Tutorial: Create and manage a VPN gateway using the Azure portal

This tutorial helps you create and manage a virtual network gateway (VPN gateway) using the Azure portal. The VPN gateway is just one part of a connection architecture to help you securely access resources within a virtual network (VNet).

Diagram of virtual network and VPN gateway.

  • The left side of the diagram shows the VNet and the VPN gateway that you create using the steps in this article.
  • You can later add different types of connections, as shown on the right side of the diagram. For example, you can create Site-to-Site and Point-to-site connections. See VPN Gateway design to view different design architectures that you can build.

If you want to learn more about the configuration settings used in this tutorial, see About VPN Gateway configuration settings. For more information about VPN Gateway, see What is VPN Gateway?

In this tutorial, you learn how to:

  • Create a VNet
  • Create a VPN gateway
  • View the gateway public IP address
  • Resize a VPN gateway (resize SKU)
  • Reset a VPN gateway


An Azure account with an active subscription. If you don't have one, create one for free.

Create a VNet

Create a VNet using the following values:

  • Resource group: TestRG1
  • Name: VNet1
  • Region: (US) East US
  • IPv4 address space:
  • Subnet name: FrontEnd
  • Subnet address space:
  1. Sign in to the Azure portal.

  2. In Search resources, service, and docs (G+/) at the top of the portal page, type virtual network. Select Virtual network from the Marketplace results to open the Virtual network page.

  3. On the Virtual network page, select Create. This opens the Create virtual network page.

  4. On the Basics tab, configure the VNet settings for Project details and Instance details. You'll see a green check mark when the values you enter are validated. The values shown in the example can be adjusted according to the settings that you require.

    Screenshot shows the Basics tab.

    • Subscription: Verify that the subscription listed is the correct one. You can change subscriptions by using the drop-down.
    • Resource group: Select an existing resource group, or select Create new to create a new one. For more information about resource groups, see Azure Resource Manager overview.
    • Name: Enter the name for your virtual network.
    • Region: Select the location for your VNet. The location determines where the resources that you deploy to this VNet will live.
  5. Select Next or Security to advance to the Security tab. For this exercise, leave the default values for all the services on this page.

  6. Select IP Addresses to advance to the IP Addresses tab. On the IP Addresses tab, configure the settings.

    • IPv4 address space: By default, an address space is automatically created. You can select the address space and adjust it to reflect your own values. You can also add a different address space and remove the default that was automatically created. For example, you can specify the starting address as and specify the address space size as /16, then Add that address space.
    • + Add subnet: If you use the default address space, a default subnet is created automatically. If you change the address space, add a new subnet within that address space. Select + Add subnet to open the Add subnet window. Configure the following settings, then select Add at the bottom of the page to add the values.
      • Subnet name: Example: FrontEnd.
      • Subnet address range: The address range for this subnet. For example, and /24.
  7. Review the IP addresses page and remove any address spaces or subnets that you don't need.

  8. Select Review + create to validate the virtual network settings.

  9. After the settings have been validated, select Create to create the virtual network.

After you create your VNet, you can optionally configure Azure DDos Protection. Protection is simple to enable on any new or existing virtual network, and it requires no application or resource changes. For more information about Azure DDoS protection, see What is Azure DDoS Protection?

Create a VPN gateway

In this step, you create the virtual network gateway (VPN gateway) for your VNet. Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU.

Create a virtual network gateway using the following values:

  • Name: VNet1GW
  • Region: East US
  • Gateway type: VPN
  • SKU: VpnGw2
  • Generation: Generation 2
  • Virtual network: VNet1
  • Gateway subnet address range:
  • Public IP address: Create new
  • Public IP address name: VNet1GWpip

For this exercise, we won't be selecting a zone redundant SKU. If you want to learn about zone-redundant SKUs, see About zone-redundant VNet gateways.

  1. In Search resources, services, and docs (G+/) type virtual network gateway. Locate Virtual network gateway in the Marketplace search results and select it to open the Create virtual network gateway page.

    Screenshot of Search field.

  2. On the Basics tab, fill in the values for Project details and Instance details.

    Screenshot of Instance fields.

    • Subscription: Select the subscription you want to use from the dropdown.
    • Resource Group: This setting is autofilled when you select your virtual network on this page.
    • Name: Name your gateway. Naming your gateway not the same as naming a gateway subnet. It's the name of the gateway object you're creating.
    • Region: Select the region in which you want to create this resource. The region for the gateway must be the same as the virtual network.
    • Gateway type: Select VPN. VPN gateways use the virtual network gateway type VPN.
    • SKU: Select the gateway SKU that supports the features you want to use from the dropdown. See Gateway SKUs. In the portal, the SKUs available in the dropdown depend on the VPN type you select. The Basic SKU can only be configured using Azure CLI or PowerShell. You can't configure the Basic SKU in the Azure portal.
    • Generation: Select the generation you want to use. We recommend using a Generation2 SKU. For more information, see Gateway SKUs.
    • Virtual network: From the dropdown, select the virtual network to which you want to add this gateway. If you can't see the VNet for which you want to create a gateway, make sure you selected the correct subscription and region in the previous settings.
    • Gateway subnet address range: This field only appears if your VNet doesn't have a gateway subnet. It's best to specify /27 or larger (/26,/25 etc.). This allows enough IP addresses for future changes, such as adding an ExpressRoute gateway. If you already have a gateway subnet, you can view GatewaySubnet details by navigating to your virtual network. Select Subnets to view the range. If you want to change the range, you can delete and recreate the GatewaySubnet.
  1. Specify in the values for Public IP address. These settings specify the public IP address object that gets associated to the VPN gateway. The public IP address is assigned to this object when the VPN gateway is created. The only time the primary public IP address changes is when the gateway is deleted and re-created. It doesn't change across resizing, resetting, or other internal maintenance/upgrades of your VPN gateway.

    Screenshot of public IP address field.

    • Public IP address type: For this exercise, if you have the option to choose the address type, select Standard.
    • Public IP address: Leave Create new selected.
    • Public IP address name: In the text box, type a name for your public IP address instance.
    • Public IP address SKU: Setting is autoselected.
    • Assignment: The assignment is typically autoselected and can be either Dynamic or Static.
    • Enable active-active mode: Select Disabled. Only enable this setting if you're creating an active-active gateway configuration.
    • Configure BGP: Select Disabled, unless your configuration specifically requires this setting. If you do require this setting, the default ASN is 65515, although this value can be changed.
  2. Select Review + create to run validation.

  3. Once validation passes, select Create to deploy the VPN gateway.

A gateway can take 45 minutes or more to fully create and deploy. You can see the deployment status on the Overview page for your gateway. After the gateway is created, you can view the IP address that has been assigned to it by looking at the VNet in the portal. The gateway appears as a connected device.


When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet. Associating a network security group to this subnet may cause your virtual network gateway (VPN and ExpressRoute gateways) to stop functioning as expected. For more information about network security groups, see What is a network security group?.

View the public IP address

You can view the gateway public IP address on the Overview page for your gateway. The public IP address is used when you configure a site-to-site connection to your VPN gateway.

Screenshot of Overview page used to view the Public IP address field.

To see additional information about the public IP address object, select the name/IP address link next to Public IP address.

Resize a gateway SKU

There are specific rules regarding resizing vs. changing a gateway SKU. In this section, we'll resize the SKU. For more information, see Resize or change gateway SKUs.

  1. Go to the Configuration page for your virtual network gateway.

  2. On the right side of the page, click the dropdown arrow to show a list of available SKUs.

    Notice that the list only populates SKUs that you are able to resize your current SKU to. If you don't see the SKU you want to use, instead of resizing, you have to instead, change to a new SKU.

    Screenshot showing how to resize the gateway.

  3. Select the SKU from the dropdown.

Reset a gateway

  1. In the portal, go to the virtual network gateway that you want to reset.
  2. On the Virtual network gateway page, in the left pane, scroll down to Reset.
  3. On the Reset page, click Reset. Once the command is issued, the current active instance of the Azure VPN gateway is rebooted immediately. Resetting the gateway will cause a gap in VPN connectivity, and may limit future root cause analysis of the issue.

Clean up resources

If you're not going to continue to use this application or go to the next tutorial, delete these resources using the following steps:

  1. Enter the name of your resource group in the Search box at the top of the portal and select it from the search results.

  2. Select Delete resource group.

  3. Enter your resource group for TYPE THE RESOURCE GROUP NAME and select Delete.

Next steps

Once you've created a VPN gateway, you can configure additional gateway settings and connections. The following articles help you create a few of the most common configurations: