Working with virtual network gateway SKUs (old SKUs)

This article contains information about the old virtual network gateway SKUs. For information on the current SKUs, see About VPN Gateway.

Gateway SKUs

The old VPN gateway SKUs are:

  • Basic
  • Standard
  • HighPerformance

VPN Gateway does not use the UltraPerformance gateway SKU. For information about the UltraPerformance SKU, see the ExpressRoute documentation.

When working with the old SKUs, consider the following:

  • If you want to use a PolicyBased VPN type, you must use the Basic SKU. PolicyBased VPNs (previously called Static Routing) are not supported on any other SKU.
  • BGP is not supported on the Basic SKU.
  • ExpressRoute-VPN Gateway coexist configurations are not supported on the Basic SKU.
  • Active-active S2S VPN Gateway connections can be configured on the HighPerformance SKU only.

Estimated aggregate throughput by SKU

The following table shows the gateway types and the estimated aggregate throughput by gateway SKU. This table applies to the Resource Manager and classic deployment models.

Pricing differs between gateway SKUs. For more information, see VPN Gateway Pricing.

Note that the UltraPerformance gateway SKU is not represented in this table. For information about the UltraPerformance SKU, see the ExpressRoute documentation.

VPN Gateway throughput (1) VPN Gateway max IPsec tunnels (2) ExpressRoute Gateway throughput VPN Gateway and ExpressRoute coexist
Basic SKU (3)(5)(6) 100 Mbps 10 500 Mbps (6) No
Standard SKU (4)(5) 100 Mbps 10 1000 Mbps Yes
High Performance SKU (4) 200 Mbps 30 2000 Mbps Yes

(1) The VPN throughput is a rough estimate based on the measurements between VNets in the same Azure region. It is not a guaranteed throughput for cross-premises connections across the Internet. It is the maximum possible throughput measurement.

(2) The number of tunnels refer to RouteBased VPNs. A PolicyBased VPN can only support one Site-to-Site VPN tunnel.

(3) BGP is not supported for the Basic SKU.

(4) PolicyBased VPNs are not supported for this SKU. They are supported for the Basic SKU only.

(5) Active-active S2S VPN Gateway connections are not supported for this SKU. Active-active is supported on the HighPerformance SKU only.

(6) Basic SKU is deprecated for use with ExpressRoute.

Supported configurations by SKU and VPN type

The following table lists the requirements for PolicyBased and RouteBased VPN gateways. This table applies to both the Resource Manager and classic deployment models. For the classic model, PolicyBased VPN gateways are the same as Static gateways, and Route-based gateways are the same as Dynamic gateways.

PolicyBased Basic VPN Gateway RouteBased Basic VPN Gateway RouteBased Standard VPN Gateway RouteBased High Performance VPN Gateway
Site-to-Site connectivity (S2S) PolicyBased VPN configuration RouteBased VPN configuration RouteBased VPN configuration RouteBased VPN configuration
Point-to-Site connectivity (P2S) Not supported Supported (Can coexist with S2S) Supported (Can coexist with S2S) Supported (Can coexist with S2S)
Authentication method Pre-shared key Pre-shared key for S2S connectivity, Certificates for P2S connectivity Pre-shared key for S2S connectivity, Certificates for P2S connectivity Pre-shared key for S2S connectivity, Certificates for P2S connectivity
Maximum number of S2S connections 1 10 10 30
Maximum number of P2S connections Not supported 128 128 128
Active routing support (BGP) Not supported Not supported Supported Supported

Migrating to the new gateway SKUs

Note

The VPN Gateway Public IP address will change when migrating from an old SKU to a new SKU.

You can't resize your Azure VPN gateways directly between the old SKUs and the new SKU families. If you have VPN gateways in the Resource Manager deployment model that are using the older version of the SKUs, you can migrate to the new SKUs. To migrate, you delete the existing VPN gateway for your virtual network, then create a new one.

Migration workflow:

  1. Remove any connections to the virtual network gateway.
  2. Delete the old VPN gateway.
  3. Create the new VPN gateway.
  4. Update your on-premises VPN devices with the new VPN gateway IP address (for Site-to-Site connections).
  5. Update the gateway IP address value for any VNet-to-VNet local network gateways that will connect to this gateway.
  6. Download new client VPN configuration packages for P2S clients connecting to the virtual network through this VPN gateway.
  7. Recreate the connections to the virtual network gateway.

For more information about the new Gateway SKUs, see Gateway SKUs.