Migrate from legacy VPN gateway SKUs

Reliability · Virtual Network Gateway · Rule · 2020_06 · Critical

Migrate from legacy SKUs to improve reliability and performance of VPN gateways.

Description

When deploying a VPN gateway a number of options are available including SKU/ size. The gateway SKU affects the reliance and performance of the underlying gateway instances. Previously the following SKUs were available however have been depreciated.

• Basic
• Standard
• HighPerformance

The Standard and High Performance SKUs will be deprecated on September 30, 2025.

Recommendation

Consider redeploying VPN gateways using new SKUs to improve reliability and performance of gateways.

Examples

Configure with Azure template

To configure VPN gateways that pass this rule:

• Set properties.gatewayType to Vpn.
• Set properties.sku.name and properties.sku.tier to one of the following SKUs:
  • VpnGw1
  • VpnGw1AZ
  • VpnGw2
  • VpnGw2AZ
  • VpnGw3
  • VpnGw3AZ
  • VpnGw4
  • VpnGw4AZ
  • VpnGw5
  • VpnGw5AZ

For example:

Azure Template snippet

{
  "type": "Microsoft.Network/virtualNetworkGateways",
  "apiVersion": "2023-11-01",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "properties": {
    "gatewayType": "Vpn",
    "ipConfigurations": [
      {
        "name": "default",
        "properties": {
          "privateIPAllocationMethod": "Dynamic",
          "subnet": {
            "id": "[parameters('subnetId')]"
          },
          "publicIPAddress": {
            "id": "[parameters('pipId')]"
          }
        }
      }
    ],
    "activeActive": true,
    "vpnType": "RouteBased",
    "vpnGatewayGeneration": "Generation2",
    "sku": {
      "name": "VpnGw1AZ",
      "tier": "VpnGw1AZ"
    }
  }
}

Configure with Bicep

To configure VPN gateways that pass this rule:

• Set properties.gatewayType to Vpn.
• Set properties.sku.name and properties.sku.tier to one of the following SKUs:
  • VpnGw1
  • VpnGw1AZ
  • VpnGw2
  • VpnGw2AZ
  • VpnGw3
  • VpnGw3AZ
  • VpnGw4
  • VpnGw4AZ
  • VpnGw5
  • VpnGw5AZ

For example:

Azure Bicep snippet

resource vng 'Microsoft.Network/virtualNetworkGateways@2023-11-01' = {
  name: name
  location: location
  properties: {
    gatewayType: 'Vpn'
    ipConfigurations: [
      {
        name: 'default'
        properties: {
          privateIPAllocationMethod: 'Dynamic'
          subnet: {
            id: subnetId
          }
          publicIPAddress: {
            id: pipId
          }
        }
      }
    ]
    activeActive: true
    vpnType: 'RouteBased'
    vpnGatewayGeneration: 'Generation2'
    sku: {
      name: 'VpnGw1AZ'
      tier: 'VpnGw1AZ'
    }
  }
}

Configure with Azure Verified Modules

A pre-validated module supported by Microsoft is available from the Azure Bicep public registry. To reference the module, please use the following syntax:

br/public:avm/res/network/virtual-network-gateway:<version>

To use the latest version:

br/public:avm/res/network/virtual-network-gateway:0.5.0

---

• What is Azure Verified Modules?
• Usage and parameters for this module

Links

• RE:04 Target metrics
• Change to the new gateway SKUs
• Azure deployment reference

Comments