Azure Network Gateway
This page shows how to write Terraform and Azure Resource Manager templates for Network Gateway, and how to write them securely.
azurerm_virtual_network_gateway (Terraform)
The Gateway in Network can be configured in Terraform with the resource name azurerm_virtual_network_gateway. The following sections describe 10 examples of how to use the resource and its parameters.
Example Usage from GitHub
resource "azurerm_virtual_network_gateway" "hubvpn" {
  name                = "hubvpn"
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name
  type                = "Vpn"
  # ... (remaining arguments elided in this excerpt)
}

resource "azurerm_virtual_network_gateway" "gw-rg1" {
  name                = "gw-rg1"
  location            = azurerm_resource_group.rg1.location
  resource_group_name = azurerm_resource_group.rg1.name
  type                = "Vpn"
  # ... (remaining arguments elided in this excerpt)
}

resource "azurerm_virtual_network_gateway" "hubvpngw" {
  name                = "hubvpngw"
  location            = var.location
  resource_group_name = azurerm_resource_group.rg.name
  type                = "Vpn"
  # ... (remaining arguments elided in this excerpt)
}
resource "azurerm_virtual_network_gateway" "Basic" {
  name                = "test"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name
  type                = "Vpn"
  # ... (remaining arguments elided in this excerpt)
}

resource "azurerm_virtual_network_gateway" "hubvpngw" {
  name                = var.vpngwname
  location            = var.location
  resource_group_name = var.resource_group_name
  tags                = var.tags
  # ... (remaining arguments elided in this excerpt)
}

resource "azurerm_virtual_network_gateway" "vpn-hub" {
  name                = "hod-ukw-prod-testinfra-vng-hub"
  resource_group_name = azurerm_resource_group.rsg-hub.name
  location            = var.location
  type                = "Vpn"
  # ... (remaining arguments elided in this excerpt)
}

resource "azurerm_virtual_network_gateway" "vng" {
  name                = "vpn-gateway"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  type                = "Vpn"
  # ... (remaining arguments elided in this excerpt)
}

resource "azurerm_virtual_network_gateway" "hub-vnet-gateway" {
  name                = "hub-vpn-gateway1"
  location            = azurerm_resource_group.hub-rg.location
  resource_group_name = azurerm_resource_group.hub-rg.name
  type                = "Vpn"
  # ... (remaining arguments elided in this excerpt)
}

resource "azurerm_virtual_network_gateway" "onprem_vpn_gateway" {
  name                = "onprem-vpn-gateway"
  location            = var.onprem_location
  resource_group_name = var.onprem_rg_name
  type                = "Vpn"
  # ... (remaining arguments elided in this excerpt)
}
Parameters
  active_active: optional, computed - bool
  default_local_network_gateway_id: optional - string
  enable_bgp: optional, computed - bool
  generation: optional, computed - string
  id: optional, computed - string
  location: required - string
  name: required - string
  private_ip_address_enabled: optional - bool
  resource_group_name: required - string
  sku: required - string
  tags: optional - map from string to string
  type: required - string
  vpn_type: optional - string
  bgp_settings (list block)
    asn: optional - number
    peer_weight: optional - number
    peering_address: optional, computed - string
    peering_addresses (list block)
      apipa_addresses: optional - list of string
      default_addresses: optional, computed - list of string
      ip_configuration_name: optional, computed - string
      tunnel_ip_addresses: optional, computed - list of string
  custom_route (list block)
    address_prefixes: optional - set of string
  ip_configuration (list block)
    name: optional - string
    private_ip_address_allocation: optional - string
    public_ip_address_id: required - string
    subnet_id: required - string
  timeouts (single block)
  vpn_client_configuration (list block)
    aad_audience: optional - string
    aad_issuer: optional - string
    aad_tenant: optional - string
    address_space: required - list of string
    radius_server_address: optional - string
    radius_server_secret: optional - string
    vpn_client_protocols: optional, computed - set of string
    revoked_certificate (set block)
      name: required - string
      thumbprint: required - string
    root_certificate (set block)
      name: required - string
      public_cert_data: required - string
Explanation in Terraform Registry
Manages a Virtual Network Gateway to establish secure, cross-premises connectivity. -> Note: Please be aware that provisioning a Virtual Network Gateway takes a long time (between 30 minutes and 1 hour)
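The GitHub excerpts above stop after the first few arguments, so none of them shows the blocks the parameter list marks as required (sku, ip_configuration) or how the vpn_client_configuration block is used. The following is an added example, not code from the page's excerpts or from the listed GitHub projects: a complete azurerm_virtual_network_gateway together with the resources it depends on, configured for point-to-site access with Azure AD authentication so that no RADIUS shared secret or client root certificate has to live in Terraform state. Resource names, address ranges and the tenant id are assumptions for illustration.

```hcl
# Added example (not from the page): a complete VPN gateway with its
# supporting resources. Names, CIDRs and var.tenant_id are assumed values.

variable "tenant_id" {
  description = "Azure AD tenant id used for point-to-site authentication (assumed, supplied by the caller)"
  type        = string
}

resource "azurerm_resource_group" "hub" {
  name     = "rg-hub-example"
  location = "westeurope"
}

resource "azurerm_virtual_network" "hub" {
  name                = "vnet-hub-example"
  location            = azurerm_resource_group.hub.location
  resource_group_name = azurerm_resource_group.hub.name
  address_space       = ["10.10.0.0/16"]
}

# The subnet that hosts a virtual network gateway must be named "GatewaySubnet".
resource "azurerm_subnet" "gateway" {
  name                 = "GatewaySubnet"
  resource_group_name  = azurerm_resource_group.hub.name
  virtual_network_name = azurerm_virtual_network.hub.name
  address_prefixes     = ["10.10.255.0/27"]
}

# Zone-redundant gateway SKUs take a Standard, static public IP.
resource "azurerm_public_ip" "gateway" {
  name                = "pip-vpngw-example"
  location            = azurerm_resource_group.hub.location
  resource_group_name = azurerm_resource_group.hub.name
  allocation_method   = "Static"
  sku                 = "Standard"
  zones               = ["1", "2", "3"]
}

resource "azurerm_virtual_network_gateway" "hub" {
  name                = "vpngw-hub-example"
  location            = azurerm_resource_group.hub.location
  resource_group_name = azurerm_resource_group.hub.name

  type       = "Vpn"
  vpn_type   = "RouteBased"
  sku        = "VpnGw1AZ" # the Basic SKU supports neither OpenVPN, Azure AD auth nor BGP
  generation = "Generation1"
  enable_bgp = true

  ip_configuration {
    name                          = "vnetGatewayConfig"
    public_ip_address_id          = azurerm_public_ip.gateway.id
    private_ip_address_allocation = "Dynamic"
    subnet_id                     = azurerm_subnet.gateway.id
  }

  # Point-to-site clients authenticate against Azure AD over OpenVPN, so no
  # radius_server_secret or root_certificate is stored in Terraform state.
  vpn_client_configuration {
    address_space        = ["172.16.201.0/24"]
    vpn_client_protocols = ["OpenVPN"]
    aad_tenant           = "https://login.microsoftonline.com/${var.tenant_id}/"
    aad_issuer           = "https://sts.windows.net/${var.tenant_id}/"
    # Application id of the Microsoft-published "Azure VPN" enterprise application
    aad_audience         = "41b23e61-6c1e-4545-b367-cd054e0ed4b4"
  }

  bgp_settings {
    asn         = 65515
    peer_weight = 0
  }
}
```

If certificate-based authentication is used instead, the root_certificate block carries the public CA data only, and any compromised client certificate is blocked with a revoked_certificate block keyed by its thumbprint; a radius_server_secret, when needed, should come from a sensitive variable rather than a literal in the configuration.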
Tips: Best Practices for The Other Azure Network Resources
In addition to the azurerm_network_security_group, Azure Network has other resources that should be configured with security in mind. The following are examples of those resources and the precautions to take.
azurerm_network_security_group
Ensure the RDP port is not exposed to the Internet
RDP access should not be accepted from the Internet (a source prefix of *, 0.0.0.0/0, Internet or Any); consider using the Azure Bastion Service instead.
azurerm_network_security_rule
Ensure a more restrictive CIDR range is set for ingress from the Internet
Use a more restrictive CIDR range rather than very broad subnets. Where possible, divide segments into smaller subnets.
azurerm_network_watcher_flow_log
Ensure a retention policy is enabled for flow logs and set to a sufficient duration
Enable a retention policy for flow logs. Flow logs record all network activity in the cloud environment and are what investigators rely on when a critical incident occurs.
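The three precautions above written as Terraform, as an added example rather than code from the page or from the projects it cites: the weak NSG rule is shown commented out beside the corrected one, and an azurerm_network_watcher_flow_log with a retention policy is attached to the same NSG. Resource names, CIDR ranges and the storage account name are assumptions.

```hcl
# Added example (not from the page). Names and CIDRs are assumed values.

resource "azurerm_resource_group" "net" {
  name     = "rg-net-example"
  location = "westeurope"
}

resource "azurerm_network_security_group" "app" {
  name                = "nsg-app-example"
  location            = azurerm_resource_group.net.location
  resource_group_name = azurerm_resource_group.net.name
}

# WEAK: RDP reachable from the whole Internet. "*", "0.0.0.0/0", "Internet"
# and "Any" as source_address_prefix all have this effect.
#
# resource "azurerm_network_security_rule" "rdp_from_anywhere" {
#   name                        = "allow-rdp-any"
#   priority                    = 100
#   direction                   = "Inbound"
#   access                      = "Allow"
#   protocol                    = "Tcp"
#   source_port_range           = "*"
#   destination_port_range      = "3389"
#   source_address_prefix       = "*"
#   destination_address_prefix  = "*"
#   resource_group_name         = azurerm_resource_group.net.name
#   network_security_group_name = azurerm_network_security_group.app.name
# }

# CORRECTED: RDP only from the AzureBastionSubnet range to the application
# subnet; everything else stays blocked by the default DenyAllInBound rule.
resource "azurerm_network_security_rule" "rdp_from_bastion" {
  name                        = "allow-rdp-from-bastion"
  priority                    = 100
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "3389"
  source_address_prefix       = "10.20.250.0/26" # AzureBastionSubnet (assumed)
  destination_address_prefix  = "10.20.1.0/24"   # application subnet (assumed)
  resource_group_name         = azurerm_resource_group.net.name
  network_security_group_name = azurerm_network_security_group.app.name
}

# Flow logs for the NSG, retained long enough to reconstruct an incident.
resource "azurerm_storage_account" "flowlogs" {
  name                     = "stflowlogsexample01" # must be globally unique (assumed)
  resource_group_name      = azurerm_resource_group.net.name
  location                 = azurerm_resource_group.net.location
  account_tier             = "Standard"
  account_replication_type = "LRS"
}

# Azure creates one Network Watcher per region in NetworkWatcherRG; reuse it.
data "azurerm_network_watcher" "region" {
  name                = "NetworkWatcher_westeurope"
  resource_group_name = "NetworkWatcherRG"
}

resource "azurerm_network_watcher_flow_log" "app" {
  name                      = "flowlog-nsg-app"
  network_watcher_name      = data.azurerm_network_watcher.region.name
  resource_group_name       = data.azurerm_network_watcher.region.resource_group_name
  network_security_group_id = azurerm_network_security_group.app.id
  storage_account_id        = azurerm_storage_account.flowlogs.id
  enabled                   = true
  version                   = 2

  retention_policy {
    enabled = true
    days    = 90
  }
}
```

A retention of 90 days is a starting point; the right value is the longest time that may pass between an intrusion and its discovery in your environment, and the storage account holding the logs should itself be restricted so that an attacker on the network cannot purge the evidence.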
Microsoft.Network/virtualNetworkGateways (Azure Resource Manager)
The virtualNetworkGateways in Microsoft.Network can be configured in Azure Resource Manager with the resource name Microsoft.Network/virtualNetworkGateways. The following sections describe how to use the resource and its parameters.
Example Usage from GitHub
"type": "Microsoft.Network/virtualNetworkGateways",
"name": "branch-ne-vpn",
"location": "northeurope",
"properties": {
"ipConfigurations": [
{

"type": "Microsoft.Network/virtualNetworkGateways",
"location": "eastus2",
"tags": {},
"properties": {
"provisioningState": "Succeeded",
"resourceGuid": "04ead348-262e-428e-b259-bb37681c027a",
"type": "Microsoft.Network/virtualNetworkGateways"
}
]
"type": "Microsoft.Network/virtualNetworkGateways"
}
]

"type": "Microsoft.Network/virtualNetworkGateways",
"apiVersion": "2019-09-01",
"name": "[variables('vnet1VpnGwName')]",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Network/publicIPAddresses', variables('vnet1VpnGwIpName'))]",

"type": "Microsoft.Network/virtualNetworkGateways",
"apiVersion": "2020-05-01",
"name": "[parameters('hubVng01Name')]",
"location": "[parameters('location')]",
"tags": {
"Owner": "Block Solutions",

"type": "Microsoft.Network/virtualNetworkGateways",
"name": "[parameters('gatewayName1')]",
"location": "[parameters('location1')]",
"properties": {
"ipConfigurations": [
{

"equals": "Microsoft.Network/virtualNetworkGateways"
},
"then": {
"effect": "deployIfNotExists",
"details": {
"type": "Microsoft.Insights/diagnosticSettings",

"type": "Microsoft.Network/virtualNetworkGateways",
"name": "[parameters('VpnGatewayWestUsName')]",
"apiVersion": "2017-10-01",
"location": "westus",
"scale": null,
"properties": {

"type": "Microsoft.Network/virtualNetworkGateways",
"location": "loc1",
"properties": {
"provisioningState": "Succeeded",
"resourceGuid": "00000000-0000-0000-0000-000000000000",
"ipConfigurations": [
Parameters
  name: required - string
  type: required - string
  apiVersion: required - string
  location: required - string. Resource location.
  tags: optional - string. Resource tags.
  properties: required
    ipConfigurations: optional array
      properties: optional
        privateIPAllocationMethod: optional - string. The private IP address allocation method.
        subnet: optional
          id: required - string. Resource ID.
        publicIPAddress: optional
          id: required - string. Resource ID.
      name: optional - string. The name of the resource that is unique within a resource group. This name can be used to access the resource.
    gatewayType: optional - string. The type of this virtual network gateway.
    vpnType: optional - string. The type of this virtual network gateway.
    vpnGatewayGeneration: optional - string. The generation for this VirtualNetworkGateway. Must be None if gatewayType is not VPN.
    enableBgp: optional - boolean. Whether BGP is enabled for this virtual network gateway or not.
    enablePrivateIpAddress: optional - boolean. Whether private IP needs to be enabled on this gateway for connections or not.
    activeActive: optional - boolean. ActiveActive flag.
    gatewayDefaultSite: optional
      id: required - string. Resource ID.
    sku: optional
      name: optional - string. Gateway SKU name.
      tier: optional - string. Gateway SKU tier.
    vpnClientConfiguration: optional
      vpnClientAddressPool: optional
        addressPrefixes: required - array. A list of address blocks reserved for this virtual network in CIDR notation.
      vpnClientRootCertificates: optional array
        properties: required
          publicCertData: required - string. The certificate public data.
        name: optional - string. The name of the resource that is unique within a resource group. This name can be used to access the resource.
      vpnClientRevokedCertificates: optional array
        properties: optional
          thumbprint: optional - string. The revoked VPN client certificate thumbprint.
        name: optional - string. The name of the resource that is unique within a resource group. This name can be used to access the resource.
      vpnClientProtocols: optional - array. VpnClientProtocols for Virtual network gateway.
      vpnAuthenticationTypes: optional - array. VPN authentication types for the virtual network gateway.
      vpnClientIpsecPolicies: optional array
        saLifeTimeSeconds: required - integer. The IPSec Security Association (also called Quick Mode or Phase 2 SA) lifetime in seconds for a site to site VPN tunnel.
        saDataSizeKilobytes: required - integer. The IPSec Security Association (also called Quick Mode or Phase 2 SA) payload size in KB for a site to site VPN tunnel.
        ipsecEncryption: required - string. The IPSec encryption algorithm (IKE phase 1).
        ipsecIntegrity: required - string. The IPSec integrity algorithm (IKE phase 1).
        ikeEncryption: required - string. The IKE encryption algorithm (IKE phase 2).
        ikeIntegrity: required - string. The IKE integrity algorithm (IKE phase 2).
        dhGroup: required - string. The DH Group used in IKE Phase 1 for initial SA.
        pfsGroup: required - string. The Pfs Group used in IKE Phase 2 for new child SA.
      radiusServerAddress: optional - string. The radius server address property of the VirtualNetworkGateway resource for vpn client connection.
      radiusServerSecret: optional - string. The radius secret property of the VirtualNetworkGateway resource for vpn client connection.
      radiusServers: optional array
        radiusServerAddress: required - string. The address of this radius server.
        radiusServerScore: optional - integer. The initial score assigned to this radius server.
        radiusServerSecret: optional - string. The secret used for this radius server.
      aadTenant: optional - string. The AADTenant property of the VirtualNetworkGateway resource for vpn client connection used for AAD authentication.
      aadAudience: optional - string. The AADAudience property of the VirtualNetworkGateway resource for vpn client connection used for AAD authentication.
      aadIssuer: optional - string. The AADIssuer property of the VirtualNetworkGateway resource for vpn client connection used for AAD authentication.
    bgpSettings: optional
      asn: optional - integer. The BGP speaker's ASN.
      bgpPeeringAddress: optional - string. The BGP peering address and BGP identifier of this BGP speaker.
      peerWeight: optional - integer. The weight added to routes learned from this BGP speaker.
      bgpPeeringAddresses: optional array
        ipconfigurationId: optional - string. The ID of IP configuration which belongs to gateway.
        customBgpIpAddresses: optional - array. The list of custom BGP peering addresses which belong to IP configuration.
    customRoutes: optional
      addressPrefixes: required - array. A list of address blocks reserved for this virtual network in CIDR notation.
    enableDnsForwarding: optional - boolean. Whether dns forwarding is enabled or not.
    vNetExtendedLocationResourceId: optional - string. MAS FIJI customer vnet resource id. VirtualNetworkGateway of type local gateway is associated with the customer vnet.
    virtualNetworkExtendedLocation: optional
      name: required - string. The name of the extended location.
      type: required - string. The type of the extended location.
Frequently asked questions
What is Azure Network Gateway?
Azure Network Gateway is a Network resource of Microsoft Azure. Its settings can be written in Terraform.
Where can I find the example code for the Azure Network Gateway?
For Terraform, the larryclaman/vpnscaffolds, BBE75/Terraform and rodrigoffonseca/Azure-Network-Terraform-lab source code examples are useful. See the Terraform Example section for further details.
For Azure Resource Manager, the tkubica12/azure-virtual-wan, ringend/azure and blinkops/blink-azure-query source code examples are useful. See the Azure Resource Manager Example section for further details.