Tutorial: Create and manage a VPN gateway using the Azure portal
Azure VPN gateways provide cross-premises connectivity between customer premises and Azure. This tutorial covers basic Azure VPN Gateway deployment items, such as creating and managing a VPN gateway. You can also create a gateway using Azure CLI or Azure PowerShell. If you want to learn more about the configuration settings used in this tutorial, see About VPN Gateway configuration settings.
In this tutorial, you learn how to:
- Create a virtual network
- Create a VPN gateway
- View the gateway public IP address
- Resize a VPN gateway (resize SKU)
- Reset a VPN gateway
The following diagram shows the virtual network and the VPN gateway created as part of this tutorial.
An Azure account with an active subscription. If you don't have one, create one for free.
Create a virtual network
Create a VNet using the following values:
- Resource group: TestRG1
- Name: VNet1
- Region: (US) East US
- IPv4 address space: 10.1.0.0/16
- Subnet name: FrontEnd
- Subnet address space: 10.1.0.0/24
Sign in to the Azure portal.
In Search resources, service, and docs (G+/), type virtual network. Select Virtual network from the Marketplace results to open the Virtual network page.
On the Virtual network page, select Create. This opens the Create virtual network page.
On the Basics tab, configure the VNet settings for Project details and Instance details. You'll see a green check mark when the values you enter are validated. The values shown in the example can be adjusted according to the settings that you require.
- Subscription: Verify that the subscription listed is the correct one. You can change subscriptions by using the drop-down.
- Resource group: Select an existing resource group, or select Create new to create a new one. For more information about resource groups, see Azure Resource Manager overview.
- Name: Enter the name for your virtual network.
- Region: Select the location for your VNet. The location determines where the resources that you deploy to this VNet will live.
Select Security to advance to the Security tab. At this time, leave the default values.
- BastionHost: Disable
- DDoS Protection Standard: Disable
- Firewall: Disable
Select IP Addresses to advance to the IP Addresses tab. On the IP Addresses tab, configure the settings. The values shown in the example can be adjusted according to the settings that you require.
- IPv4 address space: By default, an address space is automatically created. You can select the address space and adjust it to reflect your own values. You can also add more address spaces by selecting the box below the existing address space and specifying the values for the additional address space.
- + Add subnet: If you use the default address space, a default subnet is created automatically. If you change the address space, you need to add a subnet. Select + Add subnet to open the Add subnet window. Configure the following settings, then select Add at the bottom of the page to add the values.
- Subnet name: In this example, we named the subnet "FrontEnd".
- Subnet address range: The address range for this subnet.
Select Review + create to validate the virtual network settings.
After the settings have been validated, select Create to create the virtual network.
Create a VPN gateway
In this step, you create the virtual network gateway (VPN gateway) for your VNet. Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU.
Create a virtual network gateway using the following values:
- Name: VNet1GW
- Region: East US
- Gateway type: VPN
- VPN type: Route-based
- SKU: VpnGw2
- Generation: Generation 2
- Virtual network: VNet1
- Gateway subnet address range: 10.1.255.0/27
- Public IP address: Create new
- Public IP address name: VNet1GWpip
In Search resources, services, and docs (G+/) type virtual network gateway. Locate Virtual network gateway in the Marketplace search results and select it to open the Create virtual network gateway page.
On the Basics tab, fill in the values for Project details and Instance details.
- Subscription: Select the subscription you want to use from the dropdown.
- Resource Group: This setting is autofilled when you select your virtual network on this page.
- Name: Name your gateway. Naming your gateway not the same as naming a gateway subnet. It's the name of the gateway object you're creating.
- Region: Select the region in which you want to create this resource. The region for the gateway must be the same as the virtual network.
- Gateway type: Select VPN. VPN gateways use the virtual network gateway type VPN.
- VPN type: Select the VPN type that is specified for your configuration. Most configurations require a Route-based VPN type.
- SKU: Select the gateway SKU you want to use from the dropdown. The SKUs listed in the dropdown depend on the VPN type you select. Make sure to select a SKU that supports the features you want to use. For more information about gateway SKUs, see Gateway SKUs.
- Generation: Select the generation you want to use. For more information, see Gateway SKUs.
- Virtual network: From the dropdown, select the virtual network to which you want to add this gateway. If you can't see the VNet for which you want to create a gateway, make sure you selected the correct subscription and region in the previous settings.
- Gateway subnet address range: This field only appears if your VNet doesn't have a gateway subnet. It's best to specify /27 or larger (/26,/25 etc.). This allows enough IP addresses for future changes, such as adding an ExpressRoute gateway. We don't recommend creating a range any smaller than /28. If you already have a gateway subnet, you can view GatewaySubnet details by navigating to your virtual network. Select Subnets to view the range. If you want to change the range, you can delete and recreate the GatewaySubnet.
Specify in the values for Public IP address. These settings specify the public IP address object that gets associated to the VPN gateway. The public IP address is dynamically assigned to this object when the VPN gateway is created. The only time the Public IP address changes is when the gateway is deleted and re-created. It doesn't change across resizing, resetting, or other internal maintenance/upgrades of your VPN gateway.
- Public IP address type: In most cases, you want to use the Basic Public IP address type. If you don't see this field on the portal page, you may have selected a gateway SKU that pre-selects this value for you.
- Public IP address: Leave Create new selected.
- Public IP address name: In the text box, type a name for your public IP address instance.
- Public IP address SKU: This field is controlled by the Public IP Address Type setting.
- Assignment: VPN gateway supports only Dynamic.
- Enable active-active mode: Only select Enable active-active mode if you're creating an active-active gateway configuration. Otherwise, leave this setting Disabled.
- Leave Configure BGP as Disabled, unless your configuration specifically requires this setting. If you do require this setting, the default ASN is 65515, although this value can be changed.
Select Review + create to run validation.
Once validation passes, select Create to deploy the VPN gateway.
A gateway can take 45 minutes or more to fully create and deploy. You can see the deployment status on the Overview page for your gateway. After the gateway is created, you can view the IP address that has been assigned to it by looking at the virtual network in the portal. The gateway appears as a connected device.
When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet. Associating a network security group to this subnet may cause your virtual network gateway (VPN and Express Route gateways) to stop functioning as expected. For more information about network security groups, see What is a network security group?.
View the public IP address
You can view the gateway public IP address on the Overview page for your gateway.
To see additional information about the public IP address object, select the name/IP address link next to Public IP address.
Resize a gateway SKU
There are specific rules regarding resizing vs. changing a gateway SKU. In this section, we'll resize the SKU. For more information, see Gateway settings - resizing and changing SKUs.
Go to the Configuration page for your virtual network gateway.
On the right side of the page, click the dropdown arrow to show the available gateway SKUs.
Select the SKU from the dropdown.
Reset a gateway
- In the portal, go to the virtual network gateway that you want to reset.
- On the Virtual network gateway page, in the left pane, scroll down to the Support + Troubleshooting section and select Reset.
- On the Reset page, click Reset. Once the command is issued, the current active instance of the Azure VPN gateway is rebooted immediately. Resetting the gateway will cause a gap in VPN connectivity, and may limit future root cause analysis of the issue.
Clean up resources
If you're not going to continue to use this application or go to the next tutorial, delete these resources using the following steps:
Enter the name of your resource group in the Search box at the top of the portal and select it from the search results.
Select Delete resource group.
Enter your resource group for TYPE THE RESOURCE GROUP NAME and select Delete.
Once you have a VPN gateway, you can configure connections. The articles below will help you create a few of the most common configurations:
Submit and view feedback for