This module creates an Azure VPN Gateway with its own dedicated subnet, public IP(s) and the associated connection resources.
The list and description of the available Gateway SKUs is given in the Microsoft documentation.

Module version | Terraform version | OpenTofu version | AzureRM version |
---|---|---|---|
>= 8.x.x | Unverified | 1.8.x | >= 4.0 |
>= 7.x.x | 1.3.x | | >= 3.0 |
>= 6.x.x | 1.x | | >= 3.0 |
>= 5.x.x | 0.15.x | | >= 2.0 |
>= 4.x.x | 0.13.x / 0.14.x | | >= 2.0 |
>= 3.x.x | 0.12.x | | >= 2.0 |
>= 2.x.x | 0.12.x | | < 2.0 |
< 2.x.x | 0.11.x | | < 2.0 |

If you want to contribute to this repository, feel free to use our pre-commit git hook configuration, which automatically updates and formats some files for you by enforcing our Terraform module best practices.
More details are available in the CONTRIBUTING.md file.

This module is optimized to work with the Claranet terraform-wrapper tool,
which sets some Terraform variables in the environment that this module needs.
More details about the variables set by the terraform-wrapper
are available in its documentation.

```hcl
module "azure_region" {
  source  = "claranet/regions/azurerm"
  version = "x.x.x"

  azure_region = var.azure_region
}

module "rg" {
  source  = "claranet/rg/azurerm"
  version = "x.x.x"

  location    = module.azure_region.location
  client_name = var.client_name
  environment = var.environment
  stack       = var.stack
}

module "azure_network_vnet" {
  source  = "claranet/vnet/azurerm"
  version = "x.x.x"

  environment    = var.environment
  location       = module.azure_region.location
  location_short = module.azure_region.location_short
  client_name    = var.client_name
  stack          = var.stack

  resource_group_name = module.rg.resource_group_name
  vnet_cidr           = ["10.10.1.0/16"]
}

module "logs" {
  source  = "claranet/run/azurerm//modules/logs"
  version = "x.x.x"

  client_name    = var.client_name
  location       = module.azure_region.location
  location_short = module.azure_region.location_short
  environment    = var.environment
  stack          = var.stack

  resource_group_name = module.rg.resource_group_name

  extra_tags = {
    foo = "bar"
  }
}

module "vpn_gw" {
  source  = "claranet/vpn/azurerm"
  version = "x.x.x"

  client_name    = var.client_name
  environment    = var.environment
  stack          = var.stack
  location       = module.azure_region.location
  location_short = module.azure_region.location_short

  resource_group_name  = module.rg.resource_group_name
  virtual_network_name = module.azure_network_vnet.virtual_network_name
  subnet_gateway_cidr  = "10.10.1.0/25"

  vpn_connections = [
    {
      name                         = "azure_to_claranet"
      name_suffix                  = "claranet"
      vpn_gw_custom_name           = "azure_to_claranet_vpn_connection"
      local_gw_custom_name         = "azure_to_claranet_local_gateway"
      extra_tags                   = { to = "claranet" }
      local_gateway_address        = "89.185.1.1"
      local_gateway_address_spaces = ["89.185.1.1/32"]
    }
  ]

  logs_destinations_ids = [
    module.logs.log_analytics_workspace_id,
    module.logs.logs_storage_account_id
  ]

  extra_tags = {
    foo = "bar"
  }
}
```

Name | Version |
---|---|
azurecaf | ~> 1.2, >= 1.2.22 |
azurerm | ~> 3.107 |
random | ~> 3.0 |

Name | Source | Version |
---|---|---|
diagnostics | claranet/diagnostic-settings/azurerm | ~> 7.0.0 |
subnet_gateway | claranet/subnet/azurerm | 7.2.0 |

Name | Type |
---|---|
azurerm_local_network_gateway.local_network_gateway | resource |
azurerm_public_ip.virtual_gateway_pubip | resource |
azurerm_virtual_network_gateway.public_virtual_network_gateway | resource |
azurerm_virtual_network_gateway_connection.virtual_network_gateway_connection | resource |
random_password.vpn_ipsec_shared_key | resource |
azurecaf_name.gw_pub_ip | data source |
azurecaf_name.local_network_gateway | data source |
azurecaf_name.vnet_gw | data source |
azurecaf_name.vpn_gw_connection | data source |

Name | Description | Type | Default | Required |
---|---|---|---|---|
additional_routes_to_advertise | Additional routes reserved for this virtual network in CIDR notation. | list(string) | null | no |
client_name | Client name/account used in naming. | string | n/a | yes |
custom_diagnostic_settings_name | Custom name of the diagnostic settings; the name will be 'default' if not set. | string | "default" | no |
custom_name | Custom VPN Gateway name, generated if not set. | string | "" | no |
default_tags_enabled | Option to enable or disable default tags. | bool | true | no |
environment | Project environment. | string | n/a | yes |
extra_tags | Additional tags to associate with your VPN Gateway. | map(string) | {} | no |
location | Azure region to use. | string | n/a | yes |
location_short | Short string for Azure location. | string | n/a | yes |
logs_categories | Log categories to send to destinations. | list(string) | null | no |
logs_destinations_ids | List of destination resource IDs for the logs diagnostic destination. Can be a Storage Account, a Log Analytics Workspace and an Event Hub. No more than one of each can be set. If you want to specify an Azure Event Hub to send logs and metrics to, you need to provide a formatted string with both the Event Hub Namespace authorization send ID and the Event Hub name (name of the queue to use in the Namespace) separated by the `\|` character. | list(string) | n/a | yes |
logs_metrics_categories | Metrics categories to send to destinations. | list(string) | null | no |
name_prefix | Optional prefix for the generated name. | string | "" | no |
name_suffix | Optional suffix for the generated name. | string | "" | no |
network_resource_group_name | VNet and Subnet Resource Group name. To use only if you need a dedicated Resource Group for all VPN GW resources (set via the `resource_group_name` variable). | string | "" | no |
resource_group_name | Name of the resource group. | string | n/a | yes |
stack | Project stack name. | string | n/a | yes |
subnet_gateway_cidr | CIDR range for the dedicated Gateway subnet. Must be a range available in the VNet. | string | null | no |
subnet_id | Gateway subnet ID to use if it already exists. Must be named `GatewaySubnet`. | string | null | no |
use_caf_naming | Use the Azure CAF naming provider to generate default resource names. `custom_name` overrides this if set. The legacy default name is used if this is set to `false`. | bool | true | no |
virtual_network_name | Virtual Network name where the dedicated VPN Subnet and GW will be created. | string | n/a | yes |
vpn_client_configuration | VPN client configuration authorizations. | object({ | null | no |
vpn_connections | List of VPN Connection configurations. | list(object({ | [] | no |
vpn_gw_active_active | If true, an active-active Virtual Network Gateway will be created. An active-active gateway requires a HighPerformance or an UltraPerformance SKU. If false, an active-standby gateway will be created. | bool | false | no |
vpn_gw_enable_bgp | If true, BGP (Border Gateway Protocol) will be enabled for this Virtual Network Gateway. Defaults to false. | bool | false | no |
vpn_gw_generation | Configuration of the generation of the virtual network gateway. Valid options are `Generation1`, `Generation2` or `None`. | string | "Generation2" | no |
vpn_gw_ipconfig_custom_names | List of VPN GW IP Config resource custom names. One per IP on the gateway. | list(string) | [] | no |
vpn_gw_public_ip_allocation_method | Defines the allocation method for this IP address. Possible values are `Static` or `Dynamic`. | string | "Dynamic" | no |
vpn_gw_public_ip_custom_names | List of VPN GW Public IP resource custom names. One per IP on the gateway. | list(string) | [] | no |
vpn_gw_public_ip_number | Number of Public IPs to allocate and associate to the Gateway. By default only 1. Maximum is 3. | number | 1 | no |
vpn_gw_public_ip_sku | The SKU of the Public IP. Accepted values are `Basic` and `Standard`. | string | "Basic" | no |
vpn_gw_public_ip_zones | Public IP zones to configure. | list(number) | [ | no |
vpn_gw_routing_type | The routing type of the Virtual Network Gateway. Valid options are `RouteBased` or `PolicyBased`. Defaults to RouteBased. | string | "RouteBased" | no |
vpn_gw_sku | Configuration of the size and capacity of the virtual network gateway. Valid options are `Basic`, `Standard`, `HighPerformance`, `UltraPerformance`, `ErGw[1-3]AZ`, `VpnGw[1-5]`, `VpnGw[1-5]AZ`, and depend on the `type` and `vpn_type` arguments. A PolicyBased gateway only supports the Basic SKU. Further, the UltraPerformance SKU is only supported by an ExpressRoute gateway. SKU details and list are available at https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways. | string | "VpnGw2AZ" | no |
vpn_gw_type | The type of the Virtual Network Gateway. Valid options are `Vpn` or `ExpressRoute`. Changing the type forces a new resource to be created. | string | "Vpn" | no |


Name | Description |
---|---|
vpn_connection_ids | IDs of the created VPN connections. |
vpn_gw_id | Azure VPN GW ID. |
vpn_gw_name | Azure VPN GW name. |
vpn_gw_subnet_id | Dedicated subnet ID for the GW. |
vpn_local_gateway_names | Azure VNet local gateway names. |
vpn_local_gw_ids | Azure VNet local gateway IDs. |
vpn_public_ip | Azure VPN GW public IP. |
vpn_public_ip_name | Azure VPN GW public IP resource name. |
vpn_shared_keys | Shared keys used for the VPN connections. |


- If the `vpn_gw_active_active` variable is `true`, at least two public IPs will be provisioned, unless more IPs are requested via the `vpn_gw_public_ip_number` variable.

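The following configuration is an added example, not part of the module's own README, showing how the inputs and outputs documented above fit together for a gateway terminating two site-to-site tunnels. It assumes the `azure_region`, `rg`, `azure_network_vnet` and `logs` modules declared in the usage section, and assumes an `azurerm_eventhub_namespace_authorization_rule.logs` and an `azurerm_eventhub.logs` declared elsewhere in the stack; the remote addresses and prefixes are constructed sample values.

```hcl
# Added example (not the module's own code). Uses only inputs and outputs
# listed in the tables above; remote addresses and prefixes are constructed.
module "vpn_gw" {
  source  = "claranet/vpn/azurerm"
  version = "x.x.x"

  client_name    = var.client_name
  environment    = var.environment
  stack          = var.stack
  location       = module.azure_region.location
  location_short = module.azure_region.location_short

  resource_group_name  = module.rg.resource_group_name
  virtual_network_name = module.azure_network_vnet.virtual_network_name
  subnet_gateway_cidr  = "10.10.1.0/25"

  # Standard SKU public IPs must use Static allocation and can be spread
  # over availability zones (zone list is an assumed value for this example).
  vpn_gw_sku                         = "VpnGw2AZ"
  vpn_gw_public_ip_sku               = "Standard"
  vpn_gw_public_ip_allocation_method = "Static"
  vpn_gw_public_ip_zones             = [1, 2, 3]

  # One entry per remote site. local_gateway_address_spaces is the set of
  # on-premises prefixes routed through that tunnel: keep it as narrow as the
  # peer really needs, since every prefix listed becomes reachable over it.
  vpn_connections = [
    {
      name                         = "azure_to_site_a"
      name_suffix                  = "site-a"
      vpn_gw_custom_name           = "azure_to_site_a_vpn_connection"
      local_gw_custom_name         = "azure_to_site_a_local_gateway"
      extra_tags                   = { site = "a" }
      local_gateway_address        = "203.0.113.10" # constructed (TEST-NET-3)
      local_gateway_address_spaces = ["192.168.10.0/24"]
    },
    {
      name                         = "azure_to_site_b"
      name_suffix                  = "site-b"
      vpn_gw_custom_name           = "azure_to_site_b_vpn_connection"
      local_gw_custom_name         = "azure_to_site_b_local_gateway"
      extra_tags                   = { site = "b" }
      local_gateway_address        = "198.51.100.20" # constructed (TEST-NET-2)
      local_gateway_address_spaces = ["192.168.20.0/24", "192.168.21.0/24"]
    }
  ]

  # An Event Hub destination is written as
  # "<namespace authorization rule ID>|<event hub name>" (assumed resources).
  logs_destinations_ids = [
    module.logs.log_analytics_workspace_id,
    "${azurerm_eventhub_namespace_authorization_rule.logs.id}|${azurerm_eventhub.logs.name}",
  ]
}

# The module generates one random pre-shared key per connection
# (random_password.vpn_ipsec_shared_key) and exposes them via vpn_shared_keys.
# Marking the root output sensitive redacts the keys from plan/apply output;
# they still live in the state file, so the state backend needs the same
# access controls as a secret store.
output "vpn_shared_keys" {
  description = "Pre-shared keys of the VPN connections, one per entry of vpn_connections."
  value       = module.vpn_gw.vpn_shared_keys
  sensitive   = true
}

output "vpn_gw_public_ips" {
  description = "Public IP(s) of the gateway, to hand over to the remote sites."
  value       = module.vpn_gw.vpn_public_ip
}
```

Only `vpn_shared_keys` is marked `sensitive`: the gateway's public IPs are meant to be shared with the remote sites, while the pre-shared keys should reach them through an out-of-band channel, never through plan output or a CI log.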
Microsoft VPN Gateway documentation: docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways