Safe Update of Azure VPN Gateway API Version Without Downtime

Damian Wolski 25 Reputation points
2025-03-05T17:59:46.1933333+00:00

I am currently integrating Azure VPN Gateway with Managed Identity for VPN authentication using certificates (preview feature). However, I encountered the following error during deployment:

{
  "error": {
    "code": "InvalidTemplateDeployment",
    "message": "The template deployment 'VirtualNetworkGatewayUpdate' is not valid according to the validation procedure. The tracking id is ''. See inner errors for details.",
    "details": [
      {
        "code": "VpnGatewayManagedIdentityNotSupportedInSpecifiedApiVersion",
        "target": "<resource_id>",
        "message": "Specified api-version 2019-08-01 does not meet the minimum required api-version 2024-01-01 for property Identity.",
        "details": []
      }
    ]
  }
}

It appears that the deployed template is using an outdated API version (2019-08-01), while the feature requires at least 2024-01-01.

Is there a safe approach to update the API version of the VPN Gateway without disrupting existing VPN connections? My priority is to avoid any downtime.

Azure VPN Gateway

Accepted answer
  1. Suwarna S Kale 1,191 Reputation points
    2025-03-06T00:13:49.91+00:00

    Hello Damian Wolski,

    Thank you for posting your question in the Microsoft Q&A forum.

    Integrating Azure VPN Gateway with Managed Identity for VPN authentication using certificates is a powerful feature that enhances security and simplifies certificate management. However, during deployment, you may encounter errors related to outdated API versions, such as the VpnGatewayManagedIdentityNotSupportedInSpecifiedApiVersion error. This error occurs because the Managed Identity feature requires a minimum API version of 2024-01-01, while your deployment is using an older version (2019-08-01). To resolve this issue without disrupting existing VPN connections, you need to carefully update the API version of the VPN Gateway.

    Verify Current Configuration:

    1. Navigate to the Azure Portal and locate your VPN Gateway resource.
    2. Check the API version under the JSON View or Properties section.
    3. Document the existing VPN connections, IP configurations, and other settings to ensure you have a complete understanding of the current setup.

    The above steps help ensure that you have a baseline configuration to refer to in case any issues arise during the update process.

    To update the API version, you need to modify the Azure Resource Manager (ARM) template used for deployment. Follow these steps:

    1. Export the Current Template:
      • In the Azure Portal, navigate to your VPN Gateway resource.
      • Click on Export template under the Automation section.
      • Download the template and parameters file for backup and modification.
    2. Update the API Version:
      • Open the downloaded template file (in JSON format).
      • Locate the apiVersion property for the VPN Gateway resource and update it to 2024-01-01 or later.
      • Ensure that the identity property is correctly configured for Managed Identity.
      • Use the Azure Portal or Azure CLI to validate the updated template: az deployment group validate --resource-group <your-resource-group> --template-file <path-to-template> --parameters <path-to-parameters>
    3. Once the template is validated, deploy it to update the VPN Gateway:
      • Monitor the deployment progress in the Azure Portal or using the Azure CLI.
      • Ensure that the VPN Gateway remains operational during the update.

    After the deployment is complete, test the VPN connectivity to ensure there is no disruption:

    1. Use the Azure Portal to check the status of the VPN Gateway and connections.
    2. Test connectivity from on-premises or other connected networks.
    3. Verify that the Managed Identity feature is functioning as expected.

    In case of any issues, have a rollback plan ready:

    • Revert to the previous ARM template with the older API version.
    • Use the Azure CLI or Portal to redeploy the previous configuration.
    • Test connectivity again to ensure the rollback was successful.

     

    Some useful links to refer to:

    https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-portal

    https://learn.microsoft.com/en-us/azure/templates/microsoft.network/virtualnetworkgateways?pivots=deployment-language-bicep


    1 person found this answer helpful.
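
The template edit from step 2 of the accepted answer, as an added example that is not part of the original answer: it raises apiVersion only on Microsoft.Network/virtualNetworkGateways resources in an exported ARM template, leaves every other resource and all gateway properties untouched, and flags a gateway that has no identity block. The sample template, its resource names, and the function names are constructed for illustration.

```python
import copy
import json

GATEWAY_TYPE = "Microsoft.Network/virtualNetworkGateways"
MIN_API = "2024-01-01"  # minimum api-version quoted in the error message above


def api_date(version):
    """ARM api-versions are ISO dates, optionally suffixed (e.g. -preview)."""
    return version[:10]


def patch_template(template, min_api=MIN_API):
    """Return (patched_copy, findings); only gateway resources are modified."""
    patched = copy.deepcopy(template)  # never mutate the exported backup
    findings = []
    for res in patched.get("resources", []):
        if res.get("type", "").lower() != GATEWAY_TYPE.lower():
            continue
        name = res.get("name", "<unnamed>")
        old = res.get("apiVersion", "")
        # ISO dates compare correctly as plain strings
        if api_date(old) < min_api:
            res["apiVersion"] = min_api
            findings.append(f"{name}: apiVersion {old} -> {min_api}")
        if "identity" not in res:
            findings.append(f"{name}: no identity block; add it before deploying")
    return patched, findings


# Constructed sample resembling an exported template (not from the original post)
SAMPLE = {
    "resources": [
        {"type": "Microsoft.Network/virtualNetworkGateways",
         "apiVersion": "2019-08-01",
         "name": "[parameters('gatewayName')]",
         "properties": {"gatewayType": "Vpn", "vpnType": "RouteBased"}},
        {"type": "Microsoft.Network/publicIPAddresses",
         "apiVersion": "2019-08-01",
         "name": "[parameters('publicIpName')]",
         "properties": {"publicIPAllocationMethod": "Static"}},
    ]
}

if __name__ == "__main__":
    patched, findings = patch_template(SAMPLE)
    print("\n".join(findings))
    print(json.dumps(patched, indent=2))
```

Pass the patched JSON to the az deployment group validate command from the answer before deploying it.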
