Azure VPN Gateway-P2S VPN

Azure VPN Gateway is a service for sending encrypted traffic between Azure virtual networks and on-premises locations over the public Internet. It supports multiple connection configurations such as site-to-site, point-to-site, and VNet-to-VNet, and requires a specific subnet named GatewaySubnet for deployment. The document provides detailed steps for creating a virtual network, configuring a VPN gateway, and managing its settings through the Azure portal.

Uploaded by itsdreamhackr

Azure VPN Gateway

Azure VPN Gateway is a service that can be used to send encrypted traffic between an Azure virtual network
and on-premises locations over the public Internet. You can also use VPN Gateway to send encrypted traffic
between Azure virtual networks over the Microsoft network. VPN Gateway uses a specific type of Azure
virtual network gateway called a VPN gateway. Multiple connections can be created to the same VPN gateway.
When you create multiple connections, all VPN tunnels share the available gateway bandwidth.

Because you can create multiple connection configurations using VPN Gateway, you need to determine which
configuration best fits your needs. Point-to-site, site-to-site, and coexisting ExpressRoute/site-to-site
connections all have different instructions and resource configuration requirements. The following sections of
the article highlight some of the design topologies that are most often used.

• Site-to-site VPN connections

• Point-to-site VPN connections

• VNet-to-VNet VPN connections

Gateway SKUs
When you create a virtual network gateway, you specify the gateway SKU that you want to use. Select the SKU
that satisfies your requirements based on the types of workloads, throughputs, features, and SLAs.

Create and manage a VPN gateway using the Azure portal


In this lab, you learn how to:

• Create a virtual network.

• Create an active-active mode zone-redundant VPN gateway.

• View the gateway public IP address.

• Resize a VPN gateway (resize SKU).

• Reset a VPN gateway.

Create a virtual network using the following example values:

• Resource group: TestRG1

• Name: VNet1

• Region: (US) East US (or region of your choosing)

• IPv4 address space: 10.1.0.0/16

• Subnet name: Use the default name, or specify a name. Example: FrontEnd

• Subnet address space: 10.1.0.0/24


Create a virtual network using the following steps:
1. Sign in to the Azure portal.

2. In Search resources, services, and docs (G+/) at the top of the portal page, enter virtual network.
Select Virtual network from the Marketplace search results to open the Virtual network page.

3. On the Virtual network page, select Create to open the Create virtual network page.

4. On the Basics tab, configure the virtual network settings for Project details and Instance details. You
see a green check mark when the values you enter are validated. You can adjust the values shown in
the example according to the settings that you require.

• Subscription: Verify that the subscription listed is the correct one. You can change
subscriptions by using the dropdown box.
• Resource group: Select an existing resource group or select Create new to create a
new one. For more information about resource groups, see Azure Resource Manager
overview.
• Name: Enter the name for your virtual network.
• Region: Select the location for your virtual network. The location determines where
the resources that you deploy to this virtual network will reside.

5. Select Next or Security to go to the Security tab. For this exercise, leave the default values for all the
services on this page.

6. Select IP Addresses to go to the IP Addresses tab. On the IP Addresses tab, configure the settings.

• IPv4 address space: By default, an address space is automatically created. You can select the
address space and adjust it to reflect your own values. You can also add a different address
space and remove the default that was automatically created. For example, you can specify
the starting address as 10.1.0.0 and specify the address space size as /16. Then select Add to
add that address space.
• + Add subnet: If you use the default address space, a default subnet is created automatically.
If you change the address space, add a new subnet within that address space. Select + Add
subnet to open the Add subnet window. Configure the following settings, and then
select Add at the bottom of the page to add the values.
• Subnet name: You can use the default, or specify the name. Example: FrontEnd.
• Subnet address range: The address range for this subnet. Examples are 10.1.0.0 and /24.

7. Review the IP addresses page and remove any address spaces or subnets that you don't need.

8. Select Review + create to validate the virtual network settings.

9. After the settings are validated, select Create to create the virtual network.

After you create your virtual network, you can optionally configure Azure DDoS Protection. Protection is
simple to enable on any new or existing virtual network, and it requires no application or resource
changes.

Create a gateway subnet
Virtual network gateway resources are deployed to a specific subnet named GatewaySubnet. The
gateway subnet is part of the virtual network IP address range that you specify when you configure your
virtual network. If you don't have a subnet named GatewaySubnet, when you create your VPN gateway, it
fails. We recommend that you create a gateway subnet that uses a /27 (or larger).

1. On the page for your virtual network, on the left pane, select Subnets to open the Subnets page.

2. At the top of the page, select + Gateway subnet to open the Add subnet pane.

3. The name is automatically entered as GatewaySubnet. Adjust the IP address range value, if necessary.
An example is 10.1.255.0/27.

4. Don't adjust the other values on the page. Select Save at the bottom of the page to save the subnet.

Create a VPN gateway


Create the virtual network gateway (VPN gateway) for your virtual network. Creating a gateway can often take
45 minutes or more, depending on the selected gateway SKU.

Create a gateway using the following values:

• Name: VNet1GW

• Gateway type: VPN

• SKU: VpnGw2AZ

• Generation: Generation 2

• Virtual network: VNet1

• Gateway subnet address range: 10.1.255.0/27

• Public IP address: Create new

• Public IP address name: VNet1GWpip1

• Public IP address SKU: Standard

• Assignment: Static

• Second Public IP address name: VNet1GWpip2

Create a gateway using the following steps:


1. In Search resources, services, and docs (G+/), enter virtual network gateway. Locate Virtual network
gateway in the Marketplace search results and select it to open the Create virtual network
gateway page.

2. On the Basics tab, fill in the values for Project details and Instance details.
• Subscription: Select the subscription you want to use from the dropdown list.
• Resource group: This value is autofilled when you select your virtual network
on this page.
• Name: This is the name of the gateway object you're creating. This is different
than the gateway subnet to which gateway resources will be deployed.
• Region: Select the region in which you want to create this resource. The region
for the gateway must be the same as the virtual network.
• Gateway type: Select VPN. VPN gateways use the virtual network gateway
type VPN.
• SKU: From the dropdown list, select a gateway SKU that supports the features
you want to use.

o We recommend that you select a SKU that ends in AZ when possible. AZ SKUs
support availability zones.
o The Basic SKU isn't available in the portal. To configure a Basic SKU gateway,
you must use PowerShell or CLI.
• Generation: Select Generation2 from the dropdown.
• Virtual network: From the dropdown list, select the virtual network to which you
want to add this gateway. If you can't see the virtual network you want to use, make
sure you selected the correct subscription and region in the previous settings.
• Gateway subnet address range or Subnet: The gateway subnet is required to create
a VPN gateway.

Currently, this field can show different settings options, depending on the virtual
network address space and whether you already created a subnet
named GatewaySubnet for your virtual network.

If you don't have a gateway subnet and you don't see the option to create one
on this page, go back to your virtual network and create the gateway subnet.
Then, return to this page and configure the VPN gateway.

3. Specify the values for Public IP address. These settings specify the public IP address objects that will
be associated to the VPN gateway. A public IP address is assigned to each public IP address object
when the VPN gateway is created. The only time the assigned public IP address changes is when the
gateway is deleted and re-created. IP addresses don't change across resizing, resetting, or other
internal maintenance/upgrades of your VPN gateway.

• Public IP address type: If this option appears, select Standard.

• Public IP address: Leave Create new selected.

• Public IP address name: In the text box, enter a name for your public IP address instance.

• Public IP address SKU: Setting is autoselected to Standard SKU.


• Assignment: The assignment is typically autoselected and should be Static.

• Availability zone: This setting is available for AZ gateway SKUs in regions that
support availability zones. Select Zone-redundant, unless you know you want to specify a
zone.

• Enable active-active mode: We recommend that you select Enabled to take advantage of the
benefits of an active-active mode gateway. If you plan to use this gateway for a site-to-site
connection, take into consideration the following:

o Verify the active-active design that you want to use. Connections with your on-
premises VPN device must be configured specifically to take advantage of active-
active mode.

o Some VPN devices don't support active-active mode. If you're not sure, check with
your VPN device vendor. If you're using a VPN device that doesn't support active-
active mode, you can select Disabled for this setting.

• Second public IP address: Select Create new. This is available only if you selected Enabled for
the Enable active-active mode setting.

• Public IP address name: In the text box, enter a name for your public IP address instance.

• Public IP address SKU: Setting is autoselected to Standard SKU.

• Availability zone: Select Zone-redundant, unless you know you want to specify a zone.

• Configure BGP: Select Disabled unless your configuration specifically requires this setting. If
you do require this setting, the default ASN is 65515, although this value can be changed.

• Enable Key Vault Access: Select Disabled unless your configuration specifically requires this
setting.

4. Select Review + create to run validation.

5. After validation passes, select Create to deploy the VPN gateway.

A gateway can take 45 minutes or more to fully create and deploy. You can see the deployment status on
the Overview page for your gateway. After the gateway is created, you can view the IP address assigned to it
by looking at the virtual network in the portal.

View public IP address


To view public IP addresses associated to your virtual network gateway, navigate to your gateway in the
portal.

1. On the portal page for your virtual network gateway, under Settings, open the Properties page.

2. To view more information about the IP address object, click the associated IP address link.

Resize a gateway SKU


There are specific rules for resizing versus changing a gateway SKU. In this section, you resize the SKU. For
more information, see Resize or change gateway SKUs.

The basic steps are:

1. Go to the Configuration page for your virtual network gateway.

2. On the right side of the page, select the dropdown arrow to show a list of available SKUs. Notice that
the list only populates SKUs that you're able to use to resize your current SKU. If you don't see the
SKU you want to use, instead of resizing, you have to change to a new SKU.

3. Select the SKU from the dropdown list and save your changes.

Reset a gateway

Gateway resets behave differently, depending on your gateway configuration. For more information, see Reset
a VPN gateway or a connection.

The basic steps are:

1. In the portal, go to the virtual network gateway that you want to reset.

2. On the Virtual network gateway page, in the left pane, scroll and locate Help -> Reset.

3. On the Reset page, select Reset. After the command is issued, the current active instance of Azure
VPN gateway is rebooted immediately. Resetting the gateway causes a gap in VPN connectivity and
might limit future root cause analysis of the issue.
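The same lab driven from Az PowerShell instead of the portal, as an added example that is not part of the original document or of Microsoft's documentation. It assumes the Az.Network module is installed, Connect-AzAccount has already been run, and the subscription has quota in East US. Resource names are the lab's (TestRG1, VNet1, VNet1GW, VNet1GWpip1, VNet1GWpip2); the IP configuration names gwipconf1 and gwipconf2 and the VpnGw3AZ resize target are assumptions made for the example.

```powershell
# Added example (not from the original lab): Az PowerShell equivalent of the portal steps above.
# Assumes Az.Network is installed and Connect-AzAccount has been run.
$rg       = 'TestRG1'
$location = 'EastUS'

# 1. Resource group and virtual network with the FrontEnd subnet and the GatewaySubnet.
#    The name GatewaySubnet is mandatory; a /27 (or larger) leaves room for the gateway instances.
New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null
$frontEnd = New-AzVirtualNetworkSubnetConfig -Name 'FrontEnd'      -AddressPrefix '10.1.0.0/24'
$gwSubnet = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.1.255.0/27'
$vnet = New-AzVirtualNetwork -Name 'VNet1' -ResourceGroupName $rg -Location $location `
    -AddressPrefix '10.1.0.0/16' -Subnet $frontEnd, $gwSubnet

# 2. Two Standard, static public IPs spanning zones 1-3. For AZ SKUs the gateway is
#    zone-redundant because its public IPs are; active-active needs one IP per gateway VM.
$pip1 = New-AzPublicIpAddress -Name 'VNet1GWpip1' -ResourceGroupName $rg -Location $location `
    -Sku Standard -AllocationMethod Static -Zone 1, 2, 3
$pip2 = New-AzPublicIpAddress -Name 'VNet1GWpip2' -ResourceGroupName $rg -Location $location `
    -Sku Standard -AllocationMethod Static -Zone 1, 2, 3

# 3. One IP configuration per gateway instance, both bound to the GatewaySubnet
#    (gwipconf1/gwipconf2 are names chosen for this example).
$subnetId = (Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet).Id
$ipConf1 = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconf1' -SubnetId $subnetId -PublicIpAddressId $pip1.Id
$ipConf2 = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconf2' -SubnetId $subnetId -PublicIpAddressId $pip2.Id

# 4. Route-based VpnGw2AZ Generation2 gateway in active-active mode. Expect 45 minutes or more.
$gw = New-AzVirtualNetworkGateway -Name 'VNet1GW' -ResourceGroupName $rg -Location $location `
    -IpConfigurations $ipConf1, $ipConf2 -GatewayType Vpn -VpnType RouteBased `
    -GatewaySku VpnGw2AZ -VpnGatewayGeneration Generation2 -EnableActiveActiveFeature

# 5. View the public IP addresses (the portal's Properties page). Both are needed later
#    when an on-premises device is configured against an active-active gateway.
Get-AzPublicIpAddress -ResourceGroupName $rg |
    Where-Object { $_.Name -like 'VNet1GWpip*' } |
    Select-Object Name, IpAddress

# 6. Resize the SKU. Only SKUs that the current SKU can be resized to are accepted here;
#    anything else is a SKU change, which means deploying a new gateway. VpnGw3AZ is an
#    example target, not a value from the lab.
$gw = Resize-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -GatewaySku VpnGw3AZ

# 7. Reset the active instance. This interrupts every tunnel on the gateway and discards
#    state that might have explained the fault, so collect diagnostics before resetting.
Reset-AzVirtualNetworkGateway -VirtualNetworkGateway $gw
```

The public IP addresses survive steps 6 and 7; they change only if the gateway is deleted and re-created. Note that, as the document states later, associating a network security group with GatewaySubnet is not supported, so the script deliberately creates that subnet without one.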

Create a site-to-site VPN connection


In this tutorial, you:

• Create a virtual network.

• Create a VPN gateway.

• Create a local network gateway.

• Create a VPN connection.

• Verify the connection.

• Connect to a virtual machine.

Create a virtual network


In this section, you create a virtual network by using the following values:

• Resource group: TestRG1

• Name: VNet1

• Region: (US) East US


• IPv4 address space: 10.1.0.0/16

• Subnet name: FrontEnd

• Subnet address space:

Steps to create a virtual network

1. Sign in to the Azure portal.

2. In Search resources, services, and docs (G+/) at the top of the portal page, enter virtual network.
Select Virtual network from the Marketplace search results to open the Virtual network page.

3. On the Virtual network page, select Create to open the Create virtual network page.

4. On the Basics tab, configure the virtual network settings for Project details and Instance details. You
see a green check mark when the values you enter are validated. You can adjust the values shown in
the example according to the settings that you require.

• Subscription: Verify that the subscription listed is the correct one. You can change
subscriptions by using the dropdown box.
• Resource group: Select an existing resource group or select Create new to create a
new one. For more information about resource groups, see Azure Resource Manager
overview.
• Name: Enter the name for your virtual network.
• Region: Select the location for your virtual network. The location determines where
the resources that you deploy to this virtual network will reside.

5. Select Next or Security to go to the Security tab. For this exercise, leave the default values for all the
services on this page.

6. Select IP Addresses to go to the IP Addresses tab. On the IP Addresses tab, configure the settings.

• IPv4 address space: By default, an address space is automatically created. You can select the
address space and adjust it to reflect your own values. You can also add a different address
space and remove the default that was automatically created. For example, you can specify
the starting address as 10.1.0.0 and specify the address space size as /16. Then select Add to
add that address space.

• + Add subnet: If you use the default address space, a default subnet is created automatically.
If you change the address space, add a new subnet within that address space. Select + Add
subnet to open the Add subnet window. Configure the following settings, and then
select Add at the bottom of the page to add the values.

o Subnet name: You can use the default, or specify the name. Example: FrontEnd.

o Subnet address range: The address range for this subnet. Examples
are 10.1.0.0 and /24.

7. Review the IP addresses page and remove any address spaces or subnets that you don't need.

8. Select Review + create to validate the virtual network settings.


9. After the settings are validated, select Create to create the virtual network.

After you create your virtual network, you can optionally configure Azure DDoS Protection. Azure DDoS
Protection is simple to enable on any new or existing virtual network, and it requires no application or
resource changes.

Create a gateway subnet


The virtual network gateway requires a specific subnet named GatewaySubnet. The gateway subnet is part of
the IP address range for your virtual network and contains the IP addresses that the virtual network gateway
resources and services use. The number of IP addresses needed depends on the VPN gateway configuration
that you want to create.

1. On the page for your virtual network, on the left pane, select Subnets to open the Subnets page.

2. At the top of the page, select + Gateway subnet to open the Add subnet pane.

3. The name is automatically entered as GatewaySubnet. Adjust the IP address range value, if necessary.
An example is 10.1.255.0/27.

4. Don't adjust the other values on the page. Select Save at the bottom of the page to save the subnet.

Network security groups (NSGs) on the gateway subnet are not supported. Associating a network security
group to this subnet might cause your virtual network gateway (VPN and ExpressRoute gateways) to stop
functioning as expected.

Create a VPN gateway

Create a virtual network gateway (VPN gateway) by using the following values:

• Name: VNet1GW

• Gateway type: VPN

• SKU: VpnGw2AZ

• Generation: Generation 2

• Virtual network: VNet1

• Gateway subnet address range: 10.1.255.0/27

• Public IP address: Create new

• Public IP address name: VNet1GWpip1

• Public IP address SKU: Standard

• Assignment: Static

• Second Public IP address name: VNet1GWpip2

• Enable active-active mode: Enabled


• Configure BGP: Disabled

1. In Search resources, services, and docs (G+/), enter virtual network gateway. Locate Virtual network
gateway in the Marketplace search results and select it to open the Create virtual network
gateway page.

2. On the Basics tab, fill in the values for Project details and Instance details.

• Subscription: Select the subscription you want to use from the dropdown list.

• Resource group: This value is autofilled when you select your virtual network on this page.

• Name: This is the name of the gateway object you're creating. This is different than the
gateway subnet to which gateway resources will be deployed.

• Region: Select the region in which you want to create this resource. The region for the
gateway must be the same as the virtual network.

• Gateway type: Select VPN. VPN gateways use the virtual network gateway type VPN.

• SKU: From the dropdown list, select a gateway SKU that supports the features you want to
use.

o We recommend that you select a SKU that ends in AZ when possible. AZ SKUs
support availability zones.

o The Basic SKU isn't available in the portal. To configure a Basic SKU gateway, you must
use PowerShell or CLI.

• Generation: Select Generation2 from the dropdown.

• Virtual network: From the dropdown list, select the virtual network to which you want to add
this gateway. If you can't see the virtual network you want to use, make sure you selected the
correct subscription and region in the previous settings.

• Gateway subnet address range or Subnet: The gateway subnet is required to create a VPN
gateway.

Currently, this field can show different settings options, depending on the virtual network address
space and whether you already created a subnet named GatewaySubnet for your virtual network.

If you don't have a gateway subnet and you don't see the option to create one on this page, go back
to your virtual network and create the gateway subnet. Then, return to this page and configure the
VPN gateway.

3. Specify the values for Public IP address. These settings specify the public IP address objects that will
be associated to the VPN gateway. A public IP address is assigned to each public IP address object
when the VPN gateway is created. The only time the assigned public IP address changes is when the
gateway is deleted and re-created. IP addresses don't change across resizing, resetting, or other
internal maintenance/upgrades of your VPN gateway.

o Public IP address type: If this option appears, select Standard.


o Public IP address: Leave Create new selected.
o Public IP address name: In the text box, enter a name for your public IP
address instance.
o Public IP address SKU: Setting is autoselected to Standard SKU.
o Assignment: The assignment is typically autoselected and should be Static.
o Availability zone: This setting is available for AZ gateway SKUs in regions that
support availability zones. Select Zone-redundant, unless you know you want
to specify a zone.
o Enable active-active mode: We recommend that you select Enabled to take
advantage of the benefits of an active-active mode gateway. If you plan to use
this gateway for a site-to-site connection, take into consideration the
following:
▪ Verify the active-active design that you want to use. Connections with your on-
premises VPN device must be configured specifically to take advantage of
active-active mode.
▪ Some VPN devices don't support active-active mode. If you're not sure, check
with your VPN device vendor. If you're using a VPN device that doesn't
support active-active mode, you can select Disabled for this setting.
o Second public IP address: Select Create new. This is available only if you
selected Enabled for the Enable active-active mode setting.
o Public IP address name: In the text box, enter a name for your public IP
address instance.
o Public IP address SKU: Setting is autoselected to Standard SKU.
o Availability zone: Select Zone-redundant, unless you know you want to
specify a zone.
o Configure BGP: Select Disabled unless your configuration specifically requires
this setting. If you do require this setting, the default ASN is 65515, although
this value can be changed.
o Enable Key Vault Access: Select Disabled unless your configuration
specifically requires this setting.
4. Select Review + create to run validation.
5. After validation passes, select Create to deploy the VPN gateway.

View public IP address

To view the IP address associated with each virtual network gateway VM instance, go to your
virtual network gateway in the portal.

1. Go to your virtual network gateway Properties page (not the Overview page). You
might need to expand Settings to see the Properties page in the list.
2. If your gateway is in active-passive mode, you'll only see one IP address. If your gateway
is in active-active mode, you'll see two public IP addresses listed, one for each
gateway VM instance. When you create a site-to-site connection, you must specify
each IP address when configuring your VPN device because both gateway VMs are
active.
3. To view more information about the IP address object, click the associated IP address
link.

Create a local network gateway

The local network gateway is a specific object deployed to Azure that represents your on-
premises location (the site) for routing purposes. You give the site a name by which Azure
can refer to it, and then specify the IP address of the on-premises VPN device to which you
create a connection. You also specify the IP address prefixes that are routed through the
VPN gateway to the VPN device. The address prefixes you specify are the prefixes located on
your on-premises network. If your on-premises network changes or you need to change the
public IP address for the VPN device, you can easily update the values later. You create a
separate local network gateway for each VPN device that you want to connect to. Some
highly available connectivity designs specify multiple on-premises VPN devices.

Create a local network gateway by using the following values:

• Name: Site1
• Resource Group: TestRG1
• Location: East US

Configuration considerations:

• VPN Gateway supports only one IPv4 address for each FQDN. If the domain name
resolves to multiple IP addresses, VPN Gateway uses the first IP address returned by
the DNS servers. To eliminate the uncertainty, we recommend that your FQDN always
resolve to a single IPv4 address. IPv6 isn't supported.
• VPN Gateway maintains a DNS cache that's refreshed every 5 minutes. The gateway
tries to resolve the FQDNs for disconnected tunnels only. Resetting the gateway also
triggers FQDN resolution.
• Although VPN Gateway supports multiple connections to different local network
gateways with different FQDNs, all FQDNs must resolve to different IP addresses.

1. In the portal, go to Local network gateways and open the Create local network
gateway page.
2. On the Basics tab, specify the values for your local network gateway.
• Subscription: Verify that the correct subscription is showing.
• Resource group: Select the resource group that you want to use. You can
either create a new resource group or select one that you've already created.
• Region: Select the region for this object. You might want to select the same
location where your virtual network resides, but you aren't required to do so.
• Name: Specify a name for your local network gateway object.
• Endpoint: Select the endpoint type for the on-premises VPN device as IP
address or FQDN (Fully Qualified Domain Name).
o IP address: If you have a static public IP address allocated from your
internet service provider (ISP) for your VPN device, select the IP address
option. Fill in the IP address as shown in the example. This address is the
public IP address of the VPN device that you want Azure VPN Gateway
to connect to. If you don't have the IP address right now, you can use
the values shown in the example. Later, you must go back and replace
your placeholder IP address with the public IP address of your VPN
device. Otherwise, Azure can't connect.
o FQDN: If you have a dynamic public IP address that could change after
a certain period of time, often determined by your ISP, you can use a
constant DNS name with a Dynamic DNS service to point to your
current public IP address of your VPN device. Your Azure VPN gateway
resolves the FQDN to determine the public IP address to connect to.
• Address space: The address space refers to the address ranges for the network
that this local network represents. You can add multiple address space ranges.
Make sure that the ranges you specify here don't overlap with ranges of other
networks that you want to connect to. Azure routes the address range that you
specify to the on-premises VPN device IP address. Use your own values here if
you want to connect to your on-premises site, not the values shown in the
example.

3. On the Advanced tab, you can configure BGP settings, if needed.


4. After you specify the values, select Review + create at the bottom of the page to
validate the page.
5. Select Create to create the local network gateway object.

Configure your VPN device

Site-to-site connections to an on-premises network require a VPN device. In this step, you
configure your VPN device. When you configure your VPN device, you need the following
values:
• Shared key: This shared key is the same one that you specify when you create your
site-to-site VPN connection. In our examples, we use a simple shared key. We
recommend that you generate a more complex key to use.
• Public IP addresses of your virtual network gateway instances: Obtain the IP
address for each VM instance. If your gateway is in active-active mode, you'll have an
IP address for each gateway VM instance. Be sure to configure your device with both
IP addresses, one for each active gateway VM. Active-standby mode gateways have
only one IP address.

Depending on the VPN device that you have, you might be able to download a VPN device
configuration script. For more information, see Download VPN device configuration scripts.

For more configuration information, see the following links:

• For information about compatible VPN devices, see VPN devices.


• Before you configure your VPN device, check for any Known device compatibility
issues for the VPN device that you want to use.
• For links to device configuration settings, see Validated VPN devices. The device
configuration links are provided on a best-effort basis. It's always best to check with
your device manufacturer for the latest configuration information. The list shows the
versions we've tested. If your OS isn't on that list, it's still possible that the version is
compatible. Check with your device manufacturer to verify that the OS version for
your VPN device is compatible.
• For an overview of VPN device configuration, see Overview of third-party VPN device
configurations.
• For information about editing device configuration samples, see Editing samples.
• For cryptographic requirements, see About cryptographic requirements and Azure
VPN gateways.
• For information about IPsec/IKE parameters, see About VPN devices and IPsec/IKE
parameters for site-to-site VPN gateway connections. This link shows information
about IKE version, Diffie-Hellman Group, authentication method, encryption and
hashing algorithms, SA lifetime, PFS, and DPD, in addition to other parameter
information that you need to complete your configuration.
• For IPsec/IKE policy configuration steps, see Configure IPsec/IKE policy for site-to-site
VPN or VNet-to-VNet connections.
• To connect multiple policy-based VPN devices, see Connect Azure VPN gateways to
multiple on-premises policy-based VPN devices using PowerShell.

Create VPN connections


Create a site-to-site VPN connection between your virtual network gateway and your on-
premises VPN device. If you're using an active-active mode gateway (recommended), each
gateway VM instance has a separate IP address. To properly configure highly available
connectivity, you must establish a tunnel between each VM instance and your VPN device.
Both tunnels are part of the same connection.

Create a connection by using the following values:

• Local network gateway name: Site1


• Connection name: VNet1toSite1
• Shared key: For this example, you use abc123. But you can use whatever is
compatible with your VPN hardware. The important thing is that the values match on
both sides of the connection.

1. In the portal, go to the virtual network gateway and open it.


2. On the page for the gateway, select Connections.
3. At the top of the Connections page, select + Add to open the Create
connection page.
4. On the Create connection page, on the Basics tab, configure the values for your
connection:

• Under Project details, select the subscription and the resource group where
your resources are located.
• Under Instance details, configure the following settings:
o Connection type: Select Site-to-site (IPSec).
o Name: Name your connection.
o Region: Select the region for this connection.

5. Select the Settings tab and configure the following values:

• Virtual network gateway: Select the virtual network gateway from the dropdown list.
• Local network gateway: Select the local network gateway from the dropdown list.
• Shared key: The value here must match the value that you're using for your local on-
premises VPN device. If this field doesn't appear on your portal page, or you want to
later update this key, you can do so once the connection object is created. Go to the
connection object you created (example name: VNet1toSite1) and update the key on
the Authentication page.
• IKE Protocol: Select IKEv2.
• Use Azure Private IP Address: Don't select.
• Enable BGP: Don't select.
• FastPath: Don't select.
• IPsec/IKE policy: Select Default.
• Use policy based traffic selector: Select Disable.
• DPD timeout in seconds: Select 45.
• Connection Mode: Select Default. This setting is used to specify which gateway can
initiate the connection. For more information, see VPN Gateway settings - Connection
modes.

6. For NAT Rules Associations, leave both Ingress and Egress as 0 selected.
7. Select Review + create to validate your connection settings.
8. Select Create to create the connection.
9. After the deployment is finished, you can view the connection on
the Connections page of the virtual network gateway. The status changes
from Unknown to Connecting and then to Succeeded.

Configure more connection settings (optional)

You can configure more settings for your connection, if necessary. Otherwise, skip this
section and leave the defaults in place. For more information, see Configure custom
IPsec/IKE connection policies.

1. Go to your virtual network gateway and select Connections to open
the Connections page.
2. Select the name of the connection you want to configure to open
the Connection page.
3. On the left side of the Connection page, select Configuration to open
the Configuration page. Make any necessary changes and then select Save.

In the following screenshots, the settings are enabled so that you can see the configuration
settings that are available in the portal. Select the screenshot to see the expanded view.
When you configure your connections, only configure the settings that you require.
Otherwise, leave the default settings in place.

Optional steps

Reset a gateway

Resetting an Azure VPN gateway is helpful if you lose cross-premises VPN connectivity on
one or more site-to-site VPN tunnels. In this situation, your on-premises VPN devices are all
working correctly but aren't able to establish IPsec tunnels with the Azure VPN gateways. If
you need to reset an active-active gateway, you can reset both instances using the portal.
You can also use PowerShell or CLI to reset each gateway instance separately using instance
VIPs. For more information, see Reset a connection or a gateway.

1. In the portal, go to the virtual network gateway that you want to reset.
2. On the Virtual network gateway page, in the left pane, scroll and locate Help ->
Reset.
3. On the Reset page, select Reset. After the command is issued, the current active
instance of Azure VPN gateway is rebooted immediately. Resetting the gateway
causes a gap in VPN connectivity and might limit future root cause analysis of the
issue.

Add another connection

A gateway can have multiple connections. If you want to configure connections to multiple
on-premises sites from the same VPN gateway, the address spaces can't overlap between
any of the connections.

1. If you're connecting using a site-to-site VPN and you don't have a local network
gateway for the site you want to connect to, create another local network gateway
and specify the site details. For more information, see Create a local network gateway.
2. To add a connection, go to the VPN gateway and then select Connections to open
the Connections page.
3. Select + Add to add your connection. Adjust the connection type to reflect either
VNet-to-VNet (if connecting to another virtual network gateway) or site-to-site.
4. Specify the shared key that you want to use and then select OK to create the
connection.

Update a connection shared key

You can specify a different shared key for your connection.

1. In the portal, go to the connection.
2. Change the shared key on the Authentication page.
3. Save your changes.
4. Update your VPN device with the new shared key as necessary.

Resize or change a gateway SKU

You can resize a gateway SKU, or you can change the gateway SKU. There are specific rules
regarding which option is available, depending on the SKU your gateway is currently using.
For more information, see Resize or change gateway SKUs.

More configuration considerations

You can customize site-to-site configurations in various ways. For more information, see the
following articles:

• For information about BGP, see the BGP overview and How to configure BGP.
• For information about forced tunneling, see About forced tunneling.
• For information about highly available active-active connections, see Highly available
cross-premises and VNet-to-VNet connectivity.
• For information about how to limit network traffic to resources in a virtual network,
see Network security.
• For information about how Azure routes traffic between Azure, on-premises, and
internet resources, see Virtual network traffic routing.

Point-to-site VPN
A point-to-site (P2S) VPN gateway connection lets you create a secure connection to your
virtual network from an individual client computer. A point-to-site connection is established
by starting it from the client computer. Point-to-site VPN is also a useful solution to use
instead of site-to-site VPN when you have only a few clients that need to connect to a virtual
network. Unlike site-to-site connections, point-to-site connections don't require an on-
premises public-facing IP address or a VPN device. Point-to-site connections can be used
with site-to-site connections through the same VPN gateway, as long as all the configuration
requirements for both connections are compatible.

Deployment models and methods for P2S

Authentication method   Article
Certificate             Tutorial, How-to
Microsoft Entra ID      How-to
RADIUS                  How-to

P2S VPN client configuration

Authentication       Tunnel type   Client OS   VPN client
Certificate          IKEv2, SSTP   Windows     Native VPN client
                     IKEv2         macOS       Native VPN client
                     IKEv2         Linux       strongSwan
                     OpenVPN       Windows     Azure VPN client; OpenVPN client version 2.x; OpenVPN client version 3.x
                     OpenVPN       macOS       OpenVPN client
                     OpenVPN       iOS         OpenVPN client
                     OpenVPN       Linux       Azure VPN Client; OpenVPN client
Microsoft Entra ID   OpenVPN       Windows     Azure VPN client
                     OpenVPN       macOS       Azure VPN Client
                     OpenVPN       Linux       Azure VPN Client

Configure server settings for P2S VPN Gateway certificate authentication

Configure the necessary VPN Gateway point-to-site (P2S) server settings to let you securely
connect individual clients running Windows, Linux, or macOS to an Azure virtual network
(VNet). P2S VPN connections are useful when you want to connect to your virtual network
from a remote location, such as when you're telecommuting from home or a conference.
You can also use P2S instead of a site-to-site (S2S) VPN when you have only a few clients
that need to connect to a virtual network. P2S connections don't require a VPN device or a
public-facing IP address. There are various configuration options available for P2S.

P2S Azure certificate authentication connections use the following items:

• A route-based VPN gateway (not policy-based). For more information about VPN
type, see VPN Gateway settings.
• The public key (.cer file) for a root certificate, which is uploaded to Azure. Once the
certificate is uploaded, it's considered a trusted certificate and is used for
authentication.
• A client certificate that is generated from the root certificate. The client certificate
is installed on each client computer that will connect to the VNet. This certificate is
used for client authentication.
• VPN client configuration files. The VPN client is configured using VPN client
configuration files. These files contain the necessary information for the client to
connect to the VNet. Each client that connects must be configured using the settings
in the configuration files.
Generate certificates

Certificates are used by Azure to authenticate clients connecting to a virtual network over a
point-to-site VPN connection. Once you obtain a root certificate, you upload the public key
information to Azure. The root certificate is then considered 'trusted' by Azure for
connection over P2S to the virtual network. You also generate client certificates from the
trusted root certificate, and then install them on each client computer. The client certificate
is used to authenticate the client when it initiates a connection to the virtual network. The
root certificate must be generated and extracted before you configure the point-to-site
gateway settings.

Generate a root certificate

Obtain the .cer file for the root certificate. You can use either a root certificate that was
generated with an enterprise solution (recommended), or generate a self-signed certificate.
After you create the root certificate, export the public certificate data (not the private key) as
a Base64 encoded X.509 .cer file. You upload this file later to Azure.

• Enterprise certificate: If you're using an enterprise solution, you can use your
existing certificate chain. Acquire the .cer file for the root certificate that you want to
use.
• Self-signed root certificate: If you aren't using an enterprise certificate solution,
create a self-signed root certificate. Otherwise, the certificates you create won't be
compatible with your P2S connections and clients receive a connection error when
they try to connect. You can use Azure PowerShell, MakeCert, or OpenSSL. The steps
in the following articles describe how to generate a compatible self-signed root
certificate:
o PowerShell instructions for Windows 10 or later: These instructions require
PowerShell on a computer running Windows 10 or later. Client certificates that
are generated from the root certificate can be installed on any supported P2S
client.
o MakeCert instructions: Use MakeCert to generate certificates if you don't have
access to a computer running Windows 10 or later. Although MakeCert is
deprecated, you can still use it to generate certificates. Client certificates that
you generate from the root certificate can be installed on any supported P2S
client.
o Linux - OpenSSL instructions
o Linux - strongSwan instructions

Generate client certificates


Each client computer that you connect to a VNet with a point-to-site connection must have
a client certificate installed. You generate it from the root certificate and install it on each
client computer. If you don't install a valid client certificate, authentication will fail when the
client tries to connect to the VNet.

You can either generate a unique certificate for each client, or you can use the same
certificate for multiple clients. The advantage to generating unique client certificates is the
ability to revoke a single certificate. Otherwise, if multiple clients use the same client
certificate to authenticate and you revoke it, you'll need to generate and install new
certificates for every client that uses that certificate.

You can generate client certificates by using the following methods:

• Enterprise certificate:
o If you're using an enterprise certificate solution, generate a client certificate
with the common name value format name@yourdomain.com. Use this format
instead of the domain name\username format.
o Make sure the client certificate is based on a user certificate template that
has Client Authentication listed as the first item in the user list. Check the
certificate by double-clicking it and viewing Enhanced Key Usage in
the Details tab.
• Self-signed root certificate: Follow the steps in one of the following P2S certificate
articles so that the client certificates you create will be compatible with your P2S
connections.

When you generate a client certificate from a self-signed root certificate, it's automatically
installed on the computer that you used to generate it. If you want to install a client
certificate on another client computer, export it as a .pfx file, along with the entire certificate
chain. Doing so will create a .pfx file that contains the root certificate information required
for the client to authenticate.

The steps in these articles generate a compatible client certificate, which you can then export
and distribute.

o Windows 10 or later PowerShell instructions: These instructions require
Windows 10 or later, and PowerShell to generate certificates. The generated
certificates can be installed on any supported P2S client.
o MakeCert instructions: Use MakeCert if you don't have access to a Windows 10
or later computer for generating certificates. Although MakeCert is deprecated,
you can still use it to generate certificates. You can install the generated
certificates on any supported P2S client.
o Linux: See strongSwan or OpenSSL instructions.

Add the VPN client address pool

The client address pool is a range of private IP addresses that you specify. The clients that
connect over a point-to-site VPN dynamically receive an IP address from this range. Use a
private IP address range that doesn't overlap with the on-premises location that you connect
from, or the VNet that you want to connect to. If you configure multiple protocols and SSTP
is one of the protocols, then the configured address pool is split between the configured
protocols equally.

1. In the Azure portal, go to your VPN gateway.
2. On the page for your gateway, in the left pane, select Point-to-site configuration.
3. Click Configure now to open the configuration page.
4. On the Point-to-site configuration page, in the Address pool box, add the private
IP address range that you want to use. VPN clients dynamically receive an IP address
from the range that you specify. The minimum subnet mask is 29 bit for
active/passive and 28 bit for active/active configuration.
5. Continue to the next section to configure more settings.
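The address pool rules above (a private range, no overlap with on-premises or VNet prefixes, a mask no longer than /29 for active/passive or /28 for active/active, and an equal split between protocols when SSTP is configured) as a pre-flight check script; this is an added example, not part of the article. The gateway mode names active-passive and active-active and the sample prefixes are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not from the article: validates a P2S client address pool
# against the constraints the text states, before it is entered in the portal.

# ip4_to_int A.B.C.D -> decimal value of the address (runs in a subshell so
# the IFS change does not leak)
ip4_to_int() (
  IFS=.
  set -- $1
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# cidr_bounds A.B.C.D/N -> "first last" addresses of the block as integers
cidr_bounds() {
  cb_ip=${1%/*}; cb_len=${1#*/}
  cb_size=$(( 1 << (32 - cb_len) ))
  cb_first=$(( $(ip4_to_int "$cb_ip") & ~(cb_size - 1) ))
  echo "$cb_first $(( cb_first + cb_size - 1 ))"
}

# cidr_overlap A B -> true when the two blocks share at least one address
cidr_overlap() {
  set -- $(cidr_bounds "$1") $(cidr_bounds "$2")
  [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# cidr_within INNER OUTER -> true when INNER lies entirely inside OUTER
cidr_within() {
  set -- $(cidr_bounds "$1") $(cidr_bounds "$2")
  [ "$1" -ge "$3" ] && [ "$2" -le "$4" ]
}

# is_private_cidr A.B.C.D/N -> true for a block inside an RFC 1918 range
is_private_cidr() {
  cidr_within "$1" 10.0.0.0/8 || cidr_within "$1" 172.16.0.0/12 ||
    cidr_within "$1" 192.168.0.0/16
}

# addresses_per_protocol POOL NPROTOCOLS -> share of the pool each tunnel
# protocol receives when SSTP is configured and the pool is split equally
addresses_per_protocol() {
  echo $(( (1 << (32 - ${1#*/})) / $2 ))
}

# check_p2s_pool POOL MODE PREFIX... -> 0 when POOL is private, no smaller
# than the minimum for MODE (/29 active-passive, /28 active-active) and
# disjoint from every on-premises or VNet PREFIX listed; 1 otherwise
check_p2s_pool() {
  pool=$1; mode=$2; shift 2
  plen=${pool#*/}
  case $mode in
    active-passive) max=29 ;;
    active-active)  max=28 ;;
    *) echo "unknown gateway mode: $mode" >&2; return 2 ;;
  esac
  if ! is_private_cidr "$pool"; then
    echo "$pool is not a private (RFC 1918) range" >&2; return 1
  fi
  if [ "$plen" -gt "$max" ]; then
    echo "$pool: /$plen is smaller than the /$max minimum for $mode" >&2; return 1
  fi
  for prefix in "$@"; do
    if cidr_overlap "$pool" "$prefix"; then
      echo "$pool overlaps $prefix" >&2; return 1
    fi
  done
  return 0
}
```

A typical call lists every prefix the clients must reach, for example `check_p2s_pool 172.16.201.0/24 active-passive 10.1.0.0/16 192.168.0.0/24`, which passes, while a pool taken from inside the VNet range is rejected.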

Specify the tunnel and authentication type

You can select options that contain multiple tunnel types from the dropdown, such as IKEv2
and OpenVPN(SSL) or IKEv2 and SSTP (SSL). Only certain combinations of tunnel types and
authentication types are available. The tunnel type and the authentication type must
correspond to the VPN client software you want to use to connect to Azure. When you have
various VPN clients connecting from different operating systems, planning the tunnel type
and authentication type is important.

Authentication       Tunnel type   Client OS   VPN client
Certificate          IKEv2, SSTP   Windows     Native VPN client
                     IKEv2         macOS       Native VPN client
                     IKEv2         Linux       strongSwan
                     OpenVPN       Windows     Azure VPN client; OpenVPN client version 2.x; OpenVPN client version 3.x
                     OpenVPN       macOS       OpenVPN client
                     OpenVPN       iOS         OpenVPN client
                     OpenVPN       Linux       Azure VPN Client; OpenVPN client
Microsoft Entra ID   OpenVPN       Windows     Azure VPN client
                     OpenVPN       macOS       Azure VPN Client
                     OpenVPN       Linux       Azure VPN Client

If you don't see tunnel type or authentication type on the Point-to-site
configuration page, your gateway is using the Basic SKU. The Basic SKU doesn't support
IKEv2 or RADIUS authentication. If you want to use these settings, you need to delete and
re-create the gateway using a different gateway SKU.

1. For Tunnel type, select the tunnel type that you want to use. For this exercise, from
the dropdown, select IKEv2 and OpenVPN(SSL).
2. For Authentication type, from the dropdown, select Azure certificate.

Add another public IP address

If you have an active-active mode gateway, you need to specify a third public IP address to
configure point-to-site. In the example, we create the third public IP address using the
example value VNet1GWpip3. If your gateway isn't in active-active mode, you don't need to
add another public IP address.

Upload root certificate public key information

In this section, you upload public root certificate data to Azure. Once the public certificate
data is uploaded, Azure uses it to authenticate connecting clients. The connecting clients
have an installed client certificate generated from the trusted root certificate.

1. Make sure that you exported the root certificate as a Base-64 encoded X.509
(.CER) file in the previous steps. You need to export the certificate in this format so
you can open the certificate with a text editor. You don't need to export the private key.
2. Open the certificate with a text editor, such as Notepad. When copying the certificate
data, make sure that you copy the text as one continuous line.
3. Go to your Virtual network gateway -> Point-to-site configuration page in
the Root certificate section. This section is only visible if you have selected Azure
certificate for the authentication type.
4. In the Root certificate section, you can add up to 20 trusted root certificates.
• Paste the certificate data into the Public certificate data field.
• Name the certificate.

5. Additional routes aren't necessary for this exercise. For more information about the
custom routing feature, see Advertise custom routes.
6. Select Save at the top of the page to save all of the configuration settings.

Generate VPN client profile configuration files

All the necessary configuration settings for the VPN clients are contained in a VPN client
profile configuration zip file. VPN client profile configuration files are specific to the P2S VPN
gateway configuration for the virtual network. If there are any changes to the P2S VPN
configuration after you generate the files, such as changes to the VPN protocol type or
authentication type, you need to generate new VPN client profile configuration files and
apply the new configuration to all of the VPN clients that you want to connect.

1. In the Azure portal, go to the virtual network gateway for the virtual network to which
you want to connect.
2. On the virtual network gateway page, select Point-to-site configuration to open the
Point-to-site configuration page.
3. At the top of the Point-to-site configuration page, select Download VPN client.
This doesn't download VPN client software, it generates the configuration package
used to configure VPN clients. It takes a few minutes for the client configuration
package to generate. During this time, you might not see any indications until the
package generates.
4. Once the configuration package is generated, your browser indicates that a client
configuration zip file is available. It's named the same name as your gateway.
5. Unzip the file to view the folders. You'll use some, or all, of these files to configure
your VPN client. The files that are generated correspond to the authentication and
tunnel type settings that you configured on the P2S server.

Configure Azure VPN Client for P2S certificate authentication connections - Windows

If your point-to-site (P2S) VPN gateway is configured to use OpenVPN and certificate
authentication, you can connect to your virtual network using the Azure VPN Client. The
following table shows the configuration articles available for VPN Gateway point-to-site VPN
clients.

Authentication       Tunnel type   Client OS   VPN client
Certificate          IKEv2, SSTP   Windows     Native VPN client
                     IKEv2         macOS       Native VPN client
                     IKEv2         Linux       strongSwan
                     OpenVPN       Windows     Azure VPN client; OpenVPN client version 2.x; OpenVPN client version 3.x
                     OpenVPN       macOS       OpenVPN client
                     OpenVPN       iOS         OpenVPN client
                     OpenVPN       Linux       Azure VPN Client; OpenVPN client
Microsoft Entra ID   OpenVPN       Windows     Azure VPN client
                     OpenVPN       macOS       Azure VPN Client
                     OpenVPN       Linux       Azure VPN Client

Connection requirements

To connect to Azure, each connecting client computer requires the following items:

• The Azure VPN Client software must be installed on each client computer.
• The Azure VPN Client profile is configured using the settings contained in the
downloaded azurevpnconfig.xml or azurevpnconfig_cert.xml configuration file.
• The client computer must have a client certificate that's installed locally.

Install the client certificate

Each computer needs a client certificate in order to authenticate. If the client certificate isn't
already installed on the local computer, you can install it using the following steps:

1. Locate the client certificate. For more information about client certificates, see Install
client certificates.
2. Install the client certificate. Typically, you can do this by double-clicking the certificate
file and providing a password (if required).

View configuration files

The VPN client profile configuration package contains specific folders. The files within the
folders contain the settings needed to configure the VPN client profile on the client
computer. The files and the settings they contain are specific to the VPN gateway and the
type of authentication and tunnel your VPN gateway is configured to use.

Locate and unzip the VPN client profile configuration package you generated. For Certificate
authentication and OpenVPN, you'll see the AzureVPN folder. In this folder, you'll see either
the azurevpnconfig_cert.xml file or the azurevpnconfig.xml file, depending on whether
your P2S configuration includes multiple authentication types. The .xml file contains the
settings you use to configure the VPN client profile. If you don't see either file, or you don't
have an AzureVPN folder, verify that your VPN gateway is configured to use the OpenVPN
tunnel type and that certificate authentication is selected.

Download the Azure VPN Client

1. Download the latest version of the Azure VPN Client install files using one of the
following links:
• Install using Client Install files: https://aka.ms/azvpnclientdownload.
• Install directly, when signed in on a client computer: Microsoft Store.
2. Install the Azure VPN Client to each computer.
3. Verify that the Azure VPN Client has permission to run in the background. For steps,
see Windows background apps.
4. To verify the installed client version, open the Azure VPN Client. Go to the bottom of
the client and click ... -> ? Help. In the right pane, you can see the client version
number.

Configure the Azure VPN Client profile

1. Open the Azure VPN Client.
2. Select + on the bottom left of the page, then select Import.
3. In the window, navigate to the azurevpnconfig.xml or azurevpnconfig_cert.xml file.
Select the file, then select Open.
4. On the client profile page, notice that many of the settings are already specified. The
preconfigured settings are contained in the VPN client profile package that you
imported. Even though most of the settings are already specified, you need to
configure settings specific to the client computer.

5. From the Certificate Information dropdown, select the name of the child certificate (the
client certificate). For example, P2SChildCert. You can also (optionally) select a Secondary
Profile. For this exercise, select None.
6. If you don't see a client certificate in the Certificate Information dropdown, you'll
need to cancel and fix the issue before proceeding. It's possible that one of the
following things is causing the problem:
• The client certificate isn't installed locally on the client computer.
• There are multiple certificates with exactly the same name installed on your
local computer (common in test environments).
• The child certificate is corrupt.
7. After the import validates (imports with no errors), select Save.
8. In the left pane, locate the VPN connection, then select Connect.
