@huiii99
Member

@huiii99 huiii99 commented Dec 11, 2025

Related command

az network vnet-gateway create
az network vnet-gateway update

az network vpn-connection create
az network vpn-connection update

Description

Add managed identity support to network vnet-gateway create/update
Add authentication-type and certificate-based auth to network vpn-connection create/update

Resolve #32380
aaz Azure/aaz#912

Testing Guide

  • live test:
    azdev test test_vnet_gateway_managed_identity --live --discover
    azdev test test_vpn_connection_authentication --live --discover

  • playback test after recording:
    azdev test test_vnet_gateway_managed_identity
    azdev test test_vpn_connection_authentication

History Notes


This checklist is used to make sure that common guidelines for a pull request are followed.

@azure-client-tools-bot-prd

azure-client-tools-bot-prd bot commented Dec 11, 2025

❌AzureCLI-FullTest
✔️ acr (latest: ✔️ 3.12, ✔️ 3.13)
✔️ acs (latest: ✔️ 3.12, ✔️ 3.13)
✔️ advisor (latest: ✔️ 3.12, ✔️ 3.13)
✔️ ams (latest: ✔️ 3.12, ✔️ 3.13)
✔️ apim (latest: ✔️ 3.12, ✔️ 3.13)
✔️ appconfig (latest: ✔️ 3.12, ✔️ 3.13)
✔️ appservice (latest: ✔️ 3.12, ✔️ 3.13)
✔️ aro (latest: ✔️ 3.12, ✔️ 3.13)
✔️ backup (latest: ✔️ 3.12, ✔️ 3.13)
✔️ batch (latest: ✔️ 3.12, ✔️ 3.13)
✔️ batchai (latest: ✔️ 3.12, ✔️ 3.13)
✔️ billing (latest: ✔️ 3.12, ✔️ 3.13)
✔️ botservice (latest: ✔️ 3.12, ✔️ 3.13)
✔️ cdn (latest: ✔️ 3.12, ✔️ 3.13)
✔️ cloud (latest: ✔️ 3.12, ✔️ 3.13)
✔️ cognitiveservices (latest: ✔️ 3.12, ✔️ 3.13)
✔️ compute_recommender (latest: ✔️ 3.12, ✔️ 3.13)
✔️ computefleet (latest: ✔️ 3.12, ✔️ 3.13)
✔️ config (latest: ✔️ 3.12, ✔️ 3.13)
✔️ configure (latest: ✔️ 3.12, ✔️ 3.13)
✔️ consumption (latest: ✔️ 3.12, ✔️ 3.13)
✔️ container (latest: ✔️ 3.12, ✔️ 3.13)
✔️ containerapp (latest: ✔️ 3.12, ✔️ 3.13)
✔️ core (latest: ✔️ 3.12, ✔️ 3.13)
✔️ cosmosdb (latest: ✔️ 3.12, ✔️ 3.13)
✔️ databoxedge (latest: ✔️ 3.12, ✔️ 3.13)
✔️ dls (latest: ✔️ 3.12, ✔️ 3.13)
✔️ dms (latest: ✔️ 3.12, ✔️ 3.13)
✔️ eventgrid (latest: ✔️ 3.12, ✔️ 3.13)
✔️ eventhubs (latest: ✔️ 3.12, ✔️ 3.13)
✔️ feedback (latest: ✔️ 3.12, ✔️ 3.13)
✔️ find (latest: ✔️ 3.12, ✔️ 3.13)
✔️ hdinsight (latest: ✔️ 3.12, ✔️ 3.13)
✔️ identity (latest: ✔️ 3.12, ✔️ 3.13)
✔️ iot (latest: ✔️ 3.12, ✔️ 3.13)
✔️ keyvault (latest: ✔️ 3.12, ✔️ 3.13)
✔️ lab (latest: ✔️ 3.12, ✔️ 3.13)
✔️ managedservices (latest: ✔️ 3.12, ✔️ 3.13)
✔️ maps (latest: ✔️ 3.12, ✔️ 3.13)
✔️ marketplaceordering (latest: ✔️ 3.12, ✔️ 3.13)
✔️ monitor (latest: ✔️ 3.12, ✔️ 3.13)
✔️ mysql (latest: ✔️ 3.12, ✔️ 3.13)
✔️ netappfiles (latest: ✔️ 3.12, ✔️ 3.13)
❌network
❌latest
❌3.12
Type Test Case Error Message Line
Failed test_vpn_connection_authentication self = <azure.cli.testsdk.base.ExecutionResult object at 0x7f9715a1f2f0>
cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7f971cd3f050>
command = 'keyvault create -g test_vpn_connection_auth000001 -n kv-wvtsn9wl -l eastus --enabled-for-deployment true --enable-rbac-authorization false'
expect_failure = False

    def _in_process_execute(self, cli_ctx, command, expect_failure=False):
        from io import StringIO
        from vcr.errors import CannotOverwriteExistingCassetteException
    
        if command.startswith('az '):
            command = command[3:]
    
        stdout_buf = StringIO()
        logging_buf = StringIO()
        try:
            # issue: stderr cannot be redirect in this form, as a result some failure information
            # is lost when command fails.
>           self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

src/azure-cli-testsdk/azure/cli/testsdk/base.py:303: 
                                        
env/lib/python3.12/site-packages/knack/cli.py:245: in invoke
    exit_code = self.exception_handler(ex)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/__init__.py:133: in exception_handler
    return handle_exception(ex)
           ^^^^^^^^^^^^^^^^^^^^
src/azure-cli-testsdk/azure/cli/testsdk/patches.py:33: in handle_main_exception
    raise ex
env/lib/python3.12/site-packages/knack/cli.py:233: in invoke
    cmd_result = self.invocation.execute(args)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/__init__.py:669: in execute
    raise ex
src/azure-cli-core/azure/cli/core/commands/__init__.py:737: in run_jobs_serially
    results.append(self.run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/__init__.py:706: in run_job
    result = cmd_copy(params)
             ^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/__init__.py:336: in __call__
    return self.handler(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/command_operation.py:120: in handler
    return op(**command_args)
           ^^^^^^^^^^^^^^^^^^
src/azure-cli/azure/cli/command_modules/keyvault/custom.py:441: in create_vault_or_hsm
    return create_vault(cmd=cmd,
src/azure-cli/azure/cli/command_modules/keyvault/custom.py:591: in create_vault
    vault = client.get(resource_group_name=resource_group_name, vault_name=vault_name)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/tracing/decorator.py:119: in wrapper_use_tracer
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/mgmt/keyvault/operations/operations.py:1602: in get
    pipeline_response: PipelineResponse = self.client.pipeline.run(  # pylint: disable=protected-access
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:242: in run
    return first_node.send(pipeline_request)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/mgmt/core/policies/base.py:95: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/policies/redirect.py:205: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/policies/retry.py:545: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/policies/authentication.py:161: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/base.py:130: in send
    self.sender.send(request.http_request, **request.context.options),
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/azure/core/pipeline/transport/requests_basic.py:375: in send
    response = self.session.request(  # type: ignore
env/lib/python3.12/site-packages/requests/sessions.py:589: in request
    resp = self.send(prep, **send_kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/requests/sessions.py:703: in send
    r = adapter.send(request, **kwargs)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.12/site-packages/requests/adapters.py:667: in send
    resp = conn.urlopen(
env/lib/python3.12/site-packages/urllib3/connectionpool.py:787: in urlopen
    response = self._make_request(
env/lib/python3.12/site-packages/urllib3/connectionpool.py:534: in _make_request
    response = conn.getresponse()
               ^^^^^^^^^^^^^^^^^^

self = <VCRRequestsHTTPSConnection/mnt/vss/_work/1/s/src/azure-cli/azure/cli/command_modules/network/tests/latest/recordings/test_vpn_connection_authentication.yaml(host='management.azure.com', port=443) at 0x7f97159e5e50>
_ = False, kwargs = {}

    def getresponse(self, _=False, **kwargs):
        """Retrieve the response"""
        # Check to see if the cassette has a response for this request. If so,
        # then return it
        if self.cassette.can_play_response_for(self.vcr_request):
            log.info(f"Playing response for {self.vcr_request} from cassette")
            response = self.cassette.play_response(self.vcr_request)
            return VCRHTTPResponse(response)
        else:
            if self.cassette.write_protected and self.cassette.filter_request(self.vcr_request):
>               raise CannotOverwriteExistingCassetteException(
                    cassette=self.cassette,
                    failed_request=self.vcr_request,
                )
E               vcr.errors.CannotOverwriteExistingCassetteException: Can't overwrite existing cassette ('/mnt/vss/_work/1/s/src/azure-cli/azure/cli/command_modules/network/tests/latest/recordings/test_vpn_connection_authentication.yaml') in your current record mode ('once').
E               No match for the request (<Request (GET) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-wvtsn9wl?api-version=2025-05-01>) was found.
E               Found 4 similar requests with 1 different matcher(s) :
E               
E               1 - (<Request (GET) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-04okz7ba?api-version=2025-05-01>).
E               Matchers succeeded : ['method', 'scheme', 'host', 'port', '_custom_request_query_matcher']
E               Matchers failed :
E               path - assertion failure :
E               /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-wvtsn9wl != /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-04okz7ba
E               
E               2 - (<Request (GET) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-04okz7ba?api-version=2025-05-01>).
E               Matchers succeeded : ['method', 'scheme', 'host', 'port', '_custom_request_query_matcher']
E               Matchers failed :
E               path - assertion failure :
E               /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-wvtsn9wl != /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-04okz7ba
E               
E               3 - (<Request (GET) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-04okz7ba?api-version=2025-05-01>).
E               Matchers succeeded : ['method', 'scheme', 'host', 'port', '_custom_request_query_matcher']
E               Matchers failed :
E               path - assertion failure :
E               /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-wvtsn9wl != /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-04okz7ba
E               
E               4 - (<Request (GET) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-04okz7ba?api-version=2025-05-01>).
E               Matchers succeeded : ['method', 'scheme', 'host', 'port', '_custom_request_query_matcher']
E               Matchers failed :
E               path - assertion failure :
E               /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-wvtsn9wl != /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-04okz7ba

env/lib/python3.12/site-packages/vcr/stubs/__init__.py:277: CannotOverwriteExistingCassetteException

During handling of the above exception, another exception occurred:

self = <azure.cli.command_modules.network.tests.latest.test_network_commands.VpnConnectionAuthenticationScenarioTest testMethod=test_vpn_connection_authentication>
resource_group = 'test_vpn_connection_auth000001'

    @ResourceGroupPreparer(location='eastus', name_prefix='test_vpn_connection_auth')
    @AllowLargeResponse(size_kb=9999)
    def test_vpn_connection_authentication(self, resource_group):
        import random
        import string
        import json
    
        subscription_id = self.get_subscription_id()
        random_suffix = ''.join(random.choices(string.ascii_lowercase + string.digits, k=8))
        kv_name = f"kv-{random_suffix}"
        self.kwargs.update({
            'rg': resource_group,
            'location': 'eastus',
            'vnet_name': 'myVNet',
            'vnet_gateway_name': 'myVnetGateway',
            'local_gateway_name': 'myLocalGateway',
            'pip_name': 'myGatewayIP',
            'connection_name': 'myVpnConnection',
            'identity_name': 'myIdentity',
            'kv_name': kv_name,
            'cert_name': 'vpn-gateway-cert',
            'shared_key': 'Abc123',
            'subscription': subscription_id
        })
    
        outbound_cert_path = os.path.join(CERTS_DIR, 'VpnGatewayoutboundcert.pfx')
        inbound_cert1_path = os.path.join(CERTS_DIR, 'VpnGatewayInboundCert.cer')
        inbound_cert2_path = os.path.join(CERTS_DIR, 'VpnGatewayAuthCert.cer')
    
        # create managed identity
        identity_result = self.cmd('identity create -g {rg} -n {identity_name}', checks=[
            self.check('name', '{identity_name}'),
            self.exists('principalId')
        ]).get_output_in_json()
        self.kwargs['identity_id'] = identity_result['id']
        self.kwargs['principal_id'] = identity_result['principalId']
    
        # create kv
>       self.cmd('keyvault create -g {rg} -n {kv_name} -l {location} '
                '--enabled-for-deployment true '
                '--enable-rbac-authorization false', checks=[
            self.check('name', '{kv_name}'),
            self.check('properties.enabledForDeployment', True)
        ])

src/azure-cli/azure/cli/command_modules/network/tests/latest/test_network_commands.py:5968:

src/azure-cli-testsdk/azure/cli/testsdk/base.py:177: in cmd
    return execute(self.cli_ctx, command, expect_failure=expect_failure).assert_with_checks(checks)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-testsdk/azure/cli/testsdk/base.py:252: in __init__
    self.in_process_execute(cli_ctx, command, expect_failure=expect_failure)

self = <azure.cli.testsdk.base.ExecutionResult object at 0x7f9715a1f2f0>
cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7f971cd3f050>
command = 'keyvault create -g test_vpn_connection_auth000001 -n kv-wvtsn9wl -l eastus --enabled-for-deployment true --enable-rbac-authorization false'
expect_failure = False

    def _in_process_execute(self, cli_ctx, command, expect_failure=False):
        from io import StringIO
        from vcr.errors import CannotOverwriteExistingCassetteException
    
        if command.startswith('az '):
            command = command[3:]
    
        stdout_buf = StringIO()
        logging_buf = StringIO()
        try:
            # issue: stderr cannot be redirect in this form, as a result some failure information
            # is lost when command fails.
            self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0
            self.output = stdout_buf.getvalue()
            self.applog = logging_buf.getvalue()
    
        except CannotOverwriteExistingCassetteException as ex:
>           raise AssertionError(ex)
E           AssertionError: Can't overwrite existing cassette ('/mnt/vss/_work/1/s/src/azure-cli/azure/cli/command_modules/network/tests/latest/recordings/test_vpn_connection_authentication.yaml') in your current record mode ('once').
E           No match for the request (<Request (GET) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-wvtsn9wl?api-version=2025-05-01>) was found.
E           Found 4 similar requests with 1 different matcher(s) :
E           
E           1 - (<Request (GET) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-04okz7ba?api-version=2025-05-01>).
E           Matchers succeeded : ['method', 'scheme', 'host', 'port', '_custom_request_query_matcher']
E           Matchers failed :
E           path - assertion failure :
E           /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-wvtsn9wl != /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-04okz7ba
E           
E           2 - (<Request (GET) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-04okz7ba?api-version=2025-05-01>).
E           Matchers succeeded : ['method', 'scheme', 'host', 'port', '_custom_request_query_matcher']
E           Matchers failed :
E           path - assertion failure :
E           /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-wvtsn9wl != /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-04okz7ba
E           
E           3 - (<Request (GET) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-04okz7ba?api-version=2025-05-01>).
E           Matchers succeeded : ['method', 'scheme', 'host', 'port', '_custom_request_query_matcher']
E           Matchers failed :
E           path - assertion failure :
E           /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-wvtsn9wl != /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-04okz7ba
E           
E           4 - (<Request (GET) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-04okz7ba?api-version=2025-05-01>).
E           Matchers succeeded : ['method', 'scheme', 'host', 'port', '_custom_request_query_matcher']
E           Matchers failed :
E           path - assertion failure :
E           /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-wvtsn9wl != /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-04okz7ba

src/azure-cli-testsdk/azure/cli/testsdk/base.py:308: AssertionError
azure/cli/command_modules/network/tests/latest/test_network_commands.py:5929
Failed test_network_vnet_gateway_migration The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:6136
Failed test_network_active_active_cross_premise_connection The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:6674
Failed test_network_active_active_vnet_connection The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:6732
Failed test_network_vpn_gateway_package_capture The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:7010
Failed test_network_vnet_gateway_local_gateway The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:8162
Failed test_network_vnet_gateway_with_enable_private_ip_address The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:8177
❌3.13
Type Test Case Error Message Line
Failed test_vpn_connection_authentication self = <azure.cli.testsdk.base.ExecutionResult object at 0x7f68c55b6c40>
cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7f68cbd97890>
command = 'keyvault create -g test_vpn_connection_auth000001 -n kv-75eo0wyt -l eastus --enabled-for-deployment true --enable-rbac-authorization false'
expect_failure = False

    def _in_process_execute(self, cli_ctx, command, expect_failure=False):
        from io import StringIO
        from vcr.errors import CannotOverwriteExistingCassetteException
    
        if command.startswith('az '):
            command = command[3:]
    
        stdout_buf = StringIO()
        logging_buf = StringIO()
        try:
            # issue: stderr cannot be redirect in this form, as a result some failure information
            # is lost when command fails.
>           self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0
                             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

src/azure-cli-testsdk/azure/cli/testsdk/base.py:303: 
                                        
env/lib/python3.13/site-packages/knack/cli.py:245: in invoke
    exit_code = self.exception_handler(ex)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/__init__.py:133: in exception_handler
    return handle_exception(ex)
           ^^^^^^^^^^^^^^^^^^^^
src/azure-cli-testsdk/azure/cli/testsdk/patches.py:33: in handle_main_exception
    raise ex
env/lib/python3.13/site-packages/knack/cli.py:233: in invoke
    cmd_result = self.invocation.execute(args)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/__init__.py:669: in execute
    raise ex
src/azure-cli-core/azure/cli/core/commands/__init__.py:737: in run_jobs_serially
    results.append(self.run_job(expanded_arg, cmd_copy))
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/__init__.py:706: in run_job
    result = cmd_copy(params)
             ^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/__init__.py:336: in __call__
    return self.handler(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-core/azure/cli/core/commands/command_operation.py:120: in handler
    return op(**command_args)
           ^^^^^^^^^^^^^^^^^^
src/azure-cli/azure/cli/command_modules/keyvault/custom.py:441: in create_vault_or_hsm
    return create_vault(cmd=cmd,
src/azure-cli/azure/cli/command_modules/keyvault/custom.py:591: in create_vault
    vault = client.get(resource_group_name=resource_group_name, vault_name=vault_name)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/tracing/decorator.py:119: in wrapper_use_tracer
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/mgmt/keyvault/operations/operations.py:1602: in get
    pipeline_response: PipelineResponse = self.client.pipeline.run(  # pylint: disable=protected-access
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:242: in run
    return first_node.send(pipeline_request)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/mgmt/core/policies/base.py:95: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/policies/redirect.py:205: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/policies/retry.py:545: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/policies/authentication.py:161: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:98: in send
    response = self.next.send(request)
               ^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/base.py:130: in send
    self.sender.send(request.http_request, **request.context.options),
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/azure/core/pipeline/transport/requests_basic.py:375: in send
    response = self.session.request(  # type: ignore
env/lib/python3.13/site-packages/requests/sessions.py:589: in request
    resp = self.send(prep, **send_kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/requests/sessions.py:703: in send
    r = adapter.send(request, **kwargs)
        ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
env/lib/python3.13/site-packages/requests/adapters.py:667: in send
    resp = conn.urlopen(
env/lib/python3.13/site-packages/urllib3/connectionpool.py:787: in urlopen
    response = self._make_request(
env/lib/python3.13/site-packages/urllib3/connectionpool.py:534: in _make_request
    response = conn.getresponse()
               ^^^^^^^^^^^^^^^^^^

self = <VCRRequestsHTTPSConnection/mnt/vss/_work/1/s/src/azure-cli/azure/cli/command_modules/network/tests/latest/recordings/test_vpn_connection_authentication.yaml(host='management.azure.com', port=443) at 0x7f68c4d6c410>
_ = False, kwargs = {}

    def getresponse(self, _=False, **kwargs):
        """Retrieve the response"""
        # Check to see if the cassette has a response for this request. If so,
        # then return it
        if self.cassette.can_play_response_for(self.vcr_request):
            log.info(f"Playing response for {self.vcr_request} from cassette")
            response = self.cassette.play_response(self.vcr_request)
            return VCRHTTPResponse(response)
        else:
            if self.cassette.write_protected and self.cassette.filter_request(self.vcr_request):
>               raise CannotOverwriteExistingCassetteException(
                    cassette=self.cassette,
                    failed_request=self.vcr_request,
                )
E               vcr.errors.CannotOverwriteExistingCassetteException: Can't overwrite existing cassette ('/mnt/vss/_work/1/s/src/azure-cli/azure/cli/command_modules/network/tests/latest/recordings/test_vpn_connection_authentication.yaml') in your current record mode ('once').
E               No match for the request (<Request (GET) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-75eo0wyt?api-version=2025-05-01>) was found.
E               Found 4 similar requests with 1 different matcher(s) :
E               
E               1 - (<Request (GET) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-04okz7ba?api-version=2025-05-01>).
E               Matchers succeeded : ['method', 'scheme', 'host', 'port', '_custom_request_query_matcher']
E               Matchers failed :
E               path - assertion failure :
E               /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-75eo0wyt != /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-04okz7ba
E               
E               2 - (<Request (GET) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-04okz7ba?api-version=2025-05-01>).
E               Matchers succeeded : ['method', 'scheme', 'host', 'port', '_custom_request_query_matcher']
E               Matchers failed :
E               path - assertion failure :
E               /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-75eo0wyt != /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-04okz7ba
E               
E               3 - (<Request (GET) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-04okz7ba?api-version=2025-05-01>).
E               Matchers succeeded : ['method', 'scheme', 'host', 'port', '_custom_request_query_matcher']
E               Matchers failed :
E               path - assertion failure :
E               /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-75eo0wyt != /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-04okz7ba
E               
E               4 - (<Request (GET) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-04okz7ba?api-version=2025-05-01>).
E               Matchers succeeded : ['method', 'scheme', 'host', 'port', '_custom_request_query_matcher']
E               Matchers failed :
E               path - assertion failure :
E               /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-75eo0wyt != /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-04okz7ba

env/lib/python3.13/site-packages/vcr/stubs/__init__.py:277: CannotOverwriteExistingCassetteException

During handling of the above exception, another exception occurred:

self = <azure.cli.command_modules.network.tests.latest.test_network_commands.VpnConnectionAuthenticationScenarioTest testMethod=test_vpn_connection_authentication>
resource_group = 'test_vpn_connection_auth000001'

    @ResourceGroupPreparer(location='eastus', name_prefix='test_vpn_connection_auth')
    @AllowLargeResponse(size_kb=9999)
    def test_vpn_connection_authentication(self, resource_group):
        import random
        import string
        import json
    
        subscription_id = self.get_subscription_id()
        random_suffix = ''.join(random.choices(string.ascii_lowercase + string.digits, k=8))
        kv_name = f"kv-{random_suffix}"
        self.kwargs.update({
            'rg': resource_group,
            'location': 'eastus',
            'vnet_name': 'myVNet',
            'vnet_gateway_name': 'myVnetGateway',
            'local_gateway_name': 'myLocalGateway',
            'pip_name': 'myGatewayIP',
            'connection_name': 'myVpnConnection',
            'identity_name': 'myIdentity',
            'kv_name': kv_name,
            'cert_name': 'vpn-gateway-cert',
            'shared_key': 'Abc123',
            'subscription': subscription_id
        })
    
        outbound_cert_path = os.path.join(CERTS_DIR, 'VpnGatewayoutboundcert.pfx')
        inbound_cert1_path = os.path.join(CERTS_DIR, 'VpnGatewayInboundCert.cer')
        inbound_cert2_path = os.path.join(CERTS_DIR, 'VpnGatewayAuthCert.cer')
    
        # create managed identity
        identity_result = self.cmd('identity create -g {rg} -n {identity_name}', checks=[
            self.check('name', '{identity_name}'),
            self.exists('principalId')
        ]).get_output_in_json()
        self.kwargs['identity_id'] = identity_result['id']
        self.kwargs['principal_id'] = identity_result['principalId']
    
        # create kv
>       self.cmd('keyvault create -g {rg} -n {kv_name} -l {location} '
                '--enabled-for-deployment true '
                '--enable-rbac-authorization false', checks=[
            self.check('name', '{kv_name}'),
            self.check('properties.enabledForDeployment', True)
        ])

src/azure-cli/azure/cli/command_modules/network/tests/latest/test_network_commands.py:5968:

src/azure-cli-testsdk/azure/cli/testsdk/base.py:177: in cmd
    return execute(self.cli_ctx, command, expect_failure=expect_failure).assert_with_checks(checks)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
src/azure-cli-testsdk/azure/cli/testsdk/base.py:252: in __init__
    self._in_process_execute(cli_ctx, command, expect_failure=expect_failure)

self = <azure.cli.testsdk.base.ExecutionResult object at 0x7f68c55b6c40>
cli_ctx = <azure.cli.core.mock.DummyCli object at 0x7f68cbd97890>
command = 'keyvault create -g test_vpn_connection_auth000001 -n kv-75eo0wyt -l eastus --enabled-for-deployment true --enable-rbac-authorization false'
expect_failure = False

    def _in_process_execute(self, cli_ctx, command, expect_failure=False):
        from io import StringIO
        from vcr.errors import CannotOverwriteExistingCassetteException
    
        if command.startswith('az '):
            command = command[3:]
    
        stdout_buf = StringIO()
        logging_buf = StringIO()
        try:
            # issue: stderr cannot be redirect in this form, as a result some failure information
            # is lost when command fails.
            self.exit_code = cli_ctx.invoke(shlex.split(command), out_file=stdout_buf) or 0
            self.output = stdout_buf.getvalue()
            self.applog = logging_buf.getvalue()
    
        except CannotOverwriteExistingCassetteException as ex:
>           raise AssertionError(ex)
E           AssertionError: Can't overwrite existing cassette ('/mnt/vss/_work/1/s/src/azure-cli/azure/cli/command_modules/network/tests/latest/recordings/test_vpn_connection_authentication.yaml') in your current record mode ('once').
E           No match for the request (<Request (GET) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-75eo0wyt?api-version=2025-05-01>) was found.
E           Found 4 similar requests with 1 different matcher(s) :
E           
E           1 - (<Request (GET) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-04okz7ba?api-version=2025-05-01>).
E           Matchers succeeded : ['method', 'scheme', 'host', 'port', '_custom_request_query_matcher']
E           Matchers failed :
E           path - assertion failure :
E           /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-75eo0wyt != /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-04okz7ba
E           
E           2 - (<Request (GET) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-04okz7ba?api-version=2025-05-01>).
E           Matchers succeeded : ['method', 'scheme', 'host', 'port', '_custom_request_query_matcher']
E           Matchers failed :
E           path - assertion failure :
E           /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-75eo0wyt != /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-04okz7ba
E           
E           3 - (<Request (GET) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-04okz7ba?api-version=2025-05-01>).
E           Matchers succeeded : ['method', 'scheme', 'host', 'port', '_custom_request_query_matcher']
E           Matchers failed :
E           path - assertion failure :
E           /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-75eo0wyt != /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-04okz7ba
E           
E           4 - (<Request (GET) https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-04okz7ba?api-version=2025-05-01>).
E           Matchers succeeded : ['method', 'scheme', 'host', 'port', '_custom_request_query_matcher']
E           Matchers failed :
E           path - assertion failure :
E           /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-75eo0wyt != /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/test_vpn_connection_auth000001/providers/Microsoft.KeyVault/vaults/kv-04okz7ba

src/azure-cli-testsdk/azure/cli/testsdk/base.py:308: AssertionError
azure/cli/command_modules/network/tests/latest/test_network_commands.py:5929
Failed test_network_vnet_gateway_migration The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:6136
Failed test_network_active_active_cross_premise_connection The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:6674
Failed test_network_active_active_vnet_connection The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:6732
Failed test_network_vpn_gateway_package_capture The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:7010
Failed test_network_vnet_gateway_local_gateway The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:8162
Failed test_network_vnet_gateway_with_enable_private_ip_address The error message is too long, please check the pipeline log for details. azure/cli/command_modules/network/tests/latest/test_network_commands.py:8177
️✔️policyinsights
️✔️latest
️✔️3.12
️✔️3.13
️✔️privatedns
️✔️latest
️✔️3.12
️✔️3.13
️✔️profile
️✔️latest
️✔️3.12
️✔️3.13
️✔️rdbms
️✔️latest
️✔️3.12
️✔️3.13
️✔️redis
️✔️latest
️✔️3.12
️✔️3.13
️✔️relay
️✔️latest
️✔️3.12
️✔️3.13
️✔️resource
️✔️latest
️✔️3.12
️✔️3.13
️✔️role
️✔️latest
️✔️3.12
️✔️3.13
️✔️search
️✔️latest
️✔️3.12
️✔️3.13
️✔️security
️✔️latest
️✔️3.12
️✔️3.13
️✔️servicebus
️✔️latest
️✔️3.12
️✔️3.13
️✔️serviceconnector
️✔️latest
️✔️3.12
️✔️3.13
️✔️servicefabric
️✔️latest
️✔️3.12
️✔️3.13
️✔️signalr
️✔️latest
️✔️3.12
️✔️3.13
️✔️sql
️✔️latest
️✔️3.12
️✔️3.13
️✔️sqlvm
️✔️latest
️✔️3.12
️✔️3.13
️✔️storage
️✔️latest
️✔️3.12
️✔️3.13
️✔️synapse
️✔️latest
️✔️3.12
️✔️3.13
️✔️telemetry
️✔️latest
️✔️3.12
️✔️3.13
️✔️util
️✔️latest
️✔️3.12
️✔️3.13
️✔️vm
️✔️latest
️✔️3.12
️✔️3.13

@azure-client-tools-bot-prd

azure-client-tools-bot-prd bot commented Dec 11, 2025

⚠️AzureCLI-BreakingChangeTest
⚠️network
| rule | cmd_name | rule_message | suggest_message |
| --- | --- | --- | --- |
| ⚠️ 1006 - ParaAdd | network vnet-gateway create | cmd network vnet-gateway create added parameter mi_system_assigned | |
| ⚠️ 1006 - ParaAdd | network vnet-gateway create | cmd network vnet-gateway create added parameter mi_user_assigned | |
| ⚠️ 1011 - SubgroupAdd | network vnet-gateway identity | sub group network vnet-gateway identity added | |
| ⚠️ 1006 - ParaAdd | network vpn-connection create | cmd network vpn-connection create added parameter auth_type | |
| ⚠️ 1006 - ParaAdd | network vpn-connection create | cmd network vpn-connection create added parameter cert_auth | |
| ⚠️ 1006 - ParaAdd | network vpn-connection update | cmd network vpn-connection update added parameter authentication_type | |
| ⚠️ 1006 - ParaAdd | network vpn-connection update | cmd network vpn-connection update added parameter certificate_authentication | |

@yonzhan
Collaborator

yonzhan commented Dec 11, 2025

Thank you for your contribution! We will review the pull request and get back to you soon.

@github-actions

The git hooks are available for azure-cli and azure-cli-extensions repos. They could help you run required checks before creating the PR.

Please sync the latest code with latest dev branch (for azure-cli) or main branch (for azure-cli-extensions).
After that please run the following commands to enable git hooks:

pip install azdev --upgrade
azdev setup -c <your azure-cli repo path> -r <your azure-cli-extensions repo path>

@microsoft-github-policy-service microsoft-github-policy-service bot added the Auto-Assign Auto assign by bot label Dec 11, 2025
@huiii99 huiii99 force-pushed the network-mi-vpn-cert branch from d0edfa6 to ea0d042 Compare December 12, 2025 02:38
@huiii99 huiii99 marked this pull request as ready for review December 12, 2025 03:16
Copilot AI review requested due to automatic review settings December 12, 2025 03:16
Contributor

Copilot AI left a comment

Pull request overview

This PR adds support for VPN Gateway Connection Certificate-based authentication and managed identity support for VNet gateways. The changes include:

  • Adding managed identity (user-assigned) support to VNet gateway create/update operations
  • Adding certificate-based authentication type to VPN connection create/update commands
  • Updating the Network API version from 2024-07-01 to 2025-01-01
  • Adding new identity management commands for VNet gateways

Reviewed changes

Copilot reviewed 25 out of 28 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| test_network_commands.py | Adds two comprehensive test classes covering managed identity and certificate authentication scenarios |
| VpnGatewayoutboundcert.pfx, VpnGatewayInboundCert.cer, VpnGatewayAuthCert.cer | Test certificate files for authentication scenarios |
| custom.py | Uncomments managed identity parameters and adds auth parameters to vpn-connection create |
| vpn_connection/*.py | AAZ-generated files updated with API version, authentication fields, and secret flags |
| vnet_gateway/*.py | AAZ-generated files updated with API version and identity support |
| vnet_gateway/identity/*.py | New identity management commands (assign/remove/show/wait) |
| _validators.py | Adds validation logic to clear shared keys when using certificate authentication |
| _template_builder.py | Updates API version and adds certificate auth parameters to template |
| _params.py | Adds auth_type and cert_auth parameters with JSON parsing support |
| _help.py | Adds documentation and examples for certificate authentication |

@huiii99 huiii99 force-pushed the network-mi-vpn-cert branch from fc1bd7f to e2df42e Compare December 12, 2025 05:29
@huiii99 huiii99 force-pushed the network-mi-vpn-cert branch from e2df42e to b8084a8 Compare December 15, 2025 05:57
@necusjz
Member

necusjz commented Dec 16, 2025

identity-related interfaces must strictly follow
https://github.com/Azure/azure-cli/blob/20ffb2d35d59a104641d75aeb76b6f31885e26aa/doc/managed_identity_command_guideline.md

i.e., let's remove the parameters in the update command (subcommands are designed for that):
image

@necusjz
Member

necusjz commented Jan 4, 2026

/azp run

@azure-pipelines

Azure Pipelines successfully started running 3 pipeline(s).

…onnection

feat: add vpn connection authentication test

fix: cli linter error

fix: ci error

fix: add cli example

fix: dev

fix: fix review
@huiii99 huiii99 force-pushed the network-mi-vpn-cert branch from 0939f81 to ace8d36 Compare January 5, 2026 01:24
Labels

Auto-Assign Auto assign by bot

Development

Successfully merging this pull request may close these issues.

CLI for VPN Gateway Connection Certificate based authentication

3 participants