VPN Gateway Slow Connection Troubleshooting
⚠️ DEPRECATED (2025-10-24): VPN Gateway has been replaced by Azure Bastion (ADR-050). This troubleshooting guide is for historical reference only.
→ See Bastion Dev Access for current approach.
Problem (Historical)
After connecting to the Azure VPN Gateway (point-to-site), the connection becomes very slow and general internet connectivity degrades or drops, even though both the gateway and the client are in the East US region.
Root Cause Analysis
1. Missing Route Advertisement
Your VPN client configuration shows:
An empty route list means the VPN client has no traffic selectors: it cannot tell which destinations belong in the tunnel and which should use the regular internet path, so traffic is routed inconsistently and both VNet access and ordinary browsing suffer.
2. Low Gateway SKU
Your VPN Gateway is using the VpnGw1 SKU, which provides:
- Maximum throughput: 650 Mbps (theoretical)
- Real-world performance: often 200-400 Mbps due to encryption overhead
- Concurrent P2S connections: up to 250
3. Restrictive NSG Rules
The Container Apps subnet NSG has a blanket "DenyAllOutbound" rule that blocked outbound DNS and internet access from that subnet. Note that an NSG applies only to traffic entering or leaving the subnet it is attached to (it cannot be attached to the GatewaySubnet), so this rule breaks the Container Apps workloads that VPN clients are trying to reach rather than the clients' own internet path; the fix in Step 3 adds explicit allow rules ahead of the deny.
Why Routes Are Missing
Azure VPN Gateway automatically advertises VNet routes to P2S clients, but routes may not populate if:
- Configuration downloaded too early: VPN Gateway takes 30-45 minutes to fully provision. If you downloaded the client config before provisioning completed, routes won't be included.
- Gateway not fully configured: the gateway may still be in its setup phase.
- Configuration needs regenerating: sometimes the gateway needs a configuration refresh to properly advertise routes.
Solution
Quick Fix (Recommended)
Run the automated fix script:
This script will:
1. ✅ Upgrade VPN Gateway from VpnGw1 → VpnGw2 (650 Mbps → 1 Gbps)
2. ✅ Deploy updated NSG rules allowing internet access
3. ✅ Regenerate VPN client configuration with proper routes
4. ✅ Provide a download link for the new configuration
Time required: 15-20 minutes for gateway upgrade
Manual Steps
If you prefer to do it manually:
Step 1: Verify Gateway Status
```bash
az network vnet-gateway show \
  --resource-group rg-loan-defenders-dev \
  --name vpn-gateway-dev \
  --query "provisioningState"
```
Should return "Succeeded". If not, wait for provisioning to complete.
Step 2: Upgrade Gateway SKU (Optional but Recommended)
```bash
az network vnet-gateway update \
  --resource-group rg-loan-defenders-dev \
  --name vpn-gateway-dev \
  --sku VpnGw2
```
Cost impact: about +$216/month (~$360 vs ~$144 at list price)
Performance gain: 650 Mbps → 1 Gbps throughput
Step 3: Deploy Updated Infrastructure
```bash
# Update the VPN Gateway SKU in the parameter file first, so that the next
# Bicep deployment does not revert a SKU changed via the CLI in Step 2.
# Edit infrastructure/bicep/environments/dev.parameters.json
# Set: "vpnGatewaySku": { "value": "VpnGw2" }

# Redeploy Layer 1
./infrastructure/scripts/deploy-layer1.sh dev

# Or use Azure CLI directly
cd infrastructure/bicep
az deployment group create \
  --resource-group rg-loan-defenders-dev \
  --template-file layer1-foundation.bicep \
  --parameters environments/dev.parameters.json
```
This updates the NSG rules to allow:
- Outbound internet access (HTTP/HTTPS)
- DNS resolution (UDP/53)
Step 4: Regenerate VPN Client Configuration
```bash
az network vnet-gateway vpn-client generate \
  --resource-group rg-loan-defenders-dev \
  --name vpn-gateway-dev \
  --authentication-method EAPTLS
```
This returns a URL to download the new configuration package.
Step 5: Update Azure VPN Client
- Download the new configuration from the URL
- Extract the ZIP file
- Open Azure VPN Client
- Remove the old connection profile
- Import the new azurevpnconfig.xml
- Connect using Azure AD authentication
Step 6: Verify Routes
After importing the new configuration, check the XML file. You should now see:
```xml
<includeroutes>
  <IncludeRouteEntry>
    <address>10.0.0.0</address>
    <mask>255.255.0.0</mask>
  </IncludeRouteEntry>
</includeroutes>
```
This ensures that only VNet traffic (10.0.0.0/16) goes through the VPN tunnel, while internet traffic uses your regular connection.
Diagnostic Script
To diagnose VPN issues:
This will check:
- Gateway provisioning status
- Current SKU and capacity
- VPN client configuration
- NSG rules
- Active connections
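The checks above can be run against saved CLI output. The following is an added example for this page, not the project's diagnostic script: it evaluates the JSON printed by `az network vnet-gateway show -o json` and `az network nsg show -o json` for root causes 2 and 3 (SKU, blanket outbound deny) plus provisioning state. The samples are constructed to match the field names those commands emit and are not captured from the project; the NSG name and the 172.16.0.0/24 P2S address pool are placeholders that do not appear on this page; and the NSG check ignores destination address prefixes, treating every rule as applying to Internet-bound traffic.

```python
"""Evaluate `az network vnet-gateway show` / `az network nsg show` JSON for the
root causes listed on this page. Added example, not the project's script.
Assumptions: placeholder NSG name and P2S pool; destination prefixes ignored.
"""
import json

# Constructed sample: a finished VpnGw1 gateway (root cause 2 on this page).
GATEWAY_JSON = """{
  "name": "vpn-gateway-dev", "provisioningState": "Succeeded",
  "sku": {"name": "VpnGw1", "tier": "VpnGw1", "capacity": 2},
  "vpnClientConfiguration": {
    "vpnClientAddressPool": {"addressPrefixes": ["172.16.0.0/24"]},
    "vpnClientProtocols": ["OpenVPN"]}
}"""

# Constructed sample: the blanket deny from root cause 3, nothing allowed first.
NSG_DENY_ALL_JSON = """{
  "name": "nsg-container-apps-dev",
  "securityRules": [
    {"name": "DenyAllOutbound", "direction": "Outbound", "access": "Deny",
     "priority": 4096, "protocol": "*", "destinationAddressPrefix": "*",
     "destinationPortRange": "*"}]
}"""

# Constructed sample: the shape Step 3 deploys, explicit allows ahead of the deny.
NSG_FIXED_JSON = """{
  "name": "nsg-container-apps-dev",
  "securityRules": [
    {"name": "AllowDnsOutbound", "direction": "Outbound", "access": "Allow",
     "priority": 100, "protocol": "Udp", "destinationAddressPrefix": "*",
     "destinationPortRange": "53"},
    {"name": "AllowWebOutbound", "direction": "Outbound", "access": "Allow",
     "priority": 110, "protocol": "Tcp", "destinationAddressPrefix": "Internet",
     "destinationPortRanges": ["80", "443"]},
    {"name": "DenyAllOutbound", "direction": "Outbound", "access": "Deny",
     "priority": 4096, "protocol": "*", "destinationAddressPrefix": "*",
     "destinationPortRange": "*"}]
}"""


def check_gateway(gateway: dict) -> list:
    """Findings for provisioning state, SKU and point-to-site address pool."""
    findings = []
    state = gateway.get("provisioningState")
    if state != "Succeeded":
        findings.append(f"provisioningState is {state!r}: wait, then regenerate the client profile")
    if (gateway.get("sku") or {}).get("name") == "VpnGw1":
        findings.append("SKU is VpnGw1 (650 Mbps, 250 P2S connections); VpnGw2 if throughput is the issue")
    p2s = gateway.get("vpnClientConfiguration") or {}
    if not (p2s.get("vpnClientAddressPool") or {}).get("addressPrefixes"):
        findings.append("no point-to-site address pool: clients cannot connect")
    return findings


def _rule_matches(rule: dict, protocol: str, port: int) -> bool:
    """Protocol/port match: '*' matches everything, ranges look like '1024-65535'."""
    rule_proto = rule.get("protocol", "*")
    if rule_proto != "*" and rule_proto.lower() != protocol.lower():
        return False
    ranges = rule.get("destinationPortRanges") or [rule.get("destinationPortRange", "*")]
    for item in ranges:
        if item == "*":
            return True
        low, _, high = item.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def outbound_allowed(nsg: dict, protocol: str, port: int) -> bool:
    """First-match evaluation of custom outbound rules in priority order.
    No matching custom rule falls through to the default AllowInternetOutBound (65001)."""
    outbound = [r for r in nsg.get("securityRules", []) if r.get("direction") == "Outbound"]
    for rule in sorted(outbound, key=lambda r: r["priority"]):
        if _rule_matches(rule, protocol, port):
            return rule.get("access") == "Allow"
    return True


def check_nsg(nsg: dict) -> list:
    """Findings for the flows Step 3 expects to be open: DNS and HTTPS."""
    findings = []
    for label, proto, port in (("DNS", "Udp", 53), ("HTTPS", "Tcp", 443)):
        if not outbound_allowed(nsg, proto, port):
            findings.append(f"{nsg.get('name')}: outbound {label} ({proto}/{port}) is denied")
    return findings


def diagnose(gateway_json: str, nsg_json: str) -> list:
    """Both checks combined; an empty list means none of the page's root causes is present."""
    return check_gateway(json.loads(gateway_json)) + check_nsg(json.loads(nsg_json))


if __name__ == "__main__":
    for label, nsg in (("deny-all NSG", NSG_DENY_ALL_JSON), ("fixed NSG", NSG_FIXED_JSON)):
        print(f"== {label}")
        for finding in diagnose(GATEWAY_JSON, nsg):
            print("  -", finding)
```

Against the deny-all sample the run reports the VpnGw1 SKU plus denied DNS and HTTPS; against the fixed sample only the SKU remains, which is what Step 3 is meant to achieve. Real output has more fields than the samples; the functions only read the ones shown.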
Expected Behavior After Fix
Routing
- VNet traffic (10.0.0.0/16) → Routes through VPN tunnel
- Internet traffic → Uses your regular internet connection
- DNS queries → Resolved through the VNet's DNS for private zones. Note that the Azure-provided resolver at 168.63.129.16 is reachable only from inside Azure; point-to-site clients need a DNS forwarder or Azure DNS Private Resolver inbound endpoint in the VNet, configured as the gateway's custom DNS server.
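Step 6 and the Routing list above both come down to one check: the include routes in azurevpnconfig.xml must cover 10.0.0.0/16, and nothing else should be pulled into the tunnel. The following is an added example for this page, not the project's script or Microsoft's tooling, that performs that check before a profile is distributed (the Prevention item below). It assumes the VNet prefix 10.0.0.0/16 used throughout the page, reads the profile from a string (in practice, open the extracted azurevpnconfig.xml), and accepts two element shapes: the `<IncludeRouteEntry><address>/<mask>` form quoted in Step 6 and the `<route><destination>/<mask>` form with a prefix-length mask that the Azure VPN Client documentation shows; which shape a given export uses is not confirmed here.

```python
"""Verify that an Azure VPN Client profile carries split-tunnel routes.
Added example for this page, not project or Microsoft code. Assumes the VNet
prefix 10.0.0.0/16 and accepts both route element shapes described above.
"""
import ipaddress
import xml.etree.ElementTree as ET

VNET_PREFIX = ipaddress.ip_network("10.0.0.0/16")

# Constructed sample profiles, not real exports from the gateway.
PROFILE_WITH_ROUTES = """\
<AzVpnProfile>
  <clientconfig>
    <includeroutes>
      <IncludeRouteEntry>
        <address>10.0.0.0</address>
        <mask>255.255.0.0</mask>
      </IncludeRouteEntry>
    </includeroutes>
  </clientconfig>
</AzVpnProfile>"""

# Same route in the <route> shape, with the default namespace a real export
# carries; tag matching below strips the namespace.
PROFILE_ROUTE_SHAPE = """\
<AzVpnProfile xmlns="http://schemas.datacontract.org/2004/07/">
  <clientconfig>
    <includeroutes>
      <route>
        <destination>10.0.0.0</destination>
        <mask>16</mask>
      </route>
    </includeroutes>
  </clientconfig>
</AzVpnProfile>"""

# The failure mode from this page: profile downloaded before provisioning
# finished, so the route list is empty.
PROFILE_WITHOUT_ROUTES = """\
<AzVpnProfile>
  <clientconfig>
    <includeroutes></includeroutes>
  </clientconfig>
</AzVpnProfile>"""


def _local(tag: str) -> str:
    """Strip an XML namespace: '{http://...}mask' -> 'mask'."""
    return tag.rsplit("}", 1)[-1]


def include_routes(profile_xml: str) -> list:
    """Return the networks the client will send through the tunnel."""
    routes = []
    for elem in ET.fromstring(profile_xml).iter():
        if _local(elem.tag) != "includeroutes":
            continue
        for entry in elem:
            fields = {_local(c.tag): (c.text or "").strip() for c in entry}
            dest = fields.get("address") or fields.get("destination")
            mask = fields.get("mask")
            if not dest or not mask:
                continue
            # ip_network accepts both "10.0.0.0/255.255.0.0" and "10.0.0.0/16"
            routes.append(ipaddress.ip_network(f"{dest}/{mask}", strict=False))
    return routes


def profile_covers_vnet(profile_xml: str, vnet=VNET_PREFIX) -> bool:
    """True when at least one include route contains the whole VNet prefix."""
    return any(vnet.subnet_of(route) for route in include_routes(profile_xml))


def via_tunnel(profile_xml: str, destination: str) -> bool:
    """Split-tunnel decision for one destination address."""
    ip = ipaddress.ip_address(destination)
    return any(ip in route for route in include_routes(profile_xml))


if __name__ == "__main__":
    for name, xml in (("page shape", PROFILE_WITH_ROUTES),
                      ("route shape", PROFILE_ROUTE_SHAPE),
                      ("no routes", PROFILE_WITHOUT_ROUTES)):
        routes = [str(r) for r in include_routes(xml)]
        print(f"{name:12} routes={routes} covers VNet={profile_covers_vnet(xml)}")
    print("10.0.1.4 via tunnel:", via_tunnel(PROFILE_WITH_ROUTES, "10.0.1.4"))
    print("8.8.8.8 via tunnel:", via_tunnel(PROFILE_WITH_ROUTES, "8.8.8.8"))
```

A profile that fails `profile_covers_vnet` is the one this page describes: the client will still connect, but Container Apps traffic never enters the tunnel. Running the check on the extracted file before sharing it with the team catches the early-download case without anyone having to reproduce the slowdown.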
Performance
- VpnGw2 SKU: Up to 1 Gbps throughput
- Low latency: Same region (East US) provides <10ms latency
- No internet slowdown: Internet traffic doesn't go through VPN
Connectivity
- ✅ Access private Container Apps endpoints
- ✅ Access Azure services via private endpoints
- ✅ Resolve private DNS zones (privatelink.* zones)
- ✅ Normal internet browsing (not through VPN)
Testing Connectivity
After applying the fix and reconnecting:
1. Test VPN Tunnel
```bash
# Should resolve to a private IP (10.0.x.x)
nslookup <container-app-name>.azurecontainerapps.io
# Should be able to ping Azure DNS
ping 168.63.129.16
```
Note: 168.63.129.16 is reachable only from inside Azure, so point-to-site clients resolve private zones through a DNS forwarder or Azure DNS Private Resolver inbound endpoint in the VNet, set as the gateway's custom DNS server. If the ping fails but the private name still resolves to a 10.0.x.x address, the tunnel is working.
2. Test Internet (Not Through VPN)
3. Test Azure Services
- Navigate to https://ai.azure.com
- Should be able to access AI Foundry portal
- Private resources should be accessible
Cost Comparison
| Component | VpnGw1 | VpnGw2 | Difference |
|---|---|---|---|
| Monthly cost | ~$144 | ~$360 | +$216 |
| Throughput | 650 Mbps | 1 Gbps | +54% |
| Connections | 250 | 500 | +100% |
Recommendation:
- Development: VpnGw1 is sufficient for a small team (already deployed)
- Production: use Azure Bastion instead of VPN Gateway
- If experiencing slowdowns: upgrade to VpnGw2
Prevention
To avoid this issue in the future:
- Wait for full provisioning: Don't download VPN client config until gateway shows "Succeeded" status
- Monitor gateway health: Use Azure Monitor to track gateway metrics
- Test after deployment: Verify routes are present in azurevpnconfig.xml before distributing to team
- Document: Keep VPN setup instructions up to date
Additional Resources
- Azure VPN Gateway Documentation
- VPN Gateway SKU Comparison
- Point-to-Site Configuration
- Azure VPN Client