azure-docs
azure-docs copied to clipboard
MicrosoftDocs
Can I move a VPN Gateway between subscriptions?
The supported resources page says "yes" to both publicipaddresses and virtualnetworkgateways. No asterisks or exceptions.
This page has a note that says,
Any resource, including a VPN Gateway, that is associated with a public IP Standard SKU address must be disassociated from the public IP address before moving across subscriptions.
So standard SKU addresses can only be moved if they are disassociated? Which article is right about moving publicipaddresses. Yes but only if they are disassociated, or "yes"
And, virtualnetworkgateways can be moved, but only if we disassociate the public IP address? According to this article changing or removing the public IP address is not supported.
Change or remove public IP address VPN gateway doesn't support changing the public IP address after creation.
Is there is some way to disassociate the public IP from the vpn gateway, move the resources and re-associate the public IP?
Please point me to an article that describes how to move a VPN gateway between subscriptions. Thanks!
p.s. assuming non-standard sku's do allow a vpn gateway to move, maybe we need to change the public IP address sku to enable support for moving between subscriptions?
Document Details
⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.
- ID: d9962fb6-03f4-fd30-ab93-d2086713dc9b
- Version Independent ID: 9106c368-72fe-d2d8-9ed5-ef7a46241c75
- Content: Move Azure Networking resources to new subscription or resource group - Azure Resource Manager
- Content Source: articles/azure-resource-manager/management/move-limitations/networking-move-limitations.md
- Service: azure-resource-manager
- Sub-service: management
- GitHub Login: @tfitzmac
- Microsoft Alias: tomfitz
@jonwbstr Thanks for your feedback! We will investigate and update as appropriate.
Confirmed, VPN moved to another subscription without any issues using a standard Public IP. That was easy!
@jonwbstr was it definitely a standard SKU public IP you successfully moved with the VPN gateway? what VPN SKU did you move?
I have checked using the Azure portal to move a VPN gateway SKU of "VpnGW2" which uses the standard Public IP and I get the following error "Move for resource type publicIPAddresses is not supported"
as you mention docs say to disassociate public IP before move but you cant on a VPN gateway.
Tagging @tfitzmac for visibility, review and document enhancement consideration as appropriate to avoid any confusion.
@brianlehr - can you assist us with this issue? I don't see a way through the portal to disassociate a public IP address from a VPN Gateway. Is there an article we can link to?
I'll take the skew I move tomorrow, you can't disassociate IP address from VPN According to a different article
On Fri, Oct 28, 2022, 7:01 PM Tom FitzMacken @.***> wrote:
@brianlehr https://github.com/brianlehr - can you assist us with this issue? I don't see a way through the portal to disassociate a public IP address from a VPN Gateway. Is there an article we can link to?
— Reply to this email directly, view it on GitHub https://github.com/MicrosoftDocs/azure-docs/issues/99969#issuecomment-1295610953, or unsubscribe https://github.com/notifications/unsubscribe-auth/ADXTPAEO6JGPDBNR35SFP3LWFRLKZANCNFSM6AAAAAARFJKAXA . You are receiving this because you were mentioned.Message ID: @.***>
Sorry for the confusion around this documentation. I have added a couple of notes to the supported resource type table that link to the networking guidance. Within that article, I clarified that resources associated with a public IP standard SKU can't be moved, but that VMs can be disassociated from the public IP.
@tfitzmac that is not correct, I moved a VPN gateway containing a standard IP attached to VPN gateway SKU: VpnGw1.
I also moved several machines with Public IPs assigned standard IPs, without disassociating the IP address
Moving IPs between regions is still hard, but moving resources using standard IPs between subscriptions in the same region has gotten easier
@tfitzmac This is still very confusing.
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/move-limitations/networking-move-limitations#dependent-resources
Any resource, including a VPN Gateway, that is associated with a public IP Standard SKU address can't be moved across subscriptions. For virtual machines, you can disassociate the public IP address before moving across subscriptions.
- States VPN Gateways can't be moved
When moving a resource, you must also move its dependent resources (for example - public IP addresses, virtual network gateways, all associated connection resources). Local network gateways can be in a different resource group.
- Implies VPN Gateways can be moved (a virtual network gateway is a VPN Gateway)
VPN Gateways
You cannot move VPN Gateways across subscriptions if they are of Basic SKU. Basic SKU is only meant for test environment usage and doesn't support resource move operation.
- States Basic VPN Gateways can't be moved, but others can
I also noticed in comments that @jonwbstr noted that he tested moving a VPN Gateway and it worked. Is it supported or is it not?
I am facing similar issues while moving my VPN with GW1 SKU between subscription. The document, https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/move-limitations/networking-move-limitations, seem to contradict themselves:
"When moving a resource, you must also move its dependent networking resources. However, any resource that is associated with a Standard SKU public IP address can't be moved across subscriptions. For example, you can't move a VPN Gateway that is associated with a Standard SKU public IP address to a new subscription."
"You can't move VPN Gateways across resource groups or subscriptions if they are of Basic SKU. Basic SKU is only meant for test environment usage and doesn't support resource move operation. A virtual network gateway must always be in the same resource group as its virtual network, they can't be moved separately"
When creating a VpnGw1 SKU VPN, public IP is by default a standard SKU public IP and we cannot change it. How do we move without having to delete and create the VPN again in the new subscription.
Did you try?
On Fri, Jul 7, 2023, 6:39 AM Bigfoot2049 @.***> wrote:
I am facing similar issues while moving my VPN with GW1 SKU between subscription. The document, https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/move-limitations/networking-move-limitations, seem to contradict themselves:
"When moving a resource, you must also move its dependent networking resources. However, any resource that is associated with a Standard SKU public IP address can't be moved across subscriptions. For example, you can't move a VPN Gateway that is associated with a Standard SKU public IP address to a new subscription."
"You can't move VPN Gateways across resource groups or subscriptions if they are of Basic SKU. Basic SKU is only meant for test environment usage and doesn't support resource move operation. A virtual network gateway must always be in the same resource group as its virtual network, they can't be moved separately"
When creating a VpnGw1 SKU VPN, public IP is by default a standard SKU public IP and we can change it. How do we move without having to delete and create the VPN again in the new subscription.
— Reply to this email directly, view it on GitHub https://github.com/MicrosoftDocs/azure-docs/issues/99969#issuecomment-1625216373, or unsubscribe https://github.com/notifications/unsubscribe-auth/ADXTPAHB32WUSDAWFUHNJQLXO7ROXANCNFSM6AAAAAARFJKAXA . You are receiving this because you were mentioned.Message ID: @.***>