Search code examples
terraformterraform-provider-azurevnet

How to set "use remote VNET gateway" on Azure network peering via Terraform

How can I set use remote VNET's gateway on a hub peer using terraform?

On the spoke, I'm trying to set the below highlighted "Use the remote virtual network's gateway or Route Server" via terraform:

I've tried setting the use_remote_gateways=true but as can see, it doesn't set it.

enter image description here

    resource "azurerm_virtual_network_peering" "peer_lz_to_connectivity" {
      provider                          = azurerm.lz
    
      name                              = local.peer_to_connectivity_name
      resource_group_name               = azurerm_resource_group.rg.name
      virtual_network_name              = azurerm_virtual_network.vnet.name
      remote_virtual_network_id         = data.azurerm_virtual_network.fw_vnet.id
      allow_forwarded_traffic           = true
      allow_gateway_transit             = true
      use_remote_gateways               = true
    }

More info: On the hub peer of course this is not set. It just needs to be set on the spoke peer.

Solution

  • You can configure spoke Vnets to use the hub Vnet VPN gateway to communicate with remote networks. To allow gateway traffic to flow from spoke to hub and connect to remote networks, you must:

    • Configure the peering connection in the hub to allow gateway transit.
    • Configure the peering connection in each spoke to use remote gateways.
    • Configure all peering connections to allow forwarded traffic.

    Here are a couple of Hub and Spoke architectures for your reference :

    https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli#virtual-network-peering

    https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit

    In your Terraform code block above, you have set all 3 options (allow_forwarded_traffic, allow_gateway_transit & use_remote_gateways) to True, which is not possible. "allow gateway transit" option is enabled on the Hub Vnet where the VPN gateway is deployed and "use_remote_gateways" option is enabled on the spoke Vnet which needs to use the hub VPN gateway for access.

    Refer : https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview#gateways-and-on-premises-connectivity

    Below is the Terraform code block for enabling "use_remote_gateways" option on a spoke Vnet:

    resource "azurerm_virtual_network_peering" "spoke1-hub-peer" {
name                      = "spoke1-hub-peer"
resource_group_name       = azurerm_resource_group.spoke1-vnet-rg.name
virtual_network_name      = azurerm_virtual_network.spoke1-vnet.name
remote_virtual_network_id = azurerm_virtual_network.hub-vnet.id

allow_virtual_network_access = true
allow_forwarded_traffic = true
allow_gateway_transit   = false
use_remote_gateways     = true
depends_on = [azurerm_virtual_network.spoke1-vnet, azurerm_virtual_network.hub-vnet , azurerm_virtual_network_gateway.hub-vnet-gateway]}

    You can find the whole Terraform code block for hub & spoke topology in the below doc:

    https://learn.microsoft.com/en-us/azure/developer/terraform/hub-spoke-spoke-network