Unable to Migrate VPN Gateway from Dynamic Basic Public IP to Static Standard SKU – Guidance Needed

GOPINATH M 60 Reputation points
2025-09-03T11:56:24.9+00:00

As everyone is aware, Basic Public IPs are being deprecated.

I currently have a VPN Gateway configured in active-active mode, using two dynamic Basic Public IPs. Here's the issue I'm encountering:

When attempting to migrate to Standard SKU, I receive the following error:

"Failed to prepare for migration to Standard IP-based deployment. Error: Currently upgrading deployment to Standard IP is not enabled for this gateway resource."

Additionally, I’m unable to disassociate the Basic IPs from the VPN Gateway.

Since this environment is in production, I’d like to avoid deleting and recreating the VPN Gateway from scratch.

Question:

Is there any supported or recommended method to upgrade from dynamic Basic IPs to static Standard IPs for an existing VPN Gateway, without disrupting the current deployment?

Any guidance, workaround, or roadmap information would be highly appreciated.

Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.

2 answers

  1. Michele Ariis 6,260 Reputation points MVP
    2025-09-03T12:05:22.32+00:00

    Hi, there is no in-place upgrade from Basic (dynamic) to Standard (static) on VPN Gateway, nor can you detach the PIPs. To avoid downtime, create a staging gateway with static Standard PIPs (active-active with 2 IPs), set up parallel tunnels from on-prem, connect to the production VNet (peering with transit or vWAN gateway), then delete the old gateway, recreate the definitive one in prod with Standard PIPs and move the tunnels. If you accept a short window, do delete/recreate directly. Keep PSK/IKE and BGP/ASN consistent and pre-align the allowlist with the new IPs.

    1 person found this answer helpful.
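
An added example, not part of the answer above and not Microsoft tooling: a Python sketch that inventories which gateways still hold Basic SKU public IPs and works out the allowlist changes for the cutover the answer describes. It assumes input in the shape of `az network public-ip list -o json` (fields `sku.name`, `ipAddress`, `ipConfiguration.id`); the sample data, resource names, addresses and function names are constructed for illustration.

```python
import json
from collections import defaultdict

GW = "/subscriptions/0000/resourceGroups/rg-net/providers/Microsoft.Network/virtualNetworkGateways/"
# Constructed sample, trimmed to the fields used below. Not real resources.
SAMPLE_PIPS = json.loads("""[
 {"name": "gw-pip-1", "ipAddress": "203.0.113.10", "sku": {"name": "Basic"},
  "ipConfiguration": {"id": "%(gw)sprod-vpngw/ipConfigurations/default"}},
 {"name": "gw-pip-2", "ipAddress": "203.0.113.11", "sku": {"name": "Basic"},
  "ipConfiguration": {"id": "%(gw)sprod-vpngw/ipConfigurations/activeActive"}},
 {"name": "stg-pip-1", "ipAddress": "198.51.100.20", "sku": {"name": "Standard"},
  "ipConfiguration": {"id": "%(gw)sstaging-vpngw/ipConfigurations/default"}},
 {"name": "vm-pip", "ipAddress": "192.0.2.5", "sku": {"name": "Basic"},
  "ipConfiguration": {"id": "/subscriptions/0000/resourceGroups/rg-app/providers/Microsoft.Network/networkInterfaces/vm-nic/ipConfigurations/ipconfig1"}},
 {"name": "orphan-pip", "ipAddress": null, "sku": {"name": "Basic"}, "ipConfiguration": null}
]""" % {"gw": GW})

def gateway_of(pip):
    """Name of the virtual network gateway a public IP is bound to, or None."""
    cfg_id = (pip.get("ipConfiguration") or {}).get("id", "")
    parts = cfg_id.split("/")
    lowered = [p.lower() for p in parts]  # ARM resource IDs are case-insensitive
    if "virtualnetworkgateways" in lowered:
        idx = lowered.index("virtualnetworkgateways")
        if idx + 1 < len(parts):
            return parts[idx + 1]
    return None

def basic_gateway_ips(pips):
    """Map gateway name -> [(pip name, address)] for IPs still on the Basic SKU."""
    found = defaultdict(list)
    for pip in pips:
        gw = gateway_of(pip)
        sku = (pip.get("sku") or {}).get("name", "")
        if gw and sku.lower() == "basic":
            found[gw].append((pip["name"], pip.get("ipAddress")))
    return dict(found)

def allowlist_changes(old_ips, new_ips, allowlist):
    """Peer entries to add before cutover, and to remove once the old gateway is gone."""
    add = sorted(set(new_ips) - set(allowlist))
    remove = sorted(set(old_ips) & set(allowlist))
    return add, remove

if __name__ == "__main__":
    for gw, ips in basic_gateway_ips(SAMPLE_PIPS).items():
        mode = "active-active" if len(ips) == 2 else "single IP"
        print(f"{gw}: {len(ips)} Basic public IP(s) ({mode}): {ips}")
```

Removing the old gateway addresses from the on-premises allowlist after the tunnels have moved matters as much as adding the new ones, because a released dynamic Basic IP can later be assigned to another tenant.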

  2. TP 145.2K Reputation points Volunteer Moderator
    2025-09-03T12:07:14.1466667+00:00

    Hi,

    The deadline for Basic SKU Public IPs when used with VPN Gateway is end of January 2026, so you still have time.

    According to the current timeline article, the tentative timeline for the migration tool for Active-Active VPN Gateway is end of September 2025. In other words, the tool for migrating active-active isn't ready yet, which is why you are seeing the error during prepare.

    Please click Accept Answer and upvote if the above was helpful.

    Thanks.

    -TP

    1 person found this answer helpful.
