Skip to content

Latest commit

 

History

History
168 lines (139 loc) · 13.7 KB

README.md

File metadata and controls

168 lines (139 loc) · 13.7 KB

Azure VPN Gateway

Changelog Notice Apache V2 License OpenTofu Registry

This feature creates an Azure VPN Gateway with its own dedicated Subnet, public IP, and the connections resources.

Gateway SKU list description is available on Microsoft documentation.

Global versioning rule for Claranet Azure modules

Module version Terraform version OpenTofu version AzureRM version
>= 8.x.x Unverified 1.8.x >= 4.0
>= 7.x.x 1.3.x >= 3.0
>= 6.x.x 1.x >= 3.0
>= 5.x.x 0.15.x >= 2.0
>= 4.x.x 0.13.x / 0.14.x >= 2.0
>= 3.x.x 0.12.x >= 2.0
>= 2.x.x 0.12.x < 2.0
< 2.x.x 0.11.x < 2.0

Contributing

If you want to contribute to this repository, feel free to use our pre-commit git hook configuration which will help you automatically update and format some files for you by enforcing our Terraform code module best-practices.

More details are available in the CONTRIBUTING.md file.

Usage

This module is optimized to work with the Claranet terraform-wrapper tool which set some terraform variables in the environment needed by this module. More details about variables set by the terraform-wrapper available in the documentation.

⚠️ Since modules version v8.0.0, we do not maintain/check anymore the compatibility with Hashicorp Terraform. Instead, we recommend to use OpenTofu.

module "vpn_gw" {
  source  = "claranet/vpn/azurerm"
  version = "x.x.x"

  client_name         = var.client_name
  environment         = var.environment
  stack               = var.stack
  location            = module.azure_region.location
  location_short      = module.azure_region.location_short
  resource_group_name = module.rg.name

  virtual_network_name = module.vnet.name
  subnet_cidr          = "10.10.1.0/25"

  vpn_connections = [
    {
      name                         = "azure_to_claranet"
      name_suffix                  = "claranet"
      custom_name                  = "azure_to_claranet_vpn_connection"
      local_gw_custom_name         = "azure_to_claranet_local_gateway"
      extra_tags                   = { to = "claranet" }
      local_gateway_address        = "89.185.1.1"
      local_gateway_address_spaces = ["89.185.1.1/32"]
    }
  ]

  logs_destinations_ids = [
    module.logs.id,
    module.logs.storage_account_id
  ]

  extra_tags = {
    foo = "bar"
  }
}

Providers

Name Version
azurecaf ~> 1.2.28
azurerm ~> 4.0
random ~> 3.0

Modules

Name Source Version
diagnostics claranet/diagnostic-settings/azurerm ~> 8.0.0
subnet_gateway claranet/subnet/azurerm ~> 8.0.0

Resources

Name Type
azurerm_local_network_gateway.main resource
azurerm_public_ip.main resource
azurerm_virtual_network_gateway.main resource
azurerm_virtual_network_gateway_connection.main resource
random_password.main resource
azurecaf_name.gw_pub_ip data source
azurecaf_name.local_network_gateway data source
azurecaf_name.vnet_gw data source
azurecaf_name.vpn_gw_connection data source

Inputs

Name Description Type Default Required
active_active If true, an active-active Virtual Network Gateway will be created. An active-active gateway requires a HighPerformance or an UltraPerformance SKU. If false, an active-standby gateway will be created. bool false no
additional_routes_to_advertise Additional routes reserved for this virtual network in CIDR notation. list(string) [] no
bgp_enabled If true, BGP (Border Gateway Protocol) will be enabled for this Virtual Network Gateway. Defaults to false. bool false no
client_name Client name/account used in naming. string n/a yes
custom_name Custom VPN Gateway name, generated if not set. string "" no
default_tags_enabled Option to enable or disable default tags. bool true no
diagnostic_settings_custom_name Custom name of the diagnostics settings, name will be default if not set. string "default" no
environment Project environment. string n/a yes
extra_tags Additional tags to associate with your VPN Gateway. map(string) {} no
gateway_generation Configuration of the generation of the Virtual Network Gateway. Valid options are Generation1, Generation2 or None. string "Generation2" no
ipconfig_custom_names List of VPN GW IP Config resource custom name. One per IP on the gateway. list(string) [] no
location Azure region to use. string n/a yes
location_short Short string for Azure location. string n/a yes
logs_categories Log categories to send to destinations. list(string) null no
logs_destinations_ids List of destination resources IDs for logs diagnostic destination.
Can be Storage Account, Log Analytics Workspace and Event Hub. No more than one of each can be set.
If you want to use Azure EventHub as a destination, you must provide a formatted string containing both the EventHub Namespace authorization send ID and the EventHub name (name of the queue to use in the Namespace) separated by the | character.
list(string) n/a yes
logs_metrics_categories Metrics categories to send to destinations. list(string) null no
name_prefix Optional prefix for the generated name. string "" no
name_suffix Optional suffix for the generated name. string "" no
network_resource_group_name VNet and subnet Resource Group name. To use only if you need to have a dedicated Resource Group for all VPN Gateway resources. (set via resource_group_name variable.) string "" no
public_ip_allocation_method Defines the allocation method for this IP address. Possible values are Static or Dynamic. string "Static" no
public_ip_count Number of Public IPs to allocate and associated to the Gateway. By default only 1. Maximum is 3. number 1 no
public_ip_custom_names List of VPN GW Public IP resource custom name. One per IP on the gateway. list(string) [] no
public_ip_sku The SKU of the public IP. Accepted values are Basic and Standard. string "Standard" no
public_ip_zones Public IP zones to configure. list(number)
[
1,
2,
3
]
no
resource_group_name Name of the resource group. string n/a yes
routing_type The routing type of the Virtual Network Gateway. Valid options are RouteBased or PolicyBased. Defaults to RouteBased. string "RouteBased" no
sku Configuration of the size and capacity of the Virtual Network Gateway.
Valid options are Basic, Standard, HighPerformance, UltraPerformance, ErGw[1-3]AZ, VpnGw[1-5], VpnGw[1-5]AZ, and depend on the type and vpn_type arguments.
A PolicyBased gateway only supports the Basic SKU. Further, the UltraPerformance sku is only supported by an ExpressRoute gateway.
SKU details and list is available in the documentation.
string "VpnGw2AZ" no
stack Project stack name. string n/a yes
subnet_cidr CIDR range for the dedicated Gateway subnet. Must be a range available in the VNet. string null no
subnet_id Subnet Gateway ID to use if already existing. Must be named GatewaySubnet. string null no
type The type of the Virtual Network Gateway. Valid options are Vpn or ExpressRoute. Changing the type forces a new resource to be created. string "Vpn" no
virtual_network_name Virtual Network Name where the dedicated VPN subnet and Gateway will be created. string n/a yes
vpn_client_configuration VPN client configuration authorizations.
object({
address_space = list(string) # The address space out of which IP addresses for vpn clients will be taken
entra_tenant = optional(string) # Entra (aka AzureAD) Tenant URL
entra_audience = optional(string) # The client id of the Azure VPN application
entra_issuer = optional(string) # The STS url for your tenant
root_certificate = optional(list(object({
name = string
public_cert_data = string
})), [])
revoked_certificate = optional(list(object({
name = string
public_cert_data = string
})), [])
radius_server_address = optional(string)
radius_server_secret = optional(string)
vpn_auth_types = optional(list(string), ["AAD"])
vpn_client_protocols = optional(list(string), ["OpenVPN"])
})
null no
vpn_connections List of VPN connection configurations.
list(object({
name = string
extra_tags = optional(map(string))

name_suffix = optional(string)
local_gw_custom_name = optional(string) # Generated if not set
vpn_gw_custom_name = optional(string) # Generated if not set

local_gateway_address = optional(string)
local_gateway_fqdn = optional(string)
local_gateway_address_spaces = optional(list(string), []) # CIDR Format
local_azure_ip_address_enabled = optional(bool, false)

shared_key = optional(string) # Generated if not set

connection_mode = optional(string, "Default")
connection_protocol = optional(string, "IKEv2")
dpd_timeout_seconds = optional(number, 45)

enable_bgp = optional(bool, false)
custom_bgp_addresses = optional(object({
primary = string
secondary = string
}))

use_policy_based_traffic_selectors = optional(bool, false)
traffic_selector_policy = optional(list(object({
local_address_cidrs = list(string)
remote_address_cidrs = list(string)
})), [])

egress_nat_rule_ids = optional(list(string))
ingress_nat_rule_ids = optional(list(string))

ipsec_policy = optional(object({
dh_group = string
ike_encryption = string
ike_integrity = string
ipsec_encryption = string
ipsec_integrity = string
pfs_group = string

sa_datasize = optional(number)
sa_lifetime = optional(number)
}))
}))
[] no

Outputs

Name Description
id VPN Gateway ID.
local_gateway_ids Azure VNET local Gateway IDs.
local_gateway_names Azure VNET local Gateway names.
module_diagnostics Diagnostics settings module outputs.
name VPN Gateway name.
public_ip_adresses Azure VPN Gateway public IPs.
public_ip_name Azure VPN Gateway public IP resource name.
resource VPN Gateway resource object.
resource_public_ip Azure VPN Gateway Public IP resource object.
shared_keys Shared Keys used for VPN connections.
subnet_id Dedicated subnet ID for the GW.
vpn_connection_ids The VPN created connections IDs.

Specifications

  • If vpn_gw_active_active variable is true, at least two public IPs will be provisionned unless more IPs are set via the vpn_gw_public_ip_number variable.

Related documentation

Microsoft VPN Gateway documentation docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways