Create and Manage VPN gateway with the Azure PowerShell module

Azure VPN gateways provide cross-premises connectivity between customer premises and Azure. This tutorial covers basic Azure VPN gateway deployment items such as creating and managing a VPN gateway. You learn how to:

  • Create a VPN gateway
  • Resize a VPN gateway
  • Reset a VPN gateway

The following diagram shows the virtual network and the VPN gateway created as part of this tutorial.

VNet and VPN gateway

Azure Cloud Shell and Azure PowerShell

The Azure Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account. Just click the Copy to copy the code, paste it into the Cloud Shell, and then press enter to run it. There are a few ways to launch the Cloud Shell:

Click Try It in the upper right corner of a code block. Cloud Shell in this article
Open Cloud Shell in your browser.
Click the Cloud Shell button on the menu in the upper right of the Azure portal. Cloud Shell in the portal

If you choose to install and use the PowerShell locally, this tutorial requires the Azure PowerShell module version 5.3 or later. Run Get-Module -ListAvailable AzureRM to find the version. If you need to upgrade, see Install Azure PowerShell module. If you are running PowerShell locally, you also need to run Login-AzureRmAccount to create a connection with Azure.

Common network parameter values

Change the values below based on your environment and network setup.

$RG1         = "TestRG1"
$VNet1       = "VNet1"
$Location1   = "East US"
$FESubnet1   = "FrontEnd"
$BESubnet1   = "Backend"
$GwSubnet1   = "GatewaySubnet"
$VNet1Prefix = ""
$FEPrefix1   = ""
$BEPrefix1   = ""
$GwPrefix1   = ""
$VNet1ASN    = 65010
$DNS1        = ""
$Gw1         = "VNet1GW"
$GwIP1       = "VNet1GWIP"
$GwIPConf1   = "gwipconf1"

Create resource group

Create a resource group with the New-AzureRmResourceGroup command. An Azure resource group is a logical container into which Azure resources are deployed and managed. A resource group must be created first. In the following example, a resource group named TestRG1 is created in the East US region:

New-AzureRmResourceGroup -ResourceGroupName $RG1 -Location $Location1

Create a virtual network

Azure VPN gateway provides cross-premises connectivity and P2S VPN server functionality for your virtual network. Add the VPN gateway to an existing virtual network or create a new virtual network and the gateway. This example creates a new virtual network with three subnets: Frontend, Backend, and GatewaySubnet using New-AzureRmVirtualNetworkSubnetConfig and New-AzureRmVirtualNetwork:

$fesub1 = New-AzureRmVirtualNetworkSubnetConfig -Name $FESubnet1 -AddressPrefix $FEPrefix1
$besub1 = New-AzureRmVirtualNetworkSubnetConfig -Name $BESubnet1 -AddressPrefix $BEPrefix1
$gwsub1 = New-AzureRmVirtualNetworkSubnetConfig -Name $GWSubnet1 -AddressPrefix $GwPrefix1
$vnet   = New-AzureRmVirtualNetwork `
            -Name $VNet1 `
            -ResourceGroupName $RG1 `
            -Location $Location1 `
            -AddressPrefix $VNet1Prefix `
            -Subnet $fesub1,$besub1,$gwsub1

Request a public IP address for the VPN gateway

Azure VPN gateways communicate with your on-premises VPN devices over the Internet to performs IKE (Internet Key Exchange) negotiation and establish IPsec tunnels. Create and assign a public IP address to your VPN gateway as shown in the example below with New-AzureRmPublicIpAddress and New-AzureRmVirtualNetworkGatewayIpConfig:


Currently, you can only use a Dynamic public IP address for the gateway. Static IP address is not supported on Azure VPN gateways.

$gwpip    = New-AzureRmPublicIpAddress -Name $GwIP1 -ResourceGroupName $RG1 `
              -Location $Location1 -AllocationMethod Dynamic
$subnet   = Get-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' `
              -VirtualNetwork $vnet
$gwipconf = New-AzureRmVirtualNetworkGatewayIpConfig -Name $GwIPConf1 `
              -Subnet $subnet -PublicIpAddress $gwpip

Create VPN gateway

A VPN gateway can take 45 minutes or more to create. Once the gateway creation has completed, you can create a connection between your virtual network and another VNet. Or create a connection between your virtual network and an on-premises location. Create a VPN gateway using the New-AzureRmVirtualNetworkGateway cmdlet.

New-AzureRmVirtualNetworkGateway -Name $Gw1 -ResourceGroupName $RG1 `
  -Location $Location1 -IpConfigurations $gwipconf -GatewayType Vpn `
  -VpnType RouteBased -GatewaySku VpnGw1

Key parameter values:

  • GatewayType: Use Vpn for site-to-site and VNet-to-VNet connections
  • VpnType: Use RouteBased to interact with wider range of VPN devices and more routing features
  • GatewaySku: VpnGw1 is the default; change it to VpnGw2 or VpnGw3 if you need higher throughputs or more connections. For more information, see Gateway SKUs.

Once the gateway creation has completed, you can create a connection between your virtual network and another VNet, or create a connection between your virtual network and an on-premises location. You can also configure a P2S connection to your VNet from a client computer.

Resize VPN gateway

You can change the VPN gateway SKU after the gateway is created. Different gateway SKUs support different specifications such as throughputs, number of connections, etc. The following example uses Resize-AzureRmVirtualNetworkGateway to resize your gateway from VpnGw1 to VpnGw2. For more information, see Gateway SKUs.

$gateway = Get-AzureRmVirtualNetworkGateway -Name $Gw1 -ResourceGroup $RG1
Resize-AzureRmVirtualNetworkGateway -GatewaySku VpnGw2 -VirtualNetworkGateway $gateway

Resizing a VPN gateway also takes about 30 to 45 minutes, although this operation will not interrupt or remove existing connections and configurations.

Reset VPN gateway

As part of the troubleshooting steps, you can reset your Azure VPN gateway to force the VPN gateway to restart the IPsec/IKE tunnel configurations. Use Reset-AzureRmVirtualNetworkGateway to reset your gateway.

$gateway = Get-AzureRmVirtualNetworkGateway -Name $Gw1 -ResourceGroup $RG1
Reset-AzureRmVirtualNetworkGateway -VirtualNetworkGateway $gateway

For more information, see Reset a VPN gateway.

Get the gateway public IP address

If you know the name of the public IP address, use Get-AzureRmPublicIpAddress to show the public IP address assigned to the gateway.

$myGwIp = Get-AzureRmPublicIpAddress -Name $GwIP1 -ResourceGroup $RG1

Delete VPN gateway

A complete configuration of cross-premises and VNet-to-VNet connectivity requires multipel resource types in addition to VPN gateway. Delete the connections associated with the VPN gateway before deleting the gateway itself. Once the gateway is deleted, you can then delete the public IP address(es) for the gateway. See Delete a VPN gateway for the detailed steps.

If the gateway is part of a protype or proof-of-conceopt deployment, you can use Remove-AzureRmResourceGroup command to remove the resource group, the VPN gateway, and all related resources.

Remove-AzureRmResourceGroup -Name $RG1

Next steps

In this tutorial, you learned about basic VPN gateway creation and management such as how to:

  • Create a VPN gateway
  • Resize a VPN gateway
  • Reset a VPN gateway

Advance to the following tutorials to learn about S2S, VNet-to-VNet, and P2S connections.