Microsoft.Network vpnGateways 2018-12-01

Bicep resource definition

The vpnGateways resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/vpnGateways resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.Network/vpnGateways@2018-12-01' = {
  scope: resourceSymbolicName or scope
  location: 'string'
  name: 'string'
  properties: {
    bgpSettings: {
      asn: int
      bgpPeeringAddress: 'string'
      peerWeight: int
    }
    connections: [
      {
        id: 'string'
        name: 'string'
        properties: {
          connectionBandwidth: int
          enableBgp: bool
          enableInternetSecurity: bool
          enableRateLimiting: bool
          ipsecPolicies: [
            {
              dhGroup: 'string'
              ikeEncryption: 'string'
              ikeIntegrity: 'string'
              ipsecEncryption: 'string'
              ipsecIntegrity: 'string'
              pfsGroup: 'string'
              saDataSizeKilobytes: int
              saLifeTimeSeconds: int
            }
          ]
          provisioningState: 'string'
          remoteVpnSite: {
            id: 'string'
          }
          routingWeight: int
          sharedKey: 'string'
          vpnConnectionProtocolType: 'string'
        }
      }
    ]
    provisioningState: 'string'
    virtualHub: {
      id: 'string'
    }
    vpnGatewayScaleUnit: int
  }
  tags: {
    {customized property}: 'string'
  }
}

Property Values

Microsoft.Network/vpnGateways

| Name | Description | Value |
| --- | --- | --- |
| location | Resource location. | string |
| name | The resource name | string (required) |
| properties | Parameters for VpnGateway | VpnGatewayProperties |
| scope | Use when creating a resource at a scope that is different than the deployment scope. | Set this property to the symbolic name of a resource to apply the extension resource. |
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates |

BgpSettings

| Name | Description | Value |
| --- | --- | --- |
| asn | The BGP speaker's ASN. | int |
| bgpPeeringAddress | The BGP peering address and BGP identifier of this BGP speaker. | string |
| peerWeight | The weight added to routes learned from this BGP speaker. | int |

IpsecPolicy

| Name | Description | Value |
| --- | --- | --- |
| dhGroup | The DH Groups used in IKE Phase 1 for initial SA. | 'DHGroup1', 'DHGroup14', 'DHGroup2', 'DHGroup2048', 'DHGroup24', 'ECP256', 'ECP384', 'None' (required) |
| ikeEncryption | The IKE encryption algorithm (IKE phase 2). | 'AES128', 'AES192', 'AES256', 'DES', 'DES3', 'GCMAES128', 'GCMAES256' (required) |
| ikeIntegrity | The IKE integrity algorithm (IKE phase 2). | 'GCMAES128', 'GCMAES256', 'MD5', 'SHA1', 'SHA256', 'SHA384' (required) |
| ipsecEncryption | The IPSec encryption algorithm (IKE phase 1). | 'AES128', 'AES192', 'AES256', 'DES', 'DES3', 'GCMAES128', 'GCMAES192', 'GCMAES256', 'None' (required) |
| ipsecIntegrity | The IPSec integrity algorithm (IKE phase 1). | 'GCMAES128', 'GCMAES192', 'GCMAES256', 'MD5', 'SHA1', 'SHA256' (required) |
| pfsGroup | The Pfs Groups used in IKE Phase 2 for new child SA. | 'ECP256', 'ECP384', 'None', 'PFS1', 'PFS14', 'PFS2', 'PFS2048', 'PFS24', 'PFSMM' (required) |
| saDataSizeKilobytes | The IPSec Security Association (also called Quick Mode or Phase 2 SA) payload size in KB for a site to site VPN tunnel. | int (required) |
| saLifeTimeSeconds | The IPSec Security Association (also called Quick Mode or Phase 2 SA) lifetime in seconds for a site to site VPN tunnel. | int (required) |

ResourceTags

| Name | Description | Value |
| --- | --- | --- |

SubResource

| Name | Description | Value |
| --- | --- | --- |
| id | Resource ID. | string |

VpnConnection

| Name | Description | Value |
| --- | --- | --- |
| id | Resource ID. | string |
| name | The name of the resource that is unique within a resource group. This name can be used to access the resource. | string |
| properties | Parameters for VpnConnection | VpnConnectionProperties |

VpnConnectionProperties

| Name | Description | Value |
| --- | --- | --- |
| connectionBandwidth | Expected bandwidth in MBPS. | int |
| enableBgp | EnableBgp flag | bool |
| enableInternetSecurity | Enable internet security | bool |
| enableRateLimiting | EnableBgp flag | bool |
| ipsecPolicies | The IPSec Policies to be considered by this connection. | IpsecPolicy[] |
| provisioningState | The provisioning state of the resource. | 'Deleting', 'Failed', 'Succeeded', 'Updating' |
| remoteVpnSite | Id of the connected vpn site. | SubResource |
| routingWeight | Routing weight for vpn connection. | int |
| sharedKey | SharedKey for the vpn connection. | string |
| vpnConnectionProtocolType | Connection protocol used for this connection | 'IKEv1', 'IKEv2' |

VpnGatewayProperties

| Name | Description | Value |
| --- | --- | --- |
| bgpSettings | Local network gateway's BGP speaker settings. | BgpSettings |
| connections | List of all vpn connections to the gateway. | VpnConnection[] |
| provisioningState | The provisioning state of the resource. | 'Deleting', 'Failed', 'Succeeded', 'Updating' |
| virtualHub | The VirtualHub to which the gateway belongs | SubResource |
| vpnGatewayScaleUnit | The scale unit for this vpn gateway. | int |

Usage Examples

Azure Verified Modules

The following Azure Verified Modules can be used to deploy this resource type.

| Module | Description |
| --- | --- |
| VPN Gateway | AVM Resource Module for VPN Gateway |

Azure Quickstart Samples

The following Azure Quickstart templates contain Bicep samples for deploying this resource type.

| Bicep File | Description |
| --- | --- |
| Creates Virtual WAN resources | This template allows you to create virtual WAN resources including Virtual WAN, Virtual Hub, VPN Gateway, VPN Site and a VPN Connection. |

ARM template resource definition

The vpnGateways resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/vpnGateways resource, add the following JSON to your template.

{
  "type": "Microsoft.Network/vpnGateways",
  "apiVersion": "2018-12-01",
  "name": "string",
  "location": "string",
  "properties": {
    "bgpSettings": {
      "asn": "int",
      "bgpPeeringAddress": "string",
      "peerWeight": "int"
    },
    "connections": [
      {
        "id": "string",
        "name": "string",
        "properties": {
          "connectionBandwidth": "int",
          "enableBgp": "bool",
          "enableInternetSecurity": "bool",
          "enableRateLimiting": "bool",
          "ipsecPolicies": [
            {
              "dhGroup": "string",
              "ikeEncryption": "string",
              "ikeIntegrity": "string",
              "ipsecEncryption": "string",
              "ipsecIntegrity": "string",
              "pfsGroup": "string",
              "saDataSizeKilobytes": "int",
              "saLifeTimeSeconds": "int"
            }
          ],
          "provisioningState": "string",
          "remoteVpnSite": {
            "id": "string"
          },
          "routingWeight": "int",
          "sharedKey": "string",
          "vpnConnectionProtocolType": "string"
        }
      }
    ],
    "provisioningState": "string",
    "virtualHub": {
      "id": "string"
    },
    "vpnGatewayScaleUnit": "int"
  },
  "tags": {
    "{customized property}": "string"
  }
}

Property Values

Microsoft.Network/vpnGateways

| Name | Description | Value |
| --- | --- | --- |
| apiVersion | The api version | '2018-12-01' |
| location | Resource location. | string |
| name | The resource name | string (required) |
| properties | Parameters for VpnGateway | VpnGatewayProperties |
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates |
| type | The resource type | 'Microsoft.Network/vpnGateways' |

BgpSettings

| Name | Description | Value |
| --- | --- | --- |
| asn | The BGP speaker's ASN. | int |
| bgpPeeringAddress | The BGP peering address and BGP identifier of this BGP speaker. | string |
| peerWeight | The weight added to routes learned from this BGP speaker. | int |

IpsecPolicy

| Name | Description | Value |
| --- | --- | --- |
| dhGroup | The DH Groups used in IKE Phase 1 for initial SA. | 'DHGroup1', 'DHGroup14', 'DHGroup2', 'DHGroup2048', 'DHGroup24', 'ECP256', 'ECP384', 'None' (required) |
| ikeEncryption | The IKE encryption algorithm (IKE phase 2). | 'AES128', 'AES192', 'AES256', 'DES', 'DES3', 'GCMAES128', 'GCMAES256' (required) |
| ikeIntegrity | The IKE integrity algorithm (IKE phase 2). | 'GCMAES128', 'GCMAES256', 'MD5', 'SHA1', 'SHA256', 'SHA384' (required) |
| ipsecEncryption | The IPSec encryption algorithm (IKE phase 1). | 'AES128', 'AES192', 'AES256', 'DES', 'DES3', 'GCMAES128', 'GCMAES192', 'GCMAES256', 'None' (required) |
| ipsecIntegrity | The IPSec integrity algorithm (IKE phase 1). | 'GCMAES128', 'GCMAES192', 'GCMAES256', 'MD5', 'SHA1', 'SHA256' (required) |
| pfsGroup | The Pfs Groups used in IKE Phase 2 for new child SA. | 'ECP256', 'ECP384', 'None', 'PFS1', 'PFS14', 'PFS2', 'PFS2048', 'PFS24', 'PFSMM' (required) |
| saDataSizeKilobytes | The IPSec Security Association (also called Quick Mode or Phase 2 SA) payload size in KB for a site to site VPN tunnel. | int (required) |
| saLifeTimeSeconds | The IPSec Security Association (also called Quick Mode or Phase 2 SA) lifetime in seconds for a site to site VPN tunnel. | int (required) |
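
As an added example (not from the original page or from Microsoft), this Python check walks an ARM template's vpnGateways connections and flags IpsecPolicy enum values a reviewer would typically reject, plus IKEv1 and literal sharedKey values. The WEAK policy set, the function name audit_vpn_gateways and the sample template are assumptions made for illustration.

```python
import json

# Assumed review policy (not Microsoft guidance): enum values from the
# IpsecPolicy table that a reviewer would reject for new tunnels.
WEAK = {
    "dhGroup": {"None", "DHGroup1", "DHGroup2"},
    "ikeEncryption": {"DES", "DES3"},
    "ikeIntegrity": {"MD5", "SHA1"},
    "ipsecEncryption": {"None", "DES", "DES3"},
    "ipsecIntegrity": {"MD5", "SHA1"},
    "pfsGroup": {"None", "PFS1", "PFS2"},
}

def audit_vpn_gateways(template):
    """Return (gateway, connection, finding) tuples for an ARM template dict."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type") != "Microsoft.Network/vpnGateways":
            continue
        for conn in res.get("properties", {}).get("connections", []):
            props = conn.get("properties", {})
            where = (res.get("name"), conn.get("name"))
            if props.get("vpnConnectionProtocolType") == "IKEv1":
                findings.append(where + ("vpnConnectionProtocolType=IKEv1",))
            key = props.get("sharedKey")
            # "[...]" is an ARM expression; "[[..." is an escaped literal string.
            if isinstance(key, str) and (not key.startswith("[") or key.startswith("[[")):
                findings.append(where + ("sharedKey is a literal in the template",))
            for policy in props.get("ipsecPolicies", []):
                for field, bad in WEAK.items():
                    if policy.get(field) in bad:
                        findings.append(where + (f"{field}={policy[field]}",))
    return findings

# Constructed sample template; names and values are illustrative only.
SAMPLE = json.loads("""
{"resources": [{
  "type": "Microsoft.Network/vpnGateways", "apiVersion": "2018-12-01",
  "name": "gw-example",
  "properties": {"connections": [
    {"name": "legacy-site", "properties": {
      "vpnConnectionProtocolType": "IKEv1", "sharedKey": "example-psk",
      "ipsecPolicies": [{"dhGroup": "DHGroup2", "ikeEncryption": "DES3",
        "ikeIntegrity": "SHA1", "ipsecEncryption": "AES256",
        "ipsecIntegrity": "SHA256", "pfsGroup": "None",
        "saDataSizeKilobytes": 102400000, "saLifeTimeSeconds": 27000}]}},
    {"name": "modern-site", "properties": {
      "vpnConnectionProtocolType": "IKEv2",
      "sharedKey": "[parameters('sharedKey')]",
      "ipsecPolicies": [{"dhGroup": "ECP384", "ikeEncryption": "AES256",
        "ikeIntegrity": "SHA384", "ipsecEncryption": "GCMAES256",
        "ipsecIntegrity": "GCMAES256", "pfsGroup": "ECP384",
        "saDataSizeKilobytes": 102400000, "saLifeTimeSeconds": 27000}]}}
  ]}}]}
""")

if __name__ == "__main__":
    for finding in audit_vpn_gateways(SAMPLE):
        print(*finding, sep=": ")
```
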

ResourceTags

| Name | Description | Value |
| --- | --- | --- |

SubResource

| Name | Description | Value |
| --- | --- | --- |
| id | Resource ID. | string |

VpnConnection

| Name | Description | Value |
| --- | --- | --- |
| id | Resource ID. | string |
| name | The name of the resource that is unique within a resource group. This name can be used to access the resource. | string |
| properties | Parameters for VpnConnection | VpnConnectionProperties |

VpnConnectionProperties

| Name | Description | Value |
| --- | --- | --- |
| connectionBandwidth | Expected bandwidth in MBPS. | int |
| enableBgp | EnableBgp flag | bool |
| enableInternetSecurity | Enable internet security | bool |
| enableRateLimiting | EnableBgp flag | bool |
| ipsecPolicies | The IPSec Policies to be considered by this connection. | IpsecPolicy[] |
| provisioningState | The provisioning state of the resource. | 'Deleting', 'Failed', 'Succeeded', 'Updating' |
| remoteVpnSite | Id of the connected vpn site. | SubResource |
| routingWeight | Routing weight for vpn connection. | int |
| sharedKey | SharedKey for the vpn connection. | string |
| vpnConnectionProtocolType | Connection protocol used for this connection | 'IKEv1', 'IKEv2' |

VpnGatewayProperties

| Name | Description | Value |
| --- | --- | --- |
| bgpSettings | Local network gateway's BGP speaker settings. | BgpSettings |
| connections | List of all vpn connections to the gateway. | VpnConnection[] |
| provisioningState | The provisioning state of the resource. | 'Deleting', 'Failed', 'Succeeded', 'Updating' |
| virtualHub | The VirtualHub to which the gateway belongs | SubResource |
| vpnGatewayScaleUnit | The scale unit for this vpn gateway. | int |

Usage Examples

Azure Quickstart Templates

The following Azure Quickstart templates deploy this resource type.

| Template | Description |
| --- | --- |
| Azure Virtual WAN (vWAN) Multi-Hub Deployment | This template allows you to create an Azure Virtual WAN (vWAN) multi-hub deployment including all gateways and VNET connections. |
| Azure vWAN Multi-Hub Deployment with Custom Routing Tables | This template allows you to create an Azure Virtual WAN (vWAN) multi-hub deployment, including all gateways and VNET connections, and demonstrate the usage of Route Tables for custom routing. |
| Creates Virtual WAN resources | This template allows you to create virtual WAN resources including Virtual WAN, Virtual Hub, VPN Gateway, VPN Site and a VPN Connection. |

Terraform (AzAPI provider) resource definition

The vpnGateways resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/vpnGateways resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Network/vpnGateways@2018-12-01"
  name = "string"
  parent_id = "string"
  location = "string"
  tags = {
    {customized property} = "string"
  }
  body = {
    properties = {
      bgpSettings = {
        asn = int
        bgpPeeringAddress = "string"
        peerWeight = int
      }
      connections = [
        {
          id = "string"
          name = "string"
          properties = {
            connectionBandwidth = int
            enableBgp = bool
            enableInternetSecurity = bool
            enableRateLimiting = bool
            ipsecPolicies = [
              {
                dhGroup = "string"
                ikeEncryption = "string"
                ikeIntegrity = "string"
                ipsecEncryption = "string"
                ipsecIntegrity = "string"
                pfsGroup = "string"
                saDataSizeKilobytes = int
                saLifeTimeSeconds = int
              }
            ]
            provisioningState = "string"
            remoteVpnSite = {
              id = "string"
            }
            routingWeight = int
            sharedKey = "string"
            vpnConnectionProtocolType = "string"
          }
        }
      ]
      provisioningState = "string"
      virtualHub = {
        id = "string"
      }
      vpnGatewayScaleUnit = int
    }
  }
}

Property Values

Microsoft.Network/vpnGateways

| Name | Description | Value |
| --- | --- | --- |
| location | Resource location. | string |
| name | The resource name | string (required) |
| parent_id | The ID of the resource to apply this extension resource to. | string (required) |
| properties | Parameters for VpnGateway | VpnGatewayProperties |
| tags | Resource tags | Dictionary of tag names and values. |
| type | The resource type | "Microsoft.Network/vpnGateways@2018-12-01" |

BgpSettings

| Name | Description | Value |
| --- | --- | --- |
| asn | The BGP speaker's ASN. | int |
| bgpPeeringAddress | The BGP peering address and BGP identifier of this BGP speaker. | string |
| peerWeight | The weight added to routes learned from this BGP speaker. | int |

IpsecPolicy

| Name | Description | Value |
| --- | --- | --- |
| dhGroup | The DH Groups used in IKE Phase 1 for initial SA. | 'DHGroup1', 'DHGroup14', 'DHGroup2', 'DHGroup2048', 'DHGroup24', 'ECP256', 'ECP384', 'None' (required) |
| ikeEncryption | The IKE encryption algorithm (IKE phase 2). | 'AES128', 'AES192', 'AES256', 'DES', 'DES3', 'GCMAES128', 'GCMAES256' (required) |
| ikeIntegrity | The IKE integrity algorithm (IKE phase 2). | 'GCMAES128', 'GCMAES256', 'MD5', 'SHA1', 'SHA256', 'SHA384' (required) |
| ipsecEncryption | The IPSec encryption algorithm (IKE phase 1). | 'AES128', 'AES192', 'AES256', 'DES', 'DES3', 'GCMAES128', 'GCMAES192', 'GCMAES256', 'None' (required) |
| ipsecIntegrity | The IPSec integrity algorithm (IKE phase 1). | 'GCMAES128', 'GCMAES192', 'GCMAES256', 'MD5', 'SHA1', 'SHA256' (required) |
| pfsGroup | The Pfs Groups used in IKE Phase 2 for new child SA. | 'ECP256', 'ECP384', 'None', 'PFS1', 'PFS14', 'PFS2', 'PFS2048', 'PFS24', 'PFSMM' (required) |
| saDataSizeKilobytes | The IPSec Security Association (also called Quick Mode or Phase 2 SA) payload size in KB for a site to site VPN tunnel. | int (required) |
| saLifeTimeSeconds | The IPSec Security Association (also called Quick Mode or Phase 2 SA) lifetime in seconds for a site to site VPN tunnel. | int (required) |

ResourceTags

| Name | Description | Value |
| --- | --- | --- |

SubResource

| Name | Description | Value |
| --- | --- | --- |
| id | Resource ID. | string |

VpnConnection

| Name | Description | Value |
| --- | --- | --- |
| id | Resource ID. | string |
| name | The name of the resource that is unique within a resource group. This name can be used to access the resource. | string |
| properties | Parameters for VpnConnection | VpnConnectionProperties |

VpnConnectionProperties

| Name | Description | Value |
| --- | --- | --- |
| connectionBandwidth | Expected bandwidth in MBPS. | int |
| enableBgp | EnableBgp flag | bool |
| enableInternetSecurity | Enable internet security | bool |
| enableRateLimiting | EnableBgp flag | bool |
| ipsecPolicies | The IPSec Policies to be considered by this connection. | IpsecPolicy[] |
| provisioningState | The provisioning state of the resource. | 'Deleting', 'Failed', 'Succeeded', 'Updating' |
| remoteVpnSite | Id of the connected vpn site. | SubResource |
| routingWeight | Routing weight for vpn connection. | int |
| sharedKey | SharedKey for the vpn connection. | string |
| vpnConnectionProtocolType | Connection protocol used for this connection | 'IKEv1', 'IKEv2' |

VpnGatewayProperties

| Name | Description | Value |
| --- | --- | --- |
| bgpSettings | Local network gateway's BGP speaker settings. | BgpSettings |
| connections | List of all vpn connections to the gateway. | VpnConnection[] |
| provisioningState | The provisioning state of the resource. | 'Deleting', 'Failed', 'Succeeded', 'Updating' |
| virtualHub | The VirtualHub to which the gateway belongs | SubResource |
| vpnGatewayScaleUnit | The scale unit for this vpn gateway. | int |

Usage Examples

Terraform Samples

A basic example of deploying VPN Gateway within a Virtual Hub.

terraform {
  required_providers {
    azapi = {
      source = "Azure/azapi"
    }
  }
}

provider "azapi" {
  skip_provider_registration = false
}

variable "resource_name" {
  type    = string
  default = "acctest0001"
}

variable "location" {
  type    = string
  default = "westeurope"
}

resource "azapi_resource" "resourceGroup" {
  type     = "Microsoft.Resources/resourceGroups@2020-06-01"
  name     = var.resource_name
  location = var.location
}

resource "azapi_resource" "virtualWan" {
  type      = "Microsoft.Network/virtualWans@2022-07-01"
  parent_id = azapi_resource.resourceGroup.id
  name      = var.resource_name
  location  = var.location
  body = {
    properties = {
      allowBranchToBranchTraffic     = true
      disableVpnEncryption           = false
      office365LocalBreakoutCategory = "None"
      type                           = "Standard"
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
}

resource "azapi_resource" "virtualHub" {
  type      = "Microsoft.Network/virtualHubs@2022-07-01"
  parent_id = azapi_resource.resourceGroup.id
  name      = var.resource_name
  location  = var.location
  body = {
    properties = {
      addressPrefix        = "10.0.0.0/24"
      hubRoutingPreference = "ExpressRoute"
      virtualRouterAutoScaleConfiguration = {
        minCapacity = 2
      }
      virtualWan = {
        id = azapi_resource.virtualWan.id
      }
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
}

resource "azapi_resource" "vpnGateway" {
  type      = "Microsoft.Network/vpnGateways@2022-07-01"
  parent_id = azapi_resource.resourceGroup.id
  name      = var.resource_name
  location  = var.location
  body = {
    properties = {
      enableBgpRouteTranslationForNat = false
      isRoutingPreferenceInternet     = false
      virtualHub = {
        id = azapi_resource.virtualHub.id
      }
      vpnGatewayScaleUnit = 1
    }
  }
  schema_validation_enabled = false
  response_export_values    = ["*"]
  timeouts {
    create = "180m"
    update = "180m"
    delete = "60m"
  }
}