Skip to content

Use availability zone SKU for VPN gateways#

Reliability · Virtual Network Gateway · Azure.VNG.VPNAvailabilityZoneSKU

Use availability zone SKU for virtual network gateways deployed with VPN gateway type.

Description#

VPN gateways can be deployed in Availability Zones with the following SKUs:

  • VpnGw1AZ
  • VpnGw2AZ
  • VpnGw3AZ
  • VpnGw4AZ
  • VpnGw5AZ

This brings resiliency, scalability, and higher availability to VPN gateways. Deploying VPN gateways in Azure Availability Zones physically and logically separates gateways within a region, while protecting your on-premises network connectivity to Azure from zone-level failures.

Recommendation#

Consider deploying VPN gateways with an availability zone SKU to improve reliability of virtual network gateways.

Notes#

VPN gateway availability zones are managed via Public IP addresses, and are flagged separately under the Azure.PublicIP.AvailabilityZone rule.

Examples#

Configure with Azure template#

To configure an AZ SKU for a VPN gateway:

  • Set properties.gatewayType to 'Vpn'
  • Set properties.sku.name and properties.sku.tier to one of the following AZ SKUs:
    • 'VpnGw1AZ'
    • 'VpnGw2AZ'
    • 'VpnGw3AZ'
    • 'VpnGw4AZ'
    • 'VpnGw5AZ'

For example:

{
    "apiVersion": "2020-11-01",
    "name": "[parameters('name')]",
    "type": "Microsoft.Network/virtualNetworkGateways",
    "location": "[parameters('location')]",
    "dependsOn": [
        "[concat('Microsoft.Network/publicIPAddresses/', parameters('newPublicIpAddressName'))]"
    ],
    "tags": {},
    "properties": {
        "gatewayType": "Vpn",
        "ipConfigurations": [
            {
                "name": "default",
                "properties": {
                    "privateIPAllocationMethod": "Dynamic",
                    "subnet": {
                        "id": "[parameters('subnetId')]"
                    },
                    "publicIpAddress": {
                        "id": "[resourceId('vpn-rg', 'Microsoft.Network/publicIPAddresses', parameters('newPublicIpAddressName'))]"
                    }
                }
            }
        ],
        "vpnType": "[parameters('vpnType')]",
        "vpnGatewayGeneration": "[parameters('vpnGatewayGeneration')]",
        "sku": {
            "name": "VpnGw1AZ",
            "tier": "VpnGw1AZ"
        }
    }
}

Configure with Bicep#

To configure an AZ SKU for a VPN gateway:

  • Set properties.gatewayType to 'Vpn'
  • Set properties.sku.name and properties.sku.tier to one of the following AZ SKUs:
    • 'VpnGw1AZ'
    • 'VpnGw2AZ'
    • 'VpnGw3AZ'
    • 'VpnGw4AZ'
    • 'VpnGw5AZ'

For example:

resource name_resource 'Microsoft.Network/virtualNetworkGateways@2020-11-01' = {
  name: name
  location: location
  tags: {}
  properties: {
    gatewayType: 'Vpn'
    ipConfigurations: [
      {
        name: 'default'
        properties: {
          privateIPAllocationMethod: 'Dynamic'
          subnet: {
            id: subnetId
          }
          publicIPAddress: {
            id: resourceId('vpn-rg', 'Microsoft.Network/publicIPAddresses', newPublicIpAddressName)
          }
        }
      }
    ]
    vpnType: vpnType
    vpnGatewayGeneration: vpnGatewayGeneration
    sku: {
      name: 'VpnGw1AZ'
      tier: 'VpnGw1AZ'
    }
  }
  dependsOn: [
    newPublicIpAddressName_resource
  ]
}

Last update: 2021-10-19