Merge pull request #247967 from cherylmc/connection-modes

update connection mode

Author: v-regandowner

articles/vpn-gateway/tutorial-site-to-site-portal.md

@@ -6,7 +6,7 @@ author: cherylmc
 ms.author: cherylmc
 ms.service: vpn-gateway
 ms.topic: tutorial
-ms.date: 06/23/2023
+ms.date: 08/10/2023
 
 ---
 

articles/vpn-gateway/vpn-gateway-about-vpn-gateway-settings.md

@@ -4,7 +4,7 @@ description: Learn about VPN Gateway resources and configuration settings.
 author: cherylmc
 ms.service: vpn-gateway
 ms.topic: conceptual
-ms.date: 06/27/2023
+ms.date: 08/10/2023
 ms.author: cherylmc 
 ms.custom: devx-track-azurepowershell, devx-track-azurecli 
 ms.devlang: azurecli
@@ -113,6 +113,10 @@ New-AzVirtualNetworkGatewayConnection -Name localtovon -ResourceGroupName testrg
 -ConnectionType IPsec -SharedKey 'abc123'
 ```
 
+## <a name="connectionmode"></a>Connection modes
+
+[!INCLUDE [Connection modes](../../includes/vpn-gateway-connection-mode-include.md)]
+
 ## <a name="vpntype"></a>VPN types
 
 When you create the virtual network gateway for a VPN gateway configuration, you must specify a *VPN type*. The VPN type that you choose depends on the connection topology that you want to create. For example, a P2S connection requires a RouteBased VPN type. A VPN type can also depend on the hardware that you're using. S2S configurations require a VPN device. Some VPN devices only support a certain VPN type.
@@ -143,7 +147,7 @@ Before you create a VPN gateway, you must create a gateway subnet. The gateway s
 
 When you create the gateway subnet, you specify the number of IP addresses that the subnet contains. The IP addresses in the gateway subnet are allocated to the gateway VMs and gateway services. Some configurations require more IP addresses than others.
 
-When you're planning your gateway subnet size, refer to the documentation for the configuration that you're planning to create. For example, the ExpressRoute/VPN Gateway coexist configuration requires a larger gateway subnet than most other configurations. While it's possible to create a gateway subnet as small as /29 (applicable to the Basic SKU only), all other SKUs require a gateway subnet of size /27 or larger ( /27, /26, /25 etc.). You may want to create a gateway subnet larger than /27 so that the subnet has enough IP addresses to accommodate possible future configurations.
+When you're planning your gateway subnet size, refer to the documentation for the configuration that you're planning to create. For example, the ExpressRoute/VPN Gateway coexist configuration requires a larger gateway subnet than most other configurations. While it's possible to create a gateway subnet as small as /29 (applicable to the Basic SKU only), all other SKUs require a gateway subnet of size /27 or larger (/27, /26, /25 etc.). You may want to create a gateway subnet larger than /27 so that the subnet has enough IP addresses to accommodate possible future configurations.
 
 The following Resource Manager PowerShell example shows a gateway subnet named GatewaySubnet. You can see the CIDR notation specifies a /27, which allows for enough IP addresses for most configurations that currently exist.
 

articles/vpn-gateway/vpn-gateway-howto-aws-bgp.md

@@ -6,7 +6,7 @@ author: cherylmc
 ms.author: cherylmc
 ms.service: vpn-gateway
 ms.topic: tutorial
-ms.date: 08/01/2023
+ms.date: 08/10/2023
 
 ---
 
@@ -271,7 +271,8 @@ Repeat these steps to create each of the required connections.
    * **IPsec / IKE policy**: Default
    * **Use policy based traffic selector**: Disable
    * **DPD timeout in seconds**: leave the default
-   * **Connection Mode**: You can select any of the available options (Default, Initiator Only, Responder Only) for **Connection Mode**, then select **Save**.
+   * **Connection Mode**: You can select any of the available options (Default, Initiator Only, Responder Only). For more information, see [VPN Gateway settings - connection modes](vpn-gateway-about-vpn-gateway-settings.md#connectionmode).
+1. Select **Save**.
 1. **Review + create** to create the connection.
 1. Repeat these steps to create additional connections.
 1. Before continuing to the next section, verify that you have a **local network gateway** and **connection** for **each of your four AWS tunnels**.

includes/vpn-gateway-add-site-to-site-connection-portal-include.md

@@ -2,7 +2,7 @@
  author: cherylmc
  ms.service: vpn-gateway
  ms.topic: include
- ms.date: 06/26/2023
+ ms.date: 08/10/2023
  ms.author: cherylmc
 ---
 1. Go to your virtual network. On your VNet page, select **Connected devices** on the left. Locate your VPN gateway and click to open it.
@@ -31,7 +31,7 @@
    * **IPse/IKE policy:** Default.
    * **Use policy based traffic selector:** Disable.
    * **DPD timeout in seconds:** 45
-   * **Connection Mode:** leave as Default.
+   * **Connection Mode:** leave as Default. This setting is used to specify which gateway can initiate the connection. For more information, see [VPN Gateway settings - connection modes](../articles/vpn-gateway/vpn-gateway-about-vpn-gateway-settings.md#connectionmode).
 1. For **NAT Rules Associations**, leave both Ingress and Egress as **0 selected**.
 1. Select **Review + create** to validate your connection settings.
 1. Select **Create** to create the connection.

includes/vpn-gateway-connection-mode-include.md

@@ -0,0 +1,9 @@
+---
+author: cherylmc
+ms.author: cherylmc
+ms.date: 08/10/2023
+ms.service: vpn-gateway
+ms.topic: include
+---
+
+The Connection Mode property only applies to route-based VPN gateways that use IKEv2 connections. Connection modes define the connection initiation direction and apply only to the initial IKE connection establishment. Any party can initiate rekeys and further messages. **InitiatorOnly** means the connection needs to be initiated by Azure. **ResponderOnly** means the connection needs to be initiated by the on-premises device. The **Default** behavior is to accept and dial whichever connects first.