![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(44.800000000000004, 62%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EV0%3C/text%3E%3C/svg%3E)
Azure Virtual Network
An Azure networking service that is used to provision private networks and optionally to connect to on-premises datacenters.
Welcome to Microsoft Q&A
Hello @VishalKulkarni-0961 I hope you are doing well,
To answer your question directly: No, migrating the VPN Gateway Public IP from Basic to Standard SKU using the native migration process will not alter your Virtual Network (VNet) address space, nor will it affect the private IP addresses assigned to any resources within that VNet.
Here is the technical breakdown of what actually occurs during the migration:
VNet and Subnet Integrity: The migration operates strictly on the external networking edge (the Public IP and the VPN Gateway compute instances). Your internal VNet architecture, peering connections, and private IP allocations remain completely untouched.
Public IP Retention: If you use the official Migrate to Standard IP feature in the Azure Portal or via Azure PowerShell, your existing Public IP address is preserved. Even if your Basic IP was previously allocated dynamically, the migration process automatically locks it in as a Static assignment on the new Standard SKU without changing the actual IP address. This prevents you from having to update your on-premises firewall configurations.
Gateway SKU Upgrade: As part of the migration, the backend Azure compute instances hosting your VPN Gateway are upgraded to an Availability Zone (AZ) aware SKU (for example, VpnGw1 becomes VpnGw1AZ).
- Gateway Subnet Requirement: While the VNet is not negatively affected, you must ensure your GatewaySubnet has enough available IP addresses to facilitate the background instance swap. If your GatewaySubnet is /28 or smaller, you will need to add an additional prefix to it before the migration tool will allow you to proceed.
The only impact you will observe is a brief 5 to 10-minute tunnel disconnection during the Execute phase of the migration as the IPsec tunnels fail over to the new Standard SKU infrastructure. Key tecnical requirements and impacts https://learn.microsoft.com/en-us/azure/vpn-gateway/basic-public-ip-migrate-about
Key tecnical requirements and impacts
| Item | Impact / requirement |
|---|---|
| Must have ≥3 available IPs in the prefix for migration validation; if your GatewaySubnet is /28 or smaller, add a prefix or expand to /27 before migrating. | |
| -------- | -------- |
| Must have ≥3 available IPs in the prefix for migration validation; if your GatewaySubnet is /28 or smaller, add a prefix or expand to /27 before migrating. | |
| -------- | |
| GatewaySubnet size | Must have ≥3 available IPs in the prefix for migration validation; if your GatewaySubnet is /28 or smaller, add a prefix or expand to /27 before migrating. |
| Downtime | Short interruption during Execute step — typically 5–10 minutes while instances are swapped. Plan maintenance windows. |
| IP retention | Public IP value preserved; migration locks dynamic Basic IP into a static Standard IP. |
| Duration | Full migration (prepare → execute → commit) can take up to ~2 hours depending on environment; individual steps have typical durations (prepare ~40m, execute 5–10m, commit ~30m). |
Recommended pre‑migration checklist
- Verify GatewaySubnet free addresses: confirm at least three free IPs; if not, add an additional prefix or enlarge the subnet.
- Export current configuration: save gateway and public IP resource JSON and current VPN tunnel configs.
- Notify stakeholders: schedule a maintenance window for the 5–10 minute interruption.
- Run portal validation: use the VPN Gateway → Configuration → Migrate workflow; fix any prerequisites flagged by validation.
- Test post‑migration: validate tunnels, BGP (if used), and connectivity after Commit completes.
Risks, tradeoffs, and mitigation
- Risk: insufficient GatewaySubnet IPs will block migration validation. Mitigation: expand subnet or add prefix before starting.
- Risk: brief tunnel downtime may affect production traffic. Mitigation: schedule during low‑traffic window and have failover/backup plans.
- Tradeoff: migration may convert gateway to AZ SKU (improves availability) but may change underlying instance topology — validate any downstream automation that depends on exact SKU names.
If my answer helped you resolve your issue, please consider marking it as the correct answer. This helps others in the community find solutions more easily. Thanks!
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 52%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVS%3C/text%3E%3C/svg%3E)
and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.