Share via

I was not able to migrate Standard IP for Virtual Network Gateway

Maciej Kurzeja 25 Reputation points
2025-10-10T06:35:48.14+00:00

I was trying to Migrate to Standard IP for my Virtual network gateway (non-az sku), active-passive with built within portal "Migrate to Standard IP Based Deployment".

Despite Azure validation is showing "Succeeded" (this is a bug i think) after click "Prepare" it turned out that Gatewy Subnet is too small (is /29).migration1

I have tried to extend prefix with bellow command:

Set-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet -AddressPrefix '10.0.122.0/29','10.0.122.0/27'

I have received below error:

Set-AzVirtualNetwork: IPPrefix 10.0.122.0/29 on Subnet GatewaySubnet has active allocations and cannot be deleted. 
Status code: 400
ReasonPhrase:
ErrorCode: InUsePrefixCannotBeDeleted
ErrorMessage: IPPrefix 10.0.122.0/29 on Subnet GatewaySubnet has active allocations and cannot be deleted. 
(...)

Do I need to modify my command to look like this? (different subnet with /27 prefix) ? Iyf yes then what excatly is going to happen here?

Set-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet -AddressPrefix '10.0.122.0/29','10.0.123.0/27'
Azure VPN Gateway
Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Thanmayi Godithi 1,715 Reputation points Microsoft External Staff Moderator
    2025-10-10T09:55:43.9933333+00:00

    Hi @Maciej Kurzeja,

    Thank you for reaching out on Microsoft Q&A forum.

    The InUsePrefixCannotBeDeleted error occurred because your PowerShell command tried to modify the existing /29 GatewaySubnet (10.0.122.0/29), which is actively used by the VPN Gateway.

    Azure locks in-use prefixes to prevent disruption of allocated IPs. Additionally, a /29 subnet is too small for migrating to a Standard Public IP, which requires /27 or larger. This explains why the "Prepare" step failed despite the portal showing "Succeeded."

    You can try the below options to overcome that error.

    Option 1: Expand the GatewaySubnet (Recommended)

    If adjacent address space is available, you can expand the GatewaySubnet by adding a non-overlapping /27 prefix (e.g., 10.0.123.0/27) alongside the existing /29:

    $vnet = Get-AzVirtualNetwork -Name <YourVNetName> -ResourceGroupName <YourResourceGroupName>
Set-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet -AddressPrefix '10.0.122.0/29','10.0.123.0/27'
Set-AzVirtualNetwork -VirtualNetwork $vnet

    This keeps the gateway running with its existing /29 IPs, adds 32 additional IPs from /27, and satisfies the Standard IP migration requirement. Ensure the new /27 range is free and adjacent-Add or Change Subnet Configuration

    Option 2: Delete and Recreate the VPN Gateway

    If expansion isn’t possible, delete and recreate the VPN Gateway in a new /27 subnet:

    1.Delete the gateway:Delete VPN Gateway

    Remove-AzVirtualNetworkGateway -Name <YourGatewayName> -ResourceGroupName <YourResourceGroupName>

    2.Update GatewaySubnet to /27:

    $vnet = Get-AzVirtualNetwork -Name <YourVNetName> -ResourceGroupName <YourResourceGroupName>
Set-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet -AddressPrefix '10.0.123.0/27'
Set-AzVirtualNetwork -VirtualNetwork $vnet

    3.Recreate the gateway with a Standard SKU Public IP. Expect downtime during deletion and redeployment; the Public IP may change unless a Standard SKU IP is reused- Create VPN Gateway

    Your command attempted to use 10.0.122.0/27, which overlaps with the existing /29 prefix. Azure interprets this as a modification of the in-use prefix, triggering the InUsePrefixCannotBeDeleted error. Using a non-overlapping /27 (e.g., 10.0.123.0/27) avoids the conflict, provided the address space is available.

    Kindly let us know if the above helps or you need further assistance on this issue.

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.