Azure Virtual Network Gateway VPN Client Connection Cmdlets: Capacity Examples

Table of Contents

Introduction
Prerequisites
Get-AzVpnClientConnection
Examples
Capacity Considerations
Further Reading

Introduction

This document provides examples and considerations for using Azure PowerShell cmdlets to manage VPN client connections to Azure Virtual Network Gateways, with a focus on capacity-related scenarios.

Azure VPN Gateway enables secure, cross-premises connectivity. Managing VPN client connections involves configuring and monitoring these connections to ensure optimal performance and availability.

Prerequisites

Before you begin, ensure you have the following:

An Azure subscription.
An Azure Virtual Network Gateway deployed and configured for VPN client access.
Azure PowerShell module installed and connected to your Azure account.
Necessary permissions to manage Azure resources.

You can install the Azure PowerShell module using:

Install-Module -Name Az -AllowClobber -Scope CurrentUser

And connect to your Azure account with:

Connect-AzAccount

Get-AzVpnClientConnection

The Get-AzVpnClientConnection cmdlet retrieves information about VPN client connections to an Azure Virtual Network Gateway. This is a crucial cmdlet for monitoring and understanding current connection status, which can inform capacity planning.

Syntax

Get-AzVpnClientConnection
    [-GatewayName <String>]
    [-ResourceGroupName <String>]
    [-SubscriptionId <String>]
    [-DefaultProfile <IAzureContextContainer>]
    [-WhatIf]
    [-Confirm]

Parameters

Name	Description	Required
`-GatewayName`	The name of the Virtual Network Gateway.	No (if `-ResourceGroupName` is provided and there's only one gateway in the RG)
`-ResourceGroupName`	The name of the resource group.	No (if `-GatewayName` is provided and there's only one gateway in the RG)
`-SubscriptionId`	The ID of the subscription.	No

Examples

Here are some common examples demonstrating how to use the Get-AzVpnClientConnection cmdlet.

Example 1: Get all VPN client connections for a specific gateway

Retrieves all active VPN client connections for a Virtual Network Gateway named 'MyVpnGateway' in the resource group 'MyResourceGroup'.

Get-AzVpnClientConnection -ResourceGroupName "MyResourceGroup" -GatewayName "MyVpnGateway"

Example 2: Get connections and filter by specific criteria

This example shows how to get connection details and then potentially filter them further. For instance, you might want to see connections from specific IP addresses or users, though Get-AzVpnClientConnection primarily provides aggregated status.

To get more granular details, you'd often need to look at Network Watcher or logs.

$connections = Get-AzVpnClientConnection -ResourceGroupName "MyResourceGroup" -GatewayName "MyVpnGateway"
$connections | Where-Object { $_.ConnectionStatus -eq "Connected" }

Example 3: Counting active connections

A common capacity-related task is to know the number of active connections. This example counts them.

$connectedCount = (Get-AzVpnClientConnection -ResourceGroupName "MyResourceGroup" -GatewayName "MyVpnGateway").Count
Write-Host "Number of active VPN client connections: $connectedCount"

Example 4: Getting connections from all gateways in a resource group

If you manage multiple VPN gateways within a resource group, you can retrieve connections from all of them.

Get-AzVirtualNetworkGateway -ResourceGroupName "MyResourceGroup" | ForEach-Object {
    $gatewayName = $_.Name
    Write-Host "--- Connections for Gateway: $gatewayName ---"
    Get-AzVpnClientConnection -ResourceGroupName "MyResourceGroup" -GatewayName $gatewayName
}

Capacity Considerations

Understanding the capacity limits of your Azure VPN Gateway is crucial for ensuring reliable VPN client connectivity. The Get-AzVpnClientConnection cmdlet helps you monitor current usage against these limits.

Key Metrics to Monitor:

Number of Active Connections: Each VPN Gateway SKU has a limit on the number of concurrent connections it can support. Exceeding this limit will result in new connection attempts failing.
Throughput: The gateway SKU also dictates the maximum aggregate bandwidth for all connections. High traffic volumes from connected clients can saturate the gateway's throughput.

Using Cmdlets for Capacity Planning:

Regular Monitoring: Schedule scripts to run Get-AzVpnClientConnection periodically to track the number of connections over time.
Peak Usage Analysis: Analyze connection counts during peak hours or specific events to understand maximum demand.
Alerting: Integrate the output of these cmdlets into Azure Monitor or custom alerting solutions. For example, trigger an alert if the connection count exceeds 80% of the SKU's limit.

Note: The specific connection limits and throughput capabilities depend on the Azure VPN Gateway SKU you have deployed (e.g., Basic, VpnGw1, VpnGw2, VpnGw3, VpnGw4, VpnGw5, VpnGw1AZ, etc.). Always refer to the official Azure VPN Gateway pricing and performance documentation for the exact limits of your SKU.

Important: The Get-AzVpnClientConnection cmdlet primarily shows the number of established client connections. It does not directly provide detailed per-client bandwidth usage. For detailed throughput monitoring, consider using Azure Monitor metrics for the VPN Gateway, which offer insights into aggregate ingress/egress data.

Scaling Your VPN Gateway

If you consistently approach your gateway's capacity limits, you may need to scale up:

Upgrade SKU: Transition to a higher-tier VPN Gateway SKU (e.g., from VpnGw1 to VpnGw2) which offers more concurrent connections and higher throughput.
Add Gateway Instances: For active-active configurations or higher availability SKUs (like AZ SKUs), you might be able to scale by adding more instances within the same SKU, though this is more for redundancy and high availability than raw connection count scaling beyond the SKU's limit.