Top / Microsoft Azure / Azure Network / Gateway

Azure Network Gateway

This page shows how to write Terraform and Azure Resource Manager for Network Gateway and write them securely.

terraform-logo

Review your .tf file for Azure best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

azurerm_virtual_network_gateway (Terraform)

The Gateway in Network can be configured in Terraform with the resource name azurerm_virtual_network_gateway. The following sections describe 10 examples of how to use the resource and its parameters.

Example Usage from GitHub

vpn.tf#L1
resource "azurerm_virtual_network_gateway" "hubvpn" {
  name                = "hubvpn"
  location            = azurerm_resource_group.test.location
  resource_group_name = azurerm_resource_group.test.name

  type     = "Vpn"
gobal-vnet-peering.tf#L1
resource "azurerm_virtual_network_gateway" "gw-rg1" {
  name                = "gw-rg1"
  location            = azurerm_resource_group.rg1.location
  resource_group_name = azurerm_resource_group.rg1.name

  type     = "Vpn"
VPN.tf#L10
resource "azurerm_virtual_network_gateway" "hubvpngw" {
  name                = "hubvpngw"
  location            = var.location
  resource_group_name = azurerm_resource_group.rg.name

  type     = "Vpn"
VPN.tf#L10
resource "azurerm_virtual_network_gateway" "hubvpngw" {
  name                = "hubvpngw"
  location            = var.location
  resource_group_name = azurerm_resource_group.rg.name

  type     = "Vpn"
vpn_gateway_test.tf#L33
resource "azurerm_virtual_network_gateway" "Basic" {
  name                = "test"
  location            = azurerm_resource_group.example.location
  resource_group_name = azurerm_resource_group.example.name

  type     = "Vpn"
main.tf#L11
resource "azurerm_virtual_network_gateway" "hubvpngw" {
  name                = var.vpngwname
  location            = var.location
  resource_group_name = var.resource_group_name
  tags                = var.tags
vpn.tf#L2
resource "azurerm_virtual_network_gateway" "vpn-hub" {
  name                = "hod-ukw-prod-testinfra-vng-hub"
  resource_group_name = azurerm_resource_group.rsg-hub.name
  location            = var.location

  type = "Vpn"
main.tf#L47
resource "azurerm_virtual_network_gateway" "vng" {
    name = "vpn-gateway"
    location = azurerm_resource_group.rg.location
    resource_group_name = azurerm_resource_group.rg.name

    type = "Vpn"
gateway.tf#L10
resource "azurerm_virtual_network_gateway" "hub-vnet-gateway" {
  name                = "hub-vpn-gateway1"
  location            = azurerm_resource_group.hub-rg.location
  resource_group_name = azurerm_resource_group.hub-rg.name

  type     = "Vpn"
onprem_vpn.tf#L10
resource "azurerm_virtual_network_gateway" "onprem_vpn_gateway" {
  name                = "onprem-vpn-gateway"
  location            = var.onprem_location
  resource_group_name = var.onprem_rg_name

  type     = "Vpn"

Review your Terraform file for Azure best practices

Shisho Cloud, our free checker to make sure your Terraform configuration follows best practices, is available (beta).

Parameters

>> from Terraform Registry

Explanation in Terraform Registry

Manages a Virtual Network Gateway to establish secure, cross-premises connectivity. -> Note: Please be aware that provisioning a Virtual Network Gateway takes a long time (between 30 minutes and 1 hour)

>> from Terraform Registry

Tips: Best Practices for The Other Azure Network Resources

In addition to the azurerm_network_security_group, Azure Network has the other resources that should be configured for security reasons. Please check some examples of those resources and precautions.

risk-label

azurerm_network_security_group

Ensure to disable RDP port from the Internet

It is better to disable the RDP port from the Internet. RDP access should not be accepted from the Internet (*, 0.0.0.0, /0, internet, any), and consider using the Azure Bastion Service.

risk-label

azurerm_network_security_rule

Ensure to set a more restrictive CIDR range for ingress from the internet

It is better to set a more restrictive CIDR range not to use very broad subnets. If possible, segments should be divided into smaller subnets.

risk-label

azurerm_network_watcher_flow_log

Ensure to enable Retention policy for flow logs and set it to enough duration

It is better to enable a retention policy for flow logs. Flow logs show us all network activity in the cloud environment and support us when we face critical incidents.

Review your Azure Network settings

In addition to the above, there are other security points you should be aware of making sure that your .tf files are protected in Shisho Cloud.

Microsoft.Network/virtualNetworkGateways (Azure Resource Manager)

The virtualNetworkGateways in Microsoft.Network can be configured in Azure Resource Manager with the resource name Microsoft.Network/virtualNetworkGateways. The following sections describe how to use the resource and its parameters.

Example Usage from GitHub

branchesVpns.json#L11
            "type": "Microsoft.Network/virtualNetworkGateways",
            "name": "branch-ne-vpn",
            "location": "northeurope",
            "properties": {
                "ipConfigurations": [
                    {
useast2-vpn-1-05-06-21.json#L5
    "type": "Microsoft.Network/virtualNetworkGateways",
    "location": "eastus2",
    "tags": {},
    "properties": {
        "provisioningState": "Succeeded",
        "resourceGuid": "04ead348-262e-428e-b259-bb37681c027a",
test-get-expected.json#L8
    "type": "Microsoft.Network/virtualNetworkGateways"
  }
]
test-get-expected.json#L8
    "type": "Microsoft.Network/virtualNetworkGateways"
  }
]
template.json#L76
            "type": "Microsoft.Network/virtualNetworkGateways",
            "apiVersion": "2019-09-01",
            "name": "[variables('vnet1VpnGwName')]",
            "location": "[resourceGroup().location]",
            "dependsOn": [
                "[resourceId('Microsoft.Network/publicIPAddresses', variables('vnet1VpnGwIpName'))]",
Hub-VNG.json#L46
            "type": "Microsoft.Network/virtualNetworkGateways",
            "apiVersion": "2020-05-01",
            "name": "[parameters('hubVng01Name')]",
            "location": "[parameters('location')]",
            "tags": {
              "Owner": "Block Solutions",
creatingGateways.json#L37
      "type": "Microsoft.Network/virtualNetworkGateways",
      "name": "[parameters('gatewayName1')]",
      "location": "[parameters('location1')]",
      "properties": {
        "ipConfigurations": [
          {
vnetgAzMonDeloyIfNotExists.json#L18
                "equals": "Microsoft.Network/virtualNetworkGateways"
            },
            "then": {
                "effect": "deployIfNotExists",
                "details": {
                    "type": "Microsoft.Insights/diagnosticSettings",
arm_vnet_core.json#L96
            "type": "Microsoft.Network/virtualNetworkGateways",
            "name": "[parameters('VpnGatewayWestUsName')]",
            "apiVersion": "2017-10-01",
            "location": "westus",
            "scale": null,
            "properties": {
VirtualNetworkGatewayList.json#L15
                        "type": "Microsoft.Network/virtualNetworkGateways",
                        "location": "loc1",
                        "properties": {
                            "provisioningState": "Succeeded",
                            "resourceGuid": "00000000-0000-0000-0000-000000000000",
                            "ipConfigurations": [

Parameters

  • name required - string
  • type required - string
  • apiVersion required - string
  • location required - string

    Resource location.

  • tags optional - string

    Resource tags.

  • properties required
      • ipConfigurations optional array
          • properties optional
              • privateIPAllocationMethod optional - string

                The private IP address allocation method.

              • subnet optional
                  • id required - string

                    Resource ID.

              • publicIPAddress optional
                  • id required - string

                    Resource ID.

          • name optional - string

            The name of the resource that is unique within a resource group. This name can be used to access the resource.

      • gatewayType optional - string

        The type of this virtual network gateway.

      • vpnType optional - string

        The type of this virtual network gateway.

      • vpnGatewayGeneration optional - string

        The generation for this VirtualNetworkGateway. Must be None if gatewayType is not VPN.

      • enableBgp optional - boolean

        Whether BGP is enabled for this virtual network gateway or not.

      • enablePrivateIpAddress optional - boolean

        Whether private IP needs to be enabled on this gateway for connections or not.

      • activeActive optional - boolean

        ActiveActive flag.

      • gatewayDefaultSite optional
          • id required - string

            Resource ID.

      • sku optional
          • name optional - string

            Gateway SKU name.

          • tier optional - string

            Gateway SKU tier.

      • vpnClientConfiguration optional
          • vpnClientAddressPool optional
              • addressPrefixes required - array

                A list of address blocks reserved for this virtual network in CIDR notation.

          • vpnClientRootCertificates optional array
              • properties required
                  • publicCertData required - string

                    The certificate public data.

              • name optional - string

                The name of the resource that is unique within a resource group. This name can be used to access the resource.

          • vpnClientRevokedCertificates optional array
              • properties optional
                  • thumbprint optional - string

                    The revoked VPN client certificate thumbprint.

              • name optional - string

                The name of the resource that is unique within a resource group. This name can be used to access the resource.

          • vpnClientProtocols optional - array

            VpnClientProtocols for Virtual network gateway.

          • vpnAuthenticationTypes optional - array

            VPN authentication types for the virtual network gateway..

          • vpnClientIpsecPolicies optional array
              • saLifeTimeSeconds required - integer

                The IPSec Security Association (also called Quick Mode or Phase 2 SA) lifetime in seconds for a site to site VPN tunnel.

              • saDataSizeKilobytes required - integer

                The IPSec Security Association (also called Quick Mode or Phase 2 SA) payload size in KB for a site to site VPN tunnel.

              • ipsecEncryption required - string

                The IPSec encryption algorithm (IKE phase 1).

              • ipsecIntegrity required - string

                The IPSec integrity algorithm (IKE phase 1).

              • ikeEncryption required - string

                The IKE encryption algorithm (IKE phase 2).

              • ikeIntegrity required - string

                The IKE integrity algorithm (IKE phase 2).

              • dhGroup required - string

                The DH Group used in IKE Phase 1 for initial SA.

              • pfsGroup required - string

                The Pfs Group used in IKE Phase 2 for new child SA.

          • radiusServerAddress optional - string

            The radius server address property of the VirtualNetworkGateway resource for vpn client connection.

          • radiusServerSecret optional - string

            The radius secret property of the VirtualNetworkGateway resource for vpn client connection.

          • radiusServers optional array
              • radiusServerAddress required - string

                The address of this radius server.

              • radiusServerScore optional - integer

                The initial score assigned to this radius server.

              • radiusServerSecret optional - string

                The secret used for this radius server.

          • aadTenant optional - string

            The AADTenant property of the VirtualNetworkGateway resource for vpn client connection used for AAD authentication.

          • aadAudience optional - string

            The AADAudience property of the VirtualNetworkGateway resource for vpn client connection used for AAD authentication.

          • aadIssuer optional - string

            The AADIssuer property of the VirtualNetworkGateway resource for vpn client connection used for AAD authentication.

      • bgpSettings optional
          • asn optional - integer

            The BGP speaker's ASN.

          • bgpPeeringAddress optional - string

            The BGP peering address and BGP identifier of this BGP speaker.

          • peerWeight optional - integer

            The weight added to routes learned from this BGP speaker.

          • bgpPeeringAddresses optional array
              • ipconfigurationId optional - string

                The ID of IP configuration which belongs to gateway.

              • customBgpIpAddresses optional - array

                The list of custom BGP peering addresses which belong to IP configuration.

      • customRoutes optional
          • addressPrefixes required - array

            A list of address blocks reserved for this virtual network in CIDR notation.

      • enableDnsForwarding optional - boolean

        Whether dns forwarding is enabled or not.

      • vNetExtendedLocationResourceId optional - string

        MAS FIJI customer vnet resource id. VirtualNetworkGateway of type local gateway is associated with the customer vnet.

      • virtualNetworkExtendedLocation optional
          • name required - string

            The name of the extended location.

          • type required - string

            The type of the extended location.

>> from Azure Resource Manager Documentation

The Other Related Azure Network Resources

Frequently asked questions

What is Azure Network Gateway?

Azure Network Gateway is a resource for Network of Microsoft Azure. Settings can be wrote in Terraform.

Where can I find the example code for the Azure Network Gateway?

For Terraform, the larryclaman/vpnscaffolds, BBE75/Terraform and rodrigoffonseca/Azure-Network-Terraform-lab source code examples are useful. See the Terraform Example section for further details.

For Azure Resource Manager, the tkubica12/azure-virtual-wan, ringend/azure and blinkops/blink-azure-query source code examples are useful. See the Azure Resource Manager Example section for further details.

security-icon

Automate config file reviews on your commits

Fix issues in your infrastructure as code with auto-generated patches.

Table of Contents