Add help documentation examples for certificate-based authentication feature

brandonv191 · brandonv191 · commit 010bd2bc2abb · 2025-10-05T22:43:30.000-07:00
diff --git a/src/Network/Network/help/New-AzVirtualNetworkGatewayCertificateAuthentication.md b/src/Network/Network/help/New-AzVirtualNetworkGatewayCertificateAuthentication.md
@@ -1,14 +1,14 @@
 ---
 external help file: Microsoft.Azure.PowerShell.Cmdlets.Network.dll-Help.xml
 Module Name: Az.Network
-online version: https://docs.microsoft.com/en-us/powershell/module/az.network/new-azvirtualnetworkgatewaycertificateauthentication
+online version: https://learn.microsoft.com/powershell/module/az.network/update-aznetworksecurityperimeterloggingconfiguration
 schema: 2.0.0
 ---
 
 # New-AzVirtualNetworkGatewayCertificateAuthentication
 
 ## SYNOPSIS
-Creates a certificate authentication object for VPN gateway connections.
+Creates a certificate authentication configuration object for VPN gateway connections.
 
 ## SYNTAX
 
@@ -19,32 +19,33 @@ New-AzVirtualNetworkGatewayCertificateAuthentication [-OutboundAuthCertificate <
 ```
 
 ## DESCRIPTION
-The New-AzVirtualNetworkGatewayCertificateAuthentication cmdlet creates a certificate authentication object that can be used with New-AzVirtualNetworkGatewayConnection to configure certificate-based authentication for VPN gateway connections. This enables secure authentication using certificates instead of pre-shared keys.
+Creates a certificate authentication configuration object that can be used when creating or updating a VPN gateway connection with certificate-based authentication.
 
 ## EXAMPLES
 
-### Example 1: Create a certificate authentication object with outbound certificate
+### Example 1: Create a certificate authentication object
 ```powershell
-PS C:\> $certAuth = New-AzVirtualNetworkGatewayCertificateAuthentication -OutboundAuthCertificate "https://myvault.vault.azure.net/secrets/client-cert"
+# Create certificate chain array with base64-encoded certificates (without BEGIN/END CERTIFICATE headers)
+$certChain = @(
+    "MIIDfzCCAmegAwIBAgIQIFxjNWTuGjYGa8zJVnpfnDANBgkqhkiG9w0BAQsFADAYMRYwFAYDVQQDDA1DZXJ0QmFzZWRBdXRoMB4XDTI0MTIxODA1MjkzOVoXDTI1MTIxODA2MDk...",
+    "MIIDezCCAmOgAwIBAgIQQIpJdJF8D8JwkqF6fJ6zGDANBgkqhkiG9w0BAQsFADAYMRYwFAYDVQQDDA1DZXJ0QmFzZWRBdXRoMB4XDTI0MTIxODA1MjkzOVoXDTI1MTIxODA2MDk..."
+)
+
+$certAuth = New-AzVirtualNetworkGatewayCertificateAuthentication `
+    -OutboundAuthCertificate "https://myvault.vault.azure.net/certificates/mycert/abc123" `
+    -InboundAuthCertificateSubjectName "MyCertSubject" `
+    -InboundAuthCertificateChain $certChain
 ```
 
-Creates a certificate authentication object with only an outbound authentication certificate from Azure Key Vault.
-
-### Example 2: Create a complete certificate authentication object
-```powershell
-PS C:\> $certChain = @("-----BEGIN CERTIFICATE-----`nMIIC...`n-----END CERTIFICATE-----")
-PS C:\> $certAuth = New-AzVirtualNetworkGatewayCertificateAuthentication -OutboundAuthCertificate "https://myvault.vault.azure.net/secrets/client-cert" -InboundAuthCertificateSubjectName "CN=MyRootCA,O=MyOrg,C=US" -InboundAuthCertificateChain $certChain
-```
-
-Creates a complete certificate authentication object with outbound certificate, inbound certificate subject name, and certificate chain.
+This example creates a certificate authentication object with a Key Vault certificate URL for outbound authentication, a certificate subject name for inbound authentication, and a certificate chain. This object can then be used with New-AzVirtualNetworkGatewayConnection or Set-AzVirtualNetworkGatewayConnection.
 
 ## PARAMETERS
 
 ### -DefaultProfile
 The credentials, account, tenant, and subscription used for communication with Azure.
 
 ```yaml
-Type: Microsoft.Azure.Commands.Common.Authentication.Abstractions.Core.IAzureContextContainer
+Type: IAzureContextContainer
 Parameter Sets: (All)
 Aliases: AzContext, AzureRmContext, AzureCredential
 
@@ -59,7 +60,7 @@ Accept wildcard characters: False
 Inbound authentication certificate public keys.
 
 ```yaml
-Type: System.String[]
+Type: String[]
 Parameter Sets: (All)
 Aliases:
 
@@ -74,7 +75,7 @@ Accept wildcard characters: False
 Inbound authentication certificate subject name.
 
 ```yaml
-Type: System.String
+Type: String
 Parameter Sets: (All)
 Aliases:
 
@@ -89,7 +90,7 @@ Accept wildcard characters: False
 Keyvault secret ID for outbound authentication certificate.
 
 ```yaml
-Type: System.String
+Type: String
 Parameter Sets: (All)
 Aliases:
 
@@ -104,7 +105,7 @@ Accept wildcard characters: False
 {{ Fill ProgressAction Description }}
 
 ```yaml
-Type: System.Management.Automation.ActionPreference
+Type: ActionPreference
 Parameter Sets: (All)
 Aliases: proga
 
diff --git a/src/Network/Network/help/New-AzVirtualNetworkGatewayConnection.md b/src/Network/Network/help/New-AzVirtualNetworkGatewayConnection.md
@@ -71,21 +71,7 @@ The first command gets a virtual network gateway natRule named natRule1 that's t
 The second command gets a virtual network gateway natRule named natRule2 that's type is EgressSnat.
 The third command creates this new virtual Network gateway connection with Ingress and Egress NatRules.
 
-### Example 3 Create VPN connection with certificate authentication
-```powershell
-$vnetgw1 = Get-AzVirtualNetworkGateway -ResourceGroupName "Rg1" -Name "gw1"
-$localnetgw = Get-AzLocalNetworkGateway -ResourceGroupName "Rg1" -name "localgw1"
-$certAuth = New-AzVirtualNetworkGatewayCertificateAuthentication -OutboundAuthCertificate "MIICmjCCAYIGCSqGSIb3DQEJEjEOMAwGCisGAQQBgjcCAQwwHAYJKoZIhvcNAQkFMQ8XDTEzMDEwMzEyNTk1OVowLwYJKoZIhvcNAQkEMSIEII8Xqf/JHKJzaOPoCdQf2c7jZwYmK1hc8LTfBrMJuXzi"
-
-New-AzVirtualNetworkGatewayConnection -Name conn-cert-1 -ResourceGroupName "Rg1" -Location "eastus" -VirtualNetworkGateway1 $vnetgw1 -LocalNetworkGateway2 $localnetgw -ConnectionType IPsec -AuthenticationType Certificate -CertificateAuthentication $certAuth
-```
-
-The first command gets a virtual network gateway.
-The second command gets a local network gateway.
-The third command creates a certificate authentication object.
-The fourth command creates a new VPN connection using certificate authentication.
-
-### Example 4 Add GatewayCustomBgpIpAddress to virtual network gateway connection
+### Example 3 Add GatewayCustomBgpIpAddress to virtual network gateway connection
 ```powershell
 $LocalnetGateway = Get-AzLocalNetworkGateway -ResourceGroupName "PS_testing" -name "testLng"
 $gateway = Get-AzVirtualNetworkGateway -ResourceGroupName PS_testing -ResourceName testGw
@@ -98,6 +84,32 @@ The two command gets a local network gateway and virtual network gateway.
 The third command creates a AzGatewayCustomBgpIpConfigurationObject.
 The third command creates this new virtual Network gateway connection with GatewayCustomBgpIpAddress.
 
+### Example 4 Create a new virtual network gateway connection with certificate-based authentication
+```powershell
+$gateway = Get-AzVirtualNetworkGateway -ResourceGroupName "myResourceGroup" -Name "myVnetGateway"
+$localGateway = Get-AzLocalNetworkGateway -ResourceGroupName "myResourceGroup" -Name "myLocalGateway"
+
+# Create certificate chain array with base64-encoded certificates (without headers/footers)
+$certChain = @(
+    "MIIDfzCCAmegA...",
+    "MIIDezCCAmOgA..."
+)
+
+$certAuth = New-AzVirtualNetworkGatewayCertificateAuthentication `
+    -OutboundAuthCertificate "https://myvault.vault.azure.net/certificates/mycert/abc123" `
+    -InboundAuthCertificateSubjectName "CN=MyCertSubject" `
+    -InboundAuthCertificateChain $certChain
+
+New-AzVirtualNetworkGatewayConnection -Name "myCertConnection" -ResourceGroupName "myResourceGroup" -Location "eastus" `
+    -VirtualNetworkGateway1 $gateway -LocalNetworkGateway2 $localGateway -ConnectionType IPsec `
+    -AuthenticationType "Certificate" -CertificateAuthentication $certAuth
+```
+
+This example creates a new virtual network gateway connection with certificate-based authentication. 
+The first two commands get the virtual network gateway and local network gateway.
+The New-AzVirtualNetworkGatewayCertificateAuthentication cmdlet creates the certificate authentication configuration with the Key Vault certificate URL for outbound authentication, the certificate subject name for inbound authentication, and the certificate chain.
+The final command creates the new connection with certificate-based authentication instead of a pre-shared key.
+
 ## PARAMETERS
 
 ### -AsJob
diff --git a/src/Network/Network/help/Set-AzVirtualNetworkGateway.md b/src/Network/Network/help/Set-AzVirtualNetworkGateway.md
@@ -28,8 +28,9 @@ Set-AzVirtualNetworkGateway -VirtualNetworkGateway <PSVirtualNetworkGateway> [-G
  [-NatRule <PSVirtualNetworkGatewayNatRule[]>] [-BgpRouteTranslationForNat <Boolean>] [-MinScaleUnit <Int32>]
  [-MaxScaleUnit <Int32>] [-VirtualNetworkGatewayPolicyGroup <PSVirtualNetworkGatewayPolicyGroup[]>]
  [-ClientConnectionConfiguration <PSClientConnectionConfiguration[]>] [-AdminState <String>]
- [-AllowRemoteVnetTraffic <Boolean>] [-ResiliencyModel <String>] [-AllowVirtualWanTraffic <Boolean>] [-AsJob]
- [-DefaultProfile <IAzureContextContainer>] [-WhatIf] [-Confirm]
+ [-AllowRemoteVnetTraffic <Boolean>] [-ResiliencyModel <String>] [-AllowVirtualWanTraffic <Boolean>]
+ [-UserAssignedIdentityId <String>] [-Identity <PSManagedServiceIdentity>] [-AsJob]
+ [-DefaultProfile <IAzureContextContainer>] [-ProgressAction <ActionPreference>] [-WhatIf] [-Confirm]
  [<CommonParameters>]
 ```
 
@@ -49,8 +50,9 @@ Set-AzVirtualNetworkGateway -VirtualNetworkGateway <PSVirtualNetworkGateway> [-G
  [-MaxScaleUnit <Int32>] [-VirtualNetworkGatewayPolicyGroup <PSVirtualNetworkGatewayPolicyGroup[]>]
  [-ClientConnectionConfiguration <PSClientConnectionConfiguration[]>] [-AdminState <String>]
  [-AllowRemoteVnetTraffic <Boolean>] [-ResiliencyModel <String>] [-AllowVirtualWanTraffic <Boolean>]
- -Tag <Hashtable> [-AsJob] [-DefaultProfile <IAzureContextContainer>]
- [-WhatIf] [-Confirm] [<CommonParameters>]
+ [-UserAssignedIdentityId <String>] [-Identity <PSManagedServiceIdentity>] -Tag <Hashtable> [-AsJob]
+ [-DefaultProfile <IAzureContextContainer>] [-ProgressAction <ActionPreference>] [-WhatIf] [-Confirm]
+ [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -522,6 +524,22 @@ Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gateway -AllowRemoteVnetTraf
 
 In both cases, the first command retrieves the gateway. You may then either modify the property directly on the object and persist it, or you may use the switch on the Set-AzVirtualNetworkGateway cmdlet.
 
+### Example 13: Configure a virtual network gateway with a user-assigned managed identity
+
+```powershell
+# Create or retrieve the user-assigned managed identity
+$identity = Get-AzUserAssignedIdentity -ResourceGroupName "resourceGroup001" -Name "myIdentity001"
+
+# Get the virtual network gateway
+$gateway = Get-AzVirtualNetworkGateway -ResourceGroupName "resourceGroup001" -Name "gateway001"
+
+# Set the identity using the UserAssignedIdentityId parameter
+Set-AzVirtualNetworkGateway -VirtualNetworkGateway $gateway -UserAssignedIdentityId $identity.Id
+
+```
+
+This example demonstrates how to configure a virtual network gateway with a user-assigned managed identity. This uses the UserAssignedIdentityId parameter to create the managed identity object. User-assigned identities are useful for accessing Azure Key Vault certificates for gateway authentication.
+
 ## PARAMETERS
 
 ### -AadAudienceId
@@ -781,6 +799,21 @@ Accept pipeline input: True (ByPropertyName)
 Accept wildcard characters: False
 ```
 
+### -Identity
+The managed identity configuration for the virtual network gateway.
+
+```yaml
+Type: Microsoft.Azure.Commands.Network.Models.PSManagedServiceIdentity
+Parameter Sets: (All)
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: True (ByPropertyName)
+Accept wildcard characters: False
+```
+
 ### -IpConfigurationBgpPeeringAddresses
 The BgpPeeringAddresses for Virtual network gateway bgpsettings.
 
@@ -856,6 +889,21 @@ Accept pipeline input: True (ByPropertyName)
 Accept wildcard characters: False
 ```
 
+### -ProgressAction
+{{ Fill ProgressAction Description }}
+
+```yaml
+Type: System.Management.Automation.ActionPreference
+Parameter Sets: (All)
+Aliases: proga
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -RadiusServerAddress
 P2S External Radius server address.
 
@@ -946,6 +994,21 @@ Accept pipeline input: False
 Accept wildcard characters: False
 ```
 
+### -UserAssignedIdentityId
+ResourceId of the user assigned identity to be assigned to virtual network gateway.
+
+```yaml
+Type: System.String
+Parameter Sets: (All)
+Aliases: UserAssignedIdentity
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: True (ByPropertyName)
+Accept wildcard characters: False
+```
+
 ### -VirtualNetworkGateway
 The virtual network gateway object to base modifications off of.
 This can be retrieved using Get-AzVirtualNetworkGateway
