Create a route-based VPN gateway using PowerShell
This article helps you quickly create a route-based Azure VPN gateway using PowerShell. A VPN gateway is used when creating a VPN connection to your on-premises network. You can also use a VPN gateway to connect VNets.
A VPN gateway is just one part of a connection architecture to help you securely access resources within a virtual network.
- The left side of the diagram shows the virtual network and the VPN gateway that you create by using the steps in this article.
- You can later add different types of connections, as shown on the right side of the diagram. For example, you can create site-to-site and point-to-site connections. To view different design architectures that you can build, see VPN gateway design.
Before you begin
The steps in this article will create a VNet, a subnet, a gateway subnet, and a route-based VPN gateway (virtual network gateway). Once the gateway creation has completed, you can then create connections. These steps require an Azure subscription. If you don't have an Azure subscription, create a free account before you begin.
Working with Azure PowerShell
This article uses PowerShell cmdlets. To run the cmdlets, you can use Azure Cloud Shell. Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account.
To open Cloud Shell, just select Open Cloudshell from the upper-right corner of a code block. You can also open Cloud Shell on a separate browser tab by going to https://shell.azure.com/powershell. Select Copy to copy the blocks of code, paste them into Cloud Shell, and select the Enter key to run them.
You can also install and run the Azure PowerShell cmdlets locally on your computer. PowerShell cmdlets are updated frequently. If you haven't installed the latest version, the values specified in the instructions may fail. To find the versions of Azure PowerShell installed on your computer, use the Get-Module -ListAvailable Az cmdlet. To install or update, see Install the Azure PowerShell module.
Create a resource group
Create an Azure resource group with New-AzResourceGroup. A resource group is a logical container into which Azure resources are deployed and managed. If you're running PowerShell locally, open your PowerShell console with elevated privileges and connect to Azure using the Connect-AzAccount command.
New-AzResourceGroup -Name TestRG1 -Location EastUS
Create a virtual network
Create a virtual network with New-AzVirtualNetwork. The following example creates a virtual network named VNet1 in the EastUS location:
$virtualNetwork = New-AzVirtualNetwork `
-ResourceGroupName TestRG1 `
-Location EastUS `
-Name VNet1 `
-AddressPrefix 10.1.0.0/16
Create a subnet configuration using the New-AzVirtualNetworkSubnetConfig cmdlet.
$subnetConfig = Add-AzVirtualNetworkSubnetConfig `
-Name Frontend `
-AddressPrefix 10.1.0.0/24 `
-VirtualNetwork $virtualNetwork
Set the subnet configuration for the virtual network using the Set-AzVirtualNetwork cmdlet.
$virtualNetwork | Set-AzVirtualNetwork
Add a gateway subnet
The gateway subnet contains the reserved IP addresses that the virtual network gateway services use. Use the following examples to add a gateway subnet:
Set a variable for your VNet.
$vnet = Get-AzVirtualNetwork -ResourceGroupName TestRG1 -Name VNet1
Create the gateway subnet using the Add-AzVirtualNetworkSubnetConfig cmdlet.
Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix 10.1.255.0/27 -VirtualNetwork $vnet
Set the subnet configuration for the virtual network using the Set-AzVirtualNetwork cmdlet.
$vnet | Set-AzVirtualNetwork
Request a public IP address
A VPN gateway must have an allocated public IP address. When you create a connection to a VPN gateway, this is the IP address that you specify. Use the following example to request a public IP address:
$gwpip = New-AzPublicIpAddress -Name "VNet1GWIP" -ResourceGroupName "TestRG1" -Location "EastUS" -AllocationMethod Static
Create the gateway IP address configuration
The gateway configuration defines the subnet and the public IP address to use. Use the following example to create your gateway configuration:
$vnet = Get-AzVirtualNetwork -Name VNet1 -ResourceGroupName TestRG1
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
$gwipconfig = New-AzVirtualNetworkGatewayIpConfig -Name gwipconfig1 -SubnetId $subnet.Id -PublicIpAddressId $gwpip.Id
Create the VPN gateway
Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU. Once the gateway has completed, you can create a connection between your virtual network and another VNet. Or, create a connection between your virtual network and an on-premises location. Create a VPN gateway using the New-AzVirtualNetworkGateway cmdlet.
New-AzVirtualNetworkGateway -Name VNet1GW -ResourceGroupName TestRG1 `
-Location "East US" -IpConfigurations $gwipconfig -GatewayType "Vpn" `
-VpnType "RouteBased" -GatewaySku VpnGw2 -VpnGatewayGeneration "Generation2"
View the VPN gateway
You can view the VPN gateway using the Get-AzVirtualNetworkGateway cmdlet.
Get-AzVirtualNetworkGateway -Name Vnet1GW -ResourceGroup TestRG1
View the public IP address
To view the public IP address for your VPN gateway, use the Get-AzPublicIpAddress cmdlet.
Get-AzPublicIpAddress -Name VNet1GWIP -ResourceGroupName TestRG1
Clean up resources
When you no longer need the resources you created, use the Remove-AzResourceGroup command to delete the resource group. This deletes the resource group and all of the resources it contains.
Remove-AzResourceGroup -Name TestRG1
Next steps
Once the gateway has finished creating, you can create a connection between your virtual network and another VNet. Or, create a connection between your virtual network and an on-premises location.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for