Home / Documentation / Azure / Reference / PowerShell / Azure Virtual Network Gateway VPN Client Connection Cmdlets

Azure Virtual Network Gateway VPN Client Connection Cmdlets

This document provides a comprehensive reference for PowerShell cmdlets used to manage VPN client connections for Azure Virtual Network Gateways. These cmdlets allow you to configure, monitor, and troubleshoot VPN client connectivity for your Azure Virtual Network.

Overview

Azure Virtual Network Gateways facilitate secure connections to your virtual network. VPN client connections enable individual users or devices to connect to your Azure VNet over the public internet using a VPN client. The PowerShell cmdlets detailed here are part of the Az.Network module (or earlier AzureRM.Network).

Key Cmdlets

The following table lists the primary cmdlets for managing VPN client connections. Click on a cmdlet name for detailed parameter information and examples.

Cmdlet	Description	Module
`Get-AzVirtualNetworkGatewayVpnClientConnection`	Retrieves the VPN client connection configuration for a virtual network gateway.	Az.Network
`Set-AzVirtualNetworkGatewayVpnClientConnection`	Configures VPN client connection settings for a virtual network gateway.	Az.Network
`Add-AzVirtualNetworkGatewayVpnClientRootCertificate`	Adds a root certificate for VPN client authentication.	Az.Network
`Remove-AzVirtualNetworkGatewayVpnClientRootCertificate`	Removes a root certificate used for VPN client authentication.	Az.Network
`Get-AzVirtualNetworkGatewayVpnClientRevokedCertificate`	Retrieves revoked client certificates for a virtual network gateway.	Az.Network
`Add-AzVirtualNetworkGatewayVpnClientRevokedCertificate`	Adds a certificate to the revoked list for VPN client authentication.	Az.Network
`Remove-AzVirtualNetworkGatewayVpnClientRevokedCertificate`	Removes a certificate from the revoked list.	Az.Network
`Get-AzVirtualNetworkGatewayVpnClientIpConfiguration`	Retrieves the VPN client IP configuration details.	Az.Network
`Set-AzVirtualNetworkGatewayVpnClientIpConfiguration`	Configures the VPN client IP address pool.	Az.Network

Common Scenarios

1. Retrieving VPN Client Configuration

To view the current VPN client settings for your gateway:


Get-AzVirtualNetworkGatewayVpnClientConnection -VirtualNetworkGatewayName "myGateway" -ResourceGroupName "myResourceGroup"

2. Configuring VPN Client Settings

To enable IKEv2 and specify a DNS server for VPN clients:


# Get the existing gateway
$gateway = Get-AzVirtualNetworkGateway -VirtualNetworkGatewayName "myGateway" -ResourceGroupName "myResourceGroup"

# Configure VPN client settings
Set-AzVirtualNetworkGatewayVpnClientConnection -VirtualNetworkGateway $gateway -VpnClientIpPoolAddressRange "10.0.0.0/24" -VpnClientProtocols "Ikev2" -VpnClientDnsServers "10.0.0.5", "8.8.8.8"

# Update the gateway to apply the changes
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gateway

3. Managing Root Certificates for Authentication

You can use root certificates to authenticate VPN clients. This often involves uploading the certificate's public key.

Adding a Root Certificate:


Add-AzVirtualNetworkGatewayVpnClientRootCertificate -VirtualNetworkGatewayName "myGateway" -ResourceGroupName "myResourceGroup" -Name "RootCert1" -PublicCertData "MIIDhzCC...XYZ"

Removing a Root Certificate:


Remove-AzVirtualNetworkGatewayVpnClientRootCertificate -VirtualNetworkGatewayName "myGateway" -ResourceGroupName "myResourceGroup" -Name "RootCert1"

Cmdlet Details

`Get-AzVirtualNetworkGatewayVpnClientConnection`

Description: Retrieves the VPN client connection configuration of a virtual network gateway.

Parameters:

-VirtualNetworkGatewayName <String>: The name of the virtual network gateway.
-ResourceGroupName <String>: The name of the resource group.
-GatewayVpnClientConnectionConfiguration <GatewayVpnClientConnectionConfiguration>: The gateway VPN client connection configuration object.

Example:


Get-AzVirtualNetworkGatewayVpnClientConnection -VirtualNetworkGatewayName "myVpnGateway" -ResourceGroupName "rg-network"

`Set-AzVirtualNetworkGatewayVpnClientConnection`

Description: Configures VPN client connection settings for a virtual network gateway.

Parameters:

-VirtualNetworkGateway <VirtualNetworkGateway>: The virtual network gateway object.
-VpnClientIpPoolAddressRange <String[]>: Specifies the IP address range from which the VPN client IP address is assigned.
-VpnClientProtocols <VpnClientProtocol[]>: Specifies the VPN client protocols that are enabled. Possible values are Ikev1, Ikev2, and VpnClientProtocolType.OpenVPN.
-VpnClientDnsServers <String[]>: Specifies the DNS servers to be used by the VPN clients.

Example:


$gw = Get-AzVirtualNetworkGateway -Name "myVpnGateway" -ResourceGroupName "rg-network"
Set-AzVirtualNetworkGatewayVpnClientConnection -VirtualNetworkGateway $gw -VpnClientIpPoolAddressRange "192.168.100.0/24" -VpnClientProtocols "Ikev2"
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gw

`Add-AzVirtualNetworkGatewayVpnClientRootCertificate`

Description: Adds a root certificate to the virtual network gateway for VPN client authentication.

Parameters:

-VirtualNetworkGatewayName <String>: The name of the virtual network gateway.
-ResourceGroupName <String>: The name of the resource group.
-Name <String>: The name for the root certificate.
-PublicCertData <String>: The public certificate data, typically in Base64 encoded X.509 format.

Example:


Add-AzVirtualNetworkGatewayVpnClientRootCertificate -VirtualNetworkGatewayName "myVpnGateway" -ResourceGroupName "rg-network" -Name "MyCompanyRootCA" -PublicCertData "MIIDvzCCA...ABC"

`Remove-AzVirtualNetworkGatewayVpnClientRootCertificate`

Description: Removes a root certificate from the virtual network gateway.

Parameters:

-VirtualNetworkGatewayName <String>: The name of the virtual network gateway.
-ResourceGroupName <String>: The name of the resource group.
-Name <String>: The name of the root certificate to remove.

Example:


Remove-AzVirtualNetworkGatewayVpnClientRootCertificate -VirtualNetworkGatewayName "myVpnGateway" -ResourceGroupName "rg-network" -Name "MyCompanyRootCA"

`Get-AzVirtualNetworkGatewayVpnClientRevokedCertificate`

Description: Retrieves a list of revoked client certificates for a virtual network gateway.

Parameters:

-VirtualNetworkGatewayName <String>: The name of the virtual network gateway.
-ResourceGroupName <String>: The name of the resource group.
-Name <String>: The name of the revoked certificate to retrieve (optional).

Example:


Get-AzVirtualNetworkGatewayVpnClientRevokedCertificate -VirtualNetworkGatewayName "myVpnGateway" -ResourceGroupName "rg-network"

`Add-AzVirtualNetworkGatewayVpnClientRevokedCertificate`

Description: Adds a certificate to the revoked list for VPN client authentication.

Parameters:

-VirtualNetworkGatewayName <String>: The name of the virtual network gateway.
-ResourceGroupName <String>: The name of the resource group.
-Name <String>: The name for the revoked certificate.
-Thumbprint <String>: The thumbprint of the certificate to revoke.

Example:


Add-AzVirtualNetworkGatewayVpnClientRevokedCertificate -VirtualNetworkGatewayName "myVpnGateway" -ResourceGroupName "rg-network" -Name "RevokedCert456" -Thumbprint "A1B2C3D4E5F67890ABCDEF1234567890ABCDEF12"

`Remove-AzVirtualNetworkGatewayVpnClientRevokedCertificate`

Description: Removes a certificate from the revoked list.

Parameters:

-VirtualNetworkGatewayName <String>: The name of the virtual network gateway.
-ResourceGroupName <String>: The name of the resource group.
-Name <String>: The name of the revoked certificate to remove.

Example:


Remove-AzVirtualNetworkGatewayVpnClientRevokedCertificate -VirtualNetworkGatewayName "myVpnGateway" -ResourceGroupName "rg-network" -Name "RevokedCert456"

`Get-AzVirtualNetworkGatewayVpnClientIpConfiguration`

Description: Retrieves the VPN client IP configuration details for a virtual network gateway.

Parameters:

-VirtualNetworkGatewayName <String>: The name of the virtual network gateway.
-ResourceGroupName <String>: The name of the resource group.

Example:


Get-AzVirtualNetworkGatewayVpnClientIpConfiguration -VirtualNetworkGatewayName "myVpnGateway" -ResourceGroupName "rg-network"

`Set-AzVirtualNetworkGatewayVpnClientIpConfiguration`

Description: Configures the VPN client IP address pool for a virtual network gateway.

Parameters:

-VirtualNetworkGatewayName <String>: The name of the virtual network gateway.
-ResourceGroupName <String>: The name of the resource group.
-VpnClientIpPoolAddressRange <String[]>: Specifies the IP address range from which VPN client IP addresses are assigned.

Example:


Set-AzVirtualNetworkGatewayVpnClientIpConfiguration -VirtualNetworkGatewayName "myVpnGateway" -ResourceGroupName "rg-network" -VpnClientIpPoolAddressRange "10.1.0.0/24"

Further Information

For detailed parameter descriptions, advanced configurations, and troubleshooting tips, please refer to the official Azure PowerShell documentation.