STACKIT-to-Azure HA VPN Gateway
⚠️ azurerm_virtual_network_gateway.azure_gateway takes between 30 and 90 minutes to provision.
This example demonstrates how to establish a secure, Highly Available (HA) IPsec VPN connection between a STACKIT Network Area (SNA) and Microsoft Azure.
The connection uses BGP (Border Gateway Protocol) via an Azure Virtual Network Gateway in Active-Active mode, so routes are exchanged and propagated dynamically between the two cloud environments instead of being maintained as static routes.
Architecture
This Terraform configuration provisions the following resources:
- STACKIT: An SNA, a debug machine, and an HA VPN Gateway (ASN 64512).
- Azure: A Resource Group, VNet, dedicated GatewaySubnet, an Active-Active Virtual Network Gateway (ASN 64513), two Local Network Gateways (representing STACKIT), and a private Ubuntu test VM.
- VPN Connection: Two redundant IPsec tunnels using dynamically generated PSKs and Link-Local BGP peering (169.254.x.x/30).
- Security: Azure Network Security Group (NSG) rules configured to allow inbound ICMP/SSH traffic only from the STACKIT network range.
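The two security-relevant pieces of the architecture above are the per-tunnel PSKs and the NSG rules scoped to the STACKIT range. The following is an added example, not the project's own Terraform code: the resource names (`rg-vpn-test`, `nsg-vpn-test`, `azurerm_local_network_gateway.stackit`), the STACKIT CIDR `10.100.0.0/16`, the link-local peering addresses and the `stackit_vpn_public_ips` variable are all assumptions chosen for illustration. It shows the open NSG rule a practitioner should avoid beside the scoped one, PSKs generated by `random_password` rather than hard-coded, and a BGP-enabled connection per tunnel that reuses the `azurerm_virtual_network_gateway.azure_gateway` name from the warning at the top of this README.

```hcl
# Added example, not part of the project's configuration.
# Assumed values: STACKIT CIDR, resource/NSG names, public IPs, APIPA addresses.

variable "stackit_network_cidr" {
  description = "Assumed STACKIT network range allowed to reach the Azure test VM"
  type        = string
  default     = "10.100.0.0/16"
}

variable "stackit_vpn_public_ips" {
  description = "Assumed public IPs of the two STACKIT HA VPN gateway members"
  type        = list(string)
  default     = ["203.0.113.10", "203.0.113.11"] # documentation range, placeholders
}

# Weak setting (kept commented out, shown only for contrast):
# source_address_prefix = "*" would expose ICMP and SSH on the test VM
# to every source the gateway can forward, not just STACKIT.
#
# resource "azurerm_network_security_rule" "ssh_from_anywhere" {
#   ...
#   source_address_prefix = "*"
# }

# Scoped setting: ICMP only from the STACKIT range.
resource "azurerm_network_security_rule" "icmp_from_stackit" {
  name                        = "allow-icmp-from-stackit"
  priority                    = 100
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Icmp"
  source_port_range           = "*"
  destination_port_range      = "*"
  source_address_prefix       = var.stackit_network_cidr
  destination_address_prefix  = "*"
  resource_group_name         = "rg-vpn-test"
  network_security_group_name = "nsg-vpn-test"
}

# Scoped setting: SSH only from the STACKIT range, on port 22 only.
resource "azurerm_network_security_rule" "ssh_from_stackit" {
  name                        = "allow-ssh-from-stackit"
  priority                    = 110
  direction                   = "Inbound"
  access                      = "Allow"
  protocol                    = "Tcp"
  source_port_range           = "*"
  destination_port_range      = "22"
  source_address_prefix       = var.stackit_network_cidr
  destination_address_prefix  = "*"
  resource_group_name         = "rg-vpn-test"
  network_security_group_name = "nsg-vpn-test"
}

# One generated PSK per tunnel; never a literal in the .tf files.
resource "random_password" "psk" {
  count   = 2
  length  = 32
  special = false
}

# One Local Network Gateway per STACKIT gateway member, BGP peering on a
# link-local /30 (assumed addresses 169.254.21.1 and 169.254.22.1).
resource "azurerm_local_network_gateway" "stackit" {
  count               = 2
  name                = "lng-stackit-${count.index}"
  location            = "germanywestcentral"
  resource_group_name = "rg-vpn-test"
  gateway_address     = var.stackit_vpn_public_ips[count.index]
  address_space       = [var.stackit_network_cidr]

  bgp_settings {
    asn                 = 64512
    bgp_peering_address = count.index == 0 ? "169.254.21.1" : "169.254.22.1"
  }
}

# Two redundant IPsec connections, BGP enabled, each with its own PSK.
resource "azurerm_virtual_network_gateway_connection" "stackit" {
  count                      = 2
  name                       = "vpn-to-stackit-${count.index}"
  location                   = "germanywestcentral"
  resource_group_name        = "rg-vpn-test"
  type                       = "IPsec"
  virtual_network_gateway_id = azurerm_virtual_network_gateway.azure_gateway.id
  local_network_gateway_id   = azurerm_local_network_gateway.stackit[count.index].id
  shared_key                 = random_password.psk[count.index].result
  enable_bgp                 = true
}
```

Because `random_password` results are stored in state, treat the Terraform state as a secret (remote backend with encryption and restricted access) and do not expose the PSK through an `output` block. The NSG rules deliberately name the single port and the single source CIDR; widening either is what turns a test VM reachable only over the tunnel into one reachable from the wider network.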
Prerequisites
- Configured STACKIT and Azure provider credentials.
- Azure CLI (az) installed and authenticated for testing from the Azure side.
Outputs
Once the deployment is complete, Terraform will output the following information to help you verify connectivity:
- vpn01_public_ip: The public IP of the debug machine in STACKIT.
- vpn01_private_ip: The private IP of the debug machine in STACKIT.
- azure_test_vm_private_ip: The private IP of the test VM in Azure.
- azure_run_command_ping_test: A pre-formatted Azure CLI command to test the connection.
How to Test the Connection
You can verify that the tunnel is fully operational in both directions by following these steps:
1. Test from Azure to STACKIT (Zero-Config)
We use the Azure "Run Command" feature to execute a ping test directly inside the private Azure VM, so neither SSH access nor a Bastion host is required.
Copy the command generated by the azure_run_command_ping_test output and run it in your terminal, replacing <vpn01_private_ip> with the value of the vpn01_private_ip output:
az vm run-command invoke \
--resource-group rg-vpn-test \
--name azure-vpn-test-vm \
--command-id RunShellScript \
--scripts 'ping -c 4 <vpn01_private_ip>'