About gateway SKUs
When you create a VPN Gateway virtual network gateway, you specify the gateway SKU that you want to use. This article describes the factors that you should take into consideration when selecting a gateway SKU. If you're looking for information about ExpressRoute gateway SKUs, see Virtual network gateways for ExpressRoute. For Virtual WAN gateways, see Virtual WAN gateway settings.
When you configure a virtual network gateway SKU, select the SKU that satisfies your requirements based on the types of workloads, throughput, features, and SLAs. The following sections show the relevant information that you should use when deciding.
Note
We're simplifying our VPN Gateway SKU portfolio and will be transitioning all non availability zone (AZ) supported SKUs to AZ supported SKUs. For more information and timelines, see VPN Gateway SKU consolidation and migration.
Gateway SKUs by tunnel, connection, and throughput
| VPN Gateway Generation |
SKU | S2S/VNet-to-VNet Tunnels |
P2S SSTP Connections |
P2S IKEv2/OpenVPN Connections |
Aggregate Throughput Benchmark |
BGP | Zone-redundant | Supported Number of VMs in the Virtual Network |
|---|---|---|---|---|---|---|---|---|
| Generation1 | Basic | Max. 10 | Max. 128 | Not Supported | 100 Mbps | Not Supported | No | 200 |
| Generation1 | VpnGw1 | Max. 30 | Max. 128 | Max. 250 | 650 Mbps | Supported | No | 450 |
| Generation1 | VpnGw2 | Max. 30 | Max. 128 | Max. 500 | 1 Gbps | Supported | No | 1300 |
| Generation1 | VpnGw3 | Max. 30 | Max. 128 | Max. 1000 | 1.25 Gbps | Supported | No | 4000 |
| Generation1 | VpnGw1AZ | Max. 30 | Max. 128 | Max. 250 | 650 Mbps | Supported | Yes | 1000 |
| Generation1 | VpnGw2AZ | Max. 30 | Max. 128 | Max. 500 | 1 Gbps | Supported | Yes | 2000 |
| Generation1 | VpnGw3AZ | Max. 30 | Max. 128 | Max. 1000 | 1.25 Gbps | Supported | Yes | 5000 |
| Generation2 | VpnGw2 | Max. 30 | Max. 128 | Max. 500 | 1.25 Gbps | Supported | No | 685 |
| Generation2 | VpnGw3 | Max. 30 | Max. 128 | Max. 1000 | 2.5 Gbps | Supported | No | 2240 |
| Generation2 | VpnGw4 | Max. 100* | Max. 128 | Max. 5000 | 5 Gbps | Supported | No | 5300 |
| Generation2 | VpnGw5 | Max. 100* | Max. 128 | Max. 10000 | 10 Gbps | Supported | No | 6700 |
| Generation2 | VpnGw2AZ | Max. 30 | Max. 128 | Max. 500 | 1.25 Gbps | Supported | Yes | 2000 |
| Generation2 | VpnGw3AZ | Max. 30 | Max. 128 | Max. 1000 | 2.5 Gbps | Supported | Yes | 3300 |
| Generation2 | VpnGw4AZ | Max. 100* | Max. 128 | Max. 5000 | 5 Gbps | Supported | Yes | 4400 |
| Generation2 | VpnGw5AZ | Max. 100* | Max. 128 | Max. 10000 | 10 Gbps | Supported | Yes | 9000 |
(*) If you need more than 100 S2S VPN tunnels, use Virtual WAN instead of VPN Gateway.
Additional information
Because Basic SKU public IP addresses are announced to retire September 30, 2025, we're no longer permitting new gateways to be created using Basic SKU public IP addresses. Starting December 1, 2023, when you create a new VPN gateway, you must use a Standard SKU public IP address. This limitation doesn't apply to new gateways that you create using the VPN Gateway Basic gateway SKU. You can still create a Basic SKU VPN gateway that uses a Basic SKU public IP address.
The Basic gateway SKU doesn't support IPv6 and can only be configured using PowerShell or Azure CLI. Additionally, the Basic gateway SKU doesn't support RADIUS authentication.
These connection limits are separate. For example, you can have 128 SSTP connections and also 250 IKEv2 connections on a VpnGw1 SKU.
If you have numerous P2S connections, it can negatively impact your S2S connections. The Aggregate Throughput Benchmarks were tested by maximizing a combination of S2S and P2S connections. A single P2S or S2S connection can have a much lower throughput.
See the Pricing page for pricing information.
See the SLA page for SLA (Service Level Agreement) information.
All benchmarks aren't guaranteed due to Internet traffic conditions and your application behaviors.
Gateway SKUs by performance
The table in this section lists the results of performance tests for VpnGw SKUs. A VPN tunnel connects to a VPN gateway instance. Each instance throughput is mentioned in the throughput table in the previous section and is available aggregated across all tunnels connecting to that instance. The table shows the observed bandwidth and packets per second throughput per tunnel for the different gateway SKUs. All testing was performed between gateways (endpoints) within Azure across different regions with 100 connections and under standard load conditions. We used publicly available iPerf and CTSTraffic tools to measure performances for site-to-site connections
- The best performance was obtained when we used the GCMAES256 algorithm for both IPsec Encryption and Integrity.
- Average performance was obtained when using AES256 for IPsec Encryption and SHA256 for Integrity.
- The lowest performance was obtained when we used DES3 for IPsec Encryption and SHA256 for Integrity.
| Generation | SKU | Algorithms used |
Throughput observed per tunnel |
Packets per second per tunnel observed |
|---|---|---|---|---|
| Generation1 | VpnGw1 | GCMAES256 AES256 & SHA256 DES3 & SHA256 |
650 Mbps 500 Mbps 130 Mbps |
62,000 47,000 12,000 |
| Generation1 | VpnGw2 | GCMAES256 AES256 & SHA256 DES3 & SHA256 |
1.2 Gbps 650 Mbps 140 Mbps |
100,000 61,000 13,000 |
| Generation1 | VpnGw3 | GCMAES256 AES256 & SHA256 DES3 & SHA256 |
1.25 Gbps 700 Mbps 140 Mbps |
120,000 66,000 13,000 |
| Generation1 | VpnGw1AZ | GCMAES256 AES256 & SHA256 DES3 & SHA256 |
650 Mbps 500 Mbps 130 Mbps |
62,000 47,000 12,000 |
| Generation1 | VpnGw2AZ | GCMAES256 AES256 & SHA256 DES3 & SHA256 |
1.2 Gbps 650 Mbps 140 Mbps |
110,000 61,000 13,000 |
| Generation1 | VpnGw3AZ | GCMAES256 AES256 & SHA256 DES3 & SHA256 |
1.25 Gbps 700 Mbps 140 Mbps |
120,000 66,000 13,000 |
| Generation2 | VpnGw2 | GCMAES256 AES256 & SHA256 DES3 & SHA256 |
1.25 Gbps 550 Mbps 130 Mbps |
120,000 52,000 12,000 |
| Generation2 | VpnGw3 | GCMAES256 AES256 & SHA256 DES3 & SHA256 |
1.5 Gbps 700 Mbps 140 Mbps |
140,000 66,000 13,000 |
| Generation2 | VpnGw4 | GCMAES256 AES256 & SHA256 DES3 & SHA256 |
2.3 Gbps 700 Mbps 140 Mbps |
220,000 66,000 13,000 |
| Generation2 | VpnGw5 | GCMAES256 AES256 & SHA256 DES3 & SHA256 |
2.3 Gbps 700 Mbps 140 Mbps |
220,000 66,000 13,000 |
| Generation2 | VpnGw2AZ | GCMAES256 AES256 & SHA256 DES3 & SHA256 |
1.25 Gbps 550 Mbps 130 Mbps |
120,000 52,000 12,000 |
| Generation2 | VpnGw3AZ | GCMAES256 AES256 & SHA256 DES3 & SHA256 |
1.5 Gbps 700 Mbps 140 Mbps |
140,000 66,000 13,000 |
| Generation2 | VpnGw4AZ | GCMAES256 AES256 & SHA256 DES3 & SHA256 |
2.3 Gbps 700 Mbps 140 Mbps |
220,000 66,000 13,000 |
| Generation2 | VpnGw5AZ | GCMAES256 AES256 & SHA256 DES3 & SHA256 |
2.3 Gbps 700 Mbps 140 Mbps |
220,000 66,000 13,000 |
Gateway SKUs by feature set
| SKU | Features |
|---|---|
| Basic (**) | Route-based VPN: 10 tunnels for S2S/connections; no RADIUS authentication for P2S; no IKEv2 for P2S Policy-based VPN: (IKEv1): 1 S2S/connection tunnel; no P2S |
| All Generation1 and Generation2 SKUs except Basic | Route-based VPN: up to 100 tunnels (*), P2S, BGP, active-active, custom IPsec/IKE policy, ExpressRoute/VPN coexistence |
(*) You can configure "PolicyBasedTrafficSelectors" to connect a route-based VPN gateway to multiple on-premises policy-based firewall devices. Refer to Connect VPN gateways to multiple on-premises policy-based VPN devices using PowerShell for details.
(**) The Basic SKU has certain feature and performance limitations and shouldn't be used for production purposes. Verify that the feature that you need is supported before you use the Basic SKU. The Basic SKU doesn't support IPv6 and can only be configured using PowerShell or Azure CLI. Additionally, the Basic SKU doesn't support RADIUS authentication.
Gateway SKUs - Production vs. Dev-Test workloads
Due to the differences in SLAs and feature sets, we recommend the following SKUs for production vs. dev-test:
| Workload | SKUs |
|---|---|
| Production, critical workloads | All Generation1 and Generation2 SKUs, except Basic |
| Dev-test or proof of concept | Basic (**) |
(**) The Basic SKU has certain feature and performance limitations and shouldn't be used for production purposes. Verify that the feature that you need is supported before you use the Basic SKU. The Basic SKU doesn't support IPv6 and can only be configured using PowerShell or Azure CLI. Additionally, the Basic SKU doesn't support RADIUS authentication.
If you're using the old SKUs (legacy), the production SKU recommendations are Standard and HighPerformance. For information and instructions for old SKUs, see Gateway SKUs (legacy).
About legacy SKUs
For information about working with the legacy gateway SKUs (Standard and High Performance), including SKU deprecation, see Managing legacy gateway SKUs.
Specify a SKU
You specify the gateway SKU when you create your VPN Gateway. See the following article for steps:
Change or resize a SKU
Note
If you're working with a legacy gateway SKU (Standard and High Performance), see Managing Legacy gateway SKUs.
When you want to move to another SKU, there are multiple methods to choose from. The method you choose depends on the gateway SKU that you're starting from.
Resize a SKU: When you resize a SKU, you incur very little downtime. You don't need to follow a workflow to resize a SKU. You can resize a SKU quickly and easily in the Azure portal. Or, you can use PowerShell or the Azure CLI. You don't need to reconfigure your VPN device or your P2S clients.
Change a SKU: If you can't resize your SKU, you can change your SKU using a specific Workflow. Changing a SKU incurs more downtime than resizing. Additionally, there are multiple resources that need to be reconfigured when using this method.
Considerations
There are many things to consider when moving to a new gateway SKU. This section outlines the main items and also provides a table that helps you select the best method to use.
- You can't resize to downgrade a SKU.
- You can't resize a legacy SKU to one of the newer Azure SKUs (VpnGw1, VpnGw2AZ etc.) Legacy SKUs for the Resource Manager deployment model are: Standard, and High Performance. You must instead, change the SKU.
- You can resize a gateway SKU as long as it is in the same generation, except for the Basic SKU.
- You can change a Basic SKU to another SKU.
- When you change from a legacy SKU to a new SKU, you'll have connectivity downtime.
- When you change to a new gateway SKU, the public IP address for your VPN gateway changes. This happens even if you specified the same public IP address object that you used previously.
- If you have a classic VPN gateway, you must continue using the older legacy SKUs for that gateway. However, you can resize between the legacy SKUs available for classic gateways. You can't change to the new SKUs.
- Standard and High Performance legacy SKUs are being deprecated. See Legacy SKU deprecation for SKU migration and upgrade timelines.
The following table helps you understand the required method to move from one SKU to another.
| Starting SKU | Target SKU | Resize | Change |
|---|---|---|---|
| Basic SKU | Any other SKU | No | Yes |
| Standard SKU | New Azure SKUs | No | Yes |
| Standard SKU | HighPerformance SKU | No | Not required |
| HighPerformance | New Azure SKUs | No | Yes |
| Generation 1 SKU | Generation 1 SKU | Yes | Not required |
| Generation 1 SKU | Generation 1 AZ SKU | No | Yes |
| Generation 1 AZ SKU | Generation 1 AZ SKU | Yes | Not required |
| Generation 1 AZ SKU | Generation 2 AZ SKU | No | Yes |
| Generation 2 SKU | Generation 2 SKU | Yes | Not required |
| Generation 2 SKU | Generation 2 AZ SKU | No | Yes |
| Generation 2 AZ SKU | Generation 2 AZ SKU | Yes | Not required |
Next steps
For more information about available connection configurations, see About VPN Gateway.