deployed in any 2 out of these three zones to provide
zone-redundancy.
For an ExpressRoute gateway, since there can be more than two instances, the gateway can span across all the
three zones.
Zonal gateways
When you create a public IP address using the Standard public IP SKU and specify the Zone (1, 2, or 3), all the
gateway instances will be deployed in the same zone.
Regional gateways
When you create a public IP address using the Basic public IP SKU, the gateway is deployed as a regional gateway
and does not have any zone-redundancy built into the gateway.
Click the Cloud Shell button on the menu in the upper right
of the Azure portal.
Connect-AzureRmAccount
If you have multiple Azure subscriptions, check the subscriptions for the account.
Get-AzureRmSubscription
Use the following command to verify that the 'AllowVMSSVirtualNetworkGateway' feature is registered with your
subscription:
$RG1 = "TestRG1"
$VNet1 = "VNet1"
$Location1 = "CentralUS"
$FESubnet1 = "FrontEnd"
$BESubnet1 = "Backend"
$GwSubnet1 = "GatewaySubnet"
$VNet1Prefix = "10.1.0.0/16"
$FEPrefix1 = "10.1.0.0/24"
$BEPrefix1 = "10.1.1.0/24"
$GwPrefix1 = "10.1.255.0/27"
$Gw1 = "VNet1GW"
$GwIP1 = "VNet1GWIP"
$GwIPConf1 = "gwipconf1"
$getvnet | Set-AzureRmVirtualNetwork
FAQ
How do I sign up for the Preview?
You can self-enroll using the PowerShell commands in this article.
What will change when I enroll?
From your perspective, during Preview, you can deploy your gateways with zone-redundancy. This means that all
instances of the gateways will be deployed across Azure Availability Zones, and each Availability Zone is a different
fault and update domain. This makes your gateways more reliable, available, and resilient to zone failures.
Can I use the Azure portal?
Yes, you can use the Azure portal for the Preview. However, you still need to enroll using PowerShell or you won't
be able to use the portal during Preview.
What regions are available for the Preview?
Zone-redundant and zonal gateways are available in production/Azure Public regions.
Will I be billed for participating in this Preview?
You will not be billed for your gateways during Preview. However, there is no SLA attached with your deployment.
We are very interested in hearing your feedback.
NOTE
For ExpressRoute gateways, the gateway is not billed/charged. However, the circuit itself (not the gateway) will be billed.
Next steps
We would appreciate your feedback. Send an email to aznetworkgateways@microsoft.com to report any issues or
provide feedback (positive or negative) for the zone-redundant and zonal VPN and Express Route gateways.
Include your company name in “[ ]” in the subject line. Also include your subscription ID if you are reporting an
issue.
How to configure BGP on Azure VPN Gateways
using PowerShell
4/18/2018 • 9 minutes to read • Edit Online
This article walks you through the steps to enable BGP on a cross-premises Site-to-Site (S2S ) VPN connection
and a VNet-to-VNet connection using the Resource Manager deployment model and PowerShell.
About BGP
BGP is the standard routing protocol commonly used in the Internet to exchange routing and reachability
information between two or more networks. BGP enables the Azure VPN Gateways and your on-premises VPN
devices, called BGP peers or neighbors, to exchange "routes" that will inform both gateways on the availability
and reachability for those prefixes to go through the gateways or routers involved. BGP can also enable transit
routing among multiple networks by propagating routes a BGP gateway learns from one BGP peer to all other
BGP peers.
See Overview of BGP with Azure VPN Gateways for more discussion on benefits of BGP and to understand the
technical requirements and considerations of using BGP.
You can combine parts together to build a more complex, multi-hop, transit network that meets your needs.
$Sub1 = "Replace_With_Your_Subcription_Name"
$RG1 = "TestBGPRG1"
$Location1 = "East US"
$VNetName1 = "TestVNet1"
$FESubName1 = "FrontEnd"
$BESubName1 = "Backend"
$GWSubName1 = "GatewaySubnet"
$VNetPrefix11 = "10.11.0.0/16"
$VNetPrefix12 = "10.12.0.0/16"
$FESubPrefix1 = "10.11.0.0/24"
$BESubPrefix1 = "10.12.0.0/24"
$GWSubPrefix1 = "10.12.255.0/27"
$VNet1ASN = 65010
$DNS1 = "8.8.8.8"
$GWName1 = "VNet1GW"
$GWIPName1 = "VNet1GWIP"
$GWIPconfName1 = "gwipconf1"
$Connection12 = "VNet1toVNet2"
$Connection15 = "VNet1toSite5"
Connect-AzureRmAccount
Select-AzureRmSubscription -SubscriptionName $Sub1
New-AzureRmResourceGroup -Name $RG1 -Location $Location1
3. Create TestVNet1
The following sample creates a virtual network named TestVNet1 and three subnets, one called GatewaySubnet,
one called FrontEnd, and one called Backend. When substituting values, it's important that you always name your
gateway subnet specifically GatewaySubnet. If you name it something else, your gateway creation fails.
$fesub1 = New-AzureRmVirtualNetworkSubnetConfig -Name $FESubName1 -AddressPrefix $FESubPrefix1 $besub1 = New-
AzureRmVirtualNetworkSubnetConfig -Name $BESubName1 -AddressPrefix $BESubPrefix1
$gwsub1 = New-AzureRmVirtualNetworkSubnetConfig -Name $GWSubName1 -AddressPrefix $GWSubPrefix1
Step 2 - Create the VPN Gateway for TestVNet1 with BGP parameters
1. Create the IP and subnet configurations
Request a public IP address to be allocated to the gateway you will create for your VNet. You'll also define the
required subnet and IP configurations.
The last command shows the corresponding BGP configurations on the Azure VPN Gateway; for example:
$vnet1gw.BgpSettingsText
{
"Asn": 65010,
"BgpPeeringAddress": "10.12.255.30",
"PeerWeight": 0
}
Once the gateway is created, you can use this gateway to establish cross-premises connection or VNet-to-VNet
connection with BGP. The following sections walk through the steps to complete the exercise.
$RG5 = "TestBGPRG5"
$Location5 = "East US 2"
$LNGName5 = "Site5"
$LNGPrefix50 = "10.52.255.254/32"
$LNGIP5 = "Your_VPN_Device_IP"
$LNGASN5 = 65050
$BGPPeerIP5 = "10.52.255.254"
The following example lists the parameters you enter into the BGP configuration section on your on-premises
VPN device for this exercise:
The connection is established after a few minutes, and the BGP peering session starts once the IPsec connection
is established.
The following instructions continue from the previous steps. You must complete Part I to create and configure
TestVNet1 and the VPN Gateway with BGP.
Step 1 - Create TestVNet2 and the VPN gateway
It is important to make sure that the IP address space of the new virtual network, TestVNet2, does not overlap
with any of your VNet ranges.
In this example, the virtual networks belong to the same subscription. You can set up VNet-to-VNet connections
between different subscriptions. For more information, see Configure a VNet-to-VNet connection. Make sure you
add the "-EnableBgp $True" when creating the connections to enable BGP.
1. Declare your variables
Be sure to replace the values with the ones that you want to use for your configuration.
$RG2 = "TestBGPRG2"
$Location2 = "West US"
$VNetName2 = "TestVNet2"
$FESubName2 = "FrontEnd"
$BESubName2 = "Backend"
$GWSubName2 = "GatewaySubnet"
$VNetPrefix21 = "10.21.0.0/16"
$VNetPrefix22 = "10.22.0.0/16"
$FESubPrefix2 = "10.21.0.0/24"
$BESubPrefix2 = "10.22.0.0/24"
$GWSubPrefix2 = "10.22.255.0/27"
$VNet2ASN = 65020
$DNS2 = "8.8.8.8"
$GWName2 = "VNet2GW"
$GWIPName2 = "VNet2GWIP"
$GWIPconfName2 = "gwipconf2"
$Connection21 = "VNet2toVNet1"
$Connection12 = "VNet1toVNet2"
Create the VPN gateway with the AS number. You must override the default ASN on your Azure VPN gateways.
The ASNs for the connected VNets must be different to enable BGP and transit routing.
IMPORTANT
Be sure to enable BGP for BOTH connections.
After completing these steps, the connection is established after a few minutes. The BGP peering session is up
once the VNet-to-VNet connection is completed.
If you completed all three parts of this exercise, you have established the following network topology:
Next steps
Once your connection is complete, you can add virtual machines to your virtual networks. See Create a Virtual
Machine for steps.
How to configure BGP on an Azure VPN gateway by
using CLI
10/5/2017 • 10 minutes to read • Edit Online
This article helps you enable BGP on a cross-premises Site-to-Site (S2S ) VPN connection and a VNet-to-VNet
connection (that is, a connection between virtual networks) by using the Azure Resource Manager deployment
model and Azure CLI.
About BGP
BGP is the standard routing protocol commonly used on the internet to exchange routing and reachability
information between two or more networks. BGP enables the VPN gateways and your on-premises VPN devices,
called BGP peers or neighbors, to exchange routes. The routes inform both gateways about the availability and
reachability for prefixes to go through the gateways or routers involved. BGP can also enable transit routing
among multiple networks by propagating the routes that a BGP gateway learns from one BGP peer, to all other
BGP peers.
For more information on the benefits of BGP, and to understand the technical requirements and considerations of
using BGP, see Overview of BGP with Azure VPN gateways.
This article helps you with the following tasks:
Enable BGP for your VPN gateway (required)
You can then complete either of the following sections, or both:
Establish a cross-premises connection with BGP
Establish a VNet-to-VNet connection with BGP
Each of these three sections forms a basic building block for enabling BGP in your network connectivity. If you
complete all three sections, you build the topology as shown in the following diagram:
You can combine these sections to build a more complex multihop transit network that meets your needs.
az login
If you have more than one Azure subscription, list the subscriptions for the account.
3. Create TestVNet1
The following example creates a virtual network named TestVNet1 and three subnets: GatewaySubnet, FrontEnd,
and BackEnd. When you're substituting values, it's important that you always name your gateway subnet
specifically GatewaySubnet. If you name it something else, your gateway creation fails.
The first command creates the front-end address space and the FrontEnd subnet. The second command creates an
additional address space for the BackEnd subnet. The third and fourth commands create the BackEnd subnet and
GatewaySubnet.
az network vnet subnet create --vnet-name TestVNet1 -n BackEnd -g TestBGPRG1 --address-prefix 10.12.0.0/24
az network vnet-gateway create -n VNet1GW -l eastus --public-ip-address GWPubIP -g TestBGPRG1 --vnet TestVNet1
--gateway-type Vpn --sku HighPerformance --vpn-type RouteBased --asn 65010 --no-wait
"bgpSettings": {
"asn": 65010,
"bgpPeeringAddress": "10.12.255.30",
"peerWeight": 0
}
After the gateway is created, you can use this gateway to establish a cross-premises connection or a VNet-to-VNet
connection with BGP.
In the output, find the "id": line. You need the values within the quotation marks to create the connection in the
next section.
Example output:
{
"activeActive": false,
"bgpSettings": {
"asn": 65010,
"bgpPeeringAddress": "10.12.255.30",
"peerWeight": 0
},
"enableBgp": true,
"etag": "W/\"<your etag number>\"",
"gatewayDefaultSite": null,
"gatewayType": "Vpn",
"id": "/subscriptions/<subscription
ID>/resourceGroups/TestBGPRG1/providers/Microsoft.Network/virtualNetworkGateways/VNet1GW",
Copy the values after "id": to a text editor, such as Notepad, so that you can easily paste them when creating your
connection.
"id": "/subscriptions/<subscription
ID>/resourceGroups/TestRG1/providers/Microsoft.Network/virtualNetworkGateways/VNet1GW"
For this exercise, the following example lists the parameters to enter in the BGP configuration section of your on-
premises VPN device:
The connection should be established after a few minutes. The BGP peering session starts after the IPsec
connection is established.
The following instructions continue from the steps in the preceding sections. To create and configure TestVNet1
and the VPN gateway with BGP, you must complete the Enable BGP for your VPN gateway section.
Step 1: Create TestVNet2 and the VPN gateway
It's important to make sure that the IP address space of the new virtual network, TestVNet2, does not overlap with
any of your VNet ranges.
In this example, the virtual networks belong to the same subscription. You can set up VNet-to-VNet connections
between different subscriptions. To learn more, see Configure a VNet-to-VNet connection. Make sure that you add
-EnableBgp $True when creating the connections to enable BGP.
az network vnet subnet create --vnet-name TestVNet2 -n BackEnd -g TestBGPRG2 --address-prefix 10.22.0.0/24
az network vnet-gateway create -n VNet2GW -l westus --public-ip-address GWPubIP2 -g TestBGPRG2 --vnet TestVNet2
--gateway-type Vpn --sku Standard --vpn-type RouteBased --asn 65020 --no-wait
IMPORTANT
Enable BGP for both connections.
After you complete these steps, the connection will be established in a few minutes. The BGP peering session will
be up after the VNet-to-VNet connection is completed.
Next steps
After your connection is completed, you can add virtual machines to your virtual networks. For steps, see Create a
virtual machine.
Configure forced tunneling using the Azure Resource
Manager deployment model
2/1/2018 • 6 minutes to read • Edit Online
Forced tunneling lets you redirect or "force" all Internet-bound traffic back to your on-premises location via a Site-
to-Site VPN tunnel for inspection and auditing. This is a critical security requirement for most enterprise IT
policies. Without forced tunneling, Internet-bound traffic from your VMs in Azure always traverses from Azure
network infrastructure directly out to the Internet, without the option to allow you to inspect or audit the traffic.
Unauthorized Internet access can potentially lead to information disclosure or other types of security breaches.
Azure currently works with two deployment models: Resource Manager and classic. The two models are not
completely compatible with each other. Before you begin, you need to know which model that you want to work in.
For information about the deployment models, see Understanding deployment models. If you are new to Azure,
we recommend that you use the Resource Manager deployment model.
This article walks you through configuring forced tunneling for virtual networks created using the Resource
Manager deployment model. Forced tunneling can be configured by using PowerShell, not through the portal. If
you want to configure forced tunneling for the classic deployment model, select classic article from the following
dropdown list:
In the example above, the Frontend subnet is not forced tunneled. The workloads in the Frontend subnet can
continue to accept and respond to customer requests from the Internet directly. The Mid-tier and Backend subnets
are forced tunneled. Any outbound connections from these two subnets to the Internet will be forced or redirected
back to an on-premises site via one of the S2S VPN tunnels.
This allows you to restrict and inspect Internet access from your virtual machines or cloud services in Azure, while
continuing to enable your multi-tier service architecture required. If there are no Internet-facing workloads in your
virtual networks, you also can apply forced tunneling to the entire virtual networks.
Configuration overview
The following procedure helps you create a resource group and a VNet. You'll then create a VPN gateway and
configure forced tunneling. In this procedure, the virtual network 'MultiTier-VNet' has three subnets: 'Frontend',
'Midtier', and 'Backend', with four cross-premises connections: 'DefaultSiteHQ', and three Branches.
The procedure steps set the 'DefaultSiteHQ' as the default site connection for forced tunneling, and configure the
'Midtier' and 'Backend' subnets to use forced tunneling.
IMPORTANT
Installing the latest version of the PowerShell cmdlets is required. Otherwise, you may receive validation errors when running
some of the cmdlets.
To log in
Before beginning this configuration, you must sign in to your Azure account. The cmdlet prompts you for the sign-
in credentials for your Azure account. After signing in, it downloads your account settings so they are available to
Azure PowerShell. For more information, see Using Windows PowerShell with Resource Manager.
To sign in, open your PowerShell console with elevated privileges, and connect to your account. Use the following
example to help you connect:
Connect-AzureRmAccount
If you have multiple Azure subscriptions, check the subscriptions for the account.
Get-AzureRmSubscription
6. Create the virtual network gateway. This step takes some time to complete, sometimes 45 minutes or more,
because you are creating and configuring the gateway. If you see ValidateSet errors regarding the
GatewaySKU value, verify that you have installed the latest version of the PowerShell cmdlets. The latest
version of the PowerShell cmdlets contains the new validated values for the latest Gateway SKUs.
7. Assign a default site to the virtual network gateway. The -GatewayDefaultSite is the cmdlet parameter
that allows the forced routing configuration to work, so take care to configure this setting properly.
Forced tunneling lets you redirect or "force" all Internet-bound traffic back to your on-premises location via a Site-
to-Site VPN tunnel for inspection and auditing. This is a critical security requirement for most enterprise IT policies.
Without forced tunneling, Internet-bound traffic from your VMs in Azure will always traverse from Azure network
infrastructure directly out to the Internet, without the option to allow you to inspect or audit the traffic.
Unauthorized Internet access can potentially lead to information disclosure or other types of security breaches.
Azure currently works with two deployment models: Resource Manager and classic. The two models are not
completely compatible with each other. Before you begin, you need to know which model that you want to work in.
For information about the deployment models, see Understanding deployment models. If you are new to Azure, we
recommend that you use the Resource Manager deployment model.
This article walks you through configuring forced tunneling for virtual networks created using the classic
deployment model. Forced tunneling can be configured by using PowerShell, not through the portal. If you want to
configure forced tunneling for the Resource Manager deployment model, select classic article from the following
dropdown list:
Configuration overview
In the following example, the Frontend subnet is not forced tunneled. The workloads in the Frontend subnet can
continue to accept and respond to customer requests from the Internet directly. The Mid-tier and Backend subnets
are forced tunneled. Any outbound connections from these two subnets to the Internet will be forced or redirected
back to an on-premises site via one of the S2S VPN tunnels.
This allows you to restrict and inspect Internet access from your virtual machines or cloud services in Azure, while
continuing to enable your multi-tier service architecture required. You also can apply forced tunneling to the entire
virtual networks if there are no Internet-facing workloads in your virtual networks.
In this example, the virtual network 'MultiTier-VNet' has three subnets: 'Frontend', 'Midtier', and 'Backend' subnets,
with four cross premises connections: 'DefaultSiteHQ', and three Branches.
The steps will set the 'DefaultSiteHQ' as the default site connection for forced tunneling, and configure the Midtier
and Backend subnets to use forced tunneling.
1. Create a routing table. Use the following cmdlet to create your route table.
New-AzureRouteTable –Name "MyRouteTable" –Label "Routing Table for Forced Tunneling" –Location "North
Europe"
$DefaultSite = @("DefaultSiteHQ")
Set-AzureVNetGatewayDefaultSite –VNetName "MultiTier-VNet" –DefaultSite "DefaultSiteHQ"
This article helps you configure gateway transit for virtual network peering. Virtual network peering seamlessly
connects two Azure virtual networks, merging the two virtual networks into one for connectivity purposes.
Gateway transit is a peering property that enables one virtual network to utilize the VPN gateway in the peered
virtual network for cross-premises or VNet-to-VNet connectivity. The following diagram shows how gateway
transit works with virtual network peering.
In the diagram, gateway transit allows the peered virtual networks to use the Azure VPN gateway in Hub-RM.
Connectivity available on the VPN gateway, including S2S, P2S, and VNet-to-VNet connections, applies to all three
virtual networks. The transit option is available for peering between the same or different deployment models. The
constraint is that the VPN gateway can only be in the virtual network using Resource Manager deployment model,
as shown in the diagram.
In hub-and-spoke network architecture, gateway transit allows spoke virtual networks to share the VPN gateway in
the hub, instead of deploying VPN gateways in every spoke virtual network. Routes to the gateway-connected
virtual networks or on-premises networks will propagate to the routing tables for the peered virtual networks
using gateway transit. You can disable the automatic route propagation from the VPN gateway. Create a routing
table with the "Disable BGP route propagation" option, and associate the routing table to the subnets to prevent
the route distribution to those subnets. For more information, see Virtual network routing table.
There are two scenarios described in this document:
1. Both virtual networks are using the Resource Manager deployment model
2. The spoke virtual network is classic, and the hub virtual network with gateway is in Resource Manager
IMPORTANT
Gateway transit is currently not supported with global virtual network peering.
Requirements
The example in this document requires the following resources to be created:
1. Hub-RM virtual network with a VPN gateway
2. Spoke-RM virtual network
3. Spoke-Classic virtual network with the classic deployment model
4. The account you use requires the necessary roles and permission. See the Permissions section of this article for
details.
Refer to the following documents for instructions:
1. Create a VPN gateway in a virtual network
2. Create virtual network peering with the same deployment model
3. Create virtual network peering with different deployment models
Permissions
The accounts you use to create a virtual network peering must have the necessary roles or permissions. In the
example below, if you were peering two virtual networks named Hub-RM and Spoke-Classic, your account must
have the following roles or permissions for each virtual network:
Learn more about built-in roles and assigning specific permissions to custom roles (Resource Manager only).
Add-AzureRmVirtualNetworkPeering `
-Name SpokeRMtoHubRM `
-VirtualNetwork $spokermvnet `
-RemoteVirtualNetworkId $hubrmvnet.Id `
-UseRemoteGateways
Add-AzureRmVirtualNetworkPeering `
-Name HubRMToSpokeRM `
-VirtualNetwork $hubrmvnet `
-RemoteVirtualNetworkId $spokermvnet.Id `
-AllowGatewayTransit
$HubRG = "HubRG1"
$HubRM = "Hub-RM"
Add-AzureRmVirtualNetworkPeering `
-Name HubRMToSpokeRM `
-VirtualNetwork $hubrmvnet `
-RemoteVirtualNetworkId "/subscriptions/<subscription Id>/resourceGroups/Default-
Networking/providers/Microsoft.ClassicNetwork/virtualNetworks/Spoke-Classic" `
-AllowGatewayTransit
Next steps
Learn more about virtual network peering constraints and behaviors and virtual network peering settings
before creating a virtual network peering for production use.
Learn how to create a hub and spoke network topology with virtual network peering and gateway transit.
Modify local network gateway settings using the
Azure portal
8/15/2017 • 3 minutes to read • Edit Online
Sometimes the settings for your local network gateway AddressPrefix or GatewayIPAddress change. This article
shows you how to modify your local network gateway settings. You can also modify these settings using a different
method by selecting a different option from the following list:
Next steps
You can verify your gateway connection. See Verify a gateway connection.
Modify local network gateway settings using
PowerShell
8/15/2017 • 3 minutes to read • Edit Online
Sometimes the settings for your local network gateway AddressPrefix or GatewayIPAddress change. This article
shows you how to modify your local network gateway settings. You can also modify these settings using a
different method by selecting a different option from the following list:
3. Create the connection. In this example, we configure an IPsec connection type. When you recreate your
connection, use the connection type that is specified for your configuration. For additional connection types,
see the PowerShell cmdlet page.
Set the variable for the VirtualNetworkGateway.
Create the connection. This example uses the variable $local that you set in step 2.
2. Modify the 'GatewayIpAddress' value. You can also modify the address prefixes at the same time. Be sure
to use the existing name of your local network gateway to overwrite the current settings. If you don't, you
create a new local network gateway, instead of overwriting the existing one.
New-AzureRmLocalNetworkGateway -Name Site1 `
-Location "East US" -AddressPrefix @('10.101.0.0/24','10.101.1.0/24') `
-GatewayIpAddress "104.40.81.124" -ResourceGroupName TestRG1
3. Create the connection. In this example, we configure an IPsec connection type. When you recreate your
connection, use the connection type that is specified for your configuration. For additional connection types,
see the PowerShell cmdlet page. To obtain the VirtualNetworkGateway name, you can run the 'Get-
AzureRmVirtualNetworkGateway' cmdlet.
Set the variables.
Next steps
You can verify your gateway connection. See Verify a gateway connection.
Modify local network gateway settings using the
Azure CLI
11/29/2017 • 2 minutes to read • Edit Online
Sometimes the settings for your local network gateway Address Prefix or Gateway IP Address change. This article
shows you how to modify your local network gateway settings. You can also modify these settings using a
different method by selecting a different option from the following list:
az login
If you have more than one Azure subscription, list the subscriptions for the account.
"gatewayIpAddress": "23.99.222.170",
Next steps
You can verify your gateway connection. See Verify a gateway connection.
Create a route-based VPN gateway using the Azure
portal
4/9/2018 • 3 minutes to read • Edit Online
This article helps you quickly create a route-based Azure VPN gateway using the Azure portal. A VPN gateway is
used when creating a VPN connection to your on-premises network. You can also use a VPN gateway to connect
VNets.
The steps in this article will create a VNet, a subnet, a gateway subnet, and a route-based VPN gateway (virtual
network gateway). Once the gateway creation has completed, you can then create connections. These steps require
an Azure subscription. If you don't have an Azure subscription, create a free account before you begin.
4. The Name for your subnet is automatically filled in with the required value 'GatewaySubnet'. Adjust the
auto-filled Address range values to match the following values:
Address range (CIDR block): 10.1.255.0/27
Next steps
Once the gateway has finished creating, you can create a connection between your virtual network and another
VNet. Or, create a connection between your virtual network and an on-premises location.
Create a site-to-site connection
This article helps you quickly create a route-based Azure VPN gateway using PowerShell. A VPN gateway is used
when creating a VPN connection to your on-premises network. You can also use a VPN gateway to connect VNets.
The steps in this article will create a VNet, a subnet, a gateway subnet, and a route-based VPN gateway (virtual
network gateway). Once the gateway creation has completed, you can then create connections. These steps require
an Azure subscription. If you don't have an Azure subscription, create a free account before you begin.
Click the Cloud Shell button on the menu in the upper right
of the Azure portal.
If you choose to install and use the PowerShell locally, this tutorial requires the Azure PowerShell module version
5.3.0 or later. Run Get-Module -ListAvailable AzureRM to find the version. If you need to upgrade, see Install Azure
PowerShell module. If you are running PowerShell locally, you also need to run Connect-AzureRmAccount to create a
connection with Azure.
$virtualNetwork = New-AzureRmVirtualNetwork `
-ResourceGroupName TestRG1 `
-Location EastUS `
-Name VNet1 `
-AddressPrefix 10.1.0.0/16
Create a subnet configuration using the New -AzureRmVirtualNetworkSubnetConfig cmdlet.
$subnetConfig = Add-AzureRmVirtualNetworkSubnetConfig `
-Name Frontend `
-AddressPrefix 10.1.0.0/24 `
-VirtualNetwork $virtualNetwork
Set the subnet configuration for the virtual network using the Set-AzureRmVirtualNetwork cmdlet.
$virtualNetwork | Set-AzureRmVirtualNetwork
Set the subnet configuration for the virtual network using the Set-AzureRmVirtualNetwork cmdlet.
$virtualNetwork | Set-AzureRmVirtualNetwork
Name :VNet1GW
ResourceGroupName :TestRG1
Location :eastus
Id :/subscriptions/<subscription ID>/resourceGroups/TestRG1/provide
rs/Microsoft.Network/virtualNetworkGateways/VNet1GW
Etag : W/"0952d-9da8-4d7d-a8ed-28c8ca0413"
ResourceGuid : dc6ce1de-2c4494-9d0b-20b03ac595
ProvisioningState : Succeeded
Tags :
IpConfigurations : [
{
"PrivateIpAllocationMethod": "Dynamic",
"Subnet": {
"Id": "/subscriptions/<subscription ID>/resourceGroups/Te
stRG1/providers/Microsoft.Network/virtualNetworks/VNet1/subnets/GatewaySubnet"
},
"PublicIpAddress": {
"Id": "/subscriptions/<subscription ID>/resourceGroups/Te
stRG1/providers/Microsoft.Network/publicIPAddresses/VNet1GWIP"
},
"Name": "default",
"Etag": "W/\"0952d-9da8-4d7d-a8ed-28c8ca0413\"",
"Id": "/subscriptions/<subscription ID>/resourceGroups/Test
RG1/providers/Microsoft.Network/virtualNetworkGateways/VNet1GW/ipConfigurations/de
fault"
}
]
GatewayType : Vpn
VpnType : RouteBased
EnableBgp : False
ActiveActive : False
GatewayDefaultSite : null
Sku : {
"Capacity": 2,
"Name": "VpnGw1",
"Tier": "VpnGw1"
}
VpnClientConfiguration : null
BgpSettings : {
Name :VNet1GWIP
ResourceGroupName :TestRG1
Location :eastus
Id :/subscriptions/<subscription ID>/resourceGroups/TestRG1/provi
ders/Microsoft.Network/publicIPAddresses/VNet1GWIP
Etag : W/"5001666a-bc2a-484b-bcf5-ad488dabd8ca"
ResourceGuid : 3c7c481e-9828-4dae-abdc-f95b383
ProvisioningState : Succeeded
Tags :
PublicIpAllocationMethod : Dynamic
IpAddress : 13.90.153.3
PublicIpAddressVersion : IPv4
IdleTimeoutInMinutes : 4
IpConfiguration : {
"Id": "/subscriptions/<subscription ID>/resourceGroups/Test
RG1/providers/Microsoft.Network/virtualNetworkGateways/VNet1GW/ipConfigurations/
default"
}
DnsSettings : null
Zones : {}
Sku : {
"Name": "Basic"
}
IpTags : {}
Clean up resources
When you no longer need the resources you created, use the Remove-AzureRmResourceGroup command to
delete the resource group. This will delete the resource group and all of the resources it contains.
Next steps
Once the gateway has finished creating, you can create a connection between your virtual network and another
VNet. Or, create a connection between your virtual network and an on-premises location.
Create a site-to-site connection
This article helps you quickly create a route-based Azure VPN gateway using the Azure CLI. A VPN gateway is
used when creating a VPN connection to your on-premises network. You can also use a VPN gateway to connect
VNets.
The steps in this article will create a VNet, a subnet, a gateway subnet, and a route-based VPN gateway (virtual
network gateway). A virtual network gateway can take 45 minutes or more to create. Once the gateway creation
has completed, you can then create connections. These steps require an Azure subscription. If you don't have an
Azure subscription, create a free account before you begin.
If you choose to install and use the CLI locally, this article requires that you are running the Azure CLI version 2.0.4
or later. To find the installed version, run az --version . If you need to install or upgrade, see Install Azure CLI 2.0.
{
"activeActive": false,
"bgpSettings": null,
"enableBgp": false,
"etag": "W/\"6c61f8cb-d90f-4796-8697\"",
"gatewayDefaultSite": null,
"gatewayType": "Vpn",
"id": "/subscriptions/<subscription
ID>/resourceGroups/TestRG11/providers/Microsoft.Network/virtualNetworkGateways/VNet1GW",
"ipConfigurations": [
{
"etag": "W/\"6c61f8cb-d90f-4796-8697\"",
"id": "/subscriptions/<subscription
ID>/resourceGroups/TestRG11/providers/Microsoft.Network/virtualNetworkGateways/VNet1GW/ipConfigurations/vnetGat
ewayConfig0",
"name": "vnetGatewayConfig0",
"privateIpAllocationMethod": "Dynamic",
"provisioningState": "Updating",
"publicIpAddress": {
"id": "/subscriptions/<subscription
ID>/resourceGroups/TestRG11/providers/Microsoft.Network/publicIPAddresses/VNet1GWIP",
"resourceGroup": "TestRG1"
},
"resourceGroup": "TestRG1",
"subnet": {
"id": "/subscriptions/<subscription
ID>/resourceGroups/TestRG11/providers/Microsoft.Network/virtualNetworks/VNet1/subnets/GatewaySubnet",
"resourceGroup": "TestRG1"
}
}
],
"location": "eastus",
"name": "VNet1GW",
"provisioningState": "Updating",
"resourceGroup": "TestRG1",
"resourceGuid": "69c269e3-622c-4123-9231",
"sku": {
"capacity": 2,
"name": "VpnGw1",
"tier": "VpnGw1"
},
"tags": null,
"type": "Microsoft.Network/virtualNetworkGateways",
"vpnClientConfiguration": null,
"vpnType": "RouteBased"
}
The value associated with the ipAddress field is the public IP address of your VPN gateway.
Example response:
{
"dnsSettings": null,
"etag": "W/\"a12d4d03-b27a-46cc-b222-8d9364b8166a\"",
"id": "/subscriptions/<subscription
ID>/resourceGroups/TestRG1/providers/Microsoft.Network/publicIPAddresses/VNet1GWIP",
"idleTimeoutInMinutes": 4,
"ipAddress": "13.90.195.184",
"ipConfiguration": {
"etag": null,
"id": "/subscriptions/<subscription
ID>/resourceGroups/TestRG1/providers/Microsoft.Network/virtualNetworkGateways/VNet1GW/ipConfigurations/vnetGate
wayConfig0",
Clean up resources
When you no longer need the resources you created, use az group delete to delete the resource group. This will
delete the resource group and all of the resources it contains.
Next steps
Once the gateway has finished creating, you can create a connection between your virtual network and another
VNet. Or, create a connection between your virtual network and an on-premises location.
Create a site-to-site connection
This article shows you how to verify a VPN gateway connection for both the classic and Resource Manager
deployment models.
Azure portal
In the Azure portal, you can view the connection status of a Resource Manager VPN Gateway by navigating to the
connection. The following steps show one way to navigate to your connection and verify.
1. In the Azure portal, click All resources and navigate to your virtual network gateway.
2. On the blade for your virtual network gateway, click Connections. You can see the status of each connection.
3. Click the name of the connection that you want to verify to open Essentials. In Essentials, you can view
more information about your connection. The Status is 'Succeeded' and 'Connected' when you have made
a successful connection.
PowerShell
To verify a VPN gateway connection for the Resource Manager deployment model using PowerShell, install the
latest version of the Azure Resource Manager PowerShell cmdlets.
You can verify that your connection succeeded by using the 'Get-AzureRmVirtualNetworkGatewayConnection'
cmdlet, with or without '-Debug'.
1. Use the following cmdlet example, configuring the values to match your own. If prompted, select 'A' in
order to run 'All'. In the example, '-Name' refers to the name of the connection that you want to test.
2. After the cmdlet has finished, view the values. In the example below, the connection status shows as
'Connected' and you can see ingress and egress bytes.
"connectionStatus": "Connected",
"ingressBytesTransferred": 33509044,
"egressBytesTransferred": 4142431
Azure CLI
To verify a VPN gateway connection for the Resource Manager deployment model using Azure CLI, install the
latest version of the CLI commands (2.0 or later).
You can verify that your connection succeeded by using the az network vpn-connection show command. In the
example,'--name'refers to the name of the connection that you want to test. When the connection is in the process
of being established, its connection status shows 'Connecting'. Once the connection is established, the status
changes to 'Connected'.
4. On the Site-to-site VPN connections blade, view the information about your site.
5. To view more information about the connection, click the name of the connection to open the Site-to-site
VPN Connection blade.
PowerShell (classic)
To verify your VPN gateway connection for the classic deployment model using PowerShell, install the latest
versions of the Azure PowerShell cmdlets. Be sure to download and install the Service Management module. Use
'Add-AzureAccount' to log in to the classic deployment model.
You can verify that your connection succeeded by using the 'Get-AzureVNetConnection' cmdlet.
1. Use the following cmdlet example, configuring the values to match your own. The name of the virtual
network must be in quotes if it contains spaces.
2. After the cmdlet has finished, view the values. In the example below, the Connectivity State shows as
'Connected' and you can see ingress and egress bytes.
ConnectivityState : Connected
EgressBytesTransferred : 181664
IngressBytesTransferred : 182080
LastConnectionEstablished : 1/7/2016 12:40:54 AM
LastEventID : 24401
LastEventMessage : The connectivity state for the local network site 'RMVNetLocal' changed
from Connecting to
Connected.
LastEventTimeStamp : 1/7/2016 12:40:54 AM
LocalNetworkSiteName : RMVNetLocal
Next steps
You can add virtual machines to your virtual networks. See Create a Virtual Machine for steps.
Reset a VPN Gateway
7/9/2018 • 3 minutes to read • Edit Online
Resetting an Azure VPN gateway is helpful if you lose cross-premises VPN connectivity on one or more Site-to-
Site VPN tunnels. In this situation, your on-premises VPN devices are all working correctly, but are not able to
establish IPsec tunnels with the Azure VPN gateways. This article helps you reset your VPN gateway.
What happens during a reset?
A VPN gateway is composed of two VM instances running in an active-standby configuration. When you reset the
gateway, it reboots the gateway, and then reapplies the cross-premises configurations to it. The gateway keeps the
public IP address it already has. This means you won’t need to update the VPN router configuration with a new
public IP address for Azure VPN gateway.
When you issue the command to reset the gateway, the current active instance of the Azure VPN gateway is
rebooted immediately. There will be a brief gap during the failover from the active instance (being rebooted), to
the standby instance. The gap should be less than one minute.
If the connection is not restored after the first reboot, issue the same command again to reboot the second VM
instance (the new active gateway). If the two reboots are requested back to back, there will be a slightly longer
period where both VM instances (active and standby) are being rebooted. This will cause a longer gap on the VPN
connectivity, up to 2 to 4 minutes for VMs to complete the reboots.
After two reboots, if you are still experiencing cross-premises connectivity problems, please open a support
request from the Azure portal.
Azure portal
You can reset a Resource Manager VPN gateway using the Azure portal. If you want to reset a classic gateway, see
the PowerShell steps.
Resource Manager deployment model
1. Open the Azure portal and navigate to the Resource Manager virtual network gateway that you want to reset.
2. On the blade for the virtual network gateway, click 'Reset'.
3. On the Reset blade, click the Reset button.
PowerShell
Resource Manager deployment model
The cmdlet for resetting a gateway is Reset-AzureRmVirtualNetworkGateway. Before performing a reset,
make sure you have the latest version of the Resource Manager PowerShell cmdlets. The following example resets
a virtual network gateway named VNet1GW in the TestRG1 resource group:
Result:
When you receive a return result, you can assume the gateway reset was successful. However, there is nothing in
the return result that indicates explicitly that the reset was successful. If you want to look closely at the history to
see exactly when the gateway reset occurred, you can view that information in the Azure portal. In the portal,
navigate to 'GatewayName' -> Resource Health.
Classic deployment model
The cmdlet for resetting a gateway is Reset-AzureVNetGateway. Before performing a reset, make sure you have
the latest version of the Service Management (SM ) PowerShell cmdlets. The following example resets the gateway
for a virtual network named "ContosoVNet":
Result:
Error :
HttpStatusCode : OK
Id : f1600632-c819-4b2f-ac0e-f4126bec1ff8
Status : Successful
RequestId : 9ca273de2c4d01e986480ce1ffa4d6d9
StatusCode : OK
Azure CLI
To reset the gateway, use the az network vnet-gateway reset command. The following example resets a virtual
network gateway named VNet5GW in the TestRG5 resource group:
Result:
When you receive a return result, you can assume the gateway reset was successful. However, there is nothing in
the return result that indicates explicitly that the reset was successful. If you want to look closely at the history to
see exactly when the gateway reset occurred, you can view that information in the Azure portal. In the portal,
navigate to 'GatewayName' -> Resource Health.
Delete a virtual network gateway using the portal
1/4/2018 • 3 minutes to read • Edit Online
This article provides the instructions for deleting an Azure VPN gateways deployed using the Resource Manager
deployment model. There are a couple of different approaches you can take when you want to delete a virtual
network gateway for a VPN gateway configuration.
If you want to delete everything and start over, as in the case of a test environment, you can delete the
resource group. When you delete a resource group, it deletes all the resources within the group. This
method is only recommended if you don't want to keep any of the resources in the resource group. You
can't selectively delete only a few resources using this approach.
If you want to keep some of the resources in your resource group, deleting a virtual network gateway
becomes slightly more complicated. Before you can delete the virtual network gateway, you must first
delete any resources that are dependent on the gateway. The steps you follow depend on the type of
connections that you created and the dependent resources for each connection.
IMPORTANT
The instructions below describe how to delete Azure VPN gateways deployed using the Resource Manager deployment
model. To delete a VPN gateway deployed using the classic deployment model, please use Azure PowerShell as described
here.
There are a couple of different approaches you can take when you want to delete a virtual network gateway for a
VPN gateway configuration.
If you want to delete everything and start over, as in the case of a test environment, you can delete the
resource group. When you delete a resource group, it deletes all the resources within the group. This is
method is only recommended if you don't want to keep any of the resources in the resource group. You
can't selectively delete only a few resources using this approach.
If you want to keep some of the resources in your resource group, deleting a virtual network gateway
becomes slightly more complicated. Before you can delete the virtual network gateway, you must first
delete any resources that are dependent on the gateway. The steps you follow depend on the type of
connections that you created and the dependent resources for each connection.
Before beginning
1. Download the latest Azure Resource Manager PowerShell cmdlets.
Download and install the latest version of the Azure Resource Manager PowerShell cmdlets. For more
information about downloading and installing PowerShell cmdlets, see How to install and configure Azure
PowerShell.
2. Connect to your Azure account.
Open your PowerShell console and connect to your account. Use the following example to help you connect:
Connect-AzureRmAccount
Get-AzureRmSubscription
If you have more than one subscription, specify the subscription that you want to use.
At this point, your virtual network gateway has been deleted. You can use the next steps to delete any resources
that are no longer being used.
5 Delete the local network gateways.
Get the list of the corresponding local network gateways.
Delete the local network gateways. You may be prompted to confirm the deletion of each of the local network
gateway.
$GWIpConfigs = $Gateway.IpConfigurations
Get the list of Public IP address resources used for this virtual network gateway. If the virtual network gateway
was active-active, you will see two Public IP addresses.
There may be other connections to the virtual network gateway that are part of a different resource group. Check
for additional connections in each additional resource group. In this example, we are checking for connections
from RG2. Run this for each resource group that you have which may have a connection to the virtual network
gateway.
In this example, we are checking for connections from RG2. Run this for each resource group that you have which
may have a connection to the virtual network gateway.
At this point, your virtual network gateway has been deleted. You can use the next steps to delete any resources
that are no longer being used.
6. Delete the Public IP address resources
Get the IP configurations of the virtual network gateway.
$GWIpConfigs = $Gateway.IpConfigurations
Get the list of Public IP address resources used for this virtual network gateway. If the virtual network gateway
was active-active, you will see two Public IP addresses.
Delete the Public IP resources. You may be prompted to confirm the deletion of the Public IP.
At this point, your virtual network gateway has been deleted. You can use the next steps to delete any resources
that are no longer being used.
3. Delete the Public IP address resources
Get the IP configurations of the virtual network gateway.
$GWIpConfigs = $Gateway.IpConfigurations
Get the list of Public IP addresses used for this virtual network gateway. If the virtual network gateway was active-
active, you will see two Public IP addresses.
Delete the Public IPs. You may be prompted to confirm the deletion of the Public IP.
Get-AzureRmResourceGroup
ResourceGroupName : RG1
Location : eastus
ProvisioningState : Succeeded
Working with virtual network gateway SKUs (legacy
SKUs)
3/21/2018 • 4 minutes to read • Edit Online
This article contains information about the legacy (old) virtual network gateway SKUs. The legacy SKUs still work
in both deployment models for VPN gateways that have already been created. Classic VPN gateways continue to
use the legacy SKUs, both for existing gateways, and for new gateways. When creating new Resource Manager
VPN gateways, use the new gateway SKUs. For information about the new SKUs, see About VPN Gateway.
Gateway SKUs
The legacy (old) VPN gateway SKUs are:
Basic
Standard
HighPerformance
VPN Gateway does not use the UltraPerformance gateway SKU. For information about the UltraPerformance
SKU, see the ExpressRoute documentation.
When working with the legacy SKUs, consider the following:
If you want to use a PolicyBased VPN type, you must use the Basic SKU. PolicyBased VPNs (previously called
Static Routing) are not supported on any other SKU.
BGP is not supported on the Basic SKU.
ExpressRoute-VPN Gateway coexist configurations are not supported on the Basic SKU.
Active-active S2S VPN Gateway connections can be configured on the HighPerformance SKU only.
(1) The VPN throughput is a rough estimate based on the measurements between VNets in the same Azure
region. It is not a guaranteed throughput for cross-premises connections across the Internet. It is the maximum
possible throughput measurement.
(2) The number of tunnels refer to RouteBased VPNs. A PolicyBased VPN can only support one Site-to-Site VPN
tunnel.
(3) BGP is not supported for the Basic SKU.
(4) PolicyBased VPNs are not supported for this SKU. They are supported for the Basic SKU only.
(5) Active-active S2S VPN Gateway connections are not supported for this SKU. Active-active is supported on the
HighPerformance SKU only.
(6) Basic SKU is deprecated for use with ExpressRoute.
Authentication Pre-shared key Pre-shared key for Pre-shared key for Pre-shared key for
method S2S connectivity, S2S connectivity, S2S connectivity,
Certificates for P2S Certificates for P2S Certificates for P2S
connectivity connectivity connectivity
Maximum number 1 10 10 30
of S2S connections
Resize a gateway
You can resize your gateway to a gateway SKU within the same SKU family. For example, if you have a Standard
SKU, you can resize to a HighPerformance SKU. However, you can't resize your VPN gateway between the old
SKUs and the new SKU families. For example, you can't go from a Standard SKU to a VpnGw2 SKU, or a Basic
SKU to VpnGw1.
To resize a gateway for the classic deployment model, use the following command:
To resize a gateway for the Resource Manager deployment model using PowerShell, use the following command:
$gw = Get-AzureRmVirtualNetworkGateway -Name vnetgw1 -ResourceGroupName testrg
Resize-AzureRmVirtualNetworkGateway -VirtualNetworkGateway $gw -GatewaySku HighPerformance
Next steps
For more information about the new Gateway SKUs, see Gateway SKUs.
For more information about configuration settings, see About VPN Gateway configuration settings.
Overview of partner VPN device configurations
4/18/2018 • 3 minutes to read • Edit Online
This article provides an overview of configuring on-premises VPN devices for connecting to Azure VPN
gateways. A sample Azure virtual network and VPN gateway setup is used to show you how to connect to
different on-premises VPN device configurations by using the same parameters.
Device requirements
Azure VPN gateways use standard IPsec/IKE protocol suites for site-to-site (S2S ) VPN tunnels. For a list of
IPsec/IKE parameters and cryptographic algorithms for Azure VPN gateways, see About VPN devices. You can
also specify the exact algorithms and key strengths for a specific connection as described in About cryptographic
requirements.
For step-by-step instructions to set up a single VPN tunnel, see Configure a site-to-site connection. The following
sections specify the connection parameters for the sample configuration and provide a PowerShell script to help
you get started.
Connection parameters
This section lists the parameters for the examples that are described in the previous sections.
PARAMETER VALUE
$Sub1 = "Replace_With_Your_Subcription_Name"
$RG1 = "TestRG1"
$Location1 = "East US 2"
$VNetName1 = "TestVNet1"
$FESubName1 = "FrontEnd"
$BESubName1 = "Backend"
$GWSubName1 = "GatewaySubnet"
$VNetPrefix11 = "10.11.0.0/16"
$VNetPrefix12 = "10.12.0.0/16"
$FESubPrefix1 = "10.11.0.0/24"
$BESubPrefix1 = "10.12.0.0/24"
$GWSubPrefix1 = "10.12.255.0/27"
$VNet1ASN = 65010
$DNS1 = "8.8.8.8"
$GWName1 = "VNet1GW"
$GWIPName1 = "VNet1GWIP"
$GWIPconfName1 = "gwipconf1"
$Connection15 = "VNet1toSite5"
$LNGName5 = "Site5"
$LNGPrefix50 = "10.52.255.254/32"
$LNGPrefix51 = "10.51.0.0/16"
$LNGPrefix52 = "10.52.0.0/16"
$LNGIP5 = "Your_VPN_Device_IP"
$LNGASN5 = 65050
$BGPPeerIP5 = "10.52.255.254"
Connect-AzureRmAccount
Select-AzureRmSubscription -SubscriptionName $Sub1
New-AzureRmResourceGroup -Name $RG1 -Location $Location1
IMPORTANT
You must create an IPsec/IKE policy to enable the UsePolicyBasedTrafficSelectors option on the connection.
The sample script creates an IPsec/IKE policy with the following algorithms and parameters:
IKEv2: AES256, SHA384, DHGroup24
IPsec: AES256, SHA1, PFS24, SA Lifetime 7,200 seconds, and 20,480,000 KB (20 GB )
The script applies the IPsec/IKE policy and enables the UsePolicyBasedTrafficSelectors option on the
connection.
When you create the connection, you must set the -EnableBGP option to $True:
New-AzureRmVirtualNetworkGatewayConnection -Name $Connection15 -ResourceGroupName $RG1 -
VirtualNetworkGateway1 $vnet1gw -LocalNetworkGateway2 $lng5gw -Location $Location1 -ConnectionType
IPsec -SharedKey 'AzureA1b2C3' -EnableBGP $True
Next steps
For step-by-step instructions to set up active-active VPN gateways, see Configuring active-active VPN gateways
for cross-premises and VNet-to-VNet connections.
Sample configuration: Cisco ASA device (IKEv2/no
BGP)
1/18/2018 • 7 minutes to read • Edit Online
This article provides sample configurations for connecting Cisco Adaptive Security Appliance (ASA) devices to
Azure VPN gateways. The example applies to Cisco ASA devices that are running IKEv2 without the Border
Gateway Protocol (BGP ).
Device at a glance
BGP No
NOTE
The sample configuration connects a Cisco ASA device to an Azure route-based VPN gateway. The connection uses a
custom IPsec/IKE policy with the UsePolicyBasedTrafficSelectors option, as described in this article.
The sample requires that ASA devices use the IKEv2 policy with access-list-based configurations, not VTI-based. Consult your
VPN device vendor specifications to verify that the IKEv2 policy is supported on your on-premises VPN devices.
NOTE
You can optionally specify an exact combination of cryptographic algorithms and key strengths for a specific connection, as
described in About cryptographic requirements. If you specify an exact combination of algorithms and key strengths, be sure
to use the corresponding specifications on your VPN devices.
Single VPN tunnel
This configuration consists of a single S2S VPN tunnel between an Azure VPN gateway and an on-premises VPN
device. You can optionally configure the BGP across the VPN tunnel.
For step-by-step instructions to build the Azure configurations, see Single VPN tunnel setup.
Virtual network and VPN gateway information
This section lists the parameters for the sample.
PARAMETER VALUE
IPSEC/IKEV2 VALUE
DH Group DHGroup24
IPSEC/IKEV2 VALUE
* On some devices, IPsec Integrity must be a null value when the IPsec Encryption algorithm is AES -GCM.
ASA device support
Support for IKEv2 requires ASA version 8.4 and later.
Support for DH Group and PFS Group beyond Group 5 requires ASA version 9.x.
Support for IPsec Encryption with AES -GCM and IPsec Integrity with SHA-256, SHA-384, or SHA-512,
requires ASA version 9.x. This support requirement applies to newer ASA devices. At the time of
publication, ASA models 5505, 5510, 5520, 5540, 5550, and 5580 do not support these algorithms. Consult
your VPN device specifications to verify the algorithms that are supported for your VPN device models and
firmware versions.
Sample device configuration
The script provides a sample that is based on the configuration and parameters that are described in the previous
sections. The S2S VPN tunnel configuration consists of the following parts:
1. Interfaces and routes
2. Access lists
3. IKE policy and parameters (phase 1 or main mode)
4. IPsec policy and parameters (phase 2 or quick mode)
5. Other parameters, such as TCP MSS clamping
IMPORTANT
Complete the following steps before you use the sample script. Replace the placeholder values in the script with the device
settings for your configuration.
Specify the interface configuration for both inside and outside interfaces.
Identify the routes for your inside/private and outside/public networks.
Ensure all names and policy numbers are unique on your device.
Ensure that the cryptographic algorithms are supported on your device.
Replace the following placeholder values with actual values for your configuration:
Outside interface name: outside
Azure_Gateway_Public_IP
OnPrem_Device_Public_IP
IKE: Pre_Shared_Key
Virtual network and local network gateway names: VNetName and LNGName
Virtual network and on-premises network address prefixes
Proper netmasks
Sample script
show run
Use show subcommands to list specific parts of the device configuration, for example:
Next steps
To configure active-active cross-premises and VNet-to-VNet connections, see Configure active-active VPN
gateways.
Troubleshoot VPN Gateway
1/31/2018 • 2 minutes to read • Edit Online
VPN Gateway connections can fail for a variety of reasons. This article contains links to get you started with
troubleshooting. For a full list, see the articles contained in the table of contents under Troubleshoot, to the left of
this page.
Next steps
You can also use these steps to Validate VNet and VPN connections.
Community-suggested third-party VPN or firewall
device settings for Azure VPN gateway
6/15/2018 • 2 minutes to read • Edit Online
This article provides several suggested solutions for third-party VPN or firewall devices that are used with Azure
VPN gateway.
NOTE
Technical support for third-party VPN or firewall devices is provided by the device vendor.
More information
The following table lists several common devices and related help:
PRODUCT REFERENCE
Cisco ASA Community suggested solutions for Cisco ASA on Azure VPN
Cisco ISR Community suggested solutions for Cisco ISR on Azure VPN
Cisco ASR Community suggested solutions for Cisco ASR on Azure VPN
Next step
Azure Gateways settings
Known compatible devices
How to validate VPN throughput to a virtual network
7/13/2018 • 4 minutes to read • Edit Online
A VPN gateway connection enables you to establish secure, cross-premises connectivity between your Virtual
Network within Azure and your on-premises IT infrastructure.
This article shows how to validate network throughput from the on-premises resources to an Azure virtual
machine (VM ). It also provides troubleshooting guidance.
NOTE
This article is intended to help diagnose and fix common issues. If you're unable to solve the issue by using the following
information, contact support.
Overview
The VPN gateway connection involves the following components:
On-premises VPN device (view a list of validated VPN devices).
Public Internet
Azure VPN gateway
Azure VM
The following diagram shows the logical connectivity of an on-premises network to an Azure virtual network
through VPN.
NOTE
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft.
Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.
netsh advfirewall firewall add rule name="Open Port 5001" dir=in action=allow protocol=TCP
localport=5001
netsh advfirewall firewall delete rule name="Open Port 5001" protocol=TCP localport=5001
Azure Linux: Azure Linux images have permissive firewalls. If there is an application listening on a port, the
traffic is allowed through. Custom images that are secured may need ports opened explicitly. Common
Linux OS -layer firewalls include iptables , ufw , or firewalld .
3. On the server node, change to the directory where iperf3.exe is extracted. Then run iPerf in server mode and
set it to listen on port 5001 as the following commands:
cd c:\iperf-3.1.2-win65
iperf3.exe -s -p 5001
4. On the client node, change to the directory where iperf tool is extracted and then run the following
command:
iperf3.exe -c <IP of the iperf Server> -t 30 -p 5001 -P 32
The client is inducing traffic on port 5001 to the server for 30 seconds. The flag '-P ' that indicates we are
using 32 simultaneous connections to the server node.
The following screen shows the output from this example:
6. After completing the previous steps, execute the same steps with the roles reversed, so that the server node
will now be the client and vice-versa.
Insufficient VM disk read/write speed. For more information, see Azure Storage Troubleshooting.
Checking latency
Use tracert to trace to Microsoft Azure Edge device to determine if there are any delays exceeding 100 ms between
hops.
From the on-premises network, run tracert to the VIP of the Azure Gateway or VM. Once you see only * returned,
you know you have reached the Azure edge. When you see DNS names that include "MSN" returned, you know
you have reached the Microsoft backbone.
Next steps
For more information or help, check out the following links:
Optimize network throughput for Azure virtual machines
Microsoft Support
Troubleshooting: Azure point-to-site connection
problems
7/5/2018 • 10 minutes to read • Edit Online
This article lists common point-to-site connection problems that you might experience. It also discusses possible
causes and solutions for these problems.
CERTIFICATE LOCATION
3. Go to Users<UserName>\AppData\Roaming\Microsoft\Network\Connections\Cm<GUID>, manually
install the certificate (*.cer file) on the user and computer's store.
For more information about how to install the client certificate, see Generate and export certificates for point-to-
site connections.
NOTE
When you import the client certificate, do not select the Enable strong private key protection option.
CERTIFICATE LOCATION
2. If the certificates are already in the location, try to delete the certificates and reinstall them. The
azuregateway-GUID.cloudapp.net certificate is in the VPN client configuration package that you
downloaded from the Azure portal. You can use file archivers to extract the files from the package.
Azure portal error: Failed to save the VPN gateway, and the data is
invalid
Symptom
When you try to save the changes for the VPN gateway in the Azure portal, you receive the following error
message:
Failed to save virtual network gateway <gateway name>. Data for certificate <certificate ID> is
invalid.
Cause
This problem might occur if the root certificate public key that you uploaded contains an invalid character, such
as a space.
Solution
Make sure that the data in the certificate does not contain invalid characters, such as line breaks (carriage
returns). The entire value should be one long line. The following text is a sample of the certificate:
-----BEGIN CERTIFICATE-----
MIIC5zCCAc+gAwIBAgIQFSwsLuUrCIdHwI3hzJbdBjANBgkqhkiG9w0BAQsFADAW
MRQwEgYDVQQDDAtQMlNSb290Q2VydDAeFw0xNzA2MTUwMjU4NDZaFw0xODA2MTUw
MzE4NDZaMBYxFDASBgNVBAMMC1AyU1Jvb3RDZXJ0MIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAz8QUCWCxxxTrxF5yc5uUpL/bzwC5zZ804ltB1NpPa/PI
sa5uwLw/YFb8XG/JCWxUJpUzS/kHUKFluqkY80U+fAmRmTEMq5wcaMhp3wRfeq+1
G9OPBNTyqpnHe+i54QAnj1DjsHXXNL4AL1N8/TSzYTm7dkiq+EAIyRRMrZlYwije
407ChxIp0stB84MtMShhyoSm2hgl+3zfwuaGXoJQwWiXh715kMHVTSj9zFechYd7
5OLltoRRDyyxsf0qweTFKIgFj13Hn/bq/UJG3AcyQNvlCv1HwQnXO+hckVBB29wE
sF8QSYk2MMGimPDYYt4ZM5tmYLxxxvGmrGhc+HWXzMeQIDAQABozEwLzAOBgNVHQ8B
Af8EBAMCAgQwHQYDVR0OBBYEFBE9zZWhQftVLBQNATC/LHLvMb0OMA0GCSqGSIb3
DQEBCwUAA4IBAQB7k0ySFUQu72sfj3BdNxrXSyOT4L2rADLhxxxiK0U6gHUF6eWz
/0h6y4mNkg3NgLT3j/WclqzHXZruhWAXSF+VbAGkwcKA99xGWOcUJ+vKVYL/kDja
gaZrxHlhTYVVmwn4F7DWhteFqhzZ89/W9Mv6p180AimF96qDU8Ez8t860HQaFkU6
2Nw9ZMsGkvLePZZi78yVBDCWMogBMhrRVXG/xQkBajgvL5syLwFBo2kWGdC+wyWY
U/Z+EK9UuHnn3Hkq/vXEzRVsYuaxchta0X2UNRzRq+o706l+iyLTpe6fnvW6ilOi
e8Jcej7mzunzyjz4chN0/WVF94MtxbUkLkqP
-----END CERTIFICATE-----
Azure portal error: Failed to save the VPN gateway, and the resource
name is invalid
Symptom
When you try to save the changes for the VPN gateway in the Azure portal, you receive the following error
message:
Failed to save virtual network gateway <gateway name>. Resource name <certificate name you try to
upload> is invalid.
Cause
This problem occurs because the name of the certificate contains an invalid character, such as a space.
Azure VPN Gateway upgrade: All Point to Site clients are unable to
connect
Cause
If the certificate is more than 50 percent through its lifetime, the certificate is rolled over.
Solution
To resolve this problem, redeploy the Point to Site package on all clients.
"Error 405" when you download root certificate from VPN Gateway
Cause
Root certificate had not been installed. The root certificate is installed in the client's Trusted certificates store.
VPN Client Error: The remote connection was not made because the
attempted VPN tunnels failed. (Error 800)
Cause
The NIC driver is outdated.
Solution
Update the NIC driver:
1. Click Start, type Device Manager, and select it from the list of results. If you're prompted for an
administrator password or confirmation, type the password or provide confirmation.
2. In the Network adapters categories, find the NIC that you want to update.
3. Double-click the device name, select Update driver, select Search automatically for updated driver
software.
4. If Windows doesn't find a new driver, you can try looking for one on the device manufacturer's website and
follow their instructions.
5. Restart the computer and try the connection again.
This article helps you troubleshoot Point-to-Site connectivity issues from Mac OS X using the native VPN client
and IKEv2. The VPN client in Mac for IKEv2 is very basic and does not allow for much customization. There are
only four settings that need to be checked:
Server Address
Remote ID
Local ID
Authentication Settings
OS Version (10.11 or higher)
2. Verify that the Server Address is the complete FQDN and includes the cloudapp.net.
3. The Remote ID should be the same as the Server Address (Gateway FQDN ).
4. The Local ID should be the same as the Subject of the client certificate.
5. Click on Authentication Settings to open the Authentication Settings page.
6. Verify that Certificate is selected from the dropdown.
7. Click the Select button and verify that the correct certificate is selected. Click OK to save any changes.
2. Verify that the Server Address is the complete FQDN and includes the cloudapp.net.
3. The Remote ID should be the same as the Server Address (Gateway FQDN ).
4. The Local ID can be blank.
5. Click the Authentication Setting button and verify that "Username" is selected from the dropdown.
Additional steps
If you try the previous steps and everything is configured properly, download Wireshark and perform a packet
capture.
1. Filter on iskmp and look at the IKE_SA packets. You should be able to look at the SA proposal details under the
Payload: Security Association.
2. Verify that the client and the server have a common set.
Next steps
For additional help, see Microsoft Support.
Troubleshooting: An Azure site-to-site VPN
connection cannot connect and stops working
5/11/2018 • 3 minutes to read • Edit Online
After you configure a site-to-site VPN connection between an on-premises network and an Azure virtual network,
the VPN connection suddenly stops working and cannot be reconnected. This article provides troubleshooting
steps to help you resolve this problem.
If your Azure issue is not addressed in this article, visit the Azure forums on MSDN and Stack Overflow. You can
post your issue in these forums, or post to @AzureSupport on Twitter. You also can submit an Azure support
request. To submit a support request, on the Azure support page, select Get support.
Troubleshooting steps
To resolve the problem, first try to reset the Azure VPN gateway and reset the tunnel from the on-premises VPN
device. If the problem persists, follow these steps to identify the cause of the problem.
Prerequisite step
Check the type of the Azure VPN gateway.
1. Go to the Azure portal.
2. Check the Overview page of the VPN gateway for the type information.
Azure PowerShell
For the Azure Resource Manager deployment model:
Next steps
Configure a site-to-site connection to a virtual network
Configure an IPsec/IKE policy for site-to-site VPN connections
Troubleshooting: Azure Site-to-Site VPN disconnects
intermittently
5/21/2018 • 2 minutes to read • Edit Online
You might experience the problem that a new or existing Microsoft Azure Site-to-Site VPN connection is not stable
or disconnects regularly. This article provides troubleshoot steps to help you identify and resolve the cause of the
problem.
If your Azure issue is not addressed in this article, visit the Azure forums on MSDN and Stack Overflow. You can
post your issue in these forums, or post to @AzureSupport on Twitter. You also can submit an Azure support
request. To submit a support request, on the Azure support page, select Get support.
Troubleshooting steps
Prerequisite step
Check the type of Azure virtual network gateway:
1. Go to Azure portal.
2. Check the Overview page of the virtual network gateway for the type information.
Next steps
Configure a Site-to-Site connection to a virtual network
Configure IPsec/IKE policy for Site-to-Site VPN connections
Create a Site-to-Site connection using the Azure
portal (classic)
2/16/2018 • 13 minutes to read • Edit Online
NOTE
This article is written for the classic deployment model. If you're new to Azure, we recommend that you use the Resource
Manager deployment model instead. The Resource Manager deployment model is the most current deployment model and
offers more options and feature compatibility than the classic deployment model. For more information about the
deployment models, see Understanding deployment models.
For the Resource Manager version of this article, select it from the drop-down list below, or from the table of contents on
the left.
This article shows you how to use the Azure portal to create a Site-to-Site VPN gateway connection from your
on-premises network to the VNet. The steps in this article apply to the classic deployment model. You can also
create this configuration using a different deployment tool or deployment model by selecting a different option
from the following list:
A Site-to-Site VPN gateway connection is used to connect your on-premises network to an Azure virtual network
over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-
premises that has an externally facing public IP address assigned to it. For more information about VPN gateways,
see About VPN gateway.
3. Near the bottom of the Virtual Network page, from the Select a deployment model dropdown list, select
Classic, and then click Create.
4. On the Create virtual network(classic) page, configure the VNet settings. On this page, you add your
first address space and a single subnet address range. After you finish creating the VNet, you can go back
and add additional subnets and address spaces.
5. Verify that the Subscription is the correct one. You can change subscriptions by using the drop-down.
6. Click Resource group and either select an existing resource group, or create a new one by typing a name. For
more information about resource groups, visit Azure Resource Manager Overview.
7. Next, select the Location settings for your VNet. The location determines where the resources that you deploy
to this VNet will reside.
8. If you want to be able to find your VNet easily on the dashboard, select Pin to dashboard. Click Create to
create your VNet.
9. After clicking 'Create', a tile appears on the dashboard that reflects the progress of your VNet. The tile
changes as the VNet is being created.
2. Add additional address space
After you create your virtual network, you can add additional address space. Adding additional address space is
not a required part of a S2S configuration, but if you require multiple address spaces, use the following steps:
1. Locate the virtual networks in the portal.
2. On the page for your virtual network, under the Settings section, click Address space.
3. On the Address space page, click +Add and enter additional address space.
2. To open the Gateway configuration page, click Optional gateway configuration - Subnet, size, and
routing type.
3. On the Gateway Configuration page, click Subnet - Configure required settings to open the Add
subnet page.
4. On the Add subnet page, add the gateway subnet. The size of the gateway subnet that you specify
depends on the VPN gateway configuration that you want to create. While it is possible to create a gateway
subnet as small as /29, we recommend that you use /27 or /28. This creates a larger subnet that includes
more addresses. Using a larger gateway subnet allows for enough IP addresses to accommodate possible
future configurations.
2. Select the Routing Type for your gateway. This is also known as the VPN type. It's important to select the
correct gateway type because you cannot convert the gateway from one type to another. Your VPN device must
be compatible with the routing type you select. For more information about VPN type, see About VPN
Gateway Settings. You may see articles referring to 'RouteBased' and 'PolicyBased' VPN types. 'Dynamic'
corresponds to 'RouteBased', and 'Static' corresponds to' PolicyBased'.
3. Click OK to save the settings.
4. On the New VPN Connection page, click OK at the bottom of the page to begin creating your virtual
network gateway. Depending on the SKU you select, it can take up to 45 minutes to create a virtual network
gateway.
Add-AzureAccount
Get-AzureSubscription
3. If you have more than one subscription, select the subscription that you want to use.
2. Open the network configuration file with an xml editor and check the values for 'LocalNetworkSite name'
and 'VirtualNetworkSite name'. Modify the example to reflect the values that you need. When specifying a
name that contains spaces, use single quotation marks around the value.
3. Set the shared key and create the connection. The '-SharedKey' is a value that you generate and specify. In
the example, we used 'abc123', but you can generate (and should) use something more complex. The
important thing is that the value you specify here must be the same value that you specified when
configuring your VPN device.
4. On the Site-to-site VPN connections blade, view the information about your site.
5. To view more information about the connection, click the name of the connection to open the Site-to-site
VPN Connection blade.
If you are having trouble connecting, see the Troubleshoot section of the table of contents in the left pane.
Next steps
Once your connection is complete, you can add virtual machines to your virtual networks. For more
information, see Virtual Machines.
For information about Forced Tunneling, see About Forced Tunneling.
Configure a Point-to-Site connection to a VNet using
certificate authentication (classic): Azure portal
2/21/2018 • 21 minutes to read • Edit Online
NOTE
This article is written for the classic deployment model. If you're new to Azure, we recommend that you use the Resource
Manager deployment model instead. The Resource Manager deployment model is the most current deployment model and
offers more options and feature compatibility than the classic deployment model. For more information about the
deployment models, see Understanding deployment models.
For the Resource Manager version of this article, select it from the drop-down list below, or from the table of contents on
the left.
This article shows you how to create a VNet with a Point-to-Site connection in the classic deployment model using
the Azure portal. This configuration uses certificates to authenticate the connecting client, either self-signed or CA
issued. You can also create this configuration using a different deployment tool or deployment model by selecting
a different option from the following list:
A Point-to-Site (P2S ) VPN gateway lets you create a secure connection to your virtual network from an individual
client computer. Point-to-Site VPN connections are useful when you want to connect to your VNet from a remote
location, such when you are telecommuting from home or a conference. A P2S VPN is also a useful solution to
use instead of a Site-to-Site VPN when you have only a few clients that need to connect to a VNet. A P2S VPN
connection is established by starting it from the client computer.
IMPORTANT
The classic deployment model supports Windows VPN clients only and uses the Secure Socket Tunneling Protocol (SSTP), an
SSL-based VPN protocol. In order to support non-Windows VPN clients, your VNet must be created using the Resource
Manager deployment model. The Resource Manager deployment model supports IKEv2 VPN in addition to SSTP. For more
information, see About P2S connections.
Point-to-Site certificate authentication connections require the following:
A Dynamic VPN gateway.
The public key (.cer file) for a root certificate, which is uploaded to Azure. This is considered a trusted certificate
and is used for authentication.
A client certificate generated from the root certificate, and installed on each client computer that will connect.
This certificate is used for client authentication.
A VPN client configuration package must be generated and installed on every client computer that connects.
The client configuration package configures the native VPN client that is already on the operating system with
the necessary information to connect to the VNet.
Point-to-Site connections do not require a VPN device or an on-premises public-facing IP address. The VPN
connection is created over SSTP (Secure Socket Tunneling Protocol). On the server side, we support SSTP
versions 1.0, 1.1, and 1.2. The client decides which version to use. For Windows 8.1 and above, SSTP uses 1.2 by
default.
For more information about Point-to-Site connections, see the Point-to-Site FAQ at the end of this article.
Example settings
You can use the following values to create a test environment, or refer to these values to better understand the
examples in this article:
Name: VNet1
Address space: 192.168.0.0/16
For this example, we use only one address space. You can have more than one address space for your VNet, as
shown in the diagram.
Subnet name: FrontEnd
Subnet address range: 192.168.1.0/24
Subscription: If you have more than one subscription, verify that you are using the correct one.
Resource Group: TestRG
Location: East US
Connection type: Point-to-site
Client Address Space: 172.16.201.0/24. VPN clients that connect to the VNet using this Point-to-Site
connection receive an IP address from the specified pool.
GatewaySubnet: 192.168.200.0/24. The Gateway subnet must use the name 'GatewaySubnet'.
Size: Select the gateway SKU that you want to use.
Routing Type: Dynamic
5. Verify that the Subscription is the correct one. You can change subscriptions by using the drop-down.
6. Click Resource group and either select an existing resource group, or create a new one by typing a name for
your new resource group. If you are creating a new resource group, name the resource group according to
your planned configuration values. For more information about resource groups, visit Azure Resource
Manager Overview.
7. Next, select the Location settings for your VNet. The location determines where the resources that you deploy
to this VNet will reside.
8. Select Pin to dashboard if you want to be able to find your VNet easily on the dashboard, and then click
Create.
9. After clicking Create, a tile appears on your dashboard that will reflect the progress of your VNet. The tile
changes as the VNet is being created.
10. Once your virtual network has been created, you see Created.
11. Add a DNS server (optional). After you create your virtual network, you can add the IP address of a DNS
server for name resolution. The DNS server IP address that you specify should be the address of a DNS server
that can resolve the names for the resources in your VNet.
To add a DNS server, open the settings for your virtual network, click DNS servers, and add the IP address of
the DNS server that you want to use.
Part 2: Create gateway subnet and a dynamic routing gateway
In this step, you create a gateway subnet and a Dynamic routing gateway. In the Azure portal for the classic
deployment model, creating the gateway subnet and the gateway can be done through the same configuration
pages. The gateway subnet is used for the gateway services only. Never deploy anything directly to the gateway
subnet (such as VMs or other services).
1. In the portal, navigate to the virtual network for which you want to create a gateway.
2. On the page for your virtual network, on the Overview page, in the VPN connections section, click
Gateway.
5. Select the Create gateway immediately checkbox. Click Optional gateway configuration to open the
Gateway configuration page.
6. Click Subnet Configure required settings to add the gateway subnet. While it is possible to create a
gateway subnet as small as /29, we recommend that you create a larger subnet that includes more
addresses by selecting at least /28 or /27. This will allow for enough addresses to accommodate possible
additional configurations that you may want in the future. When working with gateway subnets, avoid
associating a network security group (NSG ) to the gateway subnet. Associating a network security group to
this subnet may cause your VPN gateway to stop functioning as expected.
7. Select the gateway Size. The size is the gateway SKU for your virtual network gateway. In the portal, the
Default SKU is Basic. For more information about gateway SKUs, see About VPN Gateway Settings.
8. Select the Routing Type for your gateway. P2S configurations require a Dynamic routing type. Click OK
when you have finished configuring this page.
9. On the New VPN Connection page, click OK at the bottom of the page to begin creating your virtual
network gateway. A VPN gateway can take up to 45 minutes to complete, depending on the gateway sku that
you select.
2. Create certificates
Certificates are used by Azure to authenticate VPN clients for Point-to-Site VPNs. You upload the public key
information of the root certificate to Azure. The public key is then considered 'trusted'. Client certificates must be
generated from the trusted root certificate, and then installed on each client computer in the Certificates-Current
User/Personal certificate store. The certificate is used to authenticate the client when it initiates a connection to the
VNet.
If you use self-signed certificates, they must be created using specific parameters. You can create a self-signed
certificate using the instructions for PowerShell and Windows 10, or MakeCert. It's important that you follow the
steps in these instructions when working with self-signed root certificates and generating client certificates from
the self-signed root certificate. Otherwise, the certificates you create will not be compatible with P2S connections
and you will receive a connection error.
Part 1: Obtain the public key (.cer) for the root certificate
You can use either a root certificate that was generated using an enterprise solution (recommended), or you can
generate a self-signed certificate. After creating the root certificate, export the public certificate data (not the
private key) as a Base-64 encoded X.509 .cer file and upload the public certificate data to Azure.
Enterprise certificate: If you are using an enterprise solution, you can use your existing certificate chain.
Obtain the .cer file for the root certificate that you want to use.
Self-signed root certificate: If you aren't using an enterprise certificate solution, you need to create a self-
signed root certificate. It's important that you follow the steps in one of the P2S certificate articles below.
Otherwise, the certificates you create won't be compatible with P2S connections and clients receive a
connection error when trying to connect. You can use Azure PowerShell, MakeCert, or OpenSSL. The steps
in the provided articles generate a compatible certificate:
Windows 10 PowerShell instructions: These instructions require Windows 10 and PowerShell to
generate certificates. Client certificates that are generated from the root certificate can be installed on
any supported P2S client.
MakeCert instructions: Use MakeCert if you don't have access to a Windows 10 computer to use to
generate certificates. MakeCert deprecated, but you can still use MakeCert to generate certificates.
Client certificates that are generated from the root certificate can be installed on any supported P2S
client.
Linux instructions
Part 2: Generate a client certificate
Each client computer that connects to a VNet using Point-to-Site must have a client certificate installed. The client
certificate is generated from the root certificate and installed on each client computer. If a valid client certificate is
not installed and the client tries to connect to the VNet, authentication fails.
You can either generate a unique certificate for each client, or you can use the same certificate for multiple clients.
The advantage to generating unique client certificates is the ability to revoke a single certificate. Otherwise, if
multiple clients are using the same client certificate and you need to revoke it, you have to generate and install
new certificates for all the clients that use that certificate to authenticate.
You can generate client certificates using the following methods:
Enterprise certificate:
If you are using an enterprise certificate solution, generate a client certificate with the common name
value format 'name@yourdomain.com', rather than the 'domain name\username' format.
Make sure the client certificate is based on the 'User' certificate template that has 'Client Authentication'
as the first item in the use list, rather than Smart Card Logon, etc. You can check the certificate by
double-clicking the client certificate and viewing Details > Enhanced Key Usage.
Self-signed root certificate: It's important that you follow the steps in one of the P2S certificate articles
below. Otherwise, the client certificates you create won't be compatible with P2S connections and clients
receive an error when trying to connect. The steps in either of the following articles generate a compatible
client certificate:
Windows 10 PowerShell instructions: These instructions require Windows 10 and PowerShell to
generate certificates. The certificates that are generated can be installed on any supported P2S client.
MakeCert instructions: Use MakeCert if you don't have access to a Windows 10 computer to use to
generate certificates. MakeCert deprecated, but you can still use MakeCert to generate certificates. The
certificates that are generated can be installed on any supported P2S client.
Linux instructions
When you generate a client certificate from a self-signed root certificate using the preceding instructions,
it's automatically installed on the computer that you used to generate it. If you want to install a client
certificate on another client computer, you need to export it as a .pfx, along with the entire certificate chain.
This creates a .pfx file that contains the root certificate information that is required for the client to
successfully authenticate. For steps to export a certificate, see Certificates - export a client certificate.
2. On the Point-to-site connection page, click Manage certificates to open the Certificates page.
3. On the Certificates page, click Upload to open the Upload certificate page.
4. Click the folder graphic to browse for the .cer file. Select the file, then click OK. Refresh the page to see the
uploaded certificate on the Certificates page.
3. Once the packaged generates, download and install it on your client computer. If you see a SmartScreen popup,
click More info, then Run anyway. You can also save the package to install on other client computers.
Part 2: Install the client certificate
If you want to create a P2S connection from a client computer other than the one you used to generate the client
certificates, you need to install a client certificate. When installing a client certificate, you need the password that
was created when the client certificate was exported. Typically, this is just a matter of double-clicking the certificate
and installing it. For more information, see Install an exported client certificate.
5. Connect to Azure
Connect to your VNet
NOTE
You must have Administrator rights on the client computer from which you are connecting.
1. To connect to your VNet, on the client computer, navigate to VPN connections and locate the VPN connection
that you created. It is named the same name as your virtual network. Click Connect. A pop-up message may
appear that refers to using the certificate. If this happens, click Continue to use elevated privileges.
2. On the Connection status page, click Connect to start the connection. If you see a Select Certificate
screen, verify that the client certificate showing is the one that you want to use to connect. If it is not, use the
drop-down arrow to select the correct certificate, and then click OK.
2. On the Point-to-site connection page, click Manage certificates to open the Certificates page.
3. On the Certificates page, click the ellipsis next to the certificate that you want to remove, then click Delete.
Point-to-Site FAQ
This FAQ applies to P2S connections using the classic deployment model.
What client operating systems can I use with Point-to -Site?
The following client operating systems are supported:
Windows 7 (32-bit and 64-bit)
Windows Server 2008 R2 (64-bit only)
Windows 8 (32-bit and 64-bit)
Windows 8.1 (32-bit and 64-bit)
Windows Server 2012 (64-bit only)
Windows Server 2012 R2 (64-bit only)
Windows 10
Can I use any software VPN client for Point-to -Site that supports SSTP?
No. Support is limited only to the Windows operating system versions listed above.
How many VPN client endpoints can I have in my Point-to -Site configuration?
We support up to 128 VPN clients to be able to connect to a virtual network at the same time.
Can I use my own internal PKI root CA for Point-to -Site connectivity?
Yes. Previously, only self-signed root certificates could be used. You can still upload 20 root certificates.
Can I traverse proxies and firewalls using Point-to -Site capability?
Yes. We use SSTP (Secure Socket Tunneling Protocol) to tunnel through firewalls. This tunnel will appear as an
HTTPs connection.
If I restart a client computer configured for Point-to -Site, will the VPN automatically reconnect?
By default, the client computer will not reestablish the VPN connection automatically.
Does Point-to -Site support auto -reconnect and DDNS on the VPN clients?
Auto-reconnect and DDNS are currently not supported in Point-to-Site VPNs.
Can I have Site -to -Site and Point-to -Site configurations coexist for the same virtual network?
Yes. Both these solutions will work if you have a RouteBased VPN type for your gateway. For the classic
deployment model, you need a dynamic gateway. We do not support Point-to-Site for static routing VPN
gateways or gateways using the -VpnType PolicyBased cmdlet.
Can I configure a Point-to -Site client to connect to multiple virtual networks at the same time?
Yes, it is possible. But the virtual networks cannot have overlapping IP prefixes and the Point-to-Site address
spaces must not overlap between the virtual networks.
How much throughput can I expect through Site -to -Site or Point-to -Site connections?
It's difficult to maintain the exact throughput of the VPN tunnels. IPsec and SSTP are crypto-heavy VPN
protocols. Throughput is also limited by the latency and bandwidth between your premises and the Internet.
Next steps
Once your connection is complete, you can add virtual machines to your virtual networks. For more information,
see Virtual Machines. To understand more about networking and virtual machines, see Azure and Linux VM
network overview.
For P2S troubleshooting information, Troubleshoot Azure point-to-site connections.
Configure a VNet-to-VNet connection (classic)
4/18/2018 • 12 minutes to read • Edit Online
NOTE
This article is written for the classic deployment model. If you're new to Azure, we recommend that you use the Resource
Manager deployment model instead. The Resource Manager deployment model is the most current deployment model and
offers more options and feature compatibility than the classic deployment model. For more information about the
deployment models, see Understanding deployment models.
For the Resource Manager version of this article, select it from the drop-down list below, or from the table of contents on the
left.
This article helps you create a VPN gateway connection between virtual networks. The virtual networks can be in
the same or different regions, and from the same or different subscriptions. The steps in this article apply to the
classic deployment model and the Azure portal. You can also create this configuration using a different
deployment tool or deployment model by selecting a different option from the following list:
CONNECTS TO LOCAL
VIRTUAL NETWORK ADDRESS SPACE REGION NETWORK SITE
CONNECTS TO LOCAL
VIRTUAL NETWORK ADDRESS SPACE REGION NETWORK SITE
1. Locate TestVNet1 in the Azure portal. In the VPN connections section of the page, click Gateway.
3. On the Site-to-Site VPN Connections page, click the name of the local site that you want to modify.
Connect-AzureRmAccount
Get-AzureRmSubscription
If you have more than one subscription, select the subscription that you want to use.
Next, use the following cmdlet to add your Azure subscription to PowerShell for the classic deployment
model.
Add-AzureAccount
3. Export and view the network configuration file. Create a directory on your computer and then export the
network configuration file to the directory. In this example, the network configuration file is exported to
C:\AzureNet.
4. Open the file with a text editor and view the names for your VNets and sites. These will be the name you use
when you create your connections.
VNet names are listed as VirtualNetworkSite name =
Site names are listed as LocalNetworkSiteRef name =
3. Wait for the connections to initialize. Once the gateway has initialized, the Status is 'Successful'.
Error :
HttpStatusCode : OK
Id :
Status : Successful
RequestId :
StatusCode : OK
Next steps
Verify your connections. See Verify a VPN Gateway connection.
Configure forced tunneling using the classic
deployment model
8/2/2017 • 5 minutes to read • Edit Online
Forced tunneling lets you redirect or "force" all Internet-bound traffic back to your on-premises location via a
Site-to-Site VPN tunnel for inspection and auditing. This is a critical security requirement for most enterprise IT
policies. Without forced tunneling, Internet-bound traffic from your VMs in Azure will always traverse from Azure
network infrastructure directly out to the Internet, without the option to allow you to inspect or audit the traffic.
Unauthorized Internet access can potentially lead to information disclosure or other types of security breaches.
Azure currently works with two deployment models: Resource Manager and classic. The two models are not
completely compatible with each other. Before you begin, you need to know which model that you want to work
in. For information about the deployment models, see Understanding deployment models. If you are new to
Azure, we recommend that you use the Resource Manager deployment model.
This article walks you through configuring forced tunneling for virtual networks created using the classic
deployment model. Forced tunneling can be configured by using PowerShell, not through the portal. If you want
to configure forced tunneling for the Resource Manager deployment model, select classic article from the
following dropdown list:
Configuration overview
In the following example, the Frontend subnet is not forced tunneled. The workloads in the Frontend subnet can
continue to accept and respond to customer requests from the Internet directly. The Mid-tier and Backend
subnets are forced tunneled. Any outbound connections from these two subnets to the Internet will be forced or
redirected back to an on-premises site via one of the S2S VPN tunnels.
This allows you to restrict and inspect Internet access from your virtual machines or cloud services in Azure, while
continuing to enable your multi-tier service architecture required. You also can apply forced tunneling to the
entire virtual networks if there are no Internet-facing workloads in your virtual networks.
In this example, the virtual network 'MultiTier-VNet' has three subnets: 'Frontend', 'Midtier', and 'Backend'
subnets, with four cross premises connections: 'DefaultSiteHQ', and three Branches.
The steps will set the 'DefaultSiteHQ' as the default site connection for forced tunneling, and configure the
Midtier and Backend subnets to use forced tunneling.
1. Create a routing table. Use the following cmdlet to create your route table.
New-AzureRouteTable –Name "MyRouteTable" –Label "Routing Table for Forced Tunneling" –Location "North
Europe"
$DefaultSite = @("DefaultSiteHQ")
Set-AzureVNetGatewayDefaultSite –VNetName "MultiTier-VNet" –DefaultSite "DefaultSiteHQ"
This article helps you delete a VPN gateway in the classic deployment model by using PowerShell. After the
virtual network gateway has been deleted, modify the network configuration file to remove elements that you are
no longer using.
Add-AzureAccount
Open the file with a text editor and view the name for your classic VNet. When you create a VNet in the Azure
portal, the full name that Azure uses is not visible in the portal. For example, a VNet that appears to be named
'ClassicVNet1' in the Azure portal, may have a much longer name in the network configuration file. The name
might look something like: 'Group ClassicRG1 ClassicVNet1'. Virtual network names are listed as
'VirtualNetworkSite name ='. Use the names in the network configuration file when running your PowerShell
cmdlets.
<Gateway>
<ConnectionsToLocalNetwork>
<LocalNetworkSiteRef name="D1BFC9CB_Site2">
<Connection type="IPsec" />
</LocalNetworkSiteRef>
</ConnectionsToLocalNetwork>
</Gateway>
Example:
<Gateway>
<ConnectionsToLocalNetwork>
</ConnectionsToLocalNetwork>
</Gateway>
<LocalNetworkSites>
<LocalNetworkSite name="Site1">
<AddressSpace>
<AddressPrefix>192.168.0.0/16</AddressPrefix>
</AddressSpace>
<VPNGatewayAddress>5.4.3.2</VPNGatewayAddress>
</LocalNetworkSite>
<LocalNetworkSite name="Site3">
<AddressSpace>
<AddressPrefix>192.168.0.0/16</AddressPrefix>
</AddressSpace>
<VPNGatewayAddress>57.179.18.164</VPNGatewayAddress>
</LocalNetworkSite>
</LocalNetworkSites>
Client AddressPool
If you had a P2S connection to your VNet, you will have a VPNClientAddressPool. Remove the client address
pools that correspond to the virtual network gateway that you deleted.
<Gateway>
<VPNClientAddressPool>
<AddressPrefix>10.1.0.0/24</AddressPrefix>
</VPNClientAddressPool>
<ConnectionsToLocalNetwork />
</Gateway>
Example:
<Gateway>
<ConnectionsToLocalNetwork />
</Gateway>
GatewaySubnet
Delete the GatewaySubnet that corresponds to the VNet.
<Subnets>
<Subnet name="FrontEnd">
<AddressPrefix>10.11.0.0/24</AddressPrefix>
</Subnet>
<Subnet name="GatewaySubnet">
<AddressPrefix>10.11.1.0/29</AddressPrefix>
</Subnet>
</Subnets>
Example:
<Subnets>
<Subnet name="FrontEnd">
<AddressPrefix>10.11.0.0/24</AddressPrefix>
</Subnet>
</Subnets>
NOTE
This article is written for the classic deployment model. If you're new to Azure, we recommend that you use the Resource
Manager deployment model instead. The Resource Manager deployment model is the most current deployment model and
offers more options and feature compatibility than the classic deployment model. For more information about the
deployment models, see Understanding deployment models.
For the Resource Manager version of this article, select it from the drop-down list below, or from the table of contents on
the left.
This article walks you through using PowerShell to add Site-to-Site (S2S ) connections to a VPN gateway that has
an existing connection. This type of connection is often referred to as a "multi-site" configuration. The steps in this
article apply to virtual networks created using the classic deployment model (also known as Service
Management). These steps do not apply to ExpressRoute/Site-to-Site coexisting connection configurations.
Deployment models and methods
Azure currently works with two deployment models: Resource Manager and classic. The two models are not
completely compatible with each other. Before you begin, you need to know which model that you want to work
in. For information about the deployment models, see Understanding deployment models. If you are new to
Azure, we recommend that you use the Resource Manager deployment model.
We update this table as new articles and additional tools become available for this configuration. When an article
is available, we link directly to it from this table.
About connecting
You can connect multiple on-premises sites to a single virtual network. This is especially attractive for building
hybrid cloud solutions. Creating a multi-site connection to your Azure virtual network gateway is similar to
creating other Site-to-Site connections. In fact, you can use an existing Azure VPN gateway, as long as the
gateway is dynamic (route-based).
If you already have a static gateway connected to your virtual network, you can change the gateway type to
dynamic without needing to rebuild the virtual network in order to accommodate multi-site. Before changing the
routing type, make sure that your on-premises VPN gateway supports route-based VPN configurations.
Points to consider
You won't be able to use the portal to make changes to this virtual network. You need to make changes to
the network configuration file instead of using the portal. If you make changes in the portal, they'll overwrite your
multi-site reference settings for this virtual network.
You should feel comfortable using the network configuration file by the time you've completed the multi-site
procedure. However, if you have multiple people working on your network configuration, you'll need to make sure
that everyone knows about this limitation. This doesn't mean that you can't use the portal at all. You can use it for
everything else, except making configuration changes to this particular virtual network.
<Gateway>
<ConnectionsToLocalNetwork>
<LocalNetworkSiteRef name="Site1"><Connection type="IPsec" /></LocalNetworkSiteRef>
</ConnectionsToLocalNetwork>
</Gateway>
To add additional site references (create a multi-site configuration), simply add additional "LocalNetworkSiteRef"
lines, as shown in the example below:
<Gateway>
<ConnectionsToLocalNetwork>
<LocalNetworkSiteRef name="Site1"><Connection type="IPsec" /></LocalNetworkSiteRef>
<LocalNetworkSiteRef name="Site2"><Connection type="IPsec" /></LocalNetworkSiteRef>
</ConnectionsToLocalNetwork>
</Gateway>
6. Download keys
Once your new tunnels have been added, use the PowerShell cmdlet 'Get-AzureVNetGatewayKey' to get the
IPsec/IKE pre-shared keys for each tunnel.
For example:
If you prefer, you can also use the Get Virtual Network Gateway Shared Key REST API to get the pre-shared keys.
Example return:
ConnectivityState : Connected
EgressBytesTransferred : 661530
IngressBytesTransferred : 519207
LastConnectionEstablished : 5/2/2014 2:51:40 PM
LastEventID : 23401
LastEventMessage : The connectivity state for the local network site 'Site1' changed from Not
Connected to Connected.
LastEventTimeStamp : 5/2/2014 2:51:40 PM
LocalNetworkSiteName : Site1
OperationDescription : Get-AzureVNetConnection
OperationId : 7f68a8e6-51e9-9db4-88c2-16b8067fed7f
OperationStatus : Succeeded
ConnectivityState : Connected
EgressBytesTransferred : 789398
IngressBytesTransferred : 143908
LastConnectionEstablished : 5/2/2014 3:20:40 PM
LastEventID : 23401
LastEventMessage : The connectivity state for the local network site 'Site2' changed from Not
Connected to Connected.
LastEventTimeStamp : 5/2/2014 2:51:40 PM
LocalNetworkSiteName : Site2
OperationDescription : Get-AzureVNetConnection
OperationId : 7893b329-51e9-9db4-88c2-16b8067fed7f
OperationStatus : Succeeded
Next steps
To learn more about VPN Gateways, see About VPN Gateways.
2 minutes to read
VPN Gateway classic to Resource Manager migration
6/27/2017 • 4 minutes to read • Edit Online
VPN Gateways can now be migrated from classic to Resource Manager deployment model. You can read more
about Azure Resource Manager features and benefits. In this article, we detail how to migrate from classic
deployments to newer Resource Manager based model.
VPN Gateways are migrated as part of VNet migration from classic to Resource Manager. This migration is done
one VNet at a time. There is no additional requirement in terms of tools or prerequisites to migration. Migration
steps are identical to existing VNet migration and are documented at IaaS resources migration page. There is no
data path downtime during migration and thus existing workloads would continue to function without loss of on-
premises connectivity during migration. The public IP address associated with the VPN gateway does not change
during the migration process. This implies that you will not need to reconfigure your on-premises router once the
migration is completed.
The model in Resource Manager is different from classic model and is composed of virtual network gateways, local
network gateways and connection resources. These represent the VPN gateway itself, the local-site representing on
premises address space and connectivity between the two respectively. Once migration is completed your
gateways would not be available in classic model and all management operations on virtual network gateways,
local network gateways, and connection objects must be performed using Resource Manager model.
Supported scenarios
Most common VPN connectivity scenarios are covered by classic to Resource Manager migration. The supported
scenarios include -
Point to site connectivity
Site to site connectivity with VPN Gateway connected to on premises location
VNet to VNet connectivity between two VNets using VPN gateways
Multiple VNets connected to same on premises location
Multi-site connectivity
Forced tunneling enabled VNets
Scenarios which are not supported include -
VNet with both ExpressRoute Gateway and VPN Gateway is not currently supported.
Transit scenarios where VM extensions are connected to on-premises servers. Transit VPN connectivity
limitations are detailed below.
NOTE
CIDR validation in Resource Manager model is more strict than the one in classic model. Before migrating ensure that classic
address ranges given conform to valid CIDR format before beginning the migration. CIDR can be validated using any
common CIDR validators. VNet or local sites with invalid CIDR ranges when migrated would result in failed state.
During VNet migration we detect that the connected entity to current VNet's VPN gateway is another VNet and
ensure that once migration of both VNets is completed, you would no longer see two local sites representing the
other VNet. The classic model of two VPN gateways, two local sites and two connections between them is
transformed to Resource Manager model with two VPN gateways and two connections of type Vnet2Vnet.
Since we transform VNet to VNet connectivity without requiring local sites, the transit scenario loses on-premises
connectivity for VNet that is indirectly connected to on-premises. The loss of connectivity can be mitigated in the
following two ways, after migration is completed -
Enable BGP on VPN gateways that are connected together and to on-premises. Enabling BGP restores
connectivity without any other configuration change since routes are learned and advertised between VNet
gateways. Note that BGP option is only available on Standard and higher SKUs.
Establish an explicit connection from affected VNet to the local network gateway representing on-premises
location. This would also require changing configuration on the on-premises router to create and configure the
IPsec tunnel.
Next steps
After learning about VPN gateway migration support, go to platform-supported migration of IaaS resources from
classic to Resource Manager to get started.
VPN Gateway FAQ
7/30/2018 • 36 minutes to read • Edit Online
NOTE
Starting July 1, 2018, support is being removed for TLS 1.0 and 1.1 from Azure VPN Gateway. VPN Gateway will support only
TLS 1.2. To maintain support, see the updates to enable support for TLS1.2.
Additionally, the following legacy algorithms will also be deprecated for TLS on July 1, 2018:
RC4 (Rivest Cipher 4)
DES (Data Encryption Algorithm)
3DES (Triple Data Encryption Algorithm)
MD5 (Message Digest 5)
How do I enable support for TLS 1.2 in Windows 7 and Windows 8.1?
1. Open a command prompt with elevated privileges by right-clicking on Command Prompt and selecting Run
as administrator.
2. Run the following commands in the command prompt:
Additionally, the following legacy algorithms will also be deprecated for TLS on July 1, 2018:
RC4 (Rivest Cipher 4)
DES (Data Encryption Algorithm)
3DES (Triple Data Encryption Algorithm)
MD5 (Message Digest 5)
How do I enable support for TLS 1.2 in Windows 7 and Windows 8.1?
1. Open a command prompt with elevated privileges by right-clicking on Command Prompt and selecting Run
as administrator.
2. Run the following commands in the command prompt:
IPsec/IKE policy
Is Custom IPsec/IKE policy supported on all Azure VPN Gateway SKUs?
Custom IPsec/IKE policy is supported on Azure VpnGw1, VpnGw2, VpnGw3, Standard, and HighPerformance
VPN gateways. The Basic SKU is not supported.
How many policies can I specify on a connection?
You can only specify one policy combination for a given connection.
Can I specify a partial policy on a connection? (for example, only IKE algorithms, but not IPsec)
No, you must specify all algorithms and parameters for both IKE (Main Mode) and IPsec (Quick Mode). Partial
policy specification is not allowed.
What are the algorithms and key strengths supported in the custom policy?
The following table lists the supported cryptographic algorithms and key strengths configurable by the customers.
You must select one option for every field.
IPSEC/IKEV2 OPTIONS
Does everything need to match between the Azure VPN gateway policy and my on-premises VPN device
configurations?
Your on-premises VPN device configuration must match or contain the following algorithms and parameters that
you specify on the Azure IPsec/IKE policy:
IKE encryption algorithm
IKE integrity algorithm
DH Group
IPsec encryption algorithm
IPsec integrity algorithm
PFS Group
Traffic Selector (*)
The SA lifetimes are local specifications only, do not need to match.
If you enable UsePolicyBasedTrafficSelectors, you need to ensure your VPN device has the matching traffic
selectors defined with all combinations of your on-premises network (local network gateway) prefixes to/from the
Azure virtual network prefixes, instead of any-to-any. For example, if your on-premises network prefixes are
10.1.0.0/16 and 10.2.0.0/16, and your virtual network prefixes are 192.168.0.0/16 and 172.16.0.0/16, you need to
specify the following traffic selectors:
10.1.0.0/16 <====> 192.168.0.0/16
10.1.0.0/16 <====> 172.16.0.0/16
10.2.0.0/16 <====> 192.168.0.0/16
10.2.0.0/16 <====> 172.16.0.0/16
For more information, see Connect multiple on-premises policy-based VPN devices.
Which Diffie -Hellman Groups are supported?
The table below lists the supported Diffie-Hellman Groups for IKE (DHGroup) and IPsec (PFSGroup):
BGP
Is BGP supported on all Azure VPN Gateway SKUs?
No, BGP is supported on Azure VpnGw1, VpnGw2, VpnGw3, Standard and HighPerformance VPN gateways.
Basic SKU is NOT supported.
Can I use BGP with Azure Policy-Based VPN gateways?
No, BGP is supported on Route-Based VPN gateways only.
Can I use private ASNs (Autonomous System Numbers)?
Yes, you can use your own public ASNs or private ASNs for both your on-premises networks and Azure virtual
networks.
Can I use 32-bit ASNs (Autonomous System Numbers)?
No, the Azure VPN Gateways support 16-Bit ASNs today.
Are there ASNs reserved by Azure?
Yes, the following ASNs are reserved by Azure for both internal and external peerings:
Public ASNs: 8074, 8075, 12076
Private ASNs: 65515, 65517, 65518, 65519, 65520
You cannot specify these ASNs for your on premises VPN devices when connecting to Azure VPN gateways.
Are there any other ASNs that I can't use?
Yes, the following ASNs are reserved by IANA and can't be configured on your Azure VPN Gateway:
23456, 64496-64511, 65535-65551 and 429496729
Can I use the same ASN for both on-premises VPN networks and Azure VNets?
No, you must assign different ASNs between your on-premises networks and your Azure VNets if you are
connecting them together with BGP. Azure VPN Gateways have a default ASN of 65515 assigned, whether BGP is
enabled or not for your cross-premises connectivity. You can override this default by assigning a different ASN
when creating the VPN gateway, or change the ASN after the gateway is created. You will need to assign your on-
premises ASNs to the corresponding Azure Local Network Gateways.
What address prefixes will Azure VPN gateways advertise to me?
Azure VPN gateway will advertise the following routes to your on-premises BGP devices:
Your VNet address prefixes
Address prefixes for each Local Network Gateways connected to the Azure VPN gateway
Routes learned from other BGP peering sessions connected to the Azure VPN gateway, except default route
or routes overlapped with any VNet prefix.
Can I advertise default route (0.0.0.0/0) to Azure VPN gateways?
Yes.
Please note this will force all VNet egress traffic towards your on-premises site, and will prevent the VNet VMs
from accepting public communication from the Internet directly, such RDP or SSH from the Internet to the VMs.
Can I advertise the exact prefixes as my Virtual Network prefixes?
No, advertising the same prefixes as any one of your Virtual Network address prefixes will be blocked or filtered by
the Azure platform. However you can advertise a prefix that is a superset of what you have inside your Virtual
Network.
For example, if your virtual network used the address space 10.0.0.0/16, you could advertise 10.0.0.0/8. But you
cannot advertise 10.0.0.0/16 or 10.0.0.0/24.
Can I use BGP with my VNet-to -VNet connections?
Yes, you can use BGP for both cross-premises connections and VNet-to-VNet connections.
Can I mix BGP with non-BGP connections for my Azure VPN gateways?
Yes, you can mix both BGP and non-BGP connections for the same Azure VPN gateway.
Does Azure VPN gateway support BGP transit routing?
Yes, BGP transit routing is supported, with the exception that Azure VPN gateways will NOT advertise default
routes to other BGP peers. To enable transit routing across multiple Azure VPN gateways, you must enable BGP
on all intermediate VNet-to-VNet connections.
Can I have more than one tunnel between Azure VPN gateway and my on-premises network?
Yes, you can establish more than one S2S VPN tunnel between an Azure VPN gateway and your on-premises
network. Please note that all these tunnels will be counted against the total number of tunnels for your Azure VPN
gateways and you must enable BGP on both tunnels.
For example, if you have two redundant tunnels between your Azure VPN gateway and one of your on-premises
networks, they will consume 2 tunnels out of the total quota for your Azure VPN gateway (10 for Standard and 30
for HighPerformance).
Can I have multiple tunnels between two Azure VNets with BGP?
Yes, but at least one of the virtual network gateways must be in active-active configuration.
Can I use BGP for S2S VPN in an ExpressRoute/S2S VPN co -existence configuration?
Yes.
What address does Azure VPN gateway use for BGP Peer IP?
The Azure VPN gateway will allocate a single IP address from the GatewaySubnet range defined for the virtual
network. By default, it is the second last address of the range. For example, if your GatewaySubnet is
10.12.255.0/27, ranging from 10.12.255.0 to 10.12.255.31, the BGP Peer IP address on the Azure VPN gateway
will be 10.12.255.30. You can find this information when you list the Azure VPN gateway information.
What are the requirements for the BGP Peer IP addresses on my VPN device?
Your on-premises BGP peer address MUST NOT be the same as the public IP address of your VPN device. Use a
different IP address on the VPN device for your BGP Peer IP. It can be an address assigned to the loopback
interface on the device, but please note that it cannot be an APIPA (169.254.x.x) address. Specify this address in the
corresponding Local Network Gateway representing the location.
What should I specify as my address prefixes for the Local Network Gateway when I use BGP?
Azure Local Network Gateway specifies the initial address prefixes for the on-premises network. With BGP, you
must allocate the host prefix (/32 prefix) of your BGP Peer IP address as the address space for that on-premises
network. If your BGP Peer IP is 10.52.255.254, you should specify "10.52.255.254/32" as the
localNetworkAddressSpace of the Local Network Gateway representing this on-premises network. This is to
ensure that the Azure VPN gateway establishes the BGP session through the S2S VPN tunnel.
What should I add to my on-premises VPN device for the BGP peering session?
You should add a host route of the Azure BGP Peer IP address on your VPN device pointing to the IPsec S2S VPN
tunnel. For example, if the Azure VPN Peer IP is "10.12.255.30", you should add a host route for "10.12.255.30"
with a nexthop interface of the matching IPsec tunnel interface on your VPN device.
Next steps
For more information about VPN Gateway, see About VPN Gateway.
For more information about VPN Gateway configuration settings, see About VPN Gateway configuration
settings.
Azure subscription and service limits, quotas, and
constraints
9/5/2018 • 64 minutes to read • Edit Online
This document lists some of the most common Microsoft Azure limits, which are also sometimes called quotas.
This document doesn't currently cover all Azure services. Over time, the list will be expanded and updated to cover
more of the platform.
Please visit Azure Pricing Overview to learn more about Azure pricing. There, you can estimate your costs using
the Pricing Calculator or by visiting the pricing details page for a service (for example, Windows VMs). For tips to
help manage your costs, see Prevent unexpected costs with Azure billing and cost management.
NOTE
If you want to raise the limit or quota above the Default Limit, open an online customer support request at no charge. The
limits can't be raised above the Maximum Limit value shown in the following tables. If there is no Maximum Limit column,
then the resource doesn't have adjustable limits.
Free Trial subscriptions are not eligible for limit or quota increases. If you have a Free Trial subscription, you can upgrade to a
Pay-As-You-Go subscription. For more information, see Upgrade Azure Free Trial to Pay-As-You-Go and Free Trial
subscription FAQ.
NOTE
It is important to emphasize that quotas for resources in Azure Resource Groups are per-region accessible by your
subscription, and are not per-subscription, as the service management quotas are. Let's use vCPU quotas as an example. If
you need to request a quota increase with support for vCPUs, you need to decide how many vCPUs you want to use in
which regions, and then make a specific request for Azure Resource Group vCPU quotas for the amounts and regions that
you want. Therefore, if you need to use 30 vCPUs in West Europe to run your application there, you should specifically
request 30 vCPUs in West Europe. But you will not have a vCPU quota increase in any other region -- only West Europe will
have the 30-vCPU quota.
As a result, you may find it useful to consider deciding what your Azure Resource Group quotas need to be for your workload
in any one region, and request that amount in each region into which you are considering deployment. See troubleshooting
deployment issues for more help discovering your current quotas for specific regions.
Service-specific limits
Active Directory
API Management
App Service
Application Gateway
Application Insights
Automation
Azure Cosmos DB
Azure Database for MySQL
Azure Database for PostgreSQL
Azure Event Grid
Azure Maps
Azure Policy
Azure Redis Cache
Backup
Batch
BizTalk Services
CDN
Cloud Services
Container Instances
Container Registry
Kubernetes Service
Data Factory
Data Lake Analytics
Data Lake Store
Database Migration Service
DNS
Event Hubs
Azure Firewall
IoT Hub
IoT Hub Device Provisioning Service
Key Vault
Log Analytics
Managed Identity
Media Services
Mobile Engagement
Mobile Services
Monitor
Multi-Factor Authentication
Networking
Network Watcher
Notification Hub Service
Resource Group
Role-based access control
Scheduler
Search
Service Bus
Site Recovery
SQL Database
SQL Data Warehouse
Storage
StorSimple System
Stream Analytics
Subscription
Traffic Manager
Virtual Machines
Virtual Machine Scale Sets
Subscription limits
Subscription limits
1Extra Small instances count as one vCPU towards the vCPU limit despite using a partial CPU core.
2The storage account limit includes both Standard and Premium storage accounts. If you require more than 200
storage accounts in a given region, make a request through Azure Support. The Azure Storage team will review
your business case and may approve up to 250 storage accounts for a given region.
Subscription limits - Azure Resource Manager
The following limits apply when using the Azure Resource Manager and Azure Resource Groups. Limits that have
not changed with the Azure Resource Manager are not listed below. Please refer to the previous table for those
limits.
For information about handling limits on Resource Manager requests, see Throttling Resource Manager requests.
VM per series (Dv2, F, etc.) cores per 201 per Region Contact support
subscription
Availability Sets per subscription 2,000 per Region 2,000 per Region
Resource Manager API Reads 15,000 per hour 15,000 per hour
Resource Manager API Writes 1,200 per hour 1,200 per hour
1Default limits vary by offer Category Type, such as Free Trial, Pay-As-You-Go, and series, such as Dv2, F, G, etc.
2This includes both Standard and Premium storage accounts. If you require more than 200 storage accounts, make
a request through Azure Support. The Azure Storage team will review your business case and may approve up to
250 storage accounts.
3You can apply an unlimited number of tags per subscription. The number of tags per resource or resource group is
limited to 15. Resource Manager only returns a list of unique tag name and values in the subscription when the
number of tags is 10,000 or less. However, you can still find a resource by tag when the number exceeds 10,000.
4These features are no longer required with Azure Resource Groups and the Azure Resource Manager.
NOTE
It is important to emphasize that virtual machine cores have a regional total limit as well as a regional per size series (Dv2, F,
etc.) limit that are separately enforced. For example, consider a subscription with a US East total VM core limit of 30, an A
series core limit of 30, and a D series core limit of 30. This subscription would be allowed to deploy 30 A1 VMs, or 30 D1
VMs, or a combination of the two not to exceed a total of 30 cores (for example, 10 A1 VMs and 20 D1 VMs).
Resources per resource group (per 800 Varies per resource type
resource type)
Template limits
Outputs 64 64
Template size 1 MB 1 MB
You can exceed some template limits by using a nested template. For more information, see Using linked templates
when deploying Azure resources. To reduce the number of parameters, variables, or outputs, you can combine
several values into an object. For more information, see Objects as parameters.
If you reach the limit of 800 deployments per resource group, delete deployments from the history that are no
longer needed. You can delete entries from the history with az group deployment delete for Azure CLI, or Remove-
AzureRmResourceGroupDeployment in PowerShell. Deleting an entry from the deployment history does not
affect the deploy resources.
Virtual Machines limits
Virtual Machine limits
1Virtual machines created in Service Management (instead of Resource Manager ) are automatically stored in a
cloud service. You can add more virtual machines to that cloud service for load balancing and availability.
2Input endpoints allow communications to a virtual machine from outside the virtual machine's cloud service.
Virtual machines in the same cloud service or virtual network can automatically communicate with each other. See
How to Set Up Endpoints to a Virtual Machine.
Virtual Machines limits - Azure Resource Manager
The following limits apply when using the Azure Resource Manager and Azure Resource Groups. Limits that have
not changed with the Azure Resource Manager are not listed below. Please refer to the previous table for those
limits.
1With Azure Resource Manager, certificates are stored in the Azure Key Vault. Although the number of certificates
is unlimited for a subscription, there is still a 1 MB limit of certificates per deployment (which consists of either a
single VM or an availability set).
Virtual Machine Scale Sets limits
RESOURCE DEFAULT LIMIT MAXIMUM LIMIT
Ports per IP 5
Webhooks 2 10 100
1 The specified storage limits are the amount of included storage for each tier. You're charged an additional daily
rate per GiB for image storage above these limits. For rate information, see Container Registry pricing.
2 ReadOps, WriteOps, and Bandwidth are minimum estimates. ACR strives to improve performance as usage
requires.
3 docker pull translates to multiple read operations based on the number of layers in the image, plus the manifest
retrieval.
4 docker push translates to multiple write operations, based on the number of layers that must be pushed. A
docker push includes ReadOps to retrieve a manifest for an existing image.
Max pods per node: Advanced networking with Azure CNI Azure CLI deployment: 1101
Resource Manager template: 1101
Portal deployment: 30
1 This value is configurable at cluster deployment when deploying an AKS cluster with the Azure CLI or a Resource
Manager template.
Networking limits
ExpressRoute Limits
The following limits apply to ExpressRoute resources per subscription.
Number of virtual network links allowed per ExpressRoute see table below
circuit
50 Mbps 10 20
100 Mbps 10 25
200 Mbps 10 25
NUMBER OF VNET LINKS WITH PREMIUM
CIRCUIT SIZE NUMBER OF VNET LINKS FOR STANDARD ADD-ON
500 Mbps 10 40
1 Gbps 10 50
2 Gbps 10 60
5 Gbps 10 75
10 Gbps 10 100
Networking limits
The following limits apply only for networking resources managed through the classic deployment model per
subscription. Learn how to view your current resource usage against your subscription limits.
Backend pool, Basic 100, single Availability Set 100, single Availability Set
** Up to 150 resources, any combination of standalone virtual machines, availability sets, and virtual machine scale
sets.
Contact support in case you need to increase limits from default.
Application Gateway limits
Frontend Ports 20
HTTP Listeners 20
RESOURCE DEFAULT LIMIT NOTE
DNS limits
RESOURCE DEFAULT LIMIT
VNet peering For hub and spoke implementations, max of 50 spoke VNETs.
Global peering Not supported. You should have at least one firewall
deployment per region.
Storage limits
For additional details on storage account limits, see Azure Storage Scalability and Performance Targets.
Maximum request rate per storage account 20,000 requests per second2
Max ingress3 per storage account (US Regions) 10 Gbps if RA-GRS/GRS enabled, 20 Gbps for LRS/ZRS4
Max egress3 per storage account (US Regions) 20 Gbps if RA-GRS/GRS enabled, 30 Gbps for LRS/ZRS4
Max ingress3 per storage account (Non-US regions) 5 Gbps if RA-GRS/GRS enabled, 10 Gbps for LRS/ZRS4
Max egress3 per storage account (Non-US regions) 10 Gbps if RA-GRS/GRS enabled, 15 Gbps for LRS/ZRS4
1Includes both Standard and Premium storage accounts. If you require more than 200 storage accounts in a given
region, make a request through Azure Support. The Azure Storage team will review your business case and may
approve up to 250 storage accounts for a given region.
2 If you need expanded limits for
your storage account, please contact Azure Support. The Azure Storage team will
review the request and may approve higher limits on a case by case basis. Both general-purpose and Blob storage
accounts support increased capacity, ingress/egress, and request rate by request. For the new maximums for Blob
storage accounts, see Announcing larger, higher scale storage accounts.
3
3 Capped only by the account's ingress/egress limits. Ingress refers to all data (requests) being sent to a storage
account. Egress refers to all data (responses) being received from a storage account.
4Azure Storage redundancy options include:
RA -GRS: Read-access geo-redundant storage. If RA-GRS is enabled, egress targets for the secondary location
are identical to those for the primary location.
GRS: Geo-redundant storage.
ZRS: Zone-redundant storage.
LRS: Locally redundant storage.
The following limits apply when performing management operations using the Azure Resource Manager only.
RESOURCE TARGET
Max size of single blob container Same as max storage account capacity
Max size of a block blob 50,000 X 100 MiB (approx. 4.75 TiB)
Target throughput for single blob Up to 60 MiB per second, or up to 500 requests per second
RESOURCE TARGET
Maximum request rate per storage account 20,000 requests per second for files of any valid size3
Sync groups per Storage Sync Service 100 sync groups Yes
Server endpoints per server 33-99 server endpoints Yes, but varies based on configuration
(CPU, memory, volumes, file churn, file
count, etc.)
Maximum request rate per storage account 20,000 messages per second assuming 1 KiB message size
Target throughput for single queue (1 KiB messages) Up to 2000 messages per second
RESOURCE TARGET
Max number of properties in a table entity 255 (including 3 system properties: PartitionKey, RowKey and
Timestamp)
Maximum request rate per storage account 20,000 transactions per second (assuming 1 KiB entity size)
Target throughput for single table partition (1 KiB entities) Up to 2000 entities per second
IMPORTANT
For optimal performance, limit the number of highly utilized disks attached to the virtual machine to avoid possible throttling.
If all attached disks are not highly utilized at the same time, then the virtual machine can support a larger number of disks.
For standard storage accounts: A standard storage account has a maximum total request rate of 20,000
IOPS. The total IOPS across all of your virtual machine disks in a standard storage account should not
exceed this limit.
You can roughly calculate the number of highly utilized disks supported by a single standard storage
account based on the request rate limit. For example, for a Basic Tier VM, the maximum number of highly
utilized disks is about 66 (20,000/300 IOPS per disk), and for a Standard Tier VM, it is about 40 (20,000/500
IOPS per disk).
For premium storage accounts: A premium storage account has a maximum total throughput rate of 50
Gbps. The total throughput across all of your VM disks should not exceed this limit.
See Virtual machine sizes for additional details.
Managed virtual machine disks
Standard managed virtual machine disks
STANDAR
D DISK
TYPE S4 S6 S10 S15 S20 S30 S40 S50
IOPS per 500 500 500 500 500 500 500 500
disk
Throughp 60 60 60 60 60 60 60 60
ut per MB/sec MB/sec MB/sec MB/sec MB/sec MB/sec MB/sec MB/sec
disk
PREMIUM
DISKS
TYPE P4 P6 P10 P15 P20 P30 P40 P50
IOPS per 120 240 500 1100 2300 5000 7500 7500
disk
1Ingress refers to all data (requests) being sent to a storage account. Egress refers to all data (responses) being
PREMIUM
STORAGE DISK
TYPE P10 P20 P30 P40 P50
Disk size 128 GiB 512 GiB 1024 GiB (1 TB) 2048 GiB (2 TB) 4095 GiB (4 TB)
Max throughput 100 MB/s 150 MB/s 200 MB/s 250 MB/s 250 MB/s
per disk
1Each Cloud Service with Web/Worker roles can have two deployments, one for production and one for staging.
Also note that this limit refers to the number of distinct roles (configuration) and not the number of instances per
role (scaling).
App Service limits
The following App Service limits include limits for Web Apps, Mobile Apps, and API Apps.
App Service 1 per region 10 per 100 per 100 per 100 per 100 per
plan resource resource resource resource resource
group group group group group
CPU time (5 3 minutes 3 minutes Unlimited, pay Unlimited, pay Unlimited, pay Unlimited, pay
min)6 at standard at standard at standard at standard
rates rates rates rates
CPU time 60 minutes 240 minutes Unlimited, pay Unlimited, pay Unlimited, pay Unlimited, pay
(day)6 at standard at standard at standard at standard
rates rates rates rates
Concurrent 1 1 1 5 5 5
debugger
connections
per
application
Custom Not Not Unlimited SNI Unlimited SNI Unlimited SNI Unlimited SNI
domain SSL supported. supported. SSL SSL and 1 IP SSL and 1 IP SSL and 1 IP
support Wildcard Wildcard connections SSL SSL SSL
certificate for certificate for connections connections connections
*.azurewebsite *.azurewebsite included included included
s.net available s.net available
by default. by default.
Integrated X X X X X9
Load Balancer
Always On X X X X
Auto Scale X X X
WebJobs8 X X X X X X
Azure X X X X X
Scheduler
support
Endpoint X X X X
monitoring
Staging Slots 5 20 20
1Apps and storage quotas are per App Service plan unless noted otherwise.
2The actual number of apps that you can host on these machines depends on the activity of the apps, the size of the
machine instances, and the corresponding resource utilization.
3Dedicated instances can be of different sizes. See App Service Pricing for more details.
4More allowed upon request. 5The storage limit is the total content size across all apps in the same App Service
number of instances).
7If you scale an app in the Basic tier to two instances, you have 350 concurrent connections for each of the two
instances.
8Run custom executables and/or scripts on demand, on a schedule, or continuously as a background task within
your App Service instance. Always On is required for continuous WebJobs execution. Azure Scheduler Free or
Standard is required for scheduled WebJobs. There is no predefined limit on the number of WebJobs that can run
in an App Service instance, but there are practical limits that depend on what the application code is trying to do.
9App Service Isolated SKUs have the ability to be internally load balanced ( ILB ) with Azure Load Balancer, which
means no public connectivity from the internet. As a result, some features of an ILB Isolated App Service must be
used from machines that have direct access to the ILB network endpoint.
Scheduler limits
The following table describes each of the major quotas, limits, defaults, and throttles in Azure Scheduler.
Job size Maximum job size is 16K. If a PUT or a PATCH results in a job
larger than these limits, a 400 Bad Request status code is
returned.
Request URL size Maximum size of the request URL is 2048 chars.
Job history Maximum response body stored in job history is 2048 bytes.
Jobs The default max jobs quota is 5 jobs in a free job collection
and 50 jobs in a standard job collection. The maximum
number of jobs is configurable on a job collection. All jobs in
the job collection are limited the value set on the job
collection. If you attempt to create more jobs than the
maximum jobs quota, then the request fails with a 409
Conflict status code.
Job history retention Job history is retained for up to 2 months or up to the last
1000 executions.
Completed and faulted job retention Completed and faulted jobs are retained for 60 days.
Batch limits
RESOURCE DEFAULT LIMIT MAXIMUM LIMIT
NOTE
Default limits vary depending on the type of subscription you use to create a Batch account. Cores quotas shown are for
Batch accounts in Batch service mode. View the quotas in your Batch account.
1 The number of dedicated cores per Batch account can be increased, but the maximum number is unspecified.
Contact Azure support to discuss increase options.
2 The number of low -priority cores per Batch account can be increased, but the maximum number is unspecified.
Contact Azure support to discuss increase options.
3 Completed jobs and job schedules are not limited.
4 Contact Azure support if you want to request an increase beyond this limit.
Scale out N/A N/A Yes, in increments Yes, in increments Yes, in increments
of 1 Basic Unit of 1 Standard of 1 Premium
Unit Unit
Hybrid 5 5 10 50 100
Connections per
Unit
Number of N/A 1 2 5 25
connections
using BizTalk
Adapter Service
per Unit
Total Push Campaigns (includes Active & Completed) 1000 per app
Search limits
Pricing tiers determine the capacity and limits of your search service. Tiers include:
Free multi-tenant service, shared with other Azure subscribers, intended for evaluation and small development
projects.
Basic provides dedicated computing resources for production workloads at a smaller scale, with up to three
replicas for highly available query workloads.
Standard (S1, S2, S3, S3 High Density ) is for larger production workloads. Multiple levels exist within the
standard tier so that you can choose a resource configuration that best matches your workload profile.
Limits per subscription
You can create multiple services within a subscription, each one provisioned at a specific tier, limited only by the
number of services allowed at each tier. For example, you could create up to 12 services at the Basic tier and
another 12 services at the S1 tier within the same subscription. For more information about tiers, see Choose a
SKU or tier for Azure Search.
Maximum service limits can be raised upon request. Contact Azure Support if you need more services within the
same subscription.
Maximum 1 12 12 6 6 6
services
Maximum N/A 3 SU 36 SU 36 SU 36 SU 36 SU
scale in SU 2
1 Free is based on shared, not dedicated, resources. Scale-up is not supported on shared resources.
Replicas N/A 3 12 12 12 12
1 Basic has one fixed partition. At this tier, additional SUs are used for allocating more replicas for increased query
workloads.
2 S3 HD has a hard limit of 3 partitions, which is lower than the partition limit for S3. The lower partition limit is
imposed because the index count for S3 HD is substantially higher. Given that service limits exist for both
computing resources (storage and processing) and content (indexes and documents), the content limit is reached
first.
3 Service level agreements ( SLAs) are offered forbillable services on dedicated resources. Free services and
preview features have no SLA. For billable services, SLAs take effect when you provision sufficient redundancy for
your service. Two or more replicas are required for query (read) SLA. Three or more replicas are required for query
and indexing (read-write) SLA. The number of partitions is not an SLA consideration.
To learn more about limits on a more granular level, such as document size, queries per second, keys, requests, and
responses, see Service limits in Azure Search.
Media Services limits
NOTE
For resources that are not fixed, you may ask for the quotas to be raised, by opening a support ticket. Do not create
additional Azure Media Services accounts in an attempt to obtain higher limits.
Policies 1,000,000(6)
File size In some scenarios, there is a limit on the maximum file size
supported for processing in Media Services. 7
1 If you change the type (for example, from S2 to S1,) the max RU limits are reset.
2 This number includes queued, finished, active, and canceled jobs. It does not include deleted jobs. You can delete
the old jobs using IJob.Delete or the DELETE HTTP request.
As of April 1, 2017, any Job record in your account older than 90 days will be automatically deleted, along with its
associated Task records, even if the total number of records is below the maximum quota. If you need to archive the
job/task information, you can use the code described here.
3 When making a request to list Job entities, a maximum of 1,000 jobs is returned per request. If you need to keep
track of all submitted Jobs, you can use top/skip as described in OData system query options.
4 Locators are not designed for
managing per-user access control. To give different access rights to individual users,
use Digital Rights Management (DRM ) solutions. For more information, see this section.
5 The storage accounts must be from the same Azure subscription.
6 There is a limit of 1,000,000
policies for different AMS policies (for example, for Locator policy or
ContentKeyAuthorizationPolicy).
NOTE
You should use the same policy ID if you are always using the same days / access permissions / etc. For information and an
example, see this section.
7If you are uploading content to an Asset in Azure Media Services to process it with one of the media processors in
the service (that is, encoders like Media Encoder Standard and Media Encoder Premium Workflow, or analysis
engines like Face Detector), then you should be aware of the constraints on the maximum file sizes supported.
The maximum size supported for a single blob is currently up to 5 TB in Azure Blob Storage. However, additional
limits apply in Azure Media Services based on the VM sizes that are used by the service. The following table shows
the limits on each of the Media Reserved Units (S1, S2, S3.) If your source file is larger than the limits defined in
the table, your encoding job will fail. If you are encoding 4K resolution sources of long duration, you are required to
use S3 Media Reserved Units to achieve the performance needed. If you have 4K content that is larger than 260
GB limit on the S3 Media Reserved Units, contact us at amshelp@microsoft.com for potential mitigations to
support your scenario.
MEDIA RESERVED UNIT TYPE MAXIMUM INPUT SIZE (GB)
S1 325
S2 640
S3 260
CDN limits
RESOURCE DEFAULT LIMIT MAXIMUM LIMIT
CDN profiles 25 25
A CDN subscription can contain one or more CDN profiles and a CDN profile can contain one or more CDN
endpoints. You may wish to use multiple profiles to organize your CDN endpoints by internet domain, web
application, or some other criteria.
To request an update to your subscription's default limits, open a support ticket.
Mobile Services limits
TIER: FREE BASIC STANDARD
Push Notifications Notification Hubs Free Tier Notification Hubs Basic Tier Notification Hubs Standard
included, up to 1 M pushes included, up to 10 M pushes Tier included, up to 10 M
pushes
For additional details on these limits and for information on pricing, see Mobile Services Pricing.
Monitor limits
RESOURCE DEFAULT LIMIT MAXIMUM LIMIT
Metric Alerts (classic) 100 active alert rules per subscription call support
Newer Metric Alerts 100 active alert rules per subscription call support
For additional details on these limits and for information on pricing, see Notification Hubs Pricing.
Event Hubs limits
The following table lists quotas and limits specific to Azure Event Hubs. For information about Event Hubs pricing,
see Event Hubs pricing.
Number of partitioned Namespace Subsequent requests for Basic and Standard Tiers -
topics/queues per creation of a new partitioned 100
namespace topic or queue on the
namespace are rejected. As a Partitioned entities are not
result, if configured through supported in the Premium
the Azure portal, an error tier.
message is generated. If
called from the management Each partitioned queue or
API, a topic counts towards the
QuotaExceededException quota of 10,000 entities per
exception is received by the namespace.
calling code.
Message size for a Entity Incoming messages that Maximum message size: 256
queue/topic/subscription exceed these quotas are KB (Standard tier) / 1 MB
entity rejected and an exception is (Premium tier).
received by the calling code.
Due to system overhead,
this limit is less than these
values.
Size of SQL filters/actions Namespace Subsequent requests for Maximum length of filter
creation of additional filters condition string: 1024 (1 K).
are rejected and an
exception is received by the Maximum length of rule
calling code. action string: 1024 (1 K).
Maximum number of
expressions per rule action:
32.
NOTE
If you anticipate using more than 200 units with an S1 or S2 or 10 units with an S3 tier hub, contact Microsoft support.
The following table lists the limits that apply to IoT Hub resources:
RESOURCE LIMIT
NOTE
If you need more than 50 paid IoT hubs in an Azure subscription, contact Microsoft support.
NOTE
Currently, the maximum number of devices you can connect to a single IoT hub is 500,000. If you want to increase this limit,
contact Microsoft Support.
The IoT Hub service throttles requests when the following quotas are exceeded:
THROTTLE PER-HUB VALUE
Device connections 6000/sec/unit (for S3), 120/sec/unit (for S2), 12/sec/unit (for
S1).
Minimum of 100/sec.
Device-to-cloud sends 6000/sec/unit (for S3), 120/sec/unit (for S2), 12/sec/unit (for
S1).
Minimum of 100/sec.
Device twin reads 50/sec/unit (for S3), Maximum of 10/sec or 1/sec/unit (for S2),
10/sec (for S1)
Device twin updates 50/sec/unit (for S3), Maximum of 10/sec or 1/sec/unit (for S2),
10/sec (for S1)
Jobs per-device operation throughput 50/sec/unit (for S3), Maximum of 10/sec or 1/sec/unit (for S2),
10/sec (for S1)
RESOURCE LIMIT
NOTE
You can contact Microsoft Support to increase the number of instances in your subscription.
NOTE
You can contact Microsoft Support to increase the number of enrollments and registrations on your provisioning service.
The Device Provisioning Service throttles requests when the following quotas are exceeded:
Operations 100/min
ForEach parallelism 20 50
RESOURCE DEFAULT LIMIT MAXIMUM LIMIT
Version 1
RESOURCE DEFAULT LIMIT MAXIMUM LIMIT
Retry count for pipeline activity runs 1000 MaxInt (32 bit)
1 Pipeline, dataset, and linked service objects represent a logical grouping of your
workload. Limits for these
objects do not relate to amount of data you can move and process with the Azure Data Factory service. Data
factory is designed to scale to handle petabytes of data.
2 On-demand HDInsight cores are allocated out of the subscription that contains the data factory. As a result, the
above limit is the Data Factory enforced core limit for on-demand HDInsight cores and is different from the core
limit associated with your Azure subscription.
3 Data Integration Unit ( DIU ) for v2 or Cloud Data Movement Unit (DMU ) for v1 is being used in a cloud-to-cloud
copy operation. It is a measure that represents the power (a combination of CPU, memory, and network resource
allocation) of a single unit in Data Factory. You can achieve higher copy throughput by using more DMUs for some
scenarios. Refer to Data integration units (V2) and Cloud data movement units (V1) section on details, and Azure
Data Factory pricing page for billing implication.
4 The Integration Runtime ( IR ) is the compute infrastructure used byAzure Data Factory to provide the following
data integration capabilities across different network environments: data movement, dispatching activities to
compute services, execution of SSIS packages. For more information, see Integration Runtime overview.
Max number of access ACLs, per file or 32 This is a hard limit. Use groups to
folder manage access with fewer entries
Max number of default ACLs, per file or 32 This is a hard limit. Use groups to
folder manage access with fewer entries
Maximum number of inputs per job 60 There is a hard limit of 60 inputs per
Stream Analytics job.
Maximum number of outputs per job 60 There is a hard limit of 60 outputs per
Stream Analytics job.
Maximum number of functions per job 60 There is a hard limit of 60 functions per
Stream Analytics job.
Maximum number of Streaming Units 120 There is a hard limit of 120 Streaming
per job Units per Stream Analytics job.
Maximum number of jobs per region 1500 Each subscription may have up to 1500
jobs per geographical region.
Domains You can add no more than 900 managed domain names. If
you're setting up all of your domains for federation with on-
premises Active Directory, you can add no more than 450
domain names in each directory.
Publish rate for a custom topic (ingress) 5,000 events per second per topic
RESOURCE LIMIT
Maximum number of schedules per 168 A schedule for every hour, every day of
bandwidth template the week (24*7).
Maximum size of a tiered volume on 64 TB for 8100 and 8600 8100 and 8600 are physical devices.
physical devices
Maximum size of a tiered volume on 30 TB for 8010 8010 and 8020 are virtual devices in
virtual devices in Azure 64 TB for 8020 Azure that use Standard Storage and
Premium Storage respectively.
Maximum size of a locally pinned 9 TB for 8100 8100 and 8600 are physical devices.
volume on physical devices 24 TB for 8600
Maximum number of snapshots of any 256 This includes local snapshots and cloud
type that can be retained per volume snapshots.
Restore and clone recover time for < 2 minutes The volume is made available
tiered volumes within 2 minutes of restore or
clone operation, regardless of
the volume size.
The volume performance may
initially be slower than normal as
most of the data and metadata
still resides in the cloud.
Performance may increase as
data flows from the cloud to the
StorSimple device.
The total time to download
metadata depends on the
allocated volume size. Metadata
is automatically brought into the
device in the background at the
rate of 5 minutes per TB of
allocated volume data. This rate
may be affected by Internet
bandwidth to the cloud.
The restore or clone operation is
complete when all the metadata
is on the device.
Backup operations cannot be
performed until the restore or
clone operation is fully complete.
LIMIT IDENTIFIER LIMIT COMMENTS
Restore recover time for locally pinned < 2 minutes The volume is made available
volumes within 2 minutes of the restore
operation, regardless of the
volume size.
The volume performance may
initially be slower than normal as
most of the data and metadata
still resides in the cloud.
Performance may increase as
data flows from the cloud to the
StorSimple device.
The total time to download
metadata depends on the
allocated volume size. Metadata
is automatically brought into the
device in the background at the
rate of 5 minutes per TB of
allocated volume data. This rate
may be affected by Internet
bandwidth to the cloud.
Unlike tiered volumes, in the
case of locally pinned volumes,
the volume data is also
downloaded locally on the
device. The restore operation is
complete when all the volume
data has been brought to the
device.
The restore operations may be
long and the total time to
complete the restore will depend
on the size of the provisioned
local volume, your Internet
bandwidth and the existing data
on the device. Backup
operations on the locally pinned
volume are allowed while the
restore operation is in progress.
Maximum client read/write throughput 920/720 MB/s with a single 10GbE Up to 2x with MPIO and two network
(when served from the SSD tier)* network interface interfaces.
Maximum client read/write throughput 11/41 MB/s Read throughput depends on clients
(when served from the cloud tier)* generating and maintaining sufficient
I/O queue depth.
* Maximum throughput per I/O type was measured with 100 percent read and 100 percent write scenarios. Actual
throughput may be lower and depends on I/O mix and network conditions.
Log Analytics limits
The following limits apply to Log Analytics resources per subscription:
RESOURCE DEFAULT LIMIT COMMENTS
Number of paid workspaces per N/A You are limited by the number of
subscription resources within a resource group and
number of resource groups per
subscription
NOTE
As of April 2, 2018, new workspaces in a new subscription will automatically use the Per GB pricing plan. For existing
subscriptions created before April 2, or a subscription that was tied to an existing EA enrollment, you can continue choosing
between the three pricing tiers for new workspaces.
1 When customers reach their 500 MB daily data transfer limit, data analysis stops and resumes at the start of the
next day. A day is based on UTC.
2 The data retention period for the Standalone, OMS, and Per GB pricing plans can be increased to 730 days.
Data Collector API Maximum size for a single post is 30 Split larger volumes into multiple posts
MB Fields longer than 32 KB are truncated.
Maximum size for field values is 32 KB
Search API 5000 records returned for non- Aggregated data is a search that
aggregated data includes the summarize command
500000 records for aggregated data
Backup limits
The following limits apply to Azure Backup.
Size of a data source for data stored in Azure vault storage 54400 GB max1
Number of backup vaults that can be created in each Azure 500 Recovery Services vaults per region
subscription
LIMIT IDENTIFIER DEFAULT LIMIT
Number of times backup can be scheduled per day 3 per day for Windows Server/Client
2 per day for SCDPM
Once a day for IaaS VMs
Total data per day 100 GB You can reduce data by setting a cap. If
you need more data, you can increase
the limit in the portal, up to 1,000 GB.
For capacities greater than 1,000 GB,
send mail to
AIDataCap@microsoft.com.
Availability multi-step test detailed 90 days This resource provides detailed results
results retention of each step.
For more information, see About pricing and quotas in Application Insights.
API Management limits
RESOURCE LIMIT
1API Management limits are different for each pricing tier. To see the pricing tiers and their scaling limits go to API
Management Pricing. 2 Connections are pooled and re-used, unless explicitly closed by the backend. 3 Per unit of
Basic, Standard and Premium tiers. Developer tier is limited to 1024. 4 Available in Premium tier only.
Azure Redis Cache limits
RESOURCE LIMIT
Databases 64
Azure Redis Cache limits and sizes are different for each pricing tier. To see the pricing tiers and their associated
sizes, see Azure Redis Cache Pricing.
For more information on Azure Redis Cache configuration limits, see Default Redis server configuration.
Because configuration and management of Azure Redis Cache instances is done by Microsoft, not all Redis
commands are supported in Azure Redis Cache. For more information, see Redis commands not supported in
Azure Redis Cache.
Key Vault limits
Key transactions (Max transactions allowed in 10 seconds, per vault per region1):
HSM-KEY SOFTWARE-KEY
HSM-KEY ALL OTHER SOFTWARE-KEY ALL OTHER
KEY TYPE CREATE KEY TRANSACTIONS CREATE KEY TRANSACTIONS
See Azure Key Vault throttling guidance for information on how to handle throttling when these limits are
exceeded.
1 There is a subscription-wide limit forall transaction types, that is 5x per key vault limit. For example, HSM - other
transactions per subscription are limited to 5000 transactions in 10 seconds per subscription.
Multi-Factor Authentication
RESOURCE DEFAULT LIMIT MAXIMUM LIMIT
Automation limits
RESOURCE MAXIMUM LIMIT NOTES
Max number of new jobs that can be 100 When this limit it hit, the subsequent
submitted every 30 seconds per requests to create a job fail. The client
Automation Account (non Scheduled receives an error response.
jobs)
Max number of concurrent running jobs 200 When this limit it hit, the subsequent
at the same instance of time per requests to create a job fail. The client
Automation Account (non Scheduled receives an error response.
jobs)
Job Run Time - Free tier 500 minutes per subscription per
calendar month
Max amount of disk space allowed per 1 GB Applies to Azure sandboxes only
sandbox 1
Maximum runtime allowed per runbook 3 hours Applies to Azure sandboxes only
1
1 A sandbox is a shared environment that can be used by multiple jobs, jobs using the same sandbox are bound by
the resource limitations of the sandbox.
Managed Identity limits
CATEGORY LIMIT
User assigned managed identities When creating user assigned managed identities, only
alphanumeric characters (0-9, a-z, A-Z) and the
hyphen (-) are supported. Additionally, the name
should be limited to 24 characters in length for the
assignment to VM/VMSS to work properly.
If using the managed identity virtual machine
extension, the supported limit is 32 user assigned
managed identities. Without the managed identity
virtual machine extension, the supported limit is 512
user assigned identities.
See also
Understanding Azure Limits and Increases
Virtual Machine and Cloud Service Sizes for Azure
Sizes for Cloud Services