azure-vpn-gateway

Expert knowledge for Azure VPN Gateway development including troubleshooting, best practices, decision making, architecture & design patterns, limits & quotas, security, configuration, integrations & coding patterns, and deployment. Use when building, debugging, or optimizing Azure VPN Gateway applications. Not for Azure Virtual Network (use azure-virtual-network), Azure Virtual WAN (use azure-virtual-wan), Azure ExpressRoute (use azure-expressroute), Azure Application Gateway (use azure-application-gateway).

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "azure-vpn-gateway" with this command: npx skills add microsoftdocs/agent-skills/microsoftdocs-agent-skills-azure-vpn-gateway

Azure VPN Gateway Skill

This skill provides expert guidance for Azure VPN Gateway. Covers troubleshooting, best practices, decision making, architecture & design patterns, limits & quotas, security, configuration, integrations & coding patterns, and deployment. It combines local quick-reference content with remote documentation fetching capabilities.

How to Use This Skill

IMPORTANT for Agent: This file may be large. Use the Category Index below to locate relevant sections, then use read_file with specific line ranges (e.g., L136-L144) to read the sections needed for the user's question

IMPORTANT for Agent: If metadata.generated_at is more than 3 months old, suggest the user pull the latest version from the repository. If mcp_microsoftdocs tools are not available, suggest the user install it: Installation Guide

This skill requires network access to fetch documentation content:

  • Preferred: Use mcp_microsoftdocs:microsoft_docs_fetch with query string from=learn-agent-skill. Returns Markdown.
  • Fallback: Use fetch_webpage with query string from=learn-agent-skill&accept=text/markdown. Returns Markdown.

Category Index

CategoryLinesDescription
TroubleshootingL37-L44Diagnosing and fixing Azure VPN Gateway issues: S2S/P2S connection failures, certificate/auth errors, macOS IKEv2, throughput, health checks, resets, and packet-capture/log-based debugging
Best PracticesL45-L49Guidance on using network virtual appliances (NVAs) in Azure as VPN endpoints for remote access, including design, routing, security, and integration with Azure VPN Gateway.
Decision MakingL50-L59Guidance on choosing VPN Gateway SKUs, planning/migrating IPs and gateways (Classic→ARM), shifting P2S protocols (SSTP→IKEv2/OpenVPN), and designing remote work P2S VPN setups.
Architecture & Design PatternsL60-L66Design patterns and guidance for choosing VPN Gateway topologies, configuring active-active gateways, and building highly available, resilient site-to-site connectivity.
Limits & QuotasL67-L73VPN Gateway client version history, SKU comparisons, and FAQs about gateway limits, scale, performance, and connection behavior
SecurityL74-L97Securing Azure VPN Gateway: IPsec/IKE policies, forced tunneling, cert/RADIUS auth, Entra ID & MFA for P2S, client config (Win/macOS/Linux), access control, roles, and crypto best practices.
ConfigurationL98-L154Configuring Azure VPN Gateway and clients: S2S/P2S setup, certificates/RADIUS/Entra auth, BGP, IPsec/NAT/IPv6, routing, monitoring, VNet-to-VNet, and client configs for Windows/macOS/Linux/iOS.
Integrations & Coding PatternsL155-L162Configuring Azure VPN Gateway with on-prem devices and services: NPS/RADIUS VSAs for P2S, S2S over ExpressRoute, Cisco ASA samples, and BGP VPN connectivity with AWS.
DeploymentL163-L175Deploying and configuring VPN Gateways: creating gateways and S2S tunnels via PowerShell/CLI, changing SKUs/modes, enabling zone redundancy, migrating IPs, and deploying VPN client profiles.

Troubleshooting

TopicURL
Run Azure VPN Client prerequisites check and fix issueshttps://learn.microsoft.com/en-us/azure/vpn-gateway/azure-vpn-client-prerequisites-check
Use packet capture on VPN Gateway for diagnosticshttps://learn.microsoft.com/en-us/azure/vpn-gateway/packet-capture
Reset VPN Gateway or connection to restore IPsec tunnelshttps://learn.microsoft.com/en-us/azure/vpn-gateway/reset-gateway
Verify Azure VPN Gateway connection healthhttps://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-verify-connection-resource-manager

Best Practices

TopicURL
Use NVAs in Azure for remote access scenarioshttps://learn.microsoft.com/en-us/azure/vpn-gateway/nva-work-remotely-support

Decision Making

TopicURL
Choose appropriate Azure VPN Gateway SKUshttps://learn.microsoft.com/en-us/azure/vpn-gateway/about-gateway-skus
Plan migration from Basic to Standard public IPhttps://learn.microsoft.com/en-us/azure/vpn-gateway/basic-public-ip-migrate-about
Understand Azure VPN Gateway SKU mappingshttps://learn.microsoft.com/en-us/azure/vpn-gateway/gateway-sku-consolidation
Migrate P2S connections from SSTP to IKEv2/OpenVPNhttps://learn.microsoft.com/en-us/azure/vpn-gateway/ikev2-openvpn-from-sstp
Migrate VPN Gateways from Classic to Resource Managerhttps://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-classic-resource-manager-migration
Plan remote work using P2S VPN Gatewayshttps://learn.microsoft.com/en-us/azure/vpn-gateway/work-remotely-support

Architecture & Design Patterns

TopicURL
Design and configure active-active VPN Gatewayshttps://learn.microsoft.com/en-us/azure/vpn-gateway/about-active-active-gateways
Select Azure VPN Gateway topologies and designshttps://learn.microsoft.com/en-us/azure/vpn-gateway/design
Design highly available Azure VPN Gateway connectivityhttps://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-highlyavailable

Limits & Quotas

TopicURL
Reference of Azure VPN Client versionshttps://learn.microsoft.com/en-us/azure/vpn-gateway/azure-vpn-client-versions
Compare Azure VPN Gateway legacy SKUs and limitshttps://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-skus-legacy
Azure VPN Gateway FAQ with limits and behaviorshttps://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq

Security

TopicURL
Implement forced tunneling for S2S VPN connectionshttps://learn.microsoft.com/en-us/azure/vpn-gateway/about-site-to-site-tunneling
Configure custom IPsec/IKE policies in Azure portalhttps://learn.microsoft.com/en-us/azure/vpn-gateway/ipsec-ike-policy-howto
Enable multifactor authentication for P2S VPN usershttps://learn.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-mfa
Configure P2S VPN with Entra ID and manual app registrationhttps://learn.microsoft.com/en-us/azure/vpn-gateway/openvpn-azure-ad-tenant
Configure P2S VPN with Microsoft Entra ID authhttps://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-entra-gateway
Migrate P2S Entra VPN from manual to Microsoft app IDhttps://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-entra-gateway-update
Create or update custom Entra app ID for P2S VPNhttps://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-entra-register-custom-app
Configure P2S access control by Entra users and groupshttps://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-entra-users-access
Configure Linux Azure VPN Client for Entra ID P2S authhttps://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-entra-vpn-client-linux
Configure macOS Azure VPN Client for Entra ID P2S authhttps://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-entra-vpn-client-mac
Configure Windows Azure VPN Client for Entra ID P2S authhttps://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-entra-vpn-client-windows
Configure Device SSO with Azure VPN Client on Windowshttps://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-entra-vpn-client-windows-device-sso
Configure Azure VPN Gateway for P2S RADIUS authenticationhttps://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-radius-gateway
Understand roles and permissions for VPN Gatewayhttps://learn.microsoft.com/en-us/azure/vpn-gateway/roles-permissions
Apply security best practices to Azure VPN Gatewayhttps://learn.microsoft.com/en-us/azure/vpn-gateway/secure-vpn-gateway
Use certificate authentication for S2S VPN connectionshttps://learn.microsoft.com/en-us/azure/vpn-gateway/site-to-site-certificate-authentication-gateway-about
Configure S2S certificate authentication using PowerShellhttps://learn.microsoft.com/en-us/azure/vpn-gateway/site-to-site-certificate-authentication-gateway-powershell
Meet cryptographic requirements for Azure VPN gatewayshttps://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-compliance-crypto
Configure custom IPsec/IKE policies with PowerShellhttps://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-ipsecikepolicy-rm-powershell
Integrate Azure P2S RADIUS with NPS for MFAhttps://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-radius-mfa-nsp

Configuration

TopicURL
Generate P2S VPN client profiles for Entra authenticationhttps://learn.microsoft.com/en-us/azure/vpn-gateway/about-vpn-profile-download
Add or remove S2S connections on a VPN Gatewayhttps://learn.microsoft.com/en-us/azure/vpn-gateway/add-remove-site-to-site-connections
Configure optional Azure VPN Client settingshttps://learn.microsoft.com/en-us/azure/vpn-gateway/azure-vpn-client-optional-configurations
Configure BGP for VPN Gateway using Azure CLIhttps://learn.microsoft.com/en-us/azure/vpn-gateway/bgp-how-to-cli
Configure BGP for VPN Gateway using portalhttps://learn.microsoft.com/en-us/azure/vpn-gateway/bgp-howto
Create custom IPsec policies for P2S VPNhttps://learn.microsoft.com/en-us/azure/vpn-gateway/create-custom-policies-p2s-ps
Configure custom traffic selectors for VPN Gatewayhttps://learn.microsoft.com/en-us/azure/vpn-gateway/custom-traffic-selectors
Configure customer-controlled maintenance windows for VPN Gatewayhttps://learn.microsoft.com/en-us/azure/vpn-gateway/customer-controlled-gateway-maintenance
Configure IPv6 dual-stack support on VPN Gatewayhttps://learn.microsoft.com/en-us/azure/vpn-gateway/ipv6-configuration
Configure monitoring for Azure VPN Gateway with Azure Monitorhttps://learn.microsoft.com/en-us/azure/vpn-gateway/monitor-vpn-gateway
Reference for Azure VPN Gateway monitoring datahttps://learn.microsoft.com/en-us/azure/vpn-gateway/monitor-vpn-gateway-reference
Configure NAT rules on Azure VPN Gatewayhttps://learn.microsoft.com/en-us/azure/vpn-gateway/nat-howto
View and disconnect Azure P2S VPN sessionshttps://learn.microsoft.com/en-us/azure/vpn-gateway/p2s-session-management
Configure Azure VPN Client for Linux with P2S certificateshttps://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-certificate-client-linux-azure-vpn-client
Configure P2S certificate authentication on VPN Gatewayhttps://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-certificate-gateway
Generate P2S VPN certificates on Linux with OpenSSLhttps://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-certificates-linux-openssl
Configure P2S VPN with RADIUS using PowerShellhttps://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-how-to-radius-ps
Install P2S client certificates on Windows, macOS, Linuxhttps://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-how-to-vpn-client-install-azure-cert
Understand P2S user groups and IP pools behaviorhttps://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-user-groups-about
Configure P2S user groups and IP pools via PowerShellhttps://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-user-groups-create
Configure macOS native VPN client for P2S certificateshttps://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-vpn-client-cert-mac
Configure Linux strongSwan IKEv2 client for P2S certificateshttps://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-vpn-client-certificate-ike-linux
Configure iOS OpenVPN client for P2S certificate VPNhttps://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-vpn-client-certificate-openvpn-ios
Configure Linux OpenVPN client for P2S certificate VPNhttps://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-vpn-client-certificate-openvpn-linux
Configure macOS OpenVPN client for P2S certificate VPNhttps://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-vpn-client-certificate-openvpn-mac
Configure Azure VPN Client on Windows for P2S certificateshttps://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-vpn-client-certificate-windows-azure-vpn-client
Configure Windows native client for P2S certificate VPNhttps://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-vpn-client-certificate-windows-native
Configure OpenVPN 2.x Windows client for P2S certificateshttps://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-vpn-client-certificate-windows-openvpn-client
Configure OpenVPN 3.x Windows client for P2S certificateshttps://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-vpn-client-certificate-windows-openvpn-client-version-3
Configure VPN client for P2S RADIUS certificate authhttps://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-vpn-client-configuration-radius-certificate
Configure VPN client for other P2S RADIUS methodshttps://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-vpn-client-configuration-radius-other
Configure VPN client for P2S RADIUS password authhttps://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-vpn-client-configuration-radius-password
Configure high-bandwidth S2S tunnels via ExpressRoutehttps://learn.microsoft.com/en-us/azure/vpn-gateway/site-to-site-high-bandwidth-tunnel
Configure forced tunneling for S2S VPN with Default Sitehttps://learn.microsoft.com/en-us/azure/vpn-gateway/site-to-site-tunneling
Overview of partner VPN device configurations for Azurehttps://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-3rdparty-device-config-overview
Understand Point-to-Site VPN routing behavior in Azurehttps://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-point-to-site-routing
Supported VPN devices and IPsec parameters for Azurehttps://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices
Azure VPN Gateway resource and connection settingshttps://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-gateway-settings
Configure BGP for VPN Gateway using PowerShellhttps://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-bgp-resource-manager-ps
Generate P2S VPN certificates using Windows PowerShellhttps://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site
Generate P2S VPN certificates on Linux with strongSwanhttps://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site-linux
Generate P2S VPN certificates using MakeCerthttps://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-certificates-point-to-site-makecert
Connect classic VNets to ARM VNets via portalhttps://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-different-deployment-models-portal
Connect classic VNets to ARM VNets with PowerShellhttps://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-different-deployment-models-powershell
Connect route-based gateway to multiple policy-based deviceshttps://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps
Configure Always On VPN device tunnel to Azurehttps://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-always-on-device-tunnel
Configure Always On VPN user tunnel to Azurehttps://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-always-on-user-tunnel
Configure P2S VPN with certificate auth using PowerShellhttps://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-point-to-site-rm-ps
Connect VNets with VNet-to-VNet using Azure CLIhttps://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-cli
Configure VNet-to-VNet VPN connection in portalhttps://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-vnet-vnet-resource-manager-portal
Advertise custom routes to P2S VPN clientshttps://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes
Configure VPN gateway transit for VNet peeringhttps://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit
Connect VNets with VNet-to-VNet using PowerShellhttps://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vnet-vnet-rm-ps

Integrations & Coding Patterns

TopicURL
Configure NPS RADIUS VSAs for P2S user groupshttps://learn.microsoft.com/en-us/azure/vpn-gateway/point-to-site-user-groups-radius
Configure S2S VPN over ExpressRoute private peeringhttps://learn.microsoft.com/en-us/azure/vpn-gateway/site-to-site-vpn-private-peering
Sample Cisco ASA configuration for Azure VPN Gatewayhttps://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-3rdparty-device-config-cisco-asa
Configure BGP VPN connection between Azure and AWShttps://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-aws-bgp

Deployment

TopicURL
Migrate VPN Gateway public IP from Basic to Standardhttps://learn.microsoft.com/en-us/azure/vpn-gateway/basic-public-ip-migrate-howto
Create a Basic SKU VPN Gateway via PowerShellhttps://learn.microsoft.com/en-us/azure/vpn-gateway/create-gateway-basic-sku-powershell
Deploy a VPN Gateway using PowerShellhttps://learn.microsoft.com/en-us/azure/vpn-gateway/create-gateway-powershell
Deploy a VPN Gateway using Azure CLIhttps://learn.microsoft.com/en-us/azure/vpn-gateway/create-routebased-vpn-gateway-cli
Deploy zone-redundant VPN and ExpressRoute gatewayshttps://learn.microsoft.com/en-us/azure/vpn-gateway/create-zone-redundant-vnet-gateway
Change Azure VPN Gateway between active and active-activehttps://learn.microsoft.com/en-us/azure/vpn-gateway/gateway-change-active-active
Upgrade Azure VPN Gateway SKUs with minimal downtimehttps://learn.microsoft.com/en-us/azure/vpn-gateway/gateway-sku-upgrade
Create S2S VPN with shared key using PowerShellhttps://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-create-site-to-site-rm-powershell
Create S2S VPN with shared key using Azure CLIhttps://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-howto-site-to-site-resource-manager-cli
Deploy Azure VPN client profiles using Intunehttps://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-profile-intune

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

azure-security

No summary provided by upstream source.

Repository SourceNeeds Review
7-microsoftdocs
Automation

azure-architecture

No summary provided by upstream source.

Repository SourceNeeds Review
10-microsoftdocs
Automation

azure-logic-apps

No summary provided by upstream source.

Repository SourceNeeds Review
8-microsoftdocs
Automation

azure-blob-storage

No summary provided by upstream source.

Repository SourceNeeds Review
8-microsoftdocs