az network vnet-gateway
Use an Azure Virtual Network Gateway to establish secure, cross-premises connectivity.
To learn more about Azure Virtual Network Gateways, visit https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-cli.
Commands
| az network vnet-gateway aad |
Manage AAD(Azure Active Directory) authentication of a virtual network gateway. |
| az network vnet-gateway aad assign |
Assign/Update AAD(Azure Active Directory) authentication to a virtual network gateway. |
| az network vnet-gateway aad remove |
Remove AAD(Azure Active Directory) authentication from a virtual network gateway. |
| az network vnet-gateway aad show |
Show AAD(Azure Active Directory) authentication of a virtual network gateway. |
| az network vnet-gateway create |
Create a virtual network gateway. |
| az network vnet-gateway delete |
Delete a virtual network gateway. |
| az network vnet-gateway disconnect-vpn-connections |
Disconnect vpn connections of virtual network gateway. |
| az network vnet-gateway ipsec-policy |
Manage virtual network gateway IPSec policies. |
| az network vnet-gateway ipsec-policy add |
Add a virtual network gateway IPSec policy. |
| az network vnet-gateway ipsec-policy clear |
Delete all IPsec policies on a virtual network gateway. |
| az network vnet-gateway ipsec-policy list |
List IPSec policies associated with a virtual network gateway. |
| az network vnet-gateway list |
List virtual network gateways. |
| az network vnet-gateway list-advertised-routes |
List the routes of a virtual network gateway advertised to the specified peer. |
| az network vnet-gateway list-bgp-peer-status |
Retrieve the status of BGP peers. |
| az network vnet-gateway list-learned-routes |
This operation retrieves a list of routes the virtual network gateway has learned, including routes learned from BGP peers. |
| az network vnet-gateway nat-rule |
Manage nat rule in a virtual network gateway. |
| az network vnet-gateway nat-rule add |
Add nat rule in a virtual network gateway. |
| az network vnet-gateway nat-rule list |
List nat rule for a virtual network gateway. |
| az network vnet-gateway nat-rule remove |
Remove nat rule from a virtual network gateway. |
| az network vnet-gateway nat-rule wait |
Place the CLI in a waiting state until a condition of the vnet gateway nat rule is met. |
| az network vnet-gateway packet-capture |
Manage packet capture on a virtual network gateway. |
| az network vnet-gateway packet-capture start |
Start packet capture on a virtual network gateway. |
| az network vnet-gateway packet-capture stop |
Stop packet capture on a virtual network gateway. |
| az network vnet-gateway packet-capture wait |
Place the CLI in a waiting state until a condition of the vnet gateway packet capture is met. |
| az network vnet-gateway reset |
Reset a virtual network gateway. |
| az network vnet-gateway revoked-cert |
Manage revoked certificates in a virtual network gateway. |
| az network vnet-gateway revoked-cert create |
Revoke a certificate. |
| az network vnet-gateway revoked-cert delete |
Delete a revoked certificate. |
| az network vnet-gateway root-cert |
Manage root certificates of a virtual network gateway. |
| az network vnet-gateway root-cert create |
Upload a root certificate. |
| az network vnet-gateway root-cert delete |
Delete a root certificate. |
| az network vnet-gateway show |
Get the details of a virtual network gateway. |
| az network vnet-gateway show-supported-devices |
Get a xml format representation for supported vpn devices. |
| az network vnet-gateway update |
Update a virtual network gateway. |
| az network vnet-gateway vpn-client |
Download a VPN client configuration required to connect to Azure via point-to-site. |
| az network vnet-gateway vpn-client generate |
Generate VPN client configuration. |
| az network vnet-gateway vpn-client ipsec-policy |
Manage the VPN client connection ipsec-policy for P2S client connection of the virtual network gateway. |
| az network vnet-gateway vpn-client ipsec-policy set |
Set the VPN client connection ipsec policy per P2S client connection of the virtual network gateway. |
| az network vnet-gateway vpn-client ipsec-policy show |
Get the VPN client connection ipsec policy per P2S client connection of the virtual network gateway. |
| az network vnet-gateway vpn-client ipsec-policy wait |
Place the CLI in a waiting state until a condition of the vnet gateway vpn client ipsec policy is met. |
| az network vnet-gateway vpn-client show-health |
Get the VPN client connection health detail per P2S client connection of the virtual network gateway. |
| az network vnet-gateway vpn-client show-url |
Retrieve a pre-generated VPN client configuration. |
| az network vnet-gateway wait |
Place the CLI in a waiting state until a condition of the virtual network gateway is met. |
az network vnet-gateway create
Create a virtual network gateway.
az network vnet-gateway create --name
--resource-group
--vnet
[--aad-audience]
[--aad-issuer]
[--aad-tenant]
[--address-prefixes]
[--asn]
[--bgp-peering-address]
[--client-protocol {IkeV2, OpenVPN, SSTP}]
[--custom-routes]
[--edge-zone]
[--edge-zone-vnet-id]
[--gateway-default-site]
[--gateway-type {ExpressRoute, LocalGateway, Vpn}]
[--location]
[--nat-rule]
[--no-wait]
[--peer-weight]
[--public-ip-addresses]
[--radius-secret]
[--radius-server]
[--root-cert-data]
[--root-cert-name]
[--sku {Basic, ErGw1AZ, ErGw2AZ, ErGw3AZ, HighPerformance, Standard, UltraPerformance, VpnGw1, VpnGw1AZ, VpnGw2, VpnGw2AZ, VpnGw3, VpnGw3AZ, VpnGw4, VpnGw4AZ, VpnGw5, VpnGw5AZ}]
[--tags]
[--vpn-auth-type {AAD, Certificate, Radius}]
[--vpn-gateway-generation {Generation1, Generation2}]
[--vpn-type {PolicyBased, RouteBased}]Examples
Create a basic virtual network gateway for site-to-site connectivity.
az network vnet-gateway create -g MyResourceGroup -n MyVnetGateway --public-ip-address MyGatewayIp \
--vnet MyVnet --gateway-type Vpn --sku VpnGw1 --vpn-type RouteBased --no-waitCreate a basic virtual network gateway that provides point-to-site connectivity with a RADIUS secret that matches what is configured on a RADIUS server.
az network vnet-gateway create -g MyResourceGroup -n MyVnetGateway --public-ip-address MyGatewayIp \
--vnet MyVnet --gateway-type Vpn --sku VpnGw1 --vpn-type RouteBased --address-prefixes 40.1.0.0/24 \
--client-protocol IkeV2 SSTP --radius-secret 111_aaa --radius-server 30.1.1.15 --vpn-gateway-generation Generation1Create a basic virtual network gateway with multi authentication
az network vnet-gateway create -g MyResourceGroup -n MyVnetGateway --public-ip-address MyGatewayIp --vnet MyVnet --gateway-type Vpn --sku VpnGw1 --vpn-type RouteBased --address-prefixes 40.1.0.0/24 --client-protocol OpenVPN --radius-secret 111_aaa --radius-server 30.1.1.15 --aad-issuer https://sts.windows.net/00000-000000-00000-0000-000/ --aad-tenant https://login.microsoftonline.com/000 --aad-audience 0000-000 --root-cert-name root-cert --root-cert-data "root-cert.cer" --vpn-auth-type AAD Certificate RadiusCreate a virtual network gateway. (autogenerated)
az network vnet-gateway create --gateway-type Vpn --location westus2 --name MyVnetGateway --no-wait --public-ip-addresses myVGPublicIPAddress --resource-group MyResourceGroup --sku Basic --vnet MyVnet --vpn-type PolicyBasedRequired Parameters
Name of the VNet gateway.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Name or ID of an existing virtual network which has a subnet named 'GatewaySubnet'.
Optional Parameters
The AADAudience ID of the VirtualNetworkGateway.
The AAD Issuer URI of the VirtualNetworkGateway.
The AAD Tenant URI of the VirtualNetworkGateway.
Space-separated list of CIDR prefixes representing the address space for the P2S Vpnclient.
Autonomous System Number to use for the BGP settings.
IP address to use for BGP peering.
Protocols to use for connecting.
Space-separated list of CIDR prefixes representing the custom routes address space specified by the customer for VpnClient.
The name of edge zone.
The Extended vnet resource id of the local gateway.
Name or ID of a local network gateway representing a local network site with default routes.
The gateway type.
Location. Values from: az account list-locations. You can configure the default location using az configure --defaults location=<location>.
VirtualNetworkGatewayNatRule Resource.
Do not wait for the long-running operation to finish.
Weight (0-100) added to routes learned through BGP peering.
Specify a single public IP (name or ID) for an active-standby gateway. Specify two space-separated public IPs for an active-active gateway.
Radius secret to use for authentication.
Radius server address to connect to.
Base64 contents of the root certificate file or file path.
Root certificate name.
VNet gateway SKU.
Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.
VPN authentication types enabled for the virtual network gateway.
The generation for the virtual network gateway. vpn_gateway_generation should not be provided if gateway_type is not Vpn.
VPN routing type.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az network vnet-gateway delete
Delete a virtual network gateway.
In order to delete a Virtual Network Gateway, you must first delete ALL Connection objects in Azure that are connected to the Gateway. After deleting the Gateway, proceed to delete other resources now not in use. For more information, follow the order of instructions on this page: https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-delete-vnet-gateway-portal.
az network vnet-gateway delete [--ids]
[--name]
[--no-wait]
[--resource-group]
[--subscription]Examples
Delete a virtual network gateway.
az network vnet-gateway delete -g MyResourceGroup -n MyVnetGatewayOptional Parameters
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
Name of the VNet gateway.
Do not wait for the long-running operation to finish.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az network vnet-gateway disconnect-vpn-connections
Disconnect vpn connections of virtual network gateway.
az network vnet-gateway disconnect-vpn-connections --vpn-connections
[--ids]
[--name]
[--no-wait]
[--resource-group]
[--subscription]Examples
Disconnect vpn connections of virtual network gateway.
az network vnet-gateway disconnect-vpn-connections -g MyResourceGroup -n MyVnetGateway --vpn-connections MyConnetion1ByName MyConnection2ByIDRequired Parameters
List of Name or ID of VPN connections.
Optional Parameters
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
Name of the VNet gateway.
Do not wait for the long-running operation to finish.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az network vnet-gateway list
List virtual network gateways.
az network vnet-gateway list --resource-groupExamples
List virtual network gateways in a resource group.
az network vnet-gateway list -g MyResourceGroupRequired Parameters
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az network vnet-gateway list-advertised-routes
List the routes of a virtual network gateway advertised to the specified peer.
az network vnet-gateway list-advertised-routes --peer
[--ids]
[--name]
[--resource-group]
[--subscription]Examples
List the routes of a virtual network gateway advertised to the specified peer.
az network vnet-gateway list-advertised-routes -g MyResourceGroup -n MyVnetGateway --peer 23.10.10.9Required Parameters
The IP address of the peer.
Optional Parameters
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
Name of the VNet gateway.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az network vnet-gateway list-bgp-peer-status
Retrieve the status of BGP peers.
az network vnet-gateway list-bgp-peer-status [--ids]
[--name]
[--peer]
[--resource-group]
[--subscription]Examples
Retrieve the status of a BGP peer.
az network vnet-gateway list-bgp-peer-status -g MyResourceGroup -n MyVnetGateway --peer 23.10.10.9Optional Parameters
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
Name of the VNet gateway.
The IP address of the peer to retrieve the status of. Default value is None.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az network vnet-gateway list-learned-routes
This operation retrieves a list of routes the virtual network gateway has learned, including routes learned from BGP peers.
az network vnet-gateway list-learned-routes [--ids]
[--name]
[--resource-group]
[--subscription]Examples
Retrieve a list of learned routes.
az network vnet-gateway list-learned-routes -g MyResourceGroup -n MyVnetGatewayOptional Parameters
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
Name of the VNet gateway.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az network vnet-gateway reset
Reset a virtual network gateway.
az network vnet-gateway reset [--gateway-vip]
[--ids]
[--name]
[--resource-group]
[--subscription]Examples
Reset a virtual network gateway.
az network vnet-gateway reset -g MyResourceGroup -n MyVnetGatewayReset a virtual network gateway with Active-Active feature enabled.
az network vnet-gateway reset -g MyResourceGroup -n MyVnetGateway --gateway-vip MyGatewayIPOptional Parameters
Virtual network gateway vip address supplied to the begin reset of the active-active feature enabled gateway. Default value is None.
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
Name of the VNet gateway.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az network vnet-gateway show
Get the details of a virtual network gateway.
az network vnet-gateway show [--ids]
[--name]
[--resource-group]
[--subscription]Examples
Get the details of a virtual network gateway.
az network vnet-gateway show -g MyResourceGroup -n MyVnetGatewayOptional Parameters
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
Name of the VNet gateway.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az network vnet-gateway show-supported-devices
Get a xml format representation for supported vpn devices.
az network vnet-gateway show-supported-devices [--ids]
[--name]
[--resource-group]
[--subscription]Examples
Get a xml format representation for supported vpn devices.
az network vnet-gateway show-supported-devices -g MyResourceGroup -n MyVnetGatewayOptional Parameters
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
Name of the VNet gateway.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az network vnet-gateway update
Update a virtual network gateway.
az network vnet-gateway update [--aad-audience]
[--aad-issuer]
[--aad-tenant]
[--add]
[--address-prefixes]
[--asn]
[--bgp-peering-address]
[--client-protocol {IkeV2, OpenVPN, SSTP}]
[--custom-routes]
[--enable-bgp {false, true}]
[--force-string]
[--gateway-default-site]
[--gateway-type {ExpressRoute, LocalGateway, Vpn}]
[--ids]
[--name]
[--no-wait]
[--peer-weight]
[--public-ip-addresses]
[--radius-secret]
[--radius-server]
[--remove]
[--resource-group]
[--root-cert-data]
[--root-cert-name]
[--set]
[--sku {Basic, ErGw1AZ, ErGw2AZ, ErGw3AZ, HighPerformance, Standard, UltraPerformance, VpnGw1, VpnGw1AZ, VpnGw2, VpnGw2AZ, VpnGw3, VpnGw3AZ, VpnGw4, VpnGw4AZ, VpnGw5, VpnGw5AZ}]
[--subscription]
[--tags]
[--vnet]
[--vpn-auth-type {AAD, Certificate, Radius}]
[--vpn-type {PolicyBased, RouteBased}]Examples
Change the SKU of a virtual network gateway.
az network vnet-gateway update -g MyResourceGroup -n MyVnetGateway --sku VpnGw2Update a virtual network gateway. (autogenerated)
az network vnet-gateway update --address-prefixes 40.1.0.0/24 --client-protocol IkeV2 --name MyVnetGateway --resource-group MyResourceGroupOptional Parameters
The AADAudience ID of the VirtualNetworkGateway.
The AAD Issuer URI of the VirtualNetworkGateway.
The AAD Tenant URI of the VirtualNetworkGateway.
Add an object to a list of objects by specifying a path and key value pairs. Example: --add property.listProperty <key=value, string or JSON string>.
Space-separated list of CIDR prefixes representing the address space for the P2S Vpnclient.
Autonomous System Number to use for the BGP settings.
IP address to use for BGP peering.
Protocols to use for connecting.
Space-separated list of CIDR prefixes representing the custom routes address space specified by the customer for VpnClient.
Enable BGP (Border Gateway Protocol).
When using 'set' or 'add', preserve string literals instead of attempting to convert to JSON.
Name or ID of a local network gateway representing a local network site with default routes.
The gateway type.
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
Name of the VNet gateway.
Do not wait for the long-running operation to finish.
Weight (0-100) added to routes learned through BGP peering.
Specify a single public IP (name or ID) for an active-standby gateway. Specify two space-separated public IPs for an active-active gateway.
Radius secret to use for authentication.
Radius server address to connect to.
Remove a property or an element from a list. Example: --remove property.list OR --remove propertyToRemove.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Base64 contents of the root certificate file or file path.
Root certificate name.
Update an object by specifying a property path and value to set. Example: --set property1.property2=.
VNet gateway SKU.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Space-separated tags: key[=value] [key[=value] ...]. Use "" to clear existing tags.
Name or ID of a virtual network that contains a subnet named 'GatewaySubnet'.
VPN authentication types enabled for the virtual network gateway.
VPN routing type.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
az network vnet-gateway wait
Place the CLI in a waiting state until a condition of the virtual network gateway is met.
az network vnet-gateway wait [--created]
[--custom]
[--deleted]
[--exists]
[--ids]
[--interval]
[--name]
[--resource-group]
[--subscription]
[--timeout]
[--updated]Examples
Pause CLI until the virtual network gateway is created.
az network vnet-gateway wait -g MyResourceGroup -n MyVnetGateway --createdPlace the CLI in a waiting state until a condition of the virtual network gateway is met. (autogenerated)
az network vnet-gateway wait --name MyVnetGateway --resource-group MyResourceGroup --updatedOptional Parameters
Wait until created with 'provisioningState' at 'Succeeded'.
Wait until the condition satisfies a custom JMESPath query. E.g. provisioningState!='InProgress', instanceView.statuses[?code=='PowerState/running'].
Wait until deleted.
Wait until the resource exists.
One or more resource IDs (space-delimited). It should be a complete resource ID containing all information of 'Resource Id' arguments. You should provide either --ids or other 'Resource Id' arguments.
Polling interval in seconds.
Name of the VNet gateway.
Name of resource group. You can configure the default group using az configure --defaults group=<name>.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Maximum wait in seconds.
Wait until updated with provisioningState at 'Succeeded'.
Increase logging verbosity to show all debug logs.
Show this help message and exit.
Only show errors, suppressing warnings.
Output format.
JMESPath query string. See http://jmespath.org/ for more information and examples.
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Increase logging verbosity. Use --debug for full debug logs.
Feedback
Submit and view feedback for