Governance Policies Azure Networking Vpn Gateway - Azure/az-prototype GitHub Wiki
# Governance policies for VPN Gateway

Domain: azure-networking

| Name | Description |
|---|---|
| Active-active VPN Gateway with custom IPsec | Zone-redundant VPN Gateway with BGP, active-active, and strong IPsec policy |

| Description | Instead |
|---|---|
| Do not deploy a single-instance VPN Gateway for production | Use active-active configuration with two public IPs for high availability |
| Do not store VPN shared keys in plain text in source control | Use Key Vault references or secure parameters for shared keys |

| Check | Severity | Description |
|---|---|---|
| AZ-VPN-001 | Required | Deploy VPN Gateway with VpnGw2AZ or higher SKU for zone redundancy |
| AZ-VPN-002 | Required | Use IKEv2 with custom IPsec/IKE policy for site-to-site connections |
| AZ-VPN-003 | Required | Deploy GatewaySubnet with /27 or larger prefix for VPN Gateway |
| AZ-VPN-004 | Recommended | Enable diagnostic settings for VPN Gateway tunnel and route logs |

### AZ-VPN-001: Deploy VPN Gateway with VpnGw2AZ or higher SKU for zone redundancy

Severity: Required
Rationale: AZ SKUs provide availability zone support; VpnGw1 lacks zone redundancy and has limited bandwidth
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Network/virtualNetworkGateways

| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/publicIPAddresses | pip-resource | Two Standard SKU static IPs for active-active |
| Microsoft.Network/virtualNetworks/subnets | GatewaySubnet | GatewaySubnet with /27 or larger |
| Microsoft.Network/localNetworkGateways | lgw-onprem | On-premises network definition |
| Microsoft.Network/connections | s2s-connection | Site-to-site connection resource |
| Microsoft.Insights/diagnosticSettings | diag-udr | Route logs to Log Analytics |

### AZ-VPN-002: Use IKEv2 with custom IPsec/IKE policy for site-to-site connections

Severity: Required
Rationale: Default policies use weaker algorithms; custom policies enforce strong encryption
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Network/virtualNetworkGateways

| Resource | Name | Purpose |
|---|---|---|
| Microsoft.Network/virtualNetworkGateways | vpngw | VPN gateway |
| Microsoft.Network/localNetworkGateways | lgw-onprem | On-premises gateway |

### AZ-VPN-003: Deploy GatewaySubnet with /27 or larger prefix for VPN Gateway

Severity: Required
Rationale: VPN Gateway requires a dedicated GatewaySubnet; /27 allows for future growth and active-active
Agents: terraform-agent, bicep-agent, cloud-architect
- Microsoft.Network/virtualNetworkGateways

### AZ-VPN-004: Enable diagnostic settings for VPN Gateway tunnel and route logs

Severity: Recommended
Rationale: Tunnel diagnostics are critical for troubleshooting connectivity and monitoring BGP sessions
Agents: terraform-agent, bicep-agent, cloud-architect, monitoring-agent
- Microsoft.Network/virtualNetworkGateways

| Resource | Name | Purpose |
|---|---|---|
| Microsoft.OperationalInsights/workspaces | log-analytics | Log Analytics workspace |
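Checks AZ-VPN-001 to AZ-VPN-004 expressed as a small evaluator, as an added example that is not part of this wiki or of the az-prototype agents: it takes a constructed description of a gateway deployment and reports each failed check with its severity. The property names (sku, connectionProtocol, ipsecPolicies, addressPrefix, log categories) and the sample values are assumptions modelled on the ARM resource properties, not the project's own schema.

```python
from ipaddress import ip_network

# Check catalogue from this page: id -> severity.
CHECKS = {"AZ-VPN-001": "Required", "AZ-VPN-002": "Required",
          "AZ-VPN-003": "Required", "AZ-VPN-004": "Recommended"}
ZONE_REDUNDANT_SKUS = {"VpnGw2AZ", "VpnGw3AZ", "VpnGw4AZ", "VpnGw5AZ"}
REQUIRED_LOG_CATEGORIES = {"TunnelDiagnosticLog", "RouteDiagnosticLog"}

# Constructed sample deployments; the property names are assumptions modelled on the
# ARM resource properties (sku, connectionProtocol, ipsecPolicies, addressPrefix, log categories).
NONCOMPLIANT = {
    "gateway": {"sku": "VpnGw1", "activeActive": False},
    "gatewaySubnet": {"addressPrefix": "10.0.255.0/28"},
    "connections": [{"name": "s2s-connection", "connectionProtocol": "IKEv1", "ipsecPolicies": []}],
    "diagnosticLogs": ["GatewayDiagnosticLog"],
}
COMPLIANT = {
    "gateway": {"sku": "VpnGw2AZ", "activeActive": True},
    "gatewaySubnet": {"addressPrefix": "10.0.255.0/27"},
    "connections": [{"name": "s2s-connection", "connectionProtocol": "IKEv2", "ipsecPolicies": [
        {"ikeEncryption": "AES256", "ikeIntegrity": "SHA384", "dhGroup": "DHGroup14"}]}],
    "diagnosticLogs": ["GatewayDiagnosticLog", "TunnelDiagnosticLog", "RouteDiagnosticLog"],
}


def evaluate(cfg):
    """Return (check id, severity, message) for each check the deployment fails, in catalogue order."""
    findings = []

    def fail(check_id, message):
        findings.append((check_id, CHECKS[check_id], message))

    sku = cfg["gateway"].get("sku", "")
    if sku not in ZONE_REDUNDANT_SKUS:  # AZ-VPN-001: VpnGw2AZ or higher
        fail("AZ-VPN-001", f"SKU {sku!r} is not VpnGw2AZ or higher")
    for conn in cfg.get("connections", []):  # AZ-VPN-002: IKEv2 plus at least one custom policy
        if conn.get("connectionProtocol") != "IKEv2" or not conn.get("ipsecPolicies"):
            fail("AZ-VPN-002", f"connection {conn.get('name')!r} lacks IKEv2 with a custom IPsec/IKE policy")
    prefix = cfg["gatewaySubnet"]["addressPrefix"]
    if ip_network(prefix, strict=False).prefixlen > 27:  # AZ-VPN-003: longer prefix = smaller subnet
        fail("AZ-VPN-003", f"GatewaySubnet {prefix} is smaller than /27")
    missing = REQUIRED_LOG_CATEGORIES - set(cfg.get("diagnosticLogs", []))
    if missing:  # AZ-VPN-004: tunnel and route logs must both be enabled
        fail("AZ-VPN-004", f"diagnostic settings do not enable {sorted(missing)}")
    return findings


if __name__ == "__main__":
    for label, cfg in (("NONCOMPLIANT", NONCOMPLIANT), ("COMPLIANT", COMPLIANT)):
        print(label, evaluate(cfg) or "no findings")
```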