VPN scenario
Approx. cost: ~$327 / month (VpnGw2AZ).
What you get

Everything in baseline plus:
- VPN public IP (Standard, zonal)
- azurerm_virtual_network_gateway (VPN, RouteBased, VpnGw2AZ, Generation 2)
- Hub ↔ Spoke VNet peering with gateway transit enabled (the spoke uses the hub’s gateway)
NAT Gateway on the spoke is kept for outbound internet (only the firewall scenarios disable it).
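The gateway-transit peering is the piece that lets on-premises prefixes reach the spoke without the spoke owning a gateway. The pair of peering resources below is an added example of that wiring, not the module’s own code; the resource names azurerm_virtual_network.hub, azurerm_virtual_network.spoke and azurerm_virtual_network_gateway.vpn are assumed, as is the indexing of azurerm_resource_group.this.

```hcl
# Added example, not the module's own code. Assumed names: azurerm_virtual_network.hub,
# azurerm_virtual_network.spoke, azurerm_virtual_network_gateway.vpn, azurerm_resource_group.this[...].

# Hub side: offer the hub's VPN gateway to the peered spoke.
resource "azurerm_virtual_network_peering" "hub_to_spoke" {
  name                         = "peer-hub-to-spoke"
  resource_group_name          = azurerm_resource_group.this["hub"].name
  virtual_network_name         = azurerm_virtual_network.hub.name
  remote_virtual_network_id    = azurerm_virtual_network.spoke.id
  allow_virtual_network_access = true
  allow_forwarded_traffic      = true  # traffic arriving from on-prem is "forwarded" from the spoke's view
  allow_gateway_transit        = true  # hub exposes its gateway over this peering
  use_remote_gateways          = false
}

# Spoke side: consume the hub's gateway; Azure then programs on-prem routes into the spoke.
resource "azurerm_virtual_network_peering" "spoke_to_hub" {
  name                         = "peer-spoke-to-hub"
  resource_group_name          = azurerm_resource_group.this["spoke"].name
  virtual_network_name         = azurerm_virtual_network.spoke.name
  remote_virtual_network_id    = azurerm_virtual_network.hub.id
  allow_virtual_network_access = true
  allow_forwarded_traffic      = true
  allow_gateway_transit        = false
  use_remote_gateways          = true  # only valid once the hub gateway exists

  # The API rejects use_remote_gateways while the hub gateway is still being created,
  # so make the dependency explicit instead of relying on apply ordering.
  depends_on = [azurerm_virtual_network_gateway.vpn]
}
```

Two constraints follow from this layout: a VNet with use_remote_gateways set cannot have its own gateway, and a spoke may use a remote gateway over only one of its peerings. The spoke’s NAT Gateway is unaffected, since it serves internet egress, not the on-premises prefixes learned through the hub.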
What’s intentionally deferred

To keep the module deployable without customer-side information, the following are not created automatically:
- azurerm_local_network_gateway needs the customer’s on-premises peer IP and CIDR(s)
- azurerm_virtual_network_gateway_connection needs the shared key (PSK)
Add them in a small post-deploy file once those values are known. Example template:
```hcl
resource "azurerm_local_network_gateway" "onprem" {
  name                = "lng-onprem-${local.suffix}"
  resource_group_name = azurerm_resource_group.this["hub"].name
  location            = var.location
  gateway_address     = "<customer-public-ip>"
  address_space       = var.on_premises_address_space
}

resource "azurerm_virtual_network_gateway_connection" "s2s" {
  name                       = "cn-s2s-${local.suffix}"
  resource_group_name        = azurerm_resource_group.this["hub"].name
  location                   = var.location
  type                       = "IPsec"
  virtual_network_gateway_id = azurerm_virtual_network_gateway.vpn[0].id
  local_network_gateway_id   = azurerm_local_network_gateway.onprem.id
  shared_key                 = var.vpn_shared_key # declare the variable with sensitive = true
}
```

When to choose it
- The customer needs hybrid connectivity (file shares, AD DS, monitoring agents)
- No requirement for centralized egress inspection
- Cost-sensitive (no firewall)
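The post-deploy template under “What’s intentionally deferred” leaves the PSK variable and the IKE/IPsec parameters to the reader. The following is an added example of how a practitioner would typically fill those in; it is not part of the module. The variable names match the template, the minimum PSK length is an assumed house rule, and the cipher suite is one common choice, not a requirement of the module.

```hcl
# Added example, not the module's own code. Variable names match the post-deploy template;
# the 32-character minimum and the cipher suite below are assumptions, not module defaults.

variable "vpn_shared_key" {
  description = "IPsec pre-shared key for the site-to-site connection."
  type        = string
  sensitive   = true # keeps the value out of plan/apply output (it is still stored in state)

  validation {
    # Azure accepts 1-128 printable ASCII characters; insist on a long random value.
    condition     = length(var.vpn_shared_key) >= 32 && length(var.vpn_shared_key) <= 128
    error_message = "vpn_shared_key must be a random string of 32 to 128 characters."
  }
}

variable "on_premises_address_space" {
  description = "On-premises CIDR(s) reachable over the tunnel."
  type        = list(string)
}

resource "azurerm_virtual_network_gateway_connection" "s2s" {
  name                       = "cn-s2s-${local.suffix}"
  resource_group_name        = azurerm_resource_group.this["hub"].name
  location                   = var.location
  type                       = "IPsec"
  connection_protocol        = "IKEv2" # RouteBased gateways support IKEv2; IKEv1 is the weaker fallback
  virtual_network_gateway_id = azurerm_virtual_network_gateway.vpn[0].id
  local_network_gateway_id   = azurerm_local_network_gateway.onprem.id
  shared_key                 = var.vpn_shared_key

  # Pin the proposal instead of accepting the Azure default set, so a weak
  # on-premises configuration fails to negotiate rather than silently downgrading.
  ipsec_policy {
    dh_group         = "DHGroup14"
    ike_encryption   = "AES256"
    ike_integrity    = "SHA256"
    ipsec_encryption = "GCMAES256"
    ipsec_integrity  = "GCMAES256"
    pfs_group        = "PFS2048"
    sa_lifetime      = 27000     # seconds
    sa_datasize      = 102400000 # KB
  }
}
```

Generate the key outside Terraform (for example `openssl rand -base64 48`) and pass it through a `TF_VAR_vpn_shared_key` environment variable or a secret store rather than a committed tfvars file. Marking the variable sensitive only redacts CLI output; the PSK still lands in the state file, so the state backend needs the same access controls as the key itself. The ipsec_policy block must match the on-premises device’s proposal exactly, so agree on it with the customer at the same time as the peer IP and CIDRs.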
Deploy

Use the configuration generator and choose site-to-site connectivity. Its commands preview, deploy, and verify the gateway; then continue with Post-deploy VPN connection.