# azurerm_virtual_network_gateway

Manages a Virtual Network Gateway to establish secure, cross-premises connectivity.

-> Note: Please be aware that provisioning a Virtual Network Gateway takes a long time (between 30 minutes and 1 hour).

## Example Usage
```typescript
/* Provider bindings are generated by running `cdktf get`.
   See https://cdk.tf/provider-generation for more details. */
import { Construct } from "constructs";
import { App, TerraformStack } from "cdktf";
import * as azurerm from "./.gen/providers/azurerm";

/* The converter that produced this example had no schema information for azurerm,
   so the attribute names were adjusted by hand to the camelCase form used by the
   generated bindings, and the single-item vpn_client_configuration block is an
   object rather than a list. */
class VirtualNetworkGatewayStack extends TerraformStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);

    // The azurerm provider requires a (possibly empty) features block.
    new azurerm.provider.AzurermProvider(this, "azurerm", { features: {} });

    const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
      this,
      "example",
      {
        location: "West Europe",
        name: "test",
      }
    );

    const azurermVirtualNetworkExample =
      new azurerm.virtualNetwork.VirtualNetwork(this, "example_1", {
        addressSpace: ["10.0.0.0/16"],
        location: azurermResourceGroupExample.location,
        name: "test",
        resourceGroupName: azurermResourceGroupExample.name,
      });
    /* This allows the Terraform resource name to match the original name.
       You can remove the call if you don't need them to match. */
    azurermVirtualNetworkExample.overrideLogicalId("example");

    const azurermPublicIpExample = new azurerm.publicIp.PublicIp(this, "example_2", {
      allocationMethod: "Dynamic",
      location: azurermResourceGroupExample.location,
      name: "test",
      resourceGroupName: azurermResourceGroupExample.name,
    });
    azurermPublicIpExample.overrideLogicalId("example");

    // The subnet hosting the gateway must be named GatewaySubnet (see subnetId below).
    const azurermSubnetExample = new azurerm.subnet.Subnet(this, "example_3", {
      addressPrefixes: ["10.0.1.0/24"],
      name: "GatewaySubnet",
      resourceGroupName: azurermResourceGroupExample.name,
      virtualNetworkName: azurermVirtualNetworkExample.name,
    });
    azurermSubnetExample.overrideLogicalId("example");

    const azurermVirtualNetworkGatewayExample =
      new azurerm.virtualNetworkGateway.VirtualNetworkGateway(this, "example_4", {
        activeActive: false,
        enableBgp: false,
        ipConfiguration: [
          {
            name: "vnetGatewayConfig",
            privateIpAddressAllocation: "Dynamic",
            publicIpAddressId: azurermPublicIpExample.id,
            subnetId: azurermSubnetExample.id,
          },
        ],
        location: azurermResourceGroupExample.location,
        name: "test",
        resourceGroupName: azurermResourceGroupExample.name,
        sku: "Basic",
        type: "Vpn",
        // Point-to-site settings: clients present certificates issued under the
        // root below; revokedCertificate lists thumbprints that must be rejected.
        vpnClientConfiguration: {
          addressSpace: ["10.2.0.0/24"],
          revokedCertificate: [
            {
              name: "Verizon-Global-Root-CA",
              thumbprint: "912198EEF23DCAC40939312FEE97DD560BAE49B1",
            },
          ],
          rootCertificate: [
            {
              name: "DigiCert-Federated-ID-Root-CA",
              // Base-64 encoded DER, without the BEGIN/END CERTIFICATE markers.
              publicCertData:
                "MIIDuzCCAqOgAwIBAgIQCHTZWCM+IlfFIRXIvyKSrjANBgkqhkiG9w0BAQsFADBn\nMQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3\nd3cuZGlnaWNlcnQuY29tMSYwJAYDVQQDEx1EaWdpQ2VydCBGZWRlcmF0ZWQgSUQg\nUm9vdCBDQTAeFw0xMzAxMTUxMjAwMDBaFw0zMzAxMTUxMjAwMDBaMGcxCzAJBgNV\nBAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdp\nY2VydC5jb20xJjAkBgNVBAMTHURpZ2lDZXJ0IEZlZGVyYXRlZCBJRCBSb290IENB\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvAEB4pcCqnNNOWE6Ur5j\nQPUH+1y1F9KdHTRSza6k5iDlXq1kGS1qAkuKtw9JsiNRrjltmFnzMZRBbX8Tlfl8\nzAhBmb6dDduDGED01kBsTkgywYPxXVTKec0WxYEEF0oMn4wSYNl0lt2eJAKHXjNf\nGTwiibdP8CUR2ghSM2sUTI8Nt1Omfc4SMHhGhYD64uJMbX98THQ/4LMGuYegou+d\nGTiahfHtjn7AboSEknwAMJHCh5RlYZZ6B1O4QbKJ+34Q0eKgnI3X6Vc9u0zf6DH8\nDk+4zQDYRRTqTnVO3VT8jzqDlCRuNtq6YvryOWN74/dq8LQhUnXHvFyrsdMaE1X2\nDwIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNV\nHQ4EFgQUGRdkFnbGt1EWjKwbUne+5OaZvRYwHwYDVR0jBBgwFoAUGRdkFnbGt1EW\njKwbUne+5OaZvRYwDQYJKoZIhvcNAQELBQADggEBAHcqsHkrjpESqfuVTRiptJfP\n9JbdtWqRTmOf6uJi2c8YVqI6XlKXsD8C1dUUaaHKLUJzvKiazibVuBwMIT84AyqR\nQELn3e0BtgEymEygMU569b01ZPxoFSnNXc7qDZBDef8WfqAV/sxkTi8L9BkmFYfL\nuGLOhRJOFprPdoDIUBB+tmCl3oDcBy3vnUeOEioz8zAkprcb3GHwHAK+vHmmfgcn\nWsfMLH4JCLa/tRYL+Rw/N3ybCkDp00s0WUZ+AoDywSl0Q/ZEnNY0MsFiw6LyIdbq\nM/s/1JRtO3bDSzD9TazRVzn2oBqzSa8VgIo5C1nOnoAKJTlsClJKvIhnRlaLQqk=\n",
            },
          ],
        },
        vpnType: "RouteBased",
      });
    azurermVirtualNetworkGatewayExample.overrideLogicalId("example");
  }
}

const app = new App();
new VirtualNetworkGatewayStack(app, "azurerm-virtual-network-gateway");
app.synth();
```
## Argument Reference

The following arguments are supported:

- `ipConfiguration` - (Required) One, two or three `ipConfiguration` blocks documented below. An active-standby gateway requires exactly one `ipConfiguration` block, an active-active gateway requires exactly two `ipConfiguration` blocks, whereas an active-active zone-redundant gateway with P2S configuration requires exactly three `ipConfiguration` blocks.
- `location` - (Required) The location/region where the Virtual Network Gateway is located. Changing this forces a new resource to be created.
- `name` - (Required) The name of the Virtual Network Gateway. Changing this forces a new resource to be created.
- `resourceGroupName` - (Required) The name of the resource group in which to create the Virtual Network Gateway. Changing this forces a new resource to be created.
- `sku` - (Required) Configuration of the size and capacity of the virtual network gateway. Valid options are `Basic`, `Standard`, `HighPerformance`, `UltraPerformance`, `ErGw1AZ`, `ErGw2AZ`, `ErGw3AZ`, `VpnGw1`, `VpnGw2`, `VpnGw3`, `VpnGw4`, `VpnGw5`, `VpnGw1AZ`, `VpnGw2AZ`, `VpnGw3AZ`, `VpnGw4AZ` and `VpnGw5AZ`, and depend on the `type`, `vpnType` and `generation` arguments. A `PolicyBased` gateway only supports the `Basic` SKU. Further, the `UltraPerformance` SKU is only supported by an `ExpressRoute` gateway.

~> NOTE: To build an `UltraPerformance` ExpressRoute Virtual Network Gateway, the associated Public IP needs to be SKU `Basic`, not `Standard`.

~> NOTE: Not all SKUs (e.g. `ErGw1AZ`) are available in all regions. If you see `StatusCode=400 -- Original Error: Code="InvalidGatewaySkuSpecifiedForGatewayDeploymentType"`, please try another region.

- `type` - (Required) The type of the Virtual Network Gateway. Valid options are `Vpn` or `ExpressRoute`. Changing the type forces a new resource to be created.
- `activeActive` - (Optional) If `true`, an active-active Virtual Network Gateway will be created. An active-active gateway requires a `HighPerformance` or an `UltraPerformance` SKU. If `false`, an active-standby gateway will be created. Defaults to `false`.
- `defaultLocalNetworkGatewayId` - (Optional) The ID of the local network gateway through which outbound Internet traffic from the virtual network in which the gateway is created will be routed (forced tunnelling). Refer to the Azure documentation on forced tunnelling. If not specified, forced tunnelling is disabled.
- `edgeZone` - (Optional) Specifies the Edge Zone within the Azure Region where this Virtual Network Gateway should exist. Changing this forces a new Virtual Network Gateway to be created.
- `enableBgp` - (Optional) If `true`, BGP (Border Gateway Protocol) will be enabled for this Virtual Network Gateway. Defaults to `false`.
- `bgpSettings` - (Optional) A `bgpSettings` block which is documented below. In this block the BGP-specific settings can be defined.
- `customRoute` - (Optional) A `customRoute` block as defined below. Specifies a custom routes address space for a virtual network gateway and a VpnClient.
- `generation` - (Optional) The Generation of the Virtual Network Gateway. Possible values include `Generation1`, `Generation2` or `None`. Changing this forces a new resource to be created.

-> NOTE: The available values depend on the `type` and `sku` arguments; `Generation2` is only valid for a `sku` larger than `VpnGw2` or `VpnGw2AZ`.

- `privateIpAddressEnabled` - (Optional) Should private IP be enabled on this gateway for connections? Changing this forces a new resource to be created.
- `tags` - (Optional) A mapping of tags to assign to the resource.
- `vpnClientConfiguration` - (Optional) A `vpnClientConfiguration` block which is documented below. In this block the Virtual Network Gateway can be configured to accept IPSec point-to-site connections.
- `vpnType` - (Optional) The routing type of the Virtual Network Gateway. Valid options are `RouteBased` or `PolicyBased`. Defaults to `RouteBased`. Changing this forces a new resource to be created.
The `ipConfiguration` block supports:

- `name` - (Optional) A user-defined name of the IP configuration. Defaults to `vnetGatewayConfig`.
- `privateIpAddressAllocation` - (Optional) Defines how the private IP address of the gateway's virtual interface is assigned. Valid options are `Static` or `Dynamic`. Defaults to `Dynamic`.
- `subnetId` - (Required) The ID of the gateway subnet of a virtual network in which the virtual network gateway will be created. It is mandatory that the associated subnet is named `GatewaySubnet`. Therefore, each virtual network can contain at most a single Virtual Network Gateway.
- `publicIpAddressId` - (Required) The ID of the public IP address to associate with the Virtual Network Gateway.
The `vpnClientConfiguration` block supports:

- `addressSpace` - (Required) The address space out of which IP addresses for VPN clients will be taken. You can provide more than one address space, e.g. in CIDR notation.
- `aadTenant` - (Optional) AzureAD Tenant URL.
- `aadAudience` - (Optional) The client ID of the Azure VPN application. See "Create an Active Directory (AD) tenant for P2S OpenVPN protocol connections" for values.
- `aadIssuer` - (Optional) The STS URL for your tenant.
- `rootCertificate` - (Optional) One or more `rootCertificate` blocks which are defined below. These root certificates are used to sign the client certificates used by the VPN clients to connect to the gateway.
- `revokedCertificate` - (Optional) One or more `revokedCertificate` blocks which are defined below.
- `radiusServerAddress` - (Optional) The address of the RADIUS server.
- `radiusServerSecret` - (Optional) The secret used by the RADIUS server.
- `vpnClientProtocols` - (Optional) List of the protocols supported by the VPN client. The supported values are `SSTP`, `IkeV2` and `OpenVPN`. Values `SSTP` and `IkeV2` are incompatible with the use of `aadTenant`, `aadAudience` and `aadIssuer`.
- `vpnAuthTypes` - (Optional) List of the VPN authentication types for the virtual network gateway. The supported values are `AAD`, `Radius` and `Certificate`.

-> NOTE: `vpnAuthTypes` must be set when using multiple VPN authentication types.
The `bgpSettings` block supports:

- `asn` - (Optional) The Autonomous System Number (ASN) to use as part of the BGP.
- `peeringAddresses` - (Optional) A list of `peeringAddresses` as defined below. Only one `peeringAddresses` block can be specified except when `activeActive` of this Virtual Network Gateway is `true`.
- `peerWeight` - (Optional) The weight added to routes which have been learned through BGP peering. Valid values can be between `0` and `100`.
A `customRoute` block supports the following:

- `addressPrefixes` - (Optional) A list of address blocks reserved for this virtual network in CIDR notation.

A `peeringAddresses` block supports the following:

- `ipConfigurationName` - (Optional) The name of the IP configuration of this Virtual Network Gateway. In case there are multiple `ipConfiguration` blocks defined, this property is required.
- `apipaAddresses` - (Optional) A list of Azure custom APIPA addresses assigned to the BGP peer of the Virtual Network Gateway.

~> Note: The valid range for the reserved APIPA address in Azure Public is from `169.254.21.0` to `169.254.22.255`.
The `rootCertificate` block supports:

- `name` - (Required) A user-defined name of the root certificate.
- `publicCertData` - (Required) The public certificate of the root certificate authority. The certificate must be provided in Base-64 encoded X.509 format (PEM). In particular, this argument must not include the `BEGIN CERTIFICATE` or `END CERTIFICATE` markers.

The `revokedCertificate` block supports:

- `name` - (Required) Specifies the name of the certificate resource.
- `thumbprint` - (Required) Specifies the thumbprint (public data) of the certificate.
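The two certificate-related values are easy to get subtly wrong: `publicCertData` must be the bare Base-64 DER with the PEM markers removed, and the `thumbprint` of a revoked certificate is a SHA-1 fingerprint of the certificate's DER, written as 40 upper-case hex digits without separators (the form the `revokedCertificate` in the example above uses). The following helpers are an added example, not part of the provider or of CDKTF; the names `pemToPublicCertData` and `thumbprint` are this example's own. They strip a PEM file down to the accepted form, reject input that does not decode to a single DER SEQUENCE, and derive the thumbprint. The sample PEM is constructed and wraps a five-byte DER SEQUENCE rather than a real certificate.

```typescript
import { createHash } from "crypto";

// Added example (hypothetical helpers, not provider API).
// Convert a PEM certificate into the bare Base-64 DER that publicCertData expects:
// drop the BEGIN/END markers and all whitespace, then check that the remainder is
// canonical Base-64 whose decoded bytes form exactly one DER SEQUENCE (tag 0x30).
export function pemToPublicCertData(pem: string): string {
  const body = pem
    .replace(/-----BEGIN CERTIFICATE-----/g, "")
    .replace(/-----END CERTIFICATE-----/g, "")
    .replace(/\s+/g, "");
  if (!/^[A-Za-z0-9+\/]+={0,2}$/.test(body)) throw new Error("publicCertData is not Base-64");
  const der = Buffer.from(body, "base64");
  // Re-encoding must reproduce the input; otherwise the Base-64 was truncated or padded oddly.
  if (der.toString("base64") !== body) throw new Error("Base-64 is not canonical");
  if (!isDerSequence(der)) throw new Error("decoded data is not a single DER SEQUENCE");
  return body;
}

// True when `der` is one SEQUENCE whose encoded length covers the whole buffer.
function isDerSequence(der: Buffer): boolean {
  if (der.length < 2 || der[0] !== 0x30) return false;
  let len = der[1];
  let offset = 2;
  if (len & 0x80) {
    // Long form: low 7 bits give the number of length bytes that follow.
    const n = len & 0x7f;
    if (n === 0 || n > 4 || der.length < 2 + n) return false;
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + der[2 + i];
    offset = 2 + n;
  }
  return offset + len === der.length;
}

// Azure's certificate thumbprint: SHA-1 over the DER bytes, upper-case hex, no separators.
export function thumbprint(publicCertData: string): string {
  const der = Buffer.from(publicCertData.replace(/\s+/g, ""), "base64");
  return createHash("sha1").update(der).digest("hex").toUpperCase();
}

// Constructed sample: PEM markers around the DER SEQUENCE { INTEGER 5 } (bytes 30 03 02 01 05).
// It is not a real certificate; it only exercises the format handling.
export const samplePem =
  "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n";

console.log(pemToPublicCertData(samplePem), thumbprint(pemToPublicCertData(samplePem)));
```

Feed the output of `pemToPublicCertData` straight into `publicCertData`, and use `thumbprint` on a client certificate's PEM to produce the value for a `revokedCertificate` block; computing it from the DER rather than copying it from a UI avoids the colon-separated and lower-case variants that Azure does not match.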
## Attributes Reference

The following attributes are exported:

- `id` - The ID of the Virtual Network Gateway.
- `bgpSettings` - A `bgpSettings` block as defined below.

The `bgpSettings` block exports:

- `peeringAddresses` - A list of `peeringAddresses` as defined below.

The `peeringAddresses` block exports:

- `defaultAddresses` - A list of peering addresses assigned to the BGP peer of the Virtual Network Gateway.
- `tunnelIpAddresses` - A list of tunnel IP addresses assigned to the BGP peer of the Virtual Network Gateway.
## Timeouts

The `timeouts` block allows you to specify timeouts for certain actions:

- `create` - (Defaults to 60 minutes) Used when creating the Virtual Network Gateway.
- `update` - (Defaults to 60 minutes) Used when updating the Virtual Network Gateway.
- `read` - (Defaults to 5 minutes) Used when retrieving the Virtual Network Gateway.
- `delete` - (Defaults to 60 minutes) Used when deleting the Virtual Network Gateway.

## Import

Virtual Network Gateways can be imported using the resource `id`, e.g.