Working with VPN Gateway legacy SKUs
This article contains information about the legacy (old) virtual network gateway SKUs. The legacy SKUs still work in both deployment models for VPN gateways that have already been created. Classic VPN gateways continue to use the legacy SKUs, both for existing gateways, and for new gateways. When creating new Resource Manager VPN gateways, use the new gateway SKUs. For information about the new SKUs, see About VPN Gateway.
Legacy gateway SKUs
The legacy (old) VPN Gateway SKUs are:
- Default (Basic)
- Standard
- High Performance
When working with the legacy SKUs, consider the following:
- If you want to use a PolicyBased VPN type, you must use the Basic SKU. PolicyBased VPNs (previously called Static Routing) aren't supported on any other SKU.
- BGP isn't supported on the Basic SKU.
- ExpressRoute-VPN Gateway coexist configurations aren't supported on the Basic SKU.
- Active-active S2S VPN Gateway connections can be configured on the High Performance SKU only.
- VPN Gateway doesn't use the UltraPerformance gateway SKU. For information about the UltraPerformance SKU, see the ExpressRoute documentation.
You can view legacy gateway pricing in the Virtual Network Gateways section, which is located on the ExpressRoute pricing page.
For SKU deprecation, see the SKU deprecation and SKU deprecation FAQs sections of this article.
Estimated aggregate throughput by SKU
The following table shows the gateway types and the estimated aggregate throughput by gateway SKU. This table applies to the Resource Manager and classic deployment models.
Pricing differs between gateway SKUs. For more information, see VPN Gateway Pricing.
Note that the UltraPerformance gateway SKU is not represented in this table. For information about the UltraPerformance SKU, see the ExpressRoute documentation.
| VPN Gateway throughput (1) | VPN Gateway max IPsec tunnels (2) | ExpressRoute Gateway throughput | VPN Gateway and ExpressRoute coexist | |
|---|---|---|---|---|
| Basic SKU (3)(5)(6) | 100 Mbps | 10 | 500 Mbps (6) | No |
| Standard SKU (4)(5) | 100 Mbps | 10 | 1000 Mbps | Yes |
| High Performance SKU (4) | 200 Mbps | 30 | 2000 Mbps | Yes |
(1) The VPN throughput is a rough estimate based on the measurements between VNets in the same Azure region. It is not a guaranteed throughput for cross-premises connections across the Internet. It is the maximum possible throughput measurement.
(2) The number of tunnels refer to RouteBased VPNs. A PolicyBased VPN can only support one Site-to-Site VPN tunnel.
(3) BGP is not supported for the Basic SKU.
(4) PolicyBased VPNs are not supported for this SKU. They are supported for the Basic SKU only.
(5) Active-active S2S VPN Gateway connections are not supported for this SKU. Active-active is supported on the HighPerformance SKU only.
(6) Basic SKU is deprecated for use with ExpressRoute.
Supported configurations by SKU and VPN type
The following table lists the requirements for PolicyBased and RouteBased VPN gateways. This table applies to both the Resource Manager and classic deployment models. For the classic model, PolicyBased VPN gateways are the same as Static gateways, and Route-based gateways are the same as Dynamic gateways.
| PolicyBased Basic VPN Gateway | RouteBased Basic VPN Gateway | RouteBased Standard VPN Gateway | RouteBased High Performance VPN Gateway | |
|---|---|---|---|---|
| Site-to-Site connectivity (S2S) | PolicyBased VPN configuration | RouteBased VPN configuration | RouteBased VPN configuration | RouteBased VPN configuration |
| Point-to-Site connectivity (P2S) | Not supported | Supported (Can coexist with S2S) | Supported (Can coexist with S2S) | Supported (Can coexist with S2S) |
| Authentication method | Pre-shared key | Pre-shared key for S2S connectivity, Certificates for P2S connectivity | Pre-shared key for S2S connectivity, Certificates for P2S connectivity | Pre-shared key for S2S connectivity, Certificates for P2S connectivity |
| Maximum number of S2S connections | 1 | 10 | 10 | 30 |
| Maximum number of P2S connections | Not supported | 128 | 128 | 128 |
| Active routing support (BGP) | Not supported | Not supported | Supported | Supported |
Resize, migrate, and change SKUs
Resize a gateway SKU
Resizing a gateway SKU incurs less downtime and fewer configuration changes than the process to change to a new SKU. However, there are limitations. You can only resize your gateway to a gateway SKU within the same SKU family (except for the Basic SKU).
For example, if you have a Standard SKU, you can resize to a High Performance SKU. However, you can't resize your VPN gateway between the old SKUs and the new SKU families. You can't go from a Standard SKU to a VpnGw2 SKU, or from a Basic SKU to VpnGw1 by resizing. For more information, see Resize a gateway SKU.
Resource Manager
You can resize a gateway for the Resource Manager deployment model using the Azure portal or PowerShell. For PowerShell, use the following command:
$gw = Get-AzVirtualNetworkGateway -Name vnetgw1 -ResourceGroupName testrg
Resize-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -GatewaySku HighPerformance
Classic
To resize a gateway for the classic deployment model, you must use the Service Management PowerShell cmdlets. Use the following command:
Resize-AzureVirtualNetworkGateway -GatewayId <Gateway ID> -GatewaySKU HighPerformance
Migrate a gateway SKU
A gateway SKU migration process is similar to a resize. It requires fewer steps and configuration changes than changing to a new gateway SKU. At this time, gateway SKU migration isn't available. You can migrate a deprecated legacy gateway SKU December 2024 through September 30, 2025. We'll make a migration path available along with detailed documentation.
Change to the new gateway SKUs
Standard and High Performance SKUs will be deprecated September 30, 2025. The product team will make a migration path available for legacy SKUs. See the Legacy SKU deprecation section for more information. You can choose to change from a legacy SKU to one of the new SKUs at any point. However, changing to a new SKU requires more steps than migrating and incurs more downtime.
If you're working with the Resource Manager deployment model, you can change to the new gateway SKUs. When you change from a legacy gateway SKU to a new SKU, you delete the existing VPN gateway and create a new VPN gateway.
Workflow:
- Remove any connections to the virtual network gateway.
- Delete the old VPN gateway.
- Create the new VPN gateway.
- Update your on-premises VPN devices with the new VPN gateway IP address (for Site-to-Site connections).
- Update the gateway IP address value for any VNet-to-VNet local network gateways that connect to this gateway.
- Download new client VPN configuration packages for P2S clients connecting to the virtual network through this VPN gateway.
- Recreate the connections to the virtual network gateway.
Considerations:
- To move to the new SKUs, your VPN gateway must be in the Resource Manager deployment model.
- If you have a classic VPN gateway, you must continue using the older legacy SKUs for that gateway, however, you can resize between the legacy SKUs. You can't change to the new SKUs.
- When you change from a legacy SKU to a new SKU, you'll have connectivity downtime.
- When changing to a new gateway SKU, the public IP address for your VPN gateway changes. This happens even if you specified the same public IP address object that you used previously.
SKU deprecation
The Standard and High Performance SKUs will be deprecated on September 30, 2025. The product team will make a migration path available for these SKUs by November 30, 2024. At this time, there's no action that you need to take.
- View the Announcement
- See the SKU deprecation FAQs
When the migration path becomes available, you can migrate your legacy SKUs to the following SKUs:
- Standard SKU: -> VpnGw1
- High Performance SKU: -> VpnGw2
There are no price changes if you migrate to Standard (VpnGw1) and High Performance (VpnGw2) gateways. As a benefit, there's a performance improvement after migrating:
- Standard SKU: 6.5x
- High Performance SKU: 5x
If you don't migrate your gateway SKUs by September 30, 2025, your gateway will be automatically migrated and upgraded to an AZ gateway SKU:
- Standard SKU: -> VpnGw1AZ
- High Performance SKU: -> VpnGw2AZ
Important Dates:
- December 1, 2023: No new gateway creations are possible using Standard or High Performance SKUs.
- November 30, 2024: Begin migrating gateways to other SKUs.
- September 30, 2025: Standard/High Performance SKUs will be retired and remaining deprecated legacy gateways will be automatically migrated and upgraded to AZ SKUs.
SKU deprecation FAQs
Can I create a new Standard/High Performance SKU after the deprecation announcement on November 30, 2023?
No. Starting December 1, 2023 you can't create new gateways with Standard or High Performance SKUs. You can create new gateways using VpnGw1 and VpnGw2 for the same price as the Standard and High Performance SKUs, listed respectively on our pricing page.
How long will my existing gateways be supported on Standard/High Performance SKUs?
All existing gateways using Standard or High Performance SKUs will be supported until September 30, 2025.
Do I need to migrate my Standard/High Performance gateway SKUs right now?
No, there's no action required right now. You'll be able to migrate your SKUs starting December 2024. We'll send communication with detailed documentation about the migration steps.
Which SKU can I migrate my gateway to?
When gateway SKU migration becomes available, SKUs can be migrated as follows:
- Standard -> VpnGw1
- High Performance -> VpnGw2
What if I want to migrate to an AZ SKU?
You can't migrate your legacy SKU to an AZ SKU. However, note that all gateways that are still using Standard or High Performance SKUs after September 30, 2025 will be migrated and upgraded automatically to the following SKUs:
- Standard -> VpnGw1AZ
- High Performance -> VpnGw2AZ
You can use this strategy to have your SKUs automatically migrated and upgraded to an AZ SKU. You can then resize your SKU within that SKU family if necessary. See our pricing page for AZ SKU pricing. For throughput information by SKU, see About gateway SKUs.
Will there be any pricing difference for my gateways after migration?
If you migrate your SKUs by September 30, 2025, there will be no pricing difference. VpnGw1 and VpnGw2 SKUs are offered at the same price as Standard and High Performance SKUs, respectively. If you don't migrate by that date, your SKUs will automatically be migrated and upgraded to AZ SKUs. In that case, there's a pricing difference.
Will there be any performance impact on my gateways with this migration?
Yes, you get better performance with VpnGw1 and VpnGw2. Currently, VpnGw1 at 650 Mbps provides a 6.5x and VpnGw2 at 1 Gbps provides a 5x performance improvement at the same price as the legacy Standard and High Performance gateways, respectively. For more SKU throughput information, see About gateway SKUs.
What happens if I don't migrate SKUs by September 30, 2025?
All gateways that are still using Standard or High Performance SKUs will be migrated automatically and upgraded to the following AZ SKUs:
- Standard -> VpnGw1AZ
- High Performance -> VpnGw2AZ
Final communication will be sent before initiating migration on any gateways.
Is VPN Gateway Basic SKU retiring as well?
No, the VPN Gateway Basic SKU is here to stay. You can create a VPN gateway using the Basic gateway SKU via PowerShell or CLI. Currently, VPN Gateway Basic gateway SKUs only support the Basic SKU public IP address resource (which is on a path to retirement). We're working on adding support to the VPN Gateway Basic gateway SKU for the Standard SKU public IP address resource.
Next steps
For more information about the new Gateway SKUs, see Gateway SKUs.
For more information about configuration settings, see About VPN Gateway configuration settings.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for