Bicep Module Documentation
| Property | Value | Description |
|---|---|---|
| general (required) | general | Shared deployment parameters of the resource (location, resource group, naming, tags, resource locks, role assignments). |
| activeActive | bool | Deploy the gateway in active-active mode, so both gateway instances terminate tunnels and the loss of one instance does not drop connectivity. (default: false) |
| publicIPAddressNaming | naming | Naming of the public IP. |
| ddosProtectionMode | 'Disabled' 'Enabled' 'VirtualNetworkInherited' | DDoS protection mode of the public IP. Enabled configures protection per IP; VirtualNetworkInherited uses the plan attached to the virtual network. (default: VirtualNetworkInherited) |
| adminState | 'Disabled' 'Enabled' | Whether this ExpressRoute gateway serves traffic when there are multiple ExpressRoute gateways in the virtual network. |
| allowRemoteVnetTraffic | bool | Configure this gateway to accept traffic from other Azure Virtual Networks. This configuration does not support connectivity to Azure Virtual WAN. (default: false) |
| allowVirtualWanTraffic | bool | Configures this gateway to accept traffic from remote Virtual WAN networks. (default: false) |
| bgpSettings | bgpSettings | Virtual network gateway BGP speaker settings. |
| customRoutesAddressPrefixes | string[] | Custom routes, as address prefixes in CIDR notation, that the gateway advertises to P2S VPN clients in addition to the virtual network address space. |
| disableIPSecReplayProtection | bool | Disable IPsec anti-replay protection. Replay protection is what rejects captured ESP packets that are re-sent; leave this false unless a peer device demonstrably requires it. |
| enableBgp | bool | Whether BGP is enabled for this virtual network gateway or not. |
| enableBgpRouteTranslationForNat | bool | Enable BGP route translation for NAT. |
| enableDnsForwarding | bool | Whether dns forwarding is enabled or not. |
| enablePrivateIpAddress | bool | Whether private IP needs to be enabled on this gateway for connections or not. |
| gatewayDefaultSiteId | string | The id of the local network gateway which represents the local network [ResourceId]. |
| gatewayType | 'ExpressRoute' 'LocalGateway' 'Vpn' | The type of the virtual network gateway. (default: Vpn) |
| sku (required) | 'Basic' 'ErGw1AZ' 'ErGw2AZ' 'ErGw3AZ' 'HighPerformance' 'Standard' 'UltraPerformance' 'VpnGw1' 'VpnGw1AZ' 'VpnGw2' 'VpnGw2AZ' 'VpnGw3' 'VpnGw3AZ' 'VpnGw4' 'VpnGw4AZ' 'VpnGw5' 'VpnGw5AZ' | The SKU of the virtual network gateway. |
| vpnGatewayGeneration | 'Generation1' 'Generation2' 'None' | The generation of this virtual network gateway; must be None when gatewayType is not 'Vpn'. |
| vpnType | 'PolicyBased' 'RouteBased' | The VPN type of this gateway. Custom IPsec/IKE policies, BGP and P2S all require RouteBased. (default: RouteBased) |
| vpnClientConfiguration | vpnClientConfiguration | The reference to the VpnClientConfiguration resource which represents the P2S VpnClient configurations. |
| subnetId (required) | string | Subnet to associate with the virtual network gateway. It must be named GatewaySubnet, be at least a /27, and can be defined only once per virtual network. [ResourceId] |
| privateIPAllocationMethod | 'Dynamic' 'Static' | Determines how IP addresses are assigned in the GatewaySubnet. (default: Dynamic) |
| connections | connection[] | List of connections to be made from this gateway. |
| keyVaultId | string | Resource ID of the key vault that holds the pre-shared keys (PSK) of the connections; each connection selects its secret through keyVaultSecretName. |

bgpSettings
| Property | Value | Description |
|---|---|---|
| asn (required) | int | The BGP speaker ASN. |
| bgpPeeringAddress (required) | string | The BGP peering address and BGP identifier of this BGP speaker. |
| bgpPeeringAddresses (required) | virtualNetworkGatewayBGPPeeringAddress[] | BGP peering address with IP configuration ID for virtual network gateway. |
| peerWeight (required) | int | The weight added to routes learned from this BGP speaker. |

vpnClientConfiguration
| Property | Value | Description |
|---|---|---|
| aadAudience | string | The AADAudience property of the VirtualNetworkGateway resource for vpn client connection used for AAD authentication. |
| aadIssuer | string | The AADIssuer property of the VirtualNetworkGateway resource for vpn client connection used for AAD authentication. |
| aadTenant | string | The AADTenant property of the VirtualNetworkGateway resource for vpn client connection used for AAD authentication. |
| radiusServerAddress | string | The radius server address property of the VirtualNetworkGateway resource for vpn client connection. |
| radiusServers | radiusServers[] | The radiusServers property for multiple radius server configuration. |
| radiusServerSecret | string | The radius secret property of the VirtualNetworkGateway resource for vpn client connection. |
| vngClientConnectionConfigurations | vngClientConnectionConfigurations[] | Per IP address pool connection policy for virtual network gateway P2S client. |
| vpnAuthenticationTypes (required) | Array containing any of: 'AAD' 'Certificate' 'Radius' | VPN authentication types for the virtual network gateway. |
| vpnClientAddressPool | vpnClientAddressPool | The reference to the address space resource which represents Address space for P2S VpnClient. |
| vpnClientIpsecPolicies | ipsecPolicy[] | IPsecPolicies for virtual network gateway P2S client. |
| vpnClientProtocols (required) | Array containing any of: 'IkeV2' 'OpenVPN' 'SSTP' | Client protocols for the virtual network gateway. |
| vpnClientRevokedCertificates | vpnClientRevokedCertificates[] | Client certificates revoked for P2S access. |
| vpnClientRootCertificates | vpnClientRootCertificates[] | Root certificates trusted to issue P2S client certificates. |

radiusServers
| Property | Value | Description |
|---|---|---|
| radiusServerAddress (required) | string | The address of this radius server. |
| radiusServerScore | int | The initial score assigned to this radius server. |
| radiusServerSecret | string | The secret used for this radius server. |

| Property | Value | Description |
|---|---|---|
| id (required) | string | Resource ID. |

vpnClientAddressPool
| Property | Value | Description |
|---|---|---|
| addressPrefixes (required) | string[] | Address blocks, in CIDR notation, from which P2S VPN clients are assigned addresses; they must not overlap the virtual network or on-premises ranges. |

properties of a vpnClientRootCertificates entry
| Property | Value | Description |
|---|---|---|
| publicCertData (required) | string | The certificate public data. |

vpnClientRootCertificates
| Property | Value | Description |
|---|---|---|
| id | string | Resource ID. |
| name | string | The name of the resource that is unique within a resource group. This name can be used to access the resource. |
| properties (required) | properties | Properties of the vpn client root certificate. |

| Property | Value | Description |
|---|---|---|
| id | string | Resource ID. |
| name | string | The name of the resource that is unique within a resource group. This name can be used to access the resource. |
| properties (required) | properties | |

| Property | Value | Description |
|---|---|---|
| id | string | Resource ID. |
| name | string | The name of the resource that is unique within a resource group. This name can be used to access the resource. |
| properties (required) | properties | |

virtualNetworkGatewayBGPPeeringAddress
| Property | Value | Description |
|---|---|---|
| customBgpIpAddresses (required) | string[] | The list of custom BGP peering addresses which belong to IP configuration. |
| ipconfigurationId (required) | string | The ID of IP configuration which belongs to gateway. |

connection
| Property | Value | Description |
|---|---|---|
| naming (required) | naming | Naming module of the connection resource. |
| authorizationKey | string | The authorization key. |
| connectionMode | 'Default' 'InitiatorOnly' 'ResponderOnly' | The connection mode for this connection. |
| connectionProtocol | 'IKEv1' 'IKEv2' | Connection protocol used for this connection. |
| connectionType (required) | 'ExpressRoute' 'IPsec' 'VPNClient' 'Vnet2Vnet' | Gateway connection type. |
| dpdTimeoutSeconds | int | The dead peer detection timeout of this connection in seconds. |
| ingressNatRulesIds | string[] | List of ingress NatRules. |
| egressNatRulesIds | string[] | List of egress NatRules. |
| ipsecPolicies | ipsecPolicy[] | The IPSec Policies to be considered by this connection. |
| trafficSelectorPolicies | trafficSelectorPolicy[] | The Traffic Selector Policies to be considered by this connection. |
| enableBgp | bool | Whether BGP is enabled for this connection. |
| enablePrivateLinkFastPath | bool | Bypass the ExpressRoute gateway when accessing private-links. ExpressRoute FastPath (expressRouteGatewayBypass) must be enabled. |
| expressRouteGatewayBypass | bool | Bypass ExpressRoute Gateway for data forwarding. |
| gatewayCustomBgpIpAddresses | customBGPIPAddressConfiguration[] | GatewayCustomBgpIpAddresses to be used for virtual network gateway Connection. |
| localNetworkGatewayId | string | The reference to the local network gateway or on premises network. |
| virtualNetworkGateway2Id | string | For Vnet2Vnet connections, the resource ID of the second virtual network gateway. [ResourceId] |
| peer | string | The reference to the ExpressRoute circuit peering resource, used for ExpressRoute connections. [ResourceId] |
| routingWeight | int | The routing weight. |
| useLocalAzureIpAddress | bool | Use private local Azure IP for the connection. |
| usePolicyBasedTrafficSelectors | bool | Enable policy-based traffic selectors. |
| keyVaultSecretName | string | Name of the key vault secret in the key vault. Mandatory for VPN, optional for ExpressRoute connection. |

ipsecPolicy
| Property | Value | Description |
|---|---|---|
| dhGroup (required) | 'DHGroup1' 'DHGroup14' 'DHGroup2' 'DHGroup2048' 'DHGroup24' 'ECP256' 'ECP384' 'None' | The Diffie-Hellman group used in IKE Phase 1 to establish the initial (IKE) SA. |
| ikeEncryption (required) | 'AES128' 'AES192' 'AES256' 'DES' 'DES3' 'GCMAES128' 'GCMAES256' | The IKE encryption algorithm (IKE Phase 1, Main Mode / IKE SA). |
| ikeIntegrity (required) | 'GCMAES128' 'GCMAES256' 'MD5' 'SHA1' 'SHA256' 'SHA384' | The IKE integrity algorithm (IKE Phase 1, Main Mode / IKE SA). When ikeEncryption is a GCMAES value, the same GCMAES value must be used here. |
| ipsecEncryption (required) | 'AES128' 'AES192' 'AES256' 'DES' 'DES3' 'GCMAES128' 'GCMAES192' 'GCMAES256' 'None' | The IPsec encryption algorithm (IKE Phase 2, Quick Mode / child SA). |
| ipsecIntegrity (required) | 'GCMAES128' 'GCMAES192' 'GCMAES256' 'MD5' 'SHA1' 'SHA256' | The IPsec integrity algorithm (IKE Phase 2, Quick Mode / child SA). When ipsecEncryption is a GCMAES value, the same GCMAES value must be used here. |
| pfsGroup (required) | 'ECP256' 'ECP384' 'None' 'PFS1' 'PFS14' 'PFS2' 'PFS2048' 'PFS24' 'PFSMM' | The PFS group used in IKE Phase 2 for each new child SA. |
| saDataSizeKilobytes (required) | int | The IPsec Security Association (also called Quick Mode or Phase 2 SA) data lifetime in KB for a site-to-site VPN tunnel: the traffic volume after which the SA is rekeyed. |
| saLifeTimeSeconds (required) | int | The IPsec Security Association (also called Quick Mode or Phase 2 SA) lifetime in seconds for a site-to-site VPN tunnel. |

DES, DES3, MD5, SHA1, DHGroup1, DHGroup2, PFS1 and PFS2 remain in these enums for compatibility with legacy peers and should not be selected for new tunnels.

trafficSelectorPolicy
| Property | Value | Description |
|---|---|---|
| localAddressRanges (required) | string[] | A collection of local address spaces in CIDR format. |
| remoteAddressRanges (required) | string[] | A collection of remote address spaces in CIDR format. |

customBGPIPAddressConfiguration
| Property | Value | Description |
|---|---|---|
| customBgpIpAddress (required) | string | The custom BgpPeeringAddress which belongs to IpconfigurationId. |
| ipConfigurationId (required) | string | The IpconfigurationId of ipconfiguration which belongs to gateway. |

resourceLock
| Property | Value | Description |
|---|---|---|
| name | string | Character limit: 1-90. Valid characters: alphanumerics, periods, underscores, hyphens, and parentheses. Cannot end in a period. |
| level (required) | 'CanNotDelete' 'ReadOnly' |
The level of the lock. CanNotDelete means authorized users can read and modify the resource but not delete it. ReadOnly means authorized users can only read the resource and can neither modify nor delete it. A ReadOnly lock must be commented out (removed) before the resource can be redeployed. |
| notes | string | Notes about the lock. Maximum of 512 characters. |
| owners | resourceLockOwner[] | The owners of the lock |

resourceLockOwner
| Property | Value | Description |
|---|---|---|
| applicationId (required) | string | The application ID of the lock owner. |

roleAssignment
| Property | Value | Description |
|---|---|---|
| principalId (required) | string | The principal ID |
| roleDefinitionId (required) | string | The role definition ID; a data file can be used to supply this |
| condition | string | Condition on the role assignment |
| conditionVersion | string | Version of the condition. Currently the only accepted value is "2.0" |
| delegatedManagedIdentityResourceId | string | Id of the delegated managed identity resource |
| description | string | Description of role assignment |

general
| Property | Value | Description |
|---|---|---|
| tags | object | Tags of the resource [hashtable] |
| location (required) | string | Location of the resource |
| naming (required) | naming | Naming module of the resource |
| resourceGroupName (required) | string | Name of the resource group where the resource should be located |
| sharedNaming (required) | naming | Reference to the default naming |
| roleAssignments | roleAssignment[] | Role assignments on the resource |
| resourceLocks | resourceLock[] | Resource Locks on the resource |

naming
| Property | Value | Description |
|---|---|---|
| forceFunctionAsFullName | bool | Use the function value as the full name of the resource |
| abbreviation | string | Override the abbreviation of this resource with this parameter |
| environment | string | The resource environment (for example: dev, tst, acc, prd) |
| location | string | The resource location (for example: weu, we, westeurope) |
| customer | string | The name of the customer |
| delimiter | string | The delimiter between name elements (default: -) |
| nameFormat | Array containing any of: 'abbreviation' 'customer' 'environment' 'function' 'location' 'param1' 'param2' 'param3' 'useCaseName' |
The order of the array defines the order of elements in the naming scheme |
| param1 | string | Extra parameter self defined |
| param2 | string | Extra parameter self defined |
| param3 | string | Extra parameter self defined |
| function (required) | string | Function of the resource [can be app, db, security,...] |
| useCaseName | string | Name of the use case [can be hub, spoke,...] |
| suffix | string | Suffix for the resource; if empty, nothing is appended, otherwise it is added to the end of the name [can be index, ...] |
| forceDefaultNaming | bool | Force the CAF naming instead of default company naming |