import * as pulumi from "@pulumi/pulumi";
import * as inputs from "../types/input";
import * as outputs from "../types/output";
// NOTE(review): in this listing the type arguments of `pulumi.Input` / `pulumi.Output` appear to have
// been lost (bare `pulumi.Output;`, dangling `pulumi.Input[]>;`), so the declarations below do not
// parse as written. Take the exact property types from the published package typings, not from here.
/**
 * Manages a Virtual Network Gateway to establish secure, cross-premises connectivity.
 *
 * > **Note:** Please be aware that provisioning a Virtual Network Gateway takes a long time (between 30 minutes and 1 hour).
 *
 * ## Example Usage
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as azure from "@pulumi/azure";
 *
 * const example = new azure.core.ResourceGroup("example", {
 *     name: "test",
 *     location: "West Europe",
 * });
 * const exampleVirtualNetwork = new azure.network.VirtualNetwork("example", {
 *     name: "test",
 *     location: example.location,
 *     resourceGroupName: example.name,
 *     addressSpaces: ["10.0.0.0/16"],
 * });
 * const exampleSubnet = new azure.network.Subnet("example", {
 *     name: "GatewaySubnet",
 *     resourceGroupName: example.name,
 *     virtualNetworkName: exampleVirtualNetwork.name,
 *     addressPrefixes: ["10.0.1.0/24"],
 * });
 * const examplePublicIp = new azure.network.PublicIp("example", {
 *     name: "test",
 *     location: example.location,
 *     resourceGroupName: example.name,
 *     allocationMethod: "Dynamic",
 * });
 * const exampleVirtualNetworkGateway = new azure.network.VirtualNetworkGateway("example", {
 *     name: "test",
 *     location: example.location,
 *     resourceGroupName: example.name,
 *     type: "Vpn",
 *     vpnType: "RouteBased",
 *     activeActive: false,
 *     bgpEnabled: false,
 *     sku: "Basic",
 *     ipConfigurations: [{
 *         name: "vnetGatewayConfig",
 *         publicIpAddressId: examplePublicIp.id,
 *         privateIpAddressAllocation: "Dynamic",
 *         subnetId: exampleSubnet.id,
 *     }],
 *     vpnClientConfiguration: {
 *         addressSpaces: ["10.2.0.0/24"],
 *         rootCertificates: [{
 *             name: "DigiCert-Federated-ID-Root-CA",
 *             publicCertData: `MIIDuzCCAqOgAwIBAgIQCHTZWCM+IlfFIRXIvyKSrjANBgkqhkiG9w0BAQsFADBn
 * MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
 * d3cuZGlnaWNlcnQuY29tMSYwJAYDVQQDEx1EaWdpQ2VydCBGZWRlcmF0ZWQgSUQg
 * Um9vdCBDQTAeFw0xMzAxMTUxMjAwMDBaFw0zMzAxMTUxMjAwMDBaMGcxCzAJBgNV
 * BAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdp
 * Y2VydC5jb20xJjAkBgNVBAMTHURpZ2lDZXJ0IEZlZGVyYXRlZCBJRCBSb290IENB
 * MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvAEB4pcCqnNNOWE6Ur5j
 * QPUH+1y1F9KdHTRSza6k5iDlXq1kGS1qAkuKtw9JsiNRrjltmFnzMZRBbX8Tlfl8
 * zAhBmb6dDduDGED01kBsTkgywYPxXVTKec0WxYEEF0oMn4wSYNl0lt2eJAKHXjNf
 * GTwiibdP8CUR2ghSM2sUTI8Nt1Omfc4SMHhGhYD64uJMbX98THQ/4LMGuYegou+d
 * GTiahfHtjn7AboSEknwAMJHCh5RlYZZ6B1O4QbKJ+34Q0eKgnI3X6Vc9u0zf6DH8
 * Dk+4zQDYRRTqTnVO3VT8jzqDlCRuNtq6YvryOWN74/dq8LQhUnXHvFyrsdMaE1X2
 * DwIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNV
 * HQ4EFgQUGRdkFnbGt1EWjKwbUne+5OaZvRYwHwYDVR0jBBgwFoAUGRdkFnbGt1EW
 * jKwbUne+5OaZvRYwDQYJKoZIhvcNAQELBQADggEBAHcqsHkrjpESqfuVTRiptJfP
 * 9JbdtWqRTmOf6uJi2c8YVqI6XlKXsD8C1dUUaaHKLUJzvKiazibVuBwMIT84AyqR
 * QELn3e0BtgEymEygMU569b01ZPxoFSnNXc7qDZBDef8WfqAV/sxkTi8L9BkmFYfL
 * uGLOhRJOFprPdoDIUBB+tmCl3oDcBy3vnUeOEioz8zAkprcb3GHwHAK+vHmmfgcn
 * WsfMLH4JCLa/tRYL+Rw/N3ybCkDp00s0WUZ+AoDywSl0Q/ZEnNY0MsFiw6LyIdbq
 * M/s/1JRtO3bDSzD9TazRVzn2oBqzSa8VgIo5C1nOnoAKJTlsClJKvIhnRlaLQqk=
 * `,
 *         }],
 *         revokedCertificates: [{
 *             name: "Verizon-Global-Root-CA",
 *             thumbprint: "912198EEF23DCAC40939312FEE97DD560BAE49B1",
 *         }],
 *     },
 * });
 * ```
 *
 * > **Note (review):** `rootCertificates` is the trust anchor for point-to-site certificate
 * > authentication. The example lists a public CA root purely as sample data; presumably any client
 * > certificate chaining to a listed root is accepted, so a real deployment should list only a root CA
 * > the operator controls and keep `revokedCertificates` current. Confirm against the Azure
 * > point-to-site documentation.
 *
 * ## API Providers
 *
 *
 * This resource uses the following Azure API Providers:
 *
 * * `Microsoft.Network` - 2025-01-01
 *
 * ## Import
 *
 * Virtual Network Gateways can be imported using the `resource id`, e.g.
 *
 * ```sh
 * $ pulumi import azure:network/virtualNetworkGateway:VirtualNetworkGateway exampleGateway /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myGroup1/providers/Microsoft.Network/virtualNetworkGateways/myGateway1
 * ```
 */
export declare class VirtualNetworkGateway extends pulumi.CustomResource {
    /**
     * Get an existing VirtualNetworkGateway resource's state with the given name, ID, and optional extra
     * properties used to qualify the lookup.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     */
    static get(name: string, id: pulumi.Input, state?: VirtualNetworkGatewayState, opts?: pulumi.CustomResourceOptions): VirtualNetworkGateway;
    /**
     * Returns true if the given object is an instance of VirtualNetworkGateway. This is designed to work even
     * when multiple copies of the Pulumi SDK have been loaded into the same process.
     */
    static isInstance(obj: any): obj is VirtualNetworkGateway;
    /**
     * If `true`, an active-active Virtual Network Gateway will be created. An active-active gateway requires a `HighPerformance` or an `UltraPerformance` SKU. If `false`, an active-standby gateway will be created. Defaults to `false`.
     */
    readonly activeActive: pulumi.Output;
    /**
     * If `true`, BGP (Border Gateway Protocol) will be enabled for this Virtual Network Gateway. Defaults to `false`.
     */
    readonly bgpEnabled: pulumi.Output;
    /**
     * Is BGP Route Translation for NAT enabled? Defaults to `false`.
     */
    readonly bgpRouteTranslationForNatEnabled: pulumi.Output;
    /**
     * A `bgpSettings` block which is documented below. In this block the BGP specific settings can be defined.
     */
    readonly bgpSettings: pulumi.Output;
    /**
     * A `customRoute` block as defined below. Specifies a custom routes address space for a virtual network gateway and a VpnClient.
     */
    readonly customRoute: pulumi.Output;
    /**
     * The ID of the local network gateway through which outbound Internet traffic from the virtual network in which the gateway is created will be routed (*forced tunnelling*). Refer to the [Azure documentation on forced tunnelling](https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-forced-tunneling-rm). If not specified, forced tunnelling is disabled.
     */
    readonly defaultLocalNetworkGatewayId: pulumi.Output;
    /**
     * Is DNS forwarding enabled?
     */
    readonly dnsForwardingEnabled: pulumi.Output;
    /**
     * Specifies the Edge Zone within the Azure Region where this Virtual Network Gateway should exist. Changing this forces a new Virtual Network Gateway to be created.
     */
    readonly edgeZone: pulumi.Output;
    /**
     * @deprecated the `enableBgp` property has been deprecated in favour of the `bgpEnabled` property and will be removed in v5.0 of the AzureRM Provider
     */
    readonly enableBgp: pulumi.Output;
    /**
     * The Generation of the Virtual Network gateway. Possible values include `Generation1`, `Generation2` or `None`. Changing this forces a new resource to be created.
     *
     * > **Note:** The available values depend on the `type` and `sku` arguments - where `Generation2` is only value for a `sku` larger than `VpnGw2` or `VpnGw2AZ`.
     */
    readonly generation: pulumi.Output;
    /**
     * One or more (up to 3) `ipConfiguration` blocks documented below. Changing this forces a new resource to be created. An active-standby gateway requires exactly one `ipConfiguration` block, an active-active gateway requires exactly two `ipConfiguration` blocks whereas an active-active zone redundant gateway with P2S configuration requires exactly three `ipConfiguration` blocks.
     */
    readonly ipConfigurations: pulumi.Output;
    /**
     * Is IPsec replay protection enabled? Defaults to `true`.
     *
     * NOTE(review): with this set to `false` the gateway presumably stops rejecting re-sent IPsec packets; keep the default unless a specific peer requires otherwise.
     */
    readonly ipSecReplayProtectionEnabled: pulumi.Output;
    /**
     * The location/region where the Virtual Network Gateway is located. Changing this forces a new resource to be created.
     */
    readonly location: pulumi.Output;
    /**
     * The name of the Virtual Network Gateway. Changing this forces a new resource to be created.
     */
    readonly name: pulumi.Output;
    /**
     * One or more `policyGroup` blocks as defined below.
     */
    readonly policyGroups: pulumi.Output;
    /**
     * Should private IP be enabled on this gateway for connections? Changing this forces a new resource to be created.
     */
    readonly privateIpAddressEnabled: pulumi.Output;
    /**
     * Whether this gateway is configured to accept traffic from other Azure Virtual Networks (remote vnet traffic). Defaults to `false`.
     */
    readonly remoteVnetTrafficEnabled: pulumi.Output;
    /**
     * The name of the resource group in which to create the Virtual Network Gateway. Changing this forces a new resource to be created.
     */
    readonly resourceGroupName: pulumi.Output;
    /**
     * Configuration of the size and capacity of the virtual network gateway. Valid options are `Basic`, `Standard`, `HighPerformance`, `UltraPerformance`, `ErGwScale`, `ErGw1AZ`, `ErGw2AZ`, `ErGw3AZ`, `VpnGw1`, `VpnGw2`, `VpnGw3`, `VpnGw4`, `VpnGw5`, `VpnGw1AZ`, `VpnGw2AZ`, `VpnGw3AZ`, `VpnGw4AZ` and `VpnGw5AZ` and depend on the `type`, `vpnType` and `generation` arguments. A `PolicyBased` gateway only supports the `Basic` SKU. Further, the `UltraPerformance` and `ErGwScale` SKUs are only supported by an `ExpressRoute` gateway.
     *
     * > **Note:** To build an UltraPerformance ExpressRoute Virtual Network gateway, the associated Public IP needs to be SKU "Basic" not "Standard"
     *
     * > **Note:** Not all SKUs (e.g. `ErGw1AZ`) are available in all regions. If you see `StatusCode=400 -- Original Error: Code="InvalidGatewaySkuSpecifiedForGatewayDeploymentType"` please try another region.
     */
    readonly sku: pulumi.Output;
    /**
     * A mapping of tags to assign to the resource.
     */
    readonly tags: pulumi.Output<{ [key: string]: string; } | undefined>;
    /**
     * The type of the Virtual Network Gateway. Valid options are `Vpn` or `ExpressRoute`. Changing the type forces a new resource to be created.
     */
    readonly type: pulumi.Output;
    /**
     * Whether this gateway is configured to accept traffic from remote Virtual WAN networks. Defaults to `false`.
     */
    readonly virtualWanTrafficEnabled: pulumi.Output;
    /**
     * A `vpnClientConfiguration` block which is documented below. In this block the Virtual Network Gateway can be configured to accept IPSec point-to-site connections.
     *
     * NOTE(review): this block carries the root and revoked certificates shown in the class example, so changes to it are presumably access-control changes for point-to-site clients and deserve review as such.
     */
    readonly vpnClientConfiguration: pulumi.Output;
    /**
     * The routing type of the Virtual Network Gateway. Valid options are `RouteBased` or `PolicyBased`. Defaults to `RouteBased`. Changing this forces a new resource to be created.
     */
    readonly vpnType: pulumi.Output;
    /**
     * Create a VirtualNetworkGateway resource with the given unique name, arguments, and options.
     *
     * @param name The _unique_ name of the resource.
     * @param args The arguments to use to populate this resource's properties.
     * @param opts A bag of options that control this resource's behavior.
     */
    constructor(name: string, args: VirtualNetworkGatewayArgs, opts?: pulumi.CustomResourceOptions);
}
/**
 * Input properties used for looking up and filtering VirtualNetworkGateway resources.
 * Every property is optional here; this is the type of the `state` parameter of `VirtualNetworkGateway.get`.
 */
export interface VirtualNetworkGatewayState {
    /**
     * If `true`, an active-active Virtual Network Gateway will be created. An active-active gateway requires a `HighPerformance` or an `UltraPerformance` SKU. If `false`, an active-standby gateway will be created. Defaults to `false`.
     */
    activeActive?: pulumi.Input;
    /**
     * If `true`, BGP (Border Gateway Protocol) will be enabled for this Virtual Network Gateway. Defaults to `false`.
     */
    bgpEnabled?: pulumi.Input;
    /**
     * Is BGP Route Translation for NAT enabled? Defaults to `false`.
     */
    bgpRouteTranslationForNatEnabled?: pulumi.Input;
    /**
     * A `bgpSettings` block which is documented below. In this block the BGP specific settings can be defined.
     */
    bgpSettings?: pulumi.Input;
    /**
     * A `customRoute` block as defined below. Specifies a custom routes address space for a virtual network gateway and a VpnClient.
     */
    customRoute?: pulumi.Input;
    /**
     * The ID of the local network gateway through which outbound Internet traffic from the virtual network in which the gateway is created will be routed (*forced tunnelling*). Refer to the [Azure documentation on forced tunnelling](https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-forced-tunneling-rm). If not specified, forced tunnelling is disabled.
     */
    defaultLocalNetworkGatewayId?: pulumi.Input;
    /**
     * Is DNS forwarding enabled?
     */
    dnsForwardingEnabled?: pulumi.Input;
    /**
     * Specifies the Edge Zone within the Azure Region where this Virtual Network Gateway should exist. Changing this forces a new Virtual Network Gateway to be created.
     */
    edgeZone?: pulumi.Input;
    /**
     * @deprecated the `enableBgp` property has been deprecated in favour of the `bgpEnabled` property and will be removed in v5.0 of the AzureRM Provider
     */
    enableBgp?: pulumi.Input;
    /**
     * The Generation of the Virtual Network gateway. Possible values include `Generation1`, `Generation2` or `None`. Changing this forces a new resource to be created.
     *
     * > **Note:** The available values depend on the `type` and `sku` arguments - where `Generation2` is only value for a `sku` larger than `VpnGw2` or `VpnGw2AZ`.
     */
    generation?: pulumi.Input;
    /**
     * One or more (up to 3) `ipConfiguration` blocks documented below. Changing this forces a new resource to be created. An active-standby gateway requires exactly one `ipConfiguration` block, an active-active gateway requires exactly two `ipConfiguration` blocks whereas an active-active zone redundant gateway with P2S configuration requires exactly three `ipConfiguration` blocks.
     */
    ipConfigurations?: pulumi.Input[]>;
    /**
     * Is IPsec replay protection enabled? Defaults to `true`.
     *
     * NOTE(review): with this set to `false` the gateway presumably stops rejecting re-sent IPsec packets; keep the default unless a specific peer requires otherwise.
     */
    ipSecReplayProtectionEnabled?: pulumi.Input;
    /**
     * The location/region where the Virtual Network Gateway is located. Changing this forces a new resource to be created.
     */
    location?: pulumi.Input;
    /**
     * The name of the Virtual Network Gateway. Changing this forces a new resource to be created.
     */
    name?: pulumi.Input;
    /**
     * One or more `policyGroup` blocks as defined below.
     */
    policyGroups?: pulumi.Input[]>;
    /**
     * Should private IP be enabled on this gateway for connections? Changing this forces a new resource to be created.
     */
    privateIpAddressEnabled?: pulumi.Input;
    /**
     * Whether this gateway is configured to accept traffic from other Azure Virtual Networks (remote vnet traffic). Defaults to `false`.
     */
    remoteVnetTrafficEnabled?: pulumi.Input;
    /**
     * The name of the resource group in which to create the Virtual Network Gateway. Changing this forces a new resource to be created.
     */
    resourceGroupName?: pulumi.Input;
    /**
     * Configuration of the size and capacity of the virtual network gateway. Valid options are `Basic`, `Standard`, `HighPerformance`, `UltraPerformance`, `ErGwScale`, `ErGw1AZ`, `ErGw2AZ`, `ErGw3AZ`, `VpnGw1`, `VpnGw2`, `VpnGw3`, `VpnGw4`, `VpnGw5`, `VpnGw1AZ`, `VpnGw2AZ`, `VpnGw3AZ`, `VpnGw4AZ` and `VpnGw5AZ` and depend on the `type`, `vpnType` and `generation` arguments. A `PolicyBased` gateway only supports the `Basic` SKU. Further, the `UltraPerformance` and `ErGwScale` SKUs are only supported by an `ExpressRoute` gateway.
     *
     * > **Note:** To build an UltraPerformance ExpressRoute Virtual Network gateway, the associated Public IP needs to be SKU "Basic" not "Standard"
     *
     * > **Note:** Not all SKUs (e.g. `ErGw1AZ`) are available in all regions. If you see `StatusCode=400 -- Original Error: Code="InvalidGatewaySkuSpecifiedForGatewayDeploymentType"` please try another region.
     */
    sku?: pulumi.Input;
    /**
     * A mapping of tags to assign to the resource.
     */
    tags?: pulumi.Input<{ [key: string]: pulumi.Input; }>;
    /**
     * The type of the Virtual Network Gateway. Valid options are `Vpn` or `ExpressRoute`. Changing the type forces a new resource to be created.
     */
    type?: pulumi.Input;
    /**
     * Whether this gateway is configured to accept traffic from remote Virtual WAN networks. Defaults to `false`.
     */
    virtualWanTrafficEnabled?: pulumi.Input;
    /**
     * A `vpnClientConfiguration` block which is documented below. In this block the Virtual Network Gateway can be configured to accept IPSec point-to-site connections.
     *
     * NOTE(review): this block carries the root and revoked certificates shown in the class example, so changes to it are presumably access-control changes for point-to-site clients and deserve review as such.
     */
    vpnClientConfiguration?: pulumi.Input;
    /**
     * The routing type of the Virtual Network Gateway. Valid options are `RouteBased` or `PolicyBased`. Defaults to `RouteBased`. Changing this forces a new resource to be created.
     */
    vpnType?: pulumi.Input;
}
/**
 * The set of arguments for constructing a VirtualNetworkGateway resource.
 * `ipConfigurations`, `resourceGroupName`, `sku` and `type` are required; every other property is optional.
 */
export interface VirtualNetworkGatewayArgs {
    /**
     * If `true`, an active-active Virtual Network Gateway will be created. An active-active gateway requires a `HighPerformance` or an `UltraPerformance` SKU. If `false`, an active-standby gateway will be created. Defaults to `false`.
     */
    activeActive?: pulumi.Input;
    /**
     * If `true`, BGP (Border Gateway Protocol) will be enabled for this Virtual Network Gateway. Defaults to `false`.
     */
    bgpEnabled?: pulumi.Input;
    /**
     * Is BGP Route Translation for NAT enabled? Defaults to `false`.
     */
    bgpRouteTranslationForNatEnabled?: pulumi.Input;
    /**
     * A `bgpSettings` block which is documented below. In this block the BGP specific settings can be defined.
     */
    bgpSettings?: pulumi.Input;
    /**
     * A `customRoute` block as defined below. Specifies a custom routes address space for a virtual network gateway and a VpnClient.
     */
    customRoute?: pulumi.Input;
    /**
     * The ID of the local network gateway through which outbound Internet traffic from the virtual network in which the gateway is created will be routed (*forced tunnelling*). Refer to the [Azure documentation on forced tunnelling](https://docs.microsoft.com/azure/vpn-gateway/vpn-gateway-forced-tunneling-rm). If not specified, forced tunnelling is disabled.
     */
    defaultLocalNetworkGatewayId?: pulumi.Input;
    /**
     * Is DNS forwarding enabled?
     */
    dnsForwardingEnabled?: pulumi.Input;
    /**
     * Specifies the Edge Zone within the Azure Region where this Virtual Network Gateway should exist. Changing this forces a new Virtual Network Gateway to be created.
     */
    edgeZone?: pulumi.Input;
    /**
     * @deprecated the `enableBgp` property has been deprecated in favour of the `bgpEnabled` property and will be removed in v5.0 of the AzureRM Provider
     */
    enableBgp?: pulumi.Input;
    /**
     * The Generation of the Virtual Network gateway. Possible values include `Generation1`, `Generation2` or `None`. Changing this forces a new resource to be created.
     *
     * > **Note:** The available values depend on the `type` and `sku` arguments - where `Generation2` is only value for a `sku` larger than `VpnGw2` or `VpnGw2AZ`.
     */
    generation?: pulumi.Input;
    /**
     * One or more (up to 3) `ipConfiguration` blocks documented below. Changing this forces a new resource to be created. An active-standby gateway requires exactly one `ipConfiguration` block, an active-active gateway requires exactly two `ipConfiguration` blocks whereas an active-active zone redundant gateway with P2S configuration requires exactly three `ipConfiguration` blocks.
     */
    ipConfigurations: pulumi.Input[]>;
    /**
     * Is IPsec replay protection enabled? Defaults to `true`.
     *
     * NOTE(review): with this set to `false` the gateway presumably stops rejecting re-sent IPsec packets; keep the default unless a specific peer requires otherwise.
     */
    ipSecReplayProtectionEnabled?: pulumi.Input;
    /**
     * The location/region where the Virtual Network Gateway is located. Changing this forces a new resource to be created.
     */
    location?: pulumi.Input;
    /**
     * The name of the Virtual Network Gateway. Changing this forces a new resource to be created.
     */
    name?: pulumi.Input;
    /**
     * One or more `policyGroup` blocks as defined below.
     */
    policyGroups?: pulumi.Input[]>;
    /**
     * Should private IP be enabled on this gateway for connections? Changing this forces a new resource to be created.
     */
    privateIpAddressEnabled?: pulumi.Input;
    /**
     * Whether this gateway is configured to accept traffic from other Azure Virtual Networks (remote vnet traffic). Defaults to `false`.
     */
    remoteVnetTrafficEnabled?: pulumi.Input;
    /**
     * The name of the resource group in which to create the Virtual Network Gateway. Changing this forces a new resource to be created.
     */
    resourceGroupName: pulumi.Input;
    /**
     * Configuration of the size and capacity of the virtual network gateway. Valid options are `Basic`, `Standard`, `HighPerformance`, `UltraPerformance`, `ErGwScale`, `ErGw1AZ`, `ErGw2AZ`, `ErGw3AZ`, `VpnGw1`, `VpnGw2`, `VpnGw3`, `VpnGw4`, `VpnGw5`, `VpnGw1AZ`, `VpnGw2AZ`, `VpnGw3AZ`, `VpnGw4AZ` and `VpnGw5AZ` and depend on the `type`, `vpnType` and `generation` arguments. A `PolicyBased` gateway only supports the `Basic` SKU. Further, the `UltraPerformance` and `ErGwScale` SKUs are only supported by an `ExpressRoute` gateway.
     *
     * > **Note:** To build an UltraPerformance ExpressRoute Virtual Network gateway, the associated Public IP needs to be SKU "Basic" not "Standard"
     *
     * > **Note:** Not all SKUs (e.g. `ErGw1AZ`) are available in all regions. If you see `StatusCode=400 -- Original Error: Code="InvalidGatewaySkuSpecifiedForGatewayDeploymentType"` please try another region.
     */
    sku: pulumi.Input;
    /**
     * A mapping of tags to assign to the resource.
     */
    tags?: pulumi.Input<{ [key: string]: pulumi.Input; }>;
    /**
     * The type of the Virtual Network Gateway. Valid options are `Vpn` or `ExpressRoute`. Changing the type forces a new resource to be created.
     */
    type: pulumi.Input;
    /**
     * Whether this gateway is configured to accept traffic from remote Virtual WAN networks. Defaults to `false`.
     */
    virtualWanTrafficEnabled?: pulumi.Input;
    /**
     * A `vpnClientConfiguration` block which is documented below. In this block the Virtual Network Gateway can be configured to accept IPSec point-to-site connections.
     *
     * NOTE(review): this block carries the root and revoked certificates shown in the class example, so changes to it are presumably access-control changes for point-to-site clients and deserve review as such.
     */
    vpnClientConfiguration?: pulumi.Input;
    /**
     * The routing type of the Virtual Network Gateway. Valid options are `RouteBased` or `PolicyBased`. Defaults to `RouteBased`. Changing this forces a new resource to be created.
     */
    vpnType?: pulumi.Input;
}