Tutorial – Create & manage a VPN gateway – Azure portal - Azure VPN Gateway (2024)

Table of Contents
In this article Prerequisites Create a virtual network Create a gateway subnet Create a VPN gateway View the public IP address Resize a gateway SKU Reset a gateway Clean up resources Next steps FAQs
  • Article

This tutorial helps you create and manage a virtual network gateway (VPN gateway) by using the Azure portal. The VPN gateway is just one part of a connection architecture to help you securely access resources within a virtual network.

  • The left side of the diagram shows the virtual network and the VPN gateway that you create by using the steps in this article.
  • You can later add different types of connections, as shown on the right side of the diagram. For example, you can create site-to-site and point-to-site connections. To view different design architectures that you can build, see VPN gateway design.

If you want to learn more about the configuration settings used in this tutorial, see About VPN Gateway configuration settings. For more information about Azure VPN Gateway, see What is Azure VPN Gateway.

In this tutorial, you learn how to:

  • Create a virtual network.
  • Create a VPN gateway.
  • View the gateway public IP address.
  • Resize a VPN gateway (resize SKU).
  • Reset a VPN gateway.

Prerequisites

You need an Azure account with an active subscription. If you don't have one, create one for free.

Create a virtual network

Create a virtual network by using the following values:

  • Resource group: TestRG1
  • Name: VNet1
  • Region: (US) East US
  • IPv4 address space: 10.1.0.0/16
  • Subnet name: FrontEnd
  • Subnet address space: 10.1.0.0/24

  1. Sign in to the Azure portal.

  2. In Search resources, service, and docs (G+/) at the top of the portal page, enter virtual network. Select Virtual network from the Marketplace search results to open the Virtual network page.

  3. On the Virtual network page, select Create to open the Create virtual network page.

  4. On the Basics tab, configure the virtual network settings for Project details and Instance details. You see a green check mark when the values you enter are validated. You can adjust the values shown in the example according to the settings that you require.

    • Subscription: Verify that the subscription listed is the correct one. You can change subscriptions by using the dropdown box.
    • Resource group: Select an existing resource group or select Create new to create a new one. For more information about resource groups, see Azure Resource Manager overview.
    • Name: Enter the name for your virtual network.
    • Region: Select the location for your virtual network. The location determines where the resources that you deploy to this virtual network will reside.

  5. Select Next or Security to go to the Security tab. For this exercise, leave the default values for all the services on this page.

  6. Select IP Addresses to go to the IP Addresses tab. On the IP Addresses tab, configure the settings.

    See Also
    Building a POC for TLS inspection in Azure FirewallImport a certificate into the portal—Portal for ArcGISHow to check what SSL/TLS versions are available for a website on a Plesk server? - Support Cases from Plesk Knowledge BaseAdd and manage TLS/SSL certificates - Azure App Service

    • IPv4 address space: By default, an address space is automatically created. You can select the address space and adjust it to reflect your own values. You can also add a different address space and remove the default that was automatically created. For example, you can specify the starting address as 10.1.0.0 and specify the address space size as /16. Then select Add to add that address space.

    • + Add subnet: If you use the default address space, a default subnet is created automatically. If you change the address space, add a new subnet within that address space. Select + Add subnet to open the Add subnet window. Configure the following settings, and then select Add at the bottom of the page to add the values.

      • Subnet name: An example is FrontEnd.
      • Subnet address range: The address range for this subnet. Examples are 10.1.0.0 and /24.

  7. Review the IP addresses page and remove any address spaces or subnets that you don't need.

  8. Select Review + create to validate the virtual network settings.

  9. After the settings are validated, select Create to create the virtual network.

After you create your virtual network, you can optionally configure Azure DDoS Protection. Protection is simple to enable on any new or existing virtual network, and it requires no application or resource changes. For more information about Azure DDoS Protection, see What is Azure DDoS Protection?.

Create a gateway subnet

The virtual network gateway requires a specific subnet named GatewaySubnet. The gateway subnet is part of the IP address range for your virtual network and contains the IP addresses that the virtual network gateway resources and services use. Specify a gateway subnet that's /27 or larger.

  1. On the page for your virtual network, on the left pane, select Subnets to open the Subnets page.
  2. At the top of the page, select + Gateway subnet to open the Add subnet pane.
  3. The name is automatically entered as GatewaySubnet. Adjust the IP address range value, if necessary. An example is 10.1.255.0/27.
  4. Don't adjust the other values on the page. Select Save at the bottom of the page to save the subnet.

Create a VPN gateway

In this step, you create the virtual network gateway (VPN gateway) for your virtual network. Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU.

Create a virtual network gateway by using the following values:

  • Name: VNet1GW
  • Region: East US
  • Gateway type: VPN
  • SKU: VpnGw2
  • Generation: Generation 2
  • Virtual network: VNet1
  • Gateway subnet address range: 10.1.255.0/27
  • Public IP address: Create new
  • Public IP address name: VNet1GWpip

For this exercise, you won't select a zone-redundant SKU. If you want to learn about zone-redundant SKUs, see About zone-redundant virtual network gateways. Additionally, these steps aren't intended to configure an active-active gateway. For more information, see Configure active-active gateways.

  1. In Search resources, services, and docs (G+/), enter virtual network gateway. Locate Virtual network gateway in the Marketplace search results and select it to open the Create virtual network gateway page.

  2. On the Basics tab, fill in the values for Project details and Instance details.

    • Subscription: Select the subscription you want to use from the dropdown list.

    • Resource group: This setting is autofilled when you select your virtual network on this page.

    • Name: Name your gateway. Naming your gateway isn't the same as naming a gateway subnet. It's the name of the gateway object you're creating.

      See Also
      Check for TLS Protocol Latest Version

    • Region: Select the region in which you want to create this resource. The region for the gateway must be the same as the virtual network.

    • Gateway type: Select VPN. VPN gateways use the virtual network gateway type VPN.

    • SKU: From the dropdown list, select the gateway SKU that supports the features you want to use. See Gateway SKUs. In the portal, the SKUs available in the dropdown list depend on the VPN type you select. The Basic SKU can only be configured using Azure CLI or PowerShell. You can't configure the Basic SKU in the Azure portal.

    • Generation: Select the generation you want to use. We recommend using a Generation2 SKU. For more information, see Gateway SKUs.

    • Virtual network: From the dropdown list, select the virtual network to which you want to add this gateway. If you can't see the virtual network for which you want to create a gateway, make sure you selected the correct subscription and region in the previous settings.

    • Gateway subnet address range or Subnet: The gateway subnet is required to create a VPN gateway.

      At this time, this field can show various different settings options, depending on the virtual network address space and whether you already created a subnet named GatewaySubnet for your virtual network.

      If you don't have a gateway subnet and you don't see the option to create one on this page, go back to your virtual network and create the gateway subnet. Then, return to this page and configure the VPN gateway.

  1. Specify the values for Public IP address. These settings specify the public IP address object that gets associated to the VPN gateway. The public IP address is assigned to this object when the VPN gateway is created. The only time the primary public IP address changes is when the gateway is deleted and re-created. It doesn't change across resizing, resetting, or other internal maintenance/upgrades of your VPN gateway.

    • Public IP address type: If you are presented with this option, select Standard. The Basic public IP address SKU is only supported for Basic SKU VPN gateways.
    • Public IP address: Leave Create new selected.
    • Public IP address name: In the text box, enter a name for your public IP address instance.
    • Public IP address SKU: Setting is autoselected.
    • Assignment: The assignment is typically autoselected. For the Standard SKU, assignment is always Static.
    • Enable active-active mode: Select Disabled. Only enable this setting if you're creating an active-active gateway configuration.
    • Configure BGP: Select Disabled, unless your configuration specifically requires this setting. If you do require this setting, the default ASN is 65515, although this value can be changed.

  2. Select Review + create to run validation.

  3. After validation passes, select Create to deploy the VPN gateway.

A gateway can take 45 minutes or more to fully create and deploy. You can see the deployment status on the Overview page for your gateway. After the gateway is created, you can view the IP address assigned to it by looking at the virtual network in the portal. The gateway appears as a connected device.

Important

Network security groups (NSGs) on the gateway subnet are not supported. Associating a network security group to this subnet might cause your virtual network gateway (VPN and ExpressRoute gateways) to stop functioning as expected. For more information about network security groups, see What is a network security group?.

View the public IP address

You can view the gateway public IP address on the Overview page for your gateway. The public IP address is used when you configure a site-to-site connection to your VPN gateway.

To see more information about the public IP address object, select the name/IP address link next to Public IP address.

Resize a gateway SKU

There are specific rules for resizing versus changing a gateway SKU. In this section, you resize the SKU. For more information, see Resize or change gateway SKUs.

  1. Go to the Configuration page for your virtual network gateway.

  2. On the right side of the page, select the dropdown arrow to show a list of available SKUs.

    Notice that the list only populates SKUs that you're able to use to resize your current SKU. If you don't see the SKU you want to use, instead of resizing, you have to change to a new SKU.

  3. Select the SKU from the dropdown list.

Reset a gateway

  1. In the portal, go to the virtual network gateway that you want to reset.
  2. On the Virtual network gateway page, in the left pane, scroll down to Reset.
  3. On the Reset page, select Reset. After the command is issued, the current active instance of Azure VPN Gateway is rebooted immediately. Resetting the gateway causes a gap in VPN connectivity and might limit future root cause analysis of the issue.

Clean up resources

If you're not going to continue to use this application or go to the next tutorial, deletethese resources.

  1. Enter the name of your resource group in the Search box at the top of the portal and select it from the search results.

  2. Select Delete resource group.

  3. Enter your resource group for TYPE THE RESOURCE GROUP NAME and select Delete.

Next steps

After you create a VPN gateway, you can configure more gateway settings and connections. The following articles help you create a few of the most common configurations:

Site-to-site VPN connections

Point-to-site VPN connections

Tutorial – Create & manage a VPN gateway – Azure portal - Azure VPN Gateway (2024)

FAQs

How to create a basic VPN gateway in Azure? ›

Here is a brief summary of the steps:
  1. Go to the Azure portal.
  2. Create a virtual network gateway.
  3. Select the basic SKU.
  4. Wait for the gateway to fully create and deploy, which can take 45 minutes or more.
  5. View the public IP address assigned to the gateway on the Overview page.
Feb 27, 2023

Read On
How long does it take to create an Azure VPN gateway? ›

Create a VPN gateway. In this step, you create the virtual network gateway (VPN gateway) for your virtual network. Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU.

Discover More Details
What is a VPN gateway in Azure? ›

Azure VPN Gateway connects your on-premises networks to Azure through Site-to-Site VPNs in a similar way that you set up and connect to a remote branch office. The connectivity is secure and uses the industry-standard protocols Internet Protocol Security (IPsec) and Internet Key Exchange (IKE).

Continue Reading
Can you have multiple VPN gateways in Azure? ›

Depending on the VPN Client software used, you may be able to connect to multiple Virtual Network Gateways provided the virtual networks being connected to don't have conflicting address spaces between them or the network from with the client is connecting from.

See Details
What are the main components of an Azure VPN gateway setup? ›

What are the main components of an Azure VPN Gateway setup? An on-premises network with a complimentary gateway that can accept the encrypted data. The VPN Gateway must be attached to an Azure Virtual Network. A secure connection, called a tunnel, which encrypts the traffic sent through it.

Find Out More
How do I find my VPN gateway in Azure? ›

In the Azure portal, you can view the connection status of a VPN gateway by going to the connection. The following steps show one way to go to your connection and verify. On the Azure portal menu, select All resources or search for and select All resources from any page. Select your virtual network gateway.

Tell Me More
Can you have multiple VPN gateways per VNet? ›

You can only have 1 Virtual Network Gateway per Virtual Network - however, you can peer the virtual networks, to communicate across them with gateway transit, or have multiple S2S VPNs across the same gateway.

Show Me More
How many VPN gateways per VNet? ›

A VPN gateway is a specific type of VNet gateway that is used to send traffic between an Azure virtual network and an on-premises location over the public internet. You can also use a VPN gateway to send traffic between VNets. Each VNet can have only one VPN gateway.

Explore More
What is the difference between VPN server and VPN gateway? ›

A VPN Client is used to search for the access provided by the VPN Gateway in order to establish a connection, building a secure tunnel to traffic data of users and corporations. In simplified language, it is a “client-server” structure (VPN Gateway is the server and VPN Client is the client).

Continue Reading
When to use Azure VPN gateway? ›

Azure VPN Gateway is a service that can be used to send encrypted traffic between an Azure virtual network and on-premises locations over the public Internet. You can also use VPN Gateway to send encrypted traffic between Azure virtual networks over the Microsoft network.

Show Me More

How does a VPN gateway work? ›

A VPN Gateway is a type of network gateway that works by creating a virtual tunnel between your device and the internet through which all data is encrypted and transmitted.

Read The Full Story
What is an example of a VPN gateway? ›

For example, OpenVPN Access Server is a marketplace solution for a VPN gateway. After you activate the appliance, you deploy a host VM for the gateway that allows transit to VMware Engine networks.

See Details
What is the benefit of Azure VPN gateway? ›

Point-to-Site VPN lets you connect to your virtual machines on Azure virtual networks from anywhere, whether you are on the road, working from your favorite café, managing your deployment, or doing a demo for your customers.

Get More Info Here
What is the difference between Azure Virtual WAN and VPN gateway? ›

How is Virtual WAN different from an Azure virtual network gateway? A virtual network gateway VPN is limited to 100 tunnels. For connections, you should use Virtual WAN for large-scale VPN. You can connect up to 1,000 branch connections per virtual hub with aggregate of 20 Gbps per hub.

Continue Reading
What is the difference between Azure Bastion and VPN gateway? ›

With Azure Bastion, you connect to the virtual machine directly from the Azure portal. You don't need an additional client, agent, or piece of software. A Point-to-Site (P2S) VPN gateway connection lets you create a secure connection to your virtual network from an individual client computer.

View More
How do I create a simple VPN server? ›

Create a VPN on Your Router
  1. Download custom firmware. Confirm compatibility between your router and preferred firmware, and then download it.
  2. Connect your computer to your router. Do this via a wired connection. ...
  3. Log into your router. ...
  4. Install the firmware. ...
  5. Reboot the router. ...
  6. Set up your VPN. ...
  7. Check if your VPN works.

View Details
How to create a VNet gateway? ›

Creating a virtual network (VNet) data gateway is a three-step process:
  1. Step 1: Register Microsoft.PowerPlatform as a resource provider.
  2. Step 2: Associate the subnet to Microsoft Power Platform.
  3. Step 3: Create a VNet data gateway.
May 6, 2024

See More
What is the difference between basic and standard IP in Azure? ›

How is a Standard Public IP different from a Basic Public IP? In addition to the features included in the Basic Public IP, the Standard Public IP provides zone resiliency. Coupled with the Standard Load Balancer, this provides high availability and zone resiliency.

Learn More
Does VPN have default gateway? ›

In actuality, the default gateway of a VPN client is really of no consequence. The default gateway is only significant when configured on an interface in a more traditional setting. However, when using VPNs such as AnyConnect, which uses a virtual interface, it doesn't need a default gateway.

Discover More Details
Top Articles
Aflac Supplemental Insurance
Aflac life insurance review 2024
Info | Giro d'Italia 2024
Giro d'Italia: Alle 21 Etappen in der Übersicht - Profile, Anstiege, Bergwertungen, Zeitfahren, Bergankünfte - Eurosport
Latest Posts
Top 10 Alternatives to Aflac
Aflac Supplemental Insurance
Article information

Author: Arline Emard IV

Last Updated:

Views: 5844

Rating: 4.1 / 5 (52 voted)

Reviews: 83% of readers found this page helpful

Author information

Name: Arline Emard IV

Birthday: 1996-07-10

Address: 8912 Hintz Shore, West Louie, AZ 69363-0747

Phone: +13454700762376

Job: Administration Technician

Hobby: Paintball, Horseback riding, Cycling, Running, Macrame, Playing musical instruments, Soapmaking

Introduction: My name is Arline Emard IV, I am a cheerful, gorgeous, colorful, joyous, excited, super, inquisitive person who loves writing and wants to share my knowledge and understanding with you.