VPN scenario

Approx. cost: ~$327 / month (VpnGw2AZ).

Everything in baseline plus:

  • VPN public IP (Standard, zonal)
  • azurerm_virtual_network_gateway (Vpn / RouteBased / VpnGw2AZ / Generation 2)
  • Hub ↔ Spoke VNet peering with gateway transit enabled (spoke uses the hub’s gateway)

NAT Gateway on the spoke is kept for outbound internet (only the firewall scenarios disable it).
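The peering pair behind gateway transit, written out as an added example rather than the module's own code; it assumes azurerm_virtual_network.hub / .spoke, azurerm_resource_group.this["hub"] / ["spoke"], azurerm_virtual_network_gateway.vpn and local.suffix exist with the names used in the template below:

```hcl
# Added example: hub <-> spoke peering with gateway transit (not the module's code).
# Assumed names: azurerm_virtual_network.hub / .spoke, azurerm_resource_group.this,
# azurerm_virtual_network_gateway.vpn (count-based, as in the template), local.suffix.

resource "azurerm_virtual_network_peering" "hub_to_spoke" {
  name                      = "peer-hub-spoke-${local.suffix}"
  resource_group_name       = azurerm_resource_group.this["hub"].name
  virtual_network_name      = azurerm_virtual_network.hub.name
  remote_virtual_network_id = azurerm_virtual_network.spoke.id

  allow_virtual_network_access = true
  allow_forwarded_traffic      = true
  allow_gateway_transit        = true  # hub side: offer its VPN gateway to the spoke
  use_remote_gateways          = false # the hub owns the gateway, it does not borrow one
}

resource "azurerm_virtual_network_peering" "spoke_to_hub" {
  name                      = "peer-spoke-hub-${local.suffix}"
  resource_group_name       = azurerm_resource_group.this["spoke"].name
  virtual_network_name      = azurerm_virtual_network.spoke.name
  remote_virtual_network_id = azurerm_virtual_network.hub.id

  allow_virtual_network_access = true
  allow_forwarded_traffic      = true
  allow_gateway_transit        = false
  use_remote_gateways          = true  # spoke side: learn on-premises routes via the hub gateway

  # use_remote_gateways is only accepted once the hub gateway exists and the hub side
  # has allow_gateway_transit set, so order both explicitly instead of relying on luck.
  depends_on = [
    azurerm_virtual_network_gateway.vpn,
    azurerm_virtual_network_peering.hub_to_spoke,
  ]
}
```

Only one VNet in a peering pair may have use_remote_gateways set, and the spoke must not deploy its own gateway; otherwise Azure rejects the peering update.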

To keep the module deployable without customer-side info, the following are not created automatically:

  • azurerm_local_network_gateway — needs the customer’s on-premises peer IP + CIDR(s)
  • azurerm_virtual_network_gateway_connection — needs the shared key (PSK)

Add them in a small post-deploy file once those values are known. Example template:

resource "azurerm_local_network_gateway" "onprem" {
  name                = "lng-onprem-${local.suffix}"
  resource_group_name = azurerm_resource_group.this["hub"].name
  location            = var.location
  gateway_address     = "<customer-public-ip>"        # customer's on-premises VPN peer IP
  address_space       = var.on_premises_address_space # on-premises CIDR(s) reachable over the tunnel
}

resource "azurerm_virtual_network_gateway_connection" "s2s" {
  name                       = "cn-s2s-${local.suffix}"
  resource_group_name        = azurerm_resource_group.this["hub"].name
  location                   = var.location
  type                       = "IPsec"
  virtual_network_gateway_id = azurerm_virtual_network_gateway.vpn[0].id
  local_network_gateway_id   = azurerm_local_network_gateway.onprem.id
  shared_key                 = var.vpn_shared_key # mark sensitive (see variable below)
}

# Declare the PSK variable alongside the template if the module does not already define it.
variable "vpn_shared_key" {
  description = "Pre-shared key for the site-to-site IPsec connection"
  type        = string
  sensitive   = true # redacted from plan/apply output; it is still stored in state, so protect the backend
}

This scenario fits when:

  • The customer needs hybrid connectivity (file shares, AD DS, monitoring agents)
  • There is no requirement for centralized egress inspection
  • The deployment is cost-sensitive (no firewall)

Use the configuration generator and choose site-to-site connectivity. Its commands preview, deploy, and verify the gateway; then continue with Post-deploy VPN connection.