Create a zone-redundant virtual network gateway in availability zones
You can deploy VPN and ExpressRoute gateways in Azure availability zones. This brings resiliency, scalability, and higher availability to virtual network gateways. Deploying gateways in availability zones physically and logically separates gateways within a region, while protecting your on-premises network connectivity to Azure from zone-level failures. For more information, see About zone-redundant virtual network gateways, What are availability zones?, and Azure regions with availability zones.
Azure portal workflow
This section outlines the basic workflow to specify a zone-redundant gateway for an Azure VPN gateway.
VPN Gateway
Create a virtual network and configure a virtual network gateway using these steps: Create a VPN gateway. When creating the gateway, configure the appropriate SKU and availability zone settings.
SKU: Select an "AZ" SKU from the dropdown. For example, VpnGw2AZ. If you don't select an AZ SKU, you can't configure an availability zone setting.
Availability zone: Select the Availability zone from the dropdown.
ExpressRoute
For an ExpressRoute gateway, follow the ExpressRoute documentation, selecting the proper ExpressRoute gateway zone-redundant SKU.
SKU: Select an "AZ" SKU from the dropdown. For example, ErGw2AZ. If you don't select an AZ SKU, you can't configure an availability zone setting.
Availability zone: Select the Availability zone from the dropdown.
PowerShell workflow
This article uses PowerShell cmdlets. To run the cmdlets, you can use Azure Cloud Shell. Cloud Shell is a free interactive shell that you can use to run the steps in this article. It has common Azure tools preinstalled and configured to use with your account.
To open Cloud Shell, just select Open Cloudshell from the upper-right corner of a code block. You can also open Cloud Shell on a separate browser tab by going to https://shell.azure.com/powershell. Select Copy to copy the blocks of code, paste them into Cloud Shell, and select the Enter key to run them.
You can also install and run the Azure PowerShell cmdlets locally on your computer. PowerShell cmdlets are updated frequently. If you haven't installed the latest version, the values specified in the instructions may fail. To find the versions of Azure PowerShell installed on your computer, use the Get-Module -ListAvailable Az
cmdlet. To install or update, see Install the Azure PowerShell module.
1. Declare your variables
Declare the variables that you want to use. Use the following sample, substituting the values for your own when necessary. If you close your PowerShell/Cloud Shell session at any point during the exercise, just copy and paste the values again to redeclare the variables. When specifying location, verify that the region you specify is supported. For more information, see Azure regions with availability zones.
$RG1 = "TestRG1"
$VNet1 = "VNet1"
$Location1 = "EastUS"
$FESubnet1 = "FrontEnd"
$BESubnet1 = "Backend"
$GwSubnet1 = "GatewaySubnet"
$VNet1Prefix = "10.1.0.0/16"
$FEPrefix1 = "10.1.0.0/24"
$BEPrefix1 = "10.1.1.0/24"
$GwPrefix1 = "10.1.255.0/27"
$Gw1 = "VNet1GW"
$GwIP1 = "VNet1GWIP"
$GwIPConf1 = "gwipconf1"
2. Create the virtual network
Create a resource group.
New-AzResourceGroup -ResourceGroupName $RG1 -Location $Location1
Create a virtual network.
$fesub1 = New-AzVirtualNetworkSubnetConfig -Name $FESubnet1 -AddressPrefix $FEPrefix1
$besub1 = New-AzVirtualNetworkSubnetConfig -Name $BESubnet1 -AddressPrefix $BEPrefix1
$vnet = New-AzVirtualNetwork -Name $VNet1 -ResourceGroupName $RG1 -Location $Location1 -AddressPrefix $VNet1Prefix -Subnet $fesub1,$besub1
3. Add the gateway subnet
The gateway subnet contains the reserved IP addresses that the virtual network gateway services use. Use the following examples to add and set a gateway subnet:
Add the gateway subnet.
$getvnet = Get-AzVirtualNetwork -ResourceGroupName $RG1 -Name VNet1
Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix 10.1.255.0/27 -VirtualNetwork $getvnet
Set the gateway subnet configuration for the virtual network.
$getvnet | Set-AzVirtualNetwork
4. Request a public IP address
In this step, choose the instructions that apply to the gateway that you want to create. The selection of zones for deploying the gateways depends on the zones specified for the public IP address.
For zone-redundant gateways
Request a public IP address with a Standard PublicIpaddress SKU and don't specify any zone. In this case, the Standard public IP address created is a zone-redundant public IP.
$pip1 = New-AzPublicIpAddress -ResourceGroup $RG1 -Location $Location1 -Name $GwIP1 -AllocationMethod Static -Sku Standard
For zonal gateways
Request a public IP address with a Standard PublicIpaddress SKU. Specify the zone (1, 2 or 3). All gateway instances are deployed in this zone.
$pip1 = New-AzPublicIpAddress -ResourceGroup $RG1 -Location $Location1 -Name $GwIP1 -AllocationMethod Static -Sku Standard -Zone 1
5. Create the IP configuration
$getvnet = Get-AzVirtualNetwork -ResourceGroupName $RG1 -Name $VNet1
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $GwSubnet1 -VirtualNetwork $getvnet
$gwipconf1 = New-AzVirtualNetworkGatewayIpConfig -Name $GwIPConf1 -Subnet $subnet -PublicIpAddress $pip1
6. Create the virtual network gateway
VPN Gateway example
New-AzVirtualNetworkGateway -ResourceGroup $RG1 -Location $Location1 -Name $Gw1 -IpConfigurations $GwIPConf1 -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw2AZ
ExpressRoute example
New-AzVirtualNetworkGateway -ResourceGroup $RG1 -Location $Location1 -Name $Gw1 -IpConfigurations $GwIPConf1 -GatewayType ExpressRoute -GatewaySku ErGw2AZ
Next steps
See the VPN Gateway and ExpressRoute pages for other configuration information.