Migrating Network Gateway

Question

Migrating Network Gateway

David 0

Hey,

So we recently received notice that some of our public IP's needed upgrading to standard , unfortunately one of these was the IP that is associated to the gateway used for our IP Sec tunnel between our on site network and Azure.

As it's not possible to temporarily disassociate the IP to upgrade IT, research showed the only option was to create a new gateway (It could do with upgrading to a different SKU anyway) with a new public IP, I have done this today however found that when creating it we could not use the same Azure network for this tunnel as it was already linked to the existing one.

I therefore created a new virtual network making sure to use the same address range / subnet as the existing one, I was then able to create the new gateway and connection (Exact clones of the existing one), this is now online and connected to our FortiGates, however when we tell traffic to go via that tunnel instead of the existing one, we can't access any of the resources in Azure.

As a test I have tried creating an allow any from any firewall rule in the NSG associated with one of the virtual machines, however we still can't connect to it.

I am reaching the conclusion the gateway is going to have to be in the same virtual network for this to work, unfortunately it does not seem to be possible to change the virtual network of an existing gateway, this means the only way to do it would be to completely remove the existing gateway, then create a new one using the existing virtual network.

As well as meaning approx 30 mins down time on the tunnel depending how fast Microsoft decides to complete the various deprovisioning / provisioning actions, it means we would not have the existing connection to fall back on if there are issues.

Is there anything I am missing / a better way to do this before we proceed

Thanks

1 answer

Your answer

Answer 1

TP 131.6K Volunteer Moderator

Hi David,

What SKU is your current VPN Gateway? Is it Active-Passive or Active-Active?

There either is a migration path or will be a migration path for you to upgrade your the public IP for your VPN Gateway to Standard SKU with small amount of downtime (much shorter than deleting/re-creating gateway).

The deadline to upgrade the public IP associated with your VPN Gateway is end of January 2026.

Please navigate to your VPN Gateway in the portal, click Settings -- Configuration to see if you have Migrate tab. If you have Migrate tab, please follow instructions in article below:

How to migrate a Basic SKU public IP address to Standard SKU - Preview

https://learn.microsoft.com/en-us/azure/vpn-gateway/basic-public-ip-migrate-howto

If Migrate tab is not there, it means the migration functionality hasn't rolled out to the region yet. Please see article below for more detailed information on timelines:

What's new in Azure VPN Gateway?

https://learn.microsoft.com/en-us/azure/vpn-gateway/whats-new#upcoming-projected-changes

Please click Accept Answer and upvote if the above was helpful.

Thanks.

-TP

David 0 Reputation points

2025-07-30T06:58:56.0933333+00:00

Hi,

Thanks for your response, the gateway SKU is currently only Basic and active-passive, having realised the limitations of this (Primarily the speed) I was going to take the opportunity to upgrade it to a higher level SKU, which I understand can only be done with a re-create.

However if we can Migrate the current one for now, we can plan the upgrade later, unfortunately I don't see the Migrate tab in the config section.

For my scenario, the 2nd page you've linked above says "Migration approach for Basic IP address for Basic Gateway SKU’s will be published by end of Jul 30, 2025" so maybe there will be some change by the end of today?

You say the deadline for upgrading the IP is the end of Jan 2026, however the email we have received from Microsoft states the end of September 2025?

I have set up peering between the two virtual networks but not yet been able to access the the servers in the original network from the new gateway yet, unsure if that's something I'm doing wrong in Azure or our side.
TP 131.6K Reputation points Volunteer Moderator

2025-07-30T07:14:23.61+00:00

Since you are on Basic SKU VPN Gateway there is no action needed (yet). You are correct, they are supposed to update guidance by the end of today (July 30th).

In regards to upgrading to faster SKU, I would hold off until we know more about the proposed migration path to upgrade to Standard SKU public IP. Reason I say that is, there is a possibility that the migration path will allow you to go from Basic to VpnGw1AZ SKU or similar.

The deadline for Basic SKU Public IP address used with VPN Gateway is end of January 2026. For confirmation, please look for this text on the second link above:
TP 131.6K Reputation points Volunteer Moderator

2025-08-05T16:52:38.3933333+00:00
The latest update published today states, in regards to Basic SKU VPN Gateway:

Your actual IP address will not change, and connectivity will not be interrupted.

An automated capability to remove the Basic public IP from your gateway will be available in Sept/Oct 2025

Deprecation timeline of Basic IP for all VPN Gateways is moved from Sep 2025 to end of Jan 2026

Because Microsoft is retiring Basic public IP resources, we’re updating the Basic VPN Gateway construct. You’ll see the Basic public IP reference as an attribute on your virtual network gateway.

If you have scripts, ARM templates, or monitoring solutions that reference the Basic public IP resource, update them to use the IP address property of the virtual network gateway instead.

No action needed at this time. I just wanted to give you latest info.

Please click Accept Answer and upvote if the above was helpful.

Thanks.

-TP

Share via

Migrating Network Gateway

1 answer

Your answer