Configure a virtual network gateway for ExpressRoute using PowerShell

This article shows you how to add, resize, and remove a virtual network gateway for a preexisting virtual network using PowerShell. The steps apply to virtual networks created with the Resource Manager deployment model for ExpressRoute. For more information, see About ExpressRoute virtual network gateways.

Prerequisites

Before you begin, make sure you have:

An Azure account with an active subscription.
An existing virtual network where you want to create the gateway. For more information, see Create a virtual network using PowerShell.
Azure PowerShell installed. For more information, see Install Azure PowerShell.
Sufficient address space in your virtual network for a gateway subnet (/27 or larger).

Example configuration values

The following table shows example values used in this article. You can use these values to create a test environment or refer to them to better understand the examples:

Setting	Value
Virtual Network Name	TestVNet
Virtual Network address space	192.168.0.0/16
Resource Group	TestRG
Subnet1 Name	FrontEnd
Subnet1 address space	192.168.1.0/24
Subnet1 Name	FrontEnd
Gateway Subnet name	GatewaySubnet
Gateway Subnet address space	192.168.200.0/26
Region	China East
Gateway Name	GW
Gateway IP Name	GWIP
Gateway IP configuration Name	gwipconf
Type	ExpressRoute

Add a gateway

Important

If you plan to use IPv6-based private peering over ExpressRoute, select an availability zone-enabled SKU (ErGw1Az, ErGw2Az, ErGw3Az) for -GatewaySku, or use a non-availability zone SKU (Standard, HighPerformance, UltraPerformance) with Standard and Static Public IP.

Connect to your Azure account.

Connect-AzAccount -Environment AzureChinaCloud

Declare your variables for this article. Edit the sample values to reflect your configuration:

$RG = "TestRG"
$Location = "China East"
$GWName = "GW"
$GWIPName = "GWIP"
$GWIPconfName = "gwipconf"
$VNetName = "TestVNet"

Store the virtual network object as a variable:

$vnet = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $RG

Add a gateway subnet to your virtual network. The gateway subnet must be named GatewaySubnet. The gateway subnet must be /27 or larger (/26, /25, and so on). If you plan to connect 16 ExpressRoute circuits to your gateway, you must create a gateway subnet of /26 or larger:
```
Add-AzVirtualNetworkSubnetConfig -Name GatewaySubnet -VirtualNetwork $vnet -AddressPrefix 192.168.200.0/26
```
If you're using a dual stack virtual network and plan to use IPv6-based private peering over ExpressRoute, create a dual stack gateway subnet instead:
```
Add-AzVirtualNetworkSubnetConfig -Name GatewaySubnet -VirtualNetwork $vnet -AddressPrefix "10.0.0.0/26","ace:daa:daaa:deaa::/64"
```

Set the configuration:

$vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet

Store the gateway subnet as a variable:
```
$subnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
```
Public IP addresses are no longer required for ExpressRoute gateways.
```
$pip = New-AzPublicIpAddress -Name $GWIPName  -ResourceGroupName $RG -Location $Location -AllocationMethod Static -SKU Standard
```
Note
- Basic SKU public IP isn't supported with ExpressRoute virtual network gateways.
- Creating a public IP is no longer required. Microsoft creates and manages your public IP, which means all ExpressRoute virtual network gateways are created as zone-redundant.
Create the IP configuration for your gateway.

The gateway configuration defines the subnet to use. In this step, you specify the configuration that's used when you create the gateway.

For standard gateways:
```
$ipconf = New-AzVirtualNetworkGatewayIpConfig -Name $GWIPconfName -Subnet $subnet 
```
Create the gateway.

The -GatewayType parameter must be set to ExpressRoute. The -GatewaySku parameter determines the gateway's performance and features. Gateway creation can take 45 minutes or more to complete.

Choose the appropriate command based on your gateway SKU:
- ErGwScale SKU (Scalable Gateway)
- Traditional SKUs
For flexible, scalable gateways, use the ErGwScale SKU with the -MinScaleUnit and -MaxScaleUnit parameters.

Fixed scaling (recommended for predictable workloads):

When you set the minimum and maximum scale units to the same value, the gateway maintains a fixed bandwidth:
```
New-AzVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG -Location $Location -IpConfigurations $ipconf -GatewayType Expressroute -GatewaySku ErGwScale -MinScaleUnit 2 -MaxScaleUnit 2
```
Autoscaling (recommended for variable workloads):

When you set different minimum and maximum values, the gateway automatically scales based on traffic:
```
New-AzVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG -Location $Location -IpConfigurations $ipconf -GatewayType Expressroute -GatewaySku ErGwScale -MinScaleUnit 2 -MaxScaleUnit 10
```
Important
- When you set the maximum scale unit to 1, the minimum scale unit must also be 1.
- Scale units range from 1 to 40.
- Each scale unit provides 1 Gbps of bandwidth.
For more information, see About ExpressRoute scalable gateway.
For fixed-performance gateways, use one of the traditional SKUs:
```
New-AzVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG -Location $Location -IpConfigurations $ipconf -GatewayType Expressroute -GatewaySku Standard
```
Available SKUs: Standard, HighPerformance, UltraPerformance, ErGw1Az, ErGw2Az, ErGw3Az

For more information about gateway SKUs, see About ExpressRoute virtual network gateways.

Verify the gateway was created

Use the following commands to verify that the gateway has been created:

Get-AzVirtualNetworkGateway -ResourceGroupName $RG

Resize a gateway

You can change the gateway SKU to scale up or down the gateway's performance. Use the appropriate command based on your gateway type:

ErGwScale SKU
Traditional SKUs

For scalable gateways (ErGwScale SKU), use the Set-AzVirtualNetworkGateway command with the -MinScaleUnit and -MaxScaleUnit parameters:

$vng = Get-AzVirtualNetworkGateway -Name <GatewayName> -ResourceGroupName <ResourceGroupName>
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $vng -MinScaleUnit 2 -MaxScaleUnit 10 -GatewaySku ErGwScale

You can adjust the scale units to change the gateway's bandwidth and performance. Scale changes can take up to 30 minutes to complete.

For traditional gateway SKUs (Standard, HighPerformance, UltraPerformance, ErGw1Az, ErGw2Az, ErGw3Az), use the Resize-AzVirtualNetworkGateway command:

$gw = Get-AzVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG
Resize-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -GatewaySku HighPerformance

Note

You can only upgrade within the same SKU family (non-availability zone or availability zone-enabled). For more information, see Upgrade a gateway SKU.

Clean up resources

If you no longer need the gateway, use the following command to remove it:

Remove-AzVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG

Next steps

After you create the virtual network gateway, you can link your virtual network to an ExpressRoute circuit:

Link a virtual network to an ExpressRoute circuit

For more information about ExpressRoute gateways:

Last updated on 2025-11-25