professional-service/examples/vpn-usecases/stackit-azure
Mauritz Uphoff 20dd7ec314
example(vpn): remove my mail
2026-05-13 13:53:46 +02:00
STACKIT-to-Azure HA VPN Gateway

⚠️ Creating azurerm_virtual_network_gateway.azure_gateway takes between 30 and 90 minutes.

This example demonstrates how to establish a secure, Highly Available (HA) IPsec VPN connection between a STACKIT Network Area (SNA) and Microsoft Azure.

The connection uses BGP (Border Gateway Protocol) via an Azure Virtual Network Gateway (Active-Active mode) to automatically exchange and propagate routes dynamically between the two cloud environments.

Architecture

This Terraform configuration provisions the following resources:

  • STACKIT: An SNA, a debug machine, and an HA VPN Gateway (ASN 64512).
  • Azure: A Resource Group, VNet, dedicated GatewaySubnet, an Active-Active Virtual Network Gateway (ASN 64513), two Local Network Gateways (representing STACKIT), and a private Ubuntu test VM.
  • VPN Connection: Two redundant IPsec tunnels using dynamically generated PSKs and Link-Local BGP peering (169.254.x.x/30).
  • Security: Azure Network Security Group (NSG) rules configured to allow inbound ICMP/SSH traffic specifically from the STACKIT network range.
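A pre-apply sanity check for the two link-local BGP peerings and the per-tunnel PSKs, added here as an illustration and not part of this repository's Terraform code. It assumes STACKIT takes the first usable host of each /30 and Azure the second; the 169.254.21.0 to 169.254.22.255 bound is the range Azure accepts for custom APIPA BGP peer addresses.

```python
import ipaddress
import secrets
import string

# Azure only accepts custom APIPA BGP peer addresses in this window.
AZURE_APIPA_LO = ipaddress.IPv4Address("169.254.21.0")
AZURE_APIPA_HI = ipaddress.IPv4Address("169.254.22.255")

# Constructed sample input: one link-local /30 per redundant tunnel.
TUNNEL_SUBNETS = {
    "tunnel1": "169.254.21.0/30",
    "tunnel2": "169.254.21.4/30",
}


def plan_bgp_peering(subnets):
    """Return {tunnel: (stackit_peer, azure_peer)} for each /30.

    Assumption (not from the README): STACKIT gets the first usable host,
    Azure the second. Raises ValueError for anything Azure would reject
    or for overlapping tunnel subnets.
    """
    plan, nets = {}, []
    for name, cidr in subnets.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if net.prefixlen != 30 or not net.is_link_local:
            raise ValueError(f"{name}: {cidr} is not a link-local /30")
        if any(net.overlaps(other) for other in nets):
            raise ValueError(f"{name}: {cidr} overlaps another tunnel subnet")
        nets.append(net)
        stackit_ip, azure_ip = list(net.hosts())  # a /30 has exactly two hosts
        if not AZURE_APIPA_LO <= azure_ip <= AZURE_APIPA_HI:
            raise ValueError(f"{name}: Azure peer {azure_ip} outside APIPA range")
        plan[name] = (str(stackit_ip), str(azure_ip))
    return plan


def generate_psk(length=32):
    """Per-tunnel pre-shared key from the OS CSPRNG.

    Alphanumeric only, so the value needs no escaping in Terraform or the
    Azure CLI and is accepted by every IPsec endpoint.
    """
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for tunnel, (stackit_peer, azure_peer) in plan_bgp_peering(TUNNEL_SUBNETS).items():
        print(f"{tunnel}: STACKIT {stackit_peer} <-> Azure {azure_peer}, psk={generate_psk()}")
```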

Prerequisites

  • Configured STACKIT and Azure provider credentials.
  • Azure CLI (az) installed and authenticated for testing from the Azure side.

Outputs

Once the deployment is complete, Terraform will output the following information to help you verify connectivity:

  • vpn01_public_ip: The public IP of the debug machine in STACKIT.
  • vpn01_private_ip: The private IP of the debug machine in STACKIT.
  • azure_test_vm_private_ip: The private IP of the test VM in Azure.
  • azure_run_command_ping_test: A pre-formatted Azure CLI command to test the connection.

How to Test the Connection

You can verify that the tunnel is fully operational in both directions by following these steps:

1. Test from Azure to STACKIT (Zero-Config)

This uses the Azure "Run Command" feature to execute a ping test directly inside the private Azure VM, without needing SSH access or a Bastion host.

Copy the command generated by the azure_run_command_ping_test output and run it in your terminal:

az vm run-command invoke \
  --resource-group rg-vpn-test \
  --name azure-vpn-test-vm \
  --command-id RunShellScript \
  --scripts 'ping -c 4 <vpn01_private_ip>'