Basic SKU for public ip address is deprecated and no longer valid when trying to attach to most vpn gateway skus

[valsharess]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

1. Set vpn gateway sku to VpnGw1
2. Deploy fails as a basic public ip cannot be used for this sku type anymore, basic public ip only works for basic vpn gateway, docs here

https://github.com/Azure/terraform-azurerm-caf-enterprise-scale/blob/main/modules/connectivity/locals.tf#L748

I've worked around it for now by using custom settings override but the defaults need to be fixed.

[jtracey93]

Hey @valsharess,

Thanks for reporting.

This will need to be changed in a new major release as it will be a breaking change for those that have the basic SKU for IPs already deployed.

But we will update the ALZ TF Accelerator to have these overrides set by default out of the box which @jaredfholgate will take a look at 👍

[samuelhornbyparallo]

Hi, This is blocking us from deploying a new Landing Zone. Is there any update on the status of getting this resolved?

[valsharess]

Hi, This is blocking us from deploying a new Landing Zone. Is there any update on the status of getting this resolved?

You can override the sku with custom settings, you shouldn't be totally blocked

[samuelhornbyparallo]

Hi, This is blocking us from deploying a new Landing Zone. Is there any update on the status of getting this resolved?

You can override the sku with custom settings, you shouldn't be totally blocked

Thanks, It would be good to get a working example on this thread

[valsharess]

Hi, This is blocking us from deploying a new Landing Zone. Is there any update on the status of getting this resolved?

You can override the sku with custom settings, you shouldn't be totally blocked

Thanks, It would be good to get a working example on this thread

      custom_settings_by_resource_type = {
        azurerm_public_ip = {
          connectivity_vpn = {
            australiaeast = {
              sku = "Standard"
              allocation_method = "Static"
            }

[cbezenco]

Thanks I got it working using the custom settings shared but note that I also had to change my SKU from VpnGw1 to VpnGw1AZ (I was getting another error initially after using the custom_settings_by_resource_type override)

[cbezenco]

FYI, the workaround does not seem to work when deploying into a non-AZ enabled region.
Here is what happen when I try to deploy on ukwest.

advanced = { custom_settings_by_resource_type = { azurerm_public_ip = { connectivity_vpn = { ukwest = { sku = "Standard" allocation_method = "Static" }, uksouth = { sku = "Standard" allocation_method = "Static" } } },

Only the first pip for vpngateway is setup with Standard. The custom settings is not applied to the second pip (pip2 below).

Seems to be potentially a bug with custom settings ? Shall I open a bug ? I understand custom_settings is not officially supported.

module.caf-enterprise-scale.azurerm_public_ip.connectivity["/subscriptions/2560ed2d-c2de-48d7-b953-cb112107a0f5/resourceGroups/dev-connectivity-ukwest/providers/Microsoft.Network/publicIPAddresses/dev-vpngw-ukwest-pip"] will be created

• resource "azurerm_public_ip" "connectivity" {

  • allocation_method = "Static"
  • ddos_protection_mode = "VirtualNetworkInherited"
  • fqdn = (known after apply)
  • id = (known after apply)
  • idle_timeout_in_minutes = 4
  • ip_address = (known after apply)
  • ip_version = "IPv4"
  • location = "ukwest"
  • name = "dev-vpngw-ukwest-pip"
  • resource_group_name = "dev-connectivity-ukwest"
  • sku = "Standard"
  • sku_tier = "Regional"
  • tags = {
    • "demo_type" = "deploy_connectivity_resources_custom"
    • "deployedBy" = "terraform/azure/caf-enterprise-scale" } }

  module.caf-enterprise-scale.azurerm_public_ip.connectivity["/subscriptions/2560ed2d-c2de-48d7-b953-cb112107a0f5/resourceGroups/dev-connectivity-ukwest/providers/Microsoft.Network/publicIPAddresses/dev-vpngw-ukwest-pip2"] will be created

• resource "azurerm_public_ip" "connectivity" {

  • allocation_method = "Dynamic"
  • ddos_protection_mode = "VirtualNetworkInherited"
  • fqdn = (known after apply)
  • id = (known after apply)
  • idle_timeout_in_minutes = 4
  • ip_address = (known after apply)
  • ip_version = "IPv4"
  • location = "ukwest"
  • name = "dev-vpngw-ukwest-pip2"
  • resource_group_name = "dev-connectivity-ukwest" + sku = "Basic"
  • sku_tier = "Regional"
  • tags = {
    • "demo_type" = "deploy_connectivity_resources_custom"
    • "deployedBy" = "terraform/azure/caf-enterprise-scale" } }

  module.caf-enterprise-scale.azurerm_virtual_network_gateway.connectivity["/subscriptions/2560ed2d-c2de-48d7-b953-cb112107a0f5/resourceGroups/dev-connectivity-ukwest/providers/Microsoft.Network/virtualNetworkGateways/dev-vpngw-ukwest"] will be created

• resource "azurerm_virtual_network_gateway" "connectivity" {

  • active_active = true

  • bgp_route_translation_for_nat_enabled = false

  • enable_bgp = true

  • generation = "Generation1"

  • id = (known after apply)

  • ip_sec_replay_protection_enabled = true

  • location = "ukwest"

  • name = "dev-vpngw-ukwest"

  • remote_vnet_traffic_enabled = false

  • resource_group_name = "dev-connectivity-ukwest"

  • sku = "VpnGw1"

  • tags = {

    • "demo_type" = "deploy_connectivity_resources_custom"
    • "deployedBy" = "terraform/azure/caf-enterprise-scale" }

  • type = "Vpn"

  • virtual_wan_traffic_enabled = false

  • vpn_type = "RouteBased"

  • ip_configuration {

    • name = "dev-vpngw-ukwest-pip"
    • private_ip_address_allocation = "Dynamic"
    • public_ip_address_id = "/subscriptions/2560ed2d-c2de-48d7-b953-cb112107a0f5/resourceGroups/dev-connectivity-ukwest/providers/Microsoft.Network/publicIPAddresses/dev-vpngw-ukwest-pip"
    • subnet_id = "/subscriptions/2560ed2d-c2de-48d7-b953-cb112107a0f5/resourceGroups/dev-connectivity-ukwest/providers/Microsoft.Network/virtualNetworks/dev-hub-ukwest/subnets/GatewaySubnet" }

  • ip_configuration {

    • name = "dev-vpngw-ukwest-pip2"
    • private_ip_address_allocation = "Dynamic"
    • public_ip_address_id = "/subscriptions/2560ed2d-c2de-48d7-b953-cb112107a0f5/resourceGroups/dev-connectivity-ukwest/providers/Microsoft.Network/publicIPAddresses/dev-vpngw-ukwest-pip2"
    • subnet_id = "/subscriptions/2560ed2d-c2de-48d7-b953-cb112107a0f5/resourceGroups/dev-connectivity-ukwest/providers/Microsoft.Network/virtualNetworks/dev-hub-ukwest/subnets/GatewaySubnet" } }

[ShadiAlbatal]

Hi, This is blocking us from deploying a new Landing Zone. Is there any update on the status of getting this resolved?

You can override the sku with custom settings, you shouldn't be totally blocked

Thanks, It would be good to get a working example on this thread

      custom_settings_by_resource_type = {
        azurerm_public_ip = {
          connectivity_vpn = {
            australiaeast = {
              sku = "Standard"
              allocation_method = "Static"
            }

Where to add this block?

[cbezenco]

[ShadiAlbatal]

yes, i finally got it working, thank. however, i am facing a problem with this

Hi, This is blocking us from deploying a new Landing Zone. Is there any update on the status of getting this resolved?

You can override the sku with custom settings, you shouldn't be totally blocked

Thanks, It would be good to get a working example on this thread

      custom_settings_by_resource_type = {
        azurerm_public_ip = {
          connectivity_vpn = {
            australiaeast = {
              sku = "Standard"
              allocation_method = "Static"
            }

overriding by resource type is understood that you will override settings, but what is the duty of connectivity_vpn phrase? how does it translate in the settings? I am trying to override another setting outside the ip settings, but does not read. what how to write it from scrash?

[ShadiAlbatal]

overriding by resource type is understood that you will override settings, but what is the duty of connectivity_vpn phrase? how does it translate in the settings? I am trying to override another setting outside the ip settings, but does not read. what how to write it from scrash?

overriding by resource type is understood that you will override settings, but what is the duty of connectivity_vpn phrase? how does it translate in the settings? I am trying to override another setting outside the ip settings, but does not read. what how to write it from scrash?

[matt-FFFFFF]

Our plans are to default to AZ SKUs in the next major version.

When we do this we will swap the IP to standard.

[SvenAelterman]

@matt-FFFFFF Wasn't v6 the next major release? This is still an issue with v6.

For everyone else, the connectivity_vpn is to distinguish VPN gateways from ER gateways. Overriding ER gateway details uses connectivity_expressroute. If you're deploying your VPN GW in active/active mode (which you probably should), you'll also need to override connectivity_vpn_2 (for the azurerm_public_ip resource type).