Microsoft.Network virtualNetworkGateways template reference

Template format

To create a Microsoft.Network/virtualNetworkGateways resource, add the following JSON to the resources section of your template.

{
  "name": "string",
  "type": "Microsoft.Network/virtualNetworkGateways",
  "apiVersion": "2018-12-01",
  "location": "string",
  "tags": {},
  "properties": {
    "ipConfigurations": [
      {
        "id": "string",
        "properties": {
          "privateIPAllocationMethod": "string",
          "subnet": {
            "id": "string"
          },
          "publicIPAddress": {
            "id": "string"
          }
        },
        "name": "string"
      }
    ],
    "gatewayType": "string",
    "vpnType": "string",
    "enableBgp": "boolean",
    "activeActive": "boolean",
    "gatewayDefaultSite": {
      "id": "string"
    },
    "sku": {
      "name": "string",
      "tier": "string",
      "capacity": "integer"
    },
    "vpnClientConfiguration": {
      "vpnClientAddressPool": {
        "addressPrefixes": [
          "string"
        ]
      },
      "vpnClientRootCertificates": [
        {
          "id": "string",
          "properties": {
            "publicCertData": "string"
          },
          "name": "string"
        }
      ],
      "vpnClientRevokedCertificates": [
        {
          "id": "string",
          "properties": {
            "thumbprint": "string"
          },
          "name": "string"
        }
      ],
      "vpnClientProtocols": [
        "string"
      ],
      "vpnClientIpsecPolicies": [
        {
          "saLifeTimeSeconds": "integer",
          "saDataSizeKilobytes": "integer",
          "ipsecEncryption": "string",
          "ipsecIntegrity": "string",
          "ikeEncryption": "string",
          "ikeIntegrity": "string",
          "dhGroup": "string",
          "pfsGroup": "string"
        }
      ],
      "radiusServerAddress": "string",
      "radiusServerSecret": "string"
    },
    "bgpSettings": {
      "asn": "integer",
      "bgpPeeringAddress": "string",
      "peerWeight": "integer"
    },
    "resourceGuid": "string"
  }
}

Property values

The following tables describe the values you need to set in the schema.

Microsoft.Network/virtualNetworkGateways object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| name | string | Yes | The name of the virtual network gateway. |
| type | enum | Yes | Microsoft.Network/virtualNetworkGateways |
| apiVersion | enum | Yes | 2018-12-01 |
| location | string | No | Resource location. |
| tags | object | No | Resource tags. |
| properties | object | Yes | Properties of the virtual network gateway. - VirtualNetworkGatewayPropertiesFormat object |

VirtualNetworkGatewayPropertiesFormat object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| ipConfigurations | array | No | IP configurations for virtual network gateway. - VirtualNetworkGatewayIPConfiguration object |
| gatewayType | enum | No | The type of this virtual network gateway. Possible values are: 'Vpn' and 'ExpressRoute'. - Vpn or ExpressRoute |
| vpnType | enum | No | The type of this virtual network gateway. Possible values are: 'PolicyBased' and 'RouteBased'. - PolicyBased or RouteBased |
| enableBgp | boolean | No | Whether BGP is enabled for this virtual network gateway or not. |
| activeActive | boolean | No | ActiveActive flag |
| gatewayDefaultSite | object | No | The reference of the LocalNetworkGateway resource which represents local network site having default routes. Assign Null value in case of removing existing default site setting. - SubResource object |
| sku | object | No | The reference of the VirtualNetworkGatewaySku resource which represents the SKU selected for Virtual network gateway. - VirtualNetworkGatewaySku object |
| vpnClientConfiguration | object | No | The reference of the VpnClientConfiguration resource which represents the P2S VpnClient configurations. - VpnClientConfiguration object |
| bgpSettings | object | No | Virtual network gateway's BGP speaker settings. - BgpSettings object |
| resourceGuid | string | No | The resource GUID property of the VirtualNetworkGateway resource. |

VirtualNetworkGatewayIPConfiguration object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| id | string | No | Resource ID. |
| properties | object | No | Properties of the virtual network gateway ip configuration. - VirtualNetworkGatewayIPConfigurationPropertiesFormat object |
| name | string | No | The name of the resource that is unique within a resource group. This name can be used to access the resource. |

SubResource object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| id | string | No | Resource ID. |

VirtualNetworkGatewaySku object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| name | enum | No | Gateway SKU name. - Basic, HighPerformance, Standard, UltraPerformance, VpnGw1, VpnGw2, VpnGw3, VpnGw1AZ, VpnGw2AZ, VpnGw3AZ, ErGw1AZ, ErGw2AZ, ErGw3AZ |
| tier | enum | No | Gateway SKU tier. - Basic, HighPerformance, Standard, UltraPerformance, VpnGw1, VpnGw2, VpnGw3, VpnGw1AZ, VpnGw2AZ, VpnGw3AZ, ErGw1AZ, ErGw2AZ, ErGw3AZ |
| capacity | integer | No | The capacity. |

VpnClientConfiguration object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| vpnClientAddressPool | object | No | The reference of the address space resource which represents Address space for P2S VpnClient. - AddressSpace object |
| vpnClientRootCertificates | array | No | VpnClientRootCertificate for virtual network gateway. - VpnClientRootCertificate object |
| vpnClientRevokedCertificates | array | No | VpnClientRevokedCertificate for Virtual network gateway. - VpnClientRevokedCertificate object |
| vpnClientProtocols | array | No | VpnClientProtocols for Virtual network gateway. - IkeV2, SSTP, OpenVPN |
| vpnClientIpsecPolicies | array | No | VpnClientIpsecPolicies for virtual network gateway P2S client. - IpsecPolicy object |
| radiusServerAddress | string | No | The radius server address property of the VirtualNetworkGateway resource for vpn client connection. |
| radiusServerSecret | string | No | The radius secret property of the VirtualNetworkGateway resource for vpn client connection. |

BgpSettings object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| asn | integer | No | The BGP speaker's ASN. |
| bgpPeeringAddress | string | No | The BGP peering address and BGP identifier of this BGP speaker. |
| peerWeight | integer | No | The weight added to routes learned from this BGP speaker. |

VirtualNetworkGatewayIPConfigurationPropertiesFormat object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| privateIPAllocationMethod | enum | No | The private IP allocation method. Possible values are: 'Static' and 'Dynamic'. - Static or Dynamic |
| subnet | object | No | The reference of the subnet resource. - SubResource object |
| publicIPAddress | object | No | The reference of the public IP resource. - SubResource object |

AddressSpace object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| addressPrefixes | array | No | A list of address blocks reserved for this virtual network in CIDR notation. - string |

VpnClientRootCertificate object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| id | string | No | Resource ID. |
| properties | object | Yes | Properties of the vpn client root certificate. - VpnClientRootCertificatePropertiesFormat object |
| name | string | No | The name of the resource that is unique within a resource group. This name can be used to access the resource. |

VpnClientRevokedCertificate object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| id | string | No | Resource ID. |
| properties | object | No | Properties of the vpn client revoked certificate. - VpnClientRevokedCertificatePropertiesFormat object |
| name | string | No | The name of the resource that is unique within a resource group. This name can be used to access the resource. |

IpsecPolicy object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| saLifeTimeSeconds | integer | Yes | The IPSec Security Association (also called Quick Mode or Phase 2 SA) lifetime in seconds for a site to site VPN tunnel. |
| saDataSizeKilobytes | integer | Yes | The IPSec Security Association (also called Quick Mode or Phase 2 SA) payload size in KB for a site to site VPN tunnel. |
| ipsecEncryption | enum | Yes | The IPSec encryption algorithm (IKE phase 1). - None, DES, DES3, AES128, AES192, AES256, GCMAES128, GCMAES192, GCMAES256 |
| ipsecIntegrity | enum | Yes | The IPSec integrity algorithm (IKE phase 1). - MD5, SHA1, SHA256, GCMAES128, GCMAES192, GCMAES256 |
| ikeEncryption | enum | Yes | The IKE encryption algorithm (IKE phase 2). - DES, DES3, AES128, AES192, AES256, GCMAES256, GCMAES128 |
| ikeIntegrity | enum | Yes | The IKE integrity algorithm (IKE phase 2). - MD5, SHA1, SHA256, SHA384, GCMAES256, GCMAES128 |
| dhGroup | enum | Yes | The DH Groups used in IKE Phase 1 for initial SA. - None, DHGroup1, DHGroup2, DHGroup14, DHGroup2048, ECP256, ECP384, DHGroup24 |
| pfsGroup | enum | Yes | The Pfs Groups used in IKE Phase 2 for new child SA. - None, PFS1, PFS2, PFS2048, ECP256, ECP384, PFS24, PFS14, PFSMM |
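
The check below is an added example, not part of the original reference or of any Microsoft tooling. It audits the vpnClientConfiguration of every gateway in a template for IpsecPolicy values the example treats as weak, and for a radiusServerSecret stored as a literal string. The WEAK sets, the function names and the sample template are assumptions of this example.

```python
# Added example: the values flagged here are this example's assumed policy,
# picked from the IpsecPolicy enums listed on this page.
WEAK = {
    "ipsecEncryption": {"None", "DES", "DES3"},
    "ipsecIntegrity": {"MD5", "SHA1"},
    "ikeEncryption": {"DES", "DES3"},
    "ikeIntegrity": {"MD5", "SHA1"},
    "dhGroup": {"None", "DHGroup1", "DHGroup2"},
    "pfsGroup": {"None", "PFS1", "PFS2"},
}
GATEWAY_TYPE = "Microsoft.Network/virtualNetworkGateways"

def is_expression(value):
    """ARM template expressions are wrapped in [...]; a leading [[ escapes a literal."""
    return value.startswith("[") and value.endswith("]") and not value.startswith("[[")

def audit_template(template):
    """Return (gateway name, finding) pairs for every gateway resource in the template."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type") != GATEWAY_TYPE:
            continue
        name = res.get("name")
        p2s = res.get("properties", {}).get("vpnClientConfiguration") or {}
        for i, policy in enumerate(p2s.get("vpnClientIpsecPolicies") or []):
            for field, weak in WEAK.items():
                if policy.get(field) in weak:
                    findings.append((name, f"vpnClientIpsecPolicies[{i}].{field}={policy[field]}"))
        secret = p2s.get("radiusServerSecret")
        if isinstance(secret, str) and secret and not is_expression(secret):
            findings.append((name, "radiusServerSecret is a literal string"))
    return findings

# Constructed sample template (hypothetical names and values, not a real deployment).
SAMPLE = {"resources": [{
    "name": "example-gw", "type": GATEWAY_TYPE, "apiVersion": "2018-12-01",
    "properties": {"gatewayType": "Vpn", "vpnType": "RouteBased", "vpnClientConfiguration": {
        "vpnClientProtocols": ["IkeV2"],
        "vpnClientIpsecPolicies": [{
            "saLifeTimeSeconds": 3600, "saDataSizeKilobytes": 102400000,
            "ipsecEncryption": "DES3", "ipsecIntegrity": "SHA256",
            "ikeEncryption": "AES256", "ikeIntegrity": "SHA1",
            "dhGroup": "DHGroup2", "pfsGroup": "None"}],
        "radiusServerAddress": "10.0.0.10",
        "radiusServerSecret": "constructed-literal-secret"}}}]}

if __name__ == "__main__":
    for gateway, finding in audit_template(SAMPLE):
        print(f"{gateway}: {finding}")
```

Supplying the secret as "[parameters('radiusServerSecret')]" with a securestring parameter keeps it out of the template file and clears the last finding.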

VpnClientRootCertificatePropertiesFormat object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| publicCertData | string | Yes | The certificate public data. |

VpnClientRevokedCertificatePropertiesFormat object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| thumbprint | string | No | The revoked VPN client certificate thumbprint. |

Quickstart templates

The following quickstart templates deploy this resource type.

| Template | Description |
| --- | --- |
| ExpressRoute circuit with private peering and Azure VNet | This template configures ExpressRoute Microsoft peering, deploys an Azure VNet with an ExpressRoute gateway, and links the VNet to the ExpressRoute circuit. |
| Deploy HBase geo replication | This template allows you to configure an Azure environment for HBase replication across two different regions with VPN vnet-to-vnet connection. |
| Deploy a Hub and Spoke topology sandbox | This template creates a basic hub-and-spoke topology setup. It creates a Hub VNet with subnets DMZ, Management, Shared and Gateway (optionally), with two Spoke VNets (development and production) containing a workload subnet each. It also deploys a Windows Jump-Host on the Management subnet of the HUB, and establishes VNet peerings between the Hub and the two spokes. |
| Create a Point-to-Site Gateway | This template allows you to create a Point-to-Site connection using VirtualNetworkGateways. |
| Create a Site-to-Site VPN Connection | This template allows you to create a Site-to-Site VPN Connection using Virtual Network Gateways. |
| Extend an existing Azure VNET to a Multi-VNET Configuration | This template allows you to extend an existing single VNET environment to a Multi-VNET environment that extends across two datacenter regions using VNET-to-VNET gateways. |
| Create a Site-to-Site VPN Connection | This template allows you to create a Site-to-Site VPN Connection using Virtual Network Gateways. |
| Create SQL MI with point-to-site connection configured | Deploys Azure SQL Database Managed Instance (SQL MI) and a virtual network gateway configured for point-to-site connection inside the new virtual network. |
| Create a VNET to VNET connection across two regions | This template allows you to connect two VNETs in different regions using Virtual Network Gateways. |
| Create a BGP VNET to VNET connection | This template allows you to connect two VNETs using Virtual Network Gateways and BGP. |
| Create three vNets to demonstrate transitive BGP connections | This template deploys three vNets connected using Virtual Network Gateways and BGP-enabled connections. |
| Zerto Cloud Appliance with Site-to-Site VPN Connection | This template allows you to create a Zerto Cloud Appliance with a VPN. |
| Connect an ExpressRoute circuit to a VNET | This template creates a VNET, an ExpressRoute Gateway and a connection to a provisioned and enabled ExpressRoute circuit with AzurePrivatePeering configured. |
| Create VNet with two Subnets, local network, and gateway | This template creates a VNet, 2 subnets, and a gateway. |
| BOSH CF Cross Region | This template helps you set up the resources needed to deploy BOSH and Cloud Foundry across two regions on Azure. |
| Create a DevTest environment with P2S VPN and IIS | This template creates a simple DevTest environment with a Point-to-Site VPN and IIS on a Windows server, which is a great way to get started. |