New-AzVirtualNetworkGateway

Creates a Virtual Network Gateway

Syntax

New-AzVirtualNetworkGateway
   -Name <String>
   -ResourceGroupName <String>
   -Location <String>
   [-IpConfigurations <PSVirtualNetworkGatewayIpConfiguration[]>]
   [-GatewayType <String>]
   [-VpnType <String>]
   [-EnableBgp <Boolean>]
   [-EnableActiveActiveFeature]
   [-EnablePrivateIpAddress]
   [-GatewaySku <String>]
   [-GatewayDefaultSite <PSLocalNetworkGateway>]
   [-VpnClientAddressPool <String[]>]
   [-VpnClientProtocol <String[]>]
   [-VpnAuthenticationType <String[]>]
   [-VpnClientRootCertificates <PSVpnClientRootCertificate[]>]
   [-VpnClientRevokedCertificates <PSVpnClientRevokedCertificate[]>]
   [-VpnClientIpsecPolicy <PSIpsecPolicy[]>]
   [-Asn <UInt32>]
   [-PeerWeight <Int32>]
   [-IpConfigurationBgpPeeringAddresses <PSIpConfigurationBgpPeeringAddress[]>]
   [-NatRule <PSVirtualNetworkGatewayNatRule[]>]
   [-EnableBgpRouteTranslationForNat]
   [-Tag <Hashtable>]
   [-Force]
   [-RadiusServerAddress <String>]
   [-RadiusServerSecret <SecureString>]
   [-RadiusServerList <PSRadiusServer[]>]
   [-AadTenantUri <String>]
   [-AadAudienceId <String>]
   [-AadIssuerUri <String>]
   [-CustomRoute <String[]>]
   [-VpnGatewayGeneration <String>]
   [-AsJob]
   [-DefaultProfile <IAzureContextContainer>]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]

Description

The Virtual Network Gateway is the object representing your gateway in Azure. The New-AzVirtualNetworkGateway cmdlet creates the object of your gateway in Azure based on the Name, Resource Group Name, Location, and IP configuration, as well as the Gateway Type and if VPN, the VPN Type. You can also name the Gateway SKU. If this Gateway is being used for Point-to-Site connections, you will also need to include the VPN Client Address Pool from which to assign addresses to connecting clients and the VPN Client Root Certificate used to authenticate VPN clients connecting to the Gateway. You can also choose to include other features like BGP and Active-Active.

Examples

Example 1: Create a Virtual Network Gateway

New-AzResourceGroup -Location "UK West" -Name "vnet-gateway"
$subnet = New-AzVirtualNetworkSubnetConfig -Name 'gatewaysubnet' -AddressPrefix '10.254.0.0/27'

$ngwpip = New-AzPublicIpAddress -Name ngwpip -ResourceGroupName "vnet-gateway" -Location "UK West" -AllocationMethod Dynamic
$vnet = New-AzVirtualNetwork -AddressPrefix "10.254.0.0/27" -Location "UK West" -Name vnet-gateway -ResourceGroupName "vnet-gateway" -Subnet $subnet
$subnet = Get-AzVirtualNetworkSubnetConfig -name 'gatewaysubnet' -VirtualNetwork $vnet
$ngwipconfig = New-AzVirtualNetworkGatewayIpConfig -Name ngwipconfig -SubnetId $subnet.Id -PublicIpAddressId $ngwpip.Id

New-AzVirtualNetworkGateway -Name myNGW -ResourceGroupName vnet-gateway -Location "UK West" -IpConfigurations $ngwIpConfig  -GatewayType "Vpn" -VpnType "RouteBased" -GatewaySku "Basic" -CustomRoute 192.168.0.0/24

The above will create a resource group, request a Public IP Address, create a Virtual Network and subnet and create a Virtual Network Gateway in Azure. The gateway will be called "myNGW" within the resource group "vnet-gateway" in the location "UK West" with the previously created IP configurations saved in the variable "ngwIPConfig," the gateway type of "VPN," the vpn type "RouteBased," and the sku "Basic."

Example 2: Create a Virtual Network Gateway with External Radius Configuration

New-AzResourceGroup -Location "UK West" -Name "vnet-gateway"
New-AzVirtualNetworkSubnetConfig -Name 'gatewaysubnet' -AddressPrefix '10.254.0.0/27'

$ngwpip = New-AzPublicIpAddress -Name ngwpip -ResourceGroupName "vnet-gateway" -Location "UK West" -AllocationMethod Dynamic
$vnet = New-AzVirtualNetwork -AddressPrefix "10.254.0.0/27" -Location "UK West" -Name vnet-gateway -ResourceGroupName "vnet-gateway" -Subnet $subnet
$subnet = Get-AzVirtualNetworkSubnetConfig -name 'gatewaysubnet' -VirtualNetwork $vnet
$ngwipconfig = New-AzVirtualNetworkGatewayIpConfig -Name ngwipconfig -SubnetId $subnet.Id -PublicIpAddressId $ngwpip.Id
$Secure_String_Pwd = ConvertTo-SecureString "TestRadiusServerPassword" -AsPlainText -Force

New-AzVirtualNetworkGateway -Name myNGW -ResourceGroupName vnet-gateway -Location "UK West" -IpConfigurations $ngwIpConfig  -GatewayType "Vpn" -VpnType "RouteBased" -GatewaySku "Basic" -RadiusServerAddress "TestRadiusServer" -RadiusServerSecret $Secure_String_Pwd -CustomRoute 192.168.0.0/24

The above will create a resource group, request a Public IP Address, create a Virtual Network and subnet and create a Virtual Network Gateway in Azure. The gateway will be called "myNGW" within the resource group "vnet-gateway" in the location "UK West" with the previously created IP configurations saved in the variable "ngwIPConfig," the gateway type of "VPN," the vpn type "RouteBased," and the sku "Basic." It also adds an external radius server with address "TestRadiusServer". It will also set custom routes specified by customers on gateway.

Example 3: Create a Virtual Network Gateway with P2S settings

New-AzResourceGroup -Location "UK West" -Name "vnet-gateway"
$subnet = New-AzVirtualNetworkSubnetConfig -Name 'gatewaysubnet' -AddressPrefix '10.254.0.0/27'

$ngwpip = New-AzPublicIpAddress -Name ngwpip -ResourceGroupName "vnet-gateway" -Location "UK West" -AllocationMethod Dynamic
$vnet = New-AzVirtualNetwork -AddressPrefix "10.254.0.0/27" -Location "UK West" -Name vnet-gateway -ResourceGroupName "vnet-gateway" -Subnet $subnet
$subnet = Get-AzVirtualNetworkSubnetConfig -name 'gatewaysubnet' -VirtualNetwork $vnet
$ngwipconfig = New-AzVirtualNetworkGatewayIpConfig -Name ngwipconfig -SubnetId $subnet.Id -PublicIpAddressId $ngwpip.Id
$rootCert = New-AzVpnClientRootCertificate -Name $clientRootCertName -PublicCertData $samplePublicCertData
$vpnclientipsecpolicy = New-AzVpnClientIpsecPolicy -IpsecEncryption AES256 -IpsecIntegrity SHA256 -SALifeTimeSeconds 86471 -SADataSizeKilobytes 429496 -IkeEncryption AES256 -IkeIntegrity SHA384 -DhGroup DHGroup2 -PfsGroup PFS2

New-AzVirtualNetworkGateway -Name myNGW -ResourceGroupName vnet-gateway -Location "UK West" -IpConfigurations $ngwIpConfig  -GatewayType "Vpn" -VpnType "RouteBased" -GatewaySku "VpnGw1" -VpnClientProtocol IkeV2 -VpnClientAddressPool 201.169.0.0/16 -VpnClientRootCertificates $rootCert -VpnClientIpsecPolicy $vpnclientipsecpolicy -CustomRoute 192.168.0.0/24

The above will create a resource group, request a Public IP Address, create a Virtual Network and subnet and create a Virtual Network Gateway with P2S settings e.g. VpnProtocol,VpnClientAddressPool,VpnClientRootCertificates,VpnClientIpsecPolicy etc. in Azure. The gateway will be called "myNGW" within the resource group "vnet-gateway" in the location "UK West" with the previously created IP configurations saved in the variable "ngwIPConfig," the gateway type of "VPN," the vpn type "RouteBased," and the sku "VpnGw1." Vpn settings will be set on Gateway such as VpnProtocol set as Ikev2, VpnClientAddressPool as "201.169.0.0/16", VpnClientRootCertificate set as passed one: clientRootCertName and custom vpn ipsec policy passed in object:$vpnclientipsecpolicy
It will also set custom routes specified by customers on gateway.

Example 4: Create a Virtual Network Gateway with AAD authentication Configuration for VpnClient of virtual network gateway.

New-AzResourceGroup -Location "UK West" -Name "vnet-gateway"
New-AzVirtualNetworkSubnetConfig -Name 'gatewaysubnet' -AddressPrefix '10.254.0.0/27'

$ngwpip = New-AzPublicIpAddress -Name ngwpip -ResourceGroupName "vnet-gateway" -Location "UK West" -AllocationMethod Dynamic
$vnet = New-AzVirtualNetwork -AddressPrefix "10.254.0.0/27" -Location "UK West" -Name vnet-gateway -ResourceGroupName "vnet-gateway" -Subnet $subnet
$subnet = Get-AzVirtualNetworkSubnetConfig -name 'gatewaysubnet' -VirtualNetwork $vnet
$ngwipconfig = New-AzVirtualNetworkGatewayIpConfig -Name ngwipconfig -SubnetId $subnet.Id -PublicIpAddressId $ngwpip.Id
$Secure_String_Pwd = ConvertTo-SecureString "TestRadiusServerPassword" -AsPlainText -Force

New-AzVirtualNetworkGateway -Name myNGW -ResourceGroupName vnet-gateway -Location "UK West" -IpConfigurations $ngwIpConfig  -GatewayType "Vpn" -VpnType "RouteBased" -GatewaySku "VpnGw1" -VpnClientProtocol OpenVPN   -VpnClientAddressPool 201.169.0.0/16 -AadTenantUri "https://login.microsoftonline.com/0ab2c4f4-81e6-44cc-a0b2-b3a47a1443f4" -AadIssuerUri "https://sts.windows.net/0ab2c4f4-81e6-44cc-a0b2-b3a47a1443f4/" -AadAudienceId "a21fce82-76af-45e6-8583-a08cb3b956f9"

The above will create a resource group, request a Public IP Address, create a Virtual Network and subnet and create a Virtual Network Gateway in Azure. The gateway will be called "myNGW" within the resource group "vnet-gateway" in the location "UK West" with the previously created IP configurations saved in the variable "ngwIPConfig," the gateway type of "VPN," the vpn type "RouteBased," and the sku "Basic." It also configures AAD authentication configurations: AadTenantUri, AadIssuerUri and AadAudienceId for VpnClient of virtual network gateway.

Example 5: Create a Virtual Network Gateway with VpnGatewayGeneration

New-AzResourceGroup -Location "UK West" -Name "vnet-gateway"
$subnet = New-AzVirtualNetworkSubnetConfig -Name 'gatewaysubnet' -AddressPrefix '10.254.0.0/27'

$ngwpip = New-AzPublicIpAddress -Name ngwpip -ResourceGroupName "vnet-gateway" -Location "UK West" -AllocationMethod Dynamic
$vnet = New-AzVirtualNetwork -AddressPrefix "10.254.0.0/27" -Location "UK West" -Name vnet-gateway -ResourceGroupName "vnet-gateway" -Subnet $subnet
$subnet = Get-AzVirtualNetworkSubnetConfig -name 'gatewaysubnet' -VirtualNetwork $vnet
$ngwipconfig = New-AzVirtualNetworkGatewayIpConfig -Name ngwipconfig -SubnetId $subnet.Id -PublicIpAddressId $ngwpip.Id

New-AzVirtualNetworkGateway -Name myNGW -ResourceGroupName vnet-gateway -Location "UK West" -IpConfigurations $ngwIpConfig  -GatewayType "Vpn" -VpnType "RouteBased" -GatewaySku "VpnGw4" -VpnGatewayGeneration "Generation2"

The above will create a resource group, request a Public IP Address, create a Virtual Network and subnet and create a Virtual Network Gateway in Azure. The gateway will be called "myNGW" within the resource group "vnet-gateway" in the location "UK West" with the previously created IP configurations saved in the variable "ngwIPConfig," the gateway type of "VPN", the vpn type "RouteBased", the sku "VpnGw4" and VpnGatewayGeneration Generation2 enabled.

Example 6: Create a Virtual Network Gateway with IpConfigurationBgpPeeringAddresses

New-AzResourceGroup -Location "UK West" -Name "resourcegroup1"
$subnet = New-AzVirtualNetworkSubnetConfig -Name 'gatewaysubnet' -AddressPrefix '10.254.0.0/27'

$ngwpip = New-AzPublicIpAddress -Name ngwpip -ResourceGroupName "resourcegroup1" -Location "UK West" -AllocationMethod Dynamic
$vnet = New-AzVirtualNetwork -AddressPrefix "10.254.0.0/27" -Location "UK West" -Name vnet-gateway -ResourceGroupName "resourcegroup1" -Subnet $subnet
$subnet = Get-AzVirtualNetworkSubnetConfig -name 'gatewaysubnet' -VirtualNetwork $vnet
$ngwipconfig = New-AzVirtualNetworkGatewayIpConfig -Name ipconfig1 -SubnetId $subnet.Id -PublicIpAddressId $ngwpip.Id

$ipconfigurationId1 = ngwipconfig.id
$addresslist1 = @('169.254.21.10')
$gw1ipconfBgp1 = New-AzIpConfigurationBgpPeeringAddressObject -IpConfigurationId $ipconfigurationId1 -CustomAddress $addresslist1

New-AzVirtualNetworkGateway -Name gateway1 -ResourceGroupName vnet-gateway -Location "UK West" -IpConfigurations $ngwIpConfig -IpConfigurationBgpPeeringAddresses $gw1ipconfBgp1 -GatewayType "Vpn" -VpnType "RouteBased" -GatewaySku "VpnGw4" -VpnGatewayGeneration "Generation2"

The above will create a resource group, request a Public IP Address, create a Virtual Network and subnet and create a Virtual Network Gateway in Azure. ipconfigurationId1 of gateway ipconfiguration just created and stored in ngwipconfig. The gateway will be called "gateway1" within the resource group "resourcegroup1resourcegroup1" in the location "UK West" with the previously created IP configurations Bgppeering address saved in the variable "gw1ipconfBgp1," the gateway type of "VPN", the vpn type "RouteBased", the sku "VpnGw4" and VpnGatewayGeneration Generation2 enabled.

Example 6: Create a Virtual Network Gateway with NatRules

New-AzResourceGroup -Location "UK West" -Name "resourcegroup1"
$subnet = New-AzVirtualNetworkSubnetConfig -Name 'gatewaysubnet' -AddressPrefix '10.254.0.0/27'

$ngwpip = New-AzPublicIpAddress -Name ngwpip -ResourceGroupName "resourcegroup1" -Location "UK West" -AllocationMethod Dynamic
$vnet = New-AzVirtualNetwork -AddressPrefix "10.254.0.0/27" -Location "UK West" -Name vnet-gateway -ResourceGroupName "resourcegroup1" -Subnet $subnet
$subnet = Get-AzVirtualNetworkSubnetConfig -name 'gatewaysubnet' -VirtualNetwork $vnet
$ngwipconfig = New-AzVirtualNetworkGatewayIpConfig -Name ipconfig1 -SubnetId $subnet.Id -PublicIpAddressId $ngwpip.Id

$natRule = New-AzVirtualNetworkGatewayNatRule -Name "natRule1" -Type "Static" -Mode "IngressSnat" -InternalMapping @("25.0.0.0/16") -ExternalMapping @("30.0.0.0/16")

New-AzVirtualNetworkGateway -Name gateway1 -ResourceGroupName vnet-gateway -Location "UK West" -IpConfigurations $ngwIpConfig -GatewayType "Vpn" -VpnType "RouteBased" -GatewaySku "VpnGw4" -VpnGatewayGeneration "Generation2" -NatRule $natRule -EnableBgpRouteTranslationForNat

The above will create a resource group, request a Public IP Address, create a Virtual Network and subnet and create a Virtual Network Gateway in Azure. ipconfigurationId1 of gateway ipconfiguration just created and stored in ngwipconfig. The gateway will be called "gateway1" within the resource group "resourcegroup1resourcegroup1" in the location "UK West" New virtualNetworkGateway NatRule will be saved in the variable "natRule" the gateway type of "VPN", the vpn type "RouteBased", the sku "VpnGw4" and VpnGatewayGeneration Generation2 enabled and BgpRouteTranslationForNat enabled.

Parameters

-AadAudienceId

P2S AAD authentication option:AadAudienceId.

Type:String
Position:Named
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-AadIssuerUri

P2S AAD authentication option:AadIssuerUri.

Type:String
Position:Named
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-AadTenantUri

P2S AAD authentication option:AadTenantUri.

Type:String
Position:Named
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-AsJob

Run cmdlet in the background

Type:SwitchParameter
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-Asn

The virtual network gateway's ASN for BGP over VPN

Type:UInt32
Position:Named
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-Confirm

Prompts you for confirmation before running the cmdlet.

Type:SwitchParameter
Aliases:cf
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-CustomRoute

Custom routes AddressPool specified by customer

Type:String[]
Position:Named
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-DefaultProfile

The credentials, account, tenant, and subscription used for communication with Azure.

Type:IAzureContextContainer
Aliases:AzContext, AzureRmContext, AzureCredential
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-EnableActiveActiveFeature

Flag to enable Active Active feature on virtual network gateway

Type:SwitchParameter
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-EnableBgp

EnableBgp Flag

Type:Boolean
Position:Named
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-EnableBgpRouteTranslationForNat

Flag to enable BgpRouteTranslationForNat on this VirtualNetworkGateway.

Type:SwitchParameter
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-EnablePrivateIpAddress

Flag to enable private IPAddress on virtual network gateway

Type:SwitchParameter
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-Force

Do not ask for confirmation if you want to overwrite a resource

Type:SwitchParameter
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-GatewayDefaultSite

GatewayDefaultSite

Type:PSLocalNetworkGateway
Position:Named
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-GatewaySku

The Gateway Sku Tier

Type:String
Accepted values:Basic, Standard, HighPerformance, UltraPerformance, VpnGw1, VpnGw2, VpnGw3, VpnGw4, VpnGw5, VpnGw1AZ, VpnGw2AZ, VpnGw3AZ, VpnGw4AZ, VpnGw5AZ, ErGw1AZ, ErGw2AZ, ErGw3AZ
Position:Named
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-GatewayType

The type of this virtual network gateway: Vpn, ExpressRoute

Type:String
Accepted values:Vpn, ExpressRoute
Position:Named
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-IpConfigurationBgpPeeringAddresses

The BgpPeeringAddresses for Virtual network gateway bgpsettings.

Type:PSIpConfigurationBgpPeeringAddress[]
Position:Named
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-IpConfigurations

The IpConfigurations for Virtual network gateway.

Type:PSVirtualNetworkGatewayIpConfiguration[]
Position:Named
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-Location

location.

Type:String
Position:Named
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-Name

The resource name.

Type:String
Aliases:ResourceName
Position:Named
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-NatRule

The NatRules for Virtual network gateway.

Type:PSVirtualNetworkGatewayNatRule[]
Position:Named
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-PeerWeight

The weight added to routes learned over BGP from this virtual network gateway

Type:Int32
Position:Named
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-RadiusServerAddress

P2S External Radius server address.

Type:String
Position:Named
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-RadiusServerList

P2S multiple external Radius server servers.

Type:PSRadiusServer[]
Position:Named
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-RadiusServerSecret

P2S External Radius server secret.

Type:SecureString
Position:Named
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-ResourceGroupName

The resource group name.

Type:String
Position:Named
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-Tag

A hashtable which represents resource tags.

Type:Hashtable
Position:Named
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-VpnAuthenticationType

The list of P2S VPN client authentication types.

Type:String[]
Accepted values:Certificate, Radius, AAD
Position:Named
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-VpnClientAddressPool

P2S VpnClient AddressPool

Type:String[]
Position:Named
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-VpnClientIpsecPolicy

A list of IPSec policies for P2S VPN client tunneling protocols.

Type:PSIpsecPolicy[]
Position:Named
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-VpnClientProtocol

The list of P2S VPN client tunneling protocols

Type:String[]
Accepted values:SSTP, IkeV2, OpenVPN
Position:Named
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-VpnClientRevokedCertificates

The list of VpnClientCertificates to be revoked.

Type:PSVpnClientRevokedCertificate[]
Position:Named
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-VpnClientRootCertificates

The list of VpnClientRootCertificates to be added.

Type:PSVpnClientRootCertificate[]
Position:Named
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-VpnGatewayGeneration

The generation for this VirtualNetwork VPN gateway. Must be None if GatewayType is not VPN.

Type:String
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False
-VpnType

The type of the Vpn:PolicyBased/RouteBased

Type:String
Accepted values:PolicyBased, RouteBased
Position:Named
Default value:None
Accept pipeline input:True
Accept wildcard characters:False
-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:None
Accept pipeline input:False
Accept wildcard characters:False

Inputs

String

PSVirtualNetworkGatewayIpConfiguration[]

Boolean

PSLocalNetworkGateway

String[]

PSVpnClientRootCertificate[]

PSVpnClientRevokedCertificate[]

PSIpsecPolicy[]

UInt32

Int32

PSIpConfigurationBgpPeeringAddress[]

PSVirtualNetworkGatewayNatRule[]

Hashtable

SecureString

PSRadiusServer[]

Outputs

PSVirtualNetworkGateway