
Local Network Gateway

A Local Network Gateway is an Azure resource that represents an on-premises VPN device. It holds the public IP (or FQDN) of the device and the address spaces reachable through it. The Local Network Gateway itself carries no cost and does not establish any connection — it is metadata that a Virtual Network Gateway Connection references to build a Site-to-Site tunnel.

Basic Configuration

The minimal configuration requires a gateway address and the on-premises address space:

local_network_gateway = {
    onprem01 = {
        resource_group  = "hub"
        gateway_address = "203.0.113.1"
        address_space   = ["10.0.0.0/8"]
    }
}

This creates a Local Network Gateway with the following defaults:

- BGP: Disabled
- Location: Uses the location defined in the main configuration

Advanced Configuration

The following example enables BGP and demonstrates multiple on-premises address spaces:

local_network_gateway = {
    onprem01 = {
        resource_group  = "hub"
        gateway_address = "203.0.113.1"
        address_space   = [
            "10.0.0.0/8",
            "192.168.0.0/16"
        ]

        bgp_settings = {
            asn                 = 65000       # Must differ from Azure VGW ASN
            bgp_peering_address = "169.254.21.1"
            peer_weight         = 0
        }
    }

    onprem-fqdn = {
        resource_group = "hub"
        gateway_fqdn   = "vpn.contoso.com" # Use when on-premises device has a dynamic public IP
    }
}

Configuration Parameters

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| resource_group | string | Yes | - | Key of the resource group where the gateway is deployed |
| gateway_address | string | No* | - | Public IP address of the on-premises VPN device. Mutually exclusive with gateway_fqdn |
| gateway_fqdn | string | No* | - | FQDN of the on-premises VPN device. Mutually exclusive with gateway_address |
| address_space | list(string) | No | null | On-premises address prefixes reachable through this gateway. Not required when BGP is used |
| bgp_settings | object | No | null | BGP configuration block (see BGP Settings) |
| name | string | No | Auto-generated | Custom name. If not specified, uses the naming convention |
| location | string | No | Global location | Azure region where the resource is created |
| timeouts | object | No | null | Custom Terraform operation timeouts (create, read, update, delete) |
| tags | map(string) | No | {} | Tags merged with default tags |

* One of gateway_address or gateway_fqdn must be provided.

BGP Settings

Configure BGP when the corresponding Virtual Network Gateway has bgp_enabled = true. The ASN here must differ from the Azure gateway ASN.

bgp_settings = {
    asn                 = 65000        # CHANGEME — on-premises BGP ASN
    bgp_peering_address = "169.254.21.1" # BGP peer IP on on-premises device (link-local or loopback)
    peer_weight         = 0            # Optional — higher value = preferred path
}

| Field | Type | Required | Description |
|---|---|---|---|
| asn | number | Yes | On-premises BGP autonomous system number. Must differ from the Azure VGW ASN and avoid reserved ranges 65515–65520 |
| bgp_peering_address | string | Yes | BGP peer IP on the on-premises device. Typically a link-local (169.254.x.x) or loopback address |
| peer_weight | number | No | Weight added to routes learned from this peer. Higher value = preferred path when multiple peers advertise the same prefix |

Naming Convention

Gateway names are automatically generated using the following pattern:

{name_prefixes.local_network_gateway}{key}{name_suffixes.local_network_gateway}

For example, with the following prefixes and suffixes:

name_prefixes = {
    local_network_gateway = "lgw-connect-"
}

name_suffixes = {
    local_network_gateway = "-westus2"
}

local_network_gateway = {
    onprem01 = {
        resource_group  = "hub"
        gateway_address = "203.0.113.1"
        address_space   = ["10.0.0.0/8"]
    }
}

The resulting gateway name would be: lgw-connect-onprem01-westus2

To override automatic naming, specify a custom name:

local_network_gateway = {
    onprem01 = {
        name            = "my-onpremises-gateway"
        resource_group  = "hub"
        gateway_address = "203.0.113.1"
        address_space   = ["10.0.0.0/8"]
    }
}

Placeholder / Pre-Provisioning Pattern

Because the Local Network Gateway is free metadata, it can be deployed before the on-premises device is ready using RFC 5737 documentation addresses as placeholders. No traffic will route to these addresses as they are reserved and never routed on the internet.

local_network_gateway = {
    onprem01 = {
        resource_group  = "hub"
        gateway_address = "203.0.113.1"       # RFC 5737 TEST-NET-3 — replace with real IP
        address_space   = ["203.0.113.0/24"]  # RFC 5737 TEST-NET-3 — replace with real address space
    }
}

RFC 5737 documentation ranges: 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24

Best Practices

  1. BGP over Static Routes: When the connected VPN gateway has BGP enabled, configure bgp_settings here as well. BGP eliminates the need to maintain address_space manually as on-premises routes change
  2. FQDN for Dynamic IPs: Use gateway_fqdn instead of gateway_address when the on-premises device has a dynamic public IP. Azure re-resolves the FQDN periodically
  3. Unique ASNs: Ensure the on-premises ASN in bgp_settings.asn differs from the Azure VGW ASN and from all other connected peer ASNs
  4. address_space with BGP: When BGP is enabled, address_space is not required — routes are exchanged dynamically. However, specifying it explicitly provides a fallback for static routing and improves visibility in the portal
  5. One Gateway Per Site: Create one Local Network Gateway per distinct on-premises site or VPN device, even if multiple devices share the same address space
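The constraints spread across the Configuration Parameters table, the BGP Settings table, the placeholder pattern and the best practices above can be checked before `terraform apply`. The following pre-apply lint is an added example, not part of this module: it takes the `local_network_gateway` map in the same shape as the HCL above (for instance loaded from a `.tfvars.json` file) and the Azure VGW ASN as an assumed input, and flags an address or FQDN that is missing or doubled, an `address_space` omitted without BGP, an ASN that collides with the VGW or the reserved 65515–65520 range or another site, and RFC 5737 placeholders left behind from pre-provisioning.

```python
import ipaddress

# RFC 5737 documentation ranges used as pre-provisioning placeholders on this page.
RFC5737_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]
# Reserved ASN range named in the BGP Settings table (65515-65520 inclusive).
AZURE_RESERVED_ASNS = range(65515, 65521)


def is_documentation_ip(addr):
    """True if addr (a host address or a prefix) lies inside an RFC 5737 range."""
    net = ipaddress.ip_network(addr, strict=False)
    return any(net.version == doc.version and net.subnet_of(doc) for doc in RFC5737_NETS)


def lint_local_network_gateways(lngs, azure_vgw_asn):
    """Return (key, message) findings for a local_network_gateway map.

    lngs mirrors the HCL map shown on this page; azure_vgw_asn is the ASN of the
    Virtual Network Gateway the sites peer with (an assumed input, not a module field).
    """
    findings, seen_asns = [], {}
    for key, cfg in lngs.items():
        has_ip = cfg.get("gateway_address") is not None
        has_fqdn = cfg.get("gateway_fqdn") is not None
        if has_ip == has_fqdn:  # neither or both set
            findings.append((key, "exactly one of gateway_address or gateway_fqdn is required"))
        bgp = cfg.get("bgp_settings")
        prefixes = cfg.get("address_space") or []
        if not prefixes and bgp is None:
            findings.append((key, "address_space is required when bgp_settings is not set"))
        if has_ip and is_documentation_ip(cfg["gateway_address"]):
            findings.append((key, "gateway_address is an RFC 5737 placeholder; the tunnel cannot come up"))
        for prefix in prefixes:
            if is_documentation_ip(prefix):
                findings.append((key, f"address_space {prefix} is an RFC 5737 placeholder"))
        if bgp is not None:
            asn = bgp.get("asn")
            if asn is None or bgp.get("bgp_peering_address") is None:
                findings.append((key, "bgp_settings needs both asn and bgp_peering_address"))
            if asn is not None:
                if asn == azure_vgw_asn or asn in AZURE_RESERVED_ASNS:
                    findings.append((key, f"asn {asn} collides with the Azure VGW ASN or a reserved range"))
                if asn in seen_asns:
                    findings.append((key, f"asn {asn} is already used by {seen_asns[asn]}"))
                seen_asns.setdefault(asn, key)
    return findings


# Constructed sample map: a placeholder site, a BGP site on a reserved ASN, an empty site.
SAMPLE = {
    "onprem01": {"resource_group": "hub", "gateway_address": "203.0.113.1", "address_space": ["203.0.113.0/24"]},
    "onprem02": {"resource_group": "hub", "gateway_fqdn": "vpn.contoso.com",
                 "bgp_settings": {"asn": 65515, "bgp_peering_address": "169.254.21.1"}},
    "onprem03": {"resource_group": "hub"},
}
```

Running `lint_local_network_gateways(SAMPLE, 65515)` reports two placeholder findings for onprem01, the reserved-ASN collision for onprem02, and the missing address and address_space for onprem03.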