@huiii99 huiii99 commented Dec 11, 2025

Related command

az network vnet-gateway create
az network vnet-gateway update

az network vpn-connection create
az network vpn-connection update

Description

Add managed identity support to network vnet-gateway create/update
Add authentication-type and certificate-based auth to network vpn-connection create/update

Resolve #32380
aaz Azure/aaz#912

Testing Guide

  • live test:
    azdev test test_vnet_gateway_managed_identity --live --discover
    azdev test test_vpn_connection_authentication --live --discover

  • playback test after recording:
    azdev test test_vnet_gateway_managed_identity
    azdev test test_vpn_connection_authentication

History Notes


azure-client-tools-bot-prd bot commented Dec 11, 2025

❌ AzureCLI-FullTest
✔️ acr: latest (3.12, 3.13)
✔️ acs: latest (3.12, 3.13)
✔️ advisor: latest (3.12, 3.13)
✔️ ams: latest (3.12, 3.13)
✔️ apim: latest (3.12, 3.13)
✔️ appconfig: latest (3.12, 3.13)
✔️ appservice: latest (3.12, 3.13)
✔️ aro: latest (3.12, 3.13)
✔️ backup: latest (3.12, 3.13)
✔️ batch: latest (3.12, 3.13)
✔️ batchai: latest (3.12, 3.13)
✔️ billing: latest (3.12, 3.13)
✔️ botservice: latest (3.12, 3.13)
✔️ cdn: latest (3.12, 3.13)
✔️ cloud: latest (3.12, 3.13)
✔️ cognitiveservices: latest (3.12, 3.13)
✔️ compute_recommender: latest (3.12, 3.13)
✔️ computefleet: latest (3.12, 3.13)
✔️ config: latest (3.12, 3.13)
✔️ configure: latest (3.12, 3.13)
✔️ consumption: latest (3.12, 3.13)
✔️ container: latest (3.12, 3.13)
✔️ containerapp: latest (3.12, 3.13)
✔️ core: latest (3.12, 3.13)
✔️ cosmosdb: latest (3.12, 3.13)
✔️ databoxedge: latest (3.12, 3.13)
✔️ dls: latest (3.12, 3.13)
✔️ dms: latest (3.12, 3.13)
✔️ eventgrid: latest (3.12, 3.13)
✔️ eventhubs: latest (3.12, 3.13)
✔️ feedback: latest (3.12, 3.13)
✔️ find: latest (3.12, 3.13)
✔️ hdinsight: latest (3.12, 3.13)
✔️ identity: latest (3.12, 3.13)
✔️ iot: latest (3.12, 3.13)
✔️ keyvault: latest (3.12, 3.13)
✔️ lab: latest (3.12, 3.13)
✔️ managedservices: latest (3.12, 3.13)
✔️ maps: latest (3.12, 3.13)
✔️ marketplaceordering: latest (3.12, 3.13)
✔️ monitor: latest (3.12, 3.13)
✔️ mysql: latest (3.12, 3.13)
✔️ netappfiles: latest (3.12, 3.13)
❌network
❌latest
❌3.12
Type Test Case Error Message Line
Failed test_network_vnet_peering self = <azure.cli.testsdk.base.ExecutionResult object at 0x7f1d63793bf0>
cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7f1d6b76bda0>
command = 'network vnet-gateway create -g cli_test_vnet_peering000001 -n gateway1 --public-ip-address /subscriptions/00000000-00...sourceGroups/cli_test_vnet_peering000001/providers/Microsoft.Network/virtualNetworks/vnet2 --tags foo=doo --sku VpnGw1'
expect_failure = False

    def _in_process_execute(self, cli_ctx, command, expect_failure=False):
        from io import StringIO
        from vcr.errors import CannotOverwriteExistingCassetteException
    
        if command.startswith('az '):
            command = command[3:]
    
        stdout_buf = StringIO()
        logging_buf = StringIO()
        try:
            # issue: stderr cannot be redirect in this form, as a result some failure information
            # is lost when command fails.
>           self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

src/azure-cli-testsdk/azure/cli/testsdk/base.py:303: 
                                        
env/lib/python3.12/site-packages/knack/cli.py:245: in invoke
    exit_code = self.exception_handler(ex)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/__init__.py:133: in exception_handler
    return handle_exception(ex)
           ^^^^^^^^^^^^^^^^^^^^
src/azure-cli-testsdk/azure/cli/testsdk/patches.py:33: in handle_main_exception
    raise ex
env/lib/python3.12/site-packages/knack/cli.py:233: in invoke
    cmd_result = self.invocation.execute(args)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/__init__.py:666: in execute
    raise ex
src/azure-cli-core/azure/cli/core/commands/__init__.py:734: in run_jobs_serially
    results.append(self.run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/__init__.py:714: in run_job
    result = LongRunningOperation(cmd_copy.cli_ctx, 'Starting {}'.format(cmd_copy.name))(result)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/__init__.py:1072: in __call__
    result = poller.result()
             ^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/aaz/poller.py:108: in result
    self.wait(timeout)
env/lib/python3.12/site-packages/azure/core/tracing/decorator.py:119: in wrapper_use_tracer
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/aaz/poller.py:130: in wait
    raise self.exception
src/azure-cli-core/azure/cli/core/aaz/poller.py:83: in start
    for polling_method in self.polling_generator:
                          ^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli/azure/cli/command_modules/network/aaz/latest/network/vnet_gateway/__cmds.py:5139: in execute_operations
    yield self.VirtualNetworkGatewaysCreateOrUpdate(ctx=self.ctx)()
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli/azure/cli/command_modules/network/aaz/latest/network/vnet_gateway/__cmds.py:5159: in __call__
    session = self.client.send_request(request=request, stream=False, **kwargs)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/aaz/client.py:108: in send_request
    session = self.pipeline.run(request, stream=stream, **kwargs)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:242: in run
    return first_node.send(pipeline_request)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/mgmt/core/policies/base.py:95: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/policies/redirect.py:205: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/policies/retry.py:545: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/aaz/http_policy.py:112: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:130: in send
    self.sender.send(request.http_request, **request.context.options),
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/transport/requests_basic.py:365: in send
    response = self.session.request(  # type: ignore
env/lib/python3.12/site-packages/requests/sessions.py:589: in request
    resp = self.send(prep, **send_kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/requests/sessions.py:703: in send
    r = adapter.send(request, **kwargs)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/requests/adapters.py:667: in send
    resp = conn.urlopen(
env/lib/python3.12/site-packages/urllib3/connectionpool.py:787: in urlopen
    response = self.make_request(
env/lib/python3.12/site-packages/urllib3/connectionpool.py:534: in make_request
    response = conn.getresponse()
               ^^^^^^^^^^^^^^^^^^

self = <VCRRequestsHTTPSConnection/mnt/vss/_work/1/s/src/azure-cli/azure/cli/command_modules/network/tests/latest/recordings/test_network_vnet_peering.yaml(host='management.azure.com', port=443) at 0x7f1d63417050>
_ = False, kwargs = {}

    def getresponse(self, _=False, **kwargs):
        """Retrieve the response"""
        # Check to see if the cassette has a response for this request. If so,
        # then return it
        if self.cassette.can_play_response_for(self.vcr_request):
            log.info(f"Playing response for {self.vcr_request} from cassette")
            response = self.cassette.play_response(self.vcr_request)
            return VCRHTTPResponse(response)
        else:
            if self.cassette.write_protected and self.cassette.filter_request(self.vcr_request):
>               raise CannotOverwriteExistingCassetteException(
                    cassette=self.cassette,
                    failed_request=self.vcr_request,
                )
E               vcr.errors.CannotOverwriteExistingCassetteException: Can't overwrite existing cassette ('/mnt/vss/_work/1/s/src/azure-cli/azure/cli/command_modules/network/tests/latest/recordings/test_network_vnet_peering.yaml') in your current record mode ('once').
E               No match for the request (<Request (PUT) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_vnet_peering000001/providers/Microsoft.Network/virtualNetworkGateways/gateway1?api-version=2025-01-01>) was found.
E               Found 1 similar requests with 1 different matcher(s) :
E               
E               1 - (<Request (PUT) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_vnet_peering000001/providers/Microsoft.Network/virtualNetworkGateways/gateway1?api-version=2024-07-01>).
E               Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path']
E               Matchers failed :
E               _custom_request_query_matcher - assertion failure :
E               None

env/lib/python3.12/site-packages/vcr/stubs/__init__.py:277: CannotOverwriteExistingCassetteException

During handling of the above exception, another exception occurred:

self = <azure.cli.command_modules.network.tests.latest.test_network_commands.NetworkVNetPeeringScenarioTest testMethod=test_network_vnet_peering>
resource_group = 'cli_test_vnet_peering000001'

    @ResourceGroupPreparer(name_prefix='cli_test_vnet_peering')
    def test_network_vnet_peering(self, resource_group):
    
        # create two vnets with non-overlapping prefixes
        self.cmd('network vnet create -g {rg} -n vnet1')
        self.cmd('network vnet create -g {rg} -n vnet2 --subnet-name GatewaySubnet --address-prefix 11.0.0.0/16 --subnet-prefix 11.0.0.0/24')
        # create supporting resources for gateway
        self.cmd('network public-ip create -g {rg} -n ip1')
        ip_id = self.cmd('network public-ip show -g {rg} -n ip1 --query id').get_output_in_json()
        vnet_id = self.cmd('network vnet show -g {rg} -n vnet2 --query id').get_output_in_json()
    
        self.kwargs.update({
            'ip_id': ip_id,
            'vnet_id': vnet_id
        })
        # create the gateway on vnet2
>       self.cmd('network vnet-gateway create -g {rg} -n gateway1 --public-ip-address {ip_id} --vnet {vnet_id} --tags foo=doo --sku VpnGw1')

src/azure-cli/azure/cli/command_modules/network/tests/latest/test_network_commands.py:5514:

src/azure-cli-testsdk/azure/cli/testsdk/base.py:177: in cmd
    return execute(self.cli_ctx, command, expect_failure=expect_failure).assert_with_checks(checks)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-testsdk/azure/cli/testsdk/base.py:252: in __init__
    self._in_process_execute(cli_ctx, command, expect_failure=expect_failure)

self = <azure.cli.testsdk.base.ExecutionResult object at 0x7f1d63793bf0>
cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7f1d6b76bda0>
command = 'network vnet-gateway create -g cli_test_vnet_peering000001 -n gateway1 --public-ip-address /subscriptions/00000000-00...sourceGroups/cli_test_vnet_peering000001/providers/Microsoft.Network/virtualNetworks/vnet2 --tags foo=doo --sku VpnGw1'
expect_failure = False

    def _in_process_execute(self, cli_ctx, command, expect_failure=False):
        from io import StringIO
        from vcr.errors import CannotOverwriteExistingCassetteException
    
        if command.startswith('az '):
            command = command[3:]
    
        stdout_buf = StringIO()
        logging_buf = StringIO()
        try:
            # issue: stderr cannot be redirect in this form, as a result some failure information
            # is lost when command fails.
            self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0
            self.output = stdout_buf.getvalue()
            self.applog = logging_buf.getvalue()
    
        except CannotOverwriteExistingCassetteException as ex:
>           raise AssertionError(ex)
E           AssertionError: Can't overwrite existing cassette ('/mnt/vss/_work/1/s/src/azure-cli/azure/cli/command_modules/network/tests/latest/recordings/test_network_vnet_peering.yaml') in your current record mode ('once').
E           No match for the request (<Request (PUT) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_vnet_peering000001/providers/Microsoft.Network/virtualNetworkGateways/gateway1?api-version=2025-01-01>) was found.
E           Found 1 similar requests with 1 different matcher(s) :
E           
E           1 - (<Request (PUT) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_vnet_peering000001/providers/Microsoft.Network/virtualNetworkGateways/gateway1?api-version=2024-07-01>).
E           Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path']
E           Matchers failed :
E           _custom_request_query_matcher - assertion failure :
E           None

src/azure-cli-testsdk/azure/cli/testsdk/base.py:308: AssertionError
azure/cli/command_modules/network/tests/latest/test_network_commands.py:5497
Failed test_network_vnet_peering_sync The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:5551
Failed test_network_vpn_connection_ipsec The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:5678
Failed test_network_vpn_connection_nat_rule The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:5731
Failed test_network_vnet_gateway_ipsec The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:6095
Failed test_network_vnet_gateway_migration The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:6129
Failed test_network_vnet_gateway_allow_traffic The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:6218
Failed test_network_vnet_gateway_multi_auth The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:6170
Failed test_network_vnet_gateway_multi_auth1 The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:6193
Failed test_network_vnet_gateway_expressroute_with_public_ip The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:6262
Failed test_network_vnet_gateway_expressroute_without_public_ip The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:6241
Failed test_network_active_active_cross_premise_connection The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:6667
Failed test_network_active_active_vnet_connection The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:6728
Failed test_network_vpn_gateway The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:6802
Failed test_network_vpn_gateway_aad The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:6921
Failed test_network_vpn_gateway_disconnect_connects The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:6967
Failed test_network_vpn_gateway_package_capture The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:7002
Failed test_network_vpn_gateway_sku The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:6892
Failed test_vpn_client_package The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:7036
Failed test_network_watcher_troubleshooting The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:7313
Failed test_network_vnet_gateway_nat_rule The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:7420
Failed test_network_vnet_gateway_nat_rule_sub_cmd The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:7454
Failed test_network_vnet_gateway_edge_zone The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:8139
Failed test_network_vnet_gateway_local_gateway The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:8154
Failed test_network_vnet_gateway_with_enable_private_ip_address The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:8169
❌3.13
Type Test Case Error Message Line
Failed test_network_vnet_peering self = <azure.cli.testsdk.base.ExecutionResult object at 0x7f0ba8b0a8b0>
cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7f0bb0bf6350>
command = 'network vnet-gateway create -g cli_test_vnet_peering000001 -n gateway1 --public-ip-address /subscriptions/00000000-00...sourceGroups/cli_test_vnet_peering000001/providers/Microsoft.Network/virtualNetworks/vnet2 --tags foo=doo --sku VpnGw1'
expect_failure = False

    def _in_process_execute(self, cli_ctx, command, expect_failure=False):
        from io import StringIO
        from vcr.errors import CannotOverwriteExistingCassetteException
    
        if command.startswith('az '):
            command = command[3:]
    
        stdout_buf = StringIO()
        logging_buf = StringIO()
        try:
            # issue: stderr cannot be redirect in this form, as a result some failure information
            # is lost when command fails.
>           self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

src/azure-cli-testsdk/azure/cli/testsdk/base.py:303: 
                                        
env/lib/python3.13/site-packages/knack/cli.py:245: in invoke
    exit_code = self.exception_handler(ex)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/__init__.py:133: in exception_handler
    return handle_exception(ex)
           ^^^^^^^^^^^^^^^^^^^^
src/azure-cli-testsdk/azure/cli/testsdk/patches.py:33: in handle_main_exception
    raise ex
env/lib/python3.13/site-packages/knack/cli.py:233: in invoke
    cmd_result = self.invocation.execute(args)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/__init__.py:666: in execute
    raise ex
src/azure-cli-core/azure/cli/core/commands/__init__.py:734: in run_jobs_serially
    results.append(self.run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/__init__.py:714: in run_job
    result = LongRunningOperation(cmd_copy.cli_ctx, 'Starting {}'.format(cmd_copy.name))(result)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/__init__.py:1072: in __call__
    result = poller.result()
             ^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/aaz/poller.py:108: in result
    self.wait(timeout)
env/lib/python3.13/site-packages/azure/core/tracing/decorator.py:119: in wrapper_use_tracer
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/aaz/poller.py:130: in wait
    raise self.exception
src/azure-cli-core/azure/cli/core/aaz/poller.py:83: in start
    for polling_method in self.polling_generator:
                          ^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli/azure/cli/command_modules/network/aaz/latest/network/vnet_gateway/__cmds.py:4423: in execute_operations
    yield self.VirtualNetworkGatewaysCreateOrUpdate(ctx=self.ctx)()
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli/azure/cli/command_modules/network/aaz/latest/network/vnet_gateway/__cmds.py:4443: in __call__
    session = self.client.send_request(request=request, stream=False, **kwargs)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/aaz/client.py:108: in send_request
    session = self.pipeline.run(request, stream=stream, **kwargs)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:242: in run
    return first_node.send(pipeline_request)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/mgmt/core/policies/base.py:95: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/policies/redirect.py:205: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/policies/retry.py:545: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/aaz/http_policy.py:112: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:130: in send
    self.sender.send(request.http_request, **request.context.options),
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/transport/requests_basic.py:365: in send
    response = self.session.request(  # type: ignore
env/lib/python3.13/site-packages/requests/sessions.py:589: in request
    resp = self.send(prep, **send_kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/requests/sessions.py:703: in send
    r = adapter.send(request, **kwargs)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/requests/adapters.py:667: in send
    resp = conn.urlopen(
env/lib/python3.13/site-packages/urllib3/connectionpool.py:787: in urlopen
    response = self.make_request(
env/lib/python3.13/site-packages/urllib3/connectionpool.py:534: in make_request
    response = conn.getresponse()
               ^^^^^^^^^^^^^^^^^^

self = <VCRRequestsHTTPSConnection/mnt/vss/_work/1/s/src/azure-cli/azure/cli/command_modules/network/tests/latest/recordings/test_network_vnet_peering.yaml(host='management.azure.com', port=443) at 0x7f0ba8c8b1d0>
_ = False, kwargs = {}

    def getresponse(self, _=False, **kwargs):
        """Retrieve the response"""
        # Check to see if the cassette has a response for this request. If so,
        # then return it
        if self.cassette.can_play_response_for(self.vcr_request):
            log.info(f"Playing response for {self.vcr_request} from cassette")
            response = self.cassette.play_response(self.vcr_request)
            return VCRHTTPResponse(response)
        else:
            if self.cassette.write_protected and self.cassette.filter_request(self.vcr_request):
>               raise CannotOverwriteExistingCassetteException(
                    cassette=self.cassette,
                    failed_request=self.vcr_request,
                )
E               vcr.errors.CannotOverwriteExistingCassetteException: Can't overwrite existing cassette ('/mnt/vss/_work/1/s/src/azure-cli/azure/cli/command_modules/network/tests/latest/recordings/test_network_vnet_peering.yaml') in your current record mode ('once').
E               No match for the request (<Request (PUT) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_vnet_peering000001/providers/Microsoft.Network/virtualNetworkGateways/gateway1?api-version=2025-01-01>) was found.
E               Found 1 similar requests with 1 different matcher(s) :
E               
E               1 - (<Request (PUT) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_vnet_peering000001/providers/Microsoft.Network/virtualNetworkGateways/gateway1?api-version=2024-07-01>).
E               Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path']
E               Matchers failed :
E               _custom_request_query_matcher - assertion failure :
E               None

env/lib/python3.13/site-packages/vcr/stubs/__init__.py:277: CannotOverwriteExistingCassetteException

During handling of the above exception, another exception occurred:

self = <azure.cli.command_modules.network.tests.latest.test_network_commands.NetworkVNetPeeringScenarioTest testMethod=test_network_vnet_peering>
resource_group = 'cli_test_vnet_peering000001'

    @ResourceGroupPreparer(name_prefix='cli_test_vnet_peering')
    def test_network_vnet_peering(self, resource_group):
    
        # create two vnets with non-overlapping prefixes
        self.cmd('network vnet create -g {rg} -n vnet1')
        self.cmd('network vnet create -g {rg} -n vnet2 --subnet-name GatewaySubnet --address-prefix 11.0.0.0/16 --subnet-prefix 11.0.0.0/24')
        # create supporting resources for gateway
        self.cmd('network public-ip create -g {rg} -n ip1')
        ip_id = self.cmd('network public-ip show -g {rg} -n ip1 --query id').get_output_in_json()
        vnet_id = self.cmd('network vnet show -g {rg} -n vnet2 --query id').get_output_in_json()
    
        self.kwargs.update({
            'ip_id': ip_id,
            'vnet_id': vnet_id
        })
        # create the gateway on vnet2
>       self.cmd('network vnet-gateway create -g {rg} -n gateway1 --public-ip-address {ip_id} --vnet {vnet_id} --tags foo=doo --sku VpnGw1')

src/azure-cli/azure/cli/command_modules/network/tests/latest/test_network_commands.py:5514:

src/azure-cli-testsdk/azure/cli/testsdk/base.py:177: in cmd
    return execute(self.cli_ctx, command, expect_failure=expect_failure).assert_with_checks(checks)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-testsdk/azure/cli/testsdk/base.py:252: in __init__
    self._in_process_execute(cli_ctx, command, expect_failure=expect_failure)

self = <azure.cli.testsdk.base.ExecutionResult object at 0x7f0ba8b0a8b0>
cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7f0bb0bf6350>
command = 'network vnet-gateway create -g cli_test_vnet_peering000001 -n gateway1 --public-ip-address /subscriptions/00000000-00...sourceGroups/cli_test_vnet_peering000001/providers/Microsoft.Network/virtualNetworks/vnet2 --tags foo=doo --sku VpnGw1'
expect_failure = False

    def _in_process_execute(self, cli_ctx, command, expect_failure=False):
        from io import StringIO
        from vcr.errors import CannotOverwriteExistingCassetteException
    
        if command.startswith('az '):
            command = command[3:]
    
        stdout_buf = StringIO()
        logging_buf = StringIO()
        try:
            # issue: stderr cannot be redirect in this form, as a result some failure information
            # is lost when command fails.
            self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0
            self.output = stdout_buf.getvalue()
            self.applog = logging_buf.getvalue()
    
        except CannotOverwriteExistingCassetteException as ex:
>           raise AssertionError(ex)
E           AssertionError: Can't overwrite existing cassette ('/mnt/vss/_work/1/s/src/azure-cli/azure/cli/command_modules/network/tests/latest/recordings/test_network_vnet_peering.yaml') in your current record mode ('once').
E           No match for the request (<Request (PUT) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_vnet_peering000001/providers/Microsoft.Network/virtualNetworkGateways/gateway1?api-version=2025-01-01>) was found.
E           Found 1 similar requests with 1 different matcher(s) :
E           
E           1 - (<Request (PUT) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/cli_test_vnet_peering000001/providers/Microsoft.Network/virtualNetworkGateways/gateway1?api-version=2024-07-01>).
E           Matchers succeeded : ['method', 'scheme', 'host', 'port', 'path']
E           Matchers failed :
E           _custom_request_query_matcher - assertion failure :
E           None

src/azure-cli-testsdk/azure/cli/testsdk/base.py:308: AssertionError
azure/cli/command_modules/network/tests/latest/test_network_commands.py:5497
Failed test_network_vnet_peering_sync The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:5551
Failed test_network_vpn_connection_ipsec The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:5678
Failed test_network_vpn_connection_nat_rule The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:5731
Failed test_network_vnet_gateway_ipsec The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:6095
Failed test_network_vnet_gateway_migration The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:6129
Failed test_network_vnet_gateway_allow_traffic The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:6218
Failed test_network_vnet_gateway_multi_auth The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:6170
Failed test_network_vnet_gateway_multi_auth1 The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:6193
Failed test_network_vnet_gateway_expressroute_with_public_ip The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:6262
Failed test_network_vnet_gateway_expressroute_without_public_ip The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:6241
Failed test_network_active_active_cross_premise_connection The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:6667
Failed test_network_active_active_vnet_connection The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:6728
Failed test_network_vpn_gateway The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:6802
Failed test_network_vpn_gateway_aad The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:6921
Failed test_network_vpn_gateway_disconnect_connects The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:6967
Failed test_network_vpn_gateway_package_capture The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:7002
Failed test_network_vpn_gateway_sku The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:6892
Failed test_vpn_client_package The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:7036
Failed test_network_watcher_troubleshooting The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:7313
Failed test_network_vnet_gateway_nat_rule The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:7420
Failed test_network_vnet_gateway_nat_rule_sub_cmd The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:7454
Failed test_network_vnet_gateway_edge_zone The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:8139
Failed test_network_vnet_gateway_local_gateway The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:8154
Failed test_network_vnet_gateway_with_enable_private_ip_address The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:8169
️✔️policyinsights
️✔️latest
️✔️3.12
️✔️3.13
️✔️privatedns
️✔️latest
️✔️3.12
️✔️3.13
️✔️profile
️✔️latest
️✔️3.12
️✔️3.13
️✔️rdbms
️✔️latest
️✔️3.12
️✔️3.13
️✔️redis
️✔️latest
️✔️3.12
️✔️3.13
️✔️relay
️✔️latest
️✔️3.12
️✔️3.13
️✔️resource
️✔️latest
️✔️3.12
️✔️3.13
️✔️role
️✔️latest
️✔️3.12
️✔️3.13
️✔️search
️✔️latest
️✔️3.12
️✔️3.13
️✔️security
️✔️latest
️✔️3.12
️✔️3.13
️✔️servicebus
️✔️latest
️✔️3.12
️✔️3.13
️✔️serviceconnector
️✔️latest
️✔️3.12
️✔️3.13
️✔️servicefabric
️✔️latest
️✔️3.12
️✔️3.13
️✔️signalr
️✔️latest
️✔️3.12
️✔️3.13
️✔️sql
️✔️latest
️✔️3.12
️✔️3.13
️✔️sqlvm
️✔️latest
️✔️3.12
️✔️3.13
️✔️storage
️✔️latest
️✔️3.12
️✔️3.13
️✔️synapse
️✔️latest
️✔️3.12
️✔️3.13
️✔️telemetry
️✔️latest
️✔️3.12
️✔️3.13
️✔️util
️✔️latest
️✔️3.12
️✔️3.13
️✔️vm
️✔️latest
️✔️3.12
️✔️3.13

@azure-client-tools-bot-prd

azure-client-tools-bot-prd bot commented Dec 11, 2025

⚠️AzureCLI-BreakingChangeTest
⚠️network
| rule | cmd_name | rule_message | suggest_message |
| --- | --- | --- | --- |
| ⚠️ 1006 - ParaAdd | network vnet-gateway create | cmd network vnet-gateway create added parameter mi_system_assigned | |
| ⚠️ 1006 - ParaAdd | network vnet-gateway create | cmd network vnet-gateway create added parameter mi_user_assigned | |
| ⚠️ 1011 - SubgroupAdd | network vnet-gateway identity | sub group network vnet-gateway identity added | |
| ⚠️ 1006 - ParaAdd | network vnet-gateway update | cmd network vnet-gateway update added parameter type | |
| ⚠️ 1006 - ParaAdd | network vnet-gateway update | cmd network vnet-gateway update added parameter user_assigned_identities | |
| ⚠️ 1006 - ParaAdd | network vpn-connection create | cmd network vpn-connection create added parameter auth_type | |
| ⚠️ 1006 - ParaAdd | network vpn-connection create | cmd network vpn-connection create added parameter cert_auth | |
| ⚠️ 1006 - ParaAdd | network vpn-connection update | cmd network vpn-connection update added parameter authentication_type | |
| ⚠️ 1006 - ParaAdd | network vpn-connection update | cmd network vpn-connection update added parameter certificate_authentication | |

@yonzhan
Collaborator

yonzhan commented Dec 11, 2025

Thank you for your contribution! We will review the pull request and get back to you soon.

@github-actions

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>

@microsoft-github-policy-service microsoft-github-policy-service bot added the Auto-Assign Auto assign by bot label Dec 11, 2025
@huiii99 huiii99 force-pushed the network-mi-vpn-cert branch from d0edfa6 to ea0d042 Compare December 12, 2025 02:38
@huiii99 huiii99 marked this pull request as ready for review December 12, 2025 03:16
Copilot AI review requested due to automatic review settings December 12, 2025 03:16
Contributor

Copilot AI left a comment

Pull request overview

This PR adds support for VPN Gateway Connection Certificate-based authentication and managed identity support for VNet gateways. The changes include:

  • Adding managed identity (user-assigned) support to VNet gateway create/update operations
  • Adding certificate-based authentication type to VPN connection create/update commands
  • Updating the Network API version from 2024-07-01 to 2025-01-01
  • Adding new identity management commands for VNet gateways

Reviewed changes

Copilot reviewed 25 out of 28 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| test_network_commands.py | Adds two comprehensive test classes covering managed identity and certificate authentication scenarios |
| VpnGatewayoutboundcert.pfx, VpnGatewayInboundCert.cer, VpnGatewayAuthCert.cer | Test certificate files for authentication scenarios |
| custom.py | Uncomments managed identity parameters and adds auth parameters to vpn-connection create |
| vpn_connection/*.py | AAZ-generated files updated with API version, authentication fields, and secret flags |
| vnet_gateway/*.py | AAZ-generated files updated with API version and identity support |
| vnet_gateway/identity/*.py | New identity management commands (assign/remove/show/wait) |
| _validators.py | Adds validation logic to clear shared keys when using certificate authentication |
| _template_builder.py | Updates API version and adds certificate auth parameters to template |
| _params.py | Adds auth_type and cert_auth parameters with JSON parsing support |
| _help.py | Adds documentation and examples for certificate authentication |

…onnection

feat: add vpn connection authentication test

fix: cli linter error

fix: ci error

fix: add cli example

fix: dev
@huiii99 huiii99 force-pushed the network-mi-vpn-cert branch from fc1bd7f to e2df42e Compare December 12, 2025 05:29
Labels

Auto-Assign Auto assign by bot

Development

Successfully merging this pull request may close these issues.

CLI for VPN Gateway Connection Certificate based authentication

3 participants