
Terraform module for Azure VPN stack (Gateway, Route table)


Azure VPN Gateway


This feature creates an Azure VPN Gateway with its own dedicated Subnet, public IP, and the connections resources.

A description of the available Gateway SKUs is given in the Microsoft documentation.

Global versioning rule for Claranet Azure modules

| Module version | Terraform version | AzureRM version |
|---|---|---|
| >= 7.x.x | 1.3.x | >= 3.0 |
| >= 6.x.x | 1.x | >= 3.0 |
| >= 5.x.x | 0.15.x | >= 2.0 |
| >= 4.x.x | 0.13.x / 0.14.x | >= 2.0 |
| >= 3.x.x | 0.12.x | >= 2.0 |
| >= 2.x.x | 0.12.x | < 2.0 |
| < 2.x.x | 0.11.x | < 2.0 |

Usage

This module is optimized to work with the Claranet terraform-wrapper tool, which sets in the environment some Terraform variables needed by this module. More details about the variables set by the terraform-wrapper are available in its documentation.

```hcl
module "azure_region" {
  source  = "claranet/regions/azurerm"
  version = "x.x.x"

  azure_region = var.azure_region
}

module "rg" {
  source  = "claranet/rg/azurerm"
  version = "x.x.x"

  location    = module.azure_region.location
  client_name = var.client_name
  environment = var.environment
  stack       = var.stack
}

module "azure_network_vnet" {
  source  = "claranet/vnet/azurerm"
  version = "x.x.x"

  environment    = var.environment
  location       = module.azure_region.location
  location_short = module.azure_region.location_short
  client_name    = var.client_name
  stack          = var.stack

  resource_group_name = module.rg.resource_group_name
  vnet_cidr           = ["10.10.1.0/16"]
}

module "vpn_gw" {
  source  = "claranet/vpn/azurerm"
  version = "x.x.x"

  client_name         = var.client_name
  environment         = var.environment
  stack               = var.stack
  location            = module.azure_region.location
  location_short      = module.azure_region.location_short
  resource_group_name = module.rg.resource_group_name

  virtual_network_name = module.azure_network_vnet.virtual_network_name
  subnet_gateway_cidr  = "10.10.1.0/25"

  vpn_connections = [
    {
      name                         = "azure_to_claranet"
      name_suffix                  = "claranet"
      vpn_gw_custom_name           = "azure_to_claranet_vpn_connection"
      local_gw_custom_name         = "azure_to_claranet_local_gateway"
      extra_tags                   = { to = "claranet" }
      local_gateway_address        = "89.185.1.1"
      local_gateway_address_spaces = ["89.185.1.1/32"]
    }
  ]

  extra_tags = {
    foo = "bar"
  }
}
```

Providers

| Name | Version |
|---|---|
| azurecaf | ~> 1.2, >= 1.2.22 |
| azurerm | ~> 3.22 |
| random | ~> 3.0 |

Modules

| Name | Source | Version |
|---|---|---|
| subnet_gateway | claranet/subnet/azurerm | 6.0.0 |

Resources

| Name | Type |
|---|---|
| azurerm_local_network_gateway.local_network_gateway | resource |
| azurerm_public_ip.virtual_gateway_pubip | resource |
| azurerm_virtual_network_gateway.public_virtual_network_gateway | resource |
| azurerm_virtual_network_gateway_connection.virtual_network_gateway_connection | resource |
| random_password.vpn_ipsec_shared_key | resource |
| azurecaf_name.gw_pub_ip | data source |
| azurecaf_name.local_network_gateway | data source |
| azurecaf_name.vnet_gw | data source |
| azurecaf_name.vpn_gw_connection | data source |

Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| additional_routes_to_advertise | Additional routes reserved for this virtual network in CIDR notation. | `list(string)` | `null` | no |
| client_name | Client name/account used in naming. | `string` | n/a | yes |
| custom_name | Custom VPN Gateway name, generated if not set. | `string` | `""` | no |
| default_tags_enabled | Option to enable or disable default tags. | `bool` | `true` | no |
| environment | Project environment. | `string` | n/a | yes |
| extra_tags | Additional tags to associate with your VPN Gateway. | `map(string)` | `{}` | no |
| location | Azure region to use. | `string` | n/a | yes |
| location_short | Short string for Azure location. | `string` | n/a | yes |
| name_prefix | Optional prefix for the generated name. | `string` | `""` | no |
| name_suffix | Optional suffix for the generated name. | `string` | `""` | no |
| network_resource_group_name | VNet and Subnet Resource Group name. Use it only if you need a dedicated Resource Group for all VPN GW resources (set via the `resource_group_name` variable). | `string` | `""` | no |
| resource_group_name | Name of the resource group. | `string` | n/a | yes |
| stack | Project stack name. | `string` | n/a | yes |
| subnet_gateway_cidr | CIDR range for the dedicated Gateway subnet. Must be a range available in the VNet. | `string` | `null` | no |
| subnet_id | Subnet Gateway ID to use if already existing. Must be named `GatewaySubnet`. | `string` | `null` | no |
| use_caf_naming | Use the Azure CAF naming provider to generate default resource names. `custom_name` overrides this if set. The legacy default name is used if this is set to `false`. | `bool` | `true` | no |
| virtual_network_name | Virtual Network name where the dedicated VPN Subnet and GW will be created. | `string` | n/a | yes |
| vpn_aad_client_configuration | VPN client configuration using Azure AD authorization. | `object({...})` (see below) | `null` | no |
| vpn_connections | List of VPN Connection configurations. | `list(object({...}))` (see below) | `[]` | no |
| vpn_gw_active_active | If `true`, an active-active Virtual Network Gateway will be created. An active-active gateway requires a HighPerformance or an UltraPerformance SKU. If `false`, an active-standby gateway will be created. | `bool` | `false` | no |
| vpn_gw_enable_bgp | If `true`, BGP (Border Gateway Protocol) will be enabled for this Virtual Network Gateway. Defaults to `false`. | `bool` | `false` | no |
| vpn_gw_generation | Generation of the virtual network gateway. Valid options are `Generation1`, `Generation2` or `None`. | `string` | `"Generation2"` | no |
| vpn_gw_ipconfig_custom_name | VPN GW IP Config resource custom name. | `string` | `""` | no |
| vpn_gw_public_ip_allocation_method | Allocation method for this IP address. Possible values are `Static` or `Dynamic`. | `string` | `"Dynamic"` | no |
| vpn_gw_public_ip_custom_name | VPN GW Public IP resource custom name. | `string` | `""` | no |
| vpn_gw_public_ip_number | Number of Public IPs to allocate and associate with the Gateway. By default only 1. Maximum is 3. | `number` | `1` | no |
| vpn_gw_public_ip_sku | The SKU of the Public IP. Accepted values are `Basic` and `Standard`. | `string` | `"Basic"` | no |
| vpn_gw_public_ip_zones | Public IP zones to configure. | `list(number)` | `[1, 2, 3]` | no |
| vpn_gw_routing_type | The routing type of the Virtual Network Gateway. Valid options are `RouteBased` or `PolicyBased`. Defaults to `RouteBased`. | `string` | `"RouteBased"` | no |
| vpn_gw_sku | Size and capacity of the virtual network gateway. Valid options are `Basic`, `Standard`, `HighPerformance`, `UltraPerformance`, `ErGw[1-3]AZ`, `VpnGw[1-5]` and `VpnGw[1-5]AZ`, depending on the `type` and `vpn_type` arguments. A `PolicyBased` gateway only supports the `Basic` SKU. Further, the `UltraPerformance` SKU is only supported by an ExpressRoute gateway. The SKU list and details are available at https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways. | `string` | `"VpnGw2AZ"` | no |
| vpn_gw_type | The type of the Virtual Network Gateway. Valid options are `Vpn` or `ExpressRoute`. Changing the type forces a new resource to be created. | `string` | `"Vpn"` | no |

Type of `vpn_aad_client_configuration`:

```hcl
object({
  aad_audience  = string                 # The client id of the Azure VPN application
  aad_issuer    = string                 # The STS URL for your tenant
  aad_tenant    = optional(string)       # Azure AD tenant URL
  address_space = optional(list(string)) # The address space out of which IP addresses for VPN clients will be taken

  vpn_auth_types       = optional(list(string), ["AAD"])
  vpn_client_protocols = optional(list(string), ["OpenVPN"])
})
```

Type of `vpn_connections`:

```hcl
list(object({
  name       = string
  extra_tags = optional(map(string))

  name_suffix          = optional(string)
  local_gw_custom_name = optional(string) # Generated if not set
  vpn_gw_custom_name   = optional(string) # Generated if not set

  local_gateway_address        = optional(string)
  local_gateway_fqdn           = optional(string)
  local_gateway_address_spaces = optional(list(string), []) # CIDR format

  shared_key          = optional(string) # Generated if not set
  dpd_timeout_seconds = optional(number)

  egress_nat_rule_ids  = optional(list(string))
  ingress_nat_rule_ids = optional(list(string))

  ipsec_policy = optional(object({
    dh_group         = string
    ike_encryption   = string
    ike_integrity    = string
    ipsec_encryption = string
    ipsec_integrity  = string
    pfs_group        = string

    sa_datasize = optional(number)
    sa_lifetime = optional(number)
  }))
}))
```
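The following is an added example, not code from the module's README or from Claranet: it builds on the Usage block above (it assumes the `azure_region`, `rg` and `azure_network_vnet` modules from that section) and calls the module with the inputs a security review usually asks for: a zone-redundant SKU with Standard static public IPs, an explicit active-active IP count, a pre-shared key read from Key Vault instead of one generated into state, a pinned IKE/IPsec proposal, and Azure AD authentication for point-to-site clients. The Key Vault and secret names, the on-premises address and ranges, the tenant id and the VPN client application id are placeholders.

```hcl
# Added example (not part of the claranet/vpn/azurerm module).
# All names, addresses and ids below are placeholders.

data "azurerm_key_vault" "vpn" {
  name                = "kv-vpn-placeholder"            # placeholder
  resource_group_name = module.rg.resource_group_name
}

# Pre-shared key managed in Key Vault rather than generated by the module.
data "azurerm_key_vault_secret" "onprem_psk" {
  name         = "vpn-onprem-psk"                      # placeholder
  key_vault_id = data.azurerm_key_vault.vpn.id
}

module "vpn_gw" {
  source  = "claranet/vpn/azurerm"
  version = "x.x.x"

  client_name         = var.client_name
  environment         = var.environment
  stack               = var.stack
  location            = module.azure_region.location
  location_short      = module.azure_region.location_short
  resource_group_name = module.rg.resource_group_name

  virtual_network_name = module.azure_network_vnet.virtual_network_name
  subnet_gateway_cidr  = "10.10.1.0/25"

  # Zone-redundant VpnGw SKU. Azure requires Standard SKU public IPs for AZ gateways,
  # and a static allocation keeps the peer's allow-list stable.
  vpn_gw_type                        = "Vpn"
  vpn_gw_sku                         = "VpnGw2AZ"
  vpn_gw_generation                  = "Generation2"
  vpn_gw_routing_type                = "RouteBased"
  vpn_gw_public_ip_sku               = "Standard"
  vpn_gw_public_ip_allocation_method = "Static"
  vpn_gw_public_ip_zones             = [1, 2, 3]

  # Active-active needs at least two public IPs; state the count explicitly
  # instead of relying on the module to raise it.
  vpn_gw_active_active    = true
  vpn_gw_public_ip_number = 2
  vpn_gw_enable_bgp       = false

  # Site-to-site connection with a pinned IKE/IPsec proposal.
  vpn_connections = [
    {
      name                         = "azure_to_onprem"
      name_suffix                  = "onprem"
      local_gateway_address        = "203.0.113.10"       # placeholder (TEST-NET-3)
      local_gateway_address_spaces = ["192.168.100.0/24"] # placeholder on-prem range
      shared_key                   = data.azurerm_key_vault_secret.onprem_psk.value
      dpd_timeout_seconds          = 45

      ipsec_policy = {
        dh_group         = "ECP384"
        ike_encryption   = "AES256"
        ike_integrity    = "SHA384"
        ipsec_encryption = "GCMAES256"
        ipsec_integrity  = "GCMAES256" # must match ipsec_encryption when a GCM suite is used
        pfs_group        = "ECP384"
        sa_lifetime      = 27000       # seconds
        sa_datasize      = 102400000   # KB
      }
    }
  ]

  # Point-to-site clients authenticate against Azure AD over OpenVPN.
  vpn_aad_client_configuration = {
    aad_audience  = var.vpn_client_app_id                                   # placeholder app id
    aad_issuer    = "https://sts.windows.net/${var.tenant_id}/"             # placeholder tenant
    aad_tenant    = "https://login.microsoftonline.com/${var.tenant_id}/"   # placeholder tenant
    address_space = ["172.16.0.0/24"]                                       # placeholder client pool
  }

  extra_tags = {
    owner = "network-team"
  }
}

# Keep the shared keys out of plan/apply output.
output "vpn_shared_keys" {
  value     = module.vpn_gw.vpn_shared_keys
  sensitive = true
}
```

Whether the key is generated by the module (`random_password.vpn_ipsec_shared_key` in the Resources list) or read from Key Vault as above, it ends up in Terraform state, so the state backend needs the same access controls as the vault itself; marking the output `sensitive` only hides it from console output.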

Outputs

| Name | Description |
|---|---|
| vpn_connection_ids | IDs of the created VPN connections. |
| vpn_gw_id | Azure VPN GW ID. |
| vpn_gw_name | Azure VPN GW name. |
| vpn_gw_subnet_id | Dedicated subnet ID for the GW. |
| vpn_local_gateway_names | Azure VNet local Gateway names. |
| vpn_local_gw_ids | Azure VNet local Gateway IDs. |
| vpn_public_ip | Azure VPN GW public IP. |
| vpn_public_ip_name | Azure VPN GW public IP resource name. |
| vpn_shared_keys | Shared keys used for VPN connections. |

Specifications

  • If the `vpn_gw_active_active` variable is `true`, at least two public IPs will be provisioned, unless more IPs are requested via the `vpn_gw_public_ip_number` variable.

Related documentation

Microsoft VPN Gateway documentation: https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways