NKCODE TECH GEEK ZONE

How to Configure Multi-Pool Point-to-Site (P2S) VPN Using Azure Virtual WAN (vWAN)

Posted on March 25, 2026

Introduction

As organizations scale, remote users often need segmented access to different environments—such as production, development, and partner networks. A single Point-to-Site (P2S) VPN address pool can quickly become limiting. That’s where multi-pool P2S VPN in Azure Virtual WAN (vWAN) comes in.

This guide walks you through configuring multiple address pools for P2S VPN users in Azure vWAN, enabling better IP management, segmentation, and scalability.

What is Multi-Pool P2S VPN?

In a traditional P2S VPN setup, all connected clients receive IPs from a single address pool. With multi-pool support, you can:

  • Assign multiple IP ranges to P2S users
  • Segment users by department, geography, or function
  • Avoid IP exhaustion issues
  • Improve routing control and network design

Prerequisites

Before starting, ensure you have:

  • An active Azure subscription
  • Azure Virtual WAN deployed
  • A Virtual Hub created
  • Appropriate permissions (Network Contributor or higher)
  • VPN client device (Windows/macOS/Linux)

Architecture Overview

Typical setup:

  • Azure Virtual WAN (vWAN)
  • Virtual Hub
  • P2S VPN Gateway
  • Multiple client address pools
  • Connected VNets or on-prem networks

Step-by-Step Configuration

Step 1: Create Azure Virtual WAN

  1. Go to Azure Portal
  2. Search for Virtual WAN
  3. Click Create
  4. Fill in:
    • Subscription
    • Resource Group
    • Region
    • Type: Standard
  5. Click Review + Create

Step 2: Create a Virtual Hub

  1. Inside Virtual WAN → Click Hubs
  2. Click + New Hub
  3. Provide:
    • Hub name
    • Region
    • Address space (e.g., 10.0.0.0/16)
  4. Enable VPN Gateway
  5. Click Create

Step 3: Configure P2S VPN Gateway

  1. Navigate to the Virtual Hub
  2. Click User VPN (Point-to-Site)
  3. Click Configure User VPN

Step 4: Define Multiple Address Pools

Here’s the key part—adding multiple pools.

Under Address pool, add multiple CIDR ranges:

10.10.0.0/24
10.20.0.0/24
10.30.0.0/24

Client addresses are assigned dynamically from these ranges when users connect.

Best Practice:

  • Ensure pools do NOT overlap with:
    • VNet address spaces
    • On-prem networks
  • Keep pools logically grouped (e.g., per team)
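The overlap rule above can be checked before anything is saved in the portal. The following is an added example, not part of the original post: it uses the three pools and the hub address space from this guide, while the VNet and on-prem prefixes are constructed sample values chosen to trigger conflicts.

```python
import ipaddress
from itertools import combinations

# Pools and hub address space are the values used in this guide.
P2S_POOLS = ["10.10.0.0/24", "10.20.0.0/24", "10.30.0.0/24"]

# Constructed sample ranges (assumptions): replace with your real prefixes.
RESERVED = {
    "hub": ["10.0.0.0/16"],
    "vnet-prod": ["10.1.0.0/16"],
    "vnet-dev": ["10.20.0.0/22"],                     # contains the second pool
    "on-prem": ["192.168.0.0/16", "10.30.0.128/25"],  # sits inside the third pool
}


def find_conflicts(pools, reserved):
    """Return sorted (pool, other_name, other_prefix) tuples for every overlap.

    strict=True rejects prefixes with host bits set (e.g. 10.10.0.1/24),
    which catches typos before they reach the gateway configuration.
    """
    nets = [ipaddress.ip_network(p, strict=True) for p in pools]
    conflicts = set()

    # Pools must not overlap each other.
    for a, b in combinations(nets, 2):
        if a.overlaps(b):
            conflicts.add((str(a), "pool", str(b)))

    # Pools must not overlap the hub, any VNet, or any on-prem prefix.
    for name, prefixes in reserved.items():
        for prefix in prefixes:
            other = ipaddress.ip_network(prefix, strict=True)
            for pool in nets:
                if pool.overlaps(other):
                    conflicts.add((str(pool), name, str(other)))
    return sorted(conflicts)


if __name__ == "__main__":
    for pool, name, prefix in find_conflicts(P2S_POOLS, RESERVED):
        print(f"CONFLICT: pool {pool} overlaps {name} ({prefix})")
```

Note that `overlaps` catches both directions: a pool contained in a larger VNet range and a smaller on-prem prefix contained in a pool.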

Step 5: Configure Authentication

Choose one of the following:

Option A: Azure AD Authentication (Recommended)

  • Tenant: Your Azure AD tenant
  • Audience and Issuer values (usually auto-filled)

Option B: Certificate Authentication

  • Upload Root Certificate
  • Configure client certificates

Step 6: Configure Tunnel Type & Protocol

  • Tunnel Type:
    • OpenVPN (recommended for multi-platform support)
  • Authentication:
    • Azure AD / Certificate / RADIUS

Step 7: Enable Routing

  1. Configure routes to:
    • VNets connected to the hub
    • On-prem networks via Site-to-Site VPN or ExpressRoute
  2. Ensure:
    • Proper route propagation
    • No overlapping IP conflicts

Step 8: Download VPN Client Configuration

  1. After saving settings, click Download VPN client
  2. Install the client on user devices
  3. Import the configuration

Step 9: Test the Connection

  1. Connect using the VPN client
  2. Verify assigned IP:
    • It should come from one of the configured pools
  3. Test:
    • Access to Azure resources
    • Connectivity to internal services

How Multi-Pool Works (Important Insight)

Azure assigns IP addresses dynamically across the pools. It does not strictly map specific users to specific pools unless you implement advanced controls (like RADIUS or custom routing).

Advanced Use Cases

1. Segmentation by Department

  • HR → 10.10.0.0/24
  • IT → 10.20.0.0/24

2. Hybrid Connectivity

  • One pool for on-prem users
  • Another for cloud-only users

3. Scaling Large Workforce

  • Add new pools without redesigning VPN
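Because assignment is dynamic unless users are pinned to pools, any rule written against a department range only holds if sessions actually land in the intended pool. The following is an added example, not part of the original post, that audits session records against the HR and IT mapping from use case 1. The record fields (`user`, `dept`, `assigned_ip`) and the sample sessions are constructed assumptions; real field names depend on how you export connection data.

```python
import ipaddress

# Intended mapping from the department segmentation use case in this guide.
DEPT_POOLS = {
    "HR": ipaddress.ip_network("10.10.0.0/24"),
    "IT": ipaddress.ip_network("10.20.0.0/24"),
}

# Constructed sample session records (assumption, not real log output).
SESSIONS = [
    {"user": "alice@example.com", "dept": "HR", "assigned_ip": "10.10.0.14"},
    {"user": "bob@example.com", "dept": "IT", "assigned_ip": "10.20.0.7"},
    {"user": "carol@example.com", "dept": "HR", "assigned_ip": "10.20.0.33"},
    {"user": "dave@example.com", "dept": "IT", "assigned_ip": "10.30.0.5"},
]


def audit_sessions(sessions, dept_pools):
    """Return (user, reason) for every session outside its department pool."""
    findings = []
    for s in sessions:
        ip = ipaddress.ip_address(s["assigned_ip"])
        expected = dept_pools.get(s["dept"])
        if expected is None:
            findings.append((s["user"], "no pool defined for department"))
            continue
        if ip in expected:
            continue
        # Name the pool the address actually came from, if it is a mapped one.
        actual = next((d for d, net in dept_pools.items() if ip in net), None)
        where = f"{actual} pool" if actual else "an unmapped range"
        findings.append(
            (s["user"], f"expected {expected!s}, got {ip!s} in {where}")
        )
    return findings


if __name__ == "__main__":
    for user, reason in audit_sessions(SESSIONS, DEPT_POOLS):
        print(f"MISMATCH {user}: {reason}")
```

A finding such as an HR user holding an IT-pool address means that NSG or firewall rules keyed on the pool range would grant that session the wrong department's access.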

Best Practices

  • Plan IP addressing carefully
  • Avoid overlapping CIDR ranges
  • Use Azure AD authentication for security
  • Monitor connections using Azure Monitor
  • Document pool usage and purpose

Common Issues & Troubleshooting

Issue: IP conflicts
→ Ensure pools don’t overlap with VNets or on-prem networks

Issue: Users can’t access resources
→ Check route tables and NSGs

Issue: VPN connects but no traffic
→ Verify DNS and routing configuration

Configuring multi-pool P2S VPN in Azure Virtual WAN is a powerful way to scale remote access while maintaining control and flexibility. It allows you to:

  • Expand VPN capacity
  • Organize users logically
  • Improve network design
