azurermVpnGatewayConnection
Manages a VPN Gateway Connection.
Example Usage
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as azurerm from "./.gen/providers/azurerm";
/*The following providers are missing schema information and might need manual adjustments to synthesize correctly: azurerm.
For a more precise conversion please use the --provider flag in convert.*/
const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
  this,
  "example",
  {
    location: "West Europe",
    name: "example-resources",
  }
);
const azurermVirtualWanExample = new azurerm.virtualWan.VirtualWan(
  this,
  "example_1",
  {
    location: azurermResourceGroupExample.location,
    name: "example-vwan",
    resourceGroupName: azurermResourceGroupExample.name,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermVirtualWanExample.overrideLogicalId("example");
const azurermVpnSiteExample = new azurerm.vpnSite.VpnSite(this, "example_2", {
  link: [
    {
      ipAddress: "10.1.0.0",
      name: "link1",
    },
    {
      ipAddress: "10.2.0.0",
      name: "link2",
    },
  ],
  location: azurermResourceGroupExample.location,
  name: "example-vpn-site",
  resourceGroupName: azurermResourceGroupExample.name,
  virtualWanId: azurermVirtualWanExample.id,
});
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermVpnSiteExample.overrideLogicalId("example");
const azurermVirtualHubExample = new azurerm.virtualHub.VirtualHub(
  this,
  "example_3",
  {
    addressPrefix: "10.0.0.0/24",
    location: azurermResourceGroupExample.location,
    name: "example-hub",
    resourceGroupName: azurermResourceGroupExample.name,
    virtualWanId: azurermVirtualWanExample.id,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermVirtualHubExample.overrideLogicalId("example");
const azurermVpnGatewayExample = new azurerm.vpnGateway.VpnGateway(
  this,
  "example_4",
  {
    location: azurermResourceGroupExample.location,
    name: "example-vpng",
    resourceGroupName: azurermResourceGroupExample.name,
    virtualHubId: azurermVirtualHubExample.id,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermVpnGatewayExample.overrideLogicalId("example");
const azurermVpnGatewayConnectionExample =
  new azurerm.vpnGatewayConnection.VpnGatewayConnection(this, "example_5", {
    name: "example",
    remoteVpnSiteId: azurermVpnSiteExample.id,
    vpnGatewayId: azurermVpnGatewayExample.id,
    vpnLink: [
      {
        name: "link1",
        vpnSiteLinkId: `\${${azurermVpnSiteExample.link.fqn}[0].id}`,
      },
      {
        name: "link2",
        vpnSiteLinkId: `\${${azurermVpnSiteExample.link.fqn}[1].id}`,
      },
    ],
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
azurermVpnGatewayConnectionExample.overrideLogicalId("example");
Arguments Reference
The following arguments are supported:
- name - (Required) The name which should be used for this VPN Gateway Connection. Changing this forces a new VPN Gateway Connection to be created.
- remoteVpnSiteId - (Required) The ID of the remote VPN Site, which will connect to the VPN Gateway. Changing this forces a new VPN Gateway Connection to be created.
- vpnGatewayId - (Required) The ID of the VPN Gateway that this VPN Gateway Connection belongs to. Changing this forces a new VPN Gateway Connection to be created.
- vpnLink - (Required) One or more vpnLink blocks as defined below.
- internetSecurityEnabled - (Optional) Whether Internet Security is enabled for this VPN Connection. Defaults to false.
- routing - (Optional) A routing block as defined below. If this is not specified, there will be a default route table created implicitly.
- trafficSelectorPolicy - (Optional) One or more trafficSelectorPolicy blocks as defined below.
An ipsecPolicy block supports the following:
- dhGroup - (Required) The DH Group used in IKE Phase 1 for initial SA. Possible values are none, dhGroup1, dhGroup2, dhGroup14, dhGroup24, dhGroup2048, ecp256, ecp384.
- ikeEncryptionAlgorithm - (Required) The IKE encryption algorithm (IKE phase 2). Possible values are des, des3, aes128, aes192, aes256, gcmaes128, gcmaes256.
- ikeIntegrityAlgorithm - (Required) The IKE integrity algorithm (IKE phase 2). Possible values are md5, sha1, sha256, sha384, gcmaes128, gcmaes256.
- encryptionAlgorithm - (Required) The IPSec encryption algorithm (IKE phase 1). Possible values are aes128, aes192, aes256, des, des3, gcmaes128, gcmaes192, gcmaes256, none.
- integrityAlgorithm - (Required) The IPSec integrity algorithm (IKE phase 1). Possible values are md5, sha1, sha256, gcmaes128, gcmaes192, gcmaes256.
- pfsGroup - (Required) The Pfs Group used in IKE Phase 2 for the new child SA. Possible values are none, pfs1, pfs2, pfs14, pfs24, pfs2048, pfsmm, ecp256, ecp384.
- saDataSizeKb - (Required) The IPSec Security Association (also called Quick Mode or Phase 2 SA) payload size in KB for the site to site VPN tunnel.
- saLifetimeSec - (Required) The IPSec Security Association (also called Quick Mode or Phase 2 SA) lifetime in seconds for the site to site VPN tunnel.
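The ipsecPolicy value lists above include DES, 3DES, MD5, SHA-1, the 768-bit and 1024-bit groups (dhGroup1/dhGroup2, pfs1/pfs2) and none. The following is an added example, not part of the provider or its generated bindings: a check that can run over a policy object before it is passed to vpnLink. The IpsecPolicy interface, the WEAK table, auditIpsecPolicy and both sample policies are assumptions of this example.

```typescript
interface IpsecPolicy {
  dhGroup: string;
  ikeEncryptionAlgorithm: string;
  ikeIntegrityAlgorithm: string;
  encryptionAlgorithm: string;
  integrityAlgorithm: string;
  pfsGroup: string;
  saDataSizeKb: number;
  saLifetimeSec: number;
}

// Values from the "Possible values" lists that select deprecated primitives or
// switch a protection off. Which values to reject is this example's assumption.
const WEAK: Record<string, string[]> = {
  dhGroup: ["none", "dhgroup1", "dhgroup2"],
  ikeEncryptionAlgorithm: ["des", "des3"],
  ikeIntegrityAlgorithm: ["md5", "sha1"],
  encryptionAlgorithm: ["none", "des", "des3"],
  integrityAlgorithm: ["md5", "sha1"],
  pfsGroup: ["none", "pfs1", "pfs2"],
};

// Returns one "field: value" finding per weak setting; empty means the policy passes.
function auditIpsecPolicy(policy: IpsecPolicy): string[] {
  const findings: string[] = [];
  for (const field of Object.keys(WEAK)) {
    const value = String(policy[field as keyof IpsecPolicy]);
    // Case-insensitive match, since the casing of these values varies between sources.
    if ((WEAK[field] || []).indexOf(value.toLowerCase()) !== -1) {
      findings.push(`${field}: ${value}`);
    }
  }
  return findings;
}

// Constructed sample policies, using only values from the lists above.
const legacyPolicy: IpsecPolicy = {
  dhGroup: "dhGroup2", ikeEncryptionAlgorithm: "des3", ikeIntegrityAlgorithm: "sha1",
  encryptionAlgorithm: "none", integrityAlgorithm: "md5", pfsGroup: "none",
  saDataSizeKb: 102400000, saLifetimeSec: 27000,
};
const hardenedPolicy: IpsecPolicy = {
  ...legacyPolicy,
  dhGroup: "ecp384", ikeEncryptionAlgorithm: "aes256", ikeIntegrityAlgorithm: "sha384",
  encryptionAlgorithm: "gcmaes256", integrityAlgorithm: "gcmaes256", pfsGroup: "ecp384",
};
```

Calling auditIpsecPolicy in the stack constructor and throwing on a non-empty result stops synthesis before a weak policy reaches a plan.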
A vpnLink block supports the following:
- name - (Required) The name which should be used for this VPN Link Connection.
- egressNatRuleIds - (Optional) A list of the egress NAT Rule Ids.
- ingressNatRuleIds - (Optional) A list of the ingress NAT Rule Ids.
- vpnSiteLinkId - (Required) The ID of the connected VPN Site Link. Changing this forces a new VPN Gateway Connection to be created.
- bandwidthMbps - (Optional) The expected connection bandwidth in MBPS. Defaults to 10.
- bgpEnabled - (Optional) Should the BGP be enabled? Defaults to false. Changing this forces a new VPN Gateway Connection to be created.
- connectionMode - (Optional) The connection mode of this VPN Link. Possible values are default, initiatorOnly and responderOnly. Defaults to default.
- ipsecPolicy - (Optional) One or more ipsecPolicy blocks as defined above.
- protocol - (Optional) The protocol used for this VPN Link Connection. Possible values are ikEv1 and ikEv2. Defaults to ikEv2.
- ratelimitEnabled - (Optional) Should the rate limit be enabled? Defaults to false.
- routeWeight - (Optional) Routing weight for this VPN Link Connection. Defaults to 0.
- sharedKey - (Optional) SharedKey for this VPN Link Connection.
- localAzureIpAddressEnabled - (Optional) Whether to use local Azure IP to initiate connection? Defaults to false.
- policyBasedTrafficSelectorEnabled - (Optional) Whether to enable policy-based traffic selectors? Defaults to false.
- customBgpAddress - (Optional) One or more customBgpAddress blocks as defined below.
A routing block supports the following:
- associatedRouteTable - (Required) The ID of the Route Table associated with this VPN Connection.
- propagatedRouteTable - (Optional) A propagatedRouteTable block as defined below.
- inboundRouteMapId - (Optional) The resource ID of the Route Map associated with this Routing Configuration for inbound learned routes.
- outboundRouteMapId - (Optional) The resource ID of the Route Map associated with this Routing Configuration for outbound advertised routes.
A trafficSelectorPolicy block supports the following:
- localAddressRanges - (Required) A list of local address spaces in CIDR format for this VPN Gateway Connection.
- remoteAddressRanges - (Required) A list of remote address spaces in CIDR format for this VPN Gateway Connection.
A propagatedRouteTable block supports the following:
- routeTableIds - (Required) A list of Route Table IDs to associate with this VPN Gateway Connection.
- labels - (Optional) A list of labels to assign to this route table.
A customBgpAddress block supports the following:
- ipAddress - (Required) The custom BGP IP address which belongs to the IP Configuration.
- ipConfigurationId - (Required) The ID of the IP Configuration which belongs to the VPN Gateway.
Attributes Reference
In addition to the Arguments listed above - the following Attributes are exported:
- id - The ID of the VPN Gateway Connection.
Timeouts
The timeouts block allows you to specify timeouts for certain actions:
- create - (Defaults to 30 minutes) Used when creating the VPN Gateway Connection.
- read - (Defaults to 5 minutes) Used when retrieving the VPN Gateway Connection.
- update - (Defaults to 30 minutes) Used when updating the VPN Gateway Connection.
- delete - (Defaults to 30 minutes) Used when deleting the VPN Gateway Connection.
Import
VPN Gateway Connections can be imported using the resourceId, e.g.