Tutorial: Create and manage a VPN gateway using Azure portal

Azure VPN gateways provide cross-premises connectivity between customer premises and Azure. This tutorial covers basic Azure VPN gateway deployment items such as creating and managing a VPN gateway. You can also create a gateway using Azure CLI or Azure PowerShell. If you want to learn more about the configuration settings used in this tutorial, see About VPN Gateway configuration settings.

In this tutorial, you learn how to:

  • Create a virtual network
  • Create a VPN gateway
  • View the gateway public IP address
  • Resize a VPN gateway (resize SKU)
  • Reset a VPN gateway

The following diagram shows the virtual network and the VPN gateway created as part of this tutorial.

VNet and VPN gateway diagram.

Prerequisites

An Azure account with an active subscription. If you don't have one, create one for free.

Create a virtual network

Create a VNet using the following values:

  • Resource group: TestRG1
  • Name: VNet1
  • Region: (US) East US
  • IPv4 address space: 10.1.0.0/16
  • Subnet name: FrontEnd
  • Subnet address space: 10.1.0.0/24
  1. Sign in to the Azure portal.

  2. In Search resources, service, and docs (G+/), type virtual network. Select Virtual network from the Marketplace results to open the Virtual network page.

    Screenshot shows the Azure portal Search bar results and selecting Virtual Network from Marketplace.

  3. On the Virtual network page, click Create. This opens the Create virtual network page.

  4. On the Basics tab, configure the VNet settings for Project details and Instance details. You'll see a green check mark when the values you enter are validated. The values shown in the example can be adjusted according to the settings that you require.

    Screenshot shows the Basics tab.

    • Subscription: Verify that the subscription listed is the correct one. You can change subscriptions by using the drop-down.
    • Resource group: Select an existing resource group, or click Create new to create a new one. For more information about resource groups, see Azure Resource Manager overview.
    • Name: Enter the name for your virtual network.
    • Region: Select the location for your VNet. The location determines where the resources that you deploy to this VNet will live.
  5. Click IP Addresses to advance to the IP Addresses tab. On the IP Addresses tab, configure the settings. The values shown in the example can be adjusted according to the settings that you require.

    Screenshot shows the IP Addresses tab.

    • IPv4 address space: By default, an address space is automatically created. You can click the address space to adjust it to reflect your own values. You can also add more address spaces.
    • Subnet: If you use the default address space, a default subnet is created automatically. If you change the address space, you need to add a subnet. Select + Add subnet to open the Add subnet window. Configure the following settings and then select Add to add the values.
      • Subnet name: In this example, we named the subnet "FrontEnd".
      • Subnet address range: The address range for this subnet.
  6. Click Security to advance to the Security tab. At this time, leave the default values.

    • BastionHost: Disable
    • DDoS Protection Standard: Disable
    • Firewall: Disable
  7. Select Review + create to validate the virtual network settings.

  8. After the settings have been validated, click Create to create the virtual network.

Create a VPN gateway

In this step, you create the virtual network gateway (VPN gateway) for your VNet. Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU.

Create a virtual network gateway using the following values:

  • Name: VNet1GW
  • Region: East US
  • Gateway type: VPN
  • VPN type: Route-based
  • SKU: VpnGw2
  • Generation: Generation 2
  • Virtual network: VNet1
  • Gateway subnet address range: 10.1.255.0/27
  • Public IP address: Create new
  • Public IP address name: VNet1GWpip
  1. In Search resources, services, and docs (G+/) type virtual network gateway. Locate Virtual network gateway in the search results and select it.

    Screenshot of Search field.

  2. On the Virtual network gateways page, select + Create. This opens the Create virtual network gateway page.

    Screenshot of virtual network gateways page with Create highlighted.

  3. On the Basics tab, fill in the values for Project details and Instance details.

    Screenshot of Instance fields.

    • Subscription: Select the subscription you want to use from the dropdown.
    • Resource Group: This setting is autofilled when you select your virtual network on this page.
    • Name: Name your gateway. Naming your gateway not the same as naming a gateway subnet. It's the name of the gateway object you are creating.
    • Region: Select the region in which you want to create this resource. The region for the gateway must be the same as the virtual network.
    • Gateway type: Select VPN. VPN gateways use the virtual network gateway type VPN.
    • VPN type: Select the VPN type that is specified for your configuration. Most configurations require a Route-based VPN type.
    • SKU: Select the gateway SKU you want to use from the dropdown. The SKUs listed in the dropdown depend on the VPN type you select. Make sure to select a SKU that supports the features you want to use. For more information about gateway SKUs, see Gateway SKUs.
    • Generation: Select the generation you want to use. For more information, see Gateway SKUs.
    • Virtual network: From the dropdown, select the virtual network to which you want to add this gateway.
    • Gateway subnet address range: This field only appears if your VNet doesn't have a gateway subnet. It's best to specify /27 or larger (/26,/25 etc.). This allows enough IP addresses for future changes, such as adding an ExpressRoute gateway. We don't recommend creating a range any smaller than /28. If you already have a gateway subnet, you can view GatewaySubnet details by navigating to your virtual network. Click Subnets to view the range. If you want to change the range, you can delete and recreate the GatewaySubnet.
  1. Specify in the values for Public IP address. These settings specify the public IP address object that gets associated to the VPN gateway. The public IP address is dynamically assigned to this object when the VPN gateway is created. The only time the Public IP address changes is when the gateway is deleted and re-created. It doesn't change across resizing, resetting, or other internal maintenance/upgrades of your VPN gateway.

    Screenshot of public IP address field.

    • Public IP address: Leave Create new selected.
    • Public IP address name: In the text box, type a name for your public IP address instance.
    • Assignment: VPN gateway supports only Dynamic.
    • Enable active-active mode: Only select Enable active-active mode if you are creating an active-active gateway configuration. Otherwise, leave this setting Disabled.
    • Leave Configure BGP as Disabled, unless your configuration specifically requires this setting. If you do require this setting, the default ASN is 65515, although this can be changed.
  2. Select Review + create to run validation.

  3. Once validation passes, select Create to deploy the VPN gateway.

A gateway can take 45 minutes or more to fully create and deploy. You can see the deployment status on the Overview page for your gateway. After the gateway is created, you can view the IP address that has been assigned to it by looking at the virtual network in the portal. The gateway appears as a connected device.

Important

When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet. Associating a network security group to this subnet may cause your virtual network gateway (VPN and Express Route gateways) to stop functioning as expected. For more information about network security groups, see What is a network security group?.

View the public IP address

You can view the gateway public IP address on the Overview page for your gateway.

Screenshot of Overview page.

To see additional information about the public IP address object, click the name/IP address link next to Public IP address.

Resize a gateway SKU

There are specific rules regarding resizing vs. changing a gateway SKU. In this section, we will resize the SKU. For more information, see Gateway settings - resizing and changing SKUs.

  1. Go to the Configuration page for your virtual network gateway.

  2. Select the arrows for the dropdown.

    Resize the gateway

  3. Select the SKU from the dropdown.

    Select the SKU

Reset a gateway

  1. In the portal, navigate to the virtual network gateway that you want to reset.

  2. On the page for the virtual network gateway, select Reset.

    Menu - reset gateway

  3. On the Reset page, click Reset. Once the command is issued, the current active instance of the Azure VPN gateway is rebooted immediately. Resetting the gateway will cause a gap in VPN connectivity, and may limit future root cause analysis of the issue.

    Reset gateway

Clean up resources

If you're not going to continue to use this application or go to the next tutorial, delete these resources using the following steps:

  1. Enter the name of your resource group in the Search box at the top of the portal and select it from the search results.

  2. Select Delete resource group.

  3. Enter your resource group for TYPE THE RESOURCE GROUP NAME and select Delete.

Next steps

Once you have a VPN gateway, you can configure connections. The articles below will help you create a few of the most common configurations: