Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This article helps you upgrade a VPN Gateway virtual network gateway SKU. Upgrading a gateway SKU is a relatively fast process with minimal downtime (approximately 45 minutes). You can upgrade a SKU easily in the Azure portal, or by using PowerShell or Azure CLI. When you upgrade a SKU, the public IP address assigned to your gateway SKU doesn't change and you don't need to reconfigure your VPN device or your P2S clients.
Considerations
There are many things to consider when upgrading to a new gateway SKU. The following table helps you understand the required method to move from one SKU to another. Notice that not all gateway SKUs are eligible to be upgraded directly. Some SKUs require you to delete the existing gateway and create a new one.
| Starting SKU | Target SKU | Eligible for SKU upgrade | Delete/Recreate only | 
|---|---|---|---|
| Basic SKU | Any other SKU | No | Yes | 
| Generation 1 SKU | Generation 1 AZ SKU | Yes | No | 
| Generation 1 SKU | Generation 2 AZ SKU | No | Yes | 
| Generation 2 SKU | Generation 2 AZ SKU | Yes | No | 
| Generation 2 SKU | Generation 1 AZ SKU | No | Yes | 
For gateway SKU throughput and connection limits, see About gateway SKUs.
Limitations and restrictions
- You can't upgrade a Basic SKU to a new SKU. You must delete the gateway, and then create a new one.
- You can't downgrade a SKU without deleting the gateway and creating a new one.
- Legacy gateway SKUs (Standard and High Performance) can't be upgraded to the new SKU families. You must delete the gateway and create a new one. For more information about working with legacy gateway SKUS, see VPN Gateway legacy SKUs
Upgrade a gateway SKU using the Azure portal
Upgrading a gateway SKU takes about 45 minutes to complete.
- Go to the Configuration page for your virtual network gateway.
- On the right side of the page, click the dropdown arrow to show a list of available SKUs. The options listed are based on the starting SKU and SKU Generation. Select the SKU from the dropdown.
- Save your changes to begin the SKU upgrade.
- If you are switching to an AZ SKU within the same tier (e.g., VpnGw1 → VpnGw1AZ), there will be no downtime.
- The upgrade process typically takes about 45 minutes to complete for all other scenarios (e.g., VpnGw1 → VpnGw2AZ).
 
Workflow for SKUs that can't be upgraded
For SKUs that can't be directly upgraded (Basic and legacy gateway SKUs), you must delete the existing gateway and create a new one. This process incurs downtime. The public IP address assigned to your gateway SKU changes. You must also reconfigure your VPN device and P2S clients.
The high level workflow is:
- Remove any connections to the virtual network gateway.
- Delete the old VPN gateway.
- Create the new VPN gateway.
- Update your on-premises VPN devices with the new VPN gateway IP address (for site-to-site connections).
- Update the gateway IP address value for any VNet-to-VNet local network gateways that connect to this gateway.
- Download new client VPN configuration packages for point-to-site clients connecting to the virtual network through this VPN gateway.
- Recreate the connections to the virtual network gateway.
Next steps
For more information about gateway SKUs, see About gateway SKUs.