Thank you for creating these procedures.      I have a question specific to the IPSec VPN client and the Scale Set's.    Is there a way to gracefully bring down one of the VM's created in the Scale Set without impacting connected VPN clients?       If you spin up a new vm in the scale set and manually configure it. It will immediately start accepting VPN client connections.    But if we wanted to scale one of the VM's down(or say wanted to apply a hotfix)?  Is there a way to preventing the gateway  from accepting any new connections so that it could be patched or  removed from the scale set when the vpn client connections get down to 0.    We did some initial tests and the VPN client connections do not appear to be state-full across the load balancer.  So when the gateway I was connected to was taken out of service, my vpn connection was dropped.        

Thankyou @ChristianCastil for the very informative video. Can I please ask few questions:

Is Azure traffic manager required to achieve GEO load balancing. I see the option of dns_based under mep, as we want the option of EMEA users logging to EMEA region and US users to US region. In the endpoint client we have both the regional scalesets (total 4 VMs). Does this mean the client will resolve to the scaleset based on the proximity and connect. 

Is it possible to have a larger office mode networks than the default /24 to /16 etc. 

Is it possible to use IP pool NAT in Azure instead of just hiding all traffic behind eth1 of the gateway. If so how to register the IP's in Azure env. If not I am worried about NAT port exhaustion given 1000's of users accessing same internal website etc.