Skip to content

Use availability zone SKU for VPN gateways#

Reliability · Virtual Network Gateway · Rule · 2021_12 · Important

Use availability zone SKU for virtual network gateways deployed with VPN gateway type.

Description#

VPN gateways can be deployed in Availability Zones with the following SKUs:

  • VpnGw1AZ
  • VpnGw2AZ
  • VpnGw3AZ
  • VpnGw4AZ
  • VpnGw5AZ

This brings resiliency, scalability, and higher availability to VPN gateways. Deploying VPN gateways in Azure Availability Zones physically and logically separates gateways within a region, while protecting your on-premises network connectivity to Azure from zone-level failures.

Recommendation#

Consider deploying VPN gateways with an availability zone SKU to improve reliability of virtual network gateways.

Examples#

Configure with Azure template#

To configure VPN gateways that pass this rule:

  • Set properties.gatewayType to Vpn.
  • Set properties.sku.name and properties.sku.tier to one of the following AZ SKUs:
    • VpnGw1AZ
    • VpnGw2AZ
    • VpnGw3AZ
    • VpnGw4AZ
    • VpnGw5AZ

For example:

Azure Template snippet
{
  "type": "Microsoft.Network/virtualNetworkGateways",
  "apiVersion": "2023-11-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "gatewayType": "Vpn",
    "ipConfigurations": [
      {
        "name": "default",
        "properties": {
          "privateIPAllocationMethod": "Dynamic",
          "subnet": {
            "id": "[parameters('subnetId')]"
          },
          "publicIPAddress": {
            "id": "[parameters('pipId')]"
          }
        }
      }
    ],
    "activeActive": true,
    "vpnType": "RouteBased",
    "vpnGatewayGeneration": "Generation2",
    "sku": {
      "name": "VpnGw1AZ",
      "tier": "VpnGw1AZ"
    }
  }
}

Configure with Bicep#

To configure VPN gateways that pass this rule:

  • Set properties.gatewayType to Vpn.
  • Set properties.sku.name and properties.sku.tier to one of the following AZ SKUs:
    • VpnGw1AZ
    • VpnGw2AZ
    • VpnGw3AZ
    • VpnGw4AZ
    • VpnGw5AZ

For example:

Azure Bicep snippet
resource vng 'Microsoft.Network/virtualNetworkGateways@2023-11-01' = {
  name: name
  location: location
  properties: {
    gatewayType: 'Vpn'
    ipConfigurations: [
      {
        name: 'default'
        properties: {
          privateIPAllocationMethod: 'Dynamic'
          subnet: {
            id: subnetId
          }
          publicIPAddress: {
            id: pipId
          }
        }
      }
    ]
    activeActive: true
    vpnType: 'RouteBased'
    vpnGatewayGeneration: 'Generation2'
    sku: {
      name: 'VpnGw1AZ'
      tier: 'VpnGw1AZ'
    }
  }
}

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:

br/public:avm/res/network/virtual-network-gateway:<version>

To use the latest version:

br/public:avm/res/network/virtual-network-gateway:0.5.0

Notes#

VPN gateway availability zones are managed via Public IP addresses, and are flagged separately under the Azure.PublicIP.AvailabilityZone rule.

Comments