Azure Site-to-Site VPN Connection

Currently I have a Generation1 Basic SKU virtual network gateway setup for my site-to-site VPN. The on-prem side is currently running DH Group 2 and is asking about upgrading to DH Group 14.

From what I can tell (please correct me if I am wrong) using the Gen1 Basic SKU will not support DH Group 14 so it will require an upgrade.

I also found the only way to upgrade is to remove the entire network settings from Azure then re-build it from scratch. I have a few questions about this:

  1. Is there a way to run both networks simultaneously? I know there will be an IP overlap that could cause issues, but I am wondering if perhaps you can set it all up then change the network settings afterwards.
  2. Is there a way (other than manually) to document all the existing settings, just in case it does need to be removed and re-built?

Any guidance on getting this setup would be appreciated.

Just in case anyone comes across this: the on-prem VPN setting was changed from DH2 to DH14 and there have been no issues while still using the Basic SKU.

Let’s start with the second one: you could export an ARM template from your existing VPN gateway. By doing so, you could redeploy the template and the VPN would work as before, given the vnet does not change. Keep in mind that the public IP of the VPN will probably change, since you cannot “save” that exact IP.

I also found the only way to upgrade is to remove the entire network settings from Azure then re-build it from scratch.

Do you mean, that you would need to throw away the VPN gateway, the public ip and the virtual network which the VPN gateway is attached to?

I didn’t see any documentation saying the Basic SKU doesn’t support DH 14, only that it doesn’t support IKEv2. However, MS seems to scatter this type of information across a dozen different links. A quick way to confirm: you could create a new connection and see if it allows DH Group 14. This shouldn’t interrupt the existing connection.

I’ll take a look online to see if I can find instructions on how to export that ARM template but that sounds like the best option if that works to migrate to a different SKU.

Here are the instructions that I found for the upgrade:

https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-skus-legacy

  1. Remove any connections to the virtual network gateway.
  2. Delete the old VPN gateway.
  3. Create the new VPN gateway.
  4. Update your on-premises VPN devices with the new VPN gateway IP address (for Site-to-Site connections).
  5. Update the gateway IP address value for any VNet-to-VNet local network gateways that will connect to this gateway.
  6. Download new client VPN configuration packages for P2S clients connecting to the virtual network through this VPN gateway.
  7. Recreate the connections to the virtual network gateway.

I’ll take a look online to see if I can find instructions on how to export that ARM template but that sounds like the best option if that works to migrate to a different SKU.

Just go to the resource in the portal, scroll the blade on the left-hand side all the way down until you find “Export template”. Microsoft creates the ARM template (one huge JSON file) and lets you download it. Keep in mind that all the small properties of a VPN gateway are exported. Also, you may save your Pre-Shared Key separately. I’m not sure if it is exported.

  1. Remove any connections to the virtual network gateway.
  2. Delete the old VPN gateway.
  3. Create the new VPN gateway.
  4. Update your on-premises VPN devices with the new VPN gateway IP address (for Site-to-Site connections).
  5. Update the gateway IP address value for any VNet-to-VNet local network gateways that will connect to this gateway.
  6. Download new client VPN configuration packages for P2S clients connecting to the virtual network through this VPN gateway.
  7. Recreate the connections to the virtual network gateway.

You may get away with only deleting the VPN and NOT the public IP address. If so, your network config might still be valid. You’d still need to change your VPN gateway settings since you are obviously changing the DH group.
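As an added illustration of the export-template approach discussed above (this is not code from the thread, from Azure or from Microsoft), the following Python script audits an exported ARM template for the points raised here: the gateway SKU and generation, the DH group on each connection, and whether the pre-shared key is actually carried in the template or only referenced as a parameter that you still have to save separately. The template embedded in the script is a constructed sample: the resource and parameter names and policy values are made up, while the resource types and property names follow the Microsoft.Network ARM schema.

```python
import json

# Constructed sample of an exported ARM template for a VPN gateway and its
# site-to-site connection. The resource types and property names follow the
# Microsoft.Network ARM schema; the resource names, parameter name and policy
# values are made up for this example.
SAMPLE_TEMPLATE = json.dumps({
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        # Exports typically turn secrets into parameters with no default value.
        "connections_onprem_s2s_sharedKey": {"type": "securestring"}
    },
    "resources": [
        {
            "type": "Microsoft.Network/virtualNetworkGateways",
            "name": "vng-hub",
            "properties": {
                "gatewayType": "Vpn",
                "vpnType": "RouteBased",
                "vpnGatewayGeneration": "Generation1",
                "sku": {"name": "Basic", "tier": "Basic"},
            },
        },
        {
            "type": "Microsoft.Network/connections",
            "name": "onprem-s2s",
            "properties": {
                "connectionType": "IPsec",
                "sharedKey": "[parameters('connections_onprem_s2s_sharedKey')]",
                "ipsecPolicies": [{
                    "ikeEncryption": "AES256", "ikeIntegrity": "SHA256",
                    "dhGroup": "DHGroup2",
                    "ipsecEncryption": "AES256", "ipsecIntegrity": "SHA256",
                    "pfsGroup": "None",
                    "saLifeTimeSeconds": 27000, "saDataSizeKilobytes": 102400000,
                }],
            },
        },
    ],
})

# IKE DH groups that should not survive a rebuild: no DH at all, 768-bit MODP
# (group 1) and 1024-bit MODP (group 2). DH Group 14 is 2048-bit MODP.
WEAK_DH_GROUPS = {"None", "DHGroup1", "DHGroup2"}


def classify_psk(value):
    """absent: not in the template; parameterized: only a [parameters(...)]
    reference, so the real key must be kept separately; literal: in clear."""
    if value is None:
        return "absent"
    if isinstance(value, str) and value.startswith("[parameters("):
        return "parameterized"
    return "literal"


def audit_export(template_text):
    """Summarize gateways and connections found in an exported ARM template."""
    template = json.loads(template_text)
    gateways, connections = [], []
    for res in template.get("resources", []):
        props = res.get("properties", {})
        if res.get("type") == "Microsoft.Network/virtualNetworkGateways":
            gateways.append({
                "name": res.get("name"),
                "sku": props.get("sku", {}).get("name"),
                "generation": props.get("vpnGatewayGeneration"),
                "vpnType": props.get("vpnType"),
            })
        elif res.get("type") == "Microsoft.Network/connections":
            # Without a custom policy Azure's default IKE policy applies and the
            # template records no DH group at all, so there is nothing to flag.
            policies = props.get("ipsecPolicies") or []
            dh_groups = [p.get("dhGroup", "None") for p in policies]
            connections.append({
                "name": res.get("name"),
                "dh_groups": dh_groups,
                "custom_policy": bool(policies),
                "psk": classify_psk(props.get("sharedKey")),
            })
    return {
        "gateways": gateways,
        "connections": connections,
        "weak_dh": [c["name"] for c in connections
                    if any(g in WEAK_DH_GROUPS for g in c["dh_groups"])],
        "psk_must_be_saved_separately": any(c["psk"] != "literal" for c in connections),
    }


if __name__ == "__main__":
    print(json.dumps(audit_export(SAMPLE_TEMPLATE), indent=2))
```

To use it on a real export, replace SAMPLE_TEMPLATE with the contents of the JSON file downloaded from “Export template”. Portal exports parameterize resource names as well, so expect `name` to come back as a `[parameters('...')]` expression rather than a plain string; the SKU, generation, DH group and PSK checks work the same way.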

Thanks for the help. This seems a lot easier to do than I was expecting.