
azurermVirtualNetworkGateway

Manages a Virtual Network Gateway to establish secure, cross-premises connectivity.

-> Note: Please be aware that provisioning a Virtual Network Gateway takes a long time (between 30 minutes and 1 hour).

Example Usage

import { Construct } from "constructs";
import { TerraformStack } from "cdktf";
/* Provider bindings are generated by running `cdktf get`.
   See https://cdk.tf/provider-generation for more details. */
import * as azurerm from "./.gen/providers/azurerm";

// The resources below are declared inside a TerraformStack so that `this` is a valid scope.
// Property names use the camelCase form of the generated azurerm bindings.
class GatewayStack extends TerraformStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);

    const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
      this,
      "example",
      {
        location: "West Europe",
        name: "test",
      }
    );
    const azurermVirtualNetworkExample = new azurerm.virtualNetwork.VirtualNetwork(
      this,
      "example_1",
      {
        addressSpace: ["10.0.0.0/16"],
        location: azurermResourceGroupExample.location,
        name: "test",
        resourceGroupName: azurermResourceGroupExample.name,
      }
    );
    /* This allows the Terraform resource name to match the original name.
       You can remove the call if you don't need them to match. */
    azurermVirtualNetworkExample.overrideLogicalId("example");
    const azurermPublicIpExample = new azurerm.publicIp.PublicIp(
      this,
      "example_2",
      {
        allocationMethod: "Dynamic",
        location: azurermResourceGroupExample.location,
        name: "test",
        resourceGroupName: azurermResourceGroupExample.name,
      }
    );
    azurermPublicIpExample.overrideLogicalId("example");
    // The gateway subnet must be named "GatewaySubnet" (see subnetId below).
    const azurermSubnetExample = new azurerm.subnet.Subnet(this, "example_3", {
      addressPrefixes: ["10.0.1.0/24"],
      name: "GatewaySubnet",
      resourceGroupName: azurermResourceGroupExample.name,
      virtualNetworkName: azurermVirtualNetworkExample.name,
    });
    azurermSubnetExample.overrideLogicalId("example");
    const azurermVirtualNetworkGatewayExample =
      new azurerm.virtualNetworkGateway.VirtualNetworkGateway(this, "example_4", {
        activeActive: false,
        enableBgp: false,
        ipConfiguration: [
          {
            name: "vnetGatewayConfig",
            privateIpAddressAllocation: "Dynamic",
            publicIpAddressId: azurermPublicIpExample.id,
            subnetId: azurermSubnetExample.id,
          },
        ],
        location: azurermResourceGroupExample.location,
        name: "test",
        resourceGroupName: azurermResourceGroupExample.name,
        sku: "Basic",
        type: "Vpn",
        // Point-to-site client settings: a root CA that signs client certificates,
        // plus a revoked certificate identified by its SHA-1 thumbprint.
        vpnClientConfiguration: {
          addressSpace: ["10.2.0.0/24"],
          revokedCertificate: [
            {
              name: "Verizon-Global-Root-CA",
              thumbprint: "912198EEF23DCAC40939312FEE97DD560BAE49B1",
            },
          ],
          rootCertificate: [
            {
              name: "DigiCert-Federated-ID-Root-CA",
              // Base-64 DER only: no BEGIN/END CERTIFICATE markers.
              publicCertData:
                "MIIDuzCCAqOgAwIBAgIQCHTZWCM+IlfFIRXIvyKSrjANBgkqhkiG9w0BAQsFADBn\nMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\nd3cuZGlnaWNlcnQuY29tMSYwJAYDVQQDEx1EaWdpQ2VydCBGZWRlcmF0ZWQgSUQg\nUm9vdCBDQTAeFw0xMzAxMTUxMjAwMDBaFw0zMzAxMTUxMjAwMDBaMGcxCzAJBgNV\nBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdp\nY2VydC5jb20xJjAkBgNVBAMTHURpZ2lDZXJ0IEZlZGVyYXRlZCBJRCBSb290IENB\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvAEB4pcCqnNNOWE6Ur5j\nQPUH+1y1F9KdHTRSza6k5iDlXq1kGS1qAkuKtw9JsiNRrjltmFnzMZRBbX8Tlfl8\nzAhBmb6dDduDGED01kBsTkgywYPxXVTKec0WxYEEF0oMn4wSYNl0lt2eJAKHXjNf\nGTwiibdP8CUR2ghSM2sUTI8Nt1Omfc4SMHhGhYD64uJMbX98THQ/4LMGuYegou+d\nGTiahfHtjn7AboSEknwAMJHCh5RlYZZ6B1O4QbKJ+34Q0eKgnI3X6Vc9u0zf6DH8\nDk+4zQDYRRTqTnVO3VT8jzqDlCRuNtq6YvryOWN74/dq8LQhUnXHvFyrsdMaE1X2\nDwIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNV\nHQ4EFgQUGRdkFnbGt1EWjKwbUne+5OaZvRYwHwYDVR0jBBgwFoAUGRdkFnbGt1EW\njKwbUne+5OaZvRYwDQYJKoZIhvcNAQELBQADggEBAHcqsHkrjpESqfuVTRiptJfP\n9JbdtWqRTmOf6uJi2c8YVqI6XlKXsD8C1dUUaaHKLUJzvKiazibVuBwMIT84AyqR\nQELn3e0BtgEymEygMU569b01ZPxoFSnNXc7qDZBDef8WfqAV/sxkTi8L9BkmFYfL\nuGLOhRJOFprPdoDIUBB+tmCl3oDcBy3vnUeOEioz8zAkprcb3GHwHAK+vHmmfgcn\nWsfMLH4JCLa/tRYL+Rw/N3ybCkDp00s0WUZ+AoDywSl0Q/ZEnNY0MsFiw6LyIdbq\nM/s/1JRtO3bDSzD9TazRVzn2oBqzSa8VgIo5C1nOnoAKJTlsClJKvIhnRlaLQqk=\n",
            },
          ],
        },
        vpnType: "RouteBased",
      });
    azurermVirtualNetworkGatewayExample.overrideLogicalId("example");
  }
}

Argument Reference

The following arguments are supported:

  • ipConfiguration - (Required) One, two or three ipConfiguration blocks documented below. An active-standby gateway requires exactly one ipConfiguration block, an active-active gateway requires exactly two ipConfiguration blocks whereas an active-active zone redundant gateway with P2S configuration requires exactly three ipConfiguration blocks.

  • location - (Required) The location/region where the Virtual Network Gateway is located. Changing this forces a new resource to be created.

  • name - (Required) The name of the Virtual Network Gateway. Changing this forces a new resource to be created.

  • resourceGroupName - (Required) The name of the resource group in which to create the Virtual Network Gateway. Changing this forces a new resource to be created.

  • sku - (Required) Configuration of the size and capacity of the virtual network gateway. Valid options are Basic, Standard, HighPerformance, UltraPerformance, ErGw1AZ, ErGw2AZ, ErGw3AZ, VpnGw1, VpnGw2, VpnGw3, VpnGw4, VpnGw5, VpnGw1AZ, VpnGw2AZ, VpnGw3AZ, VpnGw4AZ and VpnGw5AZ, and depend on the type, vpnType and generation arguments. A PolicyBased gateway only supports the Basic SKU. Further, the UltraPerformance SKU is only supported by an ExpressRoute gateway.

~> NOTE: To build an UltraPerformance ExpressRoute Virtual Network gateway, the associated Public IP needs to be SKU "Basic", not "Standard".

~> NOTE: Not all SKUs (e.g. ErGw1AZ) are available in all regions. If you see StatusCode=400 -- Original Error: Code="InvalidGatewaySkuSpecifiedForGatewayDeploymentType", please try another region.

  • type - (Required) The type of the Virtual Network Gateway. Valid options are Vpn or ExpressRoute. Changing the type forces a new resource to be created.

  • activeActive - (Optional) If true, an active-active Virtual Network Gateway will be created. An active-active gateway requires a HighPerformance or an UltraPerformance SKU. If false, an active-standby gateway will be created. Defaults to false.

  • defaultLocalNetworkGatewayId - (Optional) The ID of the local network gateway through which outbound Internet traffic from the virtual network in which the gateway is created will be routed (forced tunnelling). Refer to the Azure documentation on forced tunnelling. If not specified, forced tunnelling is disabled.

  • edgeZone - (Optional) Specifies the Edge Zone within the Azure Region where this Virtual Network Gateway should exist. Changing this forces a new Virtual Network Gateway to be created.

  • enableBgp - (Optional) If true, BGP (Border Gateway Protocol) will be enabled for this Virtual Network Gateway. Defaults to false.

  • bgpSettings - (Optional) A bgpSettings block which is documented below. In this block the BGP specific settings can be defined.

  • customRoute - (Optional) A customRoute block as defined below. Specifies a custom routes address space for a virtual network gateway and a VpnClient.

  • generation - (Optional) The Generation of the Virtual Network gateway. Possible values include Generation1, Generation2 or None. Changing this forces a new resource to be created.

-> NOTE: The available values depend on the type and sku arguments: Generation2 is only valid for a SKU larger than VpnGw2 or VpnGw2AZ.

  • privateIpAddressEnabled - (Optional) Should private IP be enabled on this gateway for connections? Changing this forces a new resource to be created.

  • tags - (Optional) A mapping of tags to assign to the resource.

  • vpnClientConfiguration - (Optional) A vpnClientConfiguration block which is documented below. In this block the Virtual Network Gateway can be configured to accept IPSec point-to-site connections.

  • vpnType - (Optional) The routing type of the Virtual Network Gateway. Valid options are RouteBased or PolicyBased. Defaults to RouteBased. Changing this forces a new resource to be created.


The ipConfiguration block supports:

  • name - (Optional) A user-defined name of the IP configuration. Defaults to vnetGatewayConfig.

  • privateIpAddressAllocation - (Optional) Defines how the private IP address of the gateway's virtual interface is assigned. Valid options are Static or Dynamic. Defaults to Dynamic.

  • subnetId - (Required) The ID of the gateway subnet of a virtual network in which the virtual network gateway will be created. It is mandatory that the associated subnet is named GatewaySubnet. Therefore, each virtual network can contain at most a single Virtual Network Gateway.

  • publicIpAddressId - (Required) The ID of the public IP address to associate with the Virtual Network Gateway.


The vpnClientConfiguration block supports:

  • addressSpace - (Required) The address space out of which IP addresses for vpn clients will be taken. You can provide more than one address space, e.g. in CIDR notation.

  • aadTenant - (Optional) The AzureAD Tenant URL.

  • aadAudience - (Optional) The client id of the Azure VPN application. See "Create an Active Directory (AD) tenant for P2S OpenVPN protocol connections" for values.

  • aadIssuer - (Optional) The STS URL for your tenant.

  • rootCertificate - (Optional) One or more rootCertificate blocks which are defined below. These root certificates are used to sign the client certificate used by the VPN clients to connect to the gateway.

  • revokedCertificate - (Optional) One or more revokedCertificate blocks which are defined below.

  • radiusServerAddress - (Optional) The address of the RADIUS server.

  • radiusServerSecret - (Optional) The shared secret used to authenticate to the RADIUS server.

  • vpnClientProtocols - (Optional) List of the protocols supported by the vpn client. The supported values are SSTP, IkeV2 and OpenVPN. Values SSTP and IkeV2 are incompatible with the use of aadTenant, aadAudience and aadIssuer.

  • vpnAuthTypes - (Optional) List of the vpn authentication types for the virtual network gateway. The supported values are AAD, Radius and Certificate.

-> NOTE: vpnAuthTypes must be set when using multiple vpn authentication types.


The bgpSettings block supports:

  • asn - (Optional) The Autonomous System Number (ASN) to use as part of the BGP.

  • peeringAddresses - (Optional) A list of peeringAddresses as defined below. Only one peeringAddresses block can be specified except when activeActive of this Virtual Network Gateway is true.

  • peerWeight - (Optional) The weight added to routes which have been learned through BGP peering. Valid values can be between 0 and 100.


A customRoute block supports the following:

  • addressPrefixes - (Optional) A list of address blocks reserved for this virtual network in CIDR notation as defined below.

A peeringAddresses block supports the following:

  • ipConfigurationName - (Optional) The name of the IP configuration of this Virtual Network Gateway. If multiple ipConfiguration blocks are defined, this property is required.

  • apipaAddresses - (Optional) A list of Azure custom APIPA addresses assigned to the BGP peer of the Virtual Network Gateway.

~> Note: The valid range for the reserved APIPA address in Azure Public is from 169.254.21.0 to 169.254.22.255.


The rootCertificate block supports:

  • name - (Required) A user-defined name of the root certificate.

  • publicCertData - (Required) The public certificate of the root certificate authority. The certificate must be provided in Base-64 encoded X.509 format (PEM). In particular, this argument must not include the -----BEGIN CERTIFICATE----- or -----END CERTIFICATE----- markers.


The revokedCertificate block supports:

  • name - (Required) Specifies the name of the certificate resource.

  • thumbprint - (Required) Specifies the public data of the certificate.
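Several of the constraints above (ipConfiguration count, PolicyBased/Basic, UltraPerformance/ExpressRoute, SSTP/IkeV2 versus AAD, bare Base-64 root certificate data, the APIPA range) are only reported by Azure after a long deployment. The following is an added example, not code from the azurerm provider or this page, of a local pre-plan check of those documented rules; the GatewayConfig shape and the placeholder IDs are assumptions made for the example.

```typescript
// Added example: validate a gateway definition against the rules documented on this page
// before running `cdktf deploy`. Field names mirror the CDKTF argument names above.
interface GatewayConfig {
  type: "Vpn" | "ExpressRoute";
  sku: string;
  vpnType?: "RouteBased" | "PolicyBased";
  activeActive?: boolean;
  ipConfiguration: { subnetId: string; publicIpAddressId: string }[];
  vpnClientProtocols?: string[];
  aadTenant?: string;
  rootCertificates?: { name: string; publicCertData: string }[];
  apipaAddresses?: string[];
}

// Azure Public reserves 169.254.21.0 - 169.254.22.255 for custom BGP APIPA addresses.
function inApipaRange(ip: string): boolean {
  return /^169\.254\.2[12]\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$/.test(ip);
}

function validateGateway(cfg: GatewayConfig): string[] {
  const errors: string[] = [];
  const n = cfg.ipConfiguration.length;
  // Active-standby: exactly one ipConfiguration; active-active: two (three for zone-redundant P2S).
  if (!cfg.activeActive && n !== 1) errors.push(`active-standby gateway needs 1 ipConfiguration, got ${n}`);
  if (cfg.activeActive && n !== 2 && n !== 3) errors.push(`active-active gateway needs 2 or 3 ipConfiguration blocks, got ${n}`);
  if ((cfg.vpnType ?? "RouteBased") === "PolicyBased" && cfg.sku !== "Basic")
    errors.push("PolicyBased gateway only supports the Basic SKU");
  if (cfg.sku === "UltraPerformance" && cfg.type !== "ExpressRoute")
    errors.push("UltraPerformance SKU is only supported by an ExpressRoute gateway");
  // SSTP and IkeV2 cannot be combined with Azure AD (aadTenant/aadAudience/aadIssuer) authentication.
  if (cfg.aadTenant && (cfg.vpnClientProtocols ?? []).some((p) => p === "SSTP" || p === "IkeV2"))
    errors.push("SSTP/IkeV2 are incompatible with aadTenant; use OpenVPN for AAD authentication");
  // publicCertData must be bare Base-64 DER: PEM armour lines are rejected.
  for (const c of cfg.rootCertificates ?? []) {
    if (/-----(BEGIN|END) CERTIFICATE-----/.test(c.publicCertData))
      errors.push(`rootCertificate ${c.name}: remove the BEGIN/END CERTIFICATE markers`);
  }
  for (const ip of cfg.apipaAddresses ?? []) {
    if (!inApipaRange(ip)) errors.push(`apipaAddresses ${ip} is outside 169.254.21.0-169.254.22.255`);
  }
  return errors;
}

// Constructed sample mirroring the page's example gateway; the IDs are placeholders.
const goodGateway: GatewayConfig = {
  type: "Vpn", sku: "Basic", vpnType: "RouteBased", activeActive: false,
  ipConfiguration: [{ subnetId: "<gateway-subnet-id>", publicIpAddressId: "<public-ip-id>" }],
  apipaAddresses: ["169.254.21.1"],
};
```

Run validateGateway on the stack's inputs in a unit test or a pre-commit hook; an empty array means the definition satisfies the documented rules.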

Attributes Reference

The following attributes are exported:

  • id - The ID of the Virtual Network Gateway.

  • bgpSettings - (Optional) A block of bgpSettings.


The bgpSettings block supports:

  • peeringAddresses - A list of peeringAddresses as defined below.

The peeringAddresses block supports:

  • defaultAddresses - A list of peering addresses assigned to the BGP peer of the Virtual Network Gateway.

  • tunnelIpAddresses - A list of tunnel IP addresses assigned to the BGP peer of the Virtual Network Gateway.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 60 minutes) Used when creating the Virtual Network Gateway.
  • update - (Defaults to 60 minutes) Used when updating the Virtual Network Gateway.
  • read - (Defaults to 5 minutes) Used when retrieving the Virtual Network Gateway.
  • delete - (Defaults to 60 minutes) Used when deleting the Virtual Network Gateway.

Import

Virtual Network Gateways can be imported using the resourceId, e.g.

terraform import azurerm_virtual_network_gateway.exampleGateway /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myGroup1/providers/Microsoft.Network/virtualNetworkGateways/myGateway1