VPN gateway IP change not applied

Question

VPN gateway IP change not applied

Eric Maussion 26

I needed to change the IP configuration for my VPN gateway (running for months with several tunnels up) to a static IP- standard SKU, so I went ahead and applied my Terraform plan in steps (attach to another IP, change the SKU of the original IP, reattach to original public IP). I did not expect the SKU change to renew the public IP. So basically my VPN gateway IP went from 1.2.3.4 to 5.6.7.8

But the biggest issue here is that after 8 hours, the new IP of the gateway has not propagated: the S2S tunnels are still all up using the 1.2.3.4 IP address.

I tried:

Changing the public IP again
Resetting the VPN gateway
Using the new IP (5.6.7.8) from the premises to re-establish the tunnels -> it fails
Changing other settings (unrelated to IP, like custom routes advertised)
Running nslookup myvpngateway.vpn.azure.com returns 1.2.3.4

The diagnostics on the VPN gateway do no show any sign of major failures. A strange observation however:

Changing a setting on the VPN gateway with Terraform results in a HTTP 500 (no description) after 7-8 minutes
Changing a setting on the console or with Powershell takes 10 to 25 minutes and "succeeds".

These times are very long, I remember having 3-4 minutes deployments when I previously worked on this gateway (before today).

Joe Carlyle 661 Reputation points MVP

2023-07-19T16:52:15.5+00:00

This sounds like your VPN is in a mismatched state. I think your only resolution will be a deletion and rebuild with your newly created IP. You can open an SR to confirm in advance.
ChaitanyaNaykodi-MSFT 27,476 Reputation points Microsoft Employee Moderator

2023-07-19T18:51:39.6433333+00:00

@Eric Maussion Thank you for reaching out.

Can you please let us know what VPN SKU you are using?

If you are using Basic VPN SKU, it does not support static IP- standard SKU and in order to move from VPN Basic to another SKU, you must delete the Basic SKU VPN gateway and create a new gateway with the desired Generation and SKU size combination.
Eric Maussion 26 Reputation points

2023-07-20T15:38:30.55+00:00

The SKU of the gateway is VpnGw1 (Generation 1). Deleting/recreating the gateway would be kind of dramatic as it would change the configuration file for all the users in our company :-/

1 answer

Your answer

Joe Carlyle 661 Reputation points MVP

2023-07-19T16:52:15.5+00:00

This sounds like your VPN is in a mismatched state. I think your only resolution will be a deletion and rebuild with your newly created IP. You can open an SR to confirm in advance.
ChaitanyaNaykodi-MSFT 27,476 Reputation points Microsoft Employee Moderator

2023-07-19T18:51:39.6433333+00:00

@Eric Maussion Thank you for reaching out.

Can you please let us know what VPN SKU you are using?

If you are using Basic VPN SKU, it does not support static IP- standard SKU and in order to move from VPN Basic to another SKU, you must delete the Basic SKU VPN gateway and create a new gateway with the desired Generation and SKU size combination.
Eric Maussion 26 Reputation points

2023-07-20T15:38:30.55+00:00

The SKU of the gateway is VpnGw1 (Generation 1). Deleting/recreating the gateway would be kind of dramatic as it would change the configuration file for all the users in our company :-/

Answer 1

ChaitanyaNaykodi-MSFT 27,476 Microsoft Employee Moderator

@Eric Maussion

Thank you for getting back.

Currently VPN Gateway doesn't support changing the primary public IP address after creation this is documented here.

Although unfavorable I think the solution here will be to create a new gateway with the desired Generation and SKU size combination and assign the already created IP address to it.

If you wish to troubleshoot this issue further, I think it will be better if you can file for support request. Where a support engineer can have a screen share session to pinpoint the issue. If you have a support plan you may file a support ticket, else could you please send an email to azcommunity@microsoft.com with the below details.

Subject : Attn Chaitanya

Thread URL: Link to this thread.

Subscription ID

Please let me know once you have done the same. Thank you!

Eric Maussion 26 Reputation points

2023-07-21T09:50:13.9166667+00:00

I see... Thanks for the documentation which I missed.

Then you have a nasty bug in all your deployment validation workflow on VPN gateways because the az cli / terraform provider allow to change the assigned IP of the VPN gateway without recreating it, this results in wrong information in the APIs/consoles when the changes are applied. It also reserves a new IP while it's not. And the former IP still is use by the gateway is nowhere to be found in the Azure resource manager. You may need to forward this to the dev teams (or point me to the right place to do so).
We do not currently have a support plan (as far as I know).

--Eric
ChaitanyaNaykodi-MSFT 27,476 Reputation points Microsoft Employee Moderator

2023-07-22T00:55:33.4266667+00:00

@Eric Maussion

Thank you for the feedback, it will help if you could send the email as requested above. I will create a one-time free support request for you in this case so that you can raise this issue and submit the required logs to the support engineer. Thank you!

Share via

VPN gateway IP change not applied

1 answer

Your answer