After nearly half a year of waiting, postponing, refreshing Microsoft Learn pages, and wondering when the promised tools would finally arrive, I can finally close a long and sometimes frustrating chapter: the migration of a Basic SKU public IP address, which is still tied to a Basic VPN Gateway. What should have been a simple housekeeping task turned into a saga spanning multiple Microsoft timeline changes. Today, the story finally has a proper ending.
Story Behind My Struggles With The Basic VPN Gateway
Last year, I attempted to migrate two VPN gateways on the same day. One was a VPNGW1 using a Standard public IP. The other was a Basic VPN Gateway still attached to a Basic SKU public IP address. The VPNGW1 migration went smoothly (even at the same time to an AZ version of the VPN Gateway). The Basic VPN Gateway, however, was a completely different story.
The Azure Portal did not show the migration wizard. At first, I thought something was wrong with the resource, but after digging deeper and checking Microsoft Learn, I discovered that the migration process for Basic SKU public IPs used with Basic VPN Gateways had recently changed. The official guidance now stated that customers could no longer migrate these public IPs themselves and that Microsoft would eventually provide a tool to handle the process automatically.
That meant postponing the migration for weeks or even months. There was simply no supported way forward.
Update From November 2025
After a few months, I revisited the Microsoft Learn article, expecting the promised automated migration capability. Microsoft had originally stated that this tool would be available at the end of October 2025. To my surprise, nothing had changed. The documentation still showed the same content, and there was no tool available in the Azure Portal.
The timeline and the Microsoft Learn article had been updated throughout November 2025. Now, Microsoft expected the tool to be available by mid‑February 2026. So I postponed the migration yet again.
Update From February 2026
In mid-February, I checked once more. Still no updates to the Learn page. Still no tool in the portal. Then, at the end of February, the official Microsoft Learn article was finally updated. Once again, the timeline shifted. This time, Microsoft delayed the automated capability to March 2026. And the overall deprecation timeline for Basic public IPs on Basic VPN Gateways moved from March 2026 to the end of June 2026.
This entire experience was becoming a continuous loop. Refresh the Learn article, see no changes, wait longer, repeat. But finally, after all these delays, the capability became available (mid) March.
The Good News: Microsoft Finally Delivered
According to the Microsoft Learn documentation, Microsoft internally migrated all Basic VPN Gateways away from Basic SKU public IPs. This means:
- Microsoft already moved the actual IP address to a Standard SKU public IP resource internally.
- The IP address itself does not change.
- Customers do not experience downtime or connection drops.
- The only remaining task is to remove the old Basic public IP resource reference from the gateway.
- The internal Standard public IP is not visible as a resource in Azure or manageable by customers.
- The public IP can be seen on the VPN Gateway properties page.
- The Basic public IP resource still exists in your subscription but is no longer needed.
Microsoft notes that customers should delete the old Basic public IP resource after the reference is removed, as Azure will not clean it up automatically and billing will continue until it is deleted. This clean-up step must be done by customers before the deprecation deadline at the end of June 2026, or the VPN gateway will continue to run in an unsupported state.
How To Remove the Basic Public IP Reference In Azure
After waiting for months, the final step turned out to be incredibly simple. Here is what I did:
- Step 1:
Open the Virtual Network Gateway in the Azure Portal and go to the Configuration page. - Step 2:
Select the tab Delete Basic Public IP Reference. If the gateway has already been fully migrated internally or no basic public IP reference exists, Azure will display a message that no migration is necessary.
- Step 3:
Azure performs a validation check. All components must show Succeeded, including:- The gateway
- The public IP
- All gateway connections
- The gateway subnet
- Step 4:
If everything is green, the button Delete Basic Public IP Reference becomes available. Click the button. Azure begins a short update (5 minutes) deployment.
- Step 5:
Delete the old Basic public IP resource. It is no longer used, and keeping it will continue billing.
What Happens Afterwards
After completing the clean-up, the actual public IP address of the gateway remains unchanged. There is no downtime during the process and no impact on either site‑to‑site or point‑to‑site VPN connections. In some cases, the Azure Portal may still display the IP address as Basic or even show it as blank, but this is only a known UI inconsistency and does not reflect the actual state of the gateway. Internally, the VPN gateway now uses a Standard SKU public IP address managed by Azure, which is not visible in the subscription. With the Basic public IP reference removed, the gateway is fully transitioned to the new model and finally back in a supported condition.
Why This Took So Long
Microsoft explains that Basic VPN Gateways are developer‑grade SKUs with more rigid designs, fewer capabilities, and no SLA. To modernize them and retire Basic SKU public IPs, Microsoft internally moved them to Standard public IP constructs. But unlike VPN Gateway SKUs 1–5, the Basic SKU does not support customer-managed public IP resources, so the process had to be handled by Azure directly.
Conclusion
What started as a simple migration task turned into a long-running saga full of delays, uncertainty, and shifting Microsoft timelines. My original plan was to complete the migration in 2025. Instead, I spent months checking for updates, revisiting Microsoft Learn, and waiting for Microsoft to release the necessary capability.
But finally, the process is complete. No downtime, no IP change, and a surprisingly painless end to a very long story.
If you are in the same situation: now is the time to remove your Basic public IP references before the June 2026 deadline. At last, there is a clean and fully supported way to do it. Or better, use VPN Gateway SKUs 1 – 5 😀 .