Microsoft.Network virtualNetworks
The virtualNetworks resource type can be deployed to: Resource groups.
To learn about resource group deployments, see Bicep or ARM template.
Remarks
For guidance on creating virtual networks and subnets, see Create virtual network resources by using Bicep.
Template format
To create a Microsoft.Network/virtualNetworks resource, add the following Bicep or JSON to your template.
```bicep
resource symbolicname 'Microsoft.Network/virtualNetworks@2021-08-01' = {
  name: 'string'
  location: 'string'
  tags: {
    tagName1: 'tagValue1'
    tagName2: 'tagValue2'
  }
  extendedLocation: {
    name: 'string'
    type: 'EdgeZone'
  }
  properties: {
    addressSpace: {
      addressPrefixes: [
        'string'
      ]
    }
    bgpCommunities: {
      virtualNetworkCommunity: 'string'
    }
    ddosProtectionPlan: {
      id: 'string'
    }
    dhcpOptions: {
      dnsServers: [
        'string'
      ]
    }
    enableDdosProtection: bool
    enableVmProtection: bool
    encryption: {
      enabled: bool
      enforcement: 'string'
    }
    flowTimeoutInMinutes: int
    ipAllocations: [
      {
        id: 'string'
      }
    ]
    subnets: [
      {
        id: 'string'
        name: 'string'
        properties: {
          addressPrefix: 'string'
          addressPrefixes: [
            'string'
          ]
          applicationGatewayIpConfigurations: [
            {
              id: 'string'
              name: 'string'
              properties: {
                subnet: {
                  id: 'string'
                }
              }
            }
          ]
          delegations: [
            {
              id: 'string'
              name: 'string'
              properties: {
                serviceName: 'string'
              }
              type: 'string'
            }
          ]
          ipAllocations: [
            {
              id: 'string'
            }
          ]
          natGateway: {
            id: 'string'
          }
          networkSecurityGroup: {
            id: 'string'
            location: 'string'
            properties: {
              securityRules: [
                {
                  id: 'string'
                  name: 'string'
                  properties: {
                    access: 'string'
                    description: 'string'
                    destinationAddressPrefix: 'string'
                    destinationAddressPrefixes: [
                      'string'
                    ]
                    destinationApplicationSecurityGroups: [
                      {
                        id: 'string'
                        location: 'string'
                        properties: {}
                        tags: {}
                      }
                    ]
                    destinationPortRange: 'string'
                    destinationPortRanges: [
                      'string'
                    ]
                    direction: 'string'
                    priority: int
                    protocol: 'string'
                    sourceAddressPrefix: 'string'
                    sourceAddressPrefixes: [
                      'string'
                    ]
                    sourceApplicationSecurityGroups: [
                      {
                        id: 'string'
                        location: 'string'
                        properties: {}
                        tags: {}
                      }
                    ]
                    sourcePortRange: 'string'
                    sourcePortRanges: [
                      'string'
                    ]
                  }
                  type: 'string'
                }
              ]
            }
            tags: {}
          }
          privateEndpointNetworkPolicies: 'string'
          privateLinkServiceNetworkPolicies: 'string'
          routeTable: {
            id: 'string'
            location: 'string'
            properties: {
              disableBgpRoutePropagation: bool
              routes: [
                {
                  id: 'string'
                  name: 'string'
                  properties: {
                    addressPrefix: 'string'
                    hasBgpOverride: bool
                    nextHopIpAddress: 'string'
                    nextHopType: 'string'
                  }
                  type: 'string'
                }
              ]
            }
            tags: {}
          }
          serviceEndpointPolicies: [
            {
              id: 'string'
              location: 'string'
              properties: {
                contextualServiceEndpointPolicies: [
                  'string'
                ]
                serviceAlias: 'string'
                serviceEndpointPolicyDefinitions: [
                  {
                    id: 'string'
                    name: 'string'
                    properties: {
                      description: 'string'
                      service: 'string'
                      serviceResources: [
                        'string'
                      ]
                    }
                    type: 'string'
                  }
                ]
              }
              tags: {}
            }
          ]
          serviceEndpoints: [
            {
              locations: [
                'string'
              ]
              service: 'string'
            }
          ]
        }
        type: 'string'
      }
    ]
    virtualNetworkPeerings: [
      {
        id: 'string'
        name: 'string'
        properties: {
          allowForwardedTraffic: bool
          allowGatewayTransit: bool
          allowVirtualNetworkAccess: bool
          doNotVerifyRemoteGateways: bool
          peeringState: 'string'
          peeringSyncLevel: 'string'
          remoteAddressSpace: {
            addressPrefixes: [
              'string'
            ]
          }
          remoteBgpCommunities: {
            virtualNetworkCommunity: 'string'
          }
          remoteVirtualNetwork: {
            id: 'string'
          }
          remoteVirtualNetworkAddressSpace: {
            addressPrefixes: [
              'string'
            ]
          }
          useRemoteGateways: bool
        }
        type: 'string'
      }
    ]
  }
}
```
Property values
virtualNetworks
| Name | Description | Value |
|---|---|---|
| type | The resource type. For Bicep, set this value in the resource declaration. | 'Microsoft.Network/virtualNetworks' |
| apiVersion | The resource API version. For Bicep, set this value in the resource declaration. | '2021-08-01' |
| name | The resource name. | string (required). Character limit: 2-64. Valid characters: alphanumerics, underscores, periods, and hyphens. Start with alphanumeric. End with alphanumeric or underscore. |
| location | Resource location. | string |
| tags | Resource tags. | Dictionary of tag names and values. See Tags in templates |
| extendedLocation | ExtendedLocation complex type. | ExtendedLocation |
| properties | Properties of the virtual network. | VirtualNetworkPropertiesFormat |
ExtendedLocation
| Name | Description | Value |
|---|---|---|
| name | The name of the extended location. | string |
| type | The supported ExtendedLocation types. Currently only EdgeZone is supported in Microsoft.Network resources. | 'EdgeZone' |
VirtualNetworkPropertiesFormat
| Name | Description | Value |
|---|---|---|
| addressSpace | AddressSpace contains an array of IP address ranges that can be used by subnets of the virtual network. | AddressSpace |
| bgpCommunities | Bgp Communities sent over ExpressRoute with each route corresponding to a prefix in this VNET. | VirtualNetworkBgpCommunities |
| ddosProtectionPlan | Reference to another subresource. | SubResource |
| dhcpOptions | DhcpOptions contains an array of DNS servers available to VMs deployed in the virtual network. Standard DHCP option for a subnet overrides VNET DHCP options. | DhcpOptions |
| enableDdosProtection | Indicates if DDoS protection is enabled for all the protected resources in the virtual network. It requires a DDoS protection plan associated with the resource. | bool |
| enableVmProtection | Indicates if VM protection is enabled for all the subnets in the virtual network. | bool |
| encryption | Indicates if encryption is enabled on virtual network and if VM without encryption is allowed in encrypted VNet. | VirtualNetworkEncryption |
| flowTimeoutInMinutes | The FlowTimeout value (in minutes) for the Virtual Network | int |
| ipAllocations | Array of IpAllocation which reference this VNET. | SubResource[] |
| subnets | A list of subnets in a Virtual Network. | Subnet[] |
| virtualNetworkPeerings | A list of peerings in a Virtual Network. | VirtualNetworkPeering[] |
AddressSpace
| Name | Description | Value |
|---|---|---|
| addressPrefixes | A list of address blocks reserved for this virtual network in CIDR notation. | string[] |
VirtualNetworkBgpCommunities
| Name | Description | Value |
|---|---|---|
| virtualNetworkCommunity | The BGP community associated with the virtual network. | string (required) |
SubResource
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
DhcpOptions
| Name | Description | Value |
|---|---|---|
| dnsServers | The list of DNS servers IP addresses. | string[] |
VirtualNetworkEncryption
| Name | Description | Value |
|---|---|---|
| enabled | Indicates if encryption is enabled on the virtual network. | bool (required) |
| enforcement | Whether the encrypted VNet allows VMs that do not support encryption. | 'AllowUnencrypted' 'DropUnencrypted' |
Subnet
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
| name | The name of the resource that is unique within a resource group. This name can be used to access the resource. | string |
| properties | Properties of the subnet. | SubnetPropertiesFormat |
| type | Resource type. | string |
SubnetPropertiesFormat
| Name | Description | Value |
|---|---|---|
| addressPrefix | The address prefix for the subnet. | string |
| addressPrefixes | List of address prefixes for the subnet. | string[] |
| applicationGatewayIpConfigurations | Application gateway IP configurations of virtual network resource. | ApplicationGatewayIPConfiguration[] |
| delegations | An array of references to the delegations on the subnet. | Delegation[] |
| ipAllocations | Array of IpAllocation which reference this subnet. | SubResource[] |
| natGateway | Reference to another subresource. | SubResource |
| networkSecurityGroup | NetworkSecurityGroup resource. | NetworkSecurityGroup |
| privateEndpointNetworkPolicies | Enable or disable applying network policies on private endpoints in the subnet. | 'Disabled' 'Enabled' |
| privateLinkServiceNetworkPolicies | Enable or disable applying network policies on private link services in the subnet. | 'Disabled' 'Enabled' |
| routeTable | Route table resource. | RouteTable |
| serviceEndpointPolicies | An array of service endpoint policies. | ServiceEndpointPolicy[] |
| serviceEndpoints | An array of service endpoints. | ServiceEndpointPropertiesFormat[] |
ApplicationGatewayIPConfiguration
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
| name | Name of the IP configuration that is unique within an Application Gateway. | string |
| properties | Properties of IP configuration of an application gateway. | ApplicationGatewayIPConfigurationPropertiesFormat |
ApplicationGatewayIPConfigurationPropertiesFormat
| Name | Description | Value |
|---|---|---|
| subnet | Reference to another subresource. | SubResource |
Delegation
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
| name | The name of the resource that is unique within a subnet. This name can be used to access the resource. | string |
| properties | Properties of a service delegation. | ServiceDelegationPropertiesFormat |
| type | Resource type. | string |
ServiceDelegationPropertiesFormat
| Name | Description | Value |
|---|---|---|
| serviceName | The name of the service to which the subnet should be delegated (e.g. Microsoft.Sql/servers). | string |
NetworkSecurityGroup
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
| location | Resource location. | string |
| properties | Network Security Group resource. | NetworkSecurityGroupPropertiesFormat |
| tags | Resource tags. | object |
NetworkSecurityGroupPropertiesFormat
| Name | Description | Value |
|---|---|---|
| securityRules | A collection of security rules of the network security group. | SecurityRule[] |
SecurityRule
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
| name | The name of the resource that is unique within a resource group. This name can be used to access the resource. | string |
| properties | Security rule resource. | SecurityRulePropertiesFormat |
| type | The type of the resource. | string |
SecurityRulePropertiesFormat
| Name | Description | Value |
|---|---|---|
| access | Whether network traffic is allowed or denied. | 'Allow' 'Deny' |
| description | A description for this rule. Restricted to 140 chars. | string |
| destinationAddressPrefix | The destination address prefix. CIDR or destination IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. | string |
| destinationAddressPrefixes | The destination address prefixes. CIDR or destination IP ranges. | string[] |
| destinationApplicationSecurityGroups | The application security group specified as destination. | ApplicationSecurityGroup[] |
| destinationPortRange | The destination port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports. | string |
| destinationPortRanges | The destination port ranges. | string[] |
| direction | The direction of the rule. The direction specifies if rule will be evaluated on incoming or outgoing traffic. | 'Inbound' 'Outbound' |
| priority | The priority of the rule. The value can be between 100 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule. | int |
| protocol | Network protocol this rule applies to. | '*' 'Ah' 'Esp' 'Icmp' 'Tcp' 'Udp' |
| sourceAddressPrefix | The CIDR or source IP range. Asterisk '*' can also be used to match all source IPs. Default tags such as 'VirtualNetwork', 'AzureLoadBalancer' and 'Internet' can also be used. If this is an ingress rule, specifies where network traffic originates from. | string |
| sourceAddressPrefixes | The CIDR or source IP ranges. | string[] |
| sourceApplicationSecurityGroups | The application security group specified as source. | ApplicationSecurityGroup[] |
| sourcePortRange | The source port or range. Integer or range between 0 and 65535. Asterisk '*' can also be used to match all ports. | string |
| sourcePortRanges | The source port ranges. | string[] |
ApplicationSecurityGroup
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
| location | Resource location. | string |
| properties | Application security group properties. | ApplicationSecurityGroupPropertiesFormat |
| tags | Resource tags. | object |
ApplicationSecurityGroupPropertiesFormat
This object doesn't contain any properties to set during deployment. All properties are ReadOnly.
RouteTable
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
| location | Resource location. | string |
| properties | Route Table resource. | RouteTablePropertiesFormat |
| tags | Resource tags. | object |
RouteTablePropertiesFormat
| Name | Description | Value |
|---|---|---|
| disableBgpRoutePropagation | Whether to disable the routes learned by BGP on that route table. True means disable. | bool |
| routes | Collection of routes contained within a route table. | Route[] |
Route
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
| name | The name of the resource that is unique within a resource group. This name can be used to access the resource. | string |
| properties | Route resource. | RoutePropertiesFormat |
| type | The type of the resource. | string |
RoutePropertiesFormat
| Name | Description | Value |
|---|---|---|
| addressPrefix | The destination CIDR to which the route applies. | string |
| hasBgpOverride | A value indicating whether this route overrides overlapping BGP routes regardless of LPM. | bool |
| nextHopIpAddress | The IP address packets should be forwarded to. Next hop values are only allowed in routes where the next hop type is VirtualAppliance. | string |
| nextHopType | The type of Azure hop the packet should be sent to. | 'Internet' 'None' 'VirtualAppliance' 'VirtualNetworkGateway' 'VnetLocal' |
ServiceEndpointPolicy
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
| location | Resource location. | string |
| properties | Service Endpoint Policy resource. | ServiceEndpointPolicyPropertiesFormat |
| tags | Resource tags. | object |
ServiceEndpointPolicyPropertiesFormat
| Name | Description | Value |
|---|---|---|
| contextualServiceEndpointPolicies | A collection of contextual service endpoint policies. | string[] |
| serviceAlias | The alias indicating if the policy belongs to a service. | string |
| serviceEndpointPolicyDefinitions | A collection of service endpoint policy definitions of the service endpoint policy. | ServiceEndpointPolicyDefinition[] |
ServiceEndpointPolicyDefinition
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
| name | The name of the resource that is unique within a resource group. This name can be used to access the resource. | string |
| properties | Service Endpoint policy definition resource. | ServiceEndpointPolicyDefinitionPropertiesFormat |
| type | The type of the resource. | string |
ServiceEndpointPolicyDefinitionPropertiesFormat
| Name | Description | Value |
|---|---|---|
| description | A description for this rule. Restricted to 140 chars. | string |
| service | Service endpoint name. | string |
| serviceResources | A list of service resources. | string[] |
ServiceEndpointPropertiesFormat
| Name | Description | Value |
|---|---|---|
| locations | A list of locations. | string[] |
| service | The type of the endpoint service. | string |
VirtualNetworkPeering
| Name | Description | Value |
|---|---|---|
| id | Resource ID. | string |
| name | The name of the resource that is unique within a resource group. This name can be used to access the resource. | string |
| properties | Properties of the virtual network peering. | VirtualNetworkPeeringPropertiesFormat |
| type | Resource type. | string |
VirtualNetworkPeeringPropertiesFormat
| Name | Description | Value |
|---|---|---|
| allowForwardedTraffic | Whether the forwarded traffic from the VMs in the local virtual network will be allowed/disallowed in remote virtual network. | bool |
| allowGatewayTransit | If gateway links can be used in remote virtual networking to link to this virtual network. | bool |
| allowVirtualNetworkAccess | Whether the VMs in the local virtual network space would be able to access the VMs in remote virtual network space. | bool |
| doNotVerifyRemoteGateways | If we need to verify the provisioning state of the remote gateway. | bool |
| peeringState | The status of the virtual network peering. | 'Connected' 'Disconnected' 'Initiated' |
| peeringSyncLevel | The peering sync status of the virtual network peering. | 'FullyInSync' 'LocalAndRemoteNotInSync' 'LocalNotInSync' 'RemoteNotInSync' |
| remoteAddressSpace | AddressSpace contains an array of IP address ranges that can be used by subnets of the virtual network. | AddressSpace |
| remoteBgpCommunities | Bgp Communities sent over ExpressRoute with each route corresponding to a prefix in this VNET. | VirtualNetworkBgpCommunities |
| remoteVirtualNetwork | Reference to another subresource. | SubResource |
| remoteVirtualNetworkAddressSpace | AddressSpace contains an array of IP address ranges that can be used by subnets of the virtual network. | AddressSpace |
| useRemoteGateways | If remote gateways can be used on this virtual network. If the flag is set to true, and allowGatewayTransit on remote peering is also true, virtual network will use gateways of remote virtual network for transit. Only one peering can have this flag set to true. This flag cannot be set if virtual network already has a gateway. | bool |
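
The following Bicep file is an added example, not part of the original reference page. It fills in the schema above for one subnet whose traffic is filtered by a separately declared network security group, referenced from the subnet by `id`. The resource names, address ranges and the `adminSourcePrefix` parameter are assumptions.

```bicep
// Added example, not the page's own code; names, ranges and adminSourcePrefix are assumptions.
param adminSourcePrefix string = '203.0.113.0/24' // constructed placeholder (documentation range)
resource appNsg 'Microsoft.Network/networkSecurityGroups@2021-08-01' = {
  name: 'nsg-app'
  location: resourceGroup().location
  properties: {
    securityRules: [
      {
        name: 'allow-https-from-admin-range'
        properties: {
          access: 'Allow'
          direction: 'Inbound'
          priority: 100 // lower number = higher priority; must be unique in the collection
          protocol: 'Tcp'
          sourceAddressPrefix: adminSourcePrefix
          sourcePortRange: '*'
          destinationAddressPrefix: 'VirtualNetwork'
          destinationPortRange: '443'
        }
      }
      {
        name: 'deny-all-other-inbound'
        properties: {
          access: 'Deny'
          direction: 'Inbound'
          priority: 4096 // highest value the schema allows, so every custom allow rule wins over it
          protocol: '*'
          sourceAddressPrefix: '*'
          sourcePortRange: '*'
          destinationAddressPrefix: '*'
          destinationPortRange: '*'
        }
      }
    ]
  }
}

resource vnet 'Microsoft.Network/virtualNetworks@2021-08-01' = {
  name: 'vnet-example'
  location: resourceGroup().location
  properties: {
    addressSpace: { addressPrefixes: ['10.20.0.0/16'] }
    subnets: [
      {
        name: 'snet-app'
        properties: {
          addressPrefix: '10.20.1.0/24' // must fall inside the VNet address space
          networkSecurityGroup: { id: appNsg.id } // reference by id; rules live on the NSG resource
          privateEndpointNetworkPolicies: 'Enabled' // apply network policies to private endpoints here
        }
      }
    ]
  }
}
```

Because the deny rule at priority 4096 is evaluated before the platform's default rules, it also blocks inbound traffic from other subnets and load balancer probes unless a lower-numbered rule allows them.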
Quickstart templates
The following quickstart templates deploy this resource type.
| Template | Description |
|---|---|
| 201-vnet-2subnets-service-endpoints-storage-integration | Creates 2 new VMs with a NIC each, in two different subnets within the same VNet. Sets service endpoint on one of the subnets and secures storage account to that subnet. |
| Virtual Network with diagnostic logs | This template creates a Virtual Network with diagnostic logs and allows optional features to be added to each subnet |
| Create a VNET to VNET connection across two regions | This template allows you to connect two VNETs in different regions using Virtual Network Gateways |
| Create a BGP VNET to VNET connection | This template allows you to connect two VNETs using Virtual Network Gateways and BGP |
| Create a vNet to vNet connection using vNet Peering | This template allows you to connect two vNets using vNet Peering |
| Create three vNets to demonstrate transitive BGP connections | This template deploys three vNets connected using Virtual Network Gateways and BGP-enabled connections |
| Create a Virtual Network with two Subnets | This template allows you to create a Virtual Network with two subnets. |