terraform-azurerm-avm-ptn-vnetgateway
This module is designed to deploy an Azure Virtual Network Gateway and several auxillary resources associated to it.
Features
- Virtual Network Gateway:
- VPN Gateway or ExpressRoute Gateway.
- Active-Active or Single.
- Deployment of
GatewaySubnet.
- Route Table
- Optional deployment of Route Table on the Gateway Subnet.
- Local Network Gateway:
- Optional deployment of
nLocal Network Gateways. - Optional deployment of
nVirtual Network Gateway Connections for Local Network Gateways.
- Optional deployment of
- ExpressRoute Circuit:
- Configure peering on
npre-provisioned ExpressRoute Circuits. - Optional deployment of
nVirtual Network Gateway Connections for ExpressRoute Circuits.
- Configure peering on
Example
resource "azurerm_resource_group" "rg" {
location = "uksouth"
name = "rg-connectivity-uksouth-prod"
}
resource "azurerm_virtual_network" "vnet" {
address_space = ["10.0.0.0/16"]
location = azurerm_resource_group.rg.location
name = "vnet-uksouth-prod"
resource_group_name = azurerm_resource_group.rg.name
}
module "vgw" {
source = "Azure/avm-ptn-vnetgateway/azurerm"
version = "<version>" # change this to your desired version, https://www.terraform.io/language/expressions/version-constraints
location = "uksouth"
name = "vgw-uksouth-prod"
subnet_address_prefix = "10.0.1.0/24"
virtual_network_id = azurerm_virtual_network.vnet.id
}Requirements
The following requirements are needed by this module:
Resources
The following resources are used by this module:
- azurerm_express_route_circuit_peering.vgw (resource)
- azurerm_local_network_gateway.vgw (resource)
- azurerm_public_ip.vgw (resource)
- azurerm_route_table.vgw (resource)
- azurerm_subnet.vgw (resource)
- azurerm_subnet_route_table_association.vgw (resource)
- azurerm_virtual_network_gateway.vgw (resource)
- azurerm_virtual_network_gateway_connection.vgw (resource)
- modtm_telemetry.telemetry (resource)
- random_uuid.telemetry (resource)
- azurerm_client_config.telemetry (data source)
- modtm_module_source.telemetry (data source)
Required Inputs
The following input variables are required:
location
Description: The Azure region where the resources will be deployed.
Type: string
name
Description: The name of the Virtual Network Gateway.
Type: string
virtual_network_id
Description: The resource id of the Virtual Network to which the Virtual Network Gateway will be attached.
Type: string
Optional Inputs
The following input variables are optional (have default values):
edge_zone
Description: Specifies the Edge Zone within the Azure Region where this Virtual Network Gateway should exist. Changing this forces a new Virtual Network Gateway to be created.
Type: string
Default: null
enable_telemetry
Description: This variable controls whether or not telemetry is enabled for the module.
For more information see https://aka.ms/avm/telemetryinfo.
If it is set to false, then no telemetry will be collected.
Type: bool
Default: true
express_route_circuits
Description: Map of Virtual Network Gateway Connections and Peering Configurations to create for existing ExpressRoute circuits.
-
id- (Required) The ID of the ExpressRoute circuit. -
connection- (Optional) aconnectionblock as defined below. Used to configure the Virtual Network Gateway Connection between the ExpressRoute Circuit and the Virtual Network Gateway.resource_group_name- (Optional) The name of the resource group in which to create the Virtual Network Gateway Connection. Defaults to the resource group of the Virtual Network.authorization_key- (Optional) The authorization key for the ExpressRoute Circuit.express_route_gateway_bypass- (Optional) Whether to bypass the ExpressRoute Gateway for data forwarding.private_link_fast_path_enabled- (Optional) Bypass the Express Route gateway when accessing private-links. When enabled express_route_gateway_bypass must be set to true. Defaults to false.name- (Optional) The name of the Virtual Network Gateway Connection.routing_weight- (Optional) The weight added to routes learned from this Virtual Network Gateway Connection. Defaults to 10.shared_key- (Optional) The shared key for the Virtual Network Gateway Connection.tags- (Optional) A mapping of tags to assign to the resource.
-
peering- (Optional) apeeringblock as defined below. Used to configure the ExpressRoute Circuit Peering.peering_type- (Required) The type of the peering. Possible values are AzurePrivatePeering, AzurePublicPeering or MicrosoftPeering.vlan_id- (Required) The VLAN ID for the peering.resource_group_name- (Optional) The name of the resource group in which to put the ExpressRoute Circuit Peering. Defaults to the resource group of the Virtual Network Gateway.ipv4_enabled- (Optional) Whether IPv4 is enabled on the peering. Defaults to true.peer_asn- (Optional) The peer ASN.primary_peer_address_prefix- (Optional) The primary address prefix.secondary_peer_address_prefix- (Optional) The secondary address prefix.shared_key- (Optional) The shared key for the peering.route_filter_id- (Optional) The ID of the route filter to apply to the peering.microsoft_peering_config- (Optional) amicrosoft_peering_configblock as defined below. Used to configure the Microsoft Peering.advertised_communities- (Optional) The list of communities to advertise to the Microsoft Peering.advertised_public_prefixes- (Required) The list of public prefixes to advertise to the Microsoft Peering.customer_asn- (Optional) The customer ASN.routing_registry_name- (Optional) The routing registry name.
Type:
map(object({
id = string
connection = optional(object({
resource_group_name = optional(string, null)
authorization_key = optional(string, null)
express_route_gateway_bypass = optional(bool, null)
private_link_fast_path_enabled = optional(bool, false)
name = optional(string, null)
routing_weight = optional(number, null)
shared_key = optional(string, null)
tags = optional(map(string), {})
}), null)
peering = optional(object({
peering_type = string
vlan_id = number
resource_group_name = optional(string, null)
ipv4_enabled = optional(bool, true)
peer_asn = optional(number, null)
primary_peer_address_prefix = optional(string, null)
secondary_peer_address_prefix = optional(string, null)
shared_key = optional(string, null)
route_filter_id = optional(string, null)
microsoft_peering_config = optional(object({
advertised_public_prefixes = list(string)
advertised_communities = optional(list(string), null)
customer_asn = optional(number, null)
routing_registry_name = optional(string, null)
}), null)
}), null)
}))Default: {}
express_route_remote_vnet_traffic_enabled
Description: Enabled ExpressRoute traffic incoming from other connected VNets
Type: bool
Default: false
express_route_virtual_wan_traffic_enabled
Description: Enabled ExpressRoute traffic incoming from other connected VWANs
Type: bool
Default: false
ip_configurations
Description: Map of IP Configurations to create for the Virtual Network Gateway.
name- (Optional) The name of the IP Configuration.apipa_addresses- (Optional) The list of APPIPA addresses.private_ip_address_allocation- (Optional) The private IP allocation method. Possible values are Static or Dynamic. Defaults to Dynamic.public_ip- (Optional) apublic_ipblock as defined below. Used to configure the Public IP Address for the IP Configuration.id- (Optional) The resource id of an existing public ip address to use for the IP Configuration.name- (Optional) The name of the Public IP Address.resource_group_name- (Optional) The name of the resource group in which to create the Public IP Address.allocation_method- (Optional) The allocation method of the Public IP Address. Possible values are Static or Dynamic. Defaults to Dynamic.sku- (Optional) The SKU of the Public IP Address. Possible values are Basic or Standard. Defaults to Standard.tags- (Optional) A mapping of tags to assign to the resource.zones- (Optional) The list of availability zones for the Public IP Address.edge_zone- (Optional) Specifies the Edge Zone within the Azure Region where this Public IP should exist. Changing this forces a new Public IP to be created.ddos_protection_mode- (Optional) The DDoS protection mode of the Public IP Address. Possible values are Disabled, Enabled or VirtualNetworkInherited. Defaults to VirtualNetworkInherited.ddos_protection_plan_id- (Optional) The ID of the DDoS protection plan for the Public IP Address.domain_name_label- (Optional) The domain name label for the Public IP Address.idle_timeout_in_minutes- (Optional) The idle timeout in minutes for the Public IP Address.ip_tags- (Optional) A mapping of IP tags to assign to the resource.ip_version- (Optional) The IP version of the Public IP Address. Possible values are IPv4 or IPv6. Defaults to IPv4.public_ip_prefix_id- (Optional) The ID of the Public IP Prefix for the Public IP Address.reverse_fqdn- (Optional) The reverse FQDN for the Public IP Address.sku_tier- (Optional) The tier of the Public IP Address. Possible values are Regional or Global. Defaults to Regional.
Type:
map(object({
name = optional(string, null)
apipa_addresses = optional(list(string), null)
private_ip_address_allocation = optional(string, "Dynamic")
public_ip = optional(object({
creation_enabled = optional(bool, true)
id = optional(string, null)
name = optional(string, null)
resource_group_name = optional(string, null)
allocation_method = optional(string, "Static")
sku = optional(string, "Standard")
tags = optional(map(string), {})
zones = optional(list(number), [1, 2, 3])
edge_zone = optional(string, null)
ddos_protection_mode = optional(string, "VirtualNetworkInherited")
ddos_protection_plan_id = optional(string, null)
domain_name_label = optional(string, null)
idle_timeout_in_minutes = optional(number, null)
ip_tags = optional(map(string), {})
ip_version = optional(string, "IPv4")
public_ip_prefix_id = optional(string, null)
reverse_fqdn = optional(string, null)
sku_tier = optional(string, "Regional")
}), {})
}))Default: {}
local_network_gateways
Description: Map of Local Network Gateways and Virtual Network Gateway Connections to create for the Virtual Network Gateway.
-
id- (Optional) The ID of the pre-exisitng Local Network Gateway. -
name- (Optional) The name of the Local Network Gateway to create. -
address_space- (Optional) The list of address spaces for the Local Network Gateway. -
gateway_fqdn- (Optional) The gateway FQDN for the Local Network Gateway. -
gateway_address- (Optional) The gateway IP address for the Local Network Gateway. -
tags- (Optional) A mapping of tags to assign to the resource. -
bgp_settings- (Optional) abgp_settingsblock as defined below. Used to configure the BGP settings for the Local Network Gateway.asn- (Required) The ASN of the Local Network Gateway.bgp_peering_address- (Required) The BGP peering address of the Local Network Gateway.peer_weight- (Optional) The weight added to routes learned from this BGP speaker.
-
connection- (Optional) aconnectionblock as defined below. Used to configure the Virtual Network Gateway Connection for the Local Network Gateway.name- (Optional) The name of the Virtual Network Gateway Connection.resource_group_name- (Optional) The name of the resource group in which to create the Virtual Network Gateway Connection. Defaults to the resource group of the Virtual Network.type- (Required) The type of Virtual Network Gateway Connection. Possible values are IPsec or Vnet2Vnet.connection_mode- (Optional) The connection mode.connection_protocol- (Optional) The connection protocol. Possible values are IKEv2 or IKEv1.dpd_timeout_seconds- (Optional) The dead peer detection timeout in seconds.egress_nat_rule_ids- (Optional) The list of egress NAT rule IDs.enable_bgp- (Optional) Whether or not BGP is enabled for this Virtual Network Gateway Connection.ingress_nat_rule_ids- (Optional) The list of ingress NAT rule IDs.local_azure_ip_address_enabled- (Optional) Whether or not the local Azure IP address is enabled.peer_virtual_network_gateway_id- (Optional) The ID of the peer Virtual Network Gateway.routing_weight- (Optional) The routing weight.shared_key- (Optional) The shared key.tags- (Optional) A mapping of tags to assign to the resource.use_policy_based_traffic_selectors- (Optional) Whether or not to use policy based traffic selectors.custom_bgp_addresses- (Optional) acustom_bgp_addressesblock as defined below. Used to configure the custom BGP addresses for the Virtual Network Gateway Connection.primary- (Required) The primary custom BGP address.secondary- (Required) The secondary custom BGP address.ipsec_policy- (Optional) aipsec_policyblock as defined below. Used to configure the IPsec policy for the Virtual Network Gateway Connection.dh_group- (Required) The DH Group used in IKE Phase 1 for initial SA.ike_encryption- (Required) The IKE encryption algorithm (IKE phase 2).ike_integrity- (Required) The IKE integrity algorithm (IKE phase 2).ipsec_encryption- (Required) The IPSec encryption algorithm (IKE phase 1).ipsec_integrity- (Required) The IPSec integrity algorithm (IKE phase 1).pfs_group- (Required) The Pfs Group used in IKE Phase 2 for new child SA.sa_datasize- (Optional) The IPSec Security Association (also called Quick Mode or Phase 2 SA) data size specified in KB for a policy.sa_lifetime- (Optional) The IPSec Security Association (also called Quick Mode or Phase 2 SA) lifetime specified in seconds for a policy.traffic_selector_policy- (Optional) atraffic_selector_policyblock as defined below. Used to configure the traffic selector policy for the Virtual Network Gateway Connection.local_address_prefixes- (Required) The list of local address prefixes.remote_address_prefixes- (Required) The list of remote address prefixes.
Type:
map(object({
id = optional(string, null)
name = optional(string, null)
resource_group_name = optional(string, null)
address_space = optional(list(string), null)
gateway_fqdn = optional(string, null)
gateway_address = optional(string, null)
tags = optional(map(string), {})
bgp_settings = optional(object({
asn = number
bgp_peering_address = string
peer_weight = optional(number, null)
}), null)
connection = optional(object({
name = optional(string, null)
resource_group_name = optional(string, null)
type = string
connection_mode = optional(string, null)
connection_protocol = optional(string, null)
dpd_timeout_seconds = optional(number, null)
egress_nat_rule_ids = optional(list(string), null)
enable_bgp = optional(bool, null)
ingress_nat_rule_ids = optional(list(string), null)
local_azure_ip_address_enabled = optional(bool, null)
peer_virtual_network_gateway_id = optional(string, null)
routing_weight = optional(number, null)
shared_key = optional(string, null)
tags = optional(map(string), null)
use_policy_based_traffic_selectors = optional(bool, null)
custom_bgp_addresses = optional(object({
primary = string
secondary = string
}), null)
ipsec_policy = optional(object({
dh_group = string
ike_encryption = string
ike_integrity = string
ipsec_encryption = string
ipsec_integrity = string
pfs_group = string
sa_datasize = optional(number, null)
sa_lifetime = optional(number, null)
}), null)
traffic_selector_policy = optional(list(
object({
local_address_prefixes = list(string)
remote_address_prefixes = list(string)
})
), null)
}), null)
}))Default: {}
route_table_bgp_route_propagation_enabled
Description: Whether or not to enable BGP route propagation on the Route Table.
Type: bool
Default: true
route_table_creation_enabled
Description: Whether or not to create a Route Table associated with the Virtual Network Gateway Subnet.
Type: bool
Default: false
route_table_name
Description: Name of the Route Table associated with Virtual Network Gateway Subnet.
Type: string
Default: null
route_table_resource_group_name
Description: The name of the resource group in which to create the Route Table. If left blank, the resource group of the virtual network will be used.
Type: string
Default: null
route_table_tags
Description: Tags for the Route Table.
Type: map(string)
Default: {}
sku
Description: The SKU (size) of the Virtual Network Gateway.
Type: string
Default: "ErGw1AZ"
subnet_address_prefix
Description: The address prefix for the gateway subnet. Required if subnet_creation_enabled = true.
Type: string
Default: ""
subnet_creation_enabled
Description: Whether or not to create a subnet for the Virtual Network Gateway.
Type: bool
Default: true
tags
Description: Tags to apply to the Virtual Network Gateway.
Type: map(string)
Default: null
type
Description: The type of the Virtual Network Gateway, ExpressRoute or Vpn.
Type: string
Default: "ExpressRoute"
vpn_active_active_enabled
Description: Enable active-active mode for the Virtual Network Gateway.
Type: bool
Default: true
vpn_bgp_enabled
Description: Enable BGP for the Virtual Network Gateway.
Type: bool
Default: false
vpn_bgp_route_translation_for_nat_enabled
Description: Enable BGP route translation for NAT for the Virtual Network Gateway.
Type: bool
Default: false
vpn_bgp_settings
Description: BGP settings for the Virtual Network Gateway.
Type:
object({
asn = optional(number, 65515)
peer_weight = optional(number, null)
})Default: null
vpn_custom_route
Description: The reference to the address space resource which represents the custom routes address space specified by the customer for virtual network gateway and VpnClient.
Type:
object({
address_prefixes = list(string)
})Default: null
vpn_default_local_network_gateway_id
Description: The ID of the default local network gateway to use for the Virtual Network Gateway.
Type: string
Default: null
vpn_dns_forwarding_enabled
Description: Enable DNS forwarding for the Virtual Network Gateway.
Type: bool
Default: null
vpn_generation
Description: value for the Generation for the Gateway, Valid values are 'Generation1', 'Generation2'. Options differ depending on SKU.
Type: string
Default: null
vpn_ip_sec_replay_protection_enabled
Description: Enable IPsec replay protection for the Virtual Network Gateway.
Type: bool
Default: true
vpn_point_to_site
Description: Point to site configuration for the virtual network gateway.
address_space- (Required) Address space for the virtual network gateway.aad_tenant- (Optional) The AAD tenant to use for authentication.aad_audience- (Optional) The AAD audience to use for authentication.aad_issuer- (Optional) The AAD issuer to use for authentication.radius_server_address- (Optional) The address of the radius server.radius_server_secret- (Optional) The secret of the radius server.root_certificate- (Optional) The root certificate of the virtual network gateway.name- (Required) The name of the root certificate.public_cert_data- (Required) The public certificate data.
revoked_certificate- (Optional) The revoked certificate of the virtual network gateway.name- (Required) The name of the revoked certificate.thumbprint- (Required) The thumbprint of the revoked certificate.
radius_server- (Optional) The radius server of the virtual network gateway.address- (Required) The address of the radius server.secret- (Required) The secret of the radius server.score- (Required) The score of the radius server.
ipsec_policy- (Optional) The IPsec policy of the virtual network gateway.dh_group- (Required) The DH group of the IPsec policy.ike_encryption- (Required) The IKE encryption of the IPsec policy.ike_integrity- (Required) The IKE integrity of the IPsec policy.ipsec_encryption- (Required) The IPsec encryption of the IPsec policy.ipsec_integrity- (Required) The IPsec integrity of the IPsec policy.pfs_group- (Required) The PFS group of the IPsec policy.sa_data_size_in_kilobytes- (Optional) The SA data size in kilobytes of the IPsec policy.sa_lifetime_in_seconds- (Optional) The SA lifetime in seconds of the IPsec policy.
virtual_network_gateway_client_connection- (Optional) The virtual network gateway client connection of the virtual network gateway.name- (Required) The name of the virtual network gateway client connection.policy_group_names- (Required) The policy group names of the virtual network gateway client connection.address_prefixes- (Required) The address prefixes of the virtual network gateway client connection.
vpn_client_protocols- (Optional) The VPN client protocols.vpn_auth_types- (Optional) The VPN authentication types.
Type:
object({
address_space = list(string)
aad_tenant = optional(string, null)
aad_audience = optional(string, null)
aad_issuer = optional(string, null)
radius_server_address = optional(string, null)
radius_server_secret = optional(string, null)
root_certificates = optional(map(object({
name = string
public_cert_data = string
})), {})
revoked_certificates = optional(map(object({
name = string
thumbprint = string
})), {})
radius_servers = optional(map(object({
address = string
secret = string
score = number
})), {})
vpn_client_protocols = optional(list(string), null)
vpn_auth_types = optional(list(string), null)
ipsec_policy = optional(object({
dh_group = string
ike_encryption = string
ike_integrity = string
ipsec_encryption = string
ipsec_integrity = string
pfs_group = string
sa_data_size_in_kilobytes = optional(number, null)
sa_lifetime_in_seconds = optional(number, null)
}), null)
virtual_network_gateway_client_connections = optional(map(object({
name = string
policy_group_names = list(string)
address_prefixes = list(string)
})), {})
})Default: null
vpn_policy_groups
Description: The policy groups for the Virtual Network Gateway.
Type:
map(object({
name = string
is_default = optional(bool, null)
priority = optional(number, null)
policy_members = map(object({
name = string
type = string
value = string
}))
}))Default: {}
vpn_private_ip_address_enabled
Description: Enable private IP address for the Virtual Network Gateway for Virtual Network Gateway Connections. Only supported for AZ SKUs.
Type: bool
Default: null
vpn_type
Description: The VPN type of the Virtual Network Gateway.
Type: string
Default: "RouteBased"
Outputs
The following outputs are exported:
local_network_gateways
Description: A curated output of the Local Network Gateways created by this module.
public_ip_addresses
Description: A curated output of the Public IP Addresses created by this module.
resource_id
Description: The ID of the Virtual Network Gateway.
route_table
Description: A curated output of the Route Table created by this module.
subnet
Description: A curated output of the GatewaySubnet created by this module.
virtual_network_gateway
Description: A curated output of the Virtual Network Gateway created by this module.
virtual_network_gateway_connections
Description: A curated output of the Virtual Network Gateway Connections created by this module.
Modules
No modules.
Data Collection
The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the repository. There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at https://go.microsoft.com/fwlink/?LinkID=824704. You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.