azurermVpnGatewayConnection

Manages a VPN Gateway Connection.

Example Usage

/* Provider bindings are generated by running cdktf get.
   See https://cdk.tf/provider-generation for more details. */
import { Construct } from "constructs";
import { App, TerraformStack } from "cdktf";
import * as azurerm from "./.gen/providers/azurerm";

/* This snippet was produced by `cdktf convert` without provider schema
   information (pass --provider to convert for a more precise conversion).
   The resources are declared inside a stack so that `this` is a valid
   Construct scope, and the property names use the camelCase form exposed by
   the generated bindings. */
class VpnGatewayConnectionStack extends TerraformStack {
  constructor(scope: Construct, id: string) {
    super(scope, id);

    const azurermResourceGroupExample = new azurerm.resourceGroup.ResourceGroup(
      this,
      "example",
      {
        location: "West Europe",
        name: "example-resources",
      }
    );
    const azurermVirtualWanExample = new azurerm.virtualWan.VirtualWan(
      this,
      "example_1",
      {
        location: azurermResourceGroupExample.location,
        name: "example-vwan",
        resourceGroupName: azurermResourceGroupExample.name,
      }
    );
    /* This allows the Terraform resource name to match the original name.
       You can remove the call if you don't need them to match. The same
       applies to every overrideLogicalId call below. */
    azurermVirtualWanExample.overrideLogicalId("example");
    const azurermVpnSiteExample = new azurerm.vpnSite.VpnSite(this, "example_2", {
      link: [
        {
          ipAddress: "10.1.0.0",
          name: "link1",
        },
        {
          ipAddress: "10.2.0.0",
          name: "link2",
        },
      ],
      location: azurermResourceGroupExample.location,
      name: "example-vpn-site",
      resourceGroupName: azurermResourceGroupExample.name,
      virtualWanId: azurermVirtualWanExample.id,
    });
    azurermVpnSiteExample.overrideLogicalId("example");
    const azurermVirtualHubExample = new azurerm.virtualHub.VirtualHub(
      this,
      "example_3",
      {
        addressPrefix: "10.0.0.0/24",
        location: azurermResourceGroupExample.location,
        name: "example-hub",
        resourceGroupName: azurermResourceGroupExample.name,
        virtualWanId: azurermVirtualWanExample.id,
      }
    );
    azurermVirtualHubExample.overrideLogicalId("example");
    const azurermVpnGatewayExample = new azurerm.vpnGateway.VpnGateway(
      this,
      "example_4",
      {
        location: azurermResourceGroupExample.location,
        name: "example-vpng",
        resourceGroupName: azurermResourceGroupExample.name,
        virtualHubId: azurermVirtualHubExample.id,
      }
    );
    azurermVpnGatewayExample.overrideLogicalId("example");
    const azurermVpnGatewayConnectionExample =
      new azurerm.vpnGatewayConnection.VpnGatewayConnection(this, "example_5", {
        name: "example",
        remoteVpnSiteId: azurermVpnSiteExample.id,
        vpnGatewayId: azurermVpnGatewayExample.id,
        /* Each vpnLink references the computed id of the matching link block
           on the VPN Site through the list accessor of the generated bindings. */
        vpnLink: [
          {
            name: "link1",
            vpnSiteLinkId: azurermVpnSiteExample.link.get(0).id,
          },
          {
            name: "link2",
            vpnSiteLinkId: azurermVpnSiteExample.link.get(1).id,
          },
        ],
      });
    azurermVpnGatewayConnectionExample.overrideLogicalId("example");
  }
}

const app = new App();
new VpnGatewayConnectionStack(app, "vpn-gateway-connection");
app.synth();

Arguments Reference

The following arguments are supported:

  • name - (Required) The name which should be used for this VPN Gateway Connection. Changing this forces a new VPN Gateway Connection to be created.

  • remoteVpnSiteId - (Required) The ID of the remote VPN Site, which will connect to the VPN Gateway. Changing this forces a new VPN Gateway Connection to be created.

  • vpnGatewayId - (Required) The ID of the VPN Gateway that this VPN Gateway Connection belongs to. Changing this forces a new VPN Gateway Connection to be created.

  • vpnLink - (Required) One or more vpnLink blocks as defined below.

  • internetSecurityEnabled - (Optional) Whether Internet Security is enabled for this VPN Connection. Defaults to false.

  • routing - (Optional) A routing block as defined below. If this is not specified, there will be a default route table created implicitly.

  • trafficSelectorPolicy - (Optional) One or more trafficSelectorPolicy blocks as defined below.


An ipsecPolicy block supports the following:

  • dhGroup - (Required) The Diffie-Hellman group used in IKE Phase 1 for the initial SA. Possible values are none, dhGroup1, dhGroup2, dhGroup14, dhGroup24, dhGroup2048, ecp256, ecp384.

  • ikeEncryptionAlgorithm - (Required) The IKE encryption algorithm (IKE phase 2). Possible values are des, des3, aes128, aes192, aes256, gcmaes128, gcmaes256.

  • ikeIntegrityAlgorithm - (Required) The IKE integrity algorithm (IKE phase 2). Possible values are md5, sha1, sha256, sha384, gcmaes128, gcmaes256.

  • encryptionAlgorithm - (Required) The IPSec encryption algorithm (IKE phase 1). Possible values are aes128, aes192, aes256, des, des3, gcmaes128, gcmaes192, gcmaes256, none.

  • integrityAlgorithm - (Required) The IPSec integrity algorithm (IKE phase 1). Possible values are md5, sha1, sha256, gcmaes128, gcmaes192, gcmaes256.

  • pfsGroup - (Required) The PFS group used in IKE Phase 2 for the new child SA. Possible values are none, pfs1, pfs2, pfs14, pfs24, pfs2048, pfsmm, ecp256, ecp384.

  • saDataSizeKb - (Required) The IPSec Security Association (also called Quick Mode or Phase 2 SA) payload size in KB for the site-to-site VPN tunnel.

  • saLifetimeSec - (Required) The IPSec Security Association (also called Quick Mode or Phase 2 SA) lifetime in seconds for the site-to-site VPN tunnel.


A vpnLink block supports the following:

  • name - (Required) The name which should be used for this VPN Link Connection.

  • egressNatRuleIds - (Optional) A list of the egress NAT Rule IDs.

  • ingressNatRuleIds - (Optional) A list of the ingress NAT Rule IDs.

  • vpnSiteLinkId - (Required) The ID of the connected VPN Site Link. Changing this forces a new VPN Gateway Connection to be created.

  • bandwidthMbps - (Optional) The expected connection bandwidth in Mbps. Defaults to 10.

  • bgpEnabled - (Optional) Should BGP be enabled? Defaults to false. Changing this forces a new VPN Gateway Connection to be created.

  • connectionMode - (Optional) The connection mode of this VPN Link. Possible values are default, initiatorOnly and responderOnly. Defaults to default.

  • ipsecPolicy - (Optional) One or more ipsecPolicy blocks as defined above.

  • protocol - (Optional) The protocol used for this VPN Link Connection. Possible values are ikEv1 and ikEv2. Defaults to ikEv2.

  • ratelimitEnabled - (Optional) Should the rate limit be enabled? Defaults to false.

  • routeWeight - (Optional) Routing weight for this VPN Link Connection. Defaults to 0.

  • sharedKey - (Optional) The shared key (IPsec pre-shared key) for this VPN Link Connection. Like every argument value it is recorded in the Terraform state, so protect the state accordingly and supply the key from a variable or secret store rather than a literal in the configuration.

  • localAzureIpAddressEnabled - (Optional) Whether to use a local Azure IP address to initiate the connection. Defaults to false.

  • policyBasedTrafficSelectorEnabled - (Optional) Whether to enable policy-based traffic selectors. Defaults to false.

  • customBgpAddress - (Optional) One or more customBgpAddress blocks as defined below.
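The following is an added example, not code from the provider documentation or the provider itself: a small TypeScript linter for the vpnLink and ipsecPolicy shapes described in the two blocks above. The interfaces mirror the documented argument names and the allowed-value lists are copied from the page; the classification of values as "weak", the rule that an AES-GCM cipher must be paired with the same gcmaes integrity value, and the Phase 2 SA minimums (300 seconds, 1024 KB) are this example's own assumptions drawn from current IPsec guidance and Azure's IPsec/IKE policy documentation, not from this page. The sample policies and the vpnSiteLinkId placeholder are constructed values.

```typescript
// Added example: lint vpnLink / ipsecPolicy values against the documented
// value lists and against stricter (assumed) security guidance.

interface IpsecPolicy {
  dhGroup: string;
  ikeEncryptionAlgorithm: string;
  ikeIntegrityAlgorithm: string;
  encryptionAlgorithm: string;
  integrityAlgorithm: string;
  pfsGroup: string;
  saDataSizeKb: number;
  saLifetimeSec: number;
}

interface VpnLink {
  name: string;
  vpnSiteLinkId: string;
  protocol?: "ikEv1" | "ikEv2";
  bgpEnabled?: boolean;
  ipsecPolicy?: IpsecPolicy[];
}

type AlgorithmField = Exclude<keyof IpsecPolicy, "saDataSizeKb" | "saLifetimeSec">;

// Documented possible values per field (copied from the ipsecPolicy block).
const ALLOWED: Record<AlgorithmField, readonly string[]> = {
  dhGroup: ["none", "dhGroup1", "dhGroup2", "dhGroup14", "dhGroup24", "dhGroup2048", "ecp256", "ecp384"],
  ikeEncryptionAlgorithm: ["des", "des3", "aes128", "aes192", "aes256", "gcmaes128", "gcmaes256"],
  ikeIntegrityAlgorithm: ["md5", "sha1", "sha256", "sha384", "gcmaes128", "gcmaes256"],
  encryptionAlgorithm: ["aes128", "aes192", "aes256", "des", "des3", "gcmaes128", "gcmaes192", "gcmaes256", "none"],
  integrityAlgorithm: ["md5", "sha1", "sha256", "gcmaes128", "gcmaes192", "gcmaes256"],
  pfsGroup: ["none", "pfs1", "pfs2", "pfs14", "pfs24", "pfs2048", "pfsmm", "ecp256", "ecp384"],
};

// Accepted by the provider but deprecated by current guidance (assumption):
// DES/3DES, MD5/SHA-1, DH groups of 1024 bits or less, and no PFS.
const WEAK: Record<AlgorithmField, readonly string[]> = {
  dhGroup: ["none", "dhGroup1", "dhGroup2"],
  ikeEncryptionAlgorithm: ["des", "des3"],
  ikeIntegrityAlgorithm: ["md5", "sha1"],
  encryptionAlgorithm: ["des", "des3", "none"],
  integrityAlgorithm: ["md5", "sha1"],
  pfsGroup: ["none", "pfs1", "pfs2"],
};

const ALGORITHM_FIELDS = Object.keys(ALLOWED) as AlgorithmField[];

// Returns one finding per problem; an empty array means the policy is clean.
function lintIpsecPolicy(p: IpsecPolicy): string[] {
  const findings: string[] = [];
  for (const field of ALGORITHM_FIELDS) {
    const value = p[field];
    if (ALLOWED[field].indexOf(value) === -1) {
      findings.push(`${field}: "${value}" is not a documented value`);
    } else if (WEAK[field].indexOf(value) !== -1) {
      findings.push(`${field}: "${value}" is deprecated or weak`);
    }
  }
  // AES-GCM is an AEAD cipher; Azure requires the IPsec integrity value to be
  // the same gcmaes value as the encryption algorithm (assumption, see lead-in).
  const isGcm = (v: string) => v.indexOf("gcmaes") === 0;
  if ((isGcm(p.encryptionAlgorithm) || isGcm(p.integrityAlgorithm)) &&
      p.encryptionAlgorithm !== p.integrityAlgorithm) {
    findings.push(`encryptionAlgorithm "${p.encryptionAlgorithm}" and integrityAlgorithm "${p.integrityAlgorithm}" must use the same GCM value`);
  }
  // Assumed Phase 2 SA minimums from Azure's policy documentation.
  if (p.saLifetimeSec < 300) findings.push(`saLifetimeSec: ${p.saLifetimeSec} is below the 300 s minimum`);
  if (p.saDataSizeKb < 1024) findings.push(`saDataSizeKb: ${p.saDataSizeKb} is below the 1024 KB minimum`);
  return findings;
}

// Lints a whole vpnLink block: the protocol choice plus every ipsecPolicy entry.
function lintVpnLink(link: VpnLink): string[] {
  const findings: string[] = [];
  if (link.protocol === "ikEv1") {
    findings.push(`${link.name}: protocol ikEv1 is legacy; prefer the default ikEv2`);
  }
  const policies = link.ipsecPolicy || [];
  for (let i = 0; i < policies.length; i++) {
    for (const f of lintIpsecPolicy(policies[i])) {
      findings.push(`${link.name}.ipsecPolicy[${i}]: ${f}`);
    }
  }
  return findings;
}

// Constructed sample values (not from the page).
const WEAK_POLICY: IpsecPolicy = {
  dhGroup: "dhGroup2", ikeEncryptionAlgorithm: "des3", ikeIntegrityAlgorithm: "sha1",
  encryptionAlgorithm: "des3", integrityAlgorithm: "md5", pfsGroup: "none",
  saDataSizeKb: 102400000, saLifetimeSec: 3600,
};
const HARDENED_POLICY: IpsecPolicy = {
  dhGroup: "ecp384", ikeEncryptionAlgorithm: "aes256", ikeIntegrityAlgorithm: "sha384",
  encryptionAlgorithm: "gcmaes256", integrityAlgorithm: "gcmaes256", pfsGroup: "ecp384",
  saDataSizeKb: 102400000, saLifetimeSec: 27000,
};
const LINK1: VpnLink = {
  name: "link1",
  vpnSiteLinkId: "<vpn-site-link-id placeholder>",
  protocol: "ikEv2",
  bgpEnabled: true,
  ipsecPolicy: [HARDENED_POLICY],
};

for (const f of lintVpnLink({ ...LINK1, ipsecPolicy: [WEAK_POLICY] })) console.log(f);
```

The HARDENED_POLICY object has exactly the shape the ipsecPolicy list of a vpnLink block expects, so it can be dropped into the CDKTF configuration from the Example Usage section once the placeholder vpnSiteLinkId is replaced by the real link reference.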


A routing block supports the following:

  • associatedRouteTable - (Required) The ID of the Route Table associated with this VPN Connection.

  • propagatedRouteTable - (Optional) A propagatedRouteTable block as defined below.

  • inboundRouteMapId - (Optional) The resource ID of the Route Map associated with this Routing Configuration for inbound learned routes.

  • outboundRouteMapId - (Optional) The resource ID of the Route Map associated with this Routing Configuration for outbound advertised routes.


A trafficSelectorPolicy block supports the following:

  • localAddressRanges - (Required) A list of local address spaces in CIDR format for this VPN Gateway Connection.

  • remoteAddressRanges - (Required) A list of remote address spaces in CIDR format for this VPN Gateway Connection.


A propagatedRouteTable block supports the following:

  • routeTableIds - (Required) A list of Route Table IDs to associate with this VPN Gateway Connection.

  • labels - (Optional) A list of labels to assign to this route table.


A customBgpAddress block supports the following:

  • ipAddress - (Required) The custom BGP IP address which belongs to the IP Configuration.

  • ipConfigurationId - (Required) The ID of the IP Configuration which belongs to the VPN Gateway.

Attributes Reference

In addition to the Arguments listed above, the following Attributes are exported:

  • id - The ID of the VPN Gateway Connection.

Timeouts

The timeouts block allows you to specify timeouts for certain actions:

  • create - (Defaults to 30 minutes) Used when creating the VPN Gateway Connection.
  • read - (Defaults to 5 minutes) Used when retrieving the VPN Gateway Connection.
  • update - (Defaults to 30 minutes) Used when updating the VPN Gateway Connection.
  • delete - (Defaults to 30 minutes) Used when deleting the VPN Gateway Connection.

Import

VPN Gateway Connections can be imported using the resource ID, e.g.

terraform import azurerm_vpn_gateway_connection.example /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/mygroup1/providers/Microsoft.Network/vpnGateways/gateway1/vpnConnections/conn1