VPN Gateway Configuration

Point-to-Site and Site-to-Site VPN connectivity for secure remote access to the private AKS cluster and Azure services.

[!NOTE] Part of the Deployment Guide. Return there for navigation and deployment order.

[!IMPORTANT] Required for default configuration. With should_enable_private_aks_cluster = true (the default), you must deploy this VPN Gateway and connect before running kubectl commands or cluster setup scripts. Without VPN, the private cluster endpoint is not accessible.

To skip VPN, set should_enable_private_aks_cluster = false in your terraform.tfvars for a public AKS control plane.

📋 Prerequisites

Platform infrastructure deployed (cd infrastructure/terraform && terraform apply)
Terraform 1.5+ installed
Core variables matching parent deployment (environment, resource_prefix, location)

🚀 Quick Start

cd infrastructure/terraform/vpn

# Configure
cp terraform.tfvars.example terraform.tfvars
# Edit: environment, resource_prefix, location (must match 001-iac)

terraform init && terraform apply

Deployment takes 20-30 minutes for the VPN Gateway.

⚙️ Configuration

Variable	Description	Default
`gateway_subnet_address_prefix`	GatewaySubnet CIDR (min /27)	`10.0.3.0/27`
`vpn_gateway_config.sku`	Gateway SKU	`VpnGw1AZ`
`vpn_gateway_config.client_address_pool`	P2S client IP range	`["192.168.200.0/24"]`
`aad_auth_config.should_enable`	Enable Azure AD auth	`true`

Non-AZ VPN Gateway SKUs are being deprecated by Azure. Use the AZ equivalents (VpnGw1AZ, VpnGw2AZ, VpnGw3AZ) to avoid portal warnings and unplanned SKU updates outside Terraform.

🔐 Authentication Options

Azure AD (Recommended)

Enabled by default. Users authenticate with their Azure AD credentials via the Azure VPN Client.

aad_auth_config = {
  should_enable = true
}

Certificate

For environments without Azure AD integration:

aad_auth_config = {
  should_enable = false
}
root_certificate_public_data = "MIIC5jCCAc6g..." # Base64-encoded cert

💻 VPN Client Setup

Install Azure VPN Client

Platform	Installation
Windows	Microsoft Store
macOS	App Store
Ubuntu 20.04/22.04	Microsoft Docs

Download VPN Configuration

Open the Azure Portal
Navigate to your Virtual Network Gateway resource:
- Search for "Virtual network gateways" in the portal search bar
- Select the gateway matching your deployment (e.g., vgw-<resource_prefix>-<environment>-<instance>)
Select Point-to-site configuration from the left menu
Click Download VPN client button
Save and extract the downloaded ZIP file

Import Configuration

Open the Azure VPN Client application
Click the + (Import) button in the bottom left
Navigate to the extracted ZIP folder
Open the AzureVPN folder
Select azurevpnconfig_aad.xml (for Azure AD authentication)
Click Save

Connect

Select the imported connection profile
Click Connect
Authenticate with your Azure AD credentials when prompted
Verify connection status shows "Connected"

Once connected, you can access private endpoints including OSMO UI, PostgreSQL, and Redis.

🏢 Site-to-Site VPN

Connect on-premises networks:

vpn_site_connections = [{
  name                 = "on-prem-datacenter"
  address_spaces       = ["10.100.0.0/16"]
  gateway_ip_address   = "203.0.113.10"
  shared_key_reference = "datacenter-key"
}]

vpn_site_shared_keys = {
  "datacenter-key" = "your-preshared-key"
}

Infrastructure Deployment — Main infrastructure documentation
Private DNS — Private DNS for OSMO UI (requires VPN)

🤖 Crafted with precision by ✨Copilot following brilliant human instruction, then carefully refined by our team of discerning human reviewers.

📋 Prerequisites​

🚀 Quick Start​

⚙️ Configuration​

🔐 Authentication Options​

Azure AD (Recommended)​

Certificate​

💻 VPN Client Setup​

Install Azure VPN Client​

Download VPN Configuration​

Import Configuration​

Connect​

🏢 Site-to-Site VPN​

🔗 Related​