Working with virtual network gateway SKUs (legacy SKUs)
This article contains information about the legacy (old) virtual network gateway SKUs. The legacy SKUs still work in both deployment models for VPN gateways that have already been created. Classic VPN gateways continue to use the legacy SKUs, both for existing gateways, and for new gateways. When creating new Resource Manager VPN gateways, use the new gateway SKUs. For information about the new SKUs, see About VPN Gateway.
The legacy (old) VPN gateway SKUs are:
VPN Gateway does not use the UltraPerformance gateway SKU. For information about the UltraPerformance SKU, see the ExpressRoute documentation.
When working with the legacy SKUs, consider the following:
- If you want to use a PolicyBased VPN type, you must use the Basic SKU. PolicyBased VPNs (previously called Static Routing) are not supported on any other SKU.
- BGP is not supported on the Basic SKU.
- ExpressRoute-VPN Gateway coexist configurations are not supported on the Basic SKU.
- Active-active S2S VPN Gateway connections can be configured on the HighPerformance SKU only.
Estimated aggregate throughput by SKU
The following table shows the gateway types and the estimated aggregate throughput by gateway SKU. This table applies to the Resource Manager and classic deployment models.
Pricing differs between gateway SKUs. For more information, see VPN Gateway Pricing.
Note that the UltraPerformance gateway SKU is not represented in this table. For information about the UltraPerformance SKU, see the ExpressRoute documentation.
|VPN Gateway throughput (1)||VPN Gateway max IPsec tunnels (2)||ExpressRoute Gateway throughput||VPN Gateway and ExpressRoute coexist|
|Basic SKU (3)(5)(6)||100 Mbps||10||500 Mbps (6)||No|
|Standard SKU (4)(5)||100 Mbps||10||1000 Mbps||Yes|
|High Performance SKU (4)||200 Mbps||30||2000 Mbps||Yes|
(1) The VPN throughput is a rough estimate based on the measurements between VNets in the same Azure region. It is not a guaranteed throughput for cross-premises connections across the Internet. It is the maximum possible throughput measurement.
(2) The number of tunnels refer to RouteBased VPNs. A PolicyBased VPN can only support one Site-to-Site VPN tunnel.
(3) BGP is not supported for the Basic SKU.
(4) PolicyBased VPNs are not supported for this SKU. They are supported for the Basic SKU only.
(5) Active-active S2S VPN Gateway connections are not supported for this SKU. Active-active is supported on the HighPerformance SKU only.
(6) Basic SKU is deprecated for use with ExpressRoute.
Supported configurations by SKU and VPN type
The following table lists the requirements for PolicyBased and RouteBased VPN gateways. This table applies to both the Resource Manager and classic deployment models. For the classic model, PolicyBased VPN gateways are the same as Static gateways, and Route-based gateways are the same as Dynamic gateways.
|PolicyBased Basic VPN Gateway||RouteBased Basic VPN Gateway||RouteBased Standard VPN Gateway||RouteBased High Performance VPN Gateway|
|Site-to-Site connectivity (S2S)||PolicyBased VPN configuration||RouteBased VPN configuration||RouteBased VPN configuration||RouteBased VPN configuration|
|Point-to-Site connectivity (P2S)||Not supported||Supported (Can coexist with S2S)||Supported (Can coexist with S2S)||Supported (Can coexist with S2S)|
|Authentication method||Pre-shared key||Pre-shared key for S2S connectivity, Certificates for P2S connectivity||Pre-shared key for S2S connectivity, Certificates for P2S connectivity||Pre-shared key for S2S connectivity, Certificates for P2S connectivity|
|Maximum number of S2S connections||1||10||10||30|
|Maximum number of P2S connections||Not supported||128||128||128|
|Active routing support (BGP)||Not supported||Not supported||Supported||Supported|
Resize a gateway (change a gateway SKU)
You can resize a gateway SKU within the same SKU family. For example, if you have a Standard SKU, you can resize to a HighPerformance SKU. You can't resize your VPN gateways between the old SKUs and the new SKU families. For example, you can't go from a Standard SKU to a VpnGw2 SKU.
To resize a gateway SKU for the classic deployment model, use the following command:
Resize-AzureVirtualNetworkGateway -GatewayId <Gateway ID> -GatewaySKU HighPerformance
To resize a gateway SKU for the Resource Manager deployment model, use the following command:
$gw = Get-AzureRmVirtualNetworkGateway -Name vnetgw1 -ResourceGroupName testrg Resize-AzureRmVirtualNetworkGateway -VirtualNetworkGateway $gw -GatewaySku HighPerformance
Migrate to the new gateway SKUs
If you are working with the Resource Manager deployment model, you can migrate to the new gateway SKUS. If you are working with the classic deployment model, you can't migrate to the new SKUs and must instead continue to use the legacy SKUs.
- The VPN gateway Public IP address will change when migrating from an old SKU to a new SKU.
- You can't migrate classic VPN gateways to the new SKUs. Classic VPN gateways can only use the legacy (old) SKUs.
You can't resize your Azure VPN gateways between the old SKUs and the new SKU families. If you have VPN gateways in the Resource Manager deployment model that are using the older version of the SKUs, you can migrate to the new SKUs. To migrate, you delete the existing VPN gateway for your virtual network, then create a new one.
- Remove any connections to the virtual network gateway.
- Delete the old VPN gateway.
- Create the new VPN gateway.
- Update your on-premises VPN devices with the new VPN gateway IP address (for Site-to-Site connections).
- Update the gateway IP address value for any VNet-to-VNet local network gateways that will connect to this gateway.
- Download new client VPN configuration packages for P2S clients connecting to the virtual network through this VPN gateway.
- Recreate the connections to the virtual network gateway.
For more information about the new Gateway SKUs, see Gateway SKUs.
For more information about configuration settings, see About VPN Gateway configuration settings.