Merge pull request #312508 from raboilla/patch-47

Revise migration guide for Basic SKU to Standard SKU to include LegacyDNS and A-A

Author: prmerger-automator[bot]

articles/vpn-gateway/basic-public-ip-migrate-howto.md

@@ -12,10 +12,10 @@ ms.author: cherylmc
 
 # How to migrate a Basic SKU public IP address to Standard SKU for VPN Gateway 
 
-This article helps you migrate a Basic SKU public IP address to a Standard SKU for VPN Gateway deployments that use gateway SKUs VpnGw 1-5 for active-passive gateways (not active-active). For more information about Basic SKU migration, see [About migrating a Basic SKU public IP address to Standard SKU for VPN Gateway](basic-public-ip-migrate-about.md).
+This article helps you migrate a Basic SKU public IP address to a Standard SKU for VPN Gateway deployments that use gateway SKUs VpnGw 1-5. For more information about Basic SKU migration, see [About migrating a Basic SKU public IP address to Standard SKU for VPN Gateway](basic-public-ip-migrate-about.md).
 
 > [!IMPORTANT]
-> Basic SKU public IP address migration for VPN Gateway is currently Generally Available for Active-Passive with some limitations (see known issues). 
+> Basic SKU public IP address migration for VPN Gateway is currently Generally Available for Active-Passive with some limitations (see known issues). <br> For Active-Active Gateways this is in Preview.
 
 During the public IP address SKU migration process, your Basic SKU public IP address resource is migrated to a Standard SKU public IP address resource. The IP address assigned to your gateway doesn't change.
 
@@ -140,23 +140,11 @@ Invoke-AzVirtualNetworkGatewayAbortMigration -InputObject $gateway
 
 ## Known Issues
 
-### Point-to-Site VPN Gateways using legacy DNS limitation
+### Guided migration for Point-to-Site VPN Gateways using legacy DNS (cloudapp.net)
 
-Point-to-Site VPN Gateways that were originally deployed using legacy cloudapp.NET DNS infrastructure have specific limitations that prevent them from using the standard migration process described in this article. This section helps you identify if your gateway has this limitation and provides guidance on next steps.
+Some Point-to-Site (P2S) VPN Gateways were originally deployed using legacy cloudapp.net DNS. These gateways cannot use the standard public IP migration process.
+Azure now provides a guided migration experience in the Azure portal that enables eligible legacy DNS P2S gateways to migrate from a Basic SKU public IP address to a Standard SKU, without requiring customers to manually reconfigure DNS or Point-to-Site settings.
 
-### Impact and timeline
-
-VPN Gateways with legacy cloudapp.NET DNS configurations cannot be migrated using the current migration tools. These gateways require a specialized migration approach that is currently under development. 
-
-A guided migration experience for legacy DNS gateways is planned for release, with the timeline to be announced by the end of February 2026. Until this specialized migration becomes available, these gateways will continue to function normally but cannot be upgraded to Standard SKU public IP addresses.
-
-### Important considerations
-
-> [!IMPORTANT]
-> If your gateway uses legacy DNS, follow these critical guidelines:
-> - **Do NOT** remove your existing Point-to-Site configuration to attempt this migration.
-> - **Do NOT** add new Point-to-Site configurations to existing gateways without Point-to-Site until the legacy DNS migration capability is released.
-> - Continue using your current gateway configuration until the specialized migration tools become available.
 
 ### Check if your gateway uses legacy DNS
 
@@ -191,10 +179,47 @@ Follow these steps to determine if your VPN Gateway uses legacy cloudapp.NET DNS
 
 For the latest updates on legacy DNS gateway migration availability, see the [VPN Gateway - What's New](whats-new.md) article.
 
+## Migration
+
+Follow these migration steps if your VPN Gateway uses legacy cloudapp.NET DNS
+
+1. Prepare for migration: The preparation steps are the same as those in [How to migrate Basic SKU public IP address to Standard](basic-public-ip-migrate-howto.md?tabs=portal).
+
+1. After the preparation step completes successfully, select Download VPN Client to download the updated VPN client profile (ZIP). Then, use the downloaded profile to reconnect and validate Point-to-Site (P2S) connectivity.
+
+1. After that, the Migrate and Commit steps are the same as mentioned in [How to migrate Basic SKU public IP address to Standard](basic-public-ip-migrate-howto.md?tabs=portal)
+
+
 ## Known Issues continuation
 
 * For VpnGw1 CSES to Virtual Machine Scale Sets migration, we are seeing higher CPU utilization due to .NET core optimization. This is a known issue and we recommend to either wait for 10 minutes after prepare stage or upgrade to a higher gateway SKU during the migration process.
 
+## What is the known Traffic selector behavior during Active-Active VPN Gateway migration?
+
+When migrating an Active Active Azure VPN Gateway that has BGP enabled, IPsec tunnels may go down after migration if Narrow Traffic Selectors are both configured. 
+This behavior can cause site to site connectivity loss immediately after migration.
+ 
+* Which configurations are impacted?
+  
+This behavior applies only to the following scenario: <br>
+•	Active Active VPN Gateway <br>
+•	BGP enabled <br>
+•	Narrow (custom) traffic selectors on Azure or on the on prem device
+
+* Which configurations are not impacted?
+  
+This behavior does not apply to: <br>
+•	Gateways that accept or negotiate wildcard (0.0.0.0/0) traffic selectors <br>
+•	Gateways without BGP enabled
+
+* How can customers avoid this issue before migration?
+  
+To avoid connectivity loss during migration, customers who use Narrow Traffic Selectors should: <br>
+•	Change traffic selectors to wildcard (0.0.0.0/0) on the on premises VPN device before initiating migration, or <br>
+•	Ensure the on premises device can accept wildcard traffic selectors during IPsec negotiation <br>
+Making this change prior to migration allows tunnels to renegotiate successfully after the gateway upgrade.
+
+
 
 ## Next steps