Azure VPN Gateway

This feature creates an Azure VPN Gateway with its own dedicated Subnet, public IP, and the connections resources.

Gateway SKU list description is available on Microsoft documentation.

Global versioning rule for Claranet Azure modules

Module version	Terraform version	OpenTofu version	AzureRM version
>= 8.x.x	Unverified	1.8.x	>= 4.0
>= 7.x.x	1.3.x		>= 3.0
>= 6.x.x	1.x		>= 3.0
>= 5.x.x	0.15.x		>= 2.0
>= 4.x.x	0.13.x / 0.14.x		>= 2.0
>= 3.x.x	0.12.x		>= 2.0
>= 2.x.x	0.12.x		< 2.0
< 2.x.x	0.11.x		< 2.0

Contributing

If you want to contribute to this repository, feel free to use our pre-commit git hook configuration which will help you automatically update and format some files for you by enforcing our Terraform code module best-practices.

More details are available in the CONTRIBUTING.md file.

Usage

This module is optimized to work with the Claranet terraform-wrapper tool which set some terraform variables in the environment needed by this module. More details about variables set by the terraform-wrapper available in the documentation.

⚠️ Since modules version v8.0.0, we do not maintain/check anymore the compatibility with Hashicorp Terraform. Instead, we recommend to use OpenTofu.

module "vpn_gw" {
  source  = "claranet/vpn/azurerm"
  version = "x.x.x"

  client_name         = var.client_name
  environment         = var.environment
  stack               = var.stack
  location            = module.azure_region.location
  location_short      = module.azure_region.location_short
  resource_group_name = module.rg.name

  virtual_network_name = module.vnet.name
  subnet_cidr          = "10.10.1.0/25"

  nat_rules = {
    OnPremToAzure = {
      external_mapping = [
        {
          address_space = "172.16.0.0/16"
      }]
      internal_mapping = [
        {
          address_space = "10.16.0.0/16"
      }]
      mode = "IngressSnat"
      type = "Static"

    }
  }
  vpn_connections = [
    {
      name                         = "azure_to_claranet"
      name_suffix                  = "claranet"
      custom_name                  = "azure_to_claranet_vpn_connection"
      local_gw_custom_name         = "azure_to_claranet_local_gateway"
      extra_tags                   = { to = "claranet" }
      local_gateway_address        = "89.185.1.1"
      local_gateway_address_spaces = ["89.185.1.1/32"]

      ingress_nat_rule_names = ["OnPremToAzure"]
    }
  ]

  logs_destinations_ids = [
    module.logs.id,
    module.logs.storage_account_id
  ]

  extra_tags = {
    foo = "bar"
  }
}

Providers

Name	Version
azurecaf	>= 1.2.28
azurerm	~> 4.31
random	~> 3.0

Modules

Name	Source	Version
diagnostics	claranet/diagnostic-settings/azurerm	~> 8.2.0
subnet_gateway	claranet/subnet/azurerm	~> 8.1.0

Resources

Name	Type
azurerm_local_network_gateway.main	resource
azurerm_public_ip.main	resource
azurerm_virtual_network_gateway.main	resource
azurerm_virtual_network_gateway_connection.main	resource
azurerm_virtual_network_gateway_nat_rule.main	resource
random_password.main	resource
azurecaf_name.gw_pub_ip	data source
azurecaf_name.local_network_gateway	data source
azurecaf_name.vnet_gw	data source
azurecaf_name.vpn_gw_connection	data source

Inputs

Name	Description	Type	Default	Required
active_active	If true, an active-active Virtual Network Gateway will be created. An active-active gateway requires a HighPerformance or an UltraPerformance SKU. If false, an active-standby gateway will be created.	bool	false	no
additional_routes_to_advertise	Additional routes reserved for this virtual network in CIDR notation.	list(string)	[]	no
bgp_enabled	If true, BGP (Border Gateway Protocol) will be enabled for this Virtual Network Gateway. Defaults to false.	bool	false	no
client_name	Client name/account used in naming.	string	n/a	yes
custom_name	Custom VPN Gateway name, generated if not set.	string	""	no
default_tags_enabled	Option to enable or disable default tags.	bool	true	no
diagnostic_settings_custom_name	Custom name of the diagnostics settings, name will be default if not set.	string	"default"	no
environment	Project environment.	string	n/a	yes
extra_tags	Additional tags to associate with your VPN Gateway.	map(string)	{}	no
gateway_generation	Configuration of the generation of the Virtual Network Gateway. Valid options are Generation1, Generation2 or None.	string	"Generation2"	no
ipconfig_custom_names	List of VPN GW IP Config resource custom name. One per IP on the gateway.	list(string)	[]	no
location	Azure region to use.	string	n/a	yes
location_short	Short string for Azure location.	string	n/a	yes
logs_categories	Log categories to send to destinations.	list(string)	null	no
logs_destinations_ids	List of destination resources IDs for logs diagnostic destination. Can be Storage Account, Log Analytics Workspace and Event Hub. No more than one of each can be set. If you want to use Azure EventHub as a destination, you must provide a formatted string containing both the EventHub Namespace authorization send ID and the EventHub name (name of the queue to use in the Namespace) separated by the | character.	list(string)	n/a	yes
logs_metrics_categories	Metrics categories to send to destinations.	list(string)	null	no
name_prefix	Optional prefix for the generated name.	string	""	no
name_suffix	Optional suffix for the generated name.	string	""	no
nat_rules	Map of NAT rules to apply to the VPN Gateway. For dynamic NAT rules, if ip_configuration_name is not set, the first IP configuration will be used.	map(object({ external_mapping = list(object({ address_space = string port_range = optional(string) })) internal_mapping = list(object({ address_space = string port_range = optional(string) })) mode = string type = optional(string, "Static") ip_configuration_name = optional(string) }) )	{}	no
network_resource_group_name	VNet and subnet Resource Group name. To use only if you need to have a dedicated Resource Group for all VPN Gateway resources. (set via resource_group_name variable.)	string	""	no
private_ip_address_enabled	Whether the Virtual Network Gateway should have a private IP address. Defaults to false. If set to true, the gateway will have a private IP address.	bool	false	no
public_ip_allocation_method	Defines the allocation method for this IP address. Possible values are Static or Dynamic.	string	"Static"	no
public_ip_count	Number of Public IPs to allocate and associated to the Gateway. By default only 1. Maximum is 3.	number	1	no
public_ip_custom_names	List of VPN GW Public IP resource custom name. One per IP on the gateway.	list(string)	[]	no
public_ip_sku	The SKU of the public IP. Accepted values are Basic and Standard.	string	"Standard"	no
public_ip_zones	Public IP zones to configure.	list(number)	[ 1, 2, 3 ]	no
resource_group_name	Name of the resource group.	string	n/a	yes
routing_type	The routing type of the Virtual Network Gateway. Valid options are RouteBased or PolicyBased. Defaults to RouteBased.	string	"RouteBased"	no
sku	Configuration of the size and capacity of the Virtual Network Gateway. Valid options are Basic, Standard, HighPerformance, UltraPerformance, ErGw[1-3]AZ, VpnGw[1-5], VpnGw[1-5]AZ, and depend on the type and vpn_type arguments. A PolicyBased gateway only supports the Basic SKU. Further, the UltraPerformance sku is only supported by an ExpressRoute gateway. SKU details and list is available in the documentation.	string	"VpnGw2AZ"	no
stack	Project stack name.	string	n/a	yes
subnet_cidr	CIDR range for the dedicated Gateway subnet. Must be a range available in the VNet.	string	null	no
subnet_id	Subnet Gateway ID to use if already existing. Must be named GatewaySubnet.	string	null	no
type	The type of the Virtual Network Gateway. Valid options are Vpn or ExpressRoute. Changing the type forces a new resource to be created.	string	"Vpn"	no
virtual_network_name	Virtual Network Name where the dedicated VPN subnet and Gateway will be created.	string	n/a	yes
vpn_client_configuration	VPN client configuration authorizations.	object({ address_space = list(string) # The address space out of which IP addresses for vpn clients will be taken entra_tenant = optional(string) # Entra (aka AzureAD) Tenant URL entra_audience = optional(string) # The client id of the Azure VPN application entra_issuer = optional(string) # The STS url for your tenant root_certificate = optional(list(object({ name = string public_cert_data = string })), []) revoked_certificate = optional(list(object({ name = string public_cert_data = string })), []) radius_server_address = optional(string) radius_server_secret = optional(string) vpn_auth_types = optional(list(string), ["AAD"]) vpn_client_protocols = optional(list(string), ["OpenVPN"]) })	null	no
vpn_connections	List of VPN connection configurations.	list(object({ name = string extra_tags = optional(map(string)) name_suffix = optional(string) local_gw_custom_name = optional(string) # Generated if not set vpn_gw_custom_name = optional(string) # Generated if not set local_gateway_address = optional(string) local_gateway_fqdn = optional(string) local_gateway_address_spaces = optional(list(string), []) # CIDR Format local_azure_ip_address_enabled = optional(bool, false) local_gateway_bgp_settings = optional(object({ asn = number bgp_peering_address = string })) shared_key = optional(string) # Generated if not set connection_mode = optional(string, "Default") connection_protocol = optional(string, "IKEv2") dpd_timeout_seconds = optional(number, 45) enable_bgp = optional(bool, false) custom_bgp_addresses = optional(object({ primary = string secondary = string })) use_policy_based_traffic_selectors = optional(bool, false) traffic_selector_policy = optional(list(object({ local_address_cidrs = list(string) remote_address_cidrs = list(string) })), []) egress_nat_rule_names = optional(list(string), []) ingress_nat_rule_names = optional(list(string), []) ipsec_policy = optional(object({ dh_group = string ike_encryption = string ike_integrity = string ipsec_encryption = string ipsec_integrity = string pfs_group = string sa_datasize = optional(number) sa_lifetime = optional(number) })) }))	[]	no

Outputs

Name	Description
id	VPN Gateway ID.
local_gateway_ids	Azure VNET local Gateway IDs.
local_gateway_names	Azure VNET local Gateway names.
module_diagnostics	Diagnostics settings module outputs.
name	VPN Gateway name.
public_ip_adresses	Azure VPN Gateway public IPs.
public_ip_name	Azure VPN Gateway public IP resource name.
resource	VPN Gateway resource object.
resource_public_ip	Azure VPN Gateway Public IP resource object.
shared_keys	Shared Keys used for VPN connections.
subnet_id	Dedicated subnet ID for the GW.
vpn_connection_ids	The VPN created connections IDs.

Specifications

• If vpn_gw_active_active variable is true, at least two public IPs will be provisionned unless more IPs are set via the vpn_gw_public_ip_number variable.

Related documentation

Microsoft VPN Gateway documentation docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways