Microsoft.Network virtualNetworkGateways 2019-12-01

Template format

To create a Microsoft.Network/virtualNetworkGateways resource, add the following JSON to the resources section of your template.

{
  "name": "string",
  "type": "Microsoft.Network/virtualNetworkGateways",
  "apiVersion": "2019-12-01",
  "location": "string",
  "tags": {},
  "properties": {
    "ipConfigurations": [
      {
        "id": "string",
        "properties": {
          "privateIPAllocationMethod": "string",
          "subnet": {
            "id": "string"
          },
          "publicIPAddress": {
            "id": "string"
          }
        },
        "name": "string"
      }
    ],
    "gatewayType": "string",
    "vpnType": "string",
    "vpnGatewayGeneration": "string",
    "enableBgp": "boolean",
    "enablePrivateIpAddress": "boolean",
    "activeActive": "boolean",
    "gatewayDefaultSite": {
      "id": "string"
    },
    "sku": {
      "name": "string",
      "tier": "string"
    },
    "vpnClientConfiguration": {
      "vpnClientAddressPool": {
        "addressPrefixes": [
          "string"
        ]
      },
      "vpnClientRootCertificates": [
        {
          "id": "string",
          "properties": {
            "publicCertData": "string"
          },
          "name": "string"
        }
      ],
      "vpnClientRevokedCertificates": [
        {
          "id": "string",
          "properties": {
            "thumbprint": "string"
          },
          "name": "string"
        }
      ],
      "vpnClientProtocols": [
        "string"
      ],
      "vpnClientIpsecPolicies": [
        {
          "saLifeTimeSeconds": "integer",
          "saDataSizeKilobytes": "integer",
          "ipsecEncryption": "string",
          "ipsecIntegrity": "string",
          "ikeEncryption": "string",
          "ikeIntegrity": "string",
          "dhGroup": "string",
          "pfsGroup": "string"
        }
      ],
      "radiusServerAddress": "string",
      "radiusServerSecret": "string",
      "aadTenant": "string",
      "aadAudience": "string",
      "aadIssuer": "string"
    },
    "bgpSettings": {
      "asn": "integer",
      "bgpPeeringAddress": "string",
      "peerWeight": "integer",
      "bgpPeeringAddresses": [
        {
          "ipconfigurationId": "string",
          "customBgpIpAddresses": [
            "string"
          ]
        }
      ]
    },
    "customRoutes": {
      "addressPrefixes": [
        "string"
      ]
    },
    "enableDnsForwarding": "boolean"
  }
}

Property values

The following tables describe the values you need to set in the schema.

Microsoft.Network/virtualNetworkGateways object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| name | string | Yes | The name of the virtual network gateway. |
| type | enum | Yes | Microsoft.Network/virtualNetworkGateways |
| apiVersion | enum | Yes | 2019-12-01 |
| location | string | Yes | Resource location. |
| tags | object | No | Resource tags. |
| properties | object | Yes | Properties of the virtual network gateway. - VirtualNetworkGatewayPropertiesFormat object |

VirtualNetworkGatewayPropertiesFormat object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| ipConfigurations | array | No | IP configurations for virtual network gateway. - VirtualNetworkGatewayIPConfiguration object |
| gatewayType | enum | No | The type of this virtual network gateway. - Vpn or ExpressRoute |
| vpnType | enum | No | The type of this virtual network gateway. - PolicyBased or RouteBased |
| vpnGatewayGeneration | enum | No | The generation for this VirtualNetworkGateway. Must be None if gatewayType is not VPN. - None, Generation1, Generation2 |
| enableBgp | boolean | No | Whether BGP is enabled for this virtual network gateway or not. |
| enablePrivateIpAddress | boolean | No | Whether private IP needs to be enabled on this gateway for connections or not. |
| activeActive | boolean | No | ActiveActive flag. |
| gatewayDefaultSite | object | No | The reference to the LocalNetworkGateway resource which represents local network site having default routes. Assign Null value in case of removing existing default site setting. - SubResource object |
| sku | object | No | The reference to the VirtualNetworkGatewaySku resource which represents the SKU selected for Virtual network gateway. - VirtualNetworkGatewaySku object |
| vpnClientConfiguration | object | No | The reference to the VpnClientConfiguration resource which represents the P2S VpnClient configurations. - VpnClientConfiguration object |
| bgpSettings | object | No | Virtual network gateway's BGP speaker settings. - BgpSettings object |
| customRoutes | object | No | The reference to the address space resource which represents the custom routes address space specified by the customer for virtual network gateway and VpnClient. - AddressSpace object |
| enableDnsForwarding | boolean | No | Whether dns forwarding is enabled or not. |

VirtualNetworkGatewayIPConfiguration object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| id | string | No | Resource ID. |
| properties | object | No | Properties of the virtual network gateway ip configuration. - VirtualNetworkGatewayIPConfigurationPropertiesFormat object |
| name | string | No | The name of the resource that is unique within a resource group. This name can be used to access the resource. |

SubResource object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| id | string | No | Resource ID. |

VirtualNetworkGatewaySku object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| name | enum | No | Gateway SKU name. - Basic, HighPerformance, Standard, UltraPerformance, VpnGw1, VpnGw2, VpnGw3, VpnGw4, VpnGw5, VpnGw1AZ, VpnGw2AZ, VpnGw3AZ, VpnGw4AZ, VpnGw5AZ, ErGw1AZ, ErGw2AZ, ErGw3AZ |
| tier | enum | No | Gateway SKU tier. - Basic, HighPerformance, Standard, UltraPerformance, VpnGw1, VpnGw2, VpnGw3, VpnGw4, VpnGw5, VpnGw1AZ, VpnGw2AZ, VpnGw3AZ, VpnGw4AZ, VpnGw5AZ, ErGw1AZ, ErGw2AZ, ErGw3AZ |

VpnClientConfiguration object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| vpnClientAddressPool | object | No | The reference to the address space resource which represents Address space for P2S VpnClient. - AddressSpace object |
| vpnClientRootCertificates | array | No | VpnClientRootCertificate for virtual network gateway. - VpnClientRootCertificate object |
| vpnClientRevokedCertificates | array | No | VpnClientRevokedCertificate for Virtual network gateway. - VpnClientRevokedCertificate object |
| vpnClientProtocols | array | No | VpnClientProtocols for Virtual network gateway. - IkeV2, SSTP, OpenVPN |
| vpnClientIpsecPolicies | array | No | VpnClientIpsecPolicies for virtual network gateway P2S client. - IpsecPolicy object |
| radiusServerAddress | string | No | The radius server address property of the VirtualNetworkGateway resource for vpn client connection. |
| radiusServerSecret | string | No | The radius secret property of the VirtualNetworkGateway resource for vpn client connection. |
| aadTenant | string | No | The AADTenant property of the VirtualNetworkGateway resource for vpn client connection used for AAD authentication. |
| aadAudience | string | No | The AADAudience property of the VirtualNetworkGateway resource for vpn client connection used for AAD authentication. |
| aadIssuer | string | No | The AADIssuer property of the VirtualNetworkGateway resource for vpn client connection used for AAD authentication. |

BgpSettings object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| asn | integer | No | The BGP speaker's ASN. |
| bgpPeeringAddress | string | No | The BGP peering address and BGP identifier of this BGP speaker. |
| peerWeight | integer | No | The weight added to routes learned from this BGP speaker. |
| bgpPeeringAddresses | array | No | BGP peering address with IP configuration ID for virtual network gateway. - IPConfigurationBgpPeeringAddress object |

AddressSpace object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| addressPrefixes | array | No | A list of address blocks reserved for this virtual network in CIDR notation. - string |

VirtualNetworkGatewayIPConfigurationPropertiesFormat object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| privateIPAllocationMethod | enum | No | The private IP address allocation method. - Static or Dynamic |
| subnet | object | No | The reference to the subnet resource. - SubResource object |
| publicIPAddress | object | No | The reference to the public IP resource. - SubResource object |

VpnClientRootCertificate object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| id | string | No | Resource ID. |
| properties | object | Yes | Properties of the vpn client root certificate. - VpnClientRootCertificatePropertiesFormat object |
| name | string | No | The name of the resource that is unique within a resource group. This name can be used to access the resource. |

VpnClientRevokedCertificate object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| id | string | No | Resource ID. |
| properties | object | No | Properties of the vpn client revoked certificate. - VpnClientRevokedCertificatePropertiesFormat object |
| name | string | No | The name of the resource that is unique within a resource group. This name can be used to access the resource. |

IpsecPolicy object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| saLifeTimeSeconds | integer | Yes | The IPSec Security Association (also called Quick Mode or Phase 2 SA) lifetime in seconds for a site to site VPN tunnel. |
| saDataSizeKilobytes | integer | Yes | The IPSec Security Association (also called Quick Mode or Phase 2 SA) payload size in KB for a site to site VPN tunnel. |
| ipsecEncryption | enum | Yes | The IPSec encryption algorithm (IKE phase 1). - None, DES, DES3, AES128, AES192, AES256, GCMAES128, GCMAES192, GCMAES256 |
| ipsecIntegrity | enum | Yes | The IPSec integrity algorithm (IKE phase 1). - MD5, SHA1, SHA256, GCMAES128, GCMAES192, GCMAES256 |
| ikeEncryption | enum | Yes | The IKE encryption algorithm (IKE phase 2). - DES, DES3, AES128, AES192, AES256, GCMAES256, GCMAES128 |
| ikeIntegrity | enum | Yes | The IKE integrity algorithm (IKE phase 2). - MD5, SHA1, SHA256, SHA384, GCMAES256, GCMAES128 |
| dhGroup | enum | Yes | The DH Group used in IKE Phase 1 for initial SA. - None, DHGroup1, DHGroup2, DHGroup14, DHGroup2048, ECP256, ECP384, DHGroup24 |
| pfsGroup | enum | Yes | The Pfs Group used in IKE Phase 2 for new child SA. - None, PFS1, PFS2, PFS2048, ECP256, ECP384, PFS24, PFS14, PFSMM |
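
A pre-deployment check over the vpnClientIpsecPolicies enum values listed above and the radiusServerSecret property of the VpnClientConfiguration object, as an added example that is not part of the original reference. The WEAK classification, the `_gateway` helper and the sample template are assumptions made for illustration.

```python
# Assumed policy (editor's classification, not from the page): IpsecPolicy enum values rejected here.
WEAK = {
    "ipsecEncryption": {"None", "DES", "DES3"},
    "ipsecIntegrity": {"MD5", "SHA1"},
    "ikeEncryption": {"DES", "DES3"},
    "ikeIntegrity": {"MD5", "SHA1"},
    "dhGroup": {"None", "DHGroup1", "DHGroup2"},
    "pfsGroup": {"None", "PFS1", "PFS2"},
}
GATEWAY_TYPE = "Microsoft.Network/virtualNetworkGateways"


def audit_template(template):
    """Return (gateway name, finding) tuples for every gateway in the template."""
    findings = []
    for res in template.get("resources", []):
        if res.get("type") != GATEWAY_TYPE:
            continue
        name = res.get("name", "<unnamed>")
        p2s = res.get("properties", {}).get("vpnClientConfiguration", {})
        for i, policy in enumerate(p2s.get("vpnClientIpsecPolicies", [])):
            for field, weak in WEAK.items():
                if policy.get(field) in weak:
                    findings.append((name, f"vpnClientIpsecPolicies[{i}].{field}={policy[field]}"))
        secret = p2s.get("radiusServerSecret")
        # Anything that is not an ARM expression ("[...]") is a literal secret.
        if isinstance(secret, str) and not (secret.startswith("[") and secret.endswith("]")):
            findings.append((name, "radiusServerSecret is an inline literal"))
    return findings


# Constructed sample data (not from the page); SA lifetime fields omitted for brevity.
def _gateway(name, policy, secret):
    cfg = {"vpnClientIpsecPolicies": [policy], "radiusServerSecret": secret}
    return {"name": name, "type": GATEWAY_TYPE, "apiVersion": "2019-12-01",
            "properties": {"vpnClientConfiguration": cfg}}


SAMPLE = {"resources": [
    _gateway("gw-legacy", {"ipsecEncryption": "DES3", "ipsecIntegrity": "SHA1",
                           "ikeEncryption": "AES256", "ikeIntegrity": "SHA384",
                           "dhGroup": "DHGroup2", "pfsGroup": "None"},
             "constructed-literal-secret"),
    _gateway("gw-hardened", {"ipsecEncryption": "GCMAES256", "ipsecIntegrity": "GCMAES256",
                             "ikeEncryption": "AES256", "ikeIntegrity": "SHA384",
                             "dhGroup": "ECP384", "pfsGroup": "ECP384"},
             "[parameters('radiusSecret')]"),
]}

print(*audit_template(SAMPLE), sep="\n")
```

Passing the secret as an ARM expression such as a parameter reference keeps the literal out of the template file; the parameter name used in the sample is hypothetical.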

IPConfigurationBgpPeeringAddress object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| ipconfigurationId | string | No | The ID of IP configuration which belongs to gateway. |
| customBgpIpAddresses | array | No | The list of custom BGP peering addresses which belong to IP configuration. - string |

VpnClientRootCertificatePropertiesFormat object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| publicCertData | string | Yes | The certificate public data. |

VpnClientRevokedCertificatePropertiesFormat object

| Name | Type | Required | Value |
| --- | --- | --- | --- |
| thumbprint | string | No | The revoked VPN client certificate thumbprint. |

Quickstart templates

The following quickstart templates deploy this resource type.

| Template | Description |
| --- | --- |
| ExpressRoute circuit with private peering and Azure VNet | This template configures ExpressRoute Microsoft peering, deploys an Azure VNet with an ExpressRoute gateway, and links the VNet to the ExpressRoute circuit. |
| Deploy HBase geo replication | This template allows you to configure an Azure environment for HBase replication across two different regions with VPN vnet-to-vnet connection. |
| Deploy a Hub and Spoke topology sandbox | This template creates a basic hub-and-spoke topology setup. It creates a Hub VNet with subnets DMZ, Management, Shared and Gateway (optionally), with two Spoke VNets (development and production) containing a workload subnet each. It also deploys a Windows Jump-Host on the Management subnet of the Hub, and establishes VNet peerings between the Hub and the two spokes. |
| Create a Point-to-Site Gateway | This template allows you to create a Point-to-Site connection using VirtualNetworkGateways. |
| Create a Site-to-Site VPN Connection | This template allows you to create a Site-to-Site VPN Connection using Virtual Network Gateways. |
| Extend an existing Azure VNET to a Multi-VNET Configuration | This template allows you to extend an existing single VNET environment to a Multi-VNET environment that extends across two datacenter regions using VNET-to-VNET gateways. |
| Create a Site-to-Site VPN Connection | This template allows you to create a Site-to-Site VPN Connection using Virtual Network Gateways. |
| Create SQL MI with point-to-site connection configured | Deploy Azure SQL Database Managed Instance (SQL MI) and a virtual network gateway configured for point-to-site connection inside the new virtual network. |
| Create a VNET to VNET connection across two regions | This template allows you to connect two VNETs in different regions using Virtual Network Gateways. |
| Create a BGP VNET to VNET connection | This template allows you to connect two VNETs using Virtual Network Gateways and BGP. |
| Create three vNets to demonstrate transitive BGP connections | This template deploys three vNets connected using Virtual Network Gateways and BGP-enabled connections. |
| Zerto Cloud Appliance with Site-to-Site VPN Connection | This template allows you to create a Zerto Cloud Appliance with a VPN. |
| Connect an ExpressRoute circuit to a VNET | This template creates a VNET, an ExpressRoute Gateway and a connection to a provisioned and enabled ExpressRoute circuit with AzurePrivatePeering configured. |
| Create VNet with two Subnets, local network, and gateway | This template creates a VNet, 2 subnets, and a gateway. |
| BOSH CF Cross Region | This template helps you set up the resources needed to deploy BOSH and Cloud Foundry across two regions on Azure. |
| Create a DevTest environment with P2S VPN and IIS | This template creates a simple DevTest environment with a Point-to-Site VPN and IIS on a Windows server, which is a great way to get started. |