

Microsoft.Network vpnGateways/vpnConnections 2024-07-01

Bicep resource definition

The vpnGateways/vpnConnections resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/vpnGateways/vpnConnections resource, add the following Bicep to your template.

// Schema skeleton, not a deployable template: 'string', int and bool mark the
// expected type of each property and must be replaced with real values.
resource symbolicname 'Microsoft.Network/vpnGateways/vpnConnections@2024-07-01' = {
  // Symbolic name of the parent vpnGateways resource; only needed when this child
  // is declared outside the parent.
  parent: resourceSymbolicName
  name: 'string'
  properties: {
    connectionBandwidth: int
    dpdTimeoutSeconds: int
    enableBgp: bool
    enableInternetSecurity: bool
    enableRateLimiting: bool
    // Custom IPsec/IKE policy; the IpsecPolicy table marks all eight fields of an
    // entry as required. Its enums still admit legacy values ('DES', 'DES3', 'MD5',
    // 'SHA1', 'DHGroup1', 'DHGroup2', 'PFS1', 'PFS2', 'None'); prefer the AES/GCMAES,
    // SHA256-or-stronger and DHGroup14-or-stronger / ECP values when the peer allows.
    ipsecPolicies: [
      {
        dhGroup: 'string'
        ikeEncryption: 'string'
        ikeIntegrity: 'string'
        ipsecEncryption: 'string'
        ipsecIntegrity: 'string'
        pfsGroup: 'string'
        saDataSizeKilobytes: int
        saLifeTimeSeconds: int
      }
    ]
    // Resource ID of the connected vpn site.
    remoteVpnSite: {
      id: 'string'
    }
    routingConfiguration: {
      associatedRouteTable: {
        id: 'string'
      }
      // Route maps applied to inbound learned and outbound advertised routes.
      inboundRouteMap: {
        id: 'string'
      }
      outboundRouteMap: {
        id: 'string'
      }
      propagatedRouteTables: {
        ids: [
          {
            id: 'string'
          }
        ]
        labels: [
          'string'
        ]
      }
      vnetRoutes: {
        staticRoutes: [
          {
            addressPrefixes: [
              'string'
            ]
            name: 'string'
            nextHopIpAddress: 'string'
          }
        ]
        staticRoutesConfig: {
          // 'Contains' or 'Equal'.
          vnetLocalRouteOverrideCriteria: 'string'
        }
      }
    }
    routingWeight: int
    // Secret. Pass it in through a parameter decorated with @secure() rather than
    // writing the key into the template or a committed parameter file.
    sharedKey: 'string'
    // Local and remote address spaces in CIDR format; both lists are required per entry.
    trafficSelectorPolicies: [
      {
        localAddressRanges: [
          'string'
        ]
        remoteAddressRanges: [
          'string'
        ]
      }
    ]
    useLocalAzureIpAddress: bool
    usePolicyBasedTrafficSelectors: bool
    // 'IKEv1' or 'IKEv2'.
    vpnConnectionProtocolType: 'string'
    // One entry per vpn site link; each carries its own policy, key and NAT rules.
    vpnLinkConnections: [
      {
        id: 'string'
        name: 'string'
        properties: {
          connectionBandwidth: int
          dpdTimeoutSeconds: int
          egressNatRules: [
            {
              id: 'string'
            }
          ]
          enableBgp: bool
          enableRateLimiting: bool
          ingressNatRules: [
            {
              id: 'string'
            }
          ]
          // Same IpsecPolicy shape and the same algorithm caveat as the
          // connection-level ipsecPolicies in this resource.
          ipsecPolicies: [
            {
              dhGroup: 'string'
              ikeEncryption: 'string'
              ikeIntegrity: 'string'
              ipsecEncryption: 'string'
              ipsecIntegrity: 'string'
              pfsGroup: 'string'
              saDataSizeKilobytes: int
              saLifeTimeSeconds: int
            }
          ]
          routingWeight: int
          // Secret, per link: feed it from a @secure() parameter, never a literal.
          sharedKey: 'string'
          useLocalAzureIpAddress: bool
          usePolicyBasedTrafficSelectors: bool
          // 'IKEv1' or 'IKEv2'.
          vpnConnectionProtocolType: 'string'
          // Both fields of an entry are required.
          vpnGatewayCustomBgpAddresses: [
            {
              customBgpIpAddress: 'string'
              ipConfigurationId: 'string'
            }
          ]
          // 'Default', 'InitiatorOnly' or 'ResponderOnly'.
          vpnLinkConnectionMode: 'string'
          vpnSiteLink: {
            id: 'string'
          }
        }
      }
    ]
  }
}

Property Values

Microsoft.Network/vpnGateways/vpnConnections

Name Description Value
name The resource name string (required)
parent In Bicep, you can specify the parent resource for a child resource. You only need to add this property when the child resource is declared outside of the parent resource.

For more information, see Child resource outside parent resource.
Symbolic name for resource of type: vpnGateways
properties Properties of the VPN connection. VpnConnectionProperties

GatewayCustomBgpIpAddressIpConfiguration

Name Description Value
customBgpIpAddress The custom BgpPeeringAddress which belongs to IpconfigurationId. string (required)
ipConfigurationId The IpconfigurationId of ipconfiguration which belongs to gateway. string (required)

IpsecPolicy

Name Description Value
dhGroup The DH Group used in IKE Phase 1 for initial SA. 'DHGroup1'
'DHGroup14'
'DHGroup2'
'DHGroup2048'
'DHGroup24'
'ECP256'
'ECP384'
'None' (required)
ikeEncryption The IKE encryption algorithm (labelled IKE phase 2 here; the IKE SA itself is the phase 1 negotiation, as the dhGroup row says). 'AES128'
'AES192'
'AES256'
'DES'
'DES3'
'GCMAES128'
'GCMAES256' (required)
ikeIntegrity The IKE integrity algorithm (labelled IKE phase 2 here; the IKE SA itself is the phase 1 negotiation, as the dhGroup row says). 'GCMAES128'
'GCMAES256'
'MD5'
'SHA1'
'SHA256'
'SHA384' (required)
ipsecEncryption The IPSec encryption algorithm (labelled IKE phase 1 here; the IPSec SA is the Phase 2 SA, as the saLifeTimeSeconds row says). 'AES128'
'AES192'
'AES256'
'DES'
'DES3'
'GCMAES128'
'GCMAES192'
'GCMAES256'
'None' (required)
ipsecIntegrity The IPSec integrity algorithm (labelled IKE phase 1 here; the IPSec SA is the Phase 2 SA, as the saLifeTimeSeconds row says). 'GCMAES128'
'GCMAES192'
'GCMAES256'
'MD5'
'SHA1'
'SHA256' (required)
pfsGroup The Pfs Group used in IKE Phase 2 for new child SA. 'ECP256'
'ECP384'
'None'
'PFS1'
'PFS14'
'PFS2'
'PFS2048'
'PFS24'
'PFSMM' (required)
saDataSizeKilobytes The IPSec Security Association (also called Quick Mode or Phase 2 SA) payload size in KB for a site to site VPN tunnel. int (required)
saLifeTimeSeconds The IPSec Security Association (also called Quick Mode or Phase 2 SA) lifetime in seconds for a site to site VPN tunnel. int (required)

PropagatedRouteTable

Name Description Value
ids The list of resource ids of all the RouteTables. SubResource[]
labels The list of labels. string[]

RoutingConfiguration

Name Description Value
associatedRouteTable The resource id of the RouteTable associated with this RoutingConfiguration. SubResource
inboundRouteMap The resource id of the RouteMap associated with this RoutingConfiguration for inbound learned routes. SubResource
outboundRouteMap The resource id of the RouteMap associated with this RoutingConfiguration for outbound advertised routes. SubResource
propagatedRouteTables The list of RouteTables to advertise the routes to. PropagatedRouteTable
vnetRoutes List of routes that control routing from VirtualHub into a virtual network connection. VnetRoute

StaticRoute

Name Description Value
addressPrefixes List of all address prefixes. string[]
name The name of the StaticRoute that is unique within a VnetRoute. string
nextHopIpAddress The ip address of the next hop. string

StaticRoutesConfig

Name Description Value
vnetLocalRouteOverrideCriteria Parameter determining whether NVA in spoke vnet is bypassed for traffic with destination in spoke. 'Contains'
'Equal'

SubResource

Name Description Value
id Resource ID. string

TrafficSelectorPolicy

Name Description Value
localAddressRanges A collection of local address spaces in CIDR format. string[] (required)
remoteAddressRanges A collection of remote address spaces in CIDR format. string[] (required)

VnetRoute

Name Description Value
staticRoutes List of all Static Routes. StaticRoute[]
staticRoutesConfig Configuration for static routes on this HubVnetConnection. StaticRoutesConfig

VpnConnectionProperties

Name Description Value
connectionBandwidth Expected bandwidth in MBPS. int
dpdTimeoutSeconds DPD timeout in seconds for vpn connection. int
enableBgp EnableBgp flag. bool
enableInternetSecurity Enable internet security. bool
enableRateLimiting EnableRateLimiting flag. bool
ipsecPolicies The IPSec Policies to be considered by this connection. IpsecPolicy[]
remoteVpnSite Id of the connected vpn site. SubResource
routingConfiguration The Routing Configuration indicating the associated and propagated route tables on this connection. RoutingConfiguration
routingWeight Routing weight for vpn connection. int
sharedKey SharedKey for the vpn connection. string
trafficSelectorPolicies The Traffic Selector Policies to be considered by this connection. TrafficSelectorPolicy[]
useLocalAzureIpAddress Use local azure ip to initiate connection. bool
usePolicyBasedTrafficSelectors Enable policy-based traffic selectors. bool
vpnConnectionProtocolType Connection protocol used for this connection. 'IKEv1'
'IKEv2'
vpnLinkConnections List of all vpn site link connections to the gateway. VpnSiteLinkConnection[]

VpnSiteLinkConnection

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the VPN site link connection. VpnSiteLinkConnectionProperties

VpnSiteLinkConnectionProperties

Name Description Value
connectionBandwidth Expected bandwidth in MBPS. int
dpdTimeoutSeconds Dead Peer Detection timeout in seconds for VpnLink connection. int
egressNatRules List of egress NatRules. SubResource[]
enableBgp EnableBgp flag. bool
enableRateLimiting EnableRateLimiting flag. bool
ingressNatRules List of ingress NatRules. SubResource[]
ipsecPolicies The IPSec Policies to be considered by this connection. IpsecPolicy[]
routingWeight Routing weight for vpn connection. int
sharedKey SharedKey for the vpn connection. string
useLocalAzureIpAddress Use local azure ip to initiate connection. bool
usePolicyBasedTrafficSelectors Enable policy-based traffic selectors. bool
vpnConnectionProtocolType Connection protocol used for this connection. 'IKEv1'
'IKEv2'
vpnGatewayCustomBgpAddresses vpnGatewayCustomBgpAddresses used by this connection. GatewayCustomBgpIpAddressIpConfiguration[]
vpnLinkConnectionMode Vpn link connection mode. 'Default'
'InitiatorOnly'
'ResponderOnly'
vpnSiteLink Id of the connected vpn site link. SubResource

ARM template resource definition

The vpnGateways/vpnConnections resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/vpnGateways/vpnConnections resource, add the following JSON to your template.

{
  "type": "Microsoft.Network/vpnGateways/vpnConnections",
  "apiVersion": "2024-07-01",
  "name": "string",
  "properties": {
    "connectionBandwidth": "int",
    "dpdTimeoutSeconds": "int",
    "enableBgp": "bool",
    "enableInternetSecurity": "bool",
    "enableRateLimiting": "bool",
    "ipsecPolicies": [
      {
        "dhGroup": "string",
        "ikeEncryption": "string",
        "ikeIntegrity": "string",
        "ipsecEncryption": "string",
        "ipsecIntegrity": "string",
        "pfsGroup": "string",
        "saDataSizeKilobytes": "int",
        "saLifeTimeSeconds": "int"
      }
    ],
    "remoteVpnSite": {
      "id": "string"
    },
    "routingConfiguration": {
      "associatedRouteTable": {
        "id": "string"
      },
      "inboundRouteMap": {
        "id": "string"
      },
      "outboundRouteMap": {
        "id": "string"
      },
      "propagatedRouteTables": {
        "ids": [
          {
            "id": "string"
          }
        ],
        "labels": [ "string" ]
      },
      "vnetRoutes": {
        "staticRoutes": [
          {
            "addressPrefixes": [ "string" ],
            "name": "string",
            "nextHopIpAddress": "string"
          }
        ],
        "staticRoutesConfig": {
          "vnetLocalRouteOverrideCriteria": "string"
        }
      }
    },
    "routingWeight": "int",
    "sharedKey": "string",
    "trafficSelectorPolicies": [
      {
        "localAddressRanges": [ "string" ],
        "remoteAddressRanges": [ "string" ]
      }
    ],
    "useLocalAzureIpAddress": "bool",
    "usePolicyBasedTrafficSelectors": "bool",
    "vpnConnectionProtocolType": "string",
    "vpnLinkConnections": [
      {
        "id": "string",
        "name": "string",
        "properties": {
          "connectionBandwidth": "int",
          "dpdTimeoutSeconds": "int",
          "egressNatRules": [
            {
              "id": "string"
            }
          ],
          "enableBgp": "bool",
          "enableRateLimiting": "bool",
          "ingressNatRules": [
            {
              "id": "string"
            }
          ],
          "ipsecPolicies": [
            {
              "dhGroup": "string",
              "ikeEncryption": "string",
              "ikeIntegrity": "string",
              "ipsecEncryption": "string",
              "ipsecIntegrity": "string",
              "pfsGroup": "string",
              "saDataSizeKilobytes": "int",
              "saLifeTimeSeconds": "int"
            }
          ],
          "routingWeight": "int",
          "sharedKey": "string",
          "useLocalAzureIpAddress": "bool",
          "usePolicyBasedTrafficSelectors": "bool",
          "vpnConnectionProtocolType": "string",
          "vpnGatewayCustomBgpAddresses": [
            {
              "customBgpIpAddress": "string",
              "ipConfigurationId": "string"
            }
          ],
          "vpnLinkConnectionMode": "string",
          "vpnSiteLink": {
            "id": "string"
          }
        }
      }
    ]
  }
}

Property Values

Microsoft.Network/vpnGateways/vpnConnections

Name Description Value
apiVersion The api version '2024-07-01'
name The resource name string (required)
properties Properties of the VPN connection. VpnConnectionProperties
type The resource type 'Microsoft.Network/vpnGateways/vpnConnections'

GatewayCustomBgpIpAddressIpConfiguration

Name Description Value
customBgpIpAddress The custom BgpPeeringAddress which belongs to IpconfigurationId. string (required)
ipConfigurationId The IpconfigurationId of ipconfiguration which belongs to gateway. string (required)

IpsecPolicy

Name Description Value
dhGroup The DH Group used in IKE Phase 1 for initial SA. 'DHGroup1'
'DHGroup14'
'DHGroup2'
'DHGroup2048'
'DHGroup24'
'ECP256'
'ECP384'
'None' (required)
ikeEncryption The IKE encryption algorithm (labelled IKE phase 2 here; the IKE SA itself is the phase 1 negotiation, as the dhGroup row says). 'AES128'
'AES192'
'AES256'
'DES'
'DES3'
'GCMAES128'
'GCMAES256' (required)
ikeIntegrity The IKE integrity algorithm (labelled IKE phase 2 here; the IKE SA itself is the phase 1 negotiation, as the dhGroup row says). 'GCMAES128'
'GCMAES256'
'MD5'
'SHA1'
'SHA256'
'SHA384' (required)
ipsecEncryption The IPSec encryption algorithm (labelled IKE phase 1 here; the IPSec SA is the Phase 2 SA, as the saLifeTimeSeconds row says). 'AES128'
'AES192'
'AES256'
'DES'
'DES3'
'GCMAES128'
'GCMAES192'
'GCMAES256'
'None' (required)
ipsecIntegrity The IPSec integrity algorithm (labelled IKE phase 1 here; the IPSec SA is the Phase 2 SA, as the saLifeTimeSeconds row says). 'GCMAES128'
'GCMAES192'
'GCMAES256'
'MD5'
'SHA1'
'SHA256' (required)
pfsGroup The Pfs Group used in IKE Phase 2 for new child SA. 'ECP256'
'ECP384'
'None'
'PFS1'
'PFS14'
'PFS2'
'PFS2048'
'PFS24'
'PFSMM' (required)
saDataSizeKilobytes The IPSec Security Association (also called Quick Mode or Phase 2 SA) payload size in KB for a site to site VPN tunnel. int (required)
saLifeTimeSeconds The IPSec Security Association (also called Quick Mode or Phase 2 SA) lifetime in seconds for a site to site VPN tunnel. int (required)

PropagatedRouteTable

Name Description Value
ids The list of resource ids of all the RouteTables. SubResource[]
labels The list of labels. string[]

RoutingConfiguration

Name Description Value
associatedRouteTable The resource id of the RouteTable associated with this RoutingConfiguration. SubResource
inboundRouteMap The resource id of the RouteMap associated with this RoutingConfiguration for inbound learned routes. SubResource
outboundRouteMap The resource id of the RouteMap associated with this RoutingConfiguration for outbound advertised routes. SubResource
propagatedRouteTables The list of RouteTables to advertise the routes to. PropagatedRouteTable
vnetRoutes List of routes that control routing from VirtualHub into a virtual network connection. VnetRoute

StaticRoute

Name Description Value
addressPrefixes List of all address prefixes. string[]
name The name of the StaticRoute that is unique within a VnetRoute. string
nextHopIpAddress The ip address of the next hop. string

StaticRoutesConfig

Name Description Value
vnetLocalRouteOverrideCriteria Parameter determining whether NVA in spoke vnet is bypassed for traffic with destination in spoke. 'Contains'
'Equal'

SubResource

Name Description Value
id Resource ID. string

TrafficSelectorPolicy

Name Description Value
localAddressRanges A collection of local address spaces in CIDR format. string[] (required)
remoteAddressRanges A collection of remote address spaces in CIDR format. string[] (required)

VnetRoute

Name Description Value
staticRoutes List of all Static Routes. StaticRoute[]
staticRoutesConfig Configuration for static routes on this HubVnetConnection. StaticRoutesConfig

VpnConnectionProperties

Name Description Value
connectionBandwidth Expected bandwidth in MBPS. int
dpdTimeoutSeconds DPD timeout in seconds for vpn connection. int
enableBgp EnableBgp flag. bool
enableInternetSecurity Enable internet security. bool
enableRateLimiting EnableRateLimiting flag. bool
ipsecPolicies The IPSec Policies to be considered by this connection. IpsecPolicy[]
remoteVpnSite Id of the connected vpn site. SubResource
routingConfiguration The Routing Configuration indicating the associated and propagated route tables on this connection. RoutingConfiguration
routingWeight Routing weight for vpn connection. int
sharedKey SharedKey for the vpn connection. string
trafficSelectorPolicies The Traffic Selector Policies to be considered by this connection. TrafficSelectorPolicy[]
useLocalAzureIpAddress Use local azure ip to initiate connection. bool
usePolicyBasedTrafficSelectors Enable policy-based traffic selectors. bool
vpnConnectionProtocolType Connection protocol used for this connection. 'IKEv1'
'IKEv2'
vpnLinkConnections List of all vpn site link connections to the gateway. VpnSiteLinkConnection[]

VpnSiteLinkConnection

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the VPN site link connection. VpnSiteLinkConnectionProperties

VpnSiteLinkConnectionProperties

Name Description Value
connectionBandwidth Expected bandwidth in MBPS. int
dpdTimeoutSeconds Dead Peer Detection timeout in seconds for VpnLink connection. int
egressNatRules List of egress NatRules. SubResource[]
enableBgp EnableBgp flag. bool
enableRateLimiting EnableRateLimiting flag. bool
ingressNatRules List of ingress NatRules. SubResource[]
ipsecPolicies The IPSec Policies to be considered by this connection. IpsecPolicy[]
routingWeight Routing weight for vpn connection. int
sharedKey SharedKey for the vpn connection. string
useLocalAzureIpAddress Use local azure ip to initiate connection. bool
usePolicyBasedTrafficSelectors Enable policy-based traffic selectors. bool
vpnConnectionProtocolType Connection protocol used for this connection. 'IKEv1'
'IKEv2'
vpnGatewayCustomBgpAddresses vpnGatewayCustomBgpAddresses used by this connection. GatewayCustomBgpIpAddressIpConfiguration[]
vpnLinkConnectionMode Vpn link connection mode. 'Default'
'InitiatorOnly'
'ResponderOnly'
vpnSiteLink Id of the connected vpn site link. SubResource

Usage Examples

Terraform (AzAPI provider) resource definition

The vpnGateways/vpnConnections resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/vpnGateways/vpnConnections resource, add the following Terraform to your template.

# Schema skeleton, not an applyable configuration: "string", int and bool mark the
# expected type of each property and must be replaced with real values.
resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Network/vpnGateways/vpnConnections@2024-07-01"
  name = "string"
  # ID of the parent vpnGateways resource.
  parent_id = "string"
  body = {
    properties = {
      connectionBandwidth = int
      dpdTimeoutSeconds = int
      enableBgp = bool
      enableInternetSecurity = bool
      enableRateLimiting = bool
      # Custom IPsec/IKE policy; the IpsecPolicy table marks all eight fields of an
      # entry as required. Its enums still admit legacy values ('DES', 'DES3', 'MD5',
      # 'SHA1', 'DHGroup1', 'DHGroup2', 'PFS1', 'PFS2', 'None'); prefer the AES/GCMAES,
      # SHA256-or-stronger and DHGroup14-or-stronger / ECP values when the peer allows.
      ipsecPolicies = [
        {
          dhGroup = "string"
          ikeEncryption = "string"
          ikeIntegrity = "string"
          ipsecEncryption = "string"
          ipsecIntegrity = "string"
          pfsGroup = "string"
          saDataSizeKilobytes = int
          saLifeTimeSeconds = int
        }
      ]
      # Resource ID of the connected vpn site.
      remoteVpnSite = {
        id = "string"
      }
      routingConfiguration = {
        associatedRouteTable = {
          id = "string"
        }
        # Route maps applied to inbound learned and outbound advertised routes.
        inboundRouteMap = {
          id = "string"
        }
        outboundRouteMap = {
          id = "string"
        }
        propagatedRouteTables = {
          ids = [
            {
              id = "string"
            }
          ]
          labels = [
            "string"
          ]
        }
        vnetRoutes = {
          staticRoutes = [
            {
              addressPrefixes = [
                "string"
              ]
              name = "string"
              nextHopIpAddress = "string"
            }
          ]
          staticRoutesConfig = {
            # 'Contains' or 'Equal'.
            vnetLocalRouteOverrideCriteria = "string"
          }
        }
      }
      routingWeight = int
      # Secret. Feed it from a variable declared with `sensitive = true` instead of
      # a literal, and protect the state backend: values placed in `body` are
      # stored in Terraform state.
      sharedKey = "string"
      # Local and remote address spaces in CIDR format; both lists are required per entry.
      trafficSelectorPolicies = [
        {
          localAddressRanges = [
            "string"
          ]
          remoteAddressRanges = [
            "string"
          ]
        }
      ]
      useLocalAzureIpAddress = bool
      usePolicyBasedTrafficSelectors = bool
      # 'IKEv1' or 'IKEv2'.
      vpnConnectionProtocolType = "string"
      # One entry per vpn site link; each carries its own policy, key and NAT rules.
      vpnLinkConnections = [
        {
          id = "string"
          name = "string"
          properties = {
            connectionBandwidth = int
            dpdTimeoutSeconds = int
            egressNatRules = [
              {
                id = "string"
              }
            ]
            enableBgp = bool
            enableRateLimiting = bool
            ingressNatRules = [
              {
                id = "string"
              }
            ]
            # Same IpsecPolicy shape and the same algorithm caveat as the
            # connection-level ipsecPolicies in this resource.
            ipsecPolicies = [
              {
                dhGroup = "string"
                ikeEncryption = "string"
                ikeIntegrity = "string"
                ipsecEncryption = "string"
                ipsecIntegrity = "string"
                pfsGroup = "string"
                saDataSizeKilobytes = int
                saLifeTimeSeconds = int
              }
            ]
            routingWeight = int
            # Secret, per link: feed it from a sensitive variable, never a literal.
            sharedKey = "string"
            useLocalAzureIpAddress = bool
            usePolicyBasedTrafficSelectors = bool
            # 'IKEv1' or 'IKEv2'.
            vpnConnectionProtocolType = "string"
            # Both fields of an entry are required.
            vpnGatewayCustomBgpAddresses = [
              {
                customBgpIpAddress = "string"
                ipConfigurationId = "string"
              }
            ]
            # 'Default', 'InitiatorOnly' or 'ResponderOnly'.
            vpnLinkConnectionMode = "string"
            vpnSiteLink = {
              id = "string"
            }
          }
        }
      ]
    }
  }
}

Property Values

Microsoft.Network/vpnGateways/vpnConnections

Name Description Value
name The resource name string (required)
parent_id The ID of the resource that is the parent for this resource. ID for resource of type: vpnGateways
properties Properties of the VPN connection. VpnConnectionProperties
type The resource type "Microsoft.Network/vpnGateways/vpnConnections@2024-07-01"

GatewayCustomBgpIpAddressIpConfiguration

Name Description Value
customBgpIpAddress The custom BgpPeeringAddress which belongs to IpconfigurationId. string (required)
ipConfigurationId The IpconfigurationId of ipconfiguration which belongs to gateway. string (required)

IpsecPolicy

Name Description Value
dhGroup The DH Group used in IKE Phase 1 for initial SA. 'DHGroup1'
'DHGroup14'
'DHGroup2'
'DHGroup2048'
'DHGroup24'
'ECP256'
'ECP384'
'None' (required)
ikeEncryption The IKE encryption algorithm (labelled IKE phase 2 here; the IKE SA itself is the phase 1 negotiation, as the dhGroup row says). 'AES128'
'AES192'
'AES256'
'DES'
'DES3'
'GCMAES128'
'GCMAES256' (required)
ikeIntegrity The IKE integrity algorithm (labelled IKE phase 2 here; the IKE SA itself is the phase 1 negotiation, as the dhGroup row says). 'GCMAES128'
'GCMAES256'
'MD5'
'SHA1'
'SHA256'
'SHA384' (required)
ipsecEncryption The IPSec encryption algorithm (labelled IKE phase 1 here; the IPSec SA is the Phase 2 SA, as the saLifeTimeSeconds row says). 'AES128'
'AES192'
'AES256'
'DES'
'DES3'
'GCMAES128'
'GCMAES192'
'GCMAES256'
'None' (required)
ipsecIntegrity The IPSec integrity algorithm (labelled IKE phase 1 here; the IPSec SA is the Phase 2 SA, as the saLifeTimeSeconds row says). 'GCMAES128'
'GCMAES192'
'GCMAES256'
'MD5'
'SHA1'
'SHA256' (required)
pfsGroup The Pfs Group used in IKE Phase 2 for new child SA. 'ECP256'
'ECP384'
'None'
'PFS1'
'PFS14'
'PFS2'
'PFS2048'
'PFS24'
'PFSMM' (required)
saDataSizeKilobytes The IPSec Security Association (also called Quick Mode or Phase 2 SA) payload size in KB for a site to site VPN tunnel. int (required)
saLifeTimeSeconds The IPSec Security Association (also called Quick Mode or Phase 2 SA) lifetime in seconds for a site to site VPN tunnel. int (required)

PropagatedRouteTable

Name Description Value
ids The list of resource ids of all the RouteTables. SubResource[]
labels The list of labels. string[]

RoutingConfiguration

Name Description Value
associatedRouteTable The resource id of the RouteTable associated with this RoutingConfiguration. SubResource
inboundRouteMap The resource id of the RouteMap associated with this RoutingConfiguration for inbound learned routes. SubResource
outboundRouteMap The resource id of the RouteMap associated with this RoutingConfiguration for outbound advertised routes. SubResource
propagatedRouteTables The list of RouteTables to advertise the routes to. PropagatedRouteTable
vnetRoutes List of routes that control routing from VirtualHub into a virtual network connection. VnetRoute

StaticRoute

Name Description Value
addressPrefixes List of all address prefixes. string[]
name The name of the StaticRoute that is unique within a VnetRoute. string
nextHopIpAddress The ip address of the next hop. string

StaticRoutesConfig

Name Description Value
vnetLocalRouteOverrideCriteria Parameter determining whether NVA in spoke vnet is bypassed for traffic with destination in spoke. 'Contains'
'Equal'

SubResource

Name Description Value
id Resource ID. string

TrafficSelectorPolicy

Name Description Value
localAddressRanges A collection of local address spaces in CIDR format. string[] (required)
remoteAddressRanges A collection of remote address spaces in CIDR format. string[] (required)

VnetRoute

Name Description Value
staticRoutes List of all Static Routes. StaticRoute[]
staticRoutesConfig Configuration for static routes on this HubVnetConnection. StaticRoutesConfig

VpnConnectionProperties

Name Description Value
connectionBandwidth Expected bandwidth in MBPS. int
dpdTimeoutSeconds DPD timeout in seconds for vpn connection. int
enableBgp EnableBgp flag. bool
enableInternetSecurity Enable internet security. bool
enableRateLimiting EnableRateLimiting flag. bool
ipsecPolicies The IPSec Policies to be considered by this connection. IpsecPolicy[]
remoteVpnSite Id of the connected vpn site. SubResource
routingConfiguration The Routing Configuration indicating the associated and propagated route tables on this connection. RoutingConfiguration
routingWeight Routing weight for vpn connection. int
sharedKey SharedKey for the vpn connection. string
trafficSelectorPolicies The Traffic Selector Policies to be considered by this connection. TrafficSelectorPolicy[]
useLocalAzureIpAddress Use local azure ip to initiate connection. bool
usePolicyBasedTrafficSelectors Enable policy-based traffic selectors. bool
vpnConnectionProtocolType Connection protocol used for this connection. 'IKEv1'
'IKEv2'
vpnLinkConnections List of all vpn site link connections to the gateway. VpnSiteLinkConnection[]

VpnSiteLinkConnection

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the VPN site link connection. VpnSiteLinkConnectionProperties

VpnSiteLinkConnectionProperties

Name Description Value
connectionBandwidth Expected bandwidth in MBPS. int
dpdTimeoutSeconds Dead Peer Detection timeout in seconds for VpnLink connection. int
egressNatRules List of egress NatRules. SubResource[]
enableBgp EnableBgp flag. bool
enableRateLimiting EnableRateLimiting flag. bool
ingressNatRules List of ingress NatRules. SubResource[]
ipsecPolicies The IPSec Policies to be considered by this connection. IpsecPolicy[]
routingWeight Routing weight for vpn connection. int
sharedKey SharedKey for the vpn connection. string
useLocalAzureIpAddress Use local azure ip to initiate connection. bool
usePolicyBasedTrafficSelectors Enable policy-based traffic selectors. bool
vpnConnectionProtocolType Connection protocol used for this connection. 'IKEv1'
'IKEv2'
vpnGatewayCustomBgpAddresses vpnGatewayCustomBgpAddresses used by this connection. GatewayCustomBgpIpAddressIpConfiguration[]
vpnLinkConnectionMode Vpn link connection mode. 'Default'
'InitiatorOnly'
'ResponderOnly'
vpnSiteLink Id of the connected vpn site link. SubResource

Usage Examples

Terraform Samples

A basic example of deploying VPN Gateway Connection.

# Declares the azapi provider. No `version` constraint is given, so `terraform init`
# selects the newest release it finds; add a constraint and commit
# .terraform.lock.hcl so every run resolves the same provider build.
terraform {
  required_providers {
    azapi = {
      source = "Azure/azapi"
    }
  }
}

# Provider configuration. No credentials are set in this block, so authentication
# has to come from outside the file (not shown on this page).
provider "azapi" {
  # false: the provider's resource-provider registration step is not skipped.
  skip_provider_registration = false
}

# Name reused for the resource group and every resource created in this sample.
variable "resource_name" {
  type    = string
  default = "acctest0001"
}

# Azure region for every resource. The `___` prefix on the name looks like an
# extraction artifact of `location`; it is left as declared because the resource
# blocks refer to var.___location.
variable "___location" {
  type    = string
  default = "westeurope"
}

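# Resource group that holds every resource in this sample.
resource "azapi_resource" "resourceGroup" {
  type     = "Microsoft.Resources/resourceGroups@2020-06-01"
  name     = var.resource_name
  # The azapi_resource argument is `location`; the page printed it with a stray
  # `___` prefix. The variable keeps its declared name, var.___location.
  location = var.___location
}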

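# Standard virtual WAN that the hub and the vpn site attach to.
resource "azapi_resource" "virtualWan" {
  type      = "Microsoft.Network/virtualWans@2022-07-01"
  parent_id = azapi_resource.resourceGroup.id
  name      = var.resource_name
  # The azapi_resource argument is `location`; the page printed it with a stray
  # `___` prefix. The variable keeps its declared name, var.___location.
  location  = var.___location
  body = {
    properties = {
      # Going by the property name, this lets branch sites reach each other through
      # the WAN; set it to false if sites should only reach Azure — TODO confirm.
      allowBranchToBranchTraffic     = true
      # false keeps VPN encryption enabled.
      disableVpnEncryption           = false
      office365LocalBreakoutCategory = "None"
      type                           = "Standard"
    }
  }
  # Turns off azapi's check of `body` against the resource schema, so a misspelled
  # property name is not caught before the request is sent.
  schema_validation_enabled = false
  # Exports the whole API response into the resource's output (and so into state);
  # list only the fields that are actually consumed.
  response_export_values    = ["*"]
}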

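# Virtual hub inside the virtual WAN; the vpn gateway is attached to this hub.
resource "azapi_resource" "virtualHub" {
  type      = "Microsoft.Network/virtualHubs@2022-07-01"
  parent_id = azapi_resource.resourceGroup.id
  name      = var.resource_name
  # The azapi_resource argument is `location`; the page printed it with a stray
  # `___` prefix. The variable keeps its declared name, var.___location.
  location  = var.___location
  body = {
    properties = {
      # Sample hub address space.
      addressPrefix        = "10.0.0.0/24"
      hubRoutingPreference = "ExpressRoute"
      virtualRouterAutoScaleConfiguration = {
        minCapacity = 2
      }
      virtualWan = {
        id = azapi_resource.virtualWan.id
      }
    }
  }
  # Turns off azapi's check of `body` against the resource schema, so a misspelled
  # property name is not caught before the request is sent.
  schema_validation_enabled = false
  # Exports the whole API response into the resource's output (and so into state);
  # list only the fields that are actually consumed.
  response_export_values    = ["*"]
}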

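# Remote vpn site with two links, "link1" and "link2"; the azapi_resource_id data
# sources and the vpnConnection resource refer to the links by these names.
resource "azapi_resource" "vpnSite" {
  type      = "Microsoft.Network/vpnSites@2022-07-01"
  parent_id = azapi_resource.resourceGroup.id
  name      = var.resource_name
  # The azapi_resource argument is `location`; the page printed it with a stray
  # `___` prefix. The variable keeps its declared name, var.___location.
  location  = var.___location
  body = {
    properties = {
      # Sample address space announced for the site.
      addressSpace = {
        addressPrefixes = [
          "10.0.1.0/24",
        ]
      }
      virtualWan = {
        id = azapi_resource.virtualWan.id
      }
      vpnSiteLinks = [
        {
          name = "link1"
          properties = {
            fqdn      = ""
            # Sample peer address for this link; replace with the real device address.
            ipAddress = "10.0.1.1"
            linkProperties = {
              linkProviderName = ""
              linkSpeedInMbps  = 0
            }
          }
        },
        {
          name = "link2"
          properties = {
            fqdn      = ""
            # Sample peer address for this link; replace with the real device address.
            ipAddress = "10.0.1.2"
            linkProperties = {
              linkProviderName = ""
              linkSpeedInMbps  = 0
            }
          }
        },
      ]
    }
  }
  # Turns off azapi's check of `body` against the resource schema, so a misspelled
  # property name is not caught before the request is sent.
  schema_validation_enabled = false
  # Exports the whole API response into the resource's output (and so into state);
  # list only the fields that are actually consumed.
  response_export_values    = ["*"]
}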

# Builds the resource ID of the site link named "link1" under the vpn site, for use
# as vpnSiteLink.id in the connection.
data "azapi_resource_id" "link1" {
  type      = "Microsoft.Network/vpnSites/vpnSiteLinks@2022-07-01"
  parent_id = azapi_resource.vpnSite.id
  name      = "link1"
}

# Builds the resource ID of the site link named "link2" under the vpn site, for use
# as vpnSiteLink.id in the connection.
data "azapi_resource_id" "link2" {
  type      = "Microsoft.Network/vpnSites/vpnSiteLinks@2022-07-01"
  parent_id = azapi_resource.vpnSite.id
  name      = "link2"
}

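# Vpn gateway attached to the virtual hub; parent of the vpnConnection resource.
resource "azapi_resource" "vpnGateway" {
  type      = "Microsoft.Network/vpnGateways@2022-07-01"
  parent_id = azapi_resource.resourceGroup.id
  name      = var.resource_name
  # The azapi_resource argument is `location`; the page printed it with a stray
  # `___` prefix. The variable keeps its declared name, var.___location.
  location  = var.___location
  body = {
    properties = {
      enableBgpRouteTranslationForNat = false
      isRoutingPreferenceInternet     = false
      virtualHub = {
        id = azapi_resource.virtualHub.id
      }
      vpnGatewayScaleUnit = 1
    }
  }
  # Turns off azapi's check of `body` against the resource schema, so a misspelled
  # property name is not caught before the request is sent.
  schema_validation_enabled = false
  # Exports the whole API response into the resource's output (and so into state);
  # list only the fields that are actually consumed.
  response_export_values    = ["*"]
  # Long create/update/delete timeouts are set for this resource.
  timeouts {
    create = "180m"
    update = "180m"
    delete = "60m"
  }
}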

# Connection from the vpn gateway to the vpn site, with one link connection per
# site link. Note the sample pins API version 2022-07-01, not the 2024-07-01
# version this page documents.
#
# Neither link sets ipsecPolicies or sharedKey, so the algorithm selection and the
# key are not fixed by this file. For anything beyond a test deployment, set an
# explicit ipsecPolicies entry (AES/GCMAES, SHA256 or stronger, DHGroup14 or
# stronger / ECP) and supply sharedKey from a variable declared `sensitive = true`.
resource "azapi_resource" "vpnConnection" {
  type      = "Microsoft.Network/vpnGateways/vpnConnections@2022-07-01"
  parent_id = azapi_resource.vpnGateway.id
  name      = var.resource_name
  body = {
    properties = {
      # "Enable internet security" is switched off for this connection.
      enableInternetSecurity = false
      remoteVpnSite = {
        id = azapi_resource.vpnSite.id
      }
      vpnLinkConnections = [
        {
          name = "link1"
          properties = {
            connectionBandwidth            = 10
            enableBgp                      = false
            enableRateLimiting             = false
            routingWeight                  = 0
            useLocalAzureIpAddress         = false
            usePolicyBasedTrafficSelectors = false
            # IKEv2 is selected; 'IKEv1' is the other value the schema allows.
            vpnConnectionProtocolType      = "IKEv2"
            vpnGatewayCustomBgpAddresses = [
            ]
            vpnLinkConnectionMode = "Default"
            vpnSiteLink = {
              id = data.azapi_resource_id.link1.id
            }
          }
        },
        {
          name = "link2"
          properties = {
            connectionBandwidth            = 10
            enableBgp                      = false
            enableRateLimiting             = false
            routingWeight                  = 0
            useLocalAzureIpAddress         = false
            usePolicyBasedTrafficSelectors = false
            # IKEv2 is selected; 'IKEv1' is the other value the schema allows.
            vpnConnectionProtocolType      = "IKEv2"
            vpnGatewayCustomBgpAddresses = [
            ]
            vpnLinkConnectionMode = "Default"
            vpnSiteLink = {
              id = data.azapi_resource_id.link2.id
            }
          }
        },
      ]
    }
  }
  # Turns off azapi's check of `body` against the resource schema, so a misspelled
  # property name (for example inside a security setting) is not caught before the
  # request is sent.
  schema_validation_enabled = false
  # Exports the whole API response into the resource's output (and so into state);
  # list only the fields that are actually consumed.
  response_export_values    = ["*"]
}