
Deploying a Site-to-Site VPN in Azure Using Terraform
A Site-to-Site (S2S) VPN allows organizations to securely connect their on-premises networks to Microsoft Azure through an encrypted IPsec/IKE tunnel over the internet. This connectivity model is commonly used in hybrid cloud environments where existing datacenter resources must communicate securely with cloud workloads.
Terraform enables administrators to deploy Azure infrastructure consistently using Infrastructure as Code. Instead of manually configuring VPN gateways, networks, and connections in the Azure portal, Terraform allows the entire Site-to-Site VPN architecture to be defined in configuration files and deployed automatically.
This article explains how to deploy a complete Azure Site-to-Site VPN using Terraform, including architecture design, required components, configuration syntax, and deployment steps used in real-world environments.
1. Overview of Azure Site-to-Site VPN Architecture
In a hybrid environment, an Azure Site-to-Site VPN connects an on-premises VPN device or firewall to an Azure Virtual Network through an Azure VPN Gateway.
The architecture typically includes the following components:
- Azure Virtual Network
- Gateway Subnet
- Azure VPN Gateway
- Local Network Gateway
- VPN Connection
- Public IP Address
- Resource Group
Traffic between the on-premises network and Azure travels through an encrypted tunnel.
Typical architecture flow:
- On-Premises Network
- VPN Device or Firewall
- Internet
- Azure VPN Gateway
- Azure Virtual Network
- Azure Workloads
The Azure VPN Gateway terminates the encrypted tunnel and routes traffic to resources inside the Azure Virtual Network.
2. Prerequisites
Before deploying a Site-to-Site VPN using Terraform, several prerequisites must be met:
Azure Requirements:
- Azure subscription
- Permissions to create networking resources in the target resource group (for example the Network Contributor role)
- A static public IP address on the on-premises VPN device; the Azure local network gateway is configured with this address, so it must not change
- On-premises address ranges that do not overlap with the Azure Virtual Network address space
Software Requirements:
- Terraform installed
- Azure CLI installed
- An authenticated Azure session, which for interactive use is established with:
az login
Terraform should also be initialized with the Azure provider (terraform init, shown in the deployment steps below).
3. Terraform Deployment Architecture
The Terraform deployment will create the following infrastructure:
- Resource Group
- Virtual Network
- Gateway Subnet
- Public IP Address
- VPN Gateway
- Local Network Gateway
- Site-to-Site VPN Connection
Terraform builds its dependency graph from the references between these resources (the gateway references the subnet and the public IP, the connection references both gateways), so they are created in the correct order without manual sequencing. The list above reflects that order.
4. Terraform Provider Configuration
The first step is configuring the Azure provider so Terraform can interact with Azure Resource Manager.
provider "azurerm" {
features {}
}
The provider block is what lets Terraform call Azure Resource Manager; credentials come from the az login session, or from a service principal or managed identity when Terraform runs in a pipeline. Pin the provider version with a required_providers block so that a new provider release cannot silently change how these resources are planned.
5. Create Resource Group
The resource group will contain all networking resources.
resource "azurerm_resource_group" "vpn_rg" {
name = "rg-s2s-vpn"
location = "East US"
}
6. Create Virtual Network
The Azure Virtual Network hosts the workloads that will communicate with the on-premises environment.
resource "azurerm_virtual_network" "vnet" {
name = "vnet-hybrid"
location = azurerm_resource_group.vpn_rg.location
resource_group_name = azurerm_resource_group.vpn_rg.name
address_space = ["10.10.0.0/16"]
}
7. Create Gateway Subnet
Azure VPN Gateways require a dedicated subnet named GatewaySubnet.
resource "azurerm_subnet" "gateway_subnet" {
name = "GatewaySubnet"
resource_group_name = azurerm_resource_group.vpn_rg.name
virtual_network_name = azurerm_virtual_network.vnet.name
address_prefixes = ["10.10.255.0/27"]
}
The subnet name must be exactly GatewaySubnet; Azure rejects gateway deployments into any other subnet. Size it at /27 or larger so that a later gateway SKU or an active-active configuration has enough addresses, and do not associate a network security group with it: Microsoft does not support NSGs on the gateway subnet, and one that blocks the gateway's control traffic will break the tunnel.
8. Create Public IP for VPN Gateway
The VPN gateway needs a public IP address on which the on-premises device terminates the tunnel. Use a Standard SKU with static allocation: Azure is retiring Basic SKU public IPs (new ones can no longer be created ahead of the announced 30 September 2025 retirement), and a static address means the peer configuration on the on-premises device does not have to change after a gateway resize or redeploy.
resource "azurerm_public_ip" "vpn_pip" {
name = "vpn-gateway-ip"
location = azurerm_resource_group.vpn_rg.location
resource_group_name = azurerm_resource_group.vpn_rg.name
allocation_method = "Static"
sku = "Standard"
}
9. Create Azure VPN Gateway
The Azure VPN Gateway is responsible for terminating the IPsec VPN tunnel.
resource "azurerm_virtual_network_gateway" "vpn_gateway" {
name = "vpn-gateway"
location = azurerm_resource_group.vpn_rg.location
resource_group_name = azurerm_resource_group.vpn_rg.name
type = "Vpn"
vpn_type = "RouteBased"
active_active = false
enable_bgp = false
sku = "VpnGw1"
ip_configuration {
name = "vpngatewayconfig"
public_ip_address_id = azurerm_public_ip.vpn_pip.id
private_ip_address_allocation = "Dynamic"
subnet_id = azurerm_subnet.gateway_subnet.id
}
}
Deployment of the VPN gateway can take 30 to 45 minutes; terraform apply blocks until Azure reports the gateway as provisioned. Changing sku or vpn_type later is equally slow or forces a replacement, so choose them deliberately.
10. Create Local Network Gateway
The Local Network Gateway represents the on-premises network and VPN device.
resource "azurerm_local_network_gateway" "onprem_gateway" {
name = "onpremise-gateway"
location = azurerm_resource_group.vpn_rg.location
resource_group_name = azurerm_resource_group.vpn_rg.name
gateway_address = "203.0.113.1"
address_space = ["192.168.1.0/24"]
}
gateway_address is the static public IP address of the on-premises VPN device. 203.0.113.1 is a placeholder from the documentation address range and must be replaced with the real address.
address_space lists the on-premises prefixes that Azure will route into the tunnel and accept traffic from. Keep it to the prefixes that actually need Azure access, and make sure none of them overlap the Virtual Network's address space, or routing will silently prefer the local range.
11. Create VPN Connection
The final resource is the Site-to-Site connection, which binds the Azure VPN gateway to the local network gateway and carries the IKE pre-shared key (PSK).
variable "vpn_shared_key" {
description = "IKE pre-shared key; must match the on-premises VPN device"
type = string
sensitive = true
}
resource "azurerm_virtual_network_gateway_connection" "vpn_connection" {
name = "s2s-vpn-connection"
location = azurerm_resource_group.vpn_rg.location
resource_group_name = azurerm_resource_group.vpn_rg.name
type = "IPsec"
virtual_network_gateway_id = azurerm_virtual_network_gateway.vpn_gateway.id
local_network_gateway_id = azurerm_local_network_gateway.onprem_gateway.id
shared_key = var.vpn_shared_key
}
The shared key must match the configuration on the on-premises VPN device. Do not write it as a literal in the .tf file: a literal ends up in version control, and a short, guessable value like StrongSharedKey123 is the only secret authenticating the two ends of the tunnel. Use a long random value, supply it at apply time (for example through the TF_VAR_vpn_shared_key environment variable populated from a secret store), and mark the variable sensitive so it is redacted from plan output. Note that Terraform still writes the key into the state file, so the state backend must be encrypted and access-restricted.
12. Terraform Deployment Steps
Once all configuration files are created, the deployment follows the standard Terraform workflow. Review the plan output before applying; it is the last point at which a wrong address prefix or an unintended gateway replacement is cheap to catch.
Initialize Terraform
terraform init
Validate configuration
terraform validate
Generate execution plan
terraform plan
Deploy infrastructure
terraform apply
Terraform will provision all required Azure networking components automatically.
13. Verification of VPN Connection
After the on-premises device has been configured with the Azure gateway's public IP, the matching address spaces and the same pre-shared key, verify that the tunnel is established.
Steps:
Navigate to the Azure VPN Gateway resource
Open Connections
Verify the tunnel status
Status should display Connected. If it does not, the IKE negotiation failed; the two most common causes are a shared-key mismatch and an IKE/IPsec proposal that the on-premises device does not offer.
Then test end to end with ping or traceroute between an Azure VM and an on-premises host, in both directions. Connected only shows that IKE succeeded: a ping that still fails points at a network security group, an on-premises firewall dropping ICMP, or an address range missing from the local network gateway's address_space.
14. Security Best Practices
When deploying Site-to-Site VPN solutions in production environments, organizations should follow several security best practices:
- Use a long, random shared key supplied from a secret store, never a literal in the configuration, and protect the Terraform state that contains it
- Pin the IKE/IPsec policy (the ipsec_policy block on the connection) to strong algorithms such as AES-256-GCM, SHA-256 and DH group 14 or better, and use IKEv2, rather than relying on the gateway's default proposal list
- Restrict the local network gateway's address_space to the on-premises prefixes that actually need Azure access
- Use route-based VPN gateways, which are required for IKEv2 and for multiple connections on one gateway
- Enable diagnostic logging and monitoring on the gateway
- Use network security groups on the workload subnets (not on GatewaySubnet) so that on-premises hosts reach only the services they need; the default AllowVnetInBound rule otherwise admits all traffic from the connected on-premises ranges
- Consider implementing Azure Firewall or Network Virtual Appliances for advanced traffic inspection
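The following is an added example, not code from the original article, showing the hardened form of the connection resource from the "Create VPN Connection" section together with a workload-subnet NSG that applies the best practices above. It assumes the resource group, VNet, VPN gateway and local network gateway defined earlier in the article; the variable name vpn_shared_key, the workload subnet snet-workload with prefix 10.10.1.0/24, the NSG name and the choice of TCP 443 as the only service exposed to on-premises are assumptions for illustration. It is meant as a drop-in replacement for the article's connection resource, not an additional connection, and if a vpn_shared_key variable is already declared elsewhere in the configuration it must be declared only once.

```hcl
# Added example (not from the original article): hardened S2S connection plus
# a workload NSG. Assumed names: vpn_shared_key, snet-workload, nsg-workload.

# Pre-shared key supplied out of band (e.g. TF_VAR_vpn_shared_key populated
# from a secret store), never as a literal in the configuration.
variable "vpn_shared_key" {
  description = "IKE pre-shared key; must match the on-premises VPN device"
  type        = string
  sensitive   = true

  validation {
    condition     = length(var.vpn_shared_key) >= 32 && length(var.vpn_shared_key) <= 128
    error_message = "vpn_shared_key must be between 32 and 128 characters."
  }
}

resource "azurerm_virtual_network_gateway_connection" "vpn_connection" {
  name                = "s2s-vpn-connection"
  location            = azurerm_resource_group.vpn_rg.location
  resource_group_name = azurerm_resource_group.vpn_rg.name

  type                       = "IPsec"
  connection_protocol        = "IKEv2" # do not fall back to IKEv1
  virtual_network_gateway_id = azurerm_virtual_network_gateway.vpn_gateway.id
  local_network_gateway_id   = azurerm_local_network_gateway.onprem_gateway.id
  shared_key                 = var.vpn_shared_key
  dpd_timeout_seconds        = 45 # dead peer detection tears down a stale SA

  # Pin the proposal instead of accepting Azure's default list, which still
  # includes weak options such as DES3, SHA1 and DHGroup2.
  ipsec_policy {
    dh_group         = "DHGroup14" # 2048-bit MODP for IKE phase 1
    ike_encryption   = "AES256"
    ike_integrity    = "SHA256"
    ipsec_encryption = "GCMAES256" # AEAD; integrity must name the same GCM suite
    ipsec_integrity  = "GCMAES256"
    pfs_group        = "PFS2048"   # perfect forward secrecy on each child SA rekey
    sa_lifetime      = 27000       # seconds
    sa_datasize      = 102400000   # kilobytes
  }
}

# Workload subnet (assumed). The NSG is attached here, never to GatewaySubnet.
resource "azurerm_subnet" "workload" {
  name                 = "snet-workload"
  resource_group_name  = azurerm_resource_group.vpn_rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = ["10.10.1.0/24"]
}

# Allow the on-premises ranges from the local network gateway to reach only
# the service they need, then deny everything else from those ranges. The
# explicit deny is required because the default AllowVnetInBound rule (65000)
# treats connected on-premises prefixes as part of VirtualNetwork.
resource "azurerm_network_security_group" "workload" {
  name                = "nsg-workload"
  location            = azurerm_resource_group.vpn_rg.location
  resource_group_name = azurerm_resource_group.vpn_rg.name

  security_rule {
    name                       = "allow-onprem-https"
    priority                   = 100
    direction                  = "Inbound"
    access                     = "Allow"
    protocol                   = "Tcp"
    source_port_range          = "*"
    destination_port_range     = "443"
    source_address_prefixes    = azurerm_local_network_gateway.onprem_gateway.address_space
    destination_address_prefix = "10.10.1.0/24"
  }

  security_rule {
    name                       = "deny-onprem-other"
    priority                   = 4000
    direction                  = "Inbound"
    access                     = "Deny"
    protocol                   = "*"
    source_port_range          = "*"
    destination_port_range     = "*"
    source_address_prefixes    = azurerm_local_network_gateway.onprem_gateway.address_space
    destination_address_prefix = "*"
  }
}

resource "azurerm_subnet_network_security_group_association" "workload" {
  subnet_id                 = azurerm_subnet.workload.id
  network_security_group_id = azurerm_network_security_group.workload.id
}
```

Every parameter in ipsec_policy must be offered by the on-premises device as well, so agree the proposal with the firewall administrator before applying; an unmatched proposal leaves the connection in Not connected with the failure recorded in the IKE diagnostic log. Changing connection_protocol or dpd_timeout_seconds forces Terraform to recreate the connection, which briefly drops the tunnel.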
15. Monitoring and Troubleshooting
Azure provides several tools to monitor VPN health:
- Azure Monitor metrics and alerts for the gateway (tunnel bandwidth, packet drops, BGP peer status)
- Network Watcher, including VPN troubleshoot and packet capture on the gateway
- Gateway diagnostic logs (IKE, tunnel, gateway and route logs) sent to a Log Analytics workspace
- Connection status and statistics on the connection resource
Monitoring allows administrators to identify connection failures, packet drops, or configuration issues.
Common troubleshooting steps include checking for:
- A shared-key mismatch, visible as an authentication failure in the IKE diagnostic log
- Firewall rules blocking IPsec traffic: UDP 500 and UDP 4500 for IKE and NAT traversal, and ESP (IP protocol 50) where no NAT sits in the path
- Incorrect address prefixes on either side, which appear as traffic-selector mismatch drops on the tunnel
- VPN device compatibility: the device should be on Microsoft's validated device list, or at minimum support the IKE/IPsec parameters the gateway is configured with
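As an added example that is not part of the original article, the Terraform below turns on the gateway diagnostic logs and raises an alert on the metric that corresponds to the "incorrect address prefixes" case above. It assumes the VPN gateway and resource group from the article, azurerm provider 3.x syntax for the diagnostic setting, and assumed names and values for the Log Analytics workspace, the action group and the notification address.

```hcl
# Added example (not from the original article): gateway diagnostics and an
# alert on traffic-selector mismatch drops. Assumed names: law-s2s-vpn,
# ag-netops, netops@example.com.
resource "azurerm_log_analytics_workspace" "vpn_logs" {
  name                = "law-s2s-vpn"
  location            = azurerm_resource_group.vpn_rg.location
  resource_group_name = azurerm_resource_group.vpn_rg.name
  sku                 = "PerGB2018"
  retention_in_days   = 90
}

resource "azurerm_monitor_diagnostic_setting" "vpn_gateway" {
  name                       = "vpn-gateway-diagnostics"
  target_resource_id         = azurerm_virtual_network_gateway.vpn_gateway.id
  log_analytics_workspace_id = azurerm_log_analytics_workspace.vpn_logs.id

  # IKE negotiations: shared-key mismatches and rejected proposals
  enabled_log { category = "IKEDiagnosticLog" }
  # Tunnel up/down transitions and which peer caused them
  enabled_log { category = "TunnelDiagnosticLog" }
  # Gateway health and configuration changes
  enabled_log { category = "GatewayDiagnosticLog" }
  # Routes learned and advertised (relevant once BGP is enabled)
  enabled_log { category = "RouteDiagnosticLog" }

  metric { category = "AllMetrics" }
}

resource "azurerm_monitor_action_group" "netops" {
  name                = "ag-netops"
  resource_group_name = azurerm_resource_group.vpn_rg.name
  short_name          = "netops"

  email_receiver {
    name          = "netops-oncall"
    email_address = "netops@example.com" # assumed
  }
}

# Packets the gateway dropped because their source/destination fall outside
# the negotiated traffic selectors: the symptom of an address space that is
# wrong or missing on one side of the tunnel.
resource "azurerm_monitor_metric_alert" "ts_mismatch" {
  name                = "vpn-ts-mismatch-drops"
  resource_group_name = azurerm_resource_group.vpn_rg.name
  scopes              = [azurerm_virtual_network_gateway.vpn_gateway.id]
  description         = "VPN gateway is dropping ingress packets on traffic-selector mismatch"
  severity            = 2
  frequency           = "PT5M"
  window_size         = "PT15M"

  criteria {
    metric_namespace = "Microsoft.Network/virtualNetworkGateways"
    metric_name      = "TunnelIngressPacketDropTSMismatch"
    aggregation      = "Total"
    operator         = "GreaterThan"
    threshold        = 0
  }

  action {
    action_group_id = azurerm_monitor_action_group.netops.id
  }
}
```

With the logs flowing, a shared-key mismatch or rejected proposal is found by querying the workspace for the IKEDiagnosticLog category around the time of the failed connection attempt, which is considerably faster than re-checking both devices by hand. Retention of 90 days is an assumed value; pick it to match the incident-response window the organization actually works to.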
16. Benefits of Using Terraform for VPN Deployment
Using Terraform for Azure Site-to-Site VPN deployment provides several operational benefits:
- Infrastructure automation
- Repeatable deployments
- Version-controlled infrastructure
- Faster environment provisioning
- Reduced configuration errors
Infrastructure as Code also simplifies disaster recovery because environments can be recreated quickly.
Conclusion
Deploying an Azure Site-to-Site VPN using Terraform allows organizations to automate hybrid connectivity between on-premises networks and cloud infrastructure. By defining the entire VPN architecture in Terraform configuration files, administrators can deploy secure, consistent networking environments quickly and reliably.
Terraform also improves governance and operational efficiency by enabling infrastructure to be managed through version control and automated deployment pipelines.

For readers who want a deeper understanding of Terraform architecture, Infrastructure as Code design, module development, and enterprise automation strategies, refer to my book Mastering Terraform: A Comprehensive Guide to Infrastructure as Code, which expands on the concepts discussed in this article with detailed technical examples and real-world implementations.