| 1 | +--- |
| 2 | +title: About custom traffic selectors |
| 3 | +description: Learn about custom traffic selectors for VPN Gateway. |
| 4 | +titleSuffix: Azure VPN Gateway |
| 5 | +author: cherylmc |
| 6 | +ms.service: azure-vpn-gateway |
| 7 | +ms.topic: how-to |
| 8 | +ms.date: 06/25/2025 |
| 9 | +ms.author: cherylmc |
| 10 | +--- |
| 11 | +# Custom traffic selectors for VPN Gateway |
| 12 | + |
| 13 | +There are certain scenarios where you might not want to allow the entire virtual network address space or local network address space to negotiate traffic for a specific VPN Gateway connection. You can use custom traffic selectors to specify the address spaces that are allowed. |
| 14 | + |
| 15 | +Custom traffic selectors are supported for both policy-based and route-based VPN gateways. The custom-configured traffic selectors are proposed only when a VPN gateway initiates the connection. A VPN gateway accepts any traffic selectors proposed by a remote gateway (on-premises VPN device). This behavior is consistent among all connection modes (`Default`, `InitiatorOnly`, and `ResponderOnly`). |
| 16 | + |
| 17 | +## Portal |
| 18 | + |
| 19 | +You can define traffic selectors in the Azure portal. You can either create a new connection with the required settings, or update an existing connection. In the following steps, we update an existing connection with the required settings. |
| 20 | + |
| 21 | +1. In the Azure portal, navigate to **Virtual network gateways** and select the gateway you want to configure. |
| 22 | +1. In the **Settings** section, select **Connections**. |
| 23 | +1. Select the connection you want to configure. |
| 24 | +1. Select **Configuration**. |
| 25 | +1. On the Configuration page, Enable **Use policy based traffic selector**. |
| 26 | +1. Select the **Connection Mode** you want to use. The options are **Default**, **InitiatorOnly**, and **ResponderOnly**. The default is **Default**. |
| 27 | +1. Enable **Use custom traffic selectors**. |
| 28 | +1. For **Local address range**, enter the address ranges that you want to use. The address ranges must be in CIDR notation. You can specify multiple address ranges by separating them with commas, or create separate lines for each address range. |
| 29 | +1. For **Remote address range**, enter the address ranges that you want to use. The address ranges must be in CIDR notation. You can specify multiple address ranges by separating them with commas, or use multiple lines. The behavior is different depending on whether you use a single line or multiple lines. This behavior is described in the next sections. |
| 30 | +1. **Save** the changes. |
| 31 | + |
| 32 | +### Addresses on a single line |
| 33 | + |
| 34 | +In the following example, a single QMSA with 3 TSi to 3 TSr is specified. |
| 35 | + |
| 36 | +:::image type="content" source="./media/custom-traffic-selectors/same-line.png" alt-text="Screenshot showing custom traffic selector addresses using the same line." lightbox ="./media/custom-traffic-selectors/same-line.png"::: |
| 37 | + |
| 38 | +When you specify addresses on a single line, the behavior is as follows: |
| 39 | + |
| 40 | +* When the addresses are specified on a single line, the tunnel comes up and creates a QMSA for the local range and remote range pairs. |
| 41 | +* The QMSA is created for the entire range of addresses specified. |
| 42 | + |
| 43 | +### Addresses on multiple lines |
| 44 | + |
| 45 | +In the following example, addresses are specified on separate lines. When you specify addresses on separate lines, the behavior is different than when you specify addresses all on the same line. |
| 46 | + |
| 47 | +:::image type="content" source="./media/custom-traffic-selectors/separate-lines.png" alt-text="Screenshot showing custom traffic selector addresses using multiple lines." lightbox ="./media/custom-traffic-selectors/separate-lines.png"::: |
| 48 | + |
| 49 | +When you specify addresses on separate lines, the behavior is as follows: |
| 50 | + |
| 51 | +* When the tunnel comes up, it creates a QMSA for only the 1st line. |
| 52 | +* The rest of the local range and remote range pairs aren't created until traffic is attempted. When traffic is attempted, it triggers to create a QMSA for that traffic. |
| 53 | +* For QMSAs that aren't yet created, when packets are sent, the first few packets are unsuccessful until there's a QMSA for the traffic. |
| 54 | + |
| 55 | +## PowerShell |
| 56 | + |
| 57 | +You can define traffic selectors by using the `trafficSelectorPolicies` attribute on a connection via the [New-AzIpsecTrafficSelectorPolicy](/powershell/module/az.network/new-azipsectrafficselectorpolicy) Azure PowerShell command. For the specified traffic selector to take effect, be sure to [enable policy-based traffic selectors](vpn-gateway-connect-multiple-policybased-rm-ps.md#enablepolicybased). |
| 58 | + |
| 59 | +1. Declare the variables. The following example shows how to declare the variables. You can use the same variables in the next steps. |
| 60 | + |
| 61 | + ```azurepowershell-interactive |
| 62 | + Select-AzSubscription -SubscriptionId "UPDATE THESUBSCRIPTION ID" |
| 63 | + $rgname = "UPDATE THE RESOURCE GROUP NAME" |
| 64 | + $location = "UPDATE THE REGION NAME" |
| 65 | + $vnetGateway = Get-AzVirtualNetworkGateway -ResourceGroupName $rgname -Name "UPDATE THE VNET GATEWAY NAME" |
| 66 | + $localnetGateway = Get-AzLocalNetworkGateway -ResourceGroupName $rgname -Name "UPDATE THE VNET GATEWAY NAME" |
| 67 | + $sharedKey = "******" |
| 68 | + $vnetConnectionName = "UPDATE THE CONNECTION NAME" |
| 69 | + ``` |
| 70 | + |
| 71 | +1. Create the traffic selector policy. The following example shows how to create a traffic selector policy with a single line. To specify multiple address ranges, separate them with commas. |
| 72 | + |
| 73 | + ```azurepowershell-interactive |
| 74 | + $trafficSelectorPolicy = New-AzIpsecTrafficSelectorPolicy -LocalAddressRange ("10.30.0.4/32") -RemoteAddressRange ("10.50.0.0/24") |
| 75 | + New-AzVirtualNetworkGatewayConnection -ResourceGroupName $rgname -name $vnetConnectionName -location $location -VirtualNetworkGateway1 $vnetGateway -LocalNetworkGateway2 $localnetGateway -ConnectionType IPsec -RoutingWeight 3 -SharedKey $sharedKey -UsePolicyBasedTrafficSelectors $true -TrafficSelectorPolicy ($trafficSelectorPolicy) |
| 76 | + ``` |
| 77 | + |
| 78 | +1. Once the connection object is created, you can pull the Get-Gateway / refresh ASC and pull the RAW DATA URI (Get-Gateway output) to see the changes. |
| 79 | + |
| 80 | +## Next steps |
| 81 | + |
| 82 | +For more information about VPN Gateway, see the [VPN Gateway FAQ](vpn-gateway-vpn-faq.md). |
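Review bot: The `$localnetGateway` line in step 1 of the PowerShell section reuses the wrong placeholder: `$localnetGateway = Get-AzLocalNetworkGateway -ResourceGroupName $rgname -Name "UPDATE THE VNET GATEWAY NAME"` should read `"UPDATE THE LOCAL NETWORK GATEWAY NAME"`, otherwise a reader copying the block will point the connection's on-premises side at the virtual network gateway and the cmdlet will fail or bind the wrong resource. In the same block, `"UPDATE THESUBSCRIPTION ID"` is missing a space. Step 3 ("pull the Get-Gateway / refresh ASC and pull the RAW DATA URI") uses internal tooling names a customer cannot act on; suggest replacing it with the public verification, e.g. `Get-AzVirtualNetworkGatewayConnection -ResourceGroupName $rgname -Name $vnetConnectionName` and inspecting `TrafficSelectorPolicies` and `UsePolicyBasedTrafficSelectors`. The Portal section introduces QMSA, TSi and TSr without expansion; a short parenthetical on first use (Quick Mode security association; initiator/responder traffic selectors) would help, and "Enable" in step 5 should be lowercase. Finally, the multiple-lines bullets say the first few packets are dropped until a QMSA exists; it is worth stating explicitly that this is expected behavior per selector pair, not a misconfiguration, since readers are likely to troubleshoot it.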