| title | Configure a virtual network gateway for ExpressRoute using PowerShell |
|---|---|
| description | Learn how to add, resize, and remove a virtual network gateway for ExpressRoute using Azure PowerShell. This guide covers gateway creation, SKU selection, and configuration steps. |
| services | expressroute |
| author | duongau |
| ms.service | azure-expressroute |
| ms.topic | how-to |
| ms.date | 11/06/2025 |
| ms.author | duau |
| ms.custom | devx-track-azurepowershell |
This article shows you how to add, resize, and remove a virtual network gateway for a preexisting virtual network using PowerShell. The steps apply to virtual networks created with the Resource Manager deployment model for ExpressRoute. For more information, see About ExpressRoute virtual network gateways.
:::image type="content" source="./media/expressroute-howto-add-gateway-portal-resource-manager/gateway-circuit.png" alt-text="Diagram showing an ExpressRoute gateway connected to the ExpressRoute circuit." lightbox="./media/expressroute-howto-add-gateway-portal-resource-manager/gateway-circuit.png":::
Before you begin, make sure you have:
- An Azure account with an active subscription.
- An existing virtual network where you want to create the gateway. For more information, see Create a virtual network using PowerShell.
- Azure PowerShell installed. For more information, see Install Azure PowerShell.
- Sufficient address space in your virtual network for a gateway subnet (/27 or larger).
The following table shows example values used in this article. You can use these values to create a test environment or refer to them to better understand the examples:
| Setting | Value |
|---|---|
| Virtual Network Name | TestVNet |
| Virtual Network address space | 192.168.0.0/16 |
| Resource Group | TestRG |
| Subnet1 Name | FrontEnd |
| Subnet1 address space | 192.168.1.0/24 |
| Gateway Subnet name | GatewaySubnet |
| Gateway Subnet address space | 192.168.200.0/26 |
| Region | West US |
| Gateway Name | GW |
| Gateway IP Name | GWIP |
| Gateway IP configuration Name | gwipconf |
| Type | ExpressRoute |
Important
If you plan to use IPv6-based private peering over ExpressRoute, select an availability zone-enabled SKU (ErGw1Az, ErGw2Az, ErGw3Az) for -GatewaySku, or use a non-availability zone SKU (Standard, HighPerformance, UltraPerformance) with Standard and Static Public IP.
1. Connect to your Azure account.

   ```powershell
   Connect-AzAccount
   ```

1. Declare your variables for this article. Edit the sample values to reflect your configuration:

   ```powershell
   $RG = "TestRG"
   $Location = "West US"
   $GWName = "GW"
   $GWIPName = "GWIP"
   $GWIPconfName = "gwipconf"
   $VNetName = "TestVNet"
   ```

   If you want to create the gateway in an Azure Extended Zone, add the $ExtendedLocation variable:

   ```powershell
   $RG = "TestRG"
   $Location = "West US"
   $ExtendedLocation = "losangeles"
   $GWName = "GW"
   $GWIPName = "GWIP"
   $GWIPconfName = "gwipconf"
   $VNetName = "TestVNet"
   ```
1. Store the virtual network object as a variable:

   ```powershell
   $vnet = Get-AzVirtualNetwork -Name $VNetName -ResourceGroupName $RG
   ```
1. Add a gateway subnet to your virtual network. The gateway subnet must be named GatewaySubnet. The gateway subnet must be /27 or larger (/26, /25, and so on). If you plan to connect 16 ExpressRoute circuits to your gateway, you must create a gateway subnet of /26 or larger:

   ```powershell
   Add-AzVirtualNetworkSubnetConfig -Name GatewaySubnet -VirtualNetwork $vnet -AddressPrefix 192.168.200.0/26
   ```

   If you're using a dual stack virtual network and plan to use IPv6-based private peering over ExpressRoute, create a dual stack gateway subnet instead:

   ```powershell
   Add-AzVirtualNetworkSubnetConfig -Name GatewaySubnet -VirtualNetwork $vnet -AddressPrefix "10.0.0.0/26","ace:daa:daaa:deaa::/64"
   ```
1. Set the configuration:

   ```powershell
   $vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
   ```
1. Store the gateway subnet as a variable:

   ```powershell
   $subnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
   ```
1. (Optional) Request a public IP address for Extended Zone gateways.

   Public IP addresses are no longer required for ExpressRoute gateways, except for Extended Zone gateways. If you want to create the gateway in an Azure Extended Zone, request a public IP address using the -ExtendedLocation parameter:

   ```powershell
   $pip = New-AzPublicIpAddress -Name $GWIPName -ResourceGroupName $RG -Location $Location -ExtendedLocation $ExtendedLocation -AllocationMethod Static -SKU Standard
   ```

   > [!NOTE]
   > - Basic SKU public IP isn't supported with ExpressRoute virtual network gateways.
   > - Creating a public IP is no longer required. Microsoft creates and manages your public IP, which means all ExpressRoute virtual network gateways are created as zone-redundant.
1. Create the IP configuration for your gateway.

   The gateway configuration defines the subnet to use. In this step, you specify the configuration that's used when you create the gateway.

   For standard gateways:

   ```powershell
   $ipconf = New-AzVirtualNetworkGatewayIpConfig -Name $GWIPconfName -Subnet $subnet
   ```

   For Extended Zone gateways:

   ```powershell
   $ipconf = New-AzVirtualNetworkGatewayIpConfig -Name $GWIPconfName -Subnet $subnet -PublicIpAddressId $pip.Id
   ```
1. Create the gateway.

   The -GatewayType parameter must be set to ExpressRoute. The -GatewaySku parameter determines the gateway's performance and features. Gateway creation can take 45 minutes or more to complete.

   Choose the appropriate command based on your gateway SKU:

   For flexible, scalable gateways, use the ErGwScale SKU with the -MinScaleUnit and -MaxScaleUnit parameters.

   Fixed scaling (recommended for predictable workloads):

   When you set the minimum and maximum scale units to the same value, the gateway maintains a fixed bandwidth:

   ```powershell
   New-AzVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG -Location $Location -IpConfigurations $ipconf -GatewayType Expressroute -GatewaySku ErGwScale -MinScaleUnit 2 -MaxScaleUnit 2
   ```

   Autoscaling (recommended for variable workloads):

   When you set different minimum and maximum values, the gateway automatically scales based on traffic:

   ```powershell
   New-AzVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG -Location $Location -IpConfigurations $ipconf -GatewayType Expressroute -GatewaySku ErGwScale -MinScaleUnit 2 -MaxScaleUnit 10
   ```

   > [!IMPORTANT]
   > - When you set the maximum scale unit to 1, the minimum scale unit must also be 1.
   > - Scale units range from 1 to 40.
   > - Each scale unit provides 1 Gbps of bandwidth.

   For more information, see About ExpressRoute scalable gateway.

   For fixed-performance gateways, use one of the traditional SKUs:

   ```powershell
   New-AzVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG -Location $Location -IpConfigurations $ipconf -GatewayType Expressroute -GatewaySku Standard
   ```

   Available SKUs: Standard, HighPerformance, UltraPerformance, ErGw1Az, ErGw2Az, ErGw3Az

   For more information about gateway SKUs, see About ExpressRoute virtual network gateways.

   If you want to create the gateway in an Azure Extended Zone, add the -ExtendedLocation parameter:

   ```powershell
   New-AzVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG -Location $Location -ExtendedLocation $ExtendedLocation -IpConfigurations $ipconf -GatewayType Expressroute -GatewaySku Standard
   ```

   > [!NOTE]
   > To create the gateway in an Azure Extended Zone, you must first request access to the Extended Zone. Once you have access, you can create the gateway.
The following considerations apply when creating a virtual network gateway in an Extended Zone:
- Availability Zones aren't supported in Azure Extended Zones.
- The following SKUs are currently supported in Azure Extended Zones: Standard, HighPerformance, UltraPerformance.
- Local SKU circuit isn't supported with gateways in Azure Extended Zone.
Use the following commands to verify that the gateway has been created:
```powershell
Get-AzVirtualNetworkGateway -ResourceGroupName $RG
```
You can change the gateway SKU to scale up or down the gateway's performance. Use the appropriate command based on your gateway type:
For scalable gateways (ErGwScale SKU), use the Set-AzVirtualNetworkGateway command with the -MinScaleUnit and -MaxScaleUnit parameters:
```powershell
$vng = Get-AzVirtualNetworkGateway -Name <GatewayName> -ResourceGroupName <ResourceGroupName>
Set-AzVirtualNetworkGateway -VirtualNetworkGateway $vng -MinScaleUnit 2 -MaxScaleUnit 10 -GatewaySku ErGwScale
```
You can adjust the scale units to change the gateway's bandwidth and performance. Scale changes can take up to 30 minutes to complete.
For traditional gateway SKUs (Standard, HighPerformance, UltraPerformance, ErGw1Az, ErGw2Az, ErGw3Az), use the Resize-AzVirtualNetworkGateway command:
```powershell
$gw = Get-AzVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG
Resize-AzVirtualNetworkGateway -VirtualNetworkGateway $gw -GatewaySku HighPerformance
```
Note
You can only upgrade within the same SKU family (non-availability zone or availability zone-enabled). For more information, see Upgrade a gateway SKU.
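The limits stated in the creation steps (gateway subnet name and size, ErGwScale scale-unit bounds, Extended Zone SKUs) and the same-family rule for resizing can be checked offline before starting a deployment that takes 45 minutes or more. The following is an added example, not part of the original article or the Az module: `Test-ErGatewayPlan` and its parameters are hypothetical names, it handles IPv4 prefixes only, and it makes no Azure calls.

```powershell
# Added example: Test-ErGatewayPlan is a hypothetical helper, not an Az cmdlet.
# It checks a planned gateway against the limits stated in this article only.
function Test-ErGatewayPlan {
    param(
        [Parameter(Mandatory)][string]$SubnetName,
        [Parameter(Mandatory)][string]$AddressPrefix,  # IPv4 CIDR only
        [Parameter(Mandatory)][string]$GatewaySku,
        [int]$MinScaleUnit,
        [int]$MaxScaleUnit,
        [int]$PlannedCircuits = 1,
        [switch]$ExtendedZone,
        [string]$CurrentSku                             # set when planning a resize
    )
    $nonAz = 'Standard', 'HighPerformance', 'UltraPerformance'
    $az    = 'ErGw1Az', 'ErGw2Az', 'ErGw3Az'
    $problems = [System.Collections.Generic.List[string]]::new()
    if ($SubnetName -ne 'GatewaySubnet') { $problems.Add("Subnet must be named GatewaySubnet.") }

    if ($AddressPrefix -notmatch '^\d{1,3}(\.\d{1,3}){3}/(\d{1,2})$') {
        $problems.Add("'$AddressPrefix' is not an IPv4 CIDR prefix.")
    } else {
        # A larger subnet has a smaller prefix length: /26 is larger than /27.
        $limit = if ($PlannedCircuits -ge 16) { 26 } else { 27 }
        if ([int]$Matches[2] -gt $limit) { $problems.Add("Gateway subnet must be /$limit or larger.") }
    }

    if ($GatewaySku -eq 'ErGwScale') {
        if ($MinScaleUnit -lt 1 -or $MaxScaleUnit -gt 40) { $problems.Add("Scale units range from 1 to 40.") }
        if ($MinScaleUnit -gt $MaxScaleUnit) { $problems.Add("MinScaleUnit cannot exceed MaxScaleUnit.") }
    } elseif ($GatewaySku -notin ($nonAz + $az)) {
        $problems.Add("'$GatewaySku' is not a SKU listed in this article.")
    }

    if ($ExtendedZone -and $GatewaySku -notin $nonAz) {
        $problems.Add("Extended Zones support only: $($nonAz -join ', ').")
    }
    # Resize-AzVirtualNetworkGateway only moves within one SKU family.
    if ($CurrentSku -and $CurrentSku -ne $GatewaySku) {
        $same = ($CurrentSku -in $nonAz -and $GatewaySku -in $nonAz) -or
                ($CurrentSku -in $az -and $GatewaySku -in $az)
        if (-not $same) { $problems.Add("Cannot resize $CurrentSku to ${GatewaySku}: different SKU family.") }
    }
    [pscustomobject]@{ Ok = ($problems.Count -eq 0); Problems = $problems }
}

# This article's sample values: passes.
Test-ErGatewayPlan -SubnetName GatewaySubnet -AddressPrefix 192.168.200.0/26 -GatewaySku ErGwScale -MinScaleUnit 2 -MaxScaleUnit 10
# Constructed failing plan: /27 with 16 circuits, zone-enabled SKU in an Extended Zone.
(Test-ErGatewayPlan -SubnetName GatewaySubnet -AddressPrefix 10.0.0.0/27 -GatewaySku ErGw1Az -PlannedCircuits 16 -ExtendedZone).Problems
```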
If you no longer need the gateway, use the following command to remove it:
```powershell
Remove-AzVirtualNetworkGateway -Name $GWName -ResourceGroupName $RG
```
After you create the virtual network gateway, you can link your virtual network to an ExpressRoute circuit:
Link a virtual network to an ExpressRoute circuit
For more information about ExpressRoute gateways: