Description
Type of issue
Code doesn't work
Reference command name
az network vnet-gateway create
az network vnet-gateway update
Feedback
To create a P2S connection with a digital certificate, the following command is required:
Create a VPN gateway
az network vnet-gateway create --name vng1 --resource-group myRG --location westus2 --public-ip-addresses vng1-P2S-pip \
  --vnet vnet1 --gateway-type Vpn --vpn-type RouteBased --sku VpnGw2AZ \
  --vpn-gateway-generation Generation2 --address-prefixes 192.168.1.0/24 --client-protocol IkeV2 \
  --vpn-auth-type Certificate --root-cert-name PS2Root --root-cert-data "P2SRoot.cer"
As reported in the documentation:
az network vnet-gateway create
az network vnet-gateway update
the parameter:
--root-cert-data Base64 contents of the root certificate file or file path.
This means that the AZ CLI grabs a root certificate file, applies base64 encoding to the whole file, then sets the content in the Azure VPN Gateway.
This does not follow the logic we have with the Azure management portal and PowerShell:
- The --root-cert-data should accept as input the public part of the root certificate as a string, without applying any manipulation or encoding.
- The root certificate collects the public part of the root certificate without header and trailer. The header and trailer need to be excluded from --root-cert-data:
header of public part of the root certificate (.cer file): -----BEGIN CERTIFICATE-----
trailer of the public part of the root certificate (.cer file): -----END CERTIFICATE-----
Page URL
Content source URL
No response
Author
No response
Document Id
No response
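To make the format described in this issue concrete, the following is an added example, not part of the original report or of the Azure CLI code: a shell helper that produces the public part of the root certificate as one base64 string without header and trailer. The function name `cert_body` and the sample file are assumptions; it goes beyond the issue by also handling a binary (DER) .cer export.

```shell
#!/bin/sh
# cert_body FILE (hypothetical helper): print the certificate's base64 body
# on a single line, without the BEGIN/END CERTIFICATE header and trailer.
cert_body() {
    f=$1
    [ -r "$f" ] || { echo "cert_body: cannot read $f" >&2; return 1; }
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$f"; then
        # PEM (Base-64 encoded X.509) export: keep only the lines between the
        # markers of the first certificate, then drop CR/LF and blanks.
        body=$(awk '
            /-----END CERTIFICATE-----/   { exit }
            inside                        { print }
            /-----BEGIN CERTIFICATE-----/ { inside = 1 }
        ' "$f" | tr -d ' \t\r\n')
    else
        # Binary (DER) export: the file has no header/trailer, so the whole
        # file is the certificate and is encoded as-is.
        body=$(base64 < "$f" | tr -d '\r\n')
    fi
    # Refuse empty output or anything outside the base64 alphabet, so a wrong
    # file never ends up in the gateway configuration.
    case $body in
        ''|*[!A-Za-z0-9+/=]*)
            echo "cert_body: no base64 certificate body in $f" >&2
            return 1 ;;
    esac
    printf '%s\n' "$body"
}

# Constructed sample: placeholder base64 (not a real certificate) with the
# CRLF line endings a Windows export would have.
sample=$(mktemp)
printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'QUJD' 'REVG' \
    '-----END CERTIFICATE-----' > "$sample"
cert_body "$sample"    # prints QUJDREVG
rm -f "$sample"

# The documentation text quoted in the issue says --root-cert-data takes
# "Base64 contents of the root certificate file or file path"; the output of
# cert_body is the "Base64 contents" form:
#   --root-cert-data "$(cert_body P2SRoot.cer)"
```
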