Update SKU info

cherylmc · cherylmc · commit 7dfadee6d57a · 2023-09-27T13:47:14.000-04:00
diff --git a/articles/vpn-gateway/ikev2-openvpn-from-sstp.md b/articles/vpn-gateway/ikev2-openvpn-from-sstp.md
@@ -5,7 +5,7 @@ description: Learn how to transition to OpenVPN protocol or IKEv2 from SSTP to o
 author: cherylmc
 ms.service: vpn-gateway
 ms.topic: how-to
-ms.date: 09/15/2023
+ms.date: 09/26/2023
 ms.author: cherylmc
 
 ---
@@ -80,12 +80,12 @@ The zip file also provides the values of some of the important settings on the A
 
 ### <a name="gwsku"></a>Which gateway SKUs support P2S VPN?
 
-[!INCLUDE [aggregate throughput sku](../../includes/vpn-gateway-table-gwtype-aggtput-include.md)]
+The following table shows gateway SKUs by tunnel, connection, and throughput. For additional tables and more information regarding this table, see the Gateway SKUs section of the [VPN Gateway settings](vpn-gateway-about-vpn-gateway-settings.md#gwsku) article.
 
-* For gateway SKU recommendations, see [About VPN Gateway settings](vpn-gateway-about-vpn-gateway-settings.md#gwsku).
+[!INCLUDE [aggregate throughput sku](../../includes/vpn-gateway-table-gwtype-aggtput-include.md)]
 
->[!NOTE]
->The Basic SKU does not support IKEv2 or RADIUS authentication.
+> [!NOTE]
+> The Basic SKU has limitations and does not support IKEv2, or RADIUS authentication. See the [VPN Gateway settings](vpn-gateway-about-vpn-gateway-settings.md#gwsku) article for more information.
 >
 
 ### <a name="IKE/IPsec policies"></a>What IKE/IPsec policies are configured on VPN gateways for P2S?
diff --git a/articles/vpn-gateway/point-to-site-about.md b/articles/vpn-gateway/point-to-site-about.md
@@ -5,7 +5,7 @@ description: Learn about Point-to-Site VPN.
 author: cherylmc
 ms.service: vpn-gateway
 ms.topic: conceptual
-ms.date: 08/11/2023
+ms.date: 09/26/2023
 ms.author: cherylmc
 
 ---
@@ -23,9 +23,8 @@ Point-to-site VPN can use one of the following protocols:
 
 * **IKEv2 VPN**, a standards-based IPsec VPN solution. IKEv2 VPN can be used to connect from Mac devices (macOS versions 10.11 and above).
 
-
->[!NOTE]
->IKEv2 and OpenVPN for P2S are available for the [Resource Manager deployment model](../azure-resource-manager/management/deployment-models.md) only. They aren't available for the classic deployment model.
+> [!NOTE]
+> IKEv2 and OpenVPN for P2S are available for the [Resource Manager deployment model](../azure-resource-manager/management/deployment-models.md) only. They aren't available for the classic deployment model.
 >
 
 ## <a name="authentication"></a>How are P2S VPN clients authenticated?
@@ -78,12 +77,12 @@ The client configuration requirements vary, based on the VPN client that you use
 
 ## <a name="gwsku"></a>Which gateway SKUs support P2S VPN?
 
-[!INCLUDE [aggregate throughput sku](../../includes/vpn-gateway-table-gwtype-aggtput-include.md)]
+The following table shows gateway SKUs by tunnel, connection, and throughput. For additional tables and more information regarding this table, see the Gateway SKUs section of the [VPN Gateway settings](vpn-gateway-about-vpn-gateway-settings.md#gwsku) article.
 
-* For Gateway SKU recommendations, see [About VPN Gateway settings](vpn-gateway-about-vpn-gateway-settings.md#gwsku).
+[!INCLUDE [aggregate throughput sku](../../includes/vpn-gateway-table-gwtype-aggtput-include.md)]
 
->[!NOTE]
->The Basic SKU does not support IKEv2 or RADIUS authentication.
+> [!NOTE]
+> The Basic SKU has limitations and does not support IKEv2, IPv6, or RADIUS authentication. See the [VPN Gateway settings](vpn-gateway-about-vpn-gateway-settings.md#gwsku) article for more information.
 >
 
 ## <a name="IKE/IPsec policies"></a>What IKE/IPsec policies are configured on VPN gateways for P2S?
diff --git a/articles/vpn-gateway/vpn-gateway-about-vpn-gateway-settings.md b/articles/vpn-gateway/vpn-gateway-about-vpn-gateway-settings.md
@@ -4,7 +4,7 @@ description: Learn about VPN Gateway resources and configuration settings.
 author: cherylmc
 ms.service: vpn-gateway
 ms.topic: conceptual
-ms.date: 08/10/2023
+ms.date: 09/26/2023
 ms.author: cherylmc 
 ms.custom: devx-track-azurepowershell, devx-track-azurecli 
 ms.devlang: azurecli
@@ -14,7 +14,7 @@ ms.devlang: azurecli
 
 A VPN gateway is a type of virtual network gateway that sends encrypted traffic between your virtual network and your on-premises location across a public connection. You can also use a VPN gateway to send traffic between virtual networks across the Azure backbone.
 
-A VPN gateway connection relies on the configuration of multiple resources, each of which contains configurable settings. The sections in this article discuss the resources and settings that relate to a VPN gateway for a virtual network created in [Resource Manager deployment model](../azure-resource-manager/management/deployment-models.md). You can find descriptions and topology diagrams for each connection solution in the [About VPN Gateway](vpn-gateway-about-vpngateways.md) article.
+VPN gateway connections rely on the configuration of multiple resources, each of which contains configurable settings. The sections in this article discuss the resources and settings that relate to a VPN gateway for a virtual network created in [Resource Manager deployment model](../azure-resource-manager/management/deployment-models.md). You can find descriptions and topology diagrams for each connection solution in the [VPN Gateway design](design.md) article.
 
 The values in this article apply VPN gateways (virtual network gateways that use the -GatewayType Vpn). Additionally, this article covers many, but not all, gateway types and SKUs. See the following articles for information regarding gateways that use these specified settings:
 
@@ -76,8 +76,8 @@ az network vnet-gateway create --name VNet1GW --public-ip-address VNet1GWPIP --r
 If you have a VPN gateway and you want to use a different gateway SKU, your options are to either resize your gateway SKU, or to change to another SKU. When you change to another gateway SKU, you delete the existing gateway entirely and build a new one. Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU. In comparison, when you resize a gateway SKU, there isn't much downtime because you don't have to delete and rebuild the gateway. While it's faster to resize your gateway SKU, there are rules regarding resizing:
 
 1. Except for the Basic SKU, you can resize a VPN gateway SKU to another VPN gateway SKU within the same generation (Generation1 or Generation2) and SKU family (VpnGwx or VpnGwxAZ).
-   *  Example: VpnGw1 of Generation1 can be resized to VpnGw2 of Generation1, but can't be resized to VpnGw2 of Generation2. The gateway must instead be changed (deleted and rebuilt).
-   *  Example: VpnGw2 of Generation2 can't be resized to VpnGw2AZ of either Generation1 or Generation2 because the "AZ" gateways are [zone redundant](about-zone-redundant-vnet-gateways.md). To change to an AZ SKU, delete the gateway and rebuild it using the desired AZ SKU.
+   * Example: VpnGw1 of Generation1 can be resized to VpnGw2 of Generation1, but can't be resized to VpnGw2 of Generation2. The gateway must instead be changed (deleted and rebuilt).
+   * Example: VpnGw2 of Generation2 can't be resized to VpnGw2AZ of either Generation1 or Generation2 because the "AZ" gateways are [zone redundant](about-zone-redundant-vnet-gateways.md). To change to an AZ SKU, delete the gateway and rebuild it using the desired AZ SKU.
 1. When working with older legacy SKUs:
    * You can resize between Standard and HighPerformance SKUs.
    * You **cannot** resize from Basic/Standard/HighPerformance SKUs to VpnGw SKUs. You must instead, [change](#change) to the new SKUs.
@@ -141,10 +141,6 @@ New-AzVirtualNetworkGateway -Name vnetgw1 -ResourceGroupName testrg `
 
 Before you create a VPN gateway, you must create a gateway subnet. The gateway subnet contains the IP addresses that the virtual network gateway VMs and services use. When you create your virtual network gateway, gateway VMs are deployed to the gateway subnet and configured with the required VPN gateway settings. Never deploy anything else (for example, additional VMs) to the gateway subnet. The gateway subnet must be named 'GatewaySubnet' to work properly. Naming the gateway subnet 'GatewaySubnet' lets Azure know that this is the subnet to which it should deploy the virtual network gateway VMs and services.
 
->[!NOTE]
->[!INCLUDE [vpn-gateway-gwudr-warning.md](../../includes/vpn-gateway-gwudr-warning.md)]
->
-
 When you create the gateway subnet, you specify the number of IP addresses that the subnet contains. The IP addresses in the gateway subnet are allocated to the gateway VMs and gateway services. Some configurations require more IP addresses than others.
 
 When you're planning your gateway subnet size, refer to the documentation for the configuration that you're planning to create. For example, the ExpressRoute/VPN Gateway coexist configuration requires a larger gateway subnet than most other configurations. While it's possible to create a gateway subnet as small as /29 (applicable to the Basic SKU only), all other SKUs require a gateway subnet of size /27 or larger (/27, /26, /25 etc.). You may want to create a gateway subnet larger than /27 so that the subnet has enough IP addresses to accommodate possible future configurations.
@@ -155,7 +151,11 @@ The following Resource Manager PowerShell example shows a gateway subnet named G
 Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix 10.0.3.0/27
 ```
 
-[!INCLUDE [vpn-gateway-no-nsg](../../includes/vpn-gateway-no-nsg-include.md)]
+Considerations:
+
+[!INCLUDE [vpn-gateway-gwudr-warning.md](../../includes/vpn-gateway-gwudr-warning.md)]
+
+* When working with gateway subnets, avoid associating a network security group (NSG) to the gateway subnet. Associating a network security group to this subnet may cause your virtual network gateway (VPN and Express Route gateways) to stop functioning as expected. For more information about network security groups, see [What is a network security group?](../virtual-network/network-security-groups-overview.md).
 
 ## <a name="lng"></a>Local network gateways
 
diff --git a/articles/vpn-gateway/vpn-gateway-about-vpngateways.md b/articles/vpn-gateway/vpn-gateway-about-vpngateways.md
@@ -5,7 +5,7 @@ author: cherylmc
 # Customer intent: As someone with a basic network background, but is new to Azure, I want to understand the capabilities of Azure VPN Gateway so that I can securely connect to my Azure virtual networks.
 ms.service: vpn-gateway
 ms.topic: overview
-ms.date: 09/15/2023
+ms.date: 09/26/2023
 ms.author: cherylmc
 ms.custom: contperf-fy21q1, e2e-hybrid
 ---
@@ -50,13 +50,9 @@ You can start out creating and configuring resources using one configuration too
 
 ## <a name="gwsku"></a>Gateway SKUs
 
-When you create a virtual network gateway, you specify the gateway SKU that you want to use. Select the SKU that satisfies your requirements based on the types of workloads, throughputs, features, and SLAs.
+When you create a virtual network gateway, you specify the gateway SKU that you want to use. Select the SKU that satisfies your requirements based on the types of workloads, throughputs, features, and SLAs. For more information about gateway SKUs, including supported features, performance, production and dev-test, and configuration steps, see the [VPN Gateway settings](vpn-gateway-about-vpn-gateway-settings.md#gwsku) article.
 
-* For more information about gateway SKUs, including supported features, production and dev-test, and configuration steps, see the [VPN Gateway Settings - Gateway SKUs](vpn-gateway-about-vpn-gateway-settings.md#gwsku) article.
-* For Legacy SKU information, see [Working with Legacy SKUs](vpn-gateway-about-skus-legacy.md).
-* The Basic SKU doesn't support IPv6 and can only be configured using PowerShell or Azure CLI.
-
-### <a name="benchmark"></a>Gateway SKUs by tunnel, connection, and throughput
+The following table shows gateway SKUs by tunnel, connection, and throughput. For additional tables and more information regarding this table, see the Gateway SKUs section of the [VPN Gateway settings](vpn-gateway-about-vpn-gateway-settings.md#gwsku) article.
 
 [!INCLUDE [Aggregated throughput by SKU](../../includes/vpn-gateway-table-gwtype-aggtput-include.md)]
 
diff --git a/articles/vpn-gateway/vpn-gateway-highlyavailable.md b/articles/vpn-gateway/vpn-gateway-highlyavailable.md
@@ -40,7 +40,7 @@ This configuration provides multiple active tunnels from the same Azure VPN gate
 1. BGP is required for this configuration. Each local network gateway representing a VPN device must have a unique BGP peer IP address specified in the "BgpPeerIpAddress" property.
 1. You should use BGP to advertise the same prefixes of the same on-premises network prefixes to your Azure VPN gateway, and the traffic will be forwarded through these tunnels simultaneously.
 1. You must use Equal-cost multi-path routing (ECMP).
-1. Each connection is counted against the maximum number of tunnels for your Azure VPN gateway. See the [Overview](vpn-gateway-about-vpngateways.md#benchmark) page for the latest information about tunnels, connections, and throughput.
+1. Each connection is counted against the maximum number of tunnels for your Azure VPN gateway. See the [VPN Gateway settings](vpn-gateway-about-vpn-gateway-settings.md#gwsku) page for the latest information about tunnels, connections, and throughput.
 
 In this configuration, the Azure VPN gateway is still in active-standby mode, so the same failover behavior and brief interruption will still happen as described [above](#activestandby). But this setup guards against failures or interruptions on your on-premises network and VPN devices.
 
diff --git a/includes/vpn-gateway-faq-point-to-site-classic-include.md b/includes/vpn-gateway-faq-point-to-site-classic-include.md
@@ -2,7 +2,7 @@
  title: include file
  author: cherylmc
  ms.service: vpn-gateway
- ms.date: 05/25/2022
+ ms.date: 09/26/2023
  ms.author: cherylmc
 ---
 This FAQ applies to P2S connections that use the classic deployment model.
diff --git a/includes/vpn-gateway-gwsku-include.md b/includes/vpn-gateway-gwsku-include.md
@@ -6,21 +6,43 @@ ms.service: vpn-gateway
 ms.topic: include
 ---
 
-When you create a virtual network gateway, you need to specify the gateway SKU that you want to use. Select the SKU that satisfies your requirements based on the types of workloads, throughput, features, and SLAs. For virtual network gateway SKUs in Azure Availability Zones (*AZ SKUs), see [Zone-redundant gateway SKUs](../articles/vpn-gateway/about-zone-redundant-vnet-gateways.md).
+When you create a virtual network gateway, you specify the gateway SKU that you want to use. This section describes the factors that you should take into consideration when selecting a gateway SKU for the current deployment model (Resource Manager).
 
-###  <a name="benchmark"></a>Gateway SKUs by tunnel, connection, and throughput
+If you're looking for SKU information about legacy SKUs, ExpressRoute gateway SKUs, or more information about Availability Zone SKUs, see the following articles:
+
+* For information about working with the legacy gateway SKUs (Basic, Standard, and HighPerformance), see [Working with VPN gateway SKUs (legacy SKUs)](../articles/vpn-gateway/vpn-gateway-about-skus-legacy.md).
+* For ExpressRoute gateway SKUs, see [Virtual Network gateways for ExpressRoute](../articles/expressroute/expressroute-about-virtual-network-gateways.md).
+* For more information about Availability Zone SKU (*AZ SKUs), see [About Zone redundant gateway SKUs](../articles/vpn-gateway/about-zone-redundant-vnet-gateways.md).
+
+When selecting a virtual network gateway SKU, select the SKU that satisfies your requirements based on the types of workloads, throughput, features, and SLAs. The following sections show the relevant information that you should use when deciding.
+
+### <a name="benchmark"></a>Gateway SKUs by tunnel, connection, and throughput
 
 [!INCLUDE [Aggregated throughput by SKU](./vpn-gateway-table-gwtype-aggtput-include.md)]
 
-> [!NOTE]
-> * For information about working with the legacy gateway SKUs (Basic, Standard, and HighPerformance), see [Working with VPN gateway SKUs (legacy SKUs)](../articles/vpn-gateway/vpn-gateway-about-skus-legacy.md).
-> * For ExpressRoute gateway SKUs, see [Virtual Network Gateways for ExpressRoute](../articles/expressroute/expressroute-about-virtual-network-gateways.md).
-> * For Availability Zone SKUs (*AZ SKUs), see [About Zone redundant gateway SKUs](../articles/vpn-gateway/about-zone-redundant-vnet-gateways.md).
->
+**Additional information**
+
+* You can resize a gateway SKU as long as it is in the same generation, except for the Basic SKU. The Basic SKU is a legacy SKU and has feature limitations. To change from the Basic SKU to another SKU, you first delete the Basic SKU VPN gateway, then create a new gateway with the desired generation and SKU size combination. See [Working with Legacy SKUs](../articles/vpn-gateway/vpn-gateway-about-skus-legacy.md).
+
+* The Basic SKU doesn't support IPv6 and can only be configured using PowerShell or Azure CLI. Additionally, the Basic SKU doesn't support RADIUS authentication.
+
+* These connection limits are separate. For example, you can have 128 SSTP connections and also 250 IKEv2 connections on a VpnGw1 SKU.
+
+* If you have numerous P2S connections, it can negatively impact your S2S connections. The Aggregate Throughput Benchmarks were tested by maximizing a combination of S2S and P2S connections. A single P2S or S2S connection can have a much lower throughput.
+
+* See the [Pricing](https://azure.microsoft.com/pricing/details/vpn-gateway) page for pricing information.
+
+* See the [SLA](https://azure.microsoft.com/support/legal/sla/vpn-gateway/) page for SLA (Service Level Agreement) information.
+
+* All benchmarks aren't guaranteed due to Internet traffic conditions and your application behaviors.
+
+### Gateway SKU by performance
+
+[!INCLUDE [SKU by performance](./vpn-gateway-performance-include.md)]
 
-###  <a name="feature"></a>Gateway SKUs by feature set
+### <a name="feature"></a>Gateway SKUs by feature set
 
-The new VPN gateway SKUs streamline the feature sets offered on the gateways:
+The new VPN Gateway SKUs streamline the feature sets offered on the gateways:
 
 | **SKU**| **Features**|
 | ---    | ---         |
@@ -30,7 +52,7 @@ The new VPN gateway SKUs streamline the feature sets offered on the gateways:
 
 (*) You can configure "PolicyBasedTrafficSelectors" to connect a route-based VPN gateway to multiple on-premises policy-based firewall devices. Refer to [Connect VPN gateways to multiple on-premises policy-based VPN devices using PowerShell](../articles/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps.md) for details.
 
-(\*\*) The Basic SKU is considered a legacy SKU. The Basic SKU has certain feature limitations. You can't resize a gateway that uses a Basic SKU to another SKU, you must instead change to a new SKU, which involves deleting and recreating your VPN gateway. You can't deploy a Basic SKU to a VNet that uses IPv6 address space. The Basic SKU can only be configured using PowerShell or Azure CLI.
+(\*\*) The Basic SKU is considered a legacy SKU. The Basic SKU has certain feature limitations. Verify that the feature that you need is supported before you use the Basic SKU. The Basic SKU doesn't support IPv6 and can only be configured using PowerShell or Azure CLI. Additionally, the Basic SKU doesn't support RADIUS authentication.
 
 ###  <a name="workloads"></a>Gateway SKUs - Production vs. Dev-Test Workloads
 
@@ -42,6 +64,6 @@ Due to the differences in SLAs and feature sets, we recommend the following SKUs
 | **Dev-test or proof of concept**   | Basic (**)                 |
 |                                    |                        |
 
-(\*\*) The Basic SKU is considered a legacy SKU and has feature limitations. Verify that the feature that you need is supported before you use the Basic SKU. Additionally, the Basic SKU can only be configured using Azure CLI or PowerShell.
+(\*\*) The Basic SKU is considered a legacy SKU. The Basic SKU has certain feature limitations. Verify that the feature that you need is supported before you use the Basic SKU. The Basic SKU doesn't support IPv6 and can only be configured using PowerShell or Azure CLI. Additionally, the Basic SKU doesn't support RADIUS authentication.
 
-If you are using the old SKUs (legacy), the production SKU recommendations are Standard and HighPerformance. For information and instructions for old SKUs, see [Gateway SKUs (legacy)](../articles/vpn-gateway/vpn-gateway-about-skus-legacy.md).
+If you're using the old SKUs (legacy), the production SKU recommendations are Standard and HighPerformance. For information and instructions for old SKUs, see [Gateway SKUs (legacy)](../articles/vpn-gateway/vpn-gateway-about-skus-legacy.md).
diff --git a/includes/vpn-gateway-gwudr-warning.md b/includes/vpn-gateway-gwudr-warning.md
@@ -5,7 +5,7 @@
  author: cherylmc
  ms.service: vpn-gateway
  ms.topic: include
- ms.date: 04/07/2023
+ ms.date: 09/26/2023
  ms.author: cherylmc
  ms.custom: include file
 ---
diff --git a/includes/vpn-gateway-performance-include.md b/includes/vpn-gateway-performance-include.md
diff --git a/includes/vpn-gateway-table-gwtype-aggtput-include.md b/includes/vpn-gateway-table-gwtype-aggtput-include.md
