Bicep resource definition
The virtualNetworkGateways resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Network/virtualNetworkGateways resource, add the following Bicep to your template.
// Skeleton for a Microsoft.Network/virtualNetworkGateways resource (API version 2024-03-01).
// Every 'string' / bool / int below is a placeholder; the permitted values for each property
// are listed in the Property Values tables that follow. `name` and `properties` are required.
resource symbolicname 'Microsoft.Network/virtualNetworkGateways@2024-03-01' = {
  // Only needed when the resource is created at a scope other than the deployment scope.
  scope: resourceSymbolicName or scope
  // Extended ___location; `type` is restricted to 'EdgeZone'.
  extendedLocation: {
    name: 'string'
    type: 'string'
  }
  // Managed identity attached to the gateway. `type` is one of 'None', 'SystemAssigned',
  // 'UserAssigned' or 'SystemAssigned, UserAssigned'; 'None' removes any existing identity.
  // Keys of userAssignedIdentities are the ARM resource IDs of the user-assigned identities.
  identity: {
    type: 'string'
    userAssignedIdentities: {
      {customized property}: {}
    }
  }
  ___location: 'string'
  name: 'string' // required
  properties: { // required
    activeActive: bool
    adminState: 'string' // 'Enabled' | 'Disabled'; applies to ExpressRoute gateways sharing a VNet
    allowRemoteVnetTraffic: bool // accept traffic from other Azure VNets (does not cover Virtual WAN)
    allowVirtualWanTraffic: bool // accept traffic from remote Virtual WAN networks
    autoScaleConfiguration: {
      bounds: {
        max: int // maximum scale units
        min: int // minimum scale units
      }
    }
    bgpSettings: {
      asn: int // 0 .. 4294967295
      bgpPeeringAddress: 'string' // BGP peering address / BGP identifier of this speaker
      bgpPeeringAddresses: [
        {
          customBgpIpAddresses: [
            'string'
          ]
          ipconfigurationId: 'string' // ID of the gateway IP configuration these addresses belong to
        }
      ]
      peerWeight: int // weight added to routes learned from this speaker
    }
    // Custom routes address space (CIDR prefixes) for the gateway and P2S VPN clients.
    customRoutes: {
      addressPrefixes: [
        'string'
      ]
    }
    // NOTE(review): presumably turns off IPsec anti-replay checking. Leave unset/false unless a
    // peer's interoperability genuinely requires it — disabling replay protection is a downgrade.
    disableIPSecReplayProtection: bool
    enableBgp: bool
    enableBgpRouteTranslationForNat: bool
    enableDnsForwarding: bool
    enablePrivateIpAddress: bool // use a private IP on this gateway for connections
    // LocalNetworkGateway that holds the default routes; assign null to remove an existing default site.
    gatewayDefaultSite: {
      id: 'string'
    }
    gatewayType: 'string' // 'ExpressRoute' | 'LocalGateway' | 'Vpn'
    ipConfigurations: [
      {
        id: 'string'
        name: 'string' // unique within the resource group
        properties: {
          privateIPAllocationMethod: 'string' // 'Dynamic' | 'Static'
          publicIPAddress: {
            id: 'string' // resource ID of the public IP
          }
          subnet: {
            id: 'string' // resource ID of the subnet
          }
        }
      }
    ]
    natRules: [
      {
        id: 'string'
        name: 'string' // unique within the resource group
        properties: {
          externalMappings: [
            {
              addressSpace: 'string'
              portRange: 'string'
            }
          ]
          internalMappings: [
            {
              addressSpace: 'string'
              portRange: 'string'
            }
          ]
          ipConfigurationId: 'string' // IP configuration this NAT rule applies to
          mode: 'string' // 'EgressSnat' | 'IngressSnat'
          type: 'string' // 'Dynamic' | 'Static'
        }
      }
    ]
    resiliencyModel: 'string' // 'MultiHomed' | 'SingleHomed' (ExpressRoute gateways)
    sku: {
      name: 'string' // e.g. 'Basic', 'VpnGw1' .. 'VpnGw5AZ', 'ErGw1AZ' .. 'ErGwScale'; see VirtualNetworkGatewaySku
      tier: 'string'
    }
    // Policy groups that classify authenticated P2S users (by AAD group, certificate group or
    // RADIUS group attribute) and are referenced from vngClientConnectionConfigurations below.
    virtualNetworkGatewayPolicyGroups: [
      {
        id: 'string'
        name: 'string'
        properties: {
          isDefault: bool // required
          policyMembers: [ // required
            {
              attributeType: 'string' // 'AADGroupId' | 'CertificateGroupId' | 'RadiusAzureGroupId'
              attributeValue: 'string'
              name: 'string'
            }
          ]
          priority: int // required
        }
      }
    ]
    vNetExtendedLocationResourceId: 'string' // customer VNet resource ID (used with the LocalGateway type)
    // Point-to-site (P2S) VPN client configuration.
    vpnClientConfiguration: {
      // AAD settings, used when vpnAuthenticationTypes includes 'AAD'.
      aadAudience: 'string'
      aadIssuer: 'string'
      aadTenant: 'string'
      radiusServerAddress: 'string'
      radiusServers: [
        {
          radiusServerAddress: 'string' // required
          radiusServerScore: int
          // RADIUS shared secret: supply it through a @secure() parameter or a Key Vault
          // reference, never as a literal in source control.
          radiusServerSecret: 'string'
        }
      ]
      // Same caveat: do not embed the RADIUS shared secret in the template.
      radiusServerSecret: 'string'
      // Per-address-pool connection policy for P2S clients.
      vngClientConnectionConfigurations: [
        {
          id: 'string'
          name: 'string'
          properties: {
            virtualNetworkGatewayPolicyGroups: [ // required
              {
                id: 'string'
              }
            ]
            vpnClientAddressPool: { // required
              addressPrefixes: [
                'string'
              ]
            }
          }
        }
      ]
      vpnAuthenticationTypes: [
        'string' // any of 'AAD' | 'Certificate' | 'Radius'
      ]
      vpnClientAddressPool: {
        addressPrefixes: [
          'string'
        ]
      }
      // Every field in an IpsecPolicy entry is required. The enums still accept legacy
      // algorithms (DES, DES3, MD5, SHA1, DHGroup1/DHGroup2, PFS1/PFS2); prefer AES or GCMAES,
      // SHA256 or stronger, and DHGroup14/DHGroup24/ECP groups for new deployments.
      vpnClientIpsecPolicies: [
        {
          dhGroup: 'string' // DH group for IKE phase 1 (initial SA)
          ikeEncryption: 'string'
          ikeIntegrity: 'string'
          ipsecEncryption: 'string'
          ipsecIntegrity: 'string'
          pfsGroup: 'string' // PFS group for new child SAs (phase 2)
          saDataSizeKilobytes: int // phase 2 SA payload size in KB
          saLifeTimeSeconds: int // phase 2 SA lifetime in seconds
        }
      ]
      vpnClientProtocols: [
        'string' // any of 'IkeV2' | 'OpenVPN' | 'SSTP'
      ]
      // Thumbprints of revoked P2S client certificates.
      vpnClientRevokedCertificates: [
        {
          id: 'string'
          name: 'string'
          properties: {
            thumbprint: 'string'
          }
        }
      ]
      // Trusted root certificates for certificate-based P2S authentication.
      vpnClientRootCertificates: [
        {
          id: 'string'
          name: 'string'
          properties: { // required
            publicCertData: 'string' // required; public certificate data only — never private key material
          }
        }
      ]
    }
    vpnGatewayGeneration: 'string' // 'Generation1' | 'Generation2' | 'None'; must be 'None' unless gatewayType is 'Vpn'
    vpnType: 'string' // 'PolicyBased' | 'RouteBased'
  }
  tags: {
    {customized property}: 'string'
  }
}
Property Values
Microsoft.Network/virtualNetworkGateways
| Name | Description | Value | 
|---|---|---|
| extendedLocation | The extended ___location of type local virtual network gateway. | ExtendedLocation | 
| identity | The identity of the virtual network gateway, if configured. | ManagedServiceIdentity | 
| ___location | Resource ___location. | string | 
| name | The resource name | string (required) | 
| properties | Properties of the virtual network gateway. | VirtualNetworkGatewayPropertiesFormat (required) | 
| scope | Use when creating a resource at a scope that is different than the deployment scope. | Set this property to the symbolic name of a resource to apply the extension resource. | 
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates | 
AddressSpace
| Name | Description | Value | 
|---|---|---|
| addressPrefixes | A list of address blocks reserved for this virtual network in CIDR notation. | string[] | 
BgpSettings
| Name | Description | Value | 
|---|---|---|
| asn | The BGP speaker's ASN. | int Constraints: Min value = 0 Max value = 4294967295 | 
| bgpPeeringAddress | The BGP peering address and BGP identifier of this BGP speaker. | string | 
| bgpPeeringAddresses | BGP peering address with IP configuration ID for virtual network gateway. | IPConfigurationBgpPeeringAddress[] | 
| peerWeight | The weight added to routes learned from this BGP speaker. | int | 
Components1Jq1T4ISchemasManagedserviceidentityPropertiesUserassignedidentitiesAdditionalproperties
| Name | Description | Value | 
|---|
ExtendedLocation
| Name | Description | Value | 
|---|---|---|
| name | The name of the extended ___location. | string | 
| type | The type of the extended ___location. | 'EdgeZone' | 
IPConfigurationBgpPeeringAddress
| Name | Description | Value | 
|---|---|---|
| customBgpIpAddresses | The list of custom BGP peering addresses which belong to IP configuration. | string[] | 
| ipconfigurationId | The ID of IP configuration which belongs to gateway. | string | 
IpsecPolicy
| Name | Description | Value | 
|---|---|---|
| dhGroup | The DH group used in IKE phase 1 for the initial SA. 'DHGroup1' and 'DHGroup2' are legacy groups; prefer 'DHGroup14', 'DHGroup24' or the ECP groups for new deployments. | 'DHGroup1' 'DHGroup14' 'DHGroup2' 'DHGroup2048' 'DHGroup24' 'ECP256' 'ECP384' 'None' (required) | 
| ikeEncryption | The IKE encryption algorithm (IKE phase 1, protecting the IKE SA). 'DES' and 'DES3' are legacy ciphers; prefer AES or GCMAES. | 'AES128' 'AES192' 'AES256' 'DES' 'DES3' 'GCMAES128' 'GCMAES256' (required) | 
| ikeIntegrity | The IKE integrity algorithm (IKE phase 1). 'MD5' and 'SHA1' are legacy; prefer 'SHA256' or stronger. | 'GCMAES128' 'GCMAES256' 'MD5' 'SHA1' 'SHA256' 'SHA384' (required) | 
| ipsecEncryption | The IPsec encryption algorithm (IKE phase 2 / child SA). 'DES' and 'DES3' are legacy ciphers; prefer AES or GCMAES. | 'AES128' 'AES192' 'AES256' 'DES' 'DES3' 'GCMAES128' 'GCMAES192' 'GCMAES256' 'None' (required) | 
| ipsecIntegrity | The IPsec integrity algorithm (IKE phase 2 / child SA). 'MD5' and 'SHA1' are legacy; prefer 'SHA256' or a GCMAES suite. | 'GCMAES128' 'GCMAES192' 'GCMAES256' 'MD5' 'SHA1' 'SHA256' (required) | 
| pfsGroup | The PFS group used in IKE phase 2 for new child SAs. 'PFS1' and 'PFS2' are legacy groups; prefer 'PFS14', 'PFS24' or the ECP groups. | 'ECP256' 'ECP384' 'None' 'PFS1' 'PFS14' 'PFS2' 'PFS2048' 'PFS24' 'PFSMM' (required) | 
| saDataSizeKilobytes | The IPSec Security Association (also called Quick Mode or Phase 2 SA) payload size in KB for a site to site VPN tunnel. | int (required) | 
| saLifeTimeSeconds | The IPSec Security Association (also called Quick Mode or Phase 2 SA) lifetime in seconds for a site to site VPN tunnel. | int (required) | 
ManagedServiceIdentity
| Name | Description | Value | 
|---|---|---|
| type | The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user-assigned identities. The type 'None' removes any identities from the gateway resource. | 'None' 'SystemAssigned' 'SystemAssigned, UserAssigned' 'UserAssigned' | 
| userAssignedIdentities | The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | ManagedServiceIdentityUserAssignedIdentities | 
ManagedServiceIdentityUserAssignedIdentities
| Name | Description | Value | 
|---|
RadiusServer
| Name | Description | Value | 
|---|---|---|
| radiusServerAddress | The address of this radius server. | string (required) | 
| radiusServerScore | The initial score assigned to this radius server. | int | 
| radiusServerSecret | The shared secret used for this RADIUS server. Pass it as a secure (`@secure()`) parameter or Key Vault reference rather than a literal in the template. | string | 
ResourceTags
| Name | Description | Value | 
|---|
SubResource
| Name | Description | Value | 
|---|---|---|
| id | Resource ID. | string | 
VirtualNetworkGatewayAutoScaleBounds
| Name | Description | Value | 
|---|---|---|
| max | Maximum Scale Units for Autoscale configuration | int | 
| min | Minimum scale Units for Autoscale configuration | int | 
VirtualNetworkGatewayAutoScaleConfiguration
| Name | Description | Value | 
|---|---|---|
| bounds | The bounds of the autoscale configuration | VirtualNetworkGatewayAutoScaleBounds | 
VirtualNetworkGatewayIPConfiguration
| Name | Description | Value | 
|---|---|---|
| id | Resource ID. | string | 
| name | The name of the resource that is unique within a resource group. This name can be used to access the resource. | string | 
| properties | Properties of the virtual network gateway ip configuration. | VirtualNetworkGatewayIPConfigurationPropertiesFormat | 
VirtualNetworkGatewayIPConfigurationPropertiesFormat
| Name | Description | Value | 
|---|---|---|
| privateIPAllocationMethod | The private IP address allocation method. | 'Dynamic' 'Static' | 
| publicIPAddress | The reference to the public IP resource. | SubResource | 
| subnet | The reference to the subnet resource. | SubResource | 
VirtualNetworkGatewayNatRule
| Name | Description | Value | 
|---|---|---|
| id | Resource ID. | string | 
| name | The name of the resource that is unique within a resource group. This name can be used to access the resource. | string | 
| properties | Properties of the Virtual Network Gateway NAT rule. | VirtualNetworkGatewayNatRuleProperties | 
VirtualNetworkGatewayNatRuleProperties
| Name | Description | Value | 
|---|---|---|
| externalMappings | The private IP address external mapping for NAT. | VpnNatRuleMapping[] | 
| internalMappings | The private IP address internal mapping for NAT. | VpnNatRuleMapping[] | 
| ipConfigurationId | The IP Configuration ID this NAT rule applies to. | string | 
| mode | The Source NAT direction of a VPN NAT. | 'EgressSnat' 'IngressSnat' | 
| type | The type of NAT rule for VPN NAT. | 'Dynamic' 'Static' | 
VirtualNetworkGatewayPolicyGroup
| Name | Description | Value | 
|---|---|---|
| id | Resource ID. | string | 
| name | The name of the resource that is unique within a resource group. This name can be used to access the resource. | string | 
| properties | Properties of the VirtualNetworkGatewayPolicyGroup. | VirtualNetworkGatewayPolicyGroupProperties | 
VirtualNetworkGatewayPolicyGroupMember
| Name | Description | Value | 
|---|---|---|
| attributeType | The Vpn Policy member attribute type. | 'AADGroupId' 'CertificateGroupId' 'RadiusAzureGroupId' | 
| attributeValue | The value of Attribute used for this VirtualNetworkGatewayPolicyGroupMember. | string | 
| name | Name of the VirtualNetworkGatewayPolicyGroupMember. | string | 
VirtualNetworkGatewayPolicyGroupProperties
| Name | Description | Value | 
|---|---|---|
| isDefault | Shows if this is a Default VirtualNetworkGatewayPolicyGroup or not. | bool (required) | 
| policyMembers | Multiple PolicyMembers for VirtualNetworkGatewayPolicyGroup. | VirtualNetworkGatewayPolicyGroupMember[] (required) | 
| priority | Priority for VirtualNetworkGatewayPolicyGroup. | int (required) | 
VirtualNetworkGatewayPropertiesFormat
| Name | Description | Value | 
|---|---|---|
| activeActive | ActiveActive flag. | bool | 
| adminState | Property to indicate if the Express Route Gateway serves traffic when there are multiple Express Route Gateways in the vnet | 'Disabled' 'Enabled' | 
| allowRemoteVnetTraffic | Configure this gateway to accept traffic from other Azure Virtual Networks. This configuration does not support connectivity to Azure Virtual WAN. | bool | 
| allowVirtualWanTraffic | Configures this gateway to accept traffic from remote Virtual WAN networks. | bool | 
| autoScaleConfiguration | Autoscale configuration for the virtual network gateway. | VirtualNetworkGatewayAutoScaleConfiguration | 
| bgpSettings | Virtual network gateway's BGP speaker settings. | BgpSettings | 
| customRoutes | The reference to the address space resource which represents the custom routes address space specified by the customer for virtual network gateway and VpnClient. | AddressSpace | 
| disableIPSecReplayProtection | Flag that disables IPsec replay protection on the gateway. Leave unset or false unless a peer's interoperability requires it; disabling replay protection weakens the tunnel. | bool | 
| enableBgp | Whether BGP is enabled for this virtual network gateway or not. | bool | 
| enableBgpRouteTranslationForNat | EnableBgpRouteTranslationForNat flag. | bool | 
| enableDnsForwarding | Whether dns forwarding is enabled or not. | bool | 
| enablePrivateIpAddress | Whether private IP needs to be enabled on this gateway for connections or not. | bool | 
| gatewayDefaultSite | The reference to the LocalNetworkGateway resource which represents local network site having default routes. Assign Null value in case of removing existing default site setting. | SubResource | 
| gatewayType | The type of this virtual network gateway. | 'ExpressRoute' 'LocalGateway' 'Vpn' | 
| ipConfigurations | IP configurations for virtual network gateway. | VirtualNetworkGatewayIPConfiguration[] | 
| natRules | NatRules for virtual network gateway. | VirtualNetworkGatewayNatRule[] | 
| resiliencyModel | Property to indicate if the Express Route Gateway has resiliency model of MultiHomed or SingleHomed | 'MultiHomed' 'SingleHomed' | 
| sku | The reference to the VirtualNetworkGatewaySku resource which represents the SKU selected for Virtual network gateway. | VirtualNetworkGatewaySku | 
| virtualNetworkGatewayPolicyGroups | The reference to the VirtualNetworkGatewayPolicyGroup resource which represents the available VirtualNetworkGatewayPolicyGroup for the gateway. | VirtualNetworkGatewayPolicyGroup[] | 
| vNetExtendedLocationResourceId | Customer vnet resource id. VirtualNetworkGateway of type local gateway is associated with the customer vnet. | string | 
| vpnClientConfiguration | The reference to the VpnClientConfiguration resource which represents the P2S VpnClient configurations. | VpnClientConfiguration | 
| vpnGatewayGeneration | The generation for this VirtualNetworkGateway. Must be None if gatewayType is not VPN. | 'Generation1' 'Generation2' 'None' | 
| vpnType | The type of this virtual network gateway. | 'PolicyBased' 'RouteBased' | 
VirtualNetworkGatewaySku
| Name | Description | Value | 
|---|---|---|
| name | Gateway SKU name. | 'Basic' 'ErGw1AZ' 'ErGw2AZ' 'ErGw3AZ' 'ErGwScale' 'HighPerformance' 'Standard' 'UltraPerformance' 'VpnGw1' 'VpnGw1AZ' 'VpnGw2' 'VpnGw2AZ' 'VpnGw3' 'VpnGw3AZ' 'VpnGw4' 'VpnGw4AZ' 'VpnGw5' 'VpnGw5AZ' | 
| tier | Gateway SKU tier. | 'Basic' 'ErGw1AZ' 'ErGw2AZ' 'ErGw3AZ' 'ErGwScale' 'HighPerformance' 'Standard' 'UltraPerformance' 'VpnGw1' 'VpnGw1AZ' 'VpnGw2' 'VpnGw2AZ' 'VpnGw3' 'VpnGw3AZ' 'VpnGw4' 'VpnGw4AZ' 'VpnGw5' 'VpnGw5AZ' | 
VngClientConnectionConfiguration
| Name | Description | Value | 
|---|---|---|
| id | Resource ID. | string | 
| name | The name of the resource that is unique within a resource group. This name can be used to access the resource. | string | 
| properties | Properties of the VPN client connection configuration. | VngClientConnectionConfigurationProperties | 
VngClientConnectionConfigurationProperties
| Name | Description | Value | 
|---|---|---|
| virtualNetworkGatewayPolicyGroups | List of references to virtualNetworkGatewayPolicyGroups | SubResource[] (required) | 
| vpnClientAddressPool | The reference to the address space resource which represents Address space for P2S VpnClient. | AddressSpace (required) | 
VpnClientConfiguration
| Name | Description | Value | 
|---|---|---|
| aadAudience | The AADAudience property of the VirtualNetworkGateway resource for vpn client connection used for AAD authentication. | string | 
| aadIssuer | The AADIssuer property of the VirtualNetworkGateway resource for vpn client connection used for AAD authentication. | string | 
| aadTenant | The AADTenant property of the VirtualNetworkGateway resource for vpn client connection used for AAD authentication. | string | 
| radiusServerAddress | The radius server address property of the VirtualNetworkGateway resource for vpn client connection. | string | 
| radiusServers | The radiusServers property for multiple radius server configuration. | RadiusServer[] | 
| radiusServerSecret | The RADIUS shared secret for VPN client connections. Pass it as a secure (`@secure()`) parameter or Key Vault reference rather than a literal in the template. | string | 
| vngClientConnectionConfigurations | per ip address pool connection policy for virtual network gateway P2S client. | VngClientConnectionConfiguration[] | 
| vpnAuthenticationTypes | VPN authentication types for the virtual network gateway. | String array containing any of: 'AAD' 'Certificate' 'Radius' | 
| vpnClientAddressPool | The reference to the address space resource which represents Address space for P2S VpnClient. | AddressSpace | 
| vpnClientIpsecPolicies | VpnClientIpsecPolicies for virtual network gateway P2S client. | IpsecPolicy[] | 
| vpnClientProtocols | VpnClientProtocols for Virtual network gateway. | String array containing any of: 'IkeV2' 'OpenVPN' 'SSTP' | 
| vpnClientRevokedCertificates | VpnClientRevokedCertificate for Virtual network gateway. | VpnClientRevokedCertificate[] | 
| vpnClientRootCertificates | VpnClientRootCertificate for virtual network gateway. | VpnClientRootCertificate[] | 
VpnClientRevokedCertificate
| Name | Description | Value | 
|---|---|---|
| id | Resource ID. | string | 
| name | The name of the resource that is unique within a resource group. This name can be used to access the resource. | string | 
| properties | Properties of the vpn client revoked certificate. | VpnClientRevokedCertificatePropertiesFormat | 
VpnClientRevokedCertificatePropertiesFormat
| Name | Description | Value | 
|---|---|---|
| thumbprint | The revoked VPN client certificate thumbprint. | string | 
VpnClientRootCertificate
| Name | Description | Value | 
|---|---|---|
| id | Resource ID. | string | 
| name | The name of the resource that is unique within a resource group. This name can be used to access the resource. | string | 
| properties | Properties of the vpn client root certificate. | VpnClientRootCertificatePropertiesFormat (required) | 
VpnClientRootCertificatePropertiesFormat
| Name | Description | Value | 
|---|---|---|
| publicCertData | The certificate public data (the public certificate only; never include private key material). | string (required) | 
VpnNatRuleMapping
| Name | Description | Value | 
|---|---|---|
| addressSpace | Address space for Vpn NatRule mapping. | string | 
| portRange | Port range for Vpn NatRule mapping. | string | 
Usage Examples
Azure Verified Modules
The following Azure Verified Modules can be used to deploy this resource type.
| Module | Description | 
|---|---|
| Virtual Network Gateway | AVM Resource Module for Virtual Network Gateway | 
Azure Quickstart Samples
The following Azure Quickstart templates contain Bicep samples for deploying this resource type.
| Bicep File | Description | 
|---|---|
| Create a BGP VNET to VNET connection | This template allows you to connect two VNETs using Virtual Network Gateways and BGP | 
| Create a Point-to-Site Gateway with Azure AD | This template deploys a VPN Virtual Network Gateway configured with an Azure Active Directory Point-to-Site connection | 
| ExpressRoute circuit with private peering and Azure VNet | This template configures ExpressRoute Microsoft peering, deploys an Azure VNet with an ExpressRoute gateway, and links the VNet to the ExpressRoute circuit | 
| Site-to-Site VPN with active-active VPN Gateways with BGP | This template allows you to deploy a site-to-site VPN between two VNets with VPN Gateways in an active-active configuration with BGP. Each Azure VPN Gateway resolves the FQDN of the remote peers to determine the public IP of the remote VPN Gateway. The template runs as expected in Azure regions with availability zones. | 
| Use Azure Firewall as a DNS Proxy in a Hub & Spoke topology | This sample shows how to deploy a hub-spoke topology in Azure using Azure Firewall. The hub virtual network acts as a central point of connectivity for many spoke virtual networks, which are connected to the hub virtual network via virtual network peering. | 
ARM template resource definition
The virtualNetworkGateways resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Network/virtualNetworkGateways resource, add the following JSON to your template.
{
  "type": "Microsoft.Network/virtualNetworkGateways",
  "apiVersion": "2024-03-01",
  "name": "string",
  "extendedLocation": {
    "name": "string",
    "type": "string"
  },
  "identity": {
    "type": "string",
    "userAssignedIdentities": {
      "{customized property}": {
      }
    }
  },
  "___location": "string",
  "properties": {
    "activeActive": "bool",
    "adminState": "string",
    "allowRemoteVnetTraffic": "bool",
    "allowVirtualWanTraffic": "bool",
    "autoScaleConfiguration": {
      "bounds": {
        "max": "int",
        "min": "int"
      }
    },
    "bgpSettings": {
      "asn": "int",
      "bgpPeeringAddress": "string",
      "bgpPeeringAddresses": [
        {
          "customBgpIpAddresses": [ "string" ],
          "ipconfigurationId": "string"
        }
      ],
      "peerWeight": "int"
    },
    "customRoutes": {
      "addressPrefixes": [ "string" ]
    },
    "disableIPSecReplayProtection": "bool",
    "enableBgp": "bool",
    "enableBgpRouteTranslationForNat": "bool",
    "enableDnsForwarding": "bool",
    "enablePrivateIpAddress": "bool",
    "gatewayDefaultSite": {
      "id": "string"
    },
    "gatewayType": "string",
    "ipConfigurations": [
      {
        "id": "string",
        "name": "string",
        "properties": {
          "privateIPAllocationMethod": "string",
          "publicIPAddress": {
            "id": "string"
          },
          "subnet": {
            "id": "string"
          }
        }
      }
    ],
    "natRules": [
      {
        "id": "string",
        "name": "string",
        "properties": {
          "externalMappings": [
            {
              "addressSpace": "string",
              "portRange": "string"
            }
          ],
          "internalMappings": [
            {
              "addressSpace": "string",
              "portRange": "string"
            }
          ],
          "ipConfigurationId": "string",
          "mode": "string",
          "type": "string"
        }
      }
    ],
    "resiliencyModel": "string",
    "sku": {
      "name": "string",
      "tier": "string"
    },
    "virtualNetworkGatewayPolicyGroups": [
      {
        "id": "string",
        "name": "string",
        "properties": {
          "isDefault": "bool",
          "policyMembers": [
            {
              "attributeType": "string",
              "attributeValue": "string",
              "name": "string"
            }
          ],
          "priority": "int"
        }
      }
    ],
    "vNetExtendedLocationResourceId": "string",
    "vpnClientConfiguration": {
      "aadAudience": "string",
      "aadIssuer": "string",
      "aadTenant": "string",
      "radiusServerAddress": "string",
      "radiusServers": [
        {
          "radiusServerAddress": "string",
          "radiusServerScore": "int",
          "radiusServerSecret": "string"
        }
      ],
      "radiusServerSecret": "string",
      "vngClientConnectionConfigurations": [
        {
          "id": "string",
          "name": "string",
          "properties": {
            "virtualNetworkGatewayPolicyGroups": [
              {
                "id": "string"
              }
            ],
            "vpnClientAddressPool": {
              "addressPrefixes": [ "string" ]
            }
          }
        }
      ],
      "vpnAuthenticationTypes": [ "string" ],
      "vpnClientAddressPool": {
        "addressPrefixes": [ "string" ]
      },
      "vpnClientIpsecPolicies": [
        {
          "dhGroup": "string",
          "ikeEncryption": "string",
          "ikeIntegrity": "string",
          "ipsecEncryption": "string",
          "ipsecIntegrity": "string",
          "pfsGroup": "string",
          "saDataSizeKilobytes": "int",
          "saLifeTimeSeconds": "int"
        }
      ],
      "vpnClientProtocols": [ "string" ],
      "vpnClientRevokedCertificates": [
        {
          "id": "string",
          "name": "string",
          "properties": {
            "thumbprint": "string"
          }
        }
      ],
      "vpnClientRootCertificates": [
        {
          "id": "string",
          "name": "string",
          "properties": {
            "publicCertData": "string"
          }
        }
      ]
    },
    "vpnGatewayGeneration": "string",
    "vpnType": "string"
  },
  "tags": {
    "{customized property}": "string"
  }
}
Property Values
Microsoft.Network/virtualNetworkGateways
| Name | Description | Value | 
|---|---|---|
| apiVersion | The api version | '2024-03-01' | 
| extendedLocation | The extended ___location of type local virtual network gateway. | ExtendedLocation | 
| identity | The identity of the virtual network gateway, if configured. | ManagedServiceIdentity | 
| ___location | Resource ___location. | string | 
| name | The resource name | string (required) | 
| properties | Properties of the virtual network gateway. | VirtualNetworkGatewayPropertiesFormat (required) | 
| tags | Resource tags | Dictionary of tag names and values. See Tags in templates | 
| type | The resource type | 'Microsoft.Network/virtualNetworkGateways' | 
AddressSpace
| Name | Description | Value | 
|---|---|---|
| addressPrefixes | A list of address blocks reserved for this virtual network in CIDR notation. | string[] | 
BgpSettings
| Name | Description | Value | 
|---|---|---|
| asn | The BGP speaker's ASN. | int Constraints: Min value = 0 Max value = 4294967295 | 
| bgpPeeringAddress | The BGP peering address and BGP identifier of this BGP speaker. | string | 
| bgpPeeringAddresses | BGP peering address with IP configuration ID for virtual network gateway. | IPConfigurationBgpPeeringAddress[] | 
| peerWeight | The weight added to routes learned from this BGP speaker. | int | 
Components1Jq1T4ISchemasManagedserviceidentityPropertiesUserassignedidentitiesAdditionalproperties
| Name | Description | Value | 
|---|
ExtendedLocation
| Name | Description | Value | 
|---|---|---|
| name | The name of the extended ___location. | string | 
| type | The type of the extended ___location. | 'EdgeZone' | 
IPConfigurationBgpPeeringAddress
| Name | Description | Value | 
|---|---|---|
| customBgpIpAddresses | The list of custom BGP peering addresses which belong to IP configuration. | string[] | 
| ipconfigurationId | The ID of IP configuration which belongs to gateway. | string | 
IpsecPolicy
| Name | Description | Value | 
|---|---|---|
| dhGroup | The DH group used in IKE phase 1 for the initial SA. 'DHGroup1' and 'DHGroup2' are legacy groups; prefer 'DHGroup14', 'DHGroup24' or the ECP groups for new deployments. | 'DHGroup1' 'DHGroup14' 'DHGroup2' 'DHGroup2048' 'DHGroup24' 'ECP256' 'ECP384' 'None' (required) | 
| ikeEncryption | The IKE encryption algorithm (IKE phase 1, protecting the IKE SA). 'DES' and 'DES3' are legacy ciphers; prefer AES or GCMAES. | 'AES128' 'AES192' 'AES256' 'DES' 'DES3' 'GCMAES128' 'GCMAES256' (required) | 
| ikeIntegrity | The IKE integrity algorithm (IKE phase 1). 'MD5' and 'SHA1' are legacy; prefer 'SHA256' or stronger. | 'GCMAES128' 'GCMAES256' 'MD5' 'SHA1' 'SHA256' 'SHA384' (required) | 
| ipsecEncryption | The IPsec encryption algorithm (IKE phase 2 / child SA). 'DES' and 'DES3' are legacy ciphers; prefer AES or GCMAES. | 'AES128' 'AES192' 'AES256' 'DES' 'DES3' 'GCMAES128' 'GCMAES192' 'GCMAES256' 'None' (required) | 
| ipsecIntegrity | The IPsec integrity algorithm (IKE phase 2 / child SA). 'MD5' and 'SHA1' are legacy; prefer 'SHA256' or a GCMAES suite. | 'GCMAES128' 'GCMAES192' 'GCMAES256' 'MD5' 'SHA1' 'SHA256' (required) | 
| pfsGroup | The PFS group used in IKE phase 2 for new child SAs. 'PFS1' and 'PFS2' are legacy groups; prefer 'PFS14', 'PFS24' or the ECP groups. | 'ECP256' 'ECP384' 'None' 'PFS1' 'PFS14' 'PFS2' 'PFS2048' 'PFS24' 'PFSMM' (required) | 
| saDataSizeKilobytes | The IPSec Security Association (also called Quick Mode or Phase 2 SA) payload size in KB for a site to site VPN tunnel. | int (required) | 
| saLifeTimeSeconds | The IPSec Security Association (also called Quick Mode or Phase 2 SA) lifetime in seconds for a site to site VPN tunnel. | int (required) | 
ManagedServiceIdentity
| Name | Description | Value | 
|---|---|---|
| type | The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user-assigned identities. The type 'None' removes any identities from the gateway resource. | 'None' 'SystemAssigned' 'SystemAssigned, UserAssigned' 'UserAssigned' | 
| userAssignedIdentities | The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | ManagedServiceIdentityUserAssignedIdentities | 
ManagedServiceIdentityUserAssignedIdentities
| Name | Description | Value | 
|---|
RadiusServer
| Name | Description | Value | 
|---|---|---|
| radiusServerAddress | The address of this radius server. | string (required) | 
| radiusServerScore | The initial score assigned to this radius server. | int | 
| radiusServerSecret | The shared secret used for this RADIUS server. Pass it as a secure parameter or Key Vault reference rather than a literal in the template. | string | 
ResourceTags
| Name | Description | Value | 
|---|
SubResource
| Name | Description | Value | 
|---|---|---|
| id | Resource ID. | string | 
VirtualNetworkGatewayAutoScaleBounds
| Name | Description | Value | 
|---|---|---|
| max | Maximum Scale Units for Autoscale configuration | int | 
| min | Minimum scale Units for Autoscale configuration | int | 
VirtualNetworkGatewayAutoScaleConfiguration
| Name | Description | Value | 
|---|---|---|
| bounds | The bounds of the autoscale configuration | VirtualNetworkGatewayAutoScaleBounds | 
VirtualNetworkGatewayIPConfiguration
| Name | Description | Value | 
|---|---|---|
| id | Resource ID. | string | 
| name | The name of the resource that is unique within a resource group. This name can be used to access the resource. | string | 
| properties | Properties of the virtual network gateway ip configuration. | VirtualNetworkGatewayIPConfigurationPropertiesFormat | 
VirtualNetworkGatewayIPConfigurationPropertiesFormat
| Name | Description | Value | 
|---|---|---|
| privateIPAllocationMethod | The private IP address allocation method. | 'Dynamic' 'Static' | 
| publicIPAddress | The reference to the public IP resource. | SubResource | 
| subnet | The reference to the subnet resource. | SubResource | 
VirtualNetworkGatewayNatRule
| Name | Description | Value | 
|---|---|---|
| id | Resource ID. | string | 
| name | The name of the resource that is unique within a resource group. This name can be used to access the resource. | string | 
| properties | Properties of the Virtual Network Gateway NAT rule. | VirtualNetworkGatewayNatRuleProperties | 
VirtualNetworkGatewayNatRuleProperties
| Name | Description | Value | 
|---|---|---|
| externalMappings | The private IP address external mapping for NAT. | VpnNatRuleMapping[] | 
| internalMappings | The private IP address internal mapping for NAT. | VpnNatRuleMapping[] | 
| ipConfigurationId | The IP Configuration ID this NAT rule applies to. | string | 
| mode | The Source NAT direction of a VPN NAT. | 'EgressSnat' 'IngressSnat' | 
| type | The type of NAT rule for VPN NAT. | 'Dynamic' 'Static' | 
VirtualNetworkGatewayPolicyGroup
| Name | Description | Value | 
|---|---|---|
| id | Resource ID. | string | 
| name | The name of the resource that is unique within a resource group. This name can be used to access the resource. | string | 
| properties | Properties of the VirtualNetworkGatewayPolicyGroup. | VirtualNetworkGatewayPolicyGroupProperties | 
VirtualNetworkGatewayPolicyGroupMember
| Name | Description | Value | 
|---|---|---|
| attributeType | The Vpn Policy member attribute type. | 'AADGroupId' 'CertificateGroupId' 'RadiusAzureGroupId' | 
| attributeValue | The value of Attribute used for this VirtualNetworkGatewayPolicyGroupMember. | string | 
| name | Name of the VirtualNetworkGatewayPolicyGroupMember. | string | 
VirtualNetworkGatewayPolicyGroupProperties
| Name | Description | Value | 
|---|---|---|
| isDefault | Shows if this is a Default VirtualNetworkGatewayPolicyGroup or not. | bool (required) | 
| policyMembers | Multiple PolicyMembers for VirtualNetworkGatewayPolicyGroup. | VirtualNetworkGatewayPolicyGroupMember[] (required) | 
| priority | Priority for VirtualNetworkGatewayPolicyGroup. | int (required) | 
VirtualNetworkGatewayPropertiesFormat
| Name | Description | Value | 
|---|---|---|
| activeActive | ActiveActive flag. | bool | 
| adminState | Property to indicate if the Express Route Gateway serves traffic when there are multiple Express Route Gateways in the vnet | 'Disabled' 'Enabled' | 
| allowRemoteVnetTraffic | Configure this gateway to accept traffic from other Azure Virtual Networks. This configuration does not support connectivity to Azure Virtual WAN. | bool | 
| allowVirtualWanTraffic | Configures this gateway to accept traffic from remote Virtual WAN networks. | bool | 
| autoScaleConfiguration | Autoscale configuration for the virtual network gateway. | VirtualNetworkGatewayAutoScaleConfiguration | 
| bgpSettings | Virtual network gateway's BGP speaker settings. | BgpSettings | 
| customRoutes | The reference to the address space resource which represents the custom routes address space specified by the customer for virtual network gateway and VpnClient. | AddressSpace | 
| disableIPSecReplayProtection | When true, disables IPsec anti-replay protection on the gateway's tunnels, so captured ESP packets could be re-injected. Leave unset (false) unless a specific peer cannot interoperate with replay windows. | bool | 
| enableBgp | Whether BGP is enabled for this virtual network gateway or not. | bool | 
| enableBgpRouteTranslationForNat | EnableBgpRouteTranslationForNat flag. | bool | 
| enableDnsForwarding | Whether dns forwarding is enabled or not. | bool | 
| enablePrivateIpAddress | Whether private IP needs to be enabled on this gateway for connections or not. | bool | 
| gatewayDefaultSite | The reference to the LocalNetworkGateway resource which represents local network site having default routes. Assign Null value in case of removing existing default site setting. | SubResource | 
| gatewayType | The type of this virtual network gateway. | 'ExpressRoute' 'LocalGateway' 'Vpn' | 
| ipConfigurations | IP configurations for virtual network gateway. | VirtualNetworkGatewayIPConfiguration[] | 
| natRules | NatRules for virtual network gateway. | VirtualNetworkGatewayNatRule[] | 
| resiliencyModel | Property to indicate if the Express Route Gateway has resiliency model of MultiHomed or SingleHomed | 'MultiHomed' 'SingleHomed' | 
| sku | The reference to the VirtualNetworkGatewaySku resource which represents the SKU selected for Virtual network gateway. | VirtualNetworkGatewaySku | 
| virtualNetworkGatewayPolicyGroups | The reference to the VirtualNetworkGatewayPolicyGroup resource which represents the available VirtualNetworkGatewayPolicyGroup for the gateway. | VirtualNetworkGatewayPolicyGroup[] | 
| vNetExtendedLocationResourceId | Customer vnet resource id. VirtualNetworkGateway of type local gateway is associated with the customer vnet. | string | 
| vpnClientConfiguration | The reference to the VpnClientConfiguration resource which represents the P2S VpnClient configurations. | VpnClientConfiguration | 
| vpnGatewayGeneration | The generation for this VirtualNetworkGateway. Must be None if gatewayType is not VPN. | 'Generation1' 'Generation2' 'None' | 
| vpnType | The VPN type (policy-based or route-based) of this virtual network gateway. | 'PolicyBased' 'RouteBased' | 
VirtualNetworkGatewaySku
| Name | Description | Value | 
|---|---|---|
| name | Gateway SKU name. | 'Basic' 'ErGw1AZ' 'ErGw2AZ' 'ErGw3AZ' 'ErGwScale' 'HighPerformance' 'Standard' 'UltraPerformance' 'VpnGw1' 'VpnGw1AZ' 'VpnGw2' 'VpnGw2AZ' 'VpnGw3' 'VpnGw3AZ' 'VpnGw4' 'VpnGw4AZ' 'VpnGw5' 'VpnGw5AZ' | 
| tier | Gateway SKU tier. | 'Basic' 'ErGw1AZ' 'ErGw2AZ' 'ErGw3AZ' 'ErGwScale' 'HighPerformance' 'Standard' 'UltraPerformance' 'VpnGw1' 'VpnGw1AZ' 'VpnGw2' 'VpnGw2AZ' 'VpnGw3' 'VpnGw3AZ' 'VpnGw4' 'VpnGw4AZ' 'VpnGw5' 'VpnGw5AZ' | 
VngClientConnectionConfiguration
| Name | Description | Value | 
|---|---|---|
| id | Resource ID. | string | 
| name | The name of the resource that is unique within a resource group. This name can be used to access the resource. | string | 
| properties | Properties of the VNG client connection configuration. | VngClientConnectionConfigurationProperties | 
VngClientConnectionConfigurationProperties
| Name | Description | Value | 
|---|---|---|
| virtualNetworkGatewayPolicyGroups | List of references to virtualNetworkGatewayPolicyGroups | SubResource[] (required) | 
| vpnClientAddressPool | The reference to the address space resource which represents Address space for P2S VpnClient. | AddressSpace (required) | 
VpnClientConfiguration
| Name | Description | Value | 
|---|---|---|
| aadAudience | The AADAudience property of the VirtualNetworkGateway resource for vpn client connection used for AAD authentication. | string | 
| aadIssuer | The AADIssuer property of the VirtualNetworkGateway resource for vpn client connection used for AAD authentication. | string | 
| aadTenant | The AADTenant property of the VirtualNetworkGateway resource for vpn client connection used for AAD authentication. | string | 
| radiusServerAddress | The radius server address property of the VirtualNetworkGateway resource for vpn client connection. | string | 
| radiusServers | The radiusServers property for multiple radius server configuration. | RadiusServer[] | 
| radiusServerSecret | The RADIUS shared secret for the single-server configuration of this VirtualNetworkGateway's P2S client connections. Treat it as a credential: pass it in from a secure parameter or a Key Vault reference rather than hard-coding it in the template. | string | 
| vngClientConnectionConfigurations | per ip address pool connection policy for virtual network gateway P2S client. | VngClientConnectionConfiguration[] | 
| vpnAuthenticationTypes | VPN authentication types accepted by the gateway for P2S clients. 'Certificate' relies on vpnClientRootCertificates (and vpnClientRevokedCertificates), 'Radius' on the radiusServer* settings, and 'AAD' on aadTenant/aadIssuer/aadAudience. | String array containing any of: 'AAD' 'Certificate' 'Radius' | 
| vpnClientAddressPool | The reference to the address space resource which represents Address space for P2S VpnClient. | AddressSpace | 
| vpnClientIpsecPolicies | VpnClientIpsecPolicies for virtual network gateway P2S client. | IpsecPolicy[] | 
| vpnClientProtocols | VpnClientProtocols for Virtual network gateway. | String array containing any of: 'IkeV2' 'OpenVPN' 'SSTP' | 
| vpnClientRevokedCertificates | VpnClientRevokedCertificate for Virtual network gateway. | VpnClientRevokedCertificate[] | 
| vpnClientRootCertificates | VpnClientRootCertificate for virtual network gateway. | VpnClientRootCertificate[] | 
VpnClientRevokedCertificate
| Name | Description | Value | 
|---|---|---|
| id | Resource ID. | string | 
| name | The name of the resource that is unique within a resource group. This name can be used to access the resource. | string | 
| properties | Properties of the vpn client revoked certificate. | VpnClientRevokedCertificatePropertiesFormat | 
VpnClientRevokedCertificatePropertiesFormat
| Name | Description | Value | 
|---|---|---|
| thumbprint | The revoked VPN client certificate thumbprint. | string | 
VpnClientRootCertificate
| Name | Description | Value | 
|---|---|---|
| id | Resource ID. | string | 
| name | The name of the resource that is unique within a resource group. This name can be used to access the resource. | string | 
| properties | Properties of the vpn client root certificate. | VpnClientRootCertificatePropertiesFormat (required) | 
VpnClientRootCertificatePropertiesFormat
| Name | Description | Value | 
|---|---|---|
| publicCertData | The public certificate data of the root CA (no private key). Any client certificate that chains to a root listed here is accepted for P2S certificate authentication, so protect the root's private key and revoke compromised client certificates via vpnClientRevokedCertificates. | string (required) | 
VpnNatRuleMapping
| Name | Description | Value | 
|---|---|---|
| addressSpace | Address space for Vpn NatRule mapping. | string | 
| portRange | Port range for Vpn NatRule mapping. | string | 
Usage Examples
Azure Quickstart Templates
The following Azure Quickstart templates deploy this resource type.
| Template | Description | 
|---|---|
| App Service Environment with Azure SQL backend | This template creates an App Service Environment with an Azure SQL backend, private endpoints, and the associated resources typically used in a private/isolated environment. | 
| Connect an ExpressRoute circuit to a VNET | This template creates a VNET, an ExpressRoute Gateway and a connection to a provisioned and enabled ExpressRoute circuit with AzurePrivatePeering configured. | 
| Create a BGP VNET to VNET connection | This template allows you to connect two VNETs using Virtual Network Gateways and BGP | 
| Create a DevTest environment with P2S VPN and IIS | This template creates a simple DevTest environment with a Point-to-Site VPN and IIS on a Windows server which is a great way to get started. | 
| Create a Point-to-Site Gateway | This template allows you to create a Point-to-Site connection using VirtualNetworkGateways | 
| Create a Point-to-Site Gateway with Azure AD | This template deploys a VPN Virtual Network Gateway configured with an Azure Active Directory Point-to-Site connection | 
| Create a Site-to-Site VPN Connection | This template allows you to create a Site-to-Site VPN Connection using Virtual Network Gateways | 
| Create a Site-to-Site VPN Connection with VM | This template allows you to create a Site-to-Site VPN Connection using Virtual Network Gateways | 
| Create a VNET to VNET connection across two regions | This template allows you to connect two VNETs in different regions using Virtual Network Gateways | 
| Create SQL MI with point-to-site connection configured | Deploy Azure Sql Database Managed Instance (SQL MI) and Virtual network gateway configured for point-to-site connection inside the new virtual network. | 
| Create three vNets to demonstrate transitive BGP connections | This template deploys three vNets connected using Virtual Network Gateways and BGP-enabled connections | 
| Create VNet with two Subnets, local network, and gateway | This template creates a VNet, 2 subnets, and a gateway | 
| Deploy a Hub and Spoke topology sandbox | This template creates a basic hub-and-spoke topology setup. It creates a Hub VNet with subnets DMZ, Management, Shared and Gateway (optionally), with two Spoke VNets (development and production) containing a workload subnet each. It also deploys a Windows Jump-Host on the Management subnet of the HUB, and establishes VNet peerings between the Hub and the two spokes. | 
| Deploy HBase geo replication | This template allows you to configure an Azure environment for HBase replication across two different regions with VPN vnet-to-vnet connection. | 
| ExpressRoute circuit with private peering and Azure VNet | This template configures ExpressRoute Microsoft peering, deploys an Azure VNet with an ExpressRoute gateway, and links the VNet to the ExpressRoute circuit. | 
| Extend an existing Azure VNET to a Multi-VNET Configuration | This template allows you to extend an existing single VNET environment to a Multi-VNET environment that extends across two datacenter regions using VNET-to-VNET gateways | 
| Site-to-Site VPN with active-active VPN Gateways with BGP | This template allows you to deploy a site-to-site VPN between two VNets with VPN Gateways in configuration active-active with BGP. Each Azure VPN Gateway resolves the FQDN of the remote peers to determine the public IP of the remote VPN Gateway. Template runs as expected in Azure regions with availability zones. | 
| Use Azure Firewall as a DNS Proxy in a Hub & Spoke topology | This sample shows how to deploy a hub-spoke topology in Azure using Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to the hub virtual network via virtual network peering. | 
Terraform (AzAPI provider) resource definition
The virtualNetworkGateways resource type can be deployed with operations that target:
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Network/virtualNetworkGateways resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Network/virtualNetworkGateways@2024-03-01"
  name = "string"
  parent_id = "string"
  identity {
    type = "string"
    identity_ids = [
      "string"
    ]
  }
  ___location = "string"
  tags = {
    {customized property} = "string"
  }
  body = {
    extendedLocation = {
      name = "string"
      type = "string"
    }
    properties = {
      activeActive = bool
      adminState = "string"
      allowRemoteVnetTraffic = bool
      allowVirtualWanTraffic = bool
      autoScaleConfiguration = {
        bounds = {
          max = int
          min = int
        }
      }
      bgpSettings = {
        asn = int
        bgpPeeringAddress = "string"
        bgpPeeringAddresses = [
          {
            customBgpIpAddresses = [
              "string"
            ]
            ipconfigurationId = "string"
          }
        ]
        peerWeight = int
      }
      customRoutes = {
        addressPrefixes = [
          "string"
        ]
      }
      disableIPSecReplayProtection = bool
      enableBgp = bool
      enableBgpRouteTranslationForNat = bool
      enableDnsForwarding = bool
      enablePrivateIpAddress = bool
      gatewayDefaultSite = {
        id = "string"
      }
      gatewayType = "string"
      ipConfigurations = [
        {
          id = "string"
          name = "string"
          properties = {
            privateIPAllocationMethod = "string"
            publicIPAddress = {
              id = "string"
            }
            subnet = {
              id = "string"
            }
          }
        }
      ]
      natRules = [
        {
          id = "string"
          name = "string"
          properties = {
            externalMappings = [
              {
                addressSpace = "string"
                portRange = "string"
              }
            ]
            internalMappings = [
              {
                addressSpace = "string"
                portRange = "string"
              }
            ]
            ipConfigurationId = "string"
            mode = "string"
            type = "string"
          }
        }
      ]
      resiliencyModel = "string"
      sku = {
        name = "string"
        tier = "string"
      }
      virtualNetworkGatewayPolicyGroups = [
        {
          id = "string"
          name = "string"
          properties = {
            isDefault = bool
            policyMembers = [
              {
                attributeType = "string"
                attributeValue = "string"
                name = "string"
              }
            ]
            priority = int
          }
        }
      ]
      vNetExtendedLocationResourceId = "string"
      vpnClientConfiguration = {
        aadAudience = "string"
        aadIssuer = "string"
        aadTenant = "string"
        radiusServerAddress = "string"
        radiusServers = [
          {
            radiusServerAddress = "string"
            radiusServerScore = int
            radiusServerSecret = "string"
          }
        ]
        radiusServerSecret = "string"
        vngClientConnectionConfigurations = [
          {
            id = "string"
            name = "string"
            properties = {
              virtualNetworkGatewayPolicyGroups = [
                {
                  id = "string"
                }
              ]
              vpnClientAddressPool = {
                addressPrefixes = [
                  "string"
                ]
              }
            }
          }
        ]
        vpnAuthenticationTypes = [
          "string"
        ]
        vpnClientAddressPool = {
          addressPrefixes = [
            "string"
          ]
        }
        vpnClientIpsecPolicies = [
          {
            dhGroup = "string"
            ikeEncryption = "string"
            ikeIntegrity = "string"
            ipsecEncryption = "string"
            ipsecIntegrity = "string"
            pfsGroup = "string"
            saDataSizeKilobytes = int
            saLifeTimeSeconds = int
          }
        ]
        vpnClientProtocols = [
          "string"
        ]
        vpnClientRevokedCertificates = [
          {
            id = "string"
            name = "string"
            properties = {
              thumbprint = "string"
            }
          }
        ]
        vpnClientRootCertificates = [
          {
            id = "string"
            name = "string"
            properties = {
              publicCertData = "string"
            }
          }
        ]
      }
      vpnGatewayGeneration = "string"
      vpnType = "string"
    }
  }
}
Property Values
Microsoft.Network/virtualNetworkGateways
| Name | Description | Value | 
|---|---|---|
| extendedLocation | The extended ___location; applies to gateways of gatewayType 'LocalGateway'. | ExtendedLocation | 
| identity | The identity of the virtual network gateway, if configured. | ManagedServiceIdentity | 
| ___location | Resource ___location. | string | 
| name | The resource name | string (required) | 
| parent_id | The ID of the resource to apply this extension resource to. | string (required) | 
| properties | Properties of the virtual network gateway. | VirtualNetworkGatewayPropertiesFormat (required) | 
| tags | Resource tags | Dictionary of tag names and values. | 
| type | The resource type | "Microsoft.Network/virtualNetworkGateways@2024-03-01" | 
AddressSpace
| Name | Description | Value | 
|---|---|---|
| addressPrefixes | A list of address blocks reserved for this virtual network in CIDR notation. | string[] | 
BgpSettings
| Name | Description | Value | 
|---|---|---|
| asn | The BGP speaker's ASN. | int Constraints: Min value = 0 Max value = 4294967295 | 
| bgpPeeringAddress | The BGP peering address and BGP identifier of this BGP speaker. | string | 
| bgpPeeringAddresses | BGP peering address with IP configuration ID for virtual network gateway. | IPConfigurationBgpPeeringAddress[] | 
| peerWeight | The weight added to routes learned from this BGP speaker. | int | 
Components1Jq1T4ISchemasManagedserviceidentityPropertiesUserassignedidentitiesAdditionalproperties
| Name | Description | Value | 
|---|
ExtendedLocation
| Name | Description | Value | 
|---|---|---|
| name | The name of the extended ___location. | string | 
| type | The type of the extended ___location. | 'EdgeZone' | 
IPConfigurationBgpPeeringAddress
| Name | Description | Value | 
|---|---|---|
| customBgpIpAddresses | The list of custom BGP peering addresses which belong to IP configuration. | string[] | 
| ipconfigurationId | The ID of IP configuration which belongs to gateway. | string | 
IpsecPolicy
| Name | Description | Value | 
|---|---|---|
| dhGroup | The DH group used in IKE phase 1 for the initial (IKE) SA. 'DHGroup1' (768-bit) and 'DHGroup2' (1024-bit) are too weak for new policies; prefer 'DHGroup14'/'DHGroup2048' or 'ECP256'/'ECP384'. | 'DHGroup1' 'DHGroup14' 'DHGroup2' 'DHGroup2048' 'DHGroup24' 'ECP256' 'ECP384' 'None' (required) | 
| ikeEncryption | The IKE encryption algorithm (IKE phase 1, protecting the IKE SA). 'DES' and 'DES3' are obsolete and should not be used in new policies; prefer 'AES256' or 'GCMAES256'. | 'AES128' 'AES192' 'AES256' 'DES' 'DES3' 'GCMAES128' 'GCMAES256' (required) | 
| ikeIntegrity | The IKE integrity algorithm (IKE phase 1, protecting the IKE SA). 'MD5' and 'SHA1' are deprecated; prefer 'SHA256'/'SHA384' (or a GCM suite matching ikeEncryption). | 'GCMAES128' 'GCMAES256' 'MD5' 'SHA1' 'SHA256' 'SHA384' (required) | 
| ipsecEncryption | The IPsec (ESP) encryption algorithm (IKE phase 2, child SA). 'None' disables ESP encryption so tunnel payloads are sent in the clear with integrity only; 'DES' and 'DES3' are obsolete. Prefer 'AES256' or 'GCMAES256'. | 'AES128' 'AES192' 'AES256' 'DES' 'DES3' 'GCMAES128' 'GCMAES192' 'GCMAES256' 'None' (required) | 
| ipsecIntegrity | The IPsec (ESP) integrity algorithm (IKE phase 2, child SA). 'MD5' and 'SHA1' are deprecated; prefer 'SHA256' (or a GCM suite matching ipsecEncryption). | 'GCMAES128' 'GCMAES192' 'GCMAES256' 'MD5' 'SHA1' 'SHA256' (required) | 
| pfsGroup | The PFS group used in IKE phase 2 when a new child SA is negotiated. 'None' disables Perfect Forward Secrecy for the child SA; 'PFS1' (768-bit) and 'PFS2' (1024-bit) are weak. Prefer 'PFS14'/'PFS2048', 'PFS24', or 'ECP256'/'ECP384'. | 'ECP256' 'ECP384' 'None' 'PFS1' 'PFS14' 'PFS2' 'PFS2048' 'PFS24' 'PFSMM' (required) | 
| saDataSizeKilobytes | The IPSec Security Association (also called Quick Mode or Phase 2 SA) payload size in KB for a site to site VPN tunnel. | int (required) | 
| saLifeTimeSeconds | The IPSec Security Association (also called Quick Mode or Phase 2 SA) lifetime in seconds for a site to site VPN tunnel. | int (required) | 
ManagedServiceIdentity
| Name | Description | Value | 
|---|---|---|
| type | The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' removes any identities from the virtual network gateway. | 'None' 'SystemAssigned' 'SystemAssigned, UserAssigned' 'UserAssigned' | 
| userAssignedIdentities | The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. | ManagedServiceIdentityUserAssignedIdentities | 
ManagedServiceIdentityUserAssignedIdentities
| Name | Description | Value | 
|---|
RadiusServer
| Name | Description | Value | 
|---|---|---|
| radiusServerAddress | The address of this radius server. | string (required) | 
| radiusServerScore | The initial score assigned to this radius server. | int | 
| radiusServerSecret | The shared secret used to authenticate the gateway to this RADIUS server. Treat it as a credential: pass it in from a secure parameter or a Key Vault reference rather than hard-coding it in the template. | string | 
ResourceTags
| Name | Description | Value | 
|---|
SubResource
| Name | Description | Value | 
|---|---|---|
| id | Resource ID. | string | 
VirtualNetworkGatewayAutoScaleBounds
| Name | Description | Value | 
|---|---|---|
| max | Maximum Scale Units for Autoscale configuration | int | 
| min | Minimum scale Units for Autoscale configuration | int | 
VirtualNetworkGatewayAutoScaleConfiguration
| Name | Description | Value | 
|---|---|---|
| bounds | The bounds of the autoscale configuration | VirtualNetworkGatewayAutoScaleBounds | 
VirtualNetworkGatewayIPConfiguration
| Name | Description | Value | 
|---|---|---|
| id | Resource ID. | string | 
| name | The name of the resource that is unique within a resource group. This name can be used to access the resource. | string | 
| properties | Properties of the virtual network gateway ip configuration. | VirtualNetworkGatewayIPConfigurationPropertiesFormat | 
VirtualNetworkGatewayIPConfigurationPropertiesFormat
| Name | Description | Value | 
|---|---|---|
| privateIPAllocationMethod | The private IP address allocation method. | 'Dynamic' 'Static' | 
| publicIPAddress | The reference to the public IP resource. | SubResource | 
| subnet | The reference to the subnet resource. | SubResource | 
VirtualNetworkGatewayNatRule
| Name | Description | Value | 
|---|---|---|
| id | Resource ID. | string | 
| name | The name of the resource that is unique within a resource group. This name can be used to access the resource. | string | 
| properties | Properties of the Virtual Network Gateway NAT rule. | VirtualNetworkGatewayNatRuleProperties | 
VirtualNetworkGatewayNatRuleProperties
| Name | Description | Value | 
|---|---|---|
| externalMappings | The private IP address external mapping for NAT. | VpnNatRuleMapping[] | 
| internalMappings | The private IP address internal mapping for NAT. | VpnNatRuleMapping[] | 
| ipConfigurationId | The IP Configuration ID this NAT rule applies to. | string | 
| mode | The Source NAT direction of a VPN NAT. | 'EgressSnat' 'IngressSnat' | 
| type | The type of NAT rule for VPN NAT. | 'Dynamic' 'Static' | 
VirtualNetworkGatewayPolicyGroup
| Name | Description | Value | 
|---|---|---|
| id | Resource ID. | string | 
| name | The name of the resource that is unique within a resource group. This name can be used to access the resource. | string | 
| properties | Properties of the VirtualNetworkGatewayPolicyGroup. | VirtualNetworkGatewayPolicyGroupProperties | 
VirtualNetworkGatewayPolicyGroupMember
| Name | Description | Value | 
|---|---|---|
| attributeType | The Vpn Policy member attribute type. | 'AADGroupId' 'CertificateGroupId' 'RadiusAzureGroupId' | 
| attributeValue | The value of Attribute used for this VirtualNetworkGatewayPolicyGroupMember. | string | 
| name | Name of the VirtualNetworkGatewayPolicyGroupMember. | string | 
VirtualNetworkGatewayPolicyGroupProperties
| Name | Description | Value | 
|---|---|---|
| isDefault | Shows if this is a Default VirtualNetworkGatewayPolicyGroup or not. | bool (required) | 
| policyMembers | Multiple PolicyMembers for VirtualNetworkGatewayPolicyGroup. | VirtualNetworkGatewayPolicyGroupMember[] (required) | 
| priority | Priority for VirtualNetworkGatewayPolicyGroup. | int (required) | 
VirtualNetworkGatewayPropertiesFormat
| Name | Description | Value | 
|---|---|---|
| activeActive | ActiveActive flag. | bool | 
| adminState | Property to indicate if the Express Route Gateway serves traffic when there are multiple Express Route Gateways in the vnet | 'Disabled' 'Enabled' | 
| allowRemoteVnetTraffic | Configure this gateway to accept traffic from other Azure Virtual Networks. This configuration does not support connectivity to Azure Virtual WAN. | bool | 
| allowVirtualWanTraffic | Configures this gateway to accept traffic from remote Virtual WAN networks. | bool | 
| autoScaleConfiguration | Autoscale configuration for the virtual network gateway. | VirtualNetworkGatewayAutoScaleConfiguration | 
| bgpSettings | Virtual network gateway's BGP speaker settings. | BgpSettings | 
| customRoutes | The reference to the address space resource which represents the custom routes address space specified by the customer for virtual network gateway and VpnClient. | AddressSpace | 
| disableIPSecReplayProtection | When true, disables IPsec anti-replay protection on the gateway's tunnels, so captured ESP packets could be re-injected. Leave unset (false) unless a specific peer cannot interoperate with replay windows. | bool | 
| enableBgp | Whether BGP is enabled for this virtual network gateway or not. | bool | 
| enableBgpRouteTranslationForNat | EnableBgpRouteTranslationForNat flag. | bool | 
| enableDnsForwarding | Whether dns forwarding is enabled or not. | bool | 
| enablePrivateIpAddress | Whether private IP needs to be enabled on this gateway for connections or not. | bool | 
| gatewayDefaultSite | The reference to the LocalNetworkGateway resource which represents local network site having default routes. Assign Null value in case of removing existing default site setting. | SubResource | 
| gatewayType | The type of this virtual network gateway. | 'ExpressRoute' 'LocalGateway' 'Vpn' | 
| ipConfigurations | IP configurations for virtual network gateway. | VirtualNetworkGatewayIPConfiguration[] | 
| natRules | NatRules for virtual network gateway. | VirtualNetworkGatewayNatRule[] | 
| resiliencyModel | Property to indicate if the Express Route Gateway has resiliency model of MultiHomed or SingleHomed | 'MultiHomed' 'SingleHomed' | 
| sku | The reference to the VirtualNetworkGatewaySku resource which represents the SKU selected for Virtual network gateway. | VirtualNetworkGatewaySku | 
| virtualNetworkGatewayPolicyGroups | The reference to the VirtualNetworkGatewayPolicyGroup resource which represents the available VirtualNetworkGatewayPolicyGroup for the gateway. | VirtualNetworkGatewayPolicyGroup[] | 
| vNetExtendedLocationResourceId | Customer vnet resource id. VirtualNetworkGateway of type local gateway is associated with the customer vnet. | string | 
| vpnClientConfiguration | The reference to the VpnClientConfiguration resource which represents the P2S VpnClient configurations. | VpnClientConfiguration | 
| vpnGatewayGeneration | The generation for this VirtualNetworkGateway. Must be None if gatewayType is not VPN. | 'Generation1' 'Generation2' 'None' | 
| vpnType | The VPN type (policy-based or route-based) of this virtual network gateway. | 'PolicyBased' 'RouteBased' | 
VirtualNetworkGatewaySku
| Name | Description | Value | 
|---|---|---|
| name | Gateway SKU name. | 'Basic' 'ErGw1AZ' 'ErGw2AZ' 'ErGw3AZ' 'ErGwScale' 'HighPerformance' 'Standard' 'UltraPerformance' 'VpnGw1' 'VpnGw1AZ' 'VpnGw2' 'VpnGw2AZ' 'VpnGw3' 'VpnGw3AZ' 'VpnGw4' 'VpnGw4AZ' 'VpnGw5' 'VpnGw5AZ' | 
| tier | Gateway SKU tier. | 'Basic' 'ErGw1AZ' 'ErGw2AZ' 'ErGw3AZ' 'ErGwScale' 'HighPerformance' 'Standard' 'UltraPerformance' 'VpnGw1' 'VpnGw1AZ' 'VpnGw2' 'VpnGw2AZ' 'VpnGw3' 'VpnGw3AZ' 'VpnGw4' 'VpnGw4AZ' 'VpnGw5' 'VpnGw5AZ' | 
VngClientConnectionConfiguration
| Name | Description | Value | 
|---|---|---|
| id | Resource ID. | string | 
| name | The name of the resource that is unique within a resource group. This name can be used to access the resource. | string | 
| properties | Properties of the VNG client connection configuration. | VngClientConnectionConfigurationProperties | 
VngClientConnectionConfigurationProperties
| Name | Description | Value | 
|---|---|---|
| virtualNetworkGatewayPolicyGroups | List of references to virtualNetworkGatewayPolicyGroups | SubResource[] (required) | 
| vpnClientAddressPool | The reference to the address space resource which represents Address space for P2S VpnClient. | AddressSpace (required) | 
VpnClientConfiguration
| Name | Description | Value | 
|---|---|---|
| aadAudience | The AADAudience property of the VirtualNetworkGateway resource for vpn client connection used for AAD authentication. | string | 
| aadIssuer | The AADIssuer property of the VirtualNetworkGateway resource for vpn client connection used for AAD authentication. | string | 
| aadTenant | The AADTenant property of the VirtualNetworkGateway resource for vpn client connection used for AAD authentication. | string | 
| radiusServerAddress | The radius server address property of the VirtualNetworkGateway resource for vpn client connection. | string | 
| radiusServers | The radiusServers property for multiple radius server configuration. | RadiusServer[] | 
| radiusServerSecret | The RADIUS shared secret for the single-server configuration of this VirtualNetworkGateway's P2S client connections. Treat it as a credential: pass it in from a secure parameter or a Key Vault reference rather than hard-coding it in the template. | string | 
| vngClientConnectionConfigurations | per ip address pool connection policy for virtual network gateway P2S client. | VngClientConnectionConfiguration[] | 
| vpnAuthenticationTypes | VPN authentication types accepted by the gateway for P2S clients. 'Certificate' relies on vpnClientRootCertificates (and vpnClientRevokedCertificates), 'Radius' on the radiusServer* settings, and 'AAD' on aadTenant/aadIssuer/aadAudience. | String array containing any of: 'AAD' 'Certificate' 'Radius' | 
| vpnClientAddressPool | The reference to the address space resource which represents Address space for P2S VpnClient. | AddressSpace | 
| vpnClientIpsecPolicies | VpnClientIpsecPolicies for virtual network gateway P2S client. | IpsecPolicy[] | 
| vpnClientProtocols | VpnClientProtocols for Virtual network gateway. | String array containing any of: 'IkeV2' 'OpenVPN' 'SSTP' | 
| vpnClientRevokedCertificates | VpnClientRevokedCertificate for Virtual network gateway. | VpnClientRevokedCertificate[] | 
| vpnClientRootCertificates | VpnClientRootCertificate for virtual network gateway. | VpnClientRootCertificate[] | 
VpnClientRevokedCertificate
| Name | Description | Value | 
|---|---|---|
| id | Resource ID. | string | 
| name | The name of the resource that is unique within a resource group. This name can be used to access the resource. | string | 
| properties | Properties of the vpn client revoked certificate. | VpnClientRevokedCertificatePropertiesFormat | 
VpnClientRevokedCertificatePropertiesFormat
| Name | Description | Value | 
|---|---|---|
| thumbprint | The revoked VPN client certificate thumbprint. | string | 
VpnClientRootCertificate
| Name | Description | Value | 
|---|---|---|
| id | Resource ID. | string | 
| name | The name of the resource that is unique within a resource group. This name can be used to access the resource. | string | 
| properties | Properties of the vpn client root certificate. | VpnClientRootCertificatePropertiesFormat (required) | 
VpnClientRootCertificatePropertiesFormat
| Name | Description | Value | 
|---|---|---|
| publicCertData | The certificate public data. | string (required) | 
VpnNatRuleMapping
| Name | Description | Value | 
|---|---|---|
| addressSpace | Address space for Vpn NatRule mapping. | string | 
| portRange | Port range for Vpn NatRule mapping. | string | 
Usage Examples
Terraform Samples
A basic example of deploying a virtual network gateway to establish secure, cross-premises connectivity.
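terraform {
  required_providers {
    azapi = {
      source = "Azure/azapi"
      # Pin the provider so `terraform init` cannot silently resolve a newer
      # release than the one this sample was validated against (supply-chain
      # hygiene; also keep the generated lock file under version control).
      # "~> 2.0" is a constructed placeholder: the object-valued `body` used
      # by the resources below appears to match the 2.x provider schema —
      # confirm and replace with the exact version you validated.
      version = "~> 2.0"
    }
  }
}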
# Provider settings for azapi. Registration of the required Azure resource
# providers is not skipped (false is the provider's default for this flag).
provider "azapi" {
  skip_provider_registration = false
}
# Single name reused by every resource in this sample (resource group,
# virtual network, public IP and gateway).
variable "resource_name" {
  default = "acctest0001"
  type    = string
}
# Azure region that the resource group and every regional resource below
# is deployed into.
variable "___location" {
  default = "centralus"
  type    = string
}
# Resource group that parents the networking resources in this sample.
resource "azapi_resource" "resourceGroup" {
  name     = var.resource_name
  ___location = var.___location
  type     = "Microsoft.Resources/resourceGroups@2020-06-01"
}
# Virtual network that will host the GatewaySubnet. The subnet itself is a
# separate azapi_resource, which is presumably why subnet changes are ignored
# on this resource (otherwise the separately managed subnet would show as
# drift on every plan).
resource "azapi_resource" "virtualNetwork" {
  name      = var.resource_name
  ___location  = var.___location
  parent_id = azapi_resource.resourceGroup.id
  type      = "Microsoft.Network/virtualNetworks@2022-07-01"

  body = {
    properties = {
      addressSpace = {
        addressPrefixes = ["10.6.0.0/16"]
      }
      dhcpOptions = {
        dnsServers = []
      }
      subnets = []
    }
    tags = {
      SkipASMAzSecPack = "true"
    }
  }

  # Local schema validation is switched off for this body; the service still
  # validates the request on deployment.
  schema_validation_enabled = false
  response_export_values    = ["*"]

  lifecycle {
    ignore_changes = [body.properties.subnets]
  }
}
# Static IPv4 public IP (Standard SKU) that the gateway's IP configuration
# references below.
resource "azapi_resource" "publicIPAddress" {
  name      = var.resource_name
  ___location  = var.___location
  parent_id = azapi_resource.resourceGroup.id
  type      = "Microsoft.Network/publicIPAddresses@2022-07-01"

  body = {
    sku = {
      name = "Standard"
      tier = "Regional"
    }
    properties = {
      publicIPAllocationMethod = "Static"
      publicIPAddressVersion   = "IPv4"
      idleTimeoutInMinutes     = 4
      # DDoS protection follows whatever the virtual network is configured with.
      ddosSettings = {
        protectionMode = "VirtualNetworkInherited"
      }
    }
  }

  schema_validation_enabled = false
  response_export_values    = ["*"]
}
# The gateway subnet, created under the virtual network above. The name is
# fixed to "GatewaySubnet" rather than var.resource_name.
resource "azapi_resource" "subnet" {
  name      = "GatewaySubnet"
  parent_id = azapi_resource.virtualNetwork.id
  type      = "Microsoft.Network/virtualNetworks/subnets@2022-07-01"

  body = {
    properties = {
      addressPrefix                     = "10.6.1.0/24"
      privateEndpointNetworkPolicies    = "Enabled"
      privateLinkServiceNetworkPolicies = "Enabled"
      delegations                       = []
      serviceEndpointPolicies           = []
      serviceEndpoints                  = []
    }
  }

  schema_validation_enabled = false
  response_export_values    = ["*"]
}
# The virtual network gateway itself: an ExpressRoute gateway with a single
# IP configuration wired to the public IP and GatewaySubnet created above.
resource "azapi_resource" "virtualNetworkGateway" {
  name      = var.resource_name
  ___location  = var.___location
  parent_id = azapi_resource.resourceGroup.id
  type      = "Microsoft.Network/virtualNetworkGateways@2022-07-01"

  body = {
    properties = {
      gatewayType            = "ExpressRoute"
      vpnType                = "RouteBased"
      activeActive           = false
      enableBgp              = false
      enablePrivateIpAddress = false

      sku = {
        name = "Standard"
        tier = "Standard"
      }

      ipConfigurations = [
        {
          name = "vnetGatewayConfig"
          properties = {
            privateIPAllocationMethod = "Dynamic"
            subnet = {
              id = azapi_resource.subnet.id
            }
            publicIPAddress = {
              id = azapi_resource.publicIPAddress.id
            }
          }
        },
      ]
    }
  }

  # Client-side schema validation is disabled here, as on the other resources
  # in this sample; property typos are then only caught by the service at
  # deployment time rather than at plan time.
  schema_validation_enabled = false
  response_export_values    = ["*"]
}