Microsoft.Network connections 2021-03-01
Bicep resource definition
The connections resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Network/connections resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.Network/connections@2021-03-01' = {
name: 'string'
location: 'string'
tags: {
tagName1: 'tagValue1'
tagName2: 'tagValue2'
}
properties: {
authorizationKey: 'string'
connectionMode: 'string'
connectionProtocol: 'string'
connectionType: 'string'
dpdTimeoutSeconds: int
egressNatRules: [
{
id: 'string'
}
]
enableBgp: bool
expressRouteGatewayBypass: bool
ingressNatRules: [
{
id: 'string'
}
]
ipsecPolicies: [
{
dhGroup: 'string'
ikeEncryption: 'string'
ikeIntegrity: 'string'
ipsecEncryption: 'string'
ipsecIntegrity: 'string'
pfsGroup: 'string'
saDataSizeKilobytes: int
saLifeTimeSeconds: int
}
]
localNetworkGateway2: {
id: 'string'
location: 'string'
properties: {
bgpSettings: {
asn: int
bgpPeeringAddress: 'string'
bgpPeeringAddresses: [
{
customBgpIpAddresses: [
'string'
]
ipconfigurationId: 'string'
}
]
peerWeight: int
}
fqdn: 'string'
gatewayIpAddress: 'string'
localNetworkAddressSpace: {
addressPrefixes: [
'string'
]
}
}
tags: {}
}
peer: {
id: 'string'
}
routingWeight: int
sharedKey: 'string'
trafficSelectorPolicies: [
{
localAddressRanges: [
'string'
]
remoteAddressRanges: [
'string'
]
}
]
useLocalAzureIpAddress: bool
usePolicyBasedTrafficSelectors: bool
virtualNetworkGateway1: {
extendedLocation: {
name: 'string'
type: 'EdgeZone'
}
id: 'string'
location: 'string'
properties: {
activeActive: bool
bgpSettings: {
asn: int
bgpPeeringAddress: 'string'
bgpPeeringAddresses: [
{
customBgpIpAddresses: [
'string'
]
ipconfigurationId: 'string'
}
]
peerWeight: int
}
customRoutes: {
addressPrefixes: [
'string'
]
}
enableBgp: bool
enableBgpRouteTranslationForNat: bool
enableDnsForwarding: bool
enablePrivateIpAddress: bool
gatewayDefaultSite: {
id: 'string'
}
gatewayType: 'string'
ipConfigurations: [
{
id: 'string'
name: 'string'
properties: {
privateIPAllocationMethod: 'string'
publicIPAddress: {
id: 'string'
}
subnet: {
id: 'string'
}
}
}
]
natRules: [
{
id: 'string'
name: 'string'
properties: {
externalMappings: [
{
addressSpace: 'string'
}
]
internalMappings: [
{
addressSpace: 'string'
}
]
ipConfigurationId: 'string'
mode: 'string'
type: 'string'
}
}
]
sku: {
name: 'string'
tier: 'string'
}
vNetExtendedLocationResourceId: 'string'
vpnClientConfiguration: {
aadAudience: 'string'
aadIssuer: 'string'
aadTenant: 'string'
radiusServerAddress: 'string'
radiusServers: [
{
radiusServerAddress: 'string'
radiusServerScore: int
radiusServerSecret: 'string'
}
]
radiusServerSecret: 'string'
vpnAuthenticationTypes: [
'string'
]
vpnClientAddressPool: {
addressPrefixes: [
'string'
]
}
vpnClientIpsecPolicies: [
{
dhGroup: 'string'
ikeEncryption: 'string'
ikeIntegrity: 'string'
ipsecEncryption: 'string'
ipsecIntegrity: 'string'
pfsGroup: 'string'
saDataSizeKilobytes: int
saLifeTimeSeconds: int
}
]
vpnClientProtocols: [
'string'
]
vpnClientRevokedCertificates: [
{
id: 'string'
name: 'string'
properties: {
thumbprint: 'string'
}
}
]
vpnClientRootCertificates: [
{
id: 'string'
name: 'string'
properties: {
publicCertData: 'string'
}
}
]
}
vpnGatewayGeneration: 'string'
vpnType: 'string'
}
tags: {}
}
virtualNetworkGateway2: {
extendedLocation: {
name: 'string'
type: 'EdgeZone'
}
id: 'string'
location: 'string'
properties: {
activeActive: bool
bgpSettings: {
asn: int
bgpPeeringAddress: 'string'
bgpPeeringAddresses: [
{
customBgpIpAddresses: [
'string'
]
ipconfigurationId: 'string'
}
]
peerWeight: int
}
customRoutes: {
addressPrefixes: [
'string'
]
}
enableBgp: bool
enableBgpRouteTranslationForNat: bool
enableDnsForwarding: bool
enablePrivateIpAddress: bool
gatewayDefaultSite: {
id: 'string'
}
gatewayType: 'string'
ipConfigurations: [
{
id: 'string'
name: 'string'
properties: {
privateIPAllocationMethod: 'string'
publicIPAddress: {
id: 'string'
}
subnet: {
id: 'string'
}
}
}
]
natRules: [
{
id: 'string'
name: 'string'
properties: {
externalMappings: [
{
addressSpace: 'string'
}
]
internalMappings: [
{
addressSpace: 'string'
}
]
ipConfigurationId: 'string'
mode: 'string'
type: 'string'
}
}
]
sku: {
name: 'string'
tier: 'string'
}
vNetExtendedLocationResourceId: 'string'
vpnClientConfiguration: {
aadAudience: 'string'
aadIssuer: 'string'
aadTenant: 'string'
radiusServerAddress: 'string'
radiusServers: [
{
radiusServerAddress: 'string'
radiusServerScore: int
radiusServerSecret: 'string'
}
]
radiusServerSecret: 'string'
vpnAuthenticationTypes: [
'string'
]
vpnClientAddressPool: {
addressPrefixes: [
'string'
]
}
vpnClientIpsecPolicies: [
{
dhGroup: 'string'
ikeEncryption: 'string'
ikeIntegrity: 'string'
ipsecEncryption: 'string'
ipsecIntegrity: 'string'
pfsGroup: 'string'
saDataSizeKilobytes: int
saLifeTimeSeconds: int
}
]
vpnClientProtocols: [
'string'
]
vpnClientRevokedCertificates: [
{
id: 'string'
name: 'string'
properties: {
thumbprint: 'string'
}
}
]
vpnClientRootCertificates: [
{
id: 'string'
name: 'string'
properties: {
publicCertData: 'string'
}
}
]
}
vpnGatewayGeneration: 'string'
vpnType: 'string'
}
tags: {}
}
}
}
Property values
connections
| Name | Description | Value |
|---|---|---|
| name | The resource name | string (required) Character limit: 1-80 Valid characters: Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End alphanumeric or underscore. |
| location | Resource location. | string |
| tags | Resource tags. | Dictionary of tag names and values. See Tags in templates |
| properties | Properties of the virtual network gateway connection. | VirtualNetworkGatewayConnectionPropertiesFormat (required) |
VirtualNetworkGatewayConnectionPropertiesFormat
| Name | Description | Value |
|---|---|---|
| authorizationKey | The authorizationKey. | string |
| connectionMode | The connection mode for this connection. | 'Default' 'InitiatorOnly' 'ResponderOnly' |
| connectionProtocol | Connection protocol used for this connection. | 'IKEv1' 'IKEv2' |
| connectionType | Gateway connection type. | 'ExpressRoute' 'IPsec' 'VPNClient' 'Vnet2Vnet' (required) |
| dpdTimeoutSeconds | The dead peer detection timeout of this connection in seconds. | int |
| egressNatRules | List of egress NatRules. | SubResource[] |
| enableBgp | EnableBgp flag. | bool |
| expressRouteGatewayBypass | Bypass ExpressRoute Gateway for data forwarding. | bool |
| ingressNatRules | List of ingress NatRules. | SubResource[] |
| ipsecPolicies | The IPSec Policies to be considered by this connection. | IpsecPolicy[] |
| localNetworkGateway2 | The reference to local network gateway resource. | LocalNetworkGateway |
| peer | The reference to peerings resource. | SubResource |
| routingWeight | The routing weight. | int |
| sharedKey | The IPSec shared key. | string |
| trafficSelectorPolicies | The Traffic Selector Policies to be considered by this connection. | TrafficSelectorPolicy[] |
| useLocalAzureIpAddress | Use private local Azure IP for the connection. | bool |
| usePolicyBasedTrafficSelectors | Enable policy-based traffic selectors. | bool |
| virtualNetworkGateway1 | The reference to virtual network gateway resource. | VirtualNetworkGateway (required) |
| virtualNetworkGateway2 | The reference to virtual network gateway resource. | VirtualNetworkGateway |
SubResource
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
IpsecPolicy
| Name | Description | Value |
|---|---|---|
| dhGroup | The DH Group used in IKE Phase 1 for initial SA. | 'DHGroup1' 'DHGroup14' 'DHGroup2' 'DHGroup2048' 'DHGroup24' 'ECP256' 'ECP384' 'None' (required) |
| ikeEncryption | The IKE encryption algorithm (IKE phase 2). | 'AES128' 'AES192' 'AES256' 'DES' 'DES3' 'GCMAES128' 'GCMAES256' (required) |
| ikeIntegrity | The IKE integrity algorithm (IKE phase 2). | 'GCMAES128' 'GCMAES256' 'MD5' 'SHA1' 'SHA256' 'SHA384' (required) |
| ipsecEncryption | The IPSec encryption algorithm (IKE phase 1). | 'AES128' 'AES192' 'AES256' 'DES' 'DES3' 'GCMAES128' 'GCMAES192' 'GCMAES256' 'None' (required) |
| ipsecIntegrity | The IPSec integrity algorithm (IKE phase 1). | 'GCMAES128' 'GCMAES192' 'GCMAES256' 'MD5' 'SHA1' 'SHA256' (required) |
| pfsGroup | The Pfs Group used in IKE Phase 2 for new child SA. | 'ECP256' 'ECP384' 'None' 'PFS1' 'PFS14' 'PFS2' 'PFS2048' 'PFS24' 'PFSMM' (required) |
| saDataSizeKilobytes | The IPSec Security Association (also called Quick Mode or Phase 2 SA) payload size in KB for a site to site VPN tunnel. | int (required) |
| saLifeTimeSeconds | The IPSec Security Association (also called Quick Mode or Phase 2 SA) lifetime in seconds for a site to site VPN tunnel. | int (required) |
LocalNetworkGateway
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
| location | Resource location. | string |
| properties | Properties of the local network gateway. | LocalNetworkGatewayPropertiesFormat (required) |
| tags | Resource tags. | object |
LocalNetworkGatewayPropertiesFormat
| Name | Description | Value |
|---|---|---|
| bgpSettings | Local network gateway's BGP speaker settings. | BgpSettings |
| fqdn | FQDN of local network gateway. | string |
| gatewayIpAddress | IP address of local network gateway. | string |
| localNetworkAddressSpace | Local network site address space. | AddressSpace |
BgpSettings
| Name | Description | Value |
|---|---|---|
| asn | The BGP speaker's ASN. | int |
| bgpPeeringAddress | The BGP peering address and BGP identifier of this BGP speaker. | string |
| bgpPeeringAddresses | BGP peering address with IP configuration ID for virtual network gateway. | IPConfigurationBgpPeeringAddress[] |
| peerWeight | The weight added to routes learned from this BGP speaker. | int |
IPConfigurationBgpPeeringAddress
| Name | Description | Value |
|---|---|---|
| customBgpIpAddresses | The list of custom BGP peering addresses which belong to IP configuration. | string[] |
| ipconfigurationId | The ID of IP configuration which belongs to gateway. | string |
AddressSpace
| Name | Description | Value |
|---|---|---|
| addressPrefixes | A list of address blocks reserved for this virtual network in CIDR notation. | string[] |
TrafficSelectorPolicy
| Name | Description | Value |
|---|---|---|
| localAddressRanges | A collection of local address spaces in CIDR format. | string[] (required) |
| remoteAddressRanges | A collection of remote address spaces in CIDR format. | string[] (required) |
VirtualNetworkGateway
| Name | Description | Value |
|---|---|---|
| extendedLocation | The extended location of type local virtual network gateway. | ExtendedLocation |
| id | Resource ID. | string |
| location | Resource location. | string |
| properties | Properties of the virtual network gateway. | VirtualNetworkGatewayPropertiesFormat (required) |
| tags | Resource tags. | object |
ExtendedLocation
| Name | Description | Value |
|---|---|---|
| name | The name of the extended location. | string |
| type | The type of the extended location. | 'EdgeZone' |
VirtualNetworkGatewayPropertiesFormat
| Name | Description | Value |
|---|---|---|
| activeActive | ActiveActive flag. | bool |
| bgpSettings | Virtual network gateway's BGP speaker settings. | BgpSettings |
| customRoutes | The reference to the address space resource which represents the custom routes address space specified by the customer for virtual network gateway and VpnClient. | AddressSpace |
| enableBgp | Whether BGP is enabled for this virtual network gateway or not. | bool |
| enableBgpRouteTranslationForNat | EnableBgpRouteTranslationForNat flag. | bool |
| enableDnsForwarding | Whether dns forwarding is enabled or not. | bool |
| enablePrivateIpAddress | Whether private IP needs to be enabled on this gateway for connections or not. | bool |
| gatewayDefaultSite | The reference to the LocalNetworkGateway resource which represents local network site having default routes. Assign Null value in case of removing existing default site setting. | SubResource |
| gatewayType | The type of this virtual network gateway. | 'ExpressRoute' 'LocalGateway' 'Vpn' |
| ipConfigurations | IP configurations for virtual network gateway. | VirtualNetworkGatewayIPConfiguration[] |
| natRules | NatRules for virtual network gateway. | VirtualNetworkGatewayNatRule[] |
| sku | The reference to the VirtualNetworkGatewaySku resource which represents the SKU selected for Virtual network gateway. | VirtualNetworkGatewaySku |
| vNetExtendedLocationResourceId | Customer vnet resource id. VirtualNetworkGateway of type local gateway is associated with the customer vnet. | string |
| vpnClientConfiguration | The reference to the VpnClientConfiguration resource which represents the P2S VpnClient configurations. | VpnClientConfiguration |
| vpnGatewayGeneration | The generation for this VirtualNetworkGateway. Must be None if gatewayType is not VPN. | 'Generation1' 'Generation2' 'None' |
| vpnType | The type of this virtual network gateway. | 'PolicyBased' 'RouteBased' |
VirtualNetworkGatewayIPConfiguration
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
| name | The name of the resource that is unique within a resource group. This name can be used to access the resource. | string |
| properties | Properties of the virtual network gateway ip configuration. | VirtualNetworkGatewayIPConfigurationPropertiesFormat |
VirtualNetworkGatewayIPConfigurationPropertiesFormat
| Name | Description | Value |
|---|---|---|
| privateIPAllocationMethod | The private IP address allocation method. | 'Dynamic' 'Static' |
| publicIPAddress | The reference to the public IP resource. | SubResource |
| subnet | The reference to the subnet resource. | SubResource |
VirtualNetworkGatewayNatRule
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
| name | The name of the resource that is unique within a resource group. This name can be used to access the resource. | string |
| properties | Properties of the Virtual Network Gateway NAT rule. | VirtualNetworkGatewayNatRuleProperties |
VirtualNetworkGatewayNatRuleProperties
| Name | Description | Value |
|---|---|---|
| externalMappings | The private IP address external mapping for NAT. | VpnNatRuleMapping[] |
| internalMappings | The private IP address internal mapping for NAT. | VpnNatRuleMapping[] |
| ipConfigurationId | The IP Configuration ID this NAT rule applies to. | string |
| mode | The Source NAT direction of a VPN NAT. | 'EgressSnat' 'IngressSnat' |
| type | The type of NAT rule for VPN NAT. | 'Dynamic' 'Static' |
VpnNatRuleMapping
| Name | Description | Value |
|---|---|---|
| addressSpace | Address space for Vpn NatRule mapping. | string |
VirtualNetworkGatewaySku
| Name | Description | Value |
|---|---|---|
| name | Gateway SKU name. | 'Basic' 'ErGw1AZ' 'ErGw2AZ' 'ErGw3AZ' 'HighPerformance' 'Standard' 'UltraPerformance' 'VpnGw1' 'VpnGw1AZ' 'VpnGw2' 'VpnGw2AZ' 'VpnGw3' 'VpnGw3AZ' 'VpnGw4' 'VpnGw4AZ' 'VpnGw5' 'VpnGw5AZ' |
| tier | Gateway SKU tier. | 'Basic' 'ErGw1AZ' 'ErGw2AZ' 'ErGw3AZ' 'HighPerformance' 'Standard' 'UltraPerformance' 'VpnGw1' 'VpnGw1AZ' 'VpnGw2' 'VpnGw2AZ' 'VpnGw3' 'VpnGw3AZ' 'VpnGw4' 'VpnGw4AZ' 'VpnGw5' 'VpnGw5AZ' |
VpnClientConfiguration
| Name | Description | Value |
|---|---|---|
| aadAudience | The AADAudience property of the VirtualNetworkGateway resource for vpn client connection used for AAD authentication. | string |
| aadIssuer | The AADIssuer property of the VirtualNetworkGateway resource for vpn client connection used for AAD authentication. | string |
| aadTenant | The AADTenant property of the VirtualNetworkGateway resource for vpn client connection used for AAD authentication. | string |
| radiusServerAddress | The radius server address property of the VirtualNetworkGateway resource for vpn client connection. | string |
| radiusServers | The radiusServers property for multiple radius server configuration. | RadiusServer[] |
| radiusServerSecret | The radius secret property of the VirtualNetworkGateway resource for vpn client connection. | string |
| vpnAuthenticationTypes | VPN authentication types for the virtual network gateway.. | String array containing any of: 'AAD' 'Certificate' 'Radius' |
| vpnClientAddressPool | The reference to the address space resource which represents Address space for P2S VpnClient. | AddressSpace |
| vpnClientIpsecPolicies | VpnClientIpsecPolicies for virtual network gateway P2S client. | IpsecPolicy[] |
| vpnClientProtocols | VpnClientProtocols for Virtual network gateway. | String array containing any of: 'IkeV2' 'OpenVPN' 'SSTP' |
| vpnClientRevokedCertificates | VpnClientRevokedCertificate for Virtual network gateway. | VpnClientRevokedCertificate[] |
| vpnClientRootCertificates | VpnClientRootCertificate for virtual network gateway. | VpnClientRootCertificate[] |
RadiusServer
| Name | Description | Value |
|---|---|---|
| radiusServerAddress | The address of this radius server. | string (required) |
| radiusServerScore | The initial score assigned to this radius server. | int |
| radiusServerSecret | The secret used for this radius server. | string |
VpnClientRevokedCertificate
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
| name | The name of the resource that is unique within a resource group. This name can be used to access the resource. | string |
| properties | Properties of the vpn client revoked certificate. | VpnClientRevokedCertificatePropertiesFormat |
VpnClientRevokedCertificatePropertiesFormat
| Name | Description | Value |
|---|---|---|
| thumbprint | The revoked VPN client certificate thumbprint. | string |
VpnClientRootCertificate
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
| name | The name of the resource that is unique within a resource group. This name can be used to access the resource. | string |
| properties | Properties of the vpn client root certificate. | VpnClientRootCertificatePropertiesFormat (required) |
VpnClientRootCertificatePropertiesFormat
| Name | Description | Value |
|---|---|---|
| publicCertData | The certificate public data. | string (required) |
Quickstart templates
The following quickstart templates deploy this resource type.
| Template | Description |
|---|---|
BOSH CF Cross Region |
This template helps you setup the resources needed to deploy BOSH and Cloud Foundry across two regions on Azure. |
| Deploy HBase geo replication |
This template allows you to configure an Azure environment for HBase replication across two different regions with VPN vnet-to-vnet connection. |
| Connect an ExpressRoute circuit to a VNET |
This template creates a VNET, an ExpresRoute Gateway and a connection to a provisioned and enabled ExpressRoute circuit with AzurePrivatePeering configured. |
| Extend an existing Azure VNET to a Multi-VNET Configuration |
This template allows you to extend an existing single VNET environment to a Multi-VNET environment that extends across two datacenter regions using VNET-to-VNET gateways |
| Create a Site-to-Site VPN Connection with VM |
This template allows you to create a Site-to-Site VPN Connection using Virtual Network Gateways |
| Create a Site-to-Site VPN Connection |
This template allows you to create a Site-to-Site VPN Connection using Virtual Network Gateways |
| Site-to-Site VPN with active-active VPN Gateways with BGP |
This template allows you to deploy a site-to-site VPN between two VNets with VPN Gateways in configuration active-active with BGP. Each Azure VPN Gateway resolves the FQDN of the remote peers to determine the public IP of the remote VPN Gateway. Template runs as expected in Azure regions with availability zones. |
| Create a VNET to VNET connection across two regions |
This template allows you to connect two VNETs in different regions using Virtual Network Gateways |
| Create a BGP VNET to VNET connection |
This template allows you to connect two VNETs using Virtual Network Gateways and BGP |
| Create three vNets to demonstrate transitive BGP connections |
This template deploys three vNets connected using Virtual Network Gateways and BGP-enabled connections |
| VPN Custom IPSec Policy |
This custom IPSec Policy allows more granular configuration of the IKE Parameters. This allows you to deploy a site-to-site VPN Policy to support specific settings on your VPN Endpoit Device. |
ARM template resource definition
The connections resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Network/connections resource, add the following JSON to your template.
{
"type": "Microsoft.Network/connections",
"apiVersion": "2021-03-01",
"name": "string",
"location": "string",
"tags": {
"tagName1": "tagValue1",
"tagName2": "tagValue2"
},
"properties": {
"authorizationKey": "string",
"connectionMode": "string",
"connectionProtocol": "string",
"connectionType": "string",
"dpdTimeoutSeconds": "int",
"egressNatRules": [
{
"id": "string"
}
],
"enableBgp": "bool",
"expressRouteGatewayBypass": "bool",
"ingressNatRules": [
{
"id": "string"
}
],
"ipsecPolicies": [
{
"dhGroup": "string",
"ikeEncryption": "string",
"ikeIntegrity": "string",
"ipsecEncryption": "string",
"ipsecIntegrity": "string",
"pfsGroup": "string",
"saDataSizeKilobytes": "int",
"saLifeTimeSeconds": "int"
}
],
"localNetworkGateway2": {
"id": "string",
"location": "string",
"properties": {
"bgpSettings": {
"asn": "int",
"bgpPeeringAddress": "string",
"bgpPeeringAddresses": [
{
"customBgpIpAddresses": [ "string" ],
"ipconfigurationId": "string"
}
],
"peerWeight": "int"
},
"fqdn": "string",
"gatewayIpAddress": "string",
"localNetworkAddressSpace": {
"addressPrefixes": [ "string" ]
}
},
"tags": {}
},
"peer": {
"id": "string"
},
"routingWeight": "int",
"sharedKey": "string",
"trafficSelectorPolicies": [
{
"localAddressRanges": [ "string" ],
"remoteAddressRanges": [ "string" ]
}
],
"useLocalAzureIpAddress": "bool",
"usePolicyBasedTrafficSelectors": "bool",
"virtualNetworkGateway1": {
"extendedLocation": {
"name": "string",
"type": "EdgeZone"
},
"id": "string",
"location": "string",
"properties": {
"activeActive": "bool",
"bgpSettings": {
"asn": "int",
"bgpPeeringAddress": "string",
"bgpPeeringAddresses": [
{
"customBgpIpAddresses": [ "string" ],
"ipconfigurationId": "string"
}
],
"peerWeight": "int"
},
"customRoutes": {
"addressPrefixes": [ "string" ]
},
"enableBgp": "bool",
"enableBgpRouteTranslationForNat": "bool",
"enableDnsForwarding": "bool",
"enablePrivateIpAddress": "bool",
"gatewayDefaultSite": {
"id": "string"
},
"gatewayType": "string",
"ipConfigurations": [
{
"id": "string",
"name": "string",
"properties": {
"privateIPAllocationMethod": "string",
"publicIPAddress": {
"id": "string"
},
"subnet": {
"id": "string"
}
}
}
],
"natRules": [
{
"id": "string",
"name": "string",
"properties": {
"externalMappings": [
{
"addressSpace": "string"
}
],
"internalMappings": [
{
"addressSpace": "string"
}
],
"ipConfigurationId": "string",
"mode": "string",
"type": "string"
}
}
],
"sku": {
"name": "string",
"tier": "string"
},
"vNetExtendedLocationResourceId": "string",
"vpnClientConfiguration": {
"aadAudience": "string",
"aadIssuer": "string",
"aadTenant": "string",
"radiusServerAddress": "string",
"radiusServers": [
{
"radiusServerAddress": "string",
"radiusServerScore": "int",
"radiusServerSecret": "string"
}
],
"radiusServerSecret": "string",
"vpnAuthenticationTypes": [ "string" ],
"vpnClientAddressPool": {
"addressPrefixes": [ "string" ]
},
"vpnClientIpsecPolicies": [
{
"dhGroup": "string",
"ikeEncryption": "string",
"ikeIntegrity": "string",
"ipsecEncryption": "string",
"ipsecIntegrity": "string",
"pfsGroup": "string",
"saDataSizeKilobytes": "int",
"saLifeTimeSeconds": "int"
}
],
"vpnClientProtocols": [ "string" ],
"vpnClientRevokedCertificates": [
{
"id": "string",
"name": "string",
"properties": {
"thumbprint": "string"
}
}
],
"vpnClientRootCertificates": [
{
"id": "string",
"name": "string",
"properties": {
"publicCertData": "string"
}
}
]
},
"vpnGatewayGeneration": "string",
"vpnType": "string"
},
"tags": {}
},
"virtualNetworkGateway2": {
"extendedLocation": {
"name": "string",
"type": "EdgeZone"
},
"id": "string",
"location": "string",
"properties": {
"activeActive": "bool",
"bgpSettings": {
"asn": "int",
"bgpPeeringAddress": "string",
"bgpPeeringAddresses": [
{
"customBgpIpAddresses": [ "string" ],
"ipconfigurationId": "string"
}
],
"peerWeight": "int"
},
"customRoutes": {
"addressPrefixes": [ "string" ]
},
"enableBgp": "bool",
"enableBgpRouteTranslationForNat": "bool",
"enableDnsForwarding": "bool",
"enablePrivateIpAddress": "bool",
"gatewayDefaultSite": {
"id": "string"
},
"gatewayType": "string",
"ipConfigurations": [
{
"id": "string",
"name": "string",
"properties": {
"privateIPAllocationMethod": "string",
"publicIPAddress": {
"id": "string"
},
"subnet": {
"id": "string"
}
}
}
],
"natRules": [
{
"id": "string",
"name": "string",
"properties": {
"externalMappings": [
{
"addressSpace": "string"
}
],
"internalMappings": [
{
"addressSpace": "string"
}
],
"ipConfigurationId": "string",
"mode": "string",
"type": "string"
}
}
],
"sku": {
"name": "string",
"tier": "string"
},
"vNetExtendedLocationResourceId": "string",
"vpnClientConfiguration": {
"aadAudience": "string",
"aadIssuer": "string",
"aadTenant": "string",
"radiusServerAddress": "string",
"radiusServers": [
{
"radiusServerAddress": "string",
"radiusServerScore": "int",
"radiusServerSecret": "string"
}
],
"radiusServerSecret": "string",
"vpnAuthenticationTypes": [ "string" ],
"vpnClientAddressPool": {
"addressPrefixes": [ "string" ]
},
"vpnClientIpsecPolicies": [
{
"dhGroup": "string",
"ikeEncryption": "string",
"ikeIntegrity": "string",
"ipsecEncryption": "string",
"ipsecIntegrity": "string",
"pfsGroup": "string",
"saDataSizeKilobytes": "int",
"saLifeTimeSeconds": "int"
}
],
"vpnClientProtocols": [ "string" ],
"vpnClientRevokedCertificates": [
{
"id": "string",
"name": "string",
"properties": {
"thumbprint": "string"
}
}
],
"vpnClientRootCertificates": [
{
"id": "string",
"name": "string",
"properties": {
"publicCertData": "string"
}
}
]
},
"vpnGatewayGeneration": "string",
"vpnType": "string"
},
"tags": {}
}
}
}
Property values
connections
| Name | Description | Value |
|---|---|---|
| type | The resource type | 'Microsoft.Network/connections' |
| apiVersion | The resource api version | '2021-03-01' |
| name | The resource name | string (required) Character limit: 1-80 Valid characters: Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End alphanumeric or underscore. |
| location | Resource location. | string |
| tags | Resource tags. | Dictionary of tag names and values. See Tags in templates |
| properties | Properties of the virtual network gateway connection. | VirtualNetworkGatewayConnectionPropertiesFormat (required) |
VirtualNetworkGatewayConnectionPropertiesFormat
| Name | Description | Value |
|---|---|---|
| authorizationKey | The authorizationKey. | string |
| connectionMode | The connection mode for this connection. | 'Default' 'InitiatorOnly' 'ResponderOnly' |
| connectionProtocol | Connection protocol used for this connection. | 'IKEv1' 'IKEv2' |
| connectionType | Gateway connection type. | 'ExpressRoute' 'IPsec' 'VPNClient' 'Vnet2Vnet' (required) |
| dpdTimeoutSeconds | The dead peer detection timeout of this connection in seconds. | int |
| egressNatRules | List of egress NatRules. | SubResource[] |
| enableBgp | EnableBgp flag. | bool |
| expressRouteGatewayBypass | Bypass ExpressRoute Gateway for data forwarding. | bool |
| ingressNatRules | List of ingress NatRules. | SubResource[] |
| ipsecPolicies | The IPSec Policies to be considered by this connection. | IpsecPolicy[] |
| localNetworkGateway2 | The reference to local network gateway resource. | LocalNetworkGateway |
| peer | The reference to peerings resource. | SubResource |
| routingWeight | The routing weight. | int |
| sharedKey | The IPSec shared key. | string |
| trafficSelectorPolicies | The Traffic Selector Policies to be considered by this connection. | TrafficSelectorPolicy[] |
| useLocalAzureIpAddress | Use private local Azure IP for the connection. | bool |
| usePolicyBasedTrafficSelectors | Enable policy-based traffic selectors. | bool |
| virtualNetworkGateway1 | The reference to virtual network gateway resource. | VirtualNetworkGateway (required) |
| virtualNetworkGateway2 | The reference to virtual network gateway resource. | VirtualNetworkGateway |
SubResource
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
IpsecPolicy
| Name | Description | Value |
|---|---|---|
| dhGroup | The DH Group used in IKE Phase 1 for initial SA. | 'DHGroup1' 'DHGroup14' 'DHGroup2' 'DHGroup2048' 'DHGroup24' 'ECP256' 'ECP384' 'None' (required) |
| ikeEncryption | The IKE encryption algorithm (IKE phase 2). | 'AES128' 'AES192' 'AES256' 'DES' 'DES3' 'GCMAES128' 'GCMAES256' (required) |
| ikeIntegrity | The IKE integrity algorithm (IKE phase 2). | 'GCMAES128' 'GCMAES256' 'MD5' 'SHA1' 'SHA256' 'SHA384' (required) |
| ipsecEncryption | The IPSec encryption algorithm (IKE phase 1). | 'AES128' 'AES192' 'AES256' 'DES' 'DES3' 'GCMAES128' 'GCMAES192' 'GCMAES256' 'None' (required) |
| ipsecIntegrity | The IPSec integrity algorithm (IKE phase 1). | 'GCMAES128' 'GCMAES192' 'GCMAES256' 'MD5' 'SHA1' 'SHA256' (required) |
| pfsGroup | The Pfs Group used in IKE Phase 2 for new child SA. | 'ECP256' 'ECP384' 'None' 'PFS1' 'PFS14' 'PFS2' 'PFS2048' 'PFS24' 'PFSMM' (required) |
| saDataSizeKilobytes | The IPSec Security Association (also called Quick Mode or Phase 2 SA) payload size in KB for a site to site VPN tunnel. | int (required) |
| saLifeTimeSeconds | The IPSec Security Association (also called Quick Mode or Phase 2 SA) lifetime in seconds for a site to site VPN tunnel. | int (required) |
LocalNetworkGateway
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
| location | Resource location. | string |
| properties | Properties of the local network gateway. | LocalNetworkGatewayPropertiesFormat (required) |
| tags | Resource tags. | object |
LocalNetworkGatewayPropertiesFormat
| Name | Description | Value |
|---|---|---|
| bgpSettings | Local network gateway's BGP speaker settings. | BgpSettings |
| fqdn | FQDN of local network gateway. | string |
| gatewayIpAddress | IP address of local network gateway. | string |
| localNetworkAddressSpace | Local network site address space. | AddressSpace |
BgpSettings
| Name | Description | Value |
|---|---|---|
| asn | The BGP speaker's ASN. | int |
| bgpPeeringAddress | The BGP peering address and BGP identifier of this BGP speaker. | string |
| bgpPeeringAddresses | BGP peering address with IP configuration ID for virtual network gateway. | IPConfigurationBgpPeeringAddress[] |
| peerWeight | The weight added to routes learned from this BGP speaker. | int |
IPConfigurationBgpPeeringAddress
| Name | Description | Value |
|---|---|---|
| customBgpIpAddresses | The list of custom BGP peering addresses which belong to IP configuration. | string[] |
| ipconfigurationId | The ID of IP configuration which belongs to gateway. | string |
AddressSpace
| Name | Description | Value |
|---|---|---|
| addressPrefixes | A list of address blocks reserved for this virtual network in CIDR notation. | string[] |
TrafficSelectorPolicy
| Name | Description | Value |
|---|---|---|
| localAddressRanges | A collection of local address spaces in CIDR format. | string[] (required) |
| remoteAddressRanges | A collection of remote address spaces in CIDR format. | string[] (required) |
VirtualNetworkGateway
| Name | Description | Value |
|---|---|---|
| extendedLocation | The extended location of type local virtual network gateway. | ExtendedLocation |
| id | Resource ID. | string |
| location | Resource location. | string |
| properties | Properties of the virtual network gateway. | VirtualNetworkGatewayPropertiesFormat (required) |
| tags | Resource tags. | object |
ExtendedLocation
| Name | Description | Value |
|---|---|---|
| name | The name of the extended location. | string |
| type | The type of the extended location. | 'EdgeZone' |
VirtualNetworkGatewayPropertiesFormat
| Name | Description | Value |
|---|---|---|
| activeActive | ActiveActive flag. | bool |
| bgpSettings | Virtual network gateway's BGP speaker settings. | BgpSettings |
| customRoutes | The reference to the address space resource which represents the custom routes address space specified by the customer for virtual network gateway and VpnClient. | AddressSpace |
| enableBgp | Whether BGP is enabled for this virtual network gateway or not. | bool |
| enableBgpRouteTranslationForNat | EnableBgpRouteTranslationForNat flag. | bool |
| enableDnsForwarding | Whether dns forwarding is enabled or not. | bool |
| enablePrivateIpAddress | Whether private IP needs to be enabled on this gateway for connections or not. | bool |
| gatewayDefaultSite | The reference to the LocalNetworkGateway resource which represents local network site having default routes. Assign Null value in case of removing existing default site setting. | SubResource |
| gatewayType | The type of this virtual network gateway. | 'ExpressRoute' 'LocalGateway' 'Vpn' |
| ipConfigurations | IP configurations for virtual network gateway. | VirtualNetworkGatewayIPConfiguration[] |
| natRules | NatRules for virtual network gateway. | VirtualNetworkGatewayNatRule[] |
| sku | The reference to the VirtualNetworkGatewaySku resource which represents the SKU selected for Virtual network gateway. | VirtualNetworkGatewaySku |
| vNetExtendedLocationResourceId | Customer vnet resource id. VirtualNetworkGateway of type local gateway is associated with the customer vnet. | string |
| vpnClientConfiguration | The reference to the VpnClientConfiguration resource which represents the P2S VpnClient configurations. | VpnClientConfiguration |
| vpnGatewayGeneration | The generation for this VirtualNetworkGateway. Must be None if gatewayType is not VPN. | 'Generation1' 'Generation2' 'None' |
| vpnType | The type of this virtual network gateway. | 'PolicyBased' 'RouteBased' |
VirtualNetworkGatewayIPConfiguration
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
| name | The name of the resource that is unique within a resource group. This name can be used to access the resource. | string |
| properties | Properties of the virtual network gateway ip configuration. | VirtualNetworkGatewayIPConfigurationPropertiesFormat |
VirtualNetworkGatewayIPConfigurationPropertiesFormat
| Name | Description | Value |
|---|---|---|
| privateIPAllocationMethod | The private IP address allocation method. | 'Dynamic' 'Static' |
| publicIPAddress | The reference to the public IP resource. | SubResource |
| subnet | The reference to the subnet resource. | SubResource |
VirtualNetworkGatewayNatRule
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
| name | The name of the resource that is unique within a resource group. This name can be used to access the resource. | string |
| properties | Properties of the Virtual Network Gateway NAT rule. | VirtualNetworkGatewayNatRuleProperties |
VirtualNetworkGatewayNatRuleProperties
| Name | Description | Value |
|---|---|---|
| externalMappings | The private IP address external mapping for NAT. | VpnNatRuleMapping[] |
| internalMappings | The private IP address internal mapping for NAT. | VpnNatRuleMapping[] |
| ipConfigurationId | The IP Configuration ID this NAT rule applies to. | string |
| mode | The Source NAT direction of a VPN NAT. | 'EgressSnat' 'IngressSnat' |
| type | The type of NAT rule for VPN NAT. | 'Dynamic' 'Static' |
VpnNatRuleMapping
| Name | Description | Value |
|---|---|---|
| addressSpace | Address space for Vpn NatRule mapping. | string |
VirtualNetworkGatewaySku
| Name | Description | Value |
|---|---|---|
| name | Gateway SKU name. | 'Basic' 'ErGw1AZ' 'ErGw2AZ' 'ErGw3AZ' 'HighPerformance' 'Standard' 'UltraPerformance' 'VpnGw1' 'VpnGw1AZ' 'VpnGw2' 'VpnGw2AZ' 'VpnGw3' 'VpnGw3AZ' 'VpnGw4' 'VpnGw4AZ' 'VpnGw5' 'VpnGw5AZ' |
| tier | Gateway SKU tier. | 'Basic' 'ErGw1AZ' 'ErGw2AZ' 'ErGw3AZ' 'HighPerformance' 'Standard' 'UltraPerformance' 'VpnGw1' 'VpnGw1AZ' 'VpnGw2' 'VpnGw2AZ' 'VpnGw3' 'VpnGw3AZ' 'VpnGw4' 'VpnGw4AZ' 'VpnGw5' 'VpnGw5AZ' |
VpnClientConfiguration
| Name | Description | Value |
|---|---|---|
| aadAudience | The AADAudience property of the VirtualNetworkGateway resource for vpn client connection used for AAD authentication. | string |
| aadIssuer | The AADIssuer property of the VirtualNetworkGateway resource for vpn client connection used for AAD authentication. | string |
| aadTenant | The AADTenant property of the VirtualNetworkGateway resource for vpn client connection used for AAD authentication. | string |
| radiusServerAddress | The radius server address property of the VirtualNetworkGateway resource for vpn client connection. | string |
| radiusServers | The radiusServers property for multiple radius server configuration. | RadiusServer[] |
| radiusServerSecret | The radius secret property of the VirtualNetworkGateway resource for vpn client connection. | string |
| vpnAuthenticationTypes | VPN authentication types for the virtual network gateway.. | String array containing any of: 'AAD' 'Certificate' 'Radius' |
| vpnClientAddressPool | The reference to the address space resource which represents Address space for P2S VpnClient. | AddressSpace |
| vpnClientIpsecPolicies | VpnClientIpsecPolicies for virtual network gateway P2S client. | IpsecPolicy[] |
| vpnClientProtocols | VpnClientProtocols for Virtual network gateway. | String array containing any of: 'IkeV2' 'OpenVPN' 'SSTP' |
| vpnClientRevokedCertificates | VpnClientRevokedCertificate for Virtual network gateway. | VpnClientRevokedCertificate[] |
| vpnClientRootCertificates | VpnClientRootCertificate for virtual network gateway. | VpnClientRootCertificate[] |
RadiusServer
| Name | Description | Value |
|---|---|---|
| radiusServerAddress | The address of this radius server. | string (required) |
| radiusServerScore | The initial score assigned to this radius server. | int |
| radiusServerSecret | The secret used for this radius server. | string |
VpnClientRevokedCertificate
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
| name | The name of the resource that is unique within a resource group. This name can be used to access the resource. | string |
| properties | Properties of the vpn client revoked certificate. | VpnClientRevokedCertificatePropertiesFormat |
VpnClientRevokedCertificatePropertiesFormat
| Name | Description | Value |
|---|---|---|
| thumbprint | The revoked VPN client certificate thumbprint. | string |
VpnClientRootCertificate
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
| name | The name of the resource that is unique within a resource group. This name can be used to access the resource. | string |
| properties | Properties of the vpn client root certificate. | VpnClientRootCertificatePropertiesFormat (required) |
VpnClientRootCertificatePropertiesFormat
| Name | Description | Value |
|---|---|---|
| publicCertData | The certificate public data. | string (required) |
Quickstart templates
The following quickstart templates deploy this resource type.
| Template | Description |
|---|---|
| BOSH CF Cross Region |
This template helps you setup the resources needed to deploy BOSH and Cloud Foundry across two regions on Azure. |
| Deploy HBase geo replication |
This template allows you to configure an Azure environment for HBase replication across two different regions with VPN vnet-to-vnet connection. |
| Connect an ExpressRoute circuit to a VNET |
This template creates a VNET, an ExpresRoute Gateway and a connection to a provisioned and enabled ExpressRoute circuit with AzurePrivatePeering configured. |
| Extend an existing Azure VNET to a Multi-VNET Configuration |
This template allows you to extend an existing single VNET environment to a Multi-VNET environment that extends across two datacenter regions using VNET-to-VNET gateways |
| Create a Site-to-Site VPN Connection with VM |
This template allows you to create a Site-to-Site VPN Connection using Virtual Network Gateways |
| Create a Site-to-Site VPN Connection |
This template allows you to create a Site-to-Site VPN Connection using Virtual Network Gateways |
| Site-to-Site VPN with active-active VPN Gateways with BGP |
This template allows you to deploy a site-to-site VPN between two VNets with VPN Gateways in configuration active-active with BGP. Each Azure VPN Gateway resolves the FQDN of the remote peers to determine the public IP of the remote VPN Gateway. Template runs as expected in Azure regions with availability zones. |
| Create a VNET to VNET connection across two regions |
This template allows you to connect two VNETs in different regions using Virtual Network Gateways |
| Create a BGP VNET to VNET connection |
This template allows you to connect two VNETs using Virtual Network Gateways and BGP |
| Create three vNets to demonstrate transitive BGP connections |
This template deploys three vNets connected using Virtual Network Gateways and BGP-enabled connections |
| VPN Custom IPSec Policy |
This custom IPSec Policy allows more granular configuration of the IKE Parameters. This allows you to deploy a site-to-site VPN Policy to support specific settings on your VPN Endpoit Device. |
Terraform (AzAPI provider) resource definition
The connections resource type can be deployed with operations that target:
- Resource groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.Network/connections resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
type = "Microsoft.Network/connections@2021-03-01"
name = "string"
location = "string"
parent_id = "string"
tags = {
tagName1 = "tagValue1"
tagName2 = "tagValue2"
}
body = jsonencode({
properties = {
authorizationKey = "string"
connectionMode = "string"
connectionProtocol = "string"
connectionType = "string"
dpdTimeoutSeconds = int
egressNatRules = [
{
id = "string"
}
]
enableBgp = bool
expressRouteGatewayBypass = bool
ingressNatRules = [
{
id = "string"
}
]
ipsecPolicies = [
{
dhGroup = "string"
ikeEncryption = "string"
ikeIntegrity = "string"
ipsecEncryption = "string"
ipsecIntegrity = "string"
pfsGroup = "string"
saDataSizeKilobytes = int
saLifeTimeSeconds = int
}
]
localNetworkGateway2 = {
id = "string"
location = "string"
properties = {
bgpSettings = {
asn = int
bgpPeeringAddress = "string"
bgpPeeringAddresses = [
{
customBgpIpAddresses = [
"string"
]
ipconfigurationId = "string"
}
]
peerWeight = int
}
fqdn = "string"
gatewayIpAddress = "string"
localNetworkAddressSpace = {
addressPrefixes = [
"string"
]
}
}
tags = {}
}
peer = {
id = "string"
}
routingWeight = int
sharedKey = "string"
trafficSelectorPolicies = [
{
localAddressRanges = [
"string"
]
remoteAddressRanges = [
"string"
]
}
]
useLocalAzureIpAddress = bool
usePolicyBasedTrafficSelectors = bool
virtualNetworkGateway1 = {
extendedLocation = {
name = "string"
type = "EdgeZone"
}
id = "string"
location = "string"
properties = {
activeActive = bool
bgpSettings = {
asn = int
bgpPeeringAddress = "string"
bgpPeeringAddresses = [
{
customBgpIpAddresses = [
"string"
]
ipconfigurationId = "string"
}
]
peerWeight = int
}
customRoutes = {
addressPrefixes = [
"string"
]
}
enableBgp = bool
enableBgpRouteTranslationForNat = bool
enableDnsForwarding = bool
enablePrivateIpAddress = bool
gatewayDefaultSite = {
id = "string"
}
gatewayType = "string"
ipConfigurations = [
{
id = "string"
name = "string"
properties = {
privateIPAllocationMethod = "string"
publicIPAddress = {
id = "string"
}
subnet = {
id = "string"
}
}
}
]
natRules = [
{
id = "string"
name = "string"
properties = {
externalMappings = [
{
addressSpace = "string"
}
]
internalMappings = [
{
addressSpace = "string"
}
]
ipConfigurationId = "string"
mode = "string"
type = "string"
}
}
]
sku = {
name = "string"
tier = "string"
}
vNetExtendedLocationResourceId = "string"
vpnClientConfiguration = {
aadAudience = "string"
aadIssuer = "string"
aadTenant = "string"
radiusServerAddress = "string"
radiusServers = [
{
radiusServerAddress = "string"
radiusServerScore = int
radiusServerSecret = "string"
}
]
radiusServerSecret = "string"
vpnAuthenticationTypes = [
"string"
]
vpnClientAddressPool = {
addressPrefixes = [
"string"
]
}
vpnClientIpsecPolicies = [
{
dhGroup = "string"
ikeEncryption = "string"
ikeIntegrity = "string"
ipsecEncryption = "string"
ipsecIntegrity = "string"
pfsGroup = "string"
saDataSizeKilobytes = int
saLifeTimeSeconds = int
}
]
vpnClientProtocols = [
"string"
]
vpnClientRevokedCertificates = [
{
id = "string"
name = "string"
properties = {
thumbprint = "string"
}
}
]
vpnClientRootCertificates = [
{
id = "string"
name = "string"
properties = {
publicCertData = "string"
}
}
]
}
vpnGatewayGeneration = "string"
vpnType = "string"
}
tags = {}
}
virtualNetworkGateway2 = {
extendedLocation = {
name = "string"
type = "EdgeZone"
}
id = "string"
location = "string"
properties = {
activeActive = bool
bgpSettings = {
asn = int
bgpPeeringAddress = "string"
bgpPeeringAddresses = [
{
customBgpIpAddresses = [
"string"
]
ipconfigurationId = "string"
}
]
peerWeight = int
}
customRoutes = {
addressPrefixes = [
"string"
]
}
enableBgp = bool
enableBgpRouteTranslationForNat = bool
enableDnsForwarding = bool
enablePrivateIpAddress = bool
gatewayDefaultSite = {
id = "string"
}
gatewayType = "string"
ipConfigurations = [
{
id = "string"
name = "string"
properties = {
privateIPAllocationMethod = "string"
publicIPAddress = {
id = "string"
}
subnet = {
id = "string"
}
}
}
]
natRules = [
{
id = "string"
name = "string"
properties = {
externalMappings = [
{
addressSpace = "string"
}
]
internalMappings = [
{
addressSpace = "string"
}
]
ipConfigurationId = "string"
mode = "string"
type = "string"
}
}
]
sku = {
name = "string"
tier = "string"
}
vNetExtendedLocationResourceId = "string"
vpnClientConfiguration = {
aadAudience = "string"
aadIssuer = "string"
aadTenant = "string"
radiusServerAddress = "string"
radiusServers = [
{
radiusServerAddress = "string"
radiusServerScore = int
radiusServerSecret = "string"
}
]
radiusServerSecret = "string"
vpnAuthenticationTypes = [
"string"
]
vpnClientAddressPool = {
addressPrefixes = [
"string"
]
}
vpnClientIpsecPolicies = [
{
dhGroup = "string"
ikeEncryption = "string"
ikeIntegrity = "string"
ipsecEncryption = "string"
ipsecIntegrity = "string"
pfsGroup = "string"
saDataSizeKilobytes = int
saLifeTimeSeconds = int
}
]
vpnClientProtocols = [
"string"
]
vpnClientRevokedCertificates = [
{
id = "string"
name = "string"
properties = {
thumbprint = "string"
}
}
]
vpnClientRootCertificates = [
{
id = "string"
name = "string"
properties = {
publicCertData = "string"
}
}
]
}
vpnGatewayGeneration = "string"
vpnType = "string"
}
tags = {}
}
}
})
}
Property values
connections
| Name | Description | Value |
|---|---|---|
| type | The resource type | "Microsoft.Network/connections@2021-03-01" |
| name | The resource name | string (required) Character limit: 1-80 Valid characters: Alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End alphanumeric or underscore. |
| location | Resource location. | string |
| parent_id | To deploy to a resource group, use the ID of that resource group. | string (required) |
| tags | Resource tags. | Dictionary of tag names and values. |
| properties | Properties of the virtual network gateway connection. | VirtualNetworkGatewayConnectionPropertiesFormat (required) |
VirtualNetworkGatewayConnectionPropertiesFormat
| Name | Description | Value |
|---|---|---|
| authorizationKey | The authorizationKey. | string |
| connectionMode | The connection mode for this connection. | "Default" "InitiatorOnly" "ResponderOnly" |
| connectionProtocol | Connection protocol used for this connection. | "IKEv1" "IKEv2" |
| connectionType | Gateway connection type. | "ExpressRoute" "IPsec" "VPNClient" "Vnet2Vnet" (required) |
| dpdTimeoutSeconds | The dead peer detection timeout of this connection in seconds. | int |
| egressNatRules | List of egress NatRules. | SubResource[] |
| enableBgp | EnableBgp flag. | bool |
| expressRouteGatewayBypass | Bypass ExpressRoute Gateway for data forwarding. | bool |
| ingressNatRules | List of ingress NatRules. | SubResource[] |
| ipsecPolicies | The IPSec Policies to be considered by this connection. | IpsecPolicy[] |
| localNetworkGateway2 | The reference to local network gateway resource. | LocalNetworkGateway |
| peer | The reference to peerings resource. | SubResource |
| routingWeight | The routing weight. | int |
| sharedKey | The IPSec shared key. | string |
| trafficSelectorPolicies | The Traffic Selector Policies to be considered by this connection. | TrafficSelectorPolicy[] |
| useLocalAzureIpAddress | Use private local Azure IP for the connection. | bool |
| usePolicyBasedTrafficSelectors | Enable policy-based traffic selectors. | bool |
| virtualNetworkGateway1 | The reference to virtual network gateway resource. | VirtualNetworkGateway (required) |
| virtualNetworkGateway2 | The reference to virtual network gateway resource. | VirtualNetworkGateway |
SubResource
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
IpsecPolicy
| Name | Description | Value |
|---|---|---|
| dhGroup | The DH Group used in IKE Phase 1 for initial SA. | "DHGroup1" "DHGroup14" "DHGroup2" "DHGroup2048" "DHGroup24" "ECP256" "ECP384" "None" (required) |
| ikeEncryption | The IKE encryption algorithm (IKE phase 2). | "AES128" "AES192" "AES256" "DES" "DES3" "GCMAES128" "GCMAES256" (required) |
| ikeIntegrity | The IKE integrity algorithm (IKE phase 2). | "GCMAES128" "GCMAES256" "MD5" "SHA1" "SHA256" "SHA384" (required) |
| ipsecEncryption | The IPSec encryption algorithm (IKE phase 1). | "AES128" "AES192" "AES256" "DES" "DES3" "GCMAES128" "GCMAES192" "GCMAES256" "None" (required) |
| ipsecIntegrity | The IPSec integrity algorithm (IKE phase 1). | "GCMAES128" "GCMAES192" "GCMAES256" "MD5" "SHA1" "SHA256" (required) |
| pfsGroup | The Pfs Group used in IKE Phase 2 for new child SA. | "ECP256" "ECP384" "None" "PFS1" "PFS14" "PFS2" "PFS2048" "PFS24" "PFSMM" (required) |
| saDataSizeKilobytes | The IPSec Security Association (also called Quick Mode or Phase 2 SA) payload size in KB for a site to site VPN tunnel. | int (required) |
| saLifeTimeSeconds | The IPSec Security Association (also called Quick Mode or Phase 2 SA) lifetime in seconds for a site to site VPN tunnel. | int (required) |
LocalNetworkGateway
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
| location | Resource location. | string |
| properties | Properties of the local network gateway. | LocalNetworkGatewayPropertiesFormat (required) |
| tags | Resource tags. | object |
LocalNetworkGatewayPropertiesFormat
| Name | Description | Value |
|---|---|---|
| bgpSettings | Local network gateway's BGP speaker settings. | BgpSettings |
| fqdn | FQDN of local network gateway. | string |
| gatewayIpAddress | IP address of local network gateway. | string |
| localNetworkAddressSpace | Local network site address space. | AddressSpace |
BgpSettings
| Name | Description | Value |
|---|---|---|
| asn | The BGP speaker's ASN. | int |
| bgpPeeringAddress | The BGP peering address and BGP identifier of this BGP speaker. | string |
| bgpPeeringAddresses | BGP peering address with IP configuration ID for virtual network gateway. | IPConfigurationBgpPeeringAddress[] |
| peerWeight | The weight added to routes learned from this BGP speaker. | int |
IPConfigurationBgpPeeringAddress
| Name | Description | Value |
|---|---|---|
| customBgpIpAddresses | The list of custom BGP peering addresses which belong to IP configuration. | string[] |
| ipconfigurationId | The ID of IP configuration which belongs to gateway. | string |
AddressSpace
| Name | Description | Value |
|---|---|---|
| addressPrefixes | A list of address blocks reserved for this virtual network in CIDR notation. | string[] |
TrafficSelectorPolicy
| Name | Description | Value |
|---|---|---|
| localAddressRanges | A collection of local address spaces in CIDR format. | string[] (required) |
| remoteAddressRanges | A collection of remote address spaces in CIDR format. | string[] (required) |
VirtualNetworkGateway
| Name | Description | Value |
|---|---|---|
| extendedLocation | The extended location of type local virtual network gateway. | ExtendedLocation |
| id | Resource ID. | string |
| location | Resource location. | string |
| properties | Properties of the virtual network gateway. | VirtualNetworkGatewayPropertiesFormat (required) |
| tags | Resource tags. | object |
ExtendedLocation
| Name | Description | Value |
|---|---|---|
| name | The name of the extended location. | string |
| type | The type of the extended location. | "EdgeZone" |
VirtualNetworkGatewayPropertiesFormat
| Name | Description | Value |
|---|---|---|
| activeActive | ActiveActive flag. | bool |
| bgpSettings | Virtual network gateway's BGP speaker settings. | BgpSettings |
| customRoutes | The reference to the address space resource which represents the custom routes address space specified by the customer for virtual network gateway and VpnClient. | AddressSpace |
| enableBgp | Whether BGP is enabled for this virtual network gateway or not. | bool |
| enableBgpRouteTranslationForNat | EnableBgpRouteTranslationForNat flag. | bool |
| enableDnsForwarding | Whether dns forwarding is enabled or not. | bool |
| enablePrivateIpAddress | Whether private IP needs to be enabled on this gateway for connections or not. | bool |
| gatewayDefaultSite | The reference to the LocalNetworkGateway resource which represents local network site having default routes. Assign Null value in case of removing existing default site setting. | SubResource |
| gatewayType | The type of this virtual network gateway. | "ExpressRoute" "LocalGateway" "Vpn" |
| ipConfigurations | IP configurations for virtual network gateway. | VirtualNetworkGatewayIPConfiguration[] |
| natRules | NatRules for virtual network gateway. | VirtualNetworkGatewayNatRule[] |
| sku | The reference to the VirtualNetworkGatewaySku resource which represents the SKU selected for Virtual network gateway. | VirtualNetworkGatewaySku |
| vNetExtendedLocationResourceId | Customer vnet resource id. VirtualNetworkGateway of type local gateway is associated with the customer vnet. | string |
| vpnClientConfiguration | The reference to the VpnClientConfiguration resource which represents the P2S VpnClient configurations. | VpnClientConfiguration |
| vpnGatewayGeneration | The generation for this VirtualNetworkGateway. Must be None if gatewayType is not VPN. | "Generation1" "Generation2" "None" |
| vpnType | The type of this virtual network gateway. | "PolicyBased" "RouteBased" |
VirtualNetworkGatewayIPConfiguration
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
| name | The name of the resource that is unique within a resource group. This name can be used to access the resource. | string |
| properties | Properties of the virtual network gateway ip configuration. | VirtualNetworkGatewayIPConfigurationPropertiesFormat |
VirtualNetworkGatewayIPConfigurationPropertiesFormat
| Name | Description | Value |
|---|---|---|
| privateIPAllocationMethod | The private IP address allocation method. | "Dynamic" "Static" |
| publicIPAddress | The reference to the public IP resource. | SubResource |
| subnet | The reference to the subnet resource. | SubResource |
VirtualNetworkGatewayNatRule
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
| name | The name of the resource that is unique within a resource group. This name can be used to access the resource. | string |
| properties | Properties of the Virtual Network Gateway NAT rule. | VirtualNetworkGatewayNatRuleProperties |
VirtualNetworkGatewayNatRuleProperties
| Name | Description | Value |
|---|---|---|
| externalMappings | The private IP address external mapping for NAT. | VpnNatRuleMapping[] |
| internalMappings | The private IP address internal mapping for NAT. | VpnNatRuleMapping[] |
| ipConfigurationId | The IP Configuration ID this NAT rule applies to. | string |
| mode | The Source NAT direction of a VPN NAT. | "EgressSnat" "IngressSnat" |
| type | The type of NAT rule for VPN NAT. | "Dynamic" "Static" |
VpnNatRuleMapping
| Name | Description | Value |
|---|---|---|
| addressSpace | Address space for Vpn NatRule mapping. | string |
VirtualNetworkGatewaySku
| Name | Description | Value |
|---|---|---|
| name | Gateway SKU name. | "Basic" "ErGw1AZ" "ErGw2AZ" "ErGw3AZ" "HighPerformance" "Standard" "UltraPerformance" "VpnGw1" "VpnGw1AZ" "VpnGw2" "VpnGw2AZ" "VpnGw3" "VpnGw3AZ" "VpnGw4" "VpnGw4AZ" "VpnGw5" "VpnGw5AZ" |
| tier | Gateway SKU tier. | "Basic" "ErGw1AZ" "ErGw2AZ" "ErGw3AZ" "HighPerformance" "Standard" "UltraPerformance" "VpnGw1" "VpnGw1AZ" "VpnGw2" "VpnGw2AZ" "VpnGw3" "VpnGw3AZ" "VpnGw4" "VpnGw4AZ" "VpnGw5" "VpnGw5AZ" |
VpnClientConfiguration
| Name | Description | Value |
|---|---|---|
| aadAudience | The AADAudience property of the VirtualNetworkGateway resource for vpn client connection used for AAD authentication. | string |
| aadIssuer | The AADIssuer property of the VirtualNetworkGateway resource for vpn client connection used for AAD authentication. | string |
| aadTenant | The AADTenant property of the VirtualNetworkGateway resource for vpn client connection used for AAD authentication. | string |
| radiusServerAddress | The radius server address property of the VirtualNetworkGateway resource for vpn client connection. | string |
| radiusServers | The radiusServers property for multiple radius server configuration. | RadiusServer[] |
| radiusServerSecret | The radius secret property of the VirtualNetworkGateway resource for vpn client connection. | string |
| vpnAuthenticationTypes | VPN authentication types for the virtual network gateway.. | String array containing any of: "AAD" "Certificate" "Radius" |
| vpnClientAddressPool | The reference to the address space resource which represents Address space for P2S VpnClient. | AddressSpace |
| vpnClientIpsecPolicies | VpnClientIpsecPolicies for virtual network gateway P2S client. | IpsecPolicy[] |
| vpnClientProtocols | VpnClientProtocols for Virtual network gateway. | String array containing any of: "IkeV2" "OpenVPN" "SSTP" |
| vpnClientRevokedCertificates | VpnClientRevokedCertificate for Virtual network gateway. | VpnClientRevokedCertificate[] |
| vpnClientRootCertificates | VpnClientRootCertificate for virtual network gateway. | VpnClientRootCertificate[] |
RadiusServer
| Name | Description | Value |
|---|---|---|
| radiusServerAddress | The address of this radius server. | string (required) |
| radiusServerScore | The initial score assigned to this radius server. | int |
| radiusServerSecret | The secret used for this radius server. | string |
VpnClientRevokedCertificate
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
| name | The name of the resource that is unique within a resource group. This name can be used to access the resource. | string |
| properties | Properties of the vpn client revoked certificate. | VpnClientRevokedCertificatePropertiesFormat |
VpnClientRevokedCertificatePropertiesFormat
| Name | Description | Value |
|---|---|---|
| thumbprint | The revoked VPN client certificate thumbprint. | string |
VpnClientRootCertificate
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
| name | The name of the resource that is unique within a resource group. This name can be used to access the resource. | string |
| properties | Properties of the vpn client root certificate. | VpnClientRootCertificatePropertiesFormat (required) |
VpnClientRootCertificatePropertiesFormat
| Name | Description | Value |
|---|---|---|
| publicCertData | The certificate public data. | string (required) |
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for