Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
When you create a VPN Gateway virtual network gateway, you specify the gateway SKU that you want to use. This article describes the factors that you should take into consideration when selecting a gateway SKU. If you're looking for information about ExpressRoute gateway SKUs, see Virtual network gateways for ExpressRoute. For Virtual WAN gateways, see Virtual WAN gateway settings.
When you configure a virtual network gateway SKU, select the SKU that satisfies your requirements based on the types of workloads, throughput, features, and SLAs. The following sections show the relevant information that you should use when deciding.
Note
We're simplifying our VPN Gateway SKU portfolio and will be transitioning all non availability zone (AZ) supported SKUs to AZ supported SKUs. For more information and timelines, see VPN Gateway SKU consolidation and migration.
Gateway SKUs by tunnel, connection, and throughput
| VPN Gateway Generation |
SKU | S2S/VNet-to-VNet Tunnels |
P2S SSTP Connections |
P2S IKEv2/OpenVPN Connections |
Aggregate Throughput Benchmark |
BGP | Zone-redundant | Supported Number of VMs in the Virtual Network |
|---|---|---|---|---|---|---|---|---|
| Generation1 | Basic | Max. 10 | Max. 128 | Not Supported | 100 Mbps | Not Supported | No | 200 |
| Generation1 | VpnGw1 | Max. 30 | Max. 128 | Max. 250 | 650 Mbps | Supported | No | 450 |
| Generation1 | VpnGw2 | Max. 30 | Max. 128 | Max. 500 | 1 Gbps | Supported | No | 1300 |
| Generation1 | VpnGw3 | Max. 30 | Max. 128 | Max. 1000 | 1.25 Gbps | Supported | No | 4000 |
| Generation1 | VpnGw1AZ | Max. 30 | Max. 128 | Max. 250 | 650 Mbps | Supported | Yes | 1000 |
| Generation1 | VpnGw2AZ | Max. 30 | Max. 128 | Max. 500 | 1 Gbps | Supported | Yes | 2000 |
| Generation1 | VpnGw3AZ | Max. 30 | Max. 128 | Max. 1000 | 1.25 Gbps | Supported | Yes | 5000 |
| Generation2 | VpnGw2 | Max. 30 | Max. 128 | Max. 500 | 1.25 Gbps | Supported | No | 685 |
| Generation2 | VpnGw3 | Max. 30 | Max. 128 | Max. 1000 | 2.5 Gbps | Supported | No | 2240 |
| Generation2 | VpnGw4 | Max. 100* | Max. 128 | Max. 5000 | 5 Gbps | Supported | No | 5300 |
| Generation2 | VpnGw5 | Max. 100* | Max. 128 | Max. 10000 | 10 Gbps | Supported | No | 6700 |
| Generation2 | VpnGw2AZ | Max. 30 | Max. 128 | Max. 500 | 1.25 Gbps | Supported | Yes | 2000 |
| Generation2 | VpnGw3AZ | Max. 30 | Max. 128 | Max. 1000 | 2.5 Gbps | Supported | Yes | 3300 |
| Generation2 | VpnGw4AZ | Max. 100* | Max. 128 | Max. 5000 | 5 Gbps | Supported | Yes | 4400 |
| Generation2 | VpnGw5AZ | Max. 100* | Max. 128 | Max. 10000 | 10 Gbps | Supported | Yes | 9000 |
(*) If you need more than 100 S2S VPN tunnels, use Virtual WAN instead of VPN Gateway.
Additional information
Because Basic SKU public IP addresses are announced to retire September 30, 2025, we're no longer permitting new gateways to be created using Basic SKU public IP addresses. Starting December 1, 2023, when you create a new VPN gateway, you must use a Standard SKU public IP address. This limitation doesn't apply to new gateways that you create using the VPN Gateway Basic gateway SKU. You can still create a Basic SKU VPN gateway that uses a Basic SKU public IP address.
The Basic gateway SKU doesn't support IPv6 and can only be configured using PowerShell or Azure CLI. Additionally, the Basic gateway SKU doesn't support RADIUS authentication.
These connection limits are separate. For example, you can have 128 SSTP connections and also 250 IKEv2 connections on a VpnGw1 SKU.
If you have numerous P2S connections, it can negatively impact your S2S connections. The Aggregate Throughput Benchmarks were tested by maximizing a combination of S2S and P2S connections. A single P2S or S2S connection can have a much lower throughput.
See the Pricing page for pricing information.
See the SLA page for SLA (Service Level Agreement) information.
All benchmarks aren't guaranteed due to Internet traffic conditions and your application behaviors.
Gateway SKUs by performance
The table in this section lists the results of performance tests for VpnGw SKUs. A VPN tunnel connects to a VPN gateway instance. Each instance throughput is mentioned in the throughput table in the previous section and is available aggregated across all tunnels connecting to that instance. The table shows the observed bandwidth and packets per second throughput per tunnel for the different gateway SKUs. All testing was performed between gateways (endpoints) within Azure across different regions with 100 connections and under standard load conditions. We used publicly available iPerf and CTSTraffic tools to measure performances for site-to-site connections
- The best performance was obtained when we used the GCMAES256 algorithm for both IPsec Encryption and Integrity.
- Average performance was obtained when using AES256 for IPsec Encryption and SHA256 for Integrity.
- The lowest performance was obtained when we used DES3 for IPsec Encryption and SHA256 for Integrity.
| Generation | SKU | Algorithms used |
Throughput observed per tunnel |
Packets per second per tunnel observed |
|---|---|---|---|---|
| Generation1 | VpnGw1 | GCMAES256 AES256 & SHA256 DES3 & SHA256 |
650 Mbps 500 Mbps 130 Mbps |
62,000 47,000 12,000 |
| Generation1 | VpnGw2 | GCMAES256 AES256 & SHA256 DES3 & SHA256 |
1.2 Gbps 650 Mbps 140 Mbps |
100,000 61,000 13,000 |
| Generation1 | VpnGw3 | GCMAES256 AES256 & SHA256 DES3 & SHA256 |
1.25 Gbps 700 Mbps 140 Mbps |
120,000 66,000 13,000 |
| Generation1 | VpnGw1AZ | GCMAES256 AES256 & SHA256 DES3 & SHA256 |
650 Mbps 500 Mbps 130 Mbps |
62,000 47,000 12,000 |
| Generation1 | VpnGw2AZ | GCMAES256 AES256 & SHA256 DES3 & SHA256 |
1.2 Gbps 650 Mbps 140 Mbps |
110,000 61,000 13,000 |
| Generation1 | VpnGw3AZ | GCMAES256 AES256 & SHA256 DES3 & SHA256 |
1.25 Gbps 700 Mbps 140 Mbps |
120,000 66,000 13,000 |
| Generation2 | VpnGw2 | GCMAES256 AES256 & SHA256 DES3 & SHA256 |
1.25 Gbps 550 Mbps 130 Mbps |
120,000 52,000 12,000 |
| Generation2 | VpnGw3 | GCMAES256 AES256 & SHA256 DES3 & SHA256 |
1.5 Gbps 700 Mbps 140 Mbps |
140,000 66,000 13,000 |
| Generation2 | VpnGw4 | GCMAES256 AES256 & SHA256 DES3 & SHA256 |
2.3 Gbps 700 Mbps 140 Mbps |
220,000 66,000 13,000 |
| Generation2 | VpnGw5 | GCMAES256 AES256 & SHA256 DES3 & SHA256 |
2.3 Gbps 700 Mbps 140 Mbps |
220,000 66,000 13,000 |
| Generation2 | VpnGw2AZ | GCMAES256 AES256 & SHA256 DES3 & SHA256 |
1.25 Gbps 550 Mbps 130 Mbps |
120,000 52,000 12,000 |
| Generation2 | VpnGw3AZ | GCMAES256 AES256 & SHA256 DES3 & SHA256 |
1.5 Gbps 700 Mbps 140 Mbps |
140,000 66,000 13,000 |
| Generation2 | VpnGw4AZ | GCMAES256 AES256 & SHA256 DES3 & SHA256 |
2.3 Gbps 700 Mbps 140 Mbps |
220,000 66,000 13,000 |
| Generation2 | VpnGw5AZ | GCMAES256 AES256 & SHA256 DES3 & SHA256 |
2.3 Gbps 700 Mbps 140 Mbps |
220,000 66,000 13,000 |
Gateway SKUs by feature set
| SKU | Features |
|---|---|
| Basic (**) | Route-based VPN: 10 tunnels for S2S/connections; no RADIUS authentication for P2S; no IKEv2 for P2S Policy-based VPN: (IKEv1): 1 S2S/connection tunnel; no P2S |
| All Generation1 and Generation2 SKUs except Basic | Route-based VPN: up to 100 tunnels (*), P2S, BGP, active-active, custom IPsec/IKE policy, ExpressRoute/VPN coexistence |
(*) You can configure "PolicyBasedTrafficSelectors" to connect a route-based VPN gateway to multiple on-premises policy-based firewall devices. Refer to Connect VPN gateways to multiple on-premises policy-based VPN devices using PowerShell for details.
(**) The Basic SKU has certain feature and performance limitations and shouldn't be used for production purposes. Verify that the feature that you need is supported before you use the Basic SKU. The Basic SKU doesn't support IPv6 and can only be configured using PowerShell or Azure CLI. Additionally, the Basic SKU doesn't support RADIUS authentication.
Gateway SKUs - Production vs. Dev-Test workloads
Due to the differences in SLAs and feature sets, we recommend the following SKUs for production vs. dev-test:
| Workload | SKUs |
|---|---|
| Production, critical workloads | All Generation1 and Generation2 SKUs, except Basic |
| Dev-test or proof of concept | Basic (**) |
(**) The Basic SKU has certain feature and performance limitations and shouldn't be used for production purposes. Verify that the feature that you need is supported before you use the Basic SKU. The Basic SKU doesn't support IPv6 and can only be configured using PowerShell or Azure CLI. Additionally, the Basic SKU doesn't support RADIUS authentication.
If you're using the old SKUs (legacy), the production SKU recommendations are Standard and HighPerformance. For information and instructions for old SKUs, see Gateway SKUs (legacy).
About legacy SKUs
For information about working with the legacy gateway SKUs (Standard and High Performance), including SKU deprecation, see Managing legacy gateway SKUs.
Specify a SKU
You specify the gateway SKU when you create your VPN Gateway. See the following article for steps:
Upgrade a SKU
For most VPN gateways, you can upgrade a gateway SKU. For more information, see Upgrade a VPN Gateway SKU.
Note
If you're working with a legacy gateway SKU (Standard and High Performance), see Managing Legacy gateway SKUs.
Next steps
For more information about available connection configurations, see About VPN Gateway.