Action required: Migrate your VPN Gateway to Standard Public IP

CSq Support 0 Reputation points

Hi, I'm trying to get a VPN standard SKU VPN gateway with basic IP address updated to use a standard SKU and use the migration process. This seems to fail and says I don't have permission (global admin). I then read that this seems to be a common issue. I tried the PowerShell commands to migrate the IP SKU but that doesn't seem to work. The real question is: will Microsoft not just automatically migrate the SKU to standard and retain the IP come migration day?

Many thanks


2 answers

  1. Thanmayi Godithi 10,655 Reputation points • Microsoft External Staff • Moderator

    Hi CSq Support ,

    Thank you for reaching out on Microsoft Q&A forum.

    The behavior you’re seeing is expected based on how Azure handles the migration from Basic SKU Public IP to Standard SKU for VPN Gateways.

    1. Why migration is failing (permission error)

    Even if you are a Global Admin, migration requires Azure RBAC permissions on the resource itself (such as Owner or Network Contributor on the subscription/resource group). Global Admin alone does not grant resource-level permissions, which is why you may see permission-related errors.

    Additionally, the migration can fail if prerequisites are not met, for example:

    • Gateway subnet must have sufficient free IPs (at least /27 recommended)
    • Migration feature must be available in your region
    • Gateway must be in a supported SKU/state

    Refer:

    2. Will Microsoft automatically migrate and retain the IP?
    • No — Microsoft does not automatically migrate your VPN Gateway Public IP SKU on your behalf.
    • Migration must be initiated by the customer using the built-in migration tool (Portal / PowerShell / CLI)
    • The migration tool is designed to preserve the same public IP address (no change to VPN configurations) if completed successfully

    3. Important context about deprecation
    • Basic SKU Public IPs have been retired (Sept 30, 2025)
    • Continuing to use them long-term is not supported, and migration is required to maintain supportability and reliability.

    Kindly let us know if the above helps or you need further assistance on this issue.

    If the answer is helpful, please "Accept the answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    1. Ganesh Patapati 11,915 Reputation points • Microsoft External Staff • Moderator

      Hi CSq Support

      I see Thanmayi Godithi has addressed your queries.

      Just checking in to see if the information was helpful. If you have any further updates on this issue, please feel free to post back.

      Please don’t forget to close the thread by clicking Accept the answer wherever the information provided helps you, as this can be beneficial to other community members.


  2. AI answer

    Microsoft will attempt automatic migration only in specific cases and it is not guaranteed to succeed or preserve the gateway if prerequisites are not met.

    From the documented behavior:

    • For VPN gateways using Basic public IPs, the required path is to use the Basic IP migration tool to move from Basic to Standard public IP for VPN Gateway. This tool also upgrades the gateway to the next-generation (Gen2) and AZ-supported SKUs; no separate Gen2 migration is required.
    • After Jun 2026, Microsoft will attempt to automatically migrate gateways that still use the retired Standard or High Performance gateway SKUs:
      • Standard → VpnGw1AZ
      • High Performance → VpnGw2AZ
    • If automatic migration encounters constraints (for example, insufficient gateway subnet size), the automatic migration cannot be completed. In that case, manual action is required, and the portal-based migration remains the supported path.
    • Documentation explicitly recommends using the Basic IP migration tool to retain the existing IP address. Relying on backend/automatic migration is not the prescribed way to ensure IP retention.

    Therefore:

    • To ensure the IP address is retained, the supported and recommended approach is to complete the Basic → Standard public IP migration using the VPN Gateway migration tool (portal or PowerShell), not to wait and rely on automatic backend migration.
    • If the migration is failing with a permissions error even as a global admin, this is not covered in the provided documentation. The guidance in context is to follow the documented migration steps (portal or PowerShell) and ensure prerequisites such as sufficient free IPs in the gateway subnet are met. For unresolved permission issues, opening a support case with Microsoft would be required.

    Regarding downtime:

    • For the Basic IP → Standard IP migration via the VPN Gateway migration tool, the portal documentation states there is about 5 minutes of downtime during the migrate step, and configuration changes are blocked during that time.
    • For the later SKU consolidation (Standard/High Performance → VpnGw1AZ/VpnGw2AZ), the FAQ states that migration is seamless with no expected downtime.

    References:

    AI-generated content may be incorrect. Read our transparency notes for more information.
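
The prerequisites named in the answers above (an Azure RBAC role such as Owner or Network Contributor on the resource group or subscription, a gateway subnet of /27 or larger, and the gateway's SKU and state) can be checked read-only before starting the migration. This is an added example, not part of the thread or of Microsoft's documentation; it assumes the Az PowerShell module with an active `Connect-AzAccount` session, and the three parameter defaults are placeholders.

```powershell
# Added example: read-only pre-flight checks before a Basic -> Standard public IP migration.
# The three parameter defaults are placeholders (assumptions), not values from the thread.
param(
    [string]$ResourceGroup = '<gateway-resource-group>',
    [string]$GatewayName   = '<vpn-gateway-name>',
    [string]$SignInName    = '<user@example.com>'
)
$ErrorActionPreference = 'Stop'

$gw = Get-AzVirtualNetworkGateway -ResourceGroupName $ResourceGroup -Name $GatewayName

# RBAC: Global Administrator is a Microsoft Entra directory role, not an Azure RBAC role.
# This lists assignments at the resource group and the scopes it inherits from;
# roles held only through group membership may not appear here.
$rbac = Get-AzRoleAssignment -SignInName $SignInName -ResourceGroupName $ResourceGroup |
    Where-Object { $_.RoleDefinitionName -in 'Owner', 'Network Contributor' }

# Public IP SKU for each gateway IP configuration.
# Resource IDs are split on '/': index 4 is the resource group, the last item is the name.
$publicIps = foreach ($cfg in $gw.IpConfigurations) {
    $parts = $cfg.PublicIpAddress.Id -split '/'
    $pip   = Get-AzPublicIpAddress -ResourceGroupName $parts[4] -Name $parts[-1]
    [pscustomobject]@{ Name = $pip.Name; Address = $pip.IpAddress; Sku = $pip.Sku.Name }
}

# Gateway subnet size: the answer recommends /27 or larger (a smaller prefix number).
$subnetParts  = $gw.IpConfigurations[0].Subnet.Id -split '/'
$vnet         = Get-AzVirtualNetwork -ResourceGroupName $subnetParts[4] -Name $subnetParts[8]
$subnet       = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetParts[-1]
$prefix       = [string]($subnet.AddressPrefix | Select-Object -First 1)
$prefixLength = [int]$prefix.Split('/')[1]

# Summary: anything false or unexpected here should be fixed before migrating.
[pscustomobject]@{
    HasRequiredRbacRole     = [bool]$rbac
    RbacRolesFound          = $rbac.RoleDefinitionName -join ', '
    GatewaySku              = $gw.Sku.Name
    ProvisioningState       = $gw.ProvisioningState
    PublicIps               = $publicIps
    GatewaySubnetPrefix     = $prefix
    SubnetIsSlash27OrLarger = $prefixLength -le 27
}
```

If `HasRequiredRbacRole` is false for an account that is a Global Administrator, that matches the permission error described in the question: the directory role is present but no RBAC role is assigned at the resource scope.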