다음을 통해 공유


Microsoft.Network virtualNetworkGateways 2024-03-01

Bicep resource definition

The virtualNetworkGateways resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/virtualNetworkGateways resource, add the following Bicep to your template.

resource symbolicname 'Microsoft.Network/virtualNetworkGateways@2024-03-01' = {
  extendedLocation: {
    name: 'string'
    type: 'string'
  }
  identity: {
    type: 'string'
    userAssignedIdentities: {
      {customized property}: {}
    }
  }
  location: 'string'
  name: 'string'
  properties: {
    activeActive: bool
    adminState: 'string'
    allowRemoteVnetTraffic: bool
    allowVirtualWanTraffic: bool
    autoScaleConfiguration: {
      bounds: {
        max: int
        min: int
      }
    }
    bgpSettings: {
      asn: int
      bgpPeeringAddress: 'string'
      bgpPeeringAddresses: [
        {
          customBgpIpAddresses: [
            'string'
          ]
          ipconfigurationId: 'string'
        }
      ]
      peerWeight: int
    }
    customRoutes: {
      addressPrefixes: [
        'string'
      ]
    }
    disableIPSecReplayProtection: bool
    enableBgp: bool
    enableBgpRouteTranslationForNat: bool
    enableDnsForwarding: bool
    enablePrivateIpAddress: bool
    gatewayDefaultSite: {
      id: 'string'
    }
    gatewayType: 'string'
    ipConfigurations: [
      {
        id: 'string'
        name: 'string'
        properties: {
          privateIPAllocationMethod: 'string'
          publicIPAddress: {
            id: 'string'
          }
          subnet: {
            id: 'string'
          }
        }
      }
    ]
    natRules: [
      {
        id: 'string'
        name: 'string'
        properties: {
          externalMappings: [
            {
              addressSpace: 'string'
              portRange: 'string'
            }
          ]
          internalMappings: [
            {
              addressSpace: 'string'
              portRange: 'string'
            }
          ]
          ipConfigurationId: 'string'
          mode: 'string'
          type: 'string'
        }
      }
    ]
    resiliencyModel: 'string'
    sku: {
      name: 'string'
      tier: 'string'
    }
    virtualNetworkGatewayPolicyGroups: [
      {
        id: 'string'
        name: 'string'
        properties: {
          isDefault: bool
          policyMembers: [
            {
              attributeType: 'string'
              attributeValue: 'string'
              name: 'string'
            }
          ]
          priority: int
        }
      }
    ]
    vNetExtendedLocationResourceId: 'string'
    vpnClientConfiguration: {
      aadAudience: 'string'
      aadIssuer: 'string'
      aadTenant: 'string'
      radiusServerAddress: 'string'
      radiusServers: [
        {
          radiusServerAddress: 'string'
          radiusServerScore: int
          radiusServerSecret: 'string'
        }
      ]
      radiusServerSecret: 'string'
      vngClientConnectionConfigurations: [
        {
          id: 'string'
          name: 'string'
          properties: {
            virtualNetworkGatewayPolicyGroups: [
              {
                id: 'string'
              }
            ]
            vpnClientAddressPool: {
              addressPrefixes: [
                'string'
              ]
            }
          }
        }
      ]
      vpnAuthenticationTypes: [
        'string'
      ]
      vpnClientAddressPool: {
        addressPrefixes: [
          'string'
        ]
      }
      vpnClientIpsecPolicies: [
        {
          dhGroup: 'string'
          ikeEncryption: 'string'
          ikeIntegrity: 'string'
          ipsecEncryption: 'string'
          ipsecIntegrity: 'string'
          pfsGroup: 'string'
          saDataSizeKilobytes: int
          saLifeTimeSeconds: int
        }
      ]
      vpnClientProtocols: [
        'string'
      ]
      vpnClientRevokedCertificates: [
        {
          id: 'string'
          name: 'string'
          properties: {
            thumbprint: 'string'
          }
        }
      ]
      vpnClientRootCertificates: [
        {
          id: 'string'
          name: 'string'
          properties: {
            publicCertData: 'string'
          }
        }
      ]
    }
    vpnGatewayGeneration: 'string'
    vpnType: 'string'
  }
  tags: {
    {customized property}: 'string'
  }
}

Property values

AddressSpace

Name Description Value
addressPrefixes A list of address blocks reserved for this virtual network in CIDR notation. string[]

BgpSettings

Name Description Value
asn The BGP speaker's ASN. int

Constraints:
Min value = 0
Max value = 4294967295
bgpPeeringAddress The BGP peering address and BGP identifier of this BGP speaker. string
bgpPeeringAddresses BGP peering address with IP configuration ID for virtual network gateway. IPConfigurationBgpPeeringAddress[]
peerWeight The weight added to routes learned from this BGP speaker. int

Components1Jq1T4ISchemasManagedserviceidentityPropertiesUserassignedidentitiesAdditionalproperties

Name Description Value

ExtendedLocation

Name Description Value
name The name of the extended location. string
type The type of the extended location. 'EdgeZone'

IPConfigurationBgpPeeringAddress

Name Description Value
customBgpIpAddresses The list of custom BGP peering addresses which belong to IP configuration. string[]
ipconfigurationId The ID of IP configuration which belongs to gateway. string

IpsecPolicy

Name Description Value
dhGroup The DH Group used in IKE Phase 1 for initial SA. 'DHGroup1'
'DHGroup14'
'DHGroup2'
'DHGroup2048'
'DHGroup24'
'ECP256'
'ECP384'
'None' (required)
ikeEncryption The IKE encryption algorithm (IKE phase 2). 'AES128'
'AES192'
'AES256'
'DES'
'DES3'
'GCMAES128'
'GCMAES256' (required)
ikeIntegrity The IKE integrity algorithm (IKE phase 2). 'GCMAES128'
'GCMAES256'
'MD5'
'SHA1'
'SHA256'
'SHA384' (required)
ipsecEncryption The IPSec encryption algorithm (IKE phase 1). 'AES128'
'AES192'
'AES256'
'DES'
'DES3'
'GCMAES128'
'GCMAES192'
'GCMAES256'
'None' (required)
ipsecIntegrity The IPSec integrity algorithm (IKE phase 1). 'GCMAES128'
'GCMAES192'
'GCMAES256'
'MD5'
'SHA1'
'SHA256' (required)
pfsGroup The Pfs Group used in IKE Phase 2 for new child SA. 'ECP256'
'ECP384'
'None'
'PFS1'
'PFS14'
'PFS2'
'PFS2048'
'PFS24'
'PFSMM' (required)
saDataSizeKilobytes The IPSec Security Association (also called Quick Mode or Phase 2 SA) payload size in KB for a site to site VPN tunnel. int (required)
saLifeTimeSeconds The IPSec Security Association (also called Quick Mode or Phase 2 SA) lifetime in seconds for a site to site VPN tunnel. int (required)

ManagedServiceIdentity

Name Description Value
type The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine. 'None'
'SystemAssigned'
'SystemAssigned, UserAssigned'
'UserAssigned'
userAssignedIdentities The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. ManagedServiceIdentityUserAssignedIdentities

ManagedServiceIdentityUserAssignedIdentities

Name Description Value

Microsoft.Network/virtualNetworkGateways

Name Description Value
extendedLocation The extended location of type local virtual network gateway. ExtendedLocation
identity The identity of the virtual network gateway, if configured. ManagedServiceIdentity
location Resource location. string
name The resource name string (required)
properties Properties of the virtual network gateway. VirtualNetworkGatewayPropertiesFormat (required)
tags Resource tags Dictionary of tag names and values. See Tags in templates

RadiusServer

Name Description Value
radiusServerAddress The address of this radius server. string (required)
radiusServerScore The initial score assigned to this radius server. int
radiusServerSecret The secret used for this radius server. string

ResourceTags

Name Description Value

SubResource

Name Description Value
id Resource ID. string

VirtualNetworkGatewayAutoScaleBounds

Name Description Value
max Maximum Scale Units for Autoscale configuration int
min Minimum scale Units for Autoscale configuration int

VirtualNetworkGatewayAutoScaleConfiguration

Name Description Value
bounds The bounds of the autoscale configuration VirtualNetworkGatewayAutoScaleBounds

VirtualNetworkGatewayIPConfiguration

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the virtual network gateway ip configuration. VirtualNetworkGatewayIPConfigurationPropertiesFormat

VirtualNetworkGatewayIPConfigurationPropertiesFormat

Name Description Value
privateIPAllocationMethod The private IP address allocation method. 'Dynamic'
'Static'
publicIPAddress The reference to the public IP resource. SubResource
subnet The reference to the subnet resource. SubResource

VirtualNetworkGatewayNatRule

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the Virtual Network Gateway NAT rule. VirtualNetworkGatewayNatRuleProperties

VirtualNetworkGatewayNatRuleProperties

Name Description Value
externalMappings The private IP address external mapping for NAT. VpnNatRuleMapping[]
internalMappings The private IP address internal mapping for NAT. VpnNatRuleMapping[]
ipConfigurationId The IP Configuration ID this NAT rule applies to. string
mode The Source NAT direction of a VPN NAT. 'EgressSnat'
'IngressSnat'
type The type of NAT rule for VPN NAT. 'Dynamic'
'Static'

VirtualNetworkGatewayPolicyGroup

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of tVirtualNetworkGatewayPolicyGroup. VirtualNetworkGatewayPolicyGroupProperties

VirtualNetworkGatewayPolicyGroupMember

Name Description Value
attributeType The Vpn Policy member attribute type. 'AADGroupId'
'CertificateGroupId'
'RadiusAzureGroupId'
attributeValue The value of Attribute used for this VirtualNetworkGatewayPolicyGroupMember. string
name Name of the VirtualNetworkGatewayPolicyGroupMember. string

VirtualNetworkGatewayPolicyGroupProperties

Name Description Value
isDefault Shows if this is a Default VirtualNetworkGatewayPolicyGroup or not. bool (required)
policyMembers Multiple PolicyMembers for VirtualNetworkGatewayPolicyGroup. VirtualNetworkGatewayPolicyGroupMember[] (required)
priority Priority for VirtualNetworkGatewayPolicyGroup. int (required)

VirtualNetworkGatewayPropertiesFormat

Name Description Value
activeActive ActiveActive flag. bool
adminState Property to indicate if the Express Route Gateway serves traffic when there are multiple Express Route Gateways in the vnet 'Disabled'
'Enabled'
allowRemoteVnetTraffic Configure this gateway to accept traffic from other Azure Virtual Networks. This configuration does not support connectivity to Azure Virtual WAN. bool
allowVirtualWanTraffic Configures this gateway to accept traffic from remote Virtual WAN networks. bool
autoScaleConfiguration Autoscale configuration for virutal network gateway VirtualNetworkGatewayAutoScaleConfiguration
bgpSettings Virtual network gateway's BGP speaker settings. BgpSettings
customRoutes The reference to the address space resource which represents the custom routes address space specified by the customer for virtual network gateway and VpnClient. AddressSpace
disableIPSecReplayProtection disableIPSecReplayProtection flag. bool
enableBgp Whether BGP is enabled for this virtual network gateway or not. bool
enableBgpRouteTranslationForNat EnableBgpRouteTranslationForNat flag. bool
enableDnsForwarding Whether dns forwarding is enabled or not. bool
enablePrivateIpAddress Whether private IP needs to be enabled on this gateway for connections or not. bool
gatewayDefaultSite The reference to the LocalNetworkGateway resource which represents local network site having default routes. Assign Null value in case of removing existing default site setting. SubResource
gatewayType The type of this virtual network gateway. 'ExpressRoute'
'LocalGateway'
'Vpn'
ipConfigurations IP configurations for virtual network gateway. VirtualNetworkGatewayIPConfiguration[]
natRules NatRules for virtual network gateway. VirtualNetworkGatewayNatRule[]
resiliencyModel Property to indicate if the Express Route Gateway has resiliency model of MultiHomed or SingleHomed 'MultiHomed'
'SingleHomed'
sku The reference to the VirtualNetworkGatewaySku resource which represents the SKU selected for Virtual network gateway. VirtualNetworkGatewaySku
virtualNetworkGatewayPolicyGroups The reference to the VirtualNetworkGatewayPolicyGroup resource which represents the available VirtualNetworkGatewayPolicyGroup for the gateway. VirtualNetworkGatewayPolicyGroup[]
vNetExtendedLocationResourceId Customer vnet resource id. VirtualNetworkGateway of type local gateway is associated with the customer vnet. string
vpnClientConfiguration The reference to the VpnClientConfiguration resource which represents the P2S VpnClient configurations. VpnClientConfiguration
vpnGatewayGeneration The generation for this VirtualNetworkGateway. Must be None if gatewayType is not VPN. 'Generation1'
'Generation2'
'None'
vpnType The type of this virtual network gateway. 'PolicyBased'
'RouteBased'

VirtualNetworkGatewaySku

Name Description Value
name Gateway SKU name. 'Basic'
'ErGw1AZ'
'ErGw2AZ'
'ErGw3AZ'
'ErGwScale'
'HighPerformance'
'Standard'
'UltraPerformance'
'VpnGw1'
'VpnGw1AZ'
'VpnGw2'
'VpnGw2AZ'
'VpnGw3'
'VpnGw3AZ'
'VpnGw4'
'VpnGw4AZ'
'VpnGw5'
'VpnGw5AZ'
tier Gateway SKU tier. 'Basic'
'ErGw1AZ'
'ErGw2AZ'
'ErGw3AZ'
'ErGwScale'
'HighPerformance'
'Standard'
'UltraPerformance'
'VpnGw1'
'VpnGw1AZ'
'VpnGw2'
'VpnGw2AZ'
'VpnGw3'
'VpnGw3AZ'
'VpnGw4'
'VpnGw4AZ'
'VpnGw5'
'VpnGw5AZ'

VngClientConnectionConfiguration

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the vpn client root certificate. VngClientConnectionConfigurationProperties

VngClientConnectionConfigurationProperties

Name Description Value
virtualNetworkGatewayPolicyGroups List of references to virtualNetworkGatewayPolicyGroups SubResource[] (required)
vpnClientAddressPool The reference to the address space resource which represents Address space for P2S VpnClient. AddressSpace (required)

VpnClientConfiguration

Name Description Value
aadAudience The AADAudience property of the VirtualNetworkGateway resource for vpn client connection used for AAD authentication. string
aadIssuer The AADIssuer property of the VirtualNetworkGateway resource for vpn client connection used for AAD authentication. string
aadTenant The AADTenant property of the VirtualNetworkGateway resource for vpn client connection used for AAD authentication. string
radiusServerAddress The radius server address property of the VirtualNetworkGateway resource for vpn client connection. string
radiusServers The radiusServers property for multiple radius server configuration. RadiusServer[]
radiusServerSecret The radius secret property of the VirtualNetworkGateway resource for vpn client connection. string
vngClientConnectionConfigurations per ip address pool connection policy for virtual network gateway P2S client. VngClientConnectionConfiguration[]
vpnAuthenticationTypes VPN authentication types for the virtual network gateway.. String array containing any of:
'AAD'
'Certificate'
'Radius'
vpnClientAddressPool The reference to the address space resource which represents Address space for P2S VpnClient. AddressSpace
vpnClientIpsecPolicies VpnClientIpsecPolicies for virtual network gateway P2S client. IpsecPolicy[]
vpnClientProtocols VpnClientProtocols for Virtual network gateway. String array containing any of:
'IkeV2'
'OpenVPN'
'SSTP'
vpnClientRevokedCertificates VpnClientRevokedCertificate for Virtual network gateway. VpnClientRevokedCertificate[]
vpnClientRootCertificates VpnClientRootCertificate for virtual network gateway. VpnClientRootCertificate[]

VpnClientRevokedCertificate

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the vpn client revoked certificate. VpnClientRevokedCertificatePropertiesFormat

VpnClientRevokedCertificatePropertiesFormat

Name Description Value
thumbprint The revoked VPN client certificate thumbprint. string

VpnClientRootCertificate

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the vpn client root certificate. VpnClientRootCertificatePropertiesFormat (required)

VpnClientRootCertificatePropertiesFormat

Name Description Value
publicCertData The certificate public data. string (required)

VpnNatRuleMapping

Name Description Value
addressSpace Address space for Vpn NatRule mapping. string
portRange Port range for Vpn NatRule mapping. string

Quickstart samples

The following quickstart samples deploy this resource type.

Bicep File Description
Create a BGP VNET to VNET connection This template allows you to connect two VNETs using Virtual Network Gateways and BGP
Create a Point-to-Site Gateway with Azure AD This template deploys a VPN Virtual Network Gateway configured with an Azure Active Directory Point-to-Site connection
ExpressRoute circuit with private peering and Azure VNet This template configure ExpressRoute Microsoft peering, deploy an Azure VNet with Expressroute gateway and link the VNet to the ExpressRoute circuit
Site-to-Site VPN with active-active VPN Gateways with BGP This template allows you to deploy a site-to-site VPN between two VNets with VPN Gateways in configuration active-active with BGP. Each Azure VPN Gateway resolves the FQDN of the remote peers to determine the public IP of the remote VPN Gateway. Template runs as expected in Azure regions with availability zones.
Use Azure Firewall as a DNS Proxy in a Hub & Spoke topology This sample show how to deploy a hub-spoke topology in Azure using the Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to hub virtual network via virtual network peering.

ARM template resource definition

The virtualNetworkGateways resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/virtualNetworkGateways resource, add the following JSON to your template.

{
  "type": "Microsoft.Network/virtualNetworkGateways",
  "apiVersion": "2024-03-01",
  "name": "string",
  "extendedLocation": {
    "name": "string",
    "type": "string"
  },
  "identity": {
    "type": "string",
    "userAssignedIdentities": {
      "{customized property}": {
      }
    }
  },
  "location": "string",
  "properties": {
    "activeActive": "bool",
    "adminState": "string",
    "allowRemoteVnetTraffic": "bool",
    "allowVirtualWanTraffic": "bool",
    "autoScaleConfiguration": {
      "bounds": {
        "max": "int",
        "min": "int"
      }
    },
    "bgpSettings": {
      "asn": "int",
      "bgpPeeringAddress": "string",
      "bgpPeeringAddresses": [
        {
          "customBgpIpAddresses": [ "string" ],
          "ipconfigurationId": "string"
        }
      ],
      "peerWeight": "int"
    },
    "customRoutes": {
      "addressPrefixes": [ "string" ]
    },
    "disableIPSecReplayProtection": "bool",
    "enableBgp": "bool",
    "enableBgpRouteTranslationForNat": "bool",
    "enableDnsForwarding": "bool",
    "enablePrivateIpAddress": "bool",
    "gatewayDefaultSite": {
      "id": "string"
    },
    "gatewayType": "string",
    "ipConfigurations": [
      {
        "id": "string",
        "name": "string",
        "properties": {
          "privateIPAllocationMethod": "string",
          "publicIPAddress": {
            "id": "string"
          },
          "subnet": {
            "id": "string"
          }
        }
      }
    ],
    "natRules": [
      {
        "id": "string",
        "name": "string",
        "properties": {
          "externalMappings": [
            {
              "addressSpace": "string",
              "portRange": "string"
            }
          ],
          "internalMappings": [
            {
              "addressSpace": "string",
              "portRange": "string"
            }
          ],
          "ipConfigurationId": "string",
          "mode": "string",
          "type": "string"
        }
      }
    ],
    "resiliencyModel": "string",
    "sku": {
      "name": "string",
      "tier": "string"
    },
    "virtualNetworkGatewayPolicyGroups": [
      {
        "id": "string",
        "name": "string",
        "properties": {
          "isDefault": "bool",
          "policyMembers": [
            {
              "attributeType": "string",
              "attributeValue": "string",
              "name": "string"
            }
          ],
          "priority": "int"
        }
      }
    ],
    "vNetExtendedLocationResourceId": "string",
    "vpnClientConfiguration": {
      "aadAudience": "string",
      "aadIssuer": "string",
      "aadTenant": "string",
      "radiusServerAddress": "string",
      "radiusServers": [
        {
          "radiusServerAddress": "string",
          "radiusServerScore": "int",
          "radiusServerSecret": "string"
        }
      ],
      "radiusServerSecret": "string",
      "vngClientConnectionConfigurations": [
        {
          "id": "string",
          "name": "string",
          "properties": {
            "virtualNetworkGatewayPolicyGroups": [
              {
                "id": "string"
              }
            ],
            "vpnClientAddressPool": {
              "addressPrefixes": [ "string" ]
            }
          }
        }
      ],
      "vpnAuthenticationTypes": [ "string" ],
      "vpnClientAddressPool": {
        "addressPrefixes": [ "string" ]
      },
      "vpnClientIpsecPolicies": [
        {
          "dhGroup": "string",
          "ikeEncryption": "string",
          "ikeIntegrity": "string",
          "ipsecEncryption": "string",
          "ipsecIntegrity": "string",
          "pfsGroup": "string",
          "saDataSizeKilobytes": "int",
          "saLifeTimeSeconds": "int"
        }
      ],
      "vpnClientProtocols": [ "string" ],
      "vpnClientRevokedCertificates": [
        {
          "id": "string",
          "name": "string",
          "properties": {
            "thumbprint": "string"
          }
        }
      ],
      "vpnClientRootCertificates": [
        {
          "id": "string",
          "name": "string",
          "properties": {
            "publicCertData": "string"
          }
        }
      ]
    },
    "vpnGatewayGeneration": "string",
    "vpnType": "string"
  },
  "tags": {
    "{customized property}": "string"
  }
}

Property values

AddressSpace

Name Description Value
addressPrefixes A list of address blocks reserved for this virtual network in CIDR notation. string[]

BgpSettings

Name Description Value
asn The BGP speaker's ASN. int

Constraints:
Min value = 0
Max value = 4294967295
bgpPeeringAddress The BGP peering address and BGP identifier of this BGP speaker. string
bgpPeeringAddresses BGP peering address with IP configuration ID for virtual network gateway. IPConfigurationBgpPeeringAddress[]
peerWeight The weight added to routes learned from this BGP speaker. int

Components1Jq1T4ISchemasManagedserviceidentityPropertiesUserassignedidentitiesAdditionalproperties

Name Description Value

ExtendedLocation

Name Description Value
name The name of the extended location. string
type The type of the extended location. 'EdgeZone'

IPConfigurationBgpPeeringAddress

Name Description Value
customBgpIpAddresses The list of custom BGP peering addresses which belong to IP configuration. string[]
ipconfigurationId The ID of IP configuration which belongs to gateway. string

IpsecPolicy

Name Description Value
dhGroup The DH Group used in IKE Phase 1 for initial SA. 'DHGroup1'
'DHGroup14'
'DHGroup2'
'DHGroup2048'
'DHGroup24'
'ECP256'
'ECP384'
'None' (required)
ikeEncryption The IKE encryption algorithm (IKE phase 2). 'AES128'
'AES192'
'AES256'
'DES'
'DES3'
'GCMAES128'
'GCMAES256' (required)
ikeIntegrity The IKE integrity algorithm (IKE phase 2). 'GCMAES128'
'GCMAES256'
'MD5'
'SHA1'
'SHA256'
'SHA384' (required)
ipsecEncryption The IPSec encryption algorithm (IKE phase 1). 'AES128'
'AES192'
'AES256'
'DES'
'DES3'
'GCMAES128'
'GCMAES192'
'GCMAES256'
'None' (required)
ipsecIntegrity The IPSec integrity algorithm (IKE phase 1). 'GCMAES128'
'GCMAES192'
'GCMAES256'
'MD5'
'SHA1'
'SHA256' (required)
pfsGroup The Pfs Group used in IKE Phase 2 for new child SA. 'ECP256'
'ECP384'
'None'
'PFS1'
'PFS14'
'PFS2'
'PFS2048'
'PFS24'
'PFSMM' (required)
saDataSizeKilobytes The IPSec Security Association (also called Quick Mode or Phase 2 SA) payload size in KB for a site to site VPN tunnel. int (required)
saLifeTimeSeconds The IPSec Security Association (also called Quick Mode or Phase 2 SA) lifetime in seconds for a site to site VPN tunnel. int (required)

ManagedServiceIdentity

Name Description Value
type The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine. 'None'
'SystemAssigned'
'SystemAssigned, UserAssigned'
'UserAssigned'
userAssignedIdentities The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. ManagedServiceIdentityUserAssignedIdentities

ManagedServiceIdentityUserAssignedIdentities

Name Description Value

Microsoft.Network/virtualNetworkGateways

Name Description Value
apiVersion The api version '2024-03-01'
extendedLocation The extended location of type local virtual network gateway. ExtendedLocation
identity The identity of the virtual network gateway, if configured. ManagedServiceIdentity
location Resource location. string
name The resource name string (required)
properties Properties of the virtual network gateway. VirtualNetworkGatewayPropertiesFormat (required)
tags Resource tags Dictionary of tag names and values. See Tags in templates
type The resource type 'Microsoft.Network/virtualNetworkGateways'

RadiusServer

Name Description Value
radiusServerAddress The address of this radius server. string (required)
radiusServerScore The initial score assigned to this radius server. int
radiusServerSecret The secret used for this radius server. string

ResourceTags

Name Description Value

SubResource

Name Description Value
id Resource ID. string

VirtualNetworkGatewayAutoScaleBounds

Name Description Value
max Maximum Scale Units for Autoscale configuration int
min Minimum scale Units for Autoscale configuration int

VirtualNetworkGatewayAutoScaleConfiguration

Name Description Value
bounds The bounds of the autoscale configuration VirtualNetworkGatewayAutoScaleBounds

VirtualNetworkGatewayIPConfiguration

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the virtual network gateway ip configuration. VirtualNetworkGatewayIPConfigurationPropertiesFormat

VirtualNetworkGatewayIPConfigurationPropertiesFormat

Name Description Value
privateIPAllocationMethod The private IP address allocation method. 'Dynamic'
'Static'
publicIPAddress The reference to the public IP resource. SubResource
subnet The reference to the subnet resource. SubResource

VirtualNetworkGatewayNatRule

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the Virtual Network Gateway NAT rule. VirtualNetworkGatewayNatRuleProperties

VirtualNetworkGatewayNatRuleProperties

Name Description Value
externalMappings The private IP address external mapping for NAT. VpnNatRuleMapping[]
internalMappings The private IP address internal mapping for NAT. VpnNatRuleMapping[]
ipConfigurationId The IP Configuration ID this NAT rule applies to. string
mode The Source NAT direction of a VPN NAT. 'EgressSnat'
'IngressSnat'
type The type of NAT rule for VPN NAT. 'Dynamic'
'Static'

VirtualNetworkGatewayPolicyGroup

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of tVirtualNetworkGatewayPolicyGroup. VirtualNetworkGatewayPolicyGroupProperties

VirtualNetworkGatewayPolicyGroupMember

Name Description Value
attributeType The Vpn Policy member attribute type. 'AADGroupId'
'CertificateGroupId'
'RadiusAzureGroupId'
attributeValue The value of Attribute used for this VirtualNetworkGatewayPolicyGroupMember. string
name Name of the VirtualNetworkGatewayPolicyGroupMember. string

VirtualNetworkGatewayPolicyGroupProperties

Name Description Value
isDefault Shows if this is a Default VirtualNetworkGatewayPolicyGroup or not. bool (required)
policyMembers Multiple PolicyMembers for VirtualNetworkGatewayPolicyGroup. VirtualNetworkGatewayPolicyGroupMember[] (required)
priority Priority for VirtualNetworkGatewayPolicyGroup. int (required)

VirtualNetworkGatewayPropertiesFormat

Name Description Value
activeActive ActiveActive flag. bool
adminState Property to indicate if the Express Route Gateway serves traffic when there are multiple Express Route Gateways in the vnet 'Disabled'
'Enabled'
allowRemoteVnetTraffic Configure this gateway to accept traffic from other Azure Virtual Networks. This configuration does not support connectivity to Azure Virtual WAN. bool
allowVirtualWanTraffic Configures this gateway to accept traffic from remote Virtual WAN networks. bool
autoScaleConfiguration Autoscale configuration for virutal network gateway VirtualNetworkGatewayAutoScaleConfiguration
bgpSettings Virtual network gateway's BGP speaker settings. BgpSettings
customRoutes The reference to the address space resource which represents the custom routes address space specified by the customer for virtual network gateway and VpnClient. AddressSpace
disableIPSecReplayProtection disableIPSecReplayProtection flag. bool
enableBgp Whether BGP is enabled for this virtual network gateway or not. bool
enableBgpRouteTranslationForNat EnableBgpRouteTranslationForNat flag. bool
enableDnsForwarding Whether dns forwarding is enabled or not. bool
enablePrivateIpAddress Whether private IP needs to be enabled on this gateway for connections or not. bool
gatewayDefaultSite The reference to the LocalNetworkGateway resource which represents local network site having default routes. Assign Null value in case of removing existing default site setting. SubResource
gatewayType The type of this virtual network gateway. 'ExpressRoute'
'LocalGateway'
'Vpn'
ipConfigurations IP configurations for virtual network gateway. VirtualNetworkGatewayIPConfiguration[]
natRules NatRules for virtual network gateway. VirtualNetworkGatewayNatRule[]
resiliencyModel Property to indicate if the Express Route Gateway has resiliency model of MultiHomed or SingleHomed 'MultiHomed'
'SingleHomed'
sku The reference to the VirtualNetworkGatewaySku resource which represents the SKU selected for Virtual network gateway. VirtualNetworkGatewaySku
virtualNetworkGatewayPolicyGroups The reference to the VirtualNetworkGatewayPolicyGroup resource which represents the available VirtualNetworkGatewayPolicyGroup for the gateway. VirtualNetworkGatewayPolicyGroup[]
vNetExtendedLocationResourceId Customer vnet resource id. VirtualNetworkGateway of type local gateway is associated with the customer vnet. string
vpnClientConfiguration The reference to the VpnClientConfiguration resource which represents the P2S VpnClient configurations. VpnClientConfiguration
vpnGatewayGeneration The generation for this VirtualNetworkGateway. Must be None if gatewayType is not VPN. 'Generation1'
'Generation2'
'None'
vpnType The type of this virtual network gateway. 'PolicyBased'
'RouteBased'

VirtualNetworkGatewaySku

Name Description Value
name Gateway SKU name. 'Basic'
'ErGw1AZ'
'ErGw2AZ'
'ErGw3AZ'
'ErGwScale'
'HighPerformance'
'Standard'
'UltraPerformance'
'VpnGw1'
'VpnGw1AZ'
'VpnGw2'
'VpnGw2AZ'
'VpnGw3'
'VpnGw3AZ'
'VpnGw4'
'VpnGw4AZ'
'VpnGw5'
'VpnGw5AZ'
tier Gateway SKU tier. 'Basic'
'ErGw1AZ'
'ErGw2AZ'
'ErGw3AZ'
'ErGwScale'
'HighPerformance'
'Standard'
'UltraPerformance'
'VpnGw1'
'VpnGw1AZ'
'VpnGw2'
'VpnGw2AZ'
'VpnGw3'
'VpnGw3AZ'
'VpnGw4'
'VpnGw4AZ'
'VpnGw5'
'VpnGw5AZ'

VngClientConnectionConfiguration

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the vpn client root certificate. VngClientConnectionConfigurationProperties

VngClientConnectionConfigurationProperties

Name Description Value
virtualNetworkGatewayPolicyGroups List of references to virtualNetworkGatewayPolicyGroups SubResource[] (required)
vpnClientAddressPool The reference to the address space resource which represents Address space for P2S VpnClient. AddressSpace (required)

VpnClientConfiguration

Name Description Value
aadAudience The AADAudience property of the VirtualNetworkGateway resource for vpn client connection used for AAD authentication. string
aadIssuer The AADIssuer property of the VirtualNetworkGateway resource for vpn client connection used for AAD authentication. string
aadTenant The AADTenant property of the VirtualNetworkGateway resource for vpn client connection used for AAD authentication. string
radiusServerAddress The radius server address property of the VirtualNetworkGateway resource for vpn client connection. string
radiusServers The radiusServers property for multiple radius server configuration. RadiusServer[]
radiusServerSecret The radius secret property of the VirtualNetworkGateway resource for vpn client connection. string
vngClientConnectionConfigurations per ip address pool connection policy for virtual network gateway P2S client. VngClientConnectionConfiguration[]
vpnAuthenticationTypes VPN authentication types for the virtual network gateway.. String array containing any of:
'AAD'
'Certificate'
'Radius'
vpnClientAddressPool The reference to the address space resource which represents Address space for P2S VpnClient. AddressSpace
vpnClientIpsecPolicies VpnClientIpsecPolicies for virtual network gateway P2S client. IpsecPolicy[]
vpnClientProtocols VpnClientProtocols for Virtual network gateway. String array containing any of:
'IkeV2'
'OpenVPN'
'SSTP'
vpnClientRevokedCertificates VpnClientRevokedCertificate for Virtual network gateway. VpnClientRevokedCertificate[]
vpnClientRootCertificates VpnClientRootCertificate for virtual network gateway. VpnClientRootCertificate[]

VpnClientRevokedCertificate

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the vpn client revoked certificate. VpnClientRevokedCertificatePropertiesFormat

VpnClientRevokedCertificatePropertiesFormat

Name Description Value
thumbprint The revoked VPN client certificate thumbprint. string

VpnClientRootCertificate

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the vpn client root certificate. VpnClientRootCertificatePropertiesFormat (required)

VpnClientRootCertificatePropertiesFormat

Name Description Value
publicCertData The certificate public data. string (required)

VpnNatRuleMapping

Name Description Value
addressSpace Address space for Vpn NatRule mapping. string
portRange Port range for Vpn NatRule mapping. string

Quickstart templates

The following quickstart templates deploy this resource type.

Template Description
App Service Environment with Azure SQL backend

Deploy to Azure
This template creates an App Service Environment with an Azure SQL backend along with private endpoints along with associated resources typically used in an private/isolated environment.
BOSH CF Cross Region

Deploy to Azure
This template helps you setup the resources needed to deploy BOSH and Cloud Foundry across two regions on Azure.
Connect an ExpressRoute circuit to a VNET

Deploy to Azure
This template creates a VNET, an ExpresRoute Gateway and a connection to a provisioned and enabled ExpressRoute circuit with AzurePrivatePeering configured.
Create a BGP VNET to VNET connection

Deploy to Azure
This template allows you to connect two VNETs using Virtual Network Gateways and BGP
Create a DevTest environment with P2S VPN and IIS

Deploy to Azure
This template creates a simple DevTest environment with a Point-to-Site VPN and IIS on a Windows server which is a great way to get started.
Create a Point-to-Site Gateway

Deploy to Azure
This template allows you to create a Point-to-Site connection using VirtualNetworkGateways
Create a Point-to-Site Gateway with Azure AD

Deploy to Azure
This template deploys a VPN Virtual Network Gateway configured with an Azure Active Directory Point-to-Site connection
Create a Site-to-Site VPN Connection

Deploy to Azure
This template allows you to create a Site-to-Site VPN Connection using Virtual Network Gateways
Create a Site-to-Site VPN Connection with VM

Deploy to Azure
This template allows you to create a Site-to-Site VPN Connection using Virtual Network Gateways
Create a VNET to VNET connection across two regions

Deploy to Azure
This template allows you to connect two VNETs in different regions using Virtual Network Gateways
Create SQL MI with point-to-site connection configured

Deploy to Azure
Deploy Azure Sql Database Managed Instance (SQL MI) and Virtual network gateway configured for point-to-site connection inside the new virtual network.
Create three vNets to demonstrate transitive BGP connections

Deploy to Azure
This template deploys three vNets connected using Virtual Network Gateways and BGP-enabled connections
Create VNet with two Subnets, local network, and gateway

Deploy to Azure
This template creates a VNet, 2 subnets, and a gateway
Deploy a Hub and Spoke topology sandbox

Deploy to Azure
This template creates a basic hub-and-spoke topology setup. It creates a Hub VNet with subnets DMZ, Management, Shared and Gateway (optionally), with two Spoke VNets (development and production) containing a workload subnet each. It also deploys a Windows Jump-Host on the Management subnet of the HUB, and establishes VNet peerings between the Hub and the two spokes.
Deploy HBase geo replication

Deploy to Azure
This template allows you to configure an Azure environment for HBase replication across two different regions with VPN vnet-to-vnet connection.
ExpressRoute circuit with private peering and Azure VNet

Deploy to Azure
This template configure ExpressRoute Microsoft peering, deploy an Azure VNet with Expressroute gateway and link the VNet to the ExpressRoute circuit
Extend an existing Azure VNET to a Multi-VNET Configuration

Deploy to Azure
This template allows you to extend an existing single VNET environment to a Multi-VNET environment that extends across two datacenter regions using VNET-to-VNET gateways
Site-to-Site VPN with active-active VPN Gateways with BGP

Deploy to Azure
This template allows you to deploy a site-to-site VPN between two VNets with VPN Gateways in configuration active-active with BGP. Each Azure VPN Gateway resolves the FQDN of the remote peers to determine the public IP of the remote VPN Gateway. Template runs as expected in Azure regions with availability zones.
Use Azure Firewall as a DNS Proxy in a Hub & Spoke topology

Deploy to Azure
This sample show how to deploy a hub-spoke topology in Azure using the Azure Firewall. The hub virtual network acts as a central point of connectivity to many spoke virtual networks that are connected to hub virtual network via virtual network peering.

Terraform (AzAPI provider) resource definition

The virtualNetworkGateways resource type can be deployed with operations that target:

  • Resource groups

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/virtualNetworkGateways resource, add the following Terraform to your template.

resource "azapi_resource" "symbolicname" {
  type = "Microsoft.Network/virtualNetworkGateways@2024-03-01"
  name = "string"
  identity = {
    type = "string"
    userAssignedIdentities = {
      {customized property} = {
      }
    }
  }
  location = "string"
  tags = {
    {customized property} = "string"
  }
  body = jsonencode({
    extendedLocation = {
      name = "string"
      type = "string"
    }
    properties = {
      activeActive = bool
      adminState = "string"
      allowRemoteVnetTraffic = bool
      allowVirtualWanTraffic = bool
      autoScaleConfiguration = {
        bounds = {
          max = int
          min = int
        }
      }
      bgpSettings = {
        asn = int
        bgpPeeringAddress = "string"
        bgpPeeringAddresses = [
          {
            customBgpIpAddresses = [
              "string"
            ]
            ipconfigurationId = "string"
          }
        ]
        peerWeight = int
      }
      customRoutes = {
        addressPrefixes = [
          "string"
        ]
      }
      disableIPSecReplayProtection = bool
      enableBgp = bool
      enableBgpRouteTranslationForNat = bool
      enableDnsForwarding = bool
      enablePrivateIpAddress = bool
      gatewayDefaultSite = {
        id = "string"
      }
      gatewayType = "string"
      ipConfigurations = [
        {
          id = "string"
          name = "string"
          properties = {
            privateIPAllocationMethod = "string"
            publicIPAddress = {
              id = "string"
            }
            subnet = {
              id = "string"
            }
          }
        }
      ]
      natRules = [
        {
          id = "string"
          name = "string"
          properties = {
            externalMappings = [
              {
                addressSpace = "string"
                portRange = "string"
              }
            ]
            internalMappings = [
              {
                addressSpace = "string"
                portRange = "string"
              }
            ]
            ipConfigurationId = "string"
            mode = "string"
            type = "string"
          }
        }
      ]
      resiliencyModel = "string"
      sku = {
        name = "string"
        tier = "string"
      }
      virtualNetworkGatewayPolicyGroups = [
        {
          id = "string"
          name = "string"
          properties = {
            isDefault = bool
            policyMembers = [
              {
                attributeType = "string"
                attributeValue = "string"
                name = "string"
              }
            ]
            priority = int
          }
        }
      ]
      vNetExtendedLocationResourceId = "string"
      vpnClientConfiguration = {
        aadAudience = "string"
        aadIssuer = "string"
        aadTenant = "string"
        radiusServerAddress = "string"
        radiusServers = [
          {
            radiusServerAddress = "string"
            radiusServerScore = int
            radiusServerSecret = "string"
          }
        ]
        radiusServerSecret = "string"
        vngClientConnectionConfigurations = [
          {
            id = "string"
            name = "string"
            properties = {
              virtualNetworkGatewayPolicyGroups = [
                {
                  id = "string"
                }
              ]
              vpnClientAddressPool = {
                addressPrefixes = [
                  "string"
                ]
              }
            }
          }
        ]
        vpnAuthenticationTypes = [
          "string"
        ]
        vpnClientAddressPool = {
          addressPrefixes = [
            "string"
          ]
        }
        vpnClientIpsecPolicies = [
          {
            dhGroup = "string"
            ikeEncryption = "string"
            ikeIntegrity = "string"
            ipsecEncryption = "string"
            ipsecIntegrity = "string"
            pfsGroup = "string"
            saDataSizeKilobytes = int
            saLifeTimeSeconds = int
          }
        ]
        vpnClientProtocols = [
          "string"
        ]
        vpnClientRevokedCertificates = [
          {
            id = "string"
            name = "string"
            properties = {
              thumbprint = "string"
            }
          }
        ]
        vpnClientRootCertificates = [
          {
            id = "string"
            name = "string"
            properties = {
              publicCertData = "string"
            }
          }
        ]
      }
      vpnGatewayGeneration = "string"
      vpnType = "string"
    }
  })
}

Property values

AddressSpace

Name Description Value
addressPrefixes A list of address blocks reserved for this virtual network in CIDR notation. string[]

BgpSettings

Name Description Value
asn The BGP speaker's ASN. int

Constraints:
Min value = 0
Max value = 4294967295
bgpPeeringAddress The BGP peering address and BGP identifier of this BGP speaker. string
bgpPeeringAddresses BGP peering address with IP configuration ID for virtual network gateway. IPConfigurationBgpPeeringAddress[]
peerWeight The weight added to routes learned from this BGP speaker. int

Components1Jq1T4ISchemasManagedserviceidentityPropertiesUserassignedidentitiesAdditionalproperties

Name Description Value

ExtendedLocation

Name Description Value
name The name of the extended location. string
type The type of the extended location. 'EdgeZone'

IPConfigurationBgpPeeringAddress

Name Description Value
customBgpIpAddresses The list of custom BGP peering addresses which belong to IP configuration. string[]
ipconfigurationId The ID of IP configuration which belongs to gateway. string

IpsecPolicy

Name Description Value
dhGroup The DH Group used in IKE Phase 1 for initial SA. 'DHGroup1'
'DHGroup14'
'DHGroup2'
'DHGroup2048'
'DHGroup24'
'ECP256'
'ECP384'
'None' (required)
ikeEncryption The IKE encryption algorithm (IKE phase 2). 'AES128'
'AES192'
'AES256'
'DES'
'DES3'
'GCMAES128'
'GCMAES256' (required)
ikeIntegrity The IKE integrity algorithm (IKE phase 2). 'GCMAES128'
'GCMAES256'
'MD5'
'SHA1'
'SHA256'
'SHA384' (required)
ipsecEncryption The IPSec encryption algorithm (IKE phase 1). 'AES128'
'AES192'
'AES256'
'DES'
'DES3'
'GCMAES128'
'GCMAES192'
'GCMAES256'
'None' (required)
ipsecIntegrity The IPSec integrity algorithm (IKE phase 1). 'GCMAES128'
'GCMAES192'
'GCMAES256'
'MD5'
'SHA1'
'SHA256' (required)
pfsGroup The Pfs Group used in IKE Phase 2 for new child SA. 'ECP256'
'ECP384'
'None'
'PFS1'
'PFS14'
'PFS2'
'PFS2048'
'PFS24'
'PFSMM' (required)
saDataSizeKilobytes The IPSec Security Association (also called Quick Mode or Phase 2 SA) payload size in KB for a site to site VPN tunnel. int (required)
saLifeTimeSeconds The IPSec Security Association (also called Quick Mode or Phase 2 SA) lifetime in seconds for a site to site VPN tunnel. int (required)

ManagedServiceIdentity

Name Description Value
type The type of identity used for the resource. The type 'SystemAssigned, UserAssigned' includes both an implicitly created identity and a set of user assigned identities. The type 'None' will remove any identities from the virtual machine. 'None'
'SystemAssigned'
'SystemAssigned, UserAssigned'
'UserAssigned'
userAssignedIdentities The list of user identities associated with resource. The user identity dictionary key references will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}'. ManagedServiceIdentityUserAssignedIdentities

ManagedServiceIdentityUserAssignedIdentities

Name Description Value

Microsoft.Network/virtualNetworkGateways

Name Description Value
extendedLocation The extended location of type local virtual network gateway. ExtendedLocation
identity The identity of the virtual network gateway, if configured. ManagedServiceIdentity
location Resource location. string
name The resource name string (required)
properties Properties of the virtual network gateway. VirtualNetworkGatewayPropertiesFormat (required)
tags Resource tags Dictionary of tag names and values.
type The resource type "Microsoft.Network/virtualNetworkGateways@2024-03-01"

RadiusServer

Name Description Value
radiusServerAddress The address of this radius server. string (required)
radiusServerScore The initial score assigned to this radius server. int
radiusServerSecret The secret used for this radius server. string

ResourceTags

Name Description Value

SubResource

Name Description Value
id Resource ID. string

VirtualNetworkGatewayAutoScaleBounds

Name Description Value
max Maximum Scale Units for Autoscale configuration int
min Minimum scale Units for Autoscale configuration int

VirtualNetworkGatewayAutoScaleConfiguration

Name Description Value
bounds The bounds of the autoscale configuration VirtualNetworkGatewayAutoScaleBounds

VirtualNetworkGatewayIPConfiguration

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the virtual network gateway ip configuration. VirtualNetworkGatewayIPConfigurationPropertiesFormat

VirtualNetworkGatewayIPConfigurationPropertiesFormat

Name Description Value
privateIPAllocationMethod The private IP address allocation method. 'Dynamic'
'Static'
publicIPAddress The reference to the public IP resource. SubResource
subnet The reference to the subnet resource. SubResource

VirtualNetworkGatewayNatRule

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the Virtual Network Gateway NAT rule. VirtualNetworkGatewayNatRuleProperties

VirtualNetworkGatewayNatRuleProperties

Name Description Value
externalMappings The private IP address external mapping for NAT. VpnNatRuleMapping[]
internalMappings The private IP address internal mapping for NAT. VpnNatRuleMapping[]
ipConfigurationId The IP Configuration ID this NAT rule applies to. string
mode The Source NAT direction of a VPN NAT. 'EgressSnat'
'IngressSnat'
type The type of NAT rule for VPN NAT. 'Dynamic'
'Static'

VirtualNetworkGatewayPolicyGroup

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of tVirtualNetworkGatewayPolicyGroup. VirtualNetworkGatewayPolicyGroupProperties

VirtualNetworkGatewayPolicyGroupMember

Name Description Value
attributeType The Vpn Policy member attribute type. 'AADGroupId'
'CertificateGroupId'
'RadiusAzureGroupId'
attributeValue The value of Attribute used for this VirtualNetworkGatewayPolicyGroupMember. string
name Name of the VirtualNetworkGatewayPolicyGroupMember. string

VirtualNetworkGatewayPolicyGroupProperties

Name Description Value
isDefault Shows if this is a Default VirtualNetworkGatewayPolicyGroup or not. bool (required)
policyMembers Multiple PolicyMembers for VirtualNetworkGatewayPolicyGroup. VirtualNetworkGatewayPolicyGroupMember[] (required)
priority Priority for VirtualNetworkGatewayPolicyGroup. int (required)

VirtualNetworkGatewayPropertiesFormat

Name Description Value
activeActive ActiveActive flag. bool
adminState Property to indicate if the Express Route Gateway serves traffic when there are multiple Express Route Gateways in the vnet 'Disabled'
'Enabled'
allowRemoteVnetTraffic Configure this gateway to accept traffic from other Azure Virtual Networks. This configuration does not support connectivity to Azure Virtual WAN. bool
allowVirtualWanTraffic Configures this gateway to accept traffic from remote Virtual WAN networks. bool
autoScaleConfiguration Autoscale configuration for virutal network gateway VirtualNetworkGatewayAutoScaleConfiguration
bgpSettings Virtual network gateway's BGP speaker settings. BgpSettings
customRoutes The reference to the address space resource which represents the custom routes address space specified by the customer for virtual network gateway and VpnClient. AddressSpace
disableIPSecReplayProtection disableIPSecReplayProtection flag. bool
enableBgp Whether BGP is enabled for this virtual network gateway or not. bool
enableBgpRouteTranslationForNat EnableBgpRouteTranslationForNat flag. bool
enableDnsForwarding Whether dns forwarding is enabled or not. bool
enablePrivateIpAddress Whether private IP needs to be enabled on this gateway for connections or not. bool
gatewayDefaultSite The reference to the LocalNetworkGateway resource which represents local network site having default routes. Assign Null value in case of removing existing default site setting. SubResource
gatewayType The type of this virtual network gateway. 'ExpressRoute'
'LocalGateway'
'Vpn'
ipConfigurations IP configurations for virtual network gateway. VirtualNetworkGatewayIPConfiguration[]
natRules NatRules for virtual network gateway. VirtualNetworkGatewayNatRule[]
resiliencyModel Property to indicate if the Express Route Gateway has resiliency model of MultiHomed or SingleHomed 'MultiHomed'
'SingleHomed'
sku The reference to the VirtualNetworkGatewaySku resource which represents the SKU selected for Virtual network gateway. VirtualNetworkGatewaySku
virtualNetworkGatewayPolicyGroups The reference to the VirtualNetworkGatewayPolicyGroup resource which represents the available VirtualNetworkGatewayPolicyGroup for the gateway. VirtualNetworkGatewayPolicyGroup[]
vNetExtendedLocationResourceId Customer vnet resource id. VirtualNetworkGateway of type local gateway is associated with the customer vnet. string
vpnClientConfiguration The reference to the VpnClientConfiguration resource which represents the P2S VpnClient configurations. VpnClientConfiguration
vpnGatewayGeneration The generation for this VirtualNetworkGateway. Must be None if gatewayType is not VPN. 'Generation1'
'Generation2'
'None'
vpnType The type of this virtual network gateway. 'PolicyBased'
'RouteBased'

VirtualNetworkGatewaySku

Name Description Value
name Gateway SKU name. 'Basic'
'ErGw1AZ'
'ErGw2AZ'
'ErGw3AZ'
'ErGwScale'
'HighPerformance'
'Standard'
'UltraPerformance'
'VpnGw1'
'VpnGw1AZ'
'VpnGw2'
'VpnGw2AZ'
'VpnGw3'
'VpnGw3AZ'
'VpnGw4'
'VpnGw4AZ'
'VpnGw5'
'VpnGw5AZ'
tier Gateway SKU tier. 'Basic'
'ErGw1AZ'
'ErGw2AZ'
'ErGw3AZ'
'ErGwScale'
'HighPerformance'
'Standard'
'UltraPerformance'
'VpnGw1'
'VpnGw1AZ'
'VpnGw2'
'VpnGw2AZ'
'VpnGw3'
'VpnGw3AZ'
'VpnGw4'
'VpnGw4AZ'
'VpnGw5'
'VpnGw5AZ'

VngClientConnectionConfiguration

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the vpn client root certificate. VngClientConnectionConfigurationProperties

VngClientConnectionConfigurationProperties

Name Description Value
virtualNetworkGatewayPolicyGroups List of references to virtualNetworkGatewayPolicyGroups SubResource[] (required)
vpnClientAddressPool The reference to the address space resource which represents Address space for P2S VpnClient. AddressSpace (required)

VpnClientConfiguration

Name Description Value
aadAudience The AADAudience property of the VirtualNetworkGateway resource for vpn client connection used for AAD authentication. string
aadIssuer The AADIssuer property of the VirtualNetworkGateway resource for vpn client connection used for AAD authentication. string
aadTenant The AADTenant property of the VirtualNetworkGateway resource for vpn client connection used for AAD authentication. string
radiusServerAddress The radius server address property of the VirtualNetworkGateway resource for vpn client connection. string
radiusServers The radiusServers property for multiple radius server configuration. RadiusServer[]
radiusServerSecret The radius secret property of the VirtualNetworkGateway resource for vpn client connection. string
vngClientConnectionConfigurations per ip address pool connection policy for virtual network gateway P2S client. VngClientConnectionConfiguration[]
vpnAuthenticationTypes VPN authentication types for the virtual network gateway.. String array containing any of:
'AAD'
'Certificate'
'Radius'
vpnClientAddressPool The reference to the address space resource which represents Address space for P2S VpnClient. AddressSpace
vpnClientIpsecPolicies VpnClientIpsecPolicies for virtual network gateway P2S client. IpsecPolicy[]
vpnClientProtocols VpnClientProtocols for Virtual network gateway. String array containing any of:
'IkeV2'
'OpenVPN'
'SSTP'
vpnClientRevokedCertificates VpnClientRevokedCertificate for Virtual network gateway. VpnClientRevokedCertificate[]
vpnClientRootCertificates VpnClientRootCertificate for virtual network gateway. VpnClientRootCertificate[]

VpnClientRevokedCertificate

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the vpn client revoked certificate. VpnClientRevokedCertificatePropertiesFormat

VpnClientRevokedCertificatePropertiesFormat

Name Description Value
thumbprint The revoked VPN client certificate thumbprint. string

VpnClientRootCertificate

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the vpn client root certificate. VpnClientRootCertificatePropertiesFormat (required)

VpnClientRootCertificatePropertiesFormat

Name Description Value
publicCertData The certificate public data. string (required)

VpnNatRuleMapping

Name Description Value
addressSpace Address space for Vpn NatRule mapping. string
portRange Port range for Vpn NatRule mapping. string