
azurermVirtualNetworkGatewayConnection

Manages a connection in an existing Virtual Network Gateway.

Example Usage

Site-to-Site connection

The following example shows a connection between an Azure virtual network and an on-premises VPN device and network.

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West US",
    name: "test",
  }
);
const azurermVirtualNetworkExample = new azurerm.virtualNetwork.VirtualNetwork(
  this,
  "example_1",
  {
    address_space: ["10.0.0.0/16"],
    location: azurermResourceGroupExample.location,
    name: "test",
    resource_group_name: azurermResourceGroupExample.name,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermVirtualNetworkExample.overrideLogicalId("example");
const azurermLocalNetworkGatewayOnpremise =
  new azurerm.localNetworkGateway.LocalNetworkGateway(this, "onpremise", {
    address_space: ["10.1.1.0/24"],
    gateway_address: "168.62.225.23",
    location: azurermResourceGroupExample.location,
    name: "onpremise",
    resource_group_name: azurermResourceGroupExample.name,
  });
const azurermPublicIpExample = new azurerm.publicIp.PublicIp(
  this,
  "example_3",
  {
    allocation_method: "Dynamic",
    location: azurermResourceGroupExample.location,
    name: "test",
    resource_group_name: azurermResourceGroupExample.name,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermPublicIpExample.overrideLogicalId("example");
const azurermSubnetExample = new azurerm.subnet.Subnet(this, "example_4", {
  address_prefixes: ["10.0.1.0/24"],
  name: "GatewaySubnet",
  resource_group_name: azurermResourceGroupExample.name,
  virtual_network_name: azurermVirtualNetworkExample.name,
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermSubnetExample.overrideLogicalId("example");
const azurermVirtualNetworkGatewayExample =
  new azurerm.virtualNetworkGateway.VirtualNetworkGateway(this, "example_5", {
    active_active: false,
    enable_bgp: false,
    ip_configuration: [
      {
        private_ip_address_allocation: "Dynamic",
        public_ip_address_id: azurermPublicIpExample.id,
        subnet_id: azurermSubnetExample.id,
      },
    ],
    location: azurermResourceGroupExample.location,
    name: "test",
    resource_group_name: azurermResourceGroupExample.name,
    sku: "Basic",
    type: "Vpn",
    vpn_type: "RouteBased",
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermVirtualNetworkGatewayExample.overrideLogicalId("example");
const azurermVirtualNetworkGatewayConnectionOnpremise =
  new azurerm.virtualNetworkGatewayConnection.VirtualNetworkGatewayConnection(
    this,
    "onpremise_6",
    {
      local_network_gateway_id: azurermLocalNetworkGatewayOnpremise.id,
      location: azurermResourceGroupExample.location,
      name: "onpremise",
      resource_group_name: azurermResourceGroupExample.name,
      shared_key: "4-v3ry-53cr37-1p53c-5h4r3d-k3y",
      type: "IPsec",
      virtual_network_gateway_id: azurermVirtualNetworkGatewayExample.id,
    }
  );
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermVirtualNetworkGatewayConnectionOnpremise.overrideLogicalId("onpremise");

VNet-to-VNet connection

The following example shows a connection between two Azure virtual networks in different locations/regions.

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
const azurermResourceGroupEurope = new azurerm.resourceGroup.ResourceGroup(
  this,
  "europe",
  {
    location: "West Europe",
    name: "europe",
  }
);
const azurermResourceGroupUs = new azurerm.resourceGroup.ResourceGroup(
  this,
  "us",
  {
    location: "East US",
    name: "us",
  }
);
const azurermVirtualNetworkEurope = new azurerm.virtualNetwork.VirtualNetwork(
  this,
  "europe_2",
  {
    address_space: ["10.1.0.0/16"],
    location: azurermResourceGroupEurope.location,
    name: "europe",
    resource_group_name: azurermResourceGroupEurope.name,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermVirtualNetworkEurope.overrideLogicalId("europe");
const azurermVirtualNetworkUs = new azurerm.virtualNetwork.VirtualNetwork(
  this,
  "us_3",
  {
    address_space: ["10.0.0.0/16"],
    location: azurermResourceGroupUs.location,
    name: "us",
    resource_group_name: azurermResourceGroupUs.name,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermVirtualNetworkUs.overrideLogicalId("us");
const azurermPublicIpEurope = new azurerm.publicIp.PublicIp(this, "europe_4", {
  allocation_method: "Dynamic",
  location: azurermResourceGroupEurope.location,
  name: "europe",
  resource_group_name: azurermResourceGroupEurope.name,
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermPublicIpEurope.overrideLogicalId("europe");
const azurermPublicIpUs = new azurerm.publicIp.PublicIp(this, "us_5", {
  allocation_method: "Dynamic",
  location: azurermResourceGroupUs.location,
  name: "us",
  resource_group_name: azurermResourceGroupUs.name,
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermPublicIpUs.overrideLogicalId("us");
const azurermSubnetEuropeGateway = new azurerm.subnet.Subnet(
  this,
  "europe_gateway",
  {
    address_prefixes: ["10.1.1.0/24"],
    name: "GatewaySubnet",
    resource_group_name: azurermResourceGroupEurope.name,
    virtual_network_name: azurermVirtualNetworkEurope.name,
  }
);
const azurermSubnetUsGateway = new azurerm.subnet.Subnet(this, "us_gateway", {
  address_prefixes: ["10.0.1.0/24"],
  name: "GatewaySubnet",
  resource_group_name: azurermResourceGroupUs.name,
  virtual_network_name: azurermVirtualNetworkUs.name,
});
const azurermVirtualNetworkGatewayEurope =
  new azurerm.virtualNetworkGateway.VirtualNetworkGateway(this, "europe_8", {
    ip_configuration: [
      {
        private_ip_address_allocation: "Dynamic",
        public_ip_address_id: azurermPublicIpEurope.id,
        subnet_id: azurermSubnetEuropeGateway.id,
      },
    ],
    location: azurermResourceGroupEurope.location,
    name: "europe-gateway",
    resource_group_name: azurermResourceGroupEurope.name,
    sku: "Basic",
    type: "Vpn",
    vpn_type: "RouteBased",
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermVirtualNetworkGatewayEurope.overrideLogicalId("europe");
const azurermVirtualNetworkGatewayUs =
  new azurerm.virtualNetworkGateway.VirtualNetworkGateway(this, "us_9", {
    ip_configuration: [
      {
        private_ip_address_allocation: "Dynamic",
        public_ip_address_id: azurermPublicIpUs.id,
        subnet_id: azurermSubnetUsGateway.id,
      },
    ],
    location: azurermResourceGroupUs.location,
    name: "us-gateway",
    resource_group_name: azurermResourceGroupUs.name,
    sku: "Basic",
    type: "Vpn",
    vpn_type: "RouteBased",
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermVirtualNetworkGatewayUs.overrideLogicalId("us");
new azurerm.virtualNetworkGatewayConnection.VirtualNetworkGatewayConnection(
  this,
  "europe_to_us",
  {
    location: azurermResourceGroupEurope.location,
    name: "europe-to-us",
    peer_virtual_network_gateway_id: azurermVirtualNetworkGatewayUs.id,
    resource_group_name: azurermResourceGroupEurope.name,
    shared_key: "4-v3ry-53cr37-1p53c-5h4r3d-k3y",
    type: "Vnet2Vnet",
    virtual_network_gateway_id: azurermVirtualNetworkGatewayEurope.id,
  }
);
new azurerm.virtualNetworkGatewayConnection.VirtualNetworkGatewayConnection(
  this,
  "us_to_europe",
  {
    location: azurermResourceGroupUs.location,
    name: "us-to-europe",
    peer_virtual_network_gateway_id: azurermVirtualNetworkGatewayEurope.id,
    resource_group_name: azurermResourceGroupUs.name,
    shared_key: "4-v3ry-53cr37-1p53c-5h4r3d-k3y",
    type: "Vnet2Vnet",
    virtual_network_gateway_id: azurermVirtualNetworkGatewayUs.id,
  }
);

Argument Reference

The following arguments are supported:

  • name - (Required) The name of the connection. Changing the name forces a new resource to be created.

  • resourceGroupName - (Required) The name of the resource group in which to create the connection. Changing this forces a new resource to be created.

  • location - (Required) The location/region where the connection is located. Changing this forces a new resource to be created.

  • type - (Required) The type of connection. Valid options are IPsec (Site-to-Site), ExpressRoute (ExpressRoute), and Vnet2Vnet (VNet-to-VNet). Each connection type requires different mandatory arguments (refer to the examples above). Changing this forces a new resource to be created.

  • virtualNetworkGatewayId - (Required) The ID of the Virtual Network Gateway in which the connection will be created. Changing this forces a new resource to be created.

  • authorizationKey - (Optional) The authorization key associated with the Express Route Circuit. This field is required only if the type is an ExpressRoute connection.

  • dpdTimeoutSeconds - (Optional) The dead peer detection timeout of this connection in seconds. Changing this forces a new resource to be created.

  • expressRouteCircuitId - (Optional) The ID of the Express Route Circuit when creating an ExpressRoute connection (i.e. when type is ExpressRoute). The Express Route Circuit can be in the same or in a different subscription. Changing this forces a new resource to be created.

  • peerVirtualNetworkGatewayId - (Optional) The ID of the peer virtual network gateway when creating a VNet-to-VNet connection (i.e. when type is Vnet2Vnet). The peer Virtual Network Gateway can be in the same or in a different subscription. Changing this forces a new resource to be created.

  • localAzureIpAddressEnabled - (Optional) Use private local Azure IP for the connection. Changing this forces a new resource to be created.

  • localNetworkGatewayId - (Optional) The ID of the local network gateway when creating a Site-to-Site connection (i.e. when type is IPsec).

  • routingWeight - (Optional) The routing weight. Defaults to 10.

  • sharedKey - (Optional) The shared IPsec key. A key can be provided when a Site-to-Site, VNet-to-VNet or ExpressRoute connection is created.

  • connectionMode - (Optional) Connection mode to use. Possible values are Default, InitiatorOnly and ResponderOnly. Defaults to Default. Changing this forces a new resource to be created.

  • connectionProtocol - (Optional) The IKE protocol version to use. Possible values are IKEv1 and IKEv2. Defaults to IKEv2. Changing this forces a new resource to be created. -> Note: Only valid for IPsec connections on virtual network gateways with SKU VpnGw1, VpnGw2, VpnGw3, VpnGw1AZ, VpnGw2AZ or VpnGw3AZ.

  • enableBgp - (Optional) If true, BGP (Border Gateway Protocol) is enabled for this connection. Defaults to false.

  • customBgpAddresses - (Optional) A customBgpAddresses (Border Gateway Protocol custom IP addresses) block which is documented below. The block can only be used on IPsec / active-active connections. For details, refer to the relevant section in the Azure documentation.

  • expressRouteGatewayBypass - (Optional) If true, data packets will bypass the ExpressRoute Gateway for data forwarding. This is only valid for ExpressRoute connections.

  • egressNatRuleIds - (Optional) A list of the egress NAT Rule Ids.

  • ingressNatRuleIds - (Optional) A list of the ingress NAT Rule Ids.

  • usePolicyBasedTrafficSelectors - (Optional) If true, policy-based traffic selectors are enabled for this connection. Enabling policy-based traffic selectors requires an ipsecPolicy block. Defaults to false.

  • ipsecPolicy - (Optional) An ipsecPolicy block which is documented below. Only a single policy can be defined for a connection. For details on custom policies refer to the relevant section in the Azure documentation.

  • trafficSelectorPolicy - (Optional) One or more trafficSelectorPolicy blocks which are documented below. A trafficSelectorPolicy allows you to specify a traffic selector policy proposal to be used in a virtual network gateway connection. For details about traffic selectors refer to the relevant section in the Azure documentation.

  • tags - (Optional) A mapping of tags to assign to the resource.


The customBgpAddresses block supports:

  • primary - (Required) A single IP address that is part of the azurermVirtualNetworkGateway ip_configuration (the first one).
  • secondary - (Required) A single IP address that is part of the azurermVirtualNetworkGateway ip_configuration (the second one).

The ipsecPolicy block supports:

  • dhGroup - (Required) The DH group used in IKE phase 1 for the initial SA. Valid options are DHGroup1, DHGroup14, DHGroup2, DHGroup2048, DHGroup24, ECP256, ECP384, or None.

  • ikeEncryption - (Required) The IKE encryption algorithm. Valid options are AES128, AES192, AES256, DES, DES3, GCMAES128, or GCMAES256.

  • ikeIntegrity - (Required) The IKE integrity algorithm. Valid options are GCMAES128, GCMAES256, MD5, SHA1, SHA256, or SHA384.

  • ipsecEncryption - (Required) The IPsec encryption algorithm. Valid options are AES128, AES192, AES256, DES, DES3, GCMAES128, GCMAES192, GCMAES256, or None.

  • ipsecIntegrity - (Required) The IPsec integrity algorithm. Valid options are GCMAES128, GCMAES192, GCMAES256, MD5, SHA1, or SHA256.

  • pfsGroup - (Required) The DH group used in IKE phase 2 for new child SAs. Valid options are ECP256, ECP384, PFS1, PFS14, PFS2, PFS2048, PFS24, PFSMM, or None.

  • saDatasize - (Optional) The IPSec SA payload size in KB. Must be at least 1024 KB. Defaults to 102400000 KB.

  • saLifetime - (Optional) The IPSec SA lifetime in seconds. Must be at least 300 seconds. Defaults to 27000 seconds.
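The option lists above still admit legacy choices (DES, MD5, SHA1, 768/1024-bit DH groups, disabled PFS), so a policy that passes provider validation can still be weak. The following is an added example, not code from the provider or this page: it checks an ipsecPolicy block (snake_case keys, as in the converted examples above) against the valid options and minimums listed in the Argument Reference and reports the values a reviewer would reject before apply. The GCMAES pairing rule is an Azure-side requirement not stated on this page.

```typescript
// Added example: validates an ipsec_policy block against the page's option lists.
type IpsecPolicy = {
  dh_group: string; ike_encryption: string; ike_integrity: string;
  ipsec_encryption: string; ipsec_integrity: string; pfs_group: string;
  sa_datasize?: number; sa_lifetime?: number;
};
type AlgField = Exclude<keyof IpsecPolicy, "sa_datasize" | "sa_lifetime">;

// Valid options per field, as listed for the ipsecPolicy block above.
const ALLOWED: Record<AlgField, string[]> = {
  dh_group: ["DHGroup1", "DHGroup14", "DHGroup2", "DHGroup2048", "DHGroup24", "ECP256", "ECP384", "None"],
  ike_encryption: ["AES128", "AES192", "AES256", "DES", "DES3", "GCMAES128", "GCMAES256"],
  ike_integrity: ["GCMAES128", "GCMAES256", "MD5", "SHA1", "SHA256", "SHA384"],
  ipsec_encryption: ["AES128", "AES192", "AES256", "DES", "DES3", "GCMAES128", "GCMAES192", "GCMAES256", "None"],
  ipsec_integrity: ["GCMAES128", "GCMAES192", "GCMAES256", "MD5", "SHA1", "SHA256"],
  pfs_group: ["ECP256", "ECP384", "PFS1", "PFS14", "PFS2", "PFS2048", "PFS24", "PFSMM", "None"],
};
// Values to reject: deprecated ciphers/hashes, sub-2048-bit DH groups, and disabled PFS or encryption.
const WEAK = new Set(["DES", "DES3", "MD5", "SHA1", "DHGroup1", "DHGroup2", "PFS1", "PFS2", "None"]);

function validateIpsecPolicy(p: IpsecPolicy): string[] {
  const findings: string[] = [];
  for (const field of Object.keys(ALLOWED) as AlgField[]) {
    const v = p[field];
    if (!ALLOWED[field].includes(v)) findings.push(`error: ${field}=${v} is not a valid option`);
    else if (WEAK.has(v)) findings.push(`weak: ${field}=${v}`);
  }
  // GCM modes carry their own integrity: Azure requires the same GCMAES variant on both IPsec fields.
  if (p.ipsec_encryption.startsWith("GCMAES") && p.ipsec_integrity !== p.ipsec_encryption)
    findings.push("error: ipsec_integrity must match ipsec_encryption when a GCMAES mode is used");
  if (p.sa_datasize !== undefined && p.sa_datasize < 1024) findings.push("error: sa_datasize below 1024 KB");
  if (p.sa_lifetime !== undefined && p.sa_lifetime < 300) findings.push("error: sa_lifetime below 300 s");
  return findings;
}

// Constructed sample policies: one modern, one built from the legacy options the lists still allow.
const hardenedPolicy: IpsecPolicy = {
  dh_group: "ECP384", ike_encryption: "AES256", ike_integrity: "SHA384",
  ipsec_encryption: "GCMAES256", ipsec_integrity: "GCMAES256", pfs_group: "ECP384",
  sa_datasize: 102400000, sa_lifetime: 3600,
};
const legacyPolicy: IpsecPolicy = {
  dh_group: "DHGroup2", ike_encryption: "DES3", ike_integrity: "SHA1",
  ipsec_encryption: "AES128", ipsec_integrity: "MD5", pfs_group: "None", sa_lifetime: 60,
};
console.log(validateIpsecPolicy(hardenedPolicy)); // []
console.log(validateIpsecPolicy(legacyPolicy));   // five "weak:" findings and one sa_lifetime error
```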


The trafficSelectorPolicy block supports:

  • localAddressCidrs - (Required) List of local CIDRs.

  • remoteAddressCidrs - (Required) List of remote CIDRs.

Attributes Reference

The following attributes are exported:

  • id - The ID of the Virtual Network Gateway Connection.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 30 minutes) Used when creating the Virtual Network Gateway Connection.
  • update - (Defaults to 30 minutes) Used when updating the Virtual Network Gateway Connection.
  • read - (Defaults to 5 minutes) Used when retrieving the Virtual Network Gateway Connection.
  • delete - (Defaults to 30 minutes) Used when deleting the Virtual Network Gateway Connection.

Import

Virtual Network Gateway Connections can be imported using their resource ID, e.g.

terraform import azurerm_virtual_network_gateway_connection.exampleConnection /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myGroup1/providers/Microsoft.Network/connections/myConnection1