Azure Virtual network gateway

HASSAN BIN NASIR DAR 391 Reputation points
2021-05-11T12:36:44.55+00:00

Hi,

I am using an Azure legacy virtual network gateway with the Basic SKU.

It is working fine for one customer.

My other customer has custom security parameters for IKE/IPSec.

Basic SKU cannot support custom security parameters. So I want to upgrade it from Basic to Standard SKU.

During the upgrade can we face downtime?


10 answers

  1. GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator
    2021-05-12T13:41:26.287+00:00

    Hello @HASSAN BIN NASIR DAR ,

    When working with the old gateway SKUs, you can resize between Basic, Standard, and HighPerformance SKUs. You can resize your gateway to a gateway SKU within the same SKU family. However, you can't resize your VPN gateway between the old SKUs and the new SKU families. For example, you can't go from a Standard SKU to a VpnGw2 SKU, or a Basic SKU to VpnGw1.
    To re-size your VPN gateway from Basic to Standard SKU, you can either use the PowerShell commands or re-size it via Azure portal using the Configuration tab.
    Refer : https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-skus-legacy#resize

    Re-sizing a gateway (when available) doesn't require much downtime since you will not be deleting & recreating the gateway.
    Every Azure VPN gateway consists of two instances in an active-standby configuration. For any planned maintenance or unplanned disruption that happens to the active instance, the standby instance would take over (failover) automatically, and resume the S2S VPN or VNet-to-VNet connections. The switch over will cause a brief interruption. For planned maintenance, the connectivity should be restored within 10 to 15 seconds. For unplanned issues, the connection recovery will be longer, about 1 to 3 minutes in the worst case. For P2S VPN client connections to the gateway, the P2S connections will be disconnected and the users will need to reconnect from the client machines.
    Refer : https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable

    NOTE : Basic gateway SKU is the only SKU which supports Policy-based VPN. A gateway type cannot be changed from policy-based to route-based, or from route-based to policy-based. To change a gateway type, the gateway must be deleted and recreated. This process takes about 60 minutes. When you create the new gateway, you cannot retain the IP address of the original gateway.
    Refer : https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq#can-i-update-my-policy-based-vpn-gateway-to-route-based

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. Andreas Baumgarten 123.4K Reputation points MVP Volunteer Moderator
    2021-05-13T20:49:04.29+00:00

    Hi @HASSAN BIN NASIR DAR ,

    the Azure VPN Gateway prices are listed here:
    https://azure.microsoft.com/en-us/pricing/details/vpn-gateway/

    The supported IKE/IPsec settings you will find here:
    https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-ipsecikepolicy-rm-powershell#part-2---supported-cryptographic-algorithms--key-strengths

    IKE version 2 -> yes
    IKE encryption AES256 -> yes
    IKE integrity SHA384 -> yes
    IPsec encryption GCMAES256 -> yes
    IPsec integrity GCMAES256 -> yes
    PFS group Enabled -> yes - available options are: PFS24, ECP384, ECP256, PFS2048, PFS2, PFS1, None
    DH group 20 -> No - available options are: DHGroup24, ECP384, ECP256, DHGroup14, DHGroup2048, DHGroup2, DHGroup1, None

    ----------

    (If the reply was helpful please don't forget to upvote and/or accept as answer, thank you)

    Regards
    Andreas Baumgarten
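The settings listed in the answer above, applied as a custom IPsec/IKE policy with the Az PowerShell module. This is an added example, not part of the thread and not Microsoft's own script; the resource names, the choice of ECP384 for the DH and PFS groups, and the SA lifetime values are assumptions.

```powershell
# Placeholders (hypothetical names, replace with your own)
$rg       = 'RG-Example'
$gwName   = 'VNet1GW'
$connName = 'VNet1-to-CustomerB'

# Pre-flight: the Basic SKU does not support custom IPsec/IKE parameters,
# so stop before touching the connection if the gateway is still Basic.
$gw = Get-AzVirtualNetworkGateway -Name $gwName -ResourceGroupName $rg
if ($gw.Sku.Name -eq 'Basic') {
    throw "Gateway '$gwName' is Basic SKU; custom IPsec/IKE policy is not supported."
}
Write-Host "Gateway SKU: $($gw.Sku.Name), VPN type: $($gw.VpnType)"

# Build the policy from the values in the list above.
# ECP384 is the 384-bit elliptic-curve group; Microsoft's Diffie-Hellman
# mapping table lists it as group 20. PFS group is an assumption (the
# thread only says "Enabled"), as are the SA lifetime and data size.
$policy = New-AzIpsecPolicy `
    -IkeEncryption   AES256 `
    -IkeIntegrity    SHA384 `
    -DhGroup         ECP384 `
    -IpsecEncryption GCMAES256 `
    -IpsecIntegrity  GCMAES256 `
    -PfsGroup        ECP384 `
    -SALifeTimeSeconds   27000 `
    -SADataSizeKilobytes 102400000

# Attach the policy to the existing site-to-site connection.
$conn = Get-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rg
Set-AzVirtualNetworkGatewayConnection `
    -VirtualNetworkGatewayConnection $conn `
    -IpsecPolicies $policy `
    -UsePolicyBasedTrafficSelectors $false

# Read the connection back and confirm the policy that is now in effect.
(Get-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rg).IpsecPolicies
```

The on-premises device must be configured with the same algorithms, groups and lifetimes, otherwise the tunnel will not negotiate.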


  3. GitaraniSharma-MSFT 50,021 Reputation points Microsoft Employee Moderator
    2021-06-28T01:40:14.003+00:00

    Hi @HASSAN BIN NASIR DAR ,

    Apologies for the delay in response.

    For legacy VPN gateway SKU pricing, you need to see the ExpressRoute pricing page and check the Virtual Network Gateways section.

    Please refer : https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways#pricing
    https://azure.microsoft.com/en-in/pricing/details/expressroute/

    Kindly let us know if the above helps or you need further assistance on this issue.

    ----------------------------------------------------------------------------------------------------------------

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  4. Vineet Kumar Gupta 161 Reputation points
    2022-04-12T14:40:42.797+00:00

    No downtime.


  5. Nikhil Sukumaran 1 Reputation point
    2022-10-26T15:09:03.523+00:00

    Hi All,

    Somehow I am facing an issue that I am not able to resize the SKU from Basic to Standard.

    Is there any change in Azure about VPN GW?

    Resize-AzVirtualNetworkGateway: Upgrade from Basic SKU not allowed for Gateway /subscriptions/486de8bd-b6ae-4b5c-a177-7ca72eb72f3f/resourceGroups/RG_Test/providers/Microsoft.Network/virtualNetworkGateways/VPN-Gw02. Please delete and recreate if needed.
    StatusCode: 400
    ReasonPhrase: Bad Request
    ErrorCode: CustomerGatewayUpgradeFromBasicNotAllowed
