# azurermVirtualNetworkGatewayConnection

Manages a connection in an existing Virtual Network Gateway.

## Example Usage

### Site-to-Site connection

The following example shows a connection between an Azure virtual network and an on-premises VPN device and network.
```typescript
/* Provider bindings are generated by running `cdktf get`.
   See https://cdk.tf/provider-generation for more details. */
import * as azurerm from "./.gen/providers/azurerm";

// This snippet runs inside the constructor of a cdktf TerraformStack, which is
// what `this` refers to. Property names use the camelCase form of the generated
// bindings (e.g. resourceGroupName for resource_group_name).
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West US",
    name: "test",
  }
);
const azurermVirtualNetworkExample = new azurerm.virtualNetwork.VirtualNetwork(
  this,
  "example_1",
  {
    addressSpace: ["10.0.0.0/16"],
    location: azurermResourceGroupExample.location,
    name: "test",
    resourceGroupName: azurermResourceGroupExample.name,
  }
);
// overrideLogicalId makes the Terraform resource name match the original HCL
// name. You can remove these calls if you don't need them to match.
azurermVirtualNetworkExample.overrideLogicalId("example");
// The on-premises side: its public VPN endpoint and the prefixes reachable behind it.
const azurermLocalNetworkGatewayOnpremise =
  new azurerm.localNetworkGateway.LocalNetworkGateway(this, "onpremise", {
    addressSpace: ["10.1.1.0/24"],
    gatewayAddress: "168.62.225.23",
    location: azurermResourceGroupExample.location,
    name: "onpremise",
    resourceGroupName: azurermResourceGroupExample.name,
  });
const azurermPublicIpExample = new azurerm.publicIp.PublicIp(
  this,
  "example_3",
  {
    allocationMethod: "Dynamic",
    location: azurermResourceGroupExample.location,
    name: "test",
    resourceGroupName: azurermResourceGroupExample.name,
  }
);
azurermPublicIpExample.overrideLogicalId("example");
// The gateway subnet must be named exactly "GatewaySubnet".
const azurermSubnetExample = new azurerm.subnet.Subnet(this, "example_4", {
  addressPrefixes: ["10.0.1.0/24"],
  name: "GatewaySubnet",
  resourceGroupName: azurermResourceGroupExample.name,
  virtualNetworkName: azurermVirtualNetworkExample.name,
});
azurermSubnetExample.overrideLogicalId("example");
const azurermVirtualNetworkGatewayExample =
  new azurerm.virtualNetworkGateway.VirtualNetworkGateway(this, "example_5", {
    activeActive: false,
    enableBgp: false,
    ipConfiguration: [
      {
        privateIpAddressAllocation: "Dynamic",
        publicIpAddressId: azurermPublicIpExample.id,
        subnetId: azurermSubnetExample.id,
      },
    ],
    location: azurermResourceGroupExample.location,
    name: "test",
    resourceGroupName: azurermResourceGroupExample.name,
    sku: "Basic",
    type: "Vpn",
    vpnType: "RouteBased",
  });
azurermVirtualNetworkGatewayExample.overrideLogicalId("example");
const azurermVirtualNetworkGatewayConnectionOnpremise =
  new azurerm.virtualNetworkGatewayConnection.VirtualNetworkGatewayConnection(
    this,
    "onpremise_6",
    {
      localNetworkGatewayId: azurermLocalNetworkGatewayOnpremise.id,
      location: azurermResourceGroupExample.location,
      name: "onpremise",
      resourceGroupName: azurermResourceGroupExample.name,
      // Placeholder IKE pre-shared key. In real code read it from a sensitive
      // TerraformVariable or a Key Vault secret; never commit the literal.
      sharedKey: "4-v3ry-53cr37-1p53c-5h4r3d-k3y",
      type: "IPsec",
      virtualNetworkGatewayId: azurermVirtualNetworkGatewayExample.id,
    }
  );
azurermVirtualNetworkGatewayConnectionOnpremise.overrideLogicalId("onpremise");
```
### VNet-to-VNet connection

The following example shows a connection between two Azure virtual networks in different locations/regions. A VNet-to-VNet link needs two connection resources, one in each direction, and both must carry the same shared key.
```typescript
/* Provider bindings are generated by running `cdktf get`.
   See https://cdk.tf/provider-generation for more details. */
import * as azurerm from "./.gen/providers/azurerm";

// Runs inside the constructor of a cdktf TerraformStack (`this`). Property
// names use the camelCase form of the generated bindings.
const azurermResourceGroupEurope = new azurerm.resourceGroup.ResourceGroup(
  this,
  "europe",
  {
    location: "West Europe",
    name: "europe",
  }
);
const azurermResourceGroupUs = new azurerm.resourceGroup.ResourceGroup(
  this,
  "us",
  {
    location: "East US",
    name: "us",
  }
);
const azurermVirtualNetworkEurope = new azurerm.virtualNetwork.VirtualNetwork(
  this,
  "europe_2",
  {
    addressSpace: ["10.1.0.0/16"],
    location: azurermResourceGroupEurope.location,
    name: "europe",
    resourceGroupName: azurermResourceGroupEurope.name,
  }
);
// overrideLogicalId makes the Terraform resource name match the original HCL
// name. You can remove these calls if you don't need them to match.
azurermVirtualNetworkEurope.overrideLogicalId("europe");
const azurermVirtualNetworkUs = new azurerm.virtualNetwork.VirtualNetwork(
  this,
  "us_3",
  {
    addressSpace: ["10.0.0.0/16"],
    location: azurermResourceGroupUs.location,
    name: "us",
    resourceGroupName: azurermResourceGroupUs.name,
  }
);
azurermVirtualNetworkUs.overrideLogicalId("us");
const azurermPublicIpEurope = new azurerm.publicIp.PublicIp(this, "europe_4", {
  allocationMethod: "Dynamic",
  location: azurermResourceGroupEurope.location,
  name: "europe",
  resourceGroupName: azurermResourceGroupEurope.name,
});
azurermPublicIpEurope.overrideLogicalId("europe");
const azurermPublicIpUs = new azurerm.publicIp.PublicIp(this, "us_5", {
  allocationMethod: "Dynamic",
  location: azurermResourceGroupUs.location,
  name: "us",
  resourceGroupName: azurermResourceGroupUs.name,
});
azurermPublicIpUs.overrideLogicalId("us");
// Each VNet needs a subnet named exactly "GatewaySubnet" for its gateway.
const azurermSubnetEuropeGateway = new azurerm.subnet.Subnet(
  this,
  "europe_gateway",
  {
    addressPrefixes: ["10.1.1.0/24"],
    name: "GatewaySubnet",
    resourceGroupName: azurermResourceGroupEurope.name,
    virtualNetworkName: azurermVirtualNetworkEurope.name,
  }
);
const azurermSubnetUsGateway = new azurerm.subnet.Subnet(this, "us_gateway", {
  addressPrefixes: ["10.0.1.0/24"],
  name: "GatewaySubnet",
  resourceGroupName: azurermResourceGroupUs.name,
  virtualNetworkName: azurermVirtualNetworkUs.name,
});
const azurermVirtualNetworkGatewayEurope =
  new azurerm.virtualNetworkGateway.VirtualNetworkGateway(this, "europe_8", {
    ipConfiguration: [
      {
        privateIpAddressAllocation: "Dynamic",
        publicIpAddressId: azurermPublicIpEurope.id,
        subnetId: azurermSubnetEuropeGateway.id,
      },
    ],
    location: azurermResourceGroupEurope.location,
    name: "europe-gateway",
    resourceGroupName: azurermResourceGroupEurope.name,
    sku: "Basic",
    type: "Vpn",
    vpnType: "RouteBased",
  });
azurermVirtualNetworkGatewayEurope.overrideLogicalId("europe");
const azurermVirtualNetworkGatewayUs =
  new azurerm.virtualNetworkGateway.VirtualNetworkGateway(this, "us_9", {
    ipConfiguration: [
      {
        privateIpAddressAllocation: "Dynamic",
        publicIpAddressId: azurermPublicIpUs.id,
        subnetId: azurermSubnetUsGateway.id,
      },
    ],
    location: azurermResourceGroupUs.location,
    name: "us-gateway",
    resourceGroupName: azurermResourceGroupUs.name,
    sku: "Basic",
    type: "Vpn",
    vpnType: "RouteBased",
  });
azurermVirtualNetworkGatewayUs.overrideLogicalId("us");
// Placeholder pre-shared key shared by both directions of the tunnel. In real
// code read it from a sensitive TerraformVariable or Key Vault; never commit it.
const vnet2VnetSharedKey = "4-v3ry-53cr37-1p53c-5h4r3d-k3y";
new azurerm.virtualNetworkGatewayConnection.VirtualNetworkGatewayConnection(
  this,
  "europe_to_us",
  {
    location: azurermResourceGroupEurope.location,
    name: "europe-to-us",
    peerVirtualNetworkGatewayId: azurermVirtualNetworkGatewayUs.id,
    resourceGroupName: azurermResourceGroupEurope.name,
    sharedKey: vnet2VnetSharedKey,
    type: "Vnet2Vnet",
    virtualNetworkGatewayId: azurermVirtualNetworkGatewayEurope.id,
  }
);
new azurerm.virtualNetworkGatewayConnection.VirtualNetworkGatewayConnection(
  this,
  "us_to_europe",
  {
    location: azurermResourceGroupUs.location,
    name: "us-to-europe",
    peerVirtualNetworkGatewayId: azurermVirtualNetworkGatewayEurope.id,
    resourceGroupName: azurermResourceGroupUs.name,
    sharedKey: vnet2VnetSharedKey,
    type: "Vnet2Vnet",
    virtualNetworkGatewayId: azurermVirtualNetworkGatewayUs.id,
  }
);
```
## Argument Reference

The following arguments are supported:

- `name` - (Required) The name of the connection. Changing the name forces a new resource to be created.
- `resourceGroupName` - (Required) The name of the resource group in which to create the connection. Changing this forces a new resource to be created.
- `location` - (Required) The location/region where the connection is located. Changing this forces a new resource to be created.
- `type` - (Required) The type of connection. Valid options are `IPsec` (Site-to-Site), `ExpressRoute` (ExpressRoute), and `Vnet2Vnet` (VNet-to-VNet). Each connection type requires different mandatory arguments (refer to the examples above). Changing this forces a new resource to be created.
- `virtualNetworkGatewayId` - (Required) The ID of the Virtual Network Gateway in which the connection will be created. Changing this forces a new resource to be created.
- `authorizationKey` - (Optional) The authorization key associated with the Express Route Circuit. This field is required only if the type is an ExpressRoute connection.
- `dpdTimeoutSeconds` - (Optional) The dead peer detection timeout of this connection in seconds. Changing this forces a new resource to be created.
- `expressRouteCircuitId` - (Optional) The ID of the Express Route Circuit when creating an ExpressRoute connection (i.e. when `type` is `ExpressRoute`). The Express Route Circuit can be in the same or in a different subscription. Changing this forces a new resource to be created.
- `peerVirtualNetworkGatewayId` - (Optional) The ID of the peer virtual network gateway when creating a VNet-to-VNet connection (i.e. when `type` is `Vnet2Vnet`). The peer Virtual Network Gateway can be in the same or in a different subscription. Changing this forces a new resource to be created.
- `localAzureIpAddressEnabled` - (Optional) Use a private local Azure IP for the connection. Changing this forces a new resource to be created.
- `localNetworkGatewayId` - (Optional) The ID of the local network gateway when creating a Site-to-Site connection (i.e. when `type` is `IPsec`).
- `routingWeight` - (Optional) The routing weight. Defaults to `10`.
- `sharedKey` - (Optional) The shared IPsec key. A key can be provided if a Site-to-Site, VNet-to-VNet or ExpressRoute connection is created. Treat it as a secret: it ends up in Terraform state, so protect the state backend and feed the value in from a sensitive variable or a Key Vault secret rather than a literal in source.
- `connectionMode` - (Optional) Connection mode to use. Possible values are `Default`, `InitiatorOnly` and `ResponderOnly`. Defaults to `Default`. Changing this forces a new resource to be created.
- `connectionProtocol` - (Optional) The IKE protocol version to use. Possible values are `IKEv1` and `IKEv2`. Defaults to `IKEv2`. Changing this forces a new resource to be created.

-> Note: Only valid for `IPsec` connections on virtual network gateways with SKU `VpnGw1`, `VpnGw2`, `VpnGw3`, `VpnGw1AZ`, `VpnGw2AZ` or `VpnGw3AZ`.

- `enableBgp` - (Optional) If `true`, BGP (Border Gateway Protocol) is enabled for this connection. Defaults to `false`.
- `customBgpAddresses` - (Optional) A `customBgpAddresses` (Border Gateway Protocol custom IP Addresses) block which is documented below. The block can only be used on `IPsec`/active-active connections. For details see the relevant section in the Azure documentation.
- `expressRouteGatewayBypass` - (Optional) If `true`, data packets will bypass the ExpressRoute Gateway for data forwarding. This is only valid for ExpressRoute connections.
- `egressNatRuleIds` - (Optional) A list of the egress NAT Rule IDs.
- `ingressNatRuleIds` - (Optional) A list of the ingress NAT Rule IDs.
- `usePolicyBasedTrafficSelectors` - (Optional) If `true`, policy-based traffic selectors are enabled for this connection. Enabling policy-based traffic selectors requires an `ipsecPolicy` block. Defaults to `false`.
- `ipsecPolicy` - (Optional) An `ipsecPolicy` block which is documented below. Only a single policy can be defined for a connection. For details on custom policies refer to the relevant section in the Azure documentation.
- `trafficSelectorPolicy` - (Optional) One or more `trafficSelectorPolicy` blocks which are documented below. A `trafficSelectorPolicy` allows you to specify a traffic selector policy proposal to be used in a virtual network gateway connection. For details about traffic selectors refer to the relevant section in the Azure documentation.
- `tags` - (Optional) A mapping of tags to assign to the resource.
The `customBgpAddresses` block supports:

- `primary` - (Required) A single IP address that is part of the `azurermVirtualNetworkGateway` `ip_configuration` (first one).
- `secondary` - (Required) A single IP address that is part of the `azurermVirtualNetworkGateway` `ip_configuration` (second one).
The `ipsecPolicy` block supports:

- `dhGroup` - (Required) The DH group used in IKE phase 1 for the initial SA. Valid options are `DHGroup1`, `DHGroup14`, `DHGroup2`, `DHGroup2048`, `DHGroup24`, `ECP256`, `ECP384`, or `None`.
- `ikeEncryption` - (Required) The IKE encryption algorithm. Valid options are `AES128`, `AES192`, `AES256`, `DES`, `DES3`, `GCMAES128`, or `GCMAES256`.
- `ikeIntegrity` - (Required) The IKE integrity algorithm. Valid options are `GCMAES128`, `GCMAES256`, `MD5`, `SHA1`, `SHA256`, or `SHA384`.
- `ipsecEncryption` - (Required) The IPsec encryption algorithm. Valid options are `AES128`, `AES192`, `AES256`, `DES`, `DES3`, `GCMAES128`, `GCMAES192`, `GCMAES256`, or `None`.
- `ipsecIntegrity` - (Required) The IPsec integrity algorithm. Valid options are `GCMAES128`, `GCMAES192`, `GCMAES256`, `MD5`, `SHA1`, or `SHA256`.
- `pfsGroup` - (Required) The DH group used in IKE phase 2 for new child SAs. Valid options are `ECP256`, `ECP384`, `PFS1`, `PFS14`, `PFS2`, `PFS2048`, `PFS24`, `PFSMM`, or `None`.
- `saDatasize` - (Optional) The IPsec SA payload size in KB. Must be at least `1024` KB. Defaults to `102400000` KB.
- `saLifetime` - (Optional) The IPsec SA lifetime in seconds. Must be at least `300` seconds. Defaults to `27000` seconds.

The API accepts `DES`, `DES3`, `MD5`, `SHA1`, the 768-bit and 1024-bit MODP groups (`DHGroup1`, `DHGroup2`, `PFS1`, `PFS2`) and `None` for compatibility with legacy peers; `None` as `ipsecEncryption` or `pfsGroup` switches that protection off entirely. For a new connection prefer AES-GCM or `AES256` with `SHA256`/`SHA384`, and an `ECP` or 2048-bit-and-above group for both `dhGroup` and `pfsGroup`.
The `trafficSelectorPolicy` block supports:

- `localAddressCidrs` - (Required) List of local CIDRs.
- `remoteAddressCidrs` - (Required) List of remote CIDRs.
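The argument reference and the `ipsecPolicy` block above state several rules that only surface as an apply-time error (or, for weak algorithms, never surface at all): each `type` has its own mandatory peer argument, `connectionProtocol` is restricted to `IPsec` connections on VpnGw SKUs, `customBgpAddresses` is limited to `IPsec`/active-active, `usePolicyBasedTrafficSelectors` needs an `ipsecPolicy`, and `saLifetime`/`saDatasize` have minimums. The following plain TypeScript linter is an added example, not code from the azurerm provider or CDKTF; it checks a connection definition against those rules before synthesis. The `ConnectionConfig` shape, the function names, the `gatewaySku`/`gatewayActiveActive` fields (copied from the referenced gateway), the 32-character key minimum and the made-up resource IDs are this example's own assumptions; the `enableBgp` check on `customBgpAddresses` is likewise an assumption rather than a documented rule.

```typescript
// Added example (not part of the azurerm provider or CDKTF): a pre-apply linter
// for azurermVirtualNetworkGatewayConnection settings. The config is a plain
// object mirroring the resource arguments so it runs without cdktf; gatewaySku
// and gatewayActiveActive carry the referenced gateway's settings.
type ConnectionType = "IPsec" | "ExpressRoute" | "Vnet2Vnet";

interface IpsecPolicy {
  dhGroup: string; ikeEncryption: string; ikeIntegrity: string;
  ipsecEncryption: string; ipsecIntegrity: string; pfsGroup: string;
  saDatasize?: number; // KB
  saLifetime?: number; // seconds
}

interface ConnectionConfig {
  name: string;
  type: ConnectionType;
  gatewaySku: string;
  gatewayActiveActive?: boolean;
  localNetworkGatewayId?: string;
  peerVirtualNetworkGatewayId?: string;
  expressRouteCircuitId?: string;
  sharedKey?: string;
  connectionProtocol?: "IKEv1" | "IKEv2";
  enableBgp?: boolean;
  customBgpAddresses?: { primary: string; secondary: string };
  usePolicyBasedTrafficSelectors?: boolean;
  ipsecPolicy?: IpsecPolicy;
}

// Legacy ciphers, MD5/SHA1 integrity, 768/1024-bit MODP groups, and "None"
// (which switches that protection off). All are accepted by the API.
const WEAK = new Set(["DES", "DES3", "MD5", "SHA1", "DHGroup1", "DHGroup2", "PFS1", "PFS2", "None"]);
const VPNGW_SKUS = new Set(["VpnGw1", "VpnGw2", "VpnGw3", "VpnGw1AZ", "VpnGw2AZ", "VpnGw3AZ"]);
const DOC_PLACEHOLDER_KEY = "4-v3ry-53cr37-1p53c-5h4r3d-k3y";
const MIN_SHARED_KEY_CHARS = 32; // assumed local policy, not an Azure limit

function lintIpsecPolicy(name: string, p: IpsecPolicy): string[] {
  const out: string[] = [];
  const algs: (keyof IpsecPolicy)[] = ["dhGroup", "ikeEncryption", "ikeIntegrity", "ipsecEncryption", "ipsecIntegrity", "pfsGroup"];
  for (const f of algs) {
    if (WEAK.has(String(p[f]))) out.push(`${name}: ipsecPolicy.${f}=${p[f]} is weak or disabled`);
  }
  // Minimums stated in the ipsecPolicy reference.
  if (p.saLifetime !== undefined && p.saLifetime < 300) out.push(`${name}: saLifetime must be at least 300 seconds`);
  if (p.saDatasize !== undefined && p.saDatasize < 1024) out.push(`${name}: saDatasize must be at least 1024 KB`);
  return out;
}

function lintConnection(c: ConnectionConfig): string[] {
  const findings: string[] = [];
  const need = (ok: boolean, msg: string) => { if (!ok) findings.push(`${c.name}: ${msg}`); };

  // Each type has its own mandatory peer argument.
  if (c.type === "IPsec") need(!!c.localNetworkGatewayId, "IPsec connection requires localNetworkGatewayId");
  if (c.type === "Vnet2Vnet") need(!!c.peerVirtualNetworkGatewayId, "Vnet2Vnet connection requires peerVirtualNetworkGatewayId");
  if (c.type === "ExpressRoute") need(!!c.expressRouteCircuitId, "ExpressRoute connection requires expressRouteCircuitId");

  // IPsec and Vnet2Vnet tunnels authenticate with the pre-shared key.
  if (c.type !== "ExpressRoute") need(!!c.sharedKey, "no sharedKey set");
  if (c.sharedKey !== undefined) {
    need(c.sharedKey !== DOC_PLACEHOLDER_KEY, "sharedKey is the documentation placeholder");
    need(c.sharedKey.length >= MIN_SHARED_KEY_CHARS, `sharedKey shorter than ${MIN_SHARED_KEY_CHARS} characters (local policy)`);
  }

  // connectionProtocol is only valid for IPsec connections on VpnGw SKUs; IKEv1 is the legacy choice.
  if (c.connectionProtocol !== undefined) {
    need(c.type === "IPsec" && VPNGW_SKUS.has(c.gatewaySku), "connectionProtocol is only valid for IPsec connections on VpnGw1/2/3(AZ) gateways");
    need(c.connectionProtocol === "IKEv2", "connectionProtocol IKEv1 selected; prefer IKEv2");
  }

  // customBgpAddresses is documented for IPsec/active-active only; the enableBgp
  // requirement is this example's assumption.
  if (c.customBgpAddresses !== undefined) {
    need(c.type === "IPsec" && c.gatewayActiveActive === true, "customBgpAddresses requires an IPsec connection on an active-active gateway");
    need(c.enableBgp === true, "customBgpAddresses set but enableBgp is not true");
  }

  if (c.usePolicyBasedTrafficSelectors) need(c.ipsecPolicy !== undefined, "usePolicyBasedTrafficSelectors requires an ipsecPolicy block");
  if (c.ipsecPolicy) findings.push(...lintIpsecPolicy(c.name, c.ipsecPolicy));
  return findings;
}

// Constructed inputs: the page's Site-to-Site example as written, and a
// hardened variant with a custom policy. The resource ID is made up.
const DOC_EXAMPLE: ConnectionConfig = {
  name: "onpremise", type: "IPsec", gatewaySku: "Basic",
  localNetworkGatewayId: "lng-onpremise-id", sharedKey: DOC_PLACEHOLDER_KEY,
};
const HARDENED_EXAMPLE: ConnectionConfig = {
  name: "onpremise-hardened", type: "IPsec", gatewaySku: "VpnGw2", gatewayActiveActive: false,
  localNetworkGatewayId: "lng-onpremise-id",
  sharedKey: "EXAMPLE-ONLY-replace-with-Key-Vault-secret-01", // would come from a sensitive variable
  connectionProtocol: "IKEv2",
  ipsecPolicy: {
    dhGroup: "ECP384", ikeEncryption: "AES256", ikeIntegrity: "SHA384",
    ipsecEncryption: "GCMAES256", ipsecIntegrity: "GCMAES256", pfsGroup: "ECP384",
    saLifetime: 3600, saDatasize: 102400000,
  },
};
```

Run `lintConnection(DOC_EXAMPLE)` and it reports the placeholder key (and its length under the assumed policy); `lintConnection(HARDENED_EXAMPLE)` comes back empty. Wiring this into a unit test of the stack's config objects catches a leaked placeholder or a `DES3`/`SHA1` policy at review time instead of after the tunnel is up.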
## Attributes Reference

The following attributes are exported:

- `id` - The ID of the Virtual Network Gateway Connection.
## Timeouts

The `timeouts` block allows you to specify timeouts for certain actions:

- `create` - (Defaults to 30 minutes) Used when creating the Virtual Network Gateway Connection.
- `update` - (Defaults to 30 minutes) Used when updating the Virtual Network Gateway Connection.
- `read` - (Defaults to 5 minutes) Used when retrieving the Virtual Network Gateway Connection.
- `delete` - (Defaults to 30 minutes) Used when deleting the Virtual Network Gateway Connection.
## Import

Virtual Network Gateway Connections can be imported using their `resourceId`, e.g.