
I followed the article https://www.ais.com/how-to-configure-point-to-site-vpn-connection-using-azure-certificate-authentication/ and configured Point-to-Site.

In summary: I have created the Root & Client Certificate and configured the Virtual Gateway

Here we are generating the root certificate (the `Cert:\CurrentUser\My` store path is written with its backslashes, which were lost in the original paste):

    $cert = New-SelfSignedCertificate -Type Custom -KeySpec Signature -Subject "CN=VPNRoot" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -KeyUsageProperty Sign -KeyUsage CertSign

Here we are generating the client certificate from the root certificate (the client-authentication EKU 1.3.6.1.5.5.7.3.2 is set via -TextExtension):

    New-SelfSignedCertificate -Type Custom -DnsName VPNCert -KeySpec Signature -Subject "CN=VPNCert" -KeyExportPolicy Exportable -HashAlgorithm sha256 -KeyLength 2048 -CertStoreLocation "Cert:\CurrentUser\My" -Signer $cert -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.2")


Is there a way to configure the Point-to-Site connection using Terraform?

2 Answers


  1. Chosen as BEST ANSWER

    I was able to configure the Point-to-Site connection using the Terraform code below.

    resource "azurerm_virtual_network_gateway" "azunetgateway" {
      name                = "azunetgateway"
      location            = azurerm_resource_group.ipz12-dat-np-connection-rg.location
      resource_group_name = azurerm_resource_group.ipz12-dat-np-connection-rg.name
      
      type     = "Vpn"
      vpn_type = "RouteBased"
      active_active = false
      enable_bgp    = false
      sku           = "VpnGw1"
    
      ip_configuration {
        name                          = "vnetGatewayConfig"
        public_ip_address_id          = azurerm_public_ip.azunetgwpip.id
        private_ip_address_allocation = "Dynamic"
        subnet_id                     = azurerm_subnet.appgateway_subnet.id
      }
    
      # Client configuration for Point-to-Site VPN Gateway connections
      vpn_client_configuration {
        address_space = ["172.16.0.0/16"]
        root_certificate {
          name = "ROOTCERT"
          public_cert_data  = <<EOF
    MIIC3zCCAcegAwIBAgIQJdWvUysG/oxPlBZu2cCi1DANBgkqhkiG9w0BAQsFADAS
    MRAwDgYDVQQDDAdWUE5Sb290MB4XDTIyMTEyMzE3MTUxOFoXDTIzMTEyMzE3MzUx
    OFowEjEQMA4GA1UEAwwHVlBOUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
    AQoCggEBAMYijaT3al0QQypT+vTOnyWepDqwlvFC8liwRKxUvs33qAI+G5INtPeH
    0/XCcvng7ClUvs09Ui7u3ZiyRpemnHCuAd0Fqb5DwFYhVus/dpFju5nw2Cw2VLuf
    ldhAcbhAXfAtkPsSqL9zgRWjxQ==
    EOF
        }
      }
    
      depends_on = [
        azurerm_public_ip.azunetgwpip,
        azurerm_subnet.appgateway_subnet
      ]
    }
    
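The `public_cert_data` argument above takes the root certificate's public part as base64-encoded DER with no BEGIN/END markers and no private key. The following PowerShell is an added example, not code from the question, the answers or the linked article: it pulls the `CN=VPNRoot` certificate created by the question's `New-SelfSignedCertificate` command out of `Cert:\CurrentUser\My`, checks that it really is a signing CA that has not expired, and writes the header-less base64 string to a file (the file name `vpnroot.b64` is an assumption) so the Terraform resource can read it instead of carrying the blob inline.

```powershell
# Added example: export the VPNRoot public certificate in the format that
# azurerm root_certificate / client_root_certificate public_cert_data expects.
using namespace System.Security.Cryptography.X509Certificates

$root = Get-ChildItem -Path 'Cert:\CurrentUser\My' |
    Where-Object { $_.Subject -eq 'CN=VPNRoot' } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $root) {
    throw "No certificate with subject CN=VPNRoot found in Cert:\CurrentUser\My"
}

# The gateway trusts this certificate as the issuer of all client certificates,
# so make sure it carries the KeyCertSign key usage and is still valid.
$keyUsage = $root.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
if (-not $keyUsage -or -not ($keyUsage.KeyUsages -band [X509KeyUsageFlags]::KeyCertSign)) {
    throw "CN=VPNRoot lacks the KeyCertSign key usage; re-create it with -KeyUsage CertSign"
}
if ($root.NotAfter -lt (Get-Date)) {
    throw "CN=VPNRoot expired on $($root.NotAfter); clients signed by it will be rejected"
}

# X509ContentType::Cert exports only the public certificate (DER), never the private key.
$der = $root.Export([X509ContentType]::Cert)
$b64 = [Convert]::ToBase64String($der)

# One line, no PEM headers: this is exactly what public_cert_data should contain.
# (File name is an assumption for this example.)
Set-Content -Path '.\vpnroot.b64' -Value $b64 -NoNewline
Write-Host "Wrote $($der.Length) DER bytes as base64 to vpnroot.b64 (thumbprint $($root.Thumbprint))"
```

In the Terraform resource the heredoc can then be replaced with `public_cert_data = file("vpnroot.b64")`, which keeps the certificate data out of the `.tf` file and makes rotating the root a matter of regenerating that one file.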

  2. I tried to create the Point-to-Site VPN connection using Terraform in my environment and got the results below.

    I followed the script below to create the Point-to-Site VPN using Terraform.

    I have taken this sample script from this URL and made changes as per the requirement.

    provider "azurerm" {
      features {}
    }
    resource "azurerm_resource_group" "ex123" {
      name     = "XXXXXX"
      location = "West Europe"
    }
    
    resource "azurerm_virtual_wan" "ex123" {
      name                = "XXXXXX"
      resource_group_name = azurerm_resource_group.ex123.name
      location            = azurerm_resource_group.ex123.location
    }
    
    resource "azurerm_virtual_hub" "ex123" {
      name                = "XXXXXX"
      resource_group_name = azurerm_resource_group.ex123.name
      location            = azurerm_resource_group.ex123.location
      virtual_wan_id      = azurerm_virtual_wan.ex123.id
      address_prefix      = "10.0.0.0/23"
    }
    
    resource "azurerm_vpn_server_configuration" "ex123" {
      name                     = "example-config"
      resource_group_name      = azurerm_resource_group.ex123.name
      location                 = azurerm_resource_group.ex123.location
      vpn_authentication_types = ["Certificate"]
    
      client_root_certificate {
        name             = "DigiCert-Federated-ID-Root-CA"
        public_cert_data = <<EOF
    MIIDuzCCAqOgAwIBAgIQCHTZWCM+IlfFIRXIvyKSrjANBgkqhkiG9w0BAQsFADBn
    MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
    d3cuZGlnaWNlcnQuY29tMSYwJAYDVQQDEx1EaWdpQ2VydCBGZWRlcmF0ZWQgSUQg
    Um9vdCBDQTAeFw0xMzAxMTUxMjAwMDBaFw0zMzAxMTUxMjAwMDBaMGcxCzAJBgNV
    BAYTAlVTMRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxGTAXBgNVBAsTEHd3dy5kaWdp
    Y2VydC5jb20xJjAkBgNVBAMTHURpZ2lDZXJ0IEZlZGVyYXRlZCBJRCBSb290IENB
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvAEB4pcCqnNNOWE6Ur5j
    QPUH+1y1F9KdHTRSza6k5iDlXq1kGS1qAkuKtw9JsiNRrjltmFnzMZRBbX8Tlfl8
    zAhBmb6dDduDGED01kBsTkgywYPxXVTKec0WxYEEF0oMn4wSYNl0lt2eJAKHXjNf
    GTwiibdP8CUR2ghSM2sUTI8Nt1Omfc4SMHhGhYD64uJMbX98THQ/4LMGuYegou+d
    GTiahfHtjn7AboSEknwAMJHCh5RlYZZ6B1O4QbKJ+34Q0eKgnI3X6Vc9u0zf6DH8
    Dk+4zQDYRRTqTnVO3VT8jzqDlCRuNtq6YvryOWN74/dq8LQhUnXHvFyrsdMaE1X2
    DwIDAQABo2MwYTAPBgNVHRMBAf8EBTADAQH/MA4GA1UdDwEB/wQEAwIBhjAdBgNV
    HQ4EFgQUGRdkFnbGt1EWjKwbUne+5OaZvRYwHwYDVR0jBBgwFoAUGRdkFnbGt1EW
    jKwbUne+5OaZvRYwDQYJKoZIhvcNAQELBQADggEBAHcqsHkrjpESqfuVTRiptJfP
    9JbdtWqRTmOf6uJi2c8YVqI6XlKXsD8C1dUUaaHKLUJzvKiazibVuBwMIT84AyqR
    QELn3e0BtgEymEygMU569b01ZPxoFSnNXc7qDZBDef8WfqAV/sxkTi8L9BkmFYfL
    uGLOhRJOFprPdoDIUBB+tmCl3oDcBy3vnUeOEioz8zAkprcb3GHwHAK+vHmmfgcn
    WsfMLH4JCLa/tRYL+Rw/N3ybCkDp00s0WUZ+AoDywSl0Q/ZEnNY0MsFiw6LyIdbq
    M/s/1JRtO3bDSzD9TazRVzn2oBqzSa8VgIo5C1nOnoAKJTlsClJKvIhnRlaLQqk=
    EOF
      }
    }
    
    resource "azurerm_point_to_site_vpn_gateway" "ex123" {
      name                        = "example-vpn-gateway"
      # Reference the resource group declared above (the original referenced an undeclared "example" resource group)
      location                    = azurerm_resource_group.ex123.location
      resource_group_name         = azurerm_resource_group.ex123.name
      virtual_hub_id              = azurerm_virtual_hub.ex123.id
      vpn_server_configuration_id = azurerm_vpn_server_configuration.ex123.id
      scale_unit                  = 1
      connection_configuration {
        name = "example-gateway-config"
    
        vpn_client_address_pool {
          address_prefixes = [
            "10.0.1.0/24"
          ]
        }
      }
    }
    

    To run the script, follow the steps below:

    terraform init

    terraform plan

    terraform apply

    After creating the VPN gateway, when I check in the portal I am able to see the VPN gateway and the Point-to-Site configuration.
