Edit

Share via


Working with VPN Gateway legacy SKUs

This article contains information about the legacy (old) virtual network gateway SKUs. The legacy SKUs still work in both deployment models for existing VPN gateways. Classic VPN gateways continue to use the legacy SKUs, both for existing gateways, and for new gateways. When creating new Resource Manager VPN gateways, use the new gateway SKUs. For information about the new SKUs, see About VPN Gateway. For the projected gateway SKU deprecation/migration timeline, see the What's new? article.

Legacy gateway SKUs

The legacy (old) VPN Gateway SKUs are:

  • Standard
  • High Performance

When working with the legacy SKUs, consider the following:

  • Active-active S2S VPN Gateway connections can be configured on the High Performance SKU only.
  • VPN Gateway doesn't use the UltraPerformance gateway SKU. For information about the UltraPerformance SKU, see the ExpressRoute documentation.

You can view legacy gateway pricing in the Virtual Network Gateways section, which is located on the ExpressRoute pricing page.

For SKU deprecation, see the SKU deprecation and SKU deprecation FAQs sections of this article.

Estimated aggregate throughput by SKU

The following table shows the gateway types and the estimated aggregate throughput by gateway SKU. This table applies to the Resource Manager and classic deployment models.

Pricing differs between gateway SKUs. For more information, see VPN Gateway Pricing.

The UltraPerformance gateway SKU isn't represented in this table. For information about the UltraPerformance SKU, see the ExpressRoute documentation.

VPN Gateway throughput (1) VPN Gateway max IPsec tunnels (2) ExpressRoute Gateway throughput VPN Gateway and ExpressRoute coexist
Standard SKU (3)(4) 100 Mbps 10 1,000 Mbps Yes
High Performance SKU (3) 200 Mbps 30 2,000 Mbps Yes

(1) The VPN throughput is a rough estimate based on the measurements between VNets in the same Azure region. It isn't a guaranteed throughput for cross-premises connections across the Internet. It's the maximum possible throughput measurement.

(2) The number of tunnels refers to RouteBased VPNs. A PolicyBased VPN can only support one Site-to-Site VPN tunnel.

(3) PolicyBased VPNs aren't supported for this SKU. They're supported for the Basic SKU.

(4) Active-active S2S VPN Gateway connections aren't supported for this SKU. Active-active is supported on the HighPerformance SKU.

Supported configurations by SKU and VPN type

The following table lists the requirements for PolicyBased and RouteBased VPN gateways. This table applies to both the Resource Manager and classic deployment models. For the classic model, PolicyBased VPN gateways are the same as Static gateways, and Route-based gateways are the same as Dynamic gateways.

PolicyBased Basic VPN Gateway RouteBased Basic VPN Gateway RouteBased Standard VPN Gateway RouteBased High Performance VPN Gateway
Site-to-Site connectivity (S2S) PolicyBased VPN configuration RouteBased VPN configuration RouteBased VPN configuration RouteBased VPN configuration
Point-to-Site connectivity (P2S) Not supported Supported (Can coexist with S2S) Supported (Can coexist with S2S) Supported (Can coexist with S2S)
Authentication method Pre-shared key Pre-shared key for S2S connectivity, Certificates for P2S connectivity Pre-shared key for S2S connectivity, Certificates for P2S connectivity Pre-shared key for S2S connectivity, Certificates for P2S connectivity
Maximum number of S2S connections 1 10 10 30
Maximum number of P2S connections Not supported 128 128 128
Active routing support (BGP) Not supported Not supported Supported Supported

Move to another gateway SKU

Considerations

  • You can't upgrade a legacy SKU to one of the newer Azure SKUs (VpnGw1AZ, VpnGw2AZ, etc.) Legacy SKUs for the Resource Manager deployment model are: Standard, and High Performance. If you want to use a new Azure SKU, you must delete the gateway, and then create a new one.
  • When you go from a legacy SKU to a newer gateway SKU, you incur connectivity downtime.
  • When you go from a legacy SKU to a newer gateway SKU, the public IP address for your VPN gateway changes. The IP address change happens even if you specified the same public IP address object that you used previously.
  • If you have a classic VPN gateway, you must continue using the older legacy SKUs for that gateway. However, you can upgrade between the legacy SKUs available for classic gateways. You can't change to the new SKUs.
  • Standard and High Performance legacy SKUs are being deprecated. See Legacy SKU deprecation for SKU migration and upgrade timelines.

Migrate a gateway SKU

Your legacy SKU will be migrated to AZ SKU as part of Basic IP address migration. All legacy SKUs use Basic IP today and you can use the portal experience to migrate the Basic IP address to Standard IP address before the retirement date. This is different from the initial approach of seamlessly migrating from backend. See What's new in Azure VPN Gateway? for updated timeline.

Upgrade to a gateway SKU in the same SKU family

Upgrading a legacy SKU has limitations. You can only upgrade your gateway to a gateway SKU within the same SKU family (except for the Basic SKU).

For example, if you have a Standard SKU, you can upgrade to a High Performance SKU. However, you can't upgrade your VPN gateway between the old SKUs and the new SKU families. You can't go from a Standard SKU to a VpnGw2 SKU, or from a Basic SKU to VpnGw1 by resizing.

Resource Manager

You can upgrade a gateway for the Resource Manager deployment model using the Azure portal or PowerShell. For PowerShell, use the following command:

$gw = Get-AzVirtualNetworkGateway -Name vnetgw1 -ResourceGroupName testrg
Resize-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -GatewaySku HighPerformance

Classic

To upgrade a gateway for the classic deployment model, you must use the Service Management PowerShell cmdlets. Use the following command:

Resize-AzureVirtualNetworkGateway -GatewayId <Gateway ID> -GatewaySKU HighPerformance

Change to the new gateway SKUs

Standard and High Performance SKUs will be deprecated on March 31, 2026 (extended from September 30, 2025). The product team will migrate the legacy SKUs from backend. For more information, See the Legacy SKU deprecation section. You can choose to change from a legacy SKU to one of the new SKUs at any point. However, changing to a new SKU requires more steps than migrating and incurs downtime.

If you're working with the Resource Manager deployment model, you can change to the new gateway SKUs. When you change from a legacy gateway SKU to a new SKU, you delete the existing VPN gateway and create a new VPN gateway.

Workflow:

  1. Remove any connections to the virtual network gateway.
  2. Delete the old VPN gateway.
  3. Create the new VPN gateway.
  4. Update your on-premises VPN devices with the new VPN gateway IP address (for Site-to-Site connections).
  5. Update the gateway IP address value for any VNet-to-VNet local network gateways that connect to this gateway.
  6. Download new client VPN configuration packages for P2S clients connecting to the virtual network through this VPN gateway.
  7. Recreate the connections to the virtual network gateway.

Considerations:

  • To move to the new SKUs, your VPN gateway must be in the Resource Manager deployment model.
  • If you have a classic VPN gateway, you must continue using the older legacy SKUs for that gateway, however, you can resize between the legacy SKUs. You can't change to the new SKUs.
  • When you change from a legacy SKU to a new SKU, you'll have connectivity downtime.
  • When changing to a new gateway SKU, the public IP address for your VPN gateway changes. This happens even if you specified the same public IP address object that you used previously.

SKU deprecation

The Standard and High Performance SKUs will be deprecated on March 31, 2026 (extended from September 30, 2025). Your legacy SKU will be migrated to AZ SKU as part of Basic IP address migration. All legacy SKUs use Basic IP today and you can use the portal experience to migrate the Basic IP address to Standard IP address before the retirement date. The customer controlled portal experience will be available for the legacy SKUs by Nov 2025. This is different from the initial approach of seamlessly migrating from backend.

When the migration path becomes available, as part of Basic IP migration, your gateway SKU will automatically migrate to the following SKUs:

  • Standard SKU: -> VpnGw1AZ
  • High Performance SKU: -> VpnGw2AZ

As a benefit, there's a performance improvement after migrating:

  • Standard SKU: 6.5x
  • High Performance SKU: 5x

Important Dates:

  • December 1, 2023: No new gateway creations are possible using Standard or High Performance SKUs.
  • Nov 15, 2025: Begin Basic IP address migration through portal with automaticlaly migrating gateways to other SKUs.
  • End of Mar, 2026: Standard/High Performance SKUs will be retired and remaining deprecated legacy gateways will be automatically migrated and upgraded to AZ SKUs.

SKU deprecation FAQs

Can I create a new gateway that uses a Standard or High Performance SKU after the deprecation announcement on November 30, 2023?

No. As of December 1, 2023, you can't create gateways that use Standard or High Performance SKUs. You can create gateways that use VpnGw1 and VpnGw2 SKUs for the same price as the Standard and High Performance SKUs, listed respectively on the pricing page.

How long will my existing gateways be supported on the Standard and High Performance SKUs?

All existing gateways that use the Standard or High Performance SKU will be supported until February 28, 2026 (extended from initial September 30, 2025 timeline).

Will my IP address change when my Legacy VPN gateway SKU (Standard or HighPerformance) is migrated as part of Basic IP address migration initiated through Azure portal?

No, the IP address won't change when you migrate Basic IP using Azure portal experience. You can choose to migrate the Basic SKU IP address to Standard SKU IP address through a customer controlled portal experience. For more information about Basic SKU IP migration, see About migrating a Basic SKU public IP address to Standard SKU for VPN Gateway article.

Do I need to migrate my gateways from the Standard or High Performance SKU right now?

No, you're required to migrate the Basic IP address on your gateway using the portal experience if you want to retain the IP address. As part of this migration, your gateways are automatically migrated to AZ SKUs.

Will there be any pricing difference for my gateways after migration?

Your SKUs are automatically migrated and upgraded to AZ SKUs as part of Basic IP migration. See VPN Gateway pricing for more details.

Will there be any performance impact on my gateways with this migration?

Yes. You get better performance with VpnGw1AZ and VpnGw2AZ. For more information about SKU throughput, see About gateway SKUs.

What happens if I don't migrate by February 28, 2026?

All gateways that still use the Standard or High Performance SKU will be migrated automatically and upgraded to the following AZ SKUs:

  • Standard to VpnGw1AZ
  • High Performance to VpnGw2AZ

We'll send communication before initiating migration on any gateways.

Is the VPN Gateway Basic SKU also retiring?

No, the VPN Gateway Basic SKU isn't retiring. You can create a VPN gateway by using the Basic SKU via Azure PowerShell or the Azure CLI.

Currently, the VPN Gateway Basic SKU supports only the Basic SKU public IP address resource (which is on a path to retirement). We're working on adding support for the Standard SKU public IP address resource to the VPN Gateway Basic SKU.

Next steps

For more information about the new Gateway SKUs, see Gateway SKUs.

For more information about configuration settings, see About VPN Gateway configuration settings.