Microsoft.Network vpnGateways/vpnConnections

ARM template resource definition

The vpnGateways/vpnConnections resource type can be deployed with operations that target:

For a list of changed properties in each API version, see change log.

Resource format

To create a Microsoft.Network/vpnGateways/vpnConnections resource, add the following JSON to your template.

{
  "type": "Microsoft.Network/vpnGateways/vpnConnections",
  "apiVersion": "2023-04-01",
  "name": "string",
  "properties": {
    "connectionBandwidth": "int",
    "dpdTimeoutSeconds": "int",
    "enableBgp": "bool",
    "enableInternetSecurity": "bool",
    "enableRateLimiting": "bool",
    "ipsecPolicies": [
      {
        "dhGroup": "string",
        "ikeEncryption": "string",
        "ikeIntegrity": "string",
        "ipsecEncryption": "string",
        "ipsecIntegrity": "string",
        "pfsGroup": "string",
        "saDataSizeKilobytes": "int",
        "saLifeTimeSeconds": "int"
      }
    ],
    "remoteVpnSite": {
      "id": "string"
    },
    "routingConfiguration": {
      "associatedRouteTable": {
        "id": "string"
      },
      "inboundRouteMap": {
        "id": "string"
      },
      "outboundRouteMap": {
        "id": "string"
      },
      "propagatedRouteTables": {
        "ids": [
          {
            "id": "string"
          }
        ],
        "labels": [ "string" ]
      },
      "vnetRoutes": {
        "staticRoutes": [
          {
            "addressPrefixes": [ "string" ],
            "name": "string",
            "nextHopIpAddress": "string"
          }
        ],
        "staticRoutesConfig": {
          "vnetLocalRouteOverrideCriteria": "string"
        }
      }
    },
    "routingWeight": "int",
    "sharedKey": "string",
    "trafficSelectorPolicies": [
      {
        "localAddressRanges": [ "string" ],
        "remoteAddressRanges": [ "string" ]
      }
    ],
    "useLocalAzureIpAddress": "bool",
    "usePolicyBasedTrafficSelectors": "bool",
    "vpnConnectionProtocolType": "string",
    "vpnLinkConnections": [
      {
        "id": "string",
        "name": "string",
        "properties": {
          "connectionBandwidth": "int",
          "egressNatRules": [
            {
              "id": "string"
            }
          ],
          "enableBgp": "bool",
          "enableRateLimiting": "bool",
          "ingressNatRules": [
            {
              "id": "string"
            }
          ],
          "ipsecPolicies": [
            {
              "dhGroup": "string",
              "ikeEncryption": "string",
              "ikeIntegrity": "string",
              "ipsecEncryption": "string",
              "ipsecIntegrity": "string",
              "pfsGroup": "string",
              "saDataSizeKilobytes": "int",
              "saLifeTimeSeconds": "int"
            }
          ],
          "routingWeight": "int",
          "sharedKey": "string",
          "useLocalAzureIpAddress": "bool",
          "usePolicyBasedTrafficSelectors": "bool",
          "vpnConnectionProtocolType": "string",
          "vpnGatewayCustomBgpAddresses": [
            {
              "customBgpIpAddress": "string",
              "ipConfigurationId": "string"
            }
          ],
          "vpnLinkConnectionMode": "string",
          "vpnSiteLink": {
            "id": "string"
          }
        }
      }
    ]
  }
}

Property values

vpnGateways/vpnConnections

Name Description Value
type The resource type 'Microsoft.Network/vpnGateways/vpnConnections'
apiVersion The resource api version '2023-04-01'
name The resource name

See how to set names and types for child resources in JSON ARM templates.
string (required)

Character limit: 1-80

Valid characters:
Alphanumerics, underscores, periods, and hyphens.

Start with alphanumeric. End alphanumeric or underscore.
properties Properties of the VPN connection. VpnConnectionProperties

VpnConnectionProperties

Name Description Value
connectionBandwidth Expected bandwidth in MBPS. int
dpdTimeoutSeconds DPD timeout in seconds for vpn connection. int
enableBgp EnableBgp flag. bool
enableInternetSecurity Enable internet security. bool
enableRateLimiting EnableBgp flag. bool
ipsecPolicies The IPSec Policies to be considered by this connection. IpsecPolicy[]
remoteVpnSite Id of the connected vpn site. SubResource
routingConfiguration The Routing Configuration indicating the associated and propagated route tables on this connection. RoutingConfiguration
routingWeight Routing weight for vpn connection. int
sharedKey SharedKey for the vpn connection. string
trafficSelectorPolicies The Traffic Selector Policies to be considered by this connection. TrafficSelectorPolicy[]
useLocalAzureIpAddress Use local azure ip to initiate connection. bool
usePolicyBasedTrafficSelectors Enable policy-based traffic selectors. bool
vpnConnectionProtocolType Connection protocol used for this connection. 'IKEv1'
'IKEv2'
vpnLinkConnections List of all vpn site link connections to the gateway. VpnSiteLinkConnection[]

IpsecPolicy

Name Description Value
dhGroup The DH Group used in IKE Phase 1 for initial SA. 'DHGroup1'
'DHGroup14'
'DHGroup2'
'DHGroup2048'
'DHGroup24'
'ECP256'
'ECP384'
'None' (required)





ikeEncryption The IKE encryption algorithm (IKE phase 2). 'AES128'
'AES192'
'AES256'
'DES'
'DES3'
'GCMAES128'
'GCMAES256' (required)
ikeIntegrity The IKE integrity algorithm (IKE phase 2). 'GCMAES128'
'GCMAES256'
'MD5'
'SHA1'
'SHA256'
'SHA384' (required)
ipsecEncryption The IPSec encryption algorithm (IKE phase 1). 'AES128'
'AES192'
'AES256'
'DES'
'DES3'
'GCMAES128'
'GCMAES192'
'GCMAES256'
'None' (required)
ipsecIntegrity The IPSec integrity algorithm (IKE phase 1). 'GCMAES128'
'GCMAES192'
'GCMAES256'
'MD5'
'SHA1'
'SHA256' (required)
pfsGroup The Pfs Group used in IKE Phase 2 for new child SA. 'ECP256'
'ECP384'
'None'
'PFS1'
'PFS14'
'PFS2'
'PFS2048'
'PFS24'
'PFSMM' (required)
saDataSizeKilobytes The IPSec Security Association (also called Quick Mode or Phase 2 SA) payload size in KB for a site to site VPN tunnel. int (required)
saLifeTimeSeconds The IPSec Security Association (also called Quick Mode or Phase 2 SA) lifetime in seconds for a site to site VPN tunnel. int (required)

SubResource

Name Description Value
id Resource ID. string

RoutingConfiguration

Name Description Value
associatedRouteTable The resource id RouteTable associated with this RoutingConfiguration. SubResource
inboundRouteMap The resource id of the RouteMap associated with this RoutingConfiguration for inbound learned routes. SubResource
outboundRouteMap The resource id of theRouteMap associated with this RoutingConfiguration for outbound advertised routes. SubResource
propagatedRouteTables The list of RouteTables to advertise the routes to. PropagatedRouteTable
vnetRoutes List of routes that control routing from VirtualHub into a virtual network connection. VnetRoute

PropagatedRouteTable

Name Description Value
ids The list of resource ids of all the RouteTables. SubResource[]
labels The list of labels. string[]

VnetRoute

Name Description Value
staticRoutes List of all Static Routes. StaticRoute[]
staticRoutesConfig Configuration for static routes on this HubVnetConnection. StaticRoutesConfig

StaticRoute

Name Description Value
addressPrefixes List of all address prefixes. string[]
name The name of the StaticRoute that is unique within a VnetRoute. string
nextHopIpAddress The ip address of the next hop. string

StaticRoutesConfig

Name Description Value
vnetLocalRouteOverrideCriteria Parameter determining whether NVA in spoke vnet is bypassed for traffic with destination in spoke. 'Contains'
'Equal'

TrafficSelectorPolicy

Name Description Value
localAddressRanges A collection of local address spaces in CIDR format. string[] (required)
remoteAddressRanges A collection of remote address spaces in CIDR format. string[] (required)

VpnSiteLinkConnection

Name Description Value
id Resource ID. string
name The name of the resource that is unique within a resource group. This name can be used to access the resource. string
properties Properties of the VPN site link connection. VpnSiteLinkConnectionProperties

VpnSiteLinkConnectionProperties

Name Description Value
connectionBandwidth Expected bandwidth in MBPS. int
egressNatRules List of egress NatRules. SubResource[]
enableBgp EnableBgp flag. bool
enableRateLimiting EnableBgp flag. bool
ingressNatRules List of ingress NatRules. SubResource[]
ipsecPolicies The IPSec Policies to be considered by this connection. IpsecPolicy[]
routingWeight Routing weight for vpn connection. int
sharedKey SharedKey for the vpn connection. string
useLocalAzureIpAddress Use local azure ip to initiate connection. bool
usePolicyBasedTrafficSelectors Enable policy-based traffic selectors. bool
vpnConnectionProtocolType Connection protocol used for this connection. 'IKEv1'
'IKEv2'
vpnGatewayCustomBgpAddresses vpnGatewayCustomBgpAddresses used by this connection. GatewayCustomBgpIpAddressIpConfiguration[]
vpnLinkConnectionMode Vpn link connection mode. 'Default'
'InitiatorOnly'
'ResponderOnly'
vpnSiteLink Id of the connected vpn site link. SubResource

GatewayCustomBgpIpAddressIpConfiguration

Name Description Value
customBgpIpAddress The custom BgpPeeringAddress which belongs to IpconfigurationId. string (required)
ipConfigurationId The IpconfigurationId of ipconfiguration which belongs to gateway. string (required)