network-virtualnetwork
This Terraform Azure Verified Module deploys: terraform-azurerm-avm-res-network-virtualnetwork
ipm add --package avm-terraform/network-virtualnetwork --version 0.15.0
Published: 15-10-2025
Project URL: https://ipmhub.io/avm-terraform
Package Type: Terraform
License: MIT
Azure Virtual Network Module
This module is used to manage Azure Virtual Networks, Subnets and Peerings, with optional IPAM (IP Address Management) support.
This module is composite and includes sub modules that can be used independently for pre-existing virtual networks. These sub modules are:
- subnet - The subnet module is used to manage subnets within a virtual network.
- peering - The peering module is used to manage virtual network peerings.
Features
This module supports managing virtual networks and their associated subnets and peerings together or independently.
The module supports:
- Creating a new virtual network
- Creating a new subnet
- Creating a new virtual network peering
- Associating DNS servers with a virtual network
- Associating a DDOS protection plan with a virtual network
- Associating a network security group with a subnet
- Associating a route table with a subnet
- Associating a service endpoint with a subnet
- Associating a virtual network gateway with a subnet
- Assigning delegations to subnets
- IPAM pool allocation for virtual network address space
- IPAM pool allocation for individual subnets
- Mixed IPAM and traditional addressing within the same virtual network
IPAM Support
This module provides comprehensive IPAM (IP Address Management) support through Azure Virtual Network Manager IPAM pools.
What IPAM Provides
- VNet address space allocation from centralized IPAM pools
- Subnet address allocation from IPAM pools
- Multiple pool support for IPv4 and IPv6 addressing
- Mixed addressing - combine IPAM and traditional subnets in the same VNet
- All standard subnet features work with IPAM subnets (NSGs, service endpoints, delegations, etc.)
Benefits
- Centralized IP governance through Azure Network Manager
- Automatic conflict prevention during address allocation
- Simplified address management across multiple deployments
IPAM Regional Support
⚠️ IPAM NOT supported in these regions:
chilecentral, jioindiawest, malaysiawest, qatarcentral, southafricawest, westindia, westus3
Note: IPAM is available in all other regions where Azure Virtual Network Manager is supported. For the most up-to-date regional availability, consult the Azure products by region page.
IPAM Examples
- ipam_basic - Complete IPAM usage with VNet and multiple subnets
- existing_vnet_ipam_subnets - Adding IPAM subnets to existing VNet managed by IPAM
- ipam_vnet_only - IPAM VNet creation without subnets
Prerequisites
For IPAM Features
- Azure Virtual Network Manager: Required for all IPAM functionality
- Supported Azure region: IPAM must be available in your target region (see Regional Support)
- azapi provider: Version ~> 2.4 required for IPAM resource management
- Proper permissions: Network Manager and IPAM pool management permissions
Usage
To use this module in your Terraform configuration, you'll need to provide values for the required variables.
Example - Basic Virtual Network with Subnets
This example shows the most basic usage of the module. It creates a new virtual network with subnets using traditional static addressing.
module "avm-res-network-virtualnetwork" {
  source = "packages/network-virtualnetwork"

  address_space = ["10.0.0.0/16"]
  location      = "eastus2"
  name          = "vnet-demo-eastus2-001"
  parent_id     = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo-eastus2-001"

  subnets = {
    "subnet1" = {
      name             = "subnet1"
      address_prefixes = ["10.0.0.0/24"]
    }
    "subnet2" = {
      name             = "subnet2"
      address_prefixes = ["10.0.1.0/24"]
    }
  }
}
Example - IPAM Virtual Network with Multiple Subnets
This example demonstrates IPAM usage with both VNet and subnet address allocation from IPAM pools.
module "avm-res-network-virtualnetwork" {
  source = "packages/network-virtualnetwork"

  location  = "East US"
  name      = "myIPAMVNet"
  parent_id = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup"

  # VNet address space from IPAM pool
  ipam_pools = [{
    id            = azapi_resource.ipam_pool.id
    prefix_length = 24
  }]

  # Multiple subnets allocated from IPAM pool
  subnets = {
    "web_subnet" = {
      name = "subnet-web"
      ipam_pools = [{
        pool_id       = azapi_resource.ipam_pool.id
        prefix_length = 26
      }]
    }
    "app_subnet" = {
      name = "subnet-app"
      ipam_pools = [{
        pool_id       = azapi_resource.ipam_pool.id
        prefix_length = 26
      }]
    }
    "data_subnet" = {
      name = "subnet-data"
      ipam_pools = [{
        pool_id       = azapi_resource.ipam_pool.id
        prefix_length = 27
      }]
    }
  }
}
Example - Create a subnet on a pre-existing Virtual Network
This example shows how to create a subnet for a pre-existing virtual network using the subnet module.
module "avm-res-network-subnet" {
  source = "Azure/avm-res-network-virtualnetwork/azurerm//modules/subnet"

  parent_id        = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/myResourceGroup/providers/Microsoft.Network/virtualNetworks/myVNet"
  name             = "subnet1"
  address_prefixes = ["10.0.0.0/24"]
}
Troubleshooting
Common IPAM Issues
- "IPAM subnet creation failed": Ensure parent VNet was created with IPAM pools for its address space
- "Region not supported": Check the IPAM Regional Support section above
- "Network Manager not found": Ensure Azure Virtual Network Manager exists before creating IPAM pools
- "Subnet overlap errors": Module uses retry logic to handle allocation conflicts automatically
- "Pool exhausted": Check that your IPAM pool has sufficient available address space for the requested subnets
Requirements
The following requirements are needed by this module:
Resources
The following resources are used by this module:
- azapi_resource.vnet (resource)
- azurerm_management_lock.this (resource)
- azurerm_monitor_diagnostic_setting.this (resource)
- azurerm_role_assignment.vnet_level (resource)
- modtm_telemetry.telemetry (resource)
- random_uuid.telemetry (resource)
- azapi_client_config.telemetry (data source)
- modtm_module_source.telemetry (data source)
Required Inputs
The following input variables are required:
location
Description: (Optional) The location/region where the virtual network is created. Changing this forces a new resource to be created.
Type: string
parent_id
Description: (Optional) The ID of the resource group where the virtual network will be deployed.
Type: string
Optional Inputs
The following input variables are optional (have default values):
address_space
Description: (Optional) The address spaces applied to the virtual network. You can supply more than one address space.
Either address_space or ipam_pools must be specified, but not both.
Type: set(string)
Default: null
bgp_community
Description: (Optional) The BGP community to send to the virtual network gateway.
Type: string
Default: null
ddos_protection_plan
Description: Specifies an Azure Network DDoS Protection Plan.
- id: The ID of the DDoS Protection Plan. (Required)
- enable: Enables or disables the DDoS Protection Plan on the Virtual Network. (Required)
Type:
object({
  id     = string
  enable = bool
})
Default: null
diagnostic_settings
Description: A map of diagnostic settings to create on the Key Vault. The map key is deliberately arbitrary to avoid issues where map keys may be unknown at plan time.
- name - (Optional) The name of the diagnostic setting. One will be generated if not set, however this will not be unique if you want to create multiple diagnostic setting resources.
- log_categories - (Optional) A set of log categories to send to the log analytics workspace. Defaults to [].
- log_groups - (Optional) A set of log groups to send to the log analytics workspace. Defaults to ["allLogs"].
- metric_categories - (Optional) A set of metric categories to send to the log analytics workspace. Defaults to ["AllMetrics"].
- log_analytics_destination_type - (Optional) The destination type for the diagnostic setting. Possible values are Dedicated and AzureDiagnostics. Defaults to Dedicated.
- workspace_resource_id - (Optional) The resource ID of the log analytics workspace to send logs and metrics to.
- storage_account_resource_id - (Optional) The resource ID of the storage account to send logs and metrics to.
- event_hub_authorization_rule_resource_id - (Optional) The resource ID of the event hub authorization rule to send logs and metrics to.
- event_hub_name - (Optional) The name of the event hub. If none is specified, the default event hub will be selected.
- marketplace_partner_resource_id - (Optional) The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.
Type:
map(object({
  name                                     = optional(string, null)
  log_categories                           = optional(set(string), [])
  log_groups                               = optional(set(string), ["allLogs"])
  metric_categories                        = optional(set(string), ["AllMetrics"])
  log_analytics_destination_type           = optional(string, "Dedicated")
  workspace_resource_id                    = optional(string, null)
  storage_account_resource_id              = optional(string, null)
  event_hub_authorization_rule_resource_id = optional(string, null)
  event_hub_name                           = optional(string, null)
  marketplace_partner_resource_id          = optional(string, null)
}))
Default: {}
dns_servers
Description: (Optional) Specifies a list of IP addresses representing DNS servers.
- dns_servers: List of IP addresses of DNS servers.
Type:
object({
  dns_servers = list(string)
})
Default: null
enable_telemetry
Description: This variable controls whether or not telemetry is enabled for the module.
For more information see https://aka.ms/avm/telemetryinfo.
If it is set to false, then no telemetry will be collected.
Type: bool
Default: false
enable_vm_protection
Description: (Optional) Enable VM Protection for the virtual network. Defaults to false.
Type: bool
Default: false
encryption
Description: (Optional) Specifies the encryption settings for the virtual network.
- enabled: Specifies whether encryption is enabled for the virtual network.
- enforcement: Specifies the enforcement mode for the virtual network. Possible values are AllowUnencrypted and DropUnencrypted.
Note: When using DropUnencrypted enforcement, the AllowDropUnecryptedVnet subscription feature must be registered first. See the vnet-encryption-setup example for details.
Type:
object({
  enabled     = bool
  enforcement = string
})
Default: null
extended_location
Description: (Optional) Specifies the extended location of the virtual network.
- name: The name of the extended location.
- type: The type of the extended location.
Type:
object({
  name = string
  type = string
})
Default: null
flow_timeout_in_minutes
Description: (Optional) The flow timeout in minutes for the virtual network. Defaults to 4.
Type: number
Default: null
ipam_pools
Description: (Optional) Specifies the IPAM settings for requesting an address_space from an IP Pool. Only one IPv4 and one IPv6 pool can be specified.
- id: The ID of the IPAM pool.
- prefix_length: The length of the /XX CIDR range to request, for example 24 for a /24. Prefix length must be between 2 and 29 for IPv4 and 48 and 64 for IPv6.
Type:
list(object({
  id            = string
  prefix_length = number
}))
Default: null
lock
Description: (Optional) Controls the Resource Lock configuration for this resource. The following properties can be specified:
- kind - (Required) The type of lock. Possible values are "CanNotDelete" and "ReadOnly".
- name - (Optional) The name of the lock. If not specified, a name will be generated based on the kind value. Changing this forces the creation of a new resource.
Type:
object({
  kind = string
  name = optional(string, null)
})
Default: null
name
Description: (Optional) The name of the virtual network to create. If null, existing_virtual_network must be supplied.
Type: string
Default: null
peerings
Description: (Optional) A map of virtual network peering configurations. Each entry specifies a remote virtual network by ID and includes settings for traffic forwarding, gateway transit, and remote gateways usage.
- name: The name of the virtual network peering configuration.
- remote_virtual_network_resource_id: The resource ID of the remote virtual network.
- allow_forwarded_traffic: (Optional) Enables forwarded traffic between the virtual networks. Defaults to false.
- allow_gateway_transit: (Optional) Enables gateway transit for the virtual networks. Defaults to false.
- allow_virtual_network_access: (Optional) Enables access from the local virtual network to the remote virtual network. Defaults to true.
- do_not_verify_remote_gateways: (Optional) Disables the verification of remote gateways for the virtual networks. Defaults to false.
- enable_only_ipv6_peering: (Optional) Enables only IPv6 peering for the virtual networks. Defaults to false.
- peer_complete_vnets: (Optional) Enables the peering of complete virtual networks for the virtual networks. Defaults to false.
- local_peered_address_spaces: (Optional) The address spaces to peer with the remote virtual network. Only used when peer_complete_vnets is set to true.
- remote_peered_address_spaces: (Optional) The address spaces to peer from the remote virtual network. Only used when peer_complete_vnets is set to true.
- local_peered_subnets: (Optional) The subnets to peer with the remote virtual network. Only used when peer_complete_vnets is set to true.
- remote_peered_subnets: (Optional) The subnets to peer from the remote virtual network. Only used when peer_complete_vnets is set to true.
- use_remote_gateways: (Optional) Enables the use of remote gateways for the virtual networks. Defaults to false.
- create_reverse_peering: (Optional) Creates the reverse peering to form a complete peering.
- reverse_name: (Optional) If you have selected create_reverse_peering, then this name will be used for the reverse peer.
- reverse_allow_forwarded_traffic: (Optional) If you have selected create_reverse_peering, enables forwarded traffic between the virtual networks. Defaults to false.
- reverse_allow_gateway_transit: (Optional) If you have selected create_reverse_peering, enables gateway transit for the virtual networks. Defaults to false.
- reverse_allow_virtual_network_access: (Optional) If you have selected create_reverse_peering, enables access from the local virtual network to the remote virtual network. Defaults to true.
- reverse_do_not_verify_remote_gateways: (Optional) If you have selected create_reverse_peering, disables the verification of remote gateways for the virtual networks. Defaults to false.
- reverse_enable_only_ipv6_peering: (Optional) If you have selected create_reverse_peering, enables only IPv6 peering for the virtual networks. Defaults to false.
- reverse_peer_complete_vnets: (Optional) If you have selected create_reverse_peering, enables the peering of complete virtual networks for the virtual networks. Defaults to false.
- reverse_local_peered_address_spaces: (Optional) If you have selected create_reverse_peering, the address spaces to peer with the remote virtual network. Only used when reverse_peer_complete_vnets is set to true.
- reverse_remote_peered_address_spaces: (Optional) If you have selected create_reverse_peering, the address spaces to peer from the remote virtual network. Only used when reverse_peer_complete_vnets is set to true.
- reverse_local_peered_subnets: (Optional) If you have selected create_reverse_peering, the subnets to peer with the remote virtual network. Only used when reverse_peer_complete_vnets is set to true.
- reverse_remote_peered_subnets: (Optional) If you have selected create_reverse_peering, the subnets to peer from the remote virtual network. Only used when reverse_peer_complete_vnets is set to true.
- reverse_use_remote_gateways: (Optional) If you have selected create_reverse_peering, enables the use of remote gateways for the virtual networks. Defaults to false.
- sync_remote_address_space_enabled: (Optional) If the peering sync status changes a plan will be created to sync the peering address space with an azapi update resource. Defaults to false.
- sync_remote_address_space_triggers: (Optional) A value that when changed will trigger a resync of the remote address space. This must be supplied if sync_remote_address_space_enabled is true. Defaults to null.
timeouts (Optional) supports the following:
- create - (Defaults to 30 minutes) Used when creating the Subnet.
- delete - (Defaults to 30 minutes) Used when deleting the Subnet.
- read - (Defaults to 5 minutes) Used when retrieving the Subnet.
- update - (Defaults to 30 minutes) Used when updating the Subnet.
retry (Optional) supports the following:
- error_message_regex - (Optional) A list of regular expressions to match against the error message returned by the API. If any of these match, the retry will be triggered.
- interval_seconds - (Optional) The number of seconds to wait between retries. Defaults to 10.
- max_interval_seconds - (Optional) The maximum number of seconds to wait between retries. Defaults to 180.
- multiplier - (Optional) The multiplier to apply to the interval between retries. Defaults to 1.5.
Type:
map(object({
  name                               = string
  remote_virtual_network_resource_id = string
  allow_forwarded_traffic            = optional(bool, false)
  allow_gateway_transit              = optional(bool, false)
  allow_virtual_network_access       = optional(bool, true)
  do_not_verify_remote_gateways      = optional(bool, false)
  enable_only_ipv6_peering           = optional(bool, false)
  peer_complete_vnets                = optional(bool, true)
  local_peered_address_spaces = optional(list(object({
    address_prefix = string
  })))
  remote_peered_address_spaces = optional(list(object({
    address_prefix = string
  })))
  local_peered_subnets = optional(list(object({
    subnet_name = string
  })))
  remote_peered_subnets = optional(list(object({
    subnet_name = string
  })))
  use_remote_gateways                   = optional(bool, false)
  create_reverse_peering                = optional(bool, false)
  reverse_name                          = optional(string)
  reverse_allow_forwarded_traffic       = optional(bool, false)
  reverse_allow_gateway_transit         = optional(bool, false)
  reverse_allow_virtual_network_access  = optional(bool, true)
  reverse_do_not_verify_remote_gateways = optional(bool, false)
  reverse_enable_only_ipv6_peering      = optional(bool, false)
  reverse_peer_complete_vnets           = optional(bool, true)
  reverse_local_peered_address_spaces = optional(list(object({
    address_prefix = string
  })))
  reverse_remote_peered_address_spaces = optional(list(object({
    address_prefix = string
  })))
  reverse_local_peered_subnets = optional(list(object({
    subnet_name = string
  })))
  reverse_remote_peered_subnets = optional(list(object({
    subnet_name = string
  })))
  reverse_use_remote_gateways        = optional(bool, false)
  sync_remote_address_space_enabled  = optional(bool, false)
  sync_remote_address_space_triggers = optional(any, null)
  timeouts = optional(object({
    create = optional(string, "30m")
    read   = optional(string, "5m")
    update = optional(string, "30m")
    delete = optional(string, "30m")
  }), {})
  retry = optional(object({
    error_message_regex  = optional(list(string), ["ReferencedResourceNotProvisioned"])
    interval_seconds     = optional(number, 10)
    max_interval_seconds = optional(number, 180)
  }), {})
}))
Default: {}
retry
Description: Retry configuration for the resource operations
Type:
object({
  error_message_regex  = optional(list(string), ["ReferencedResourceNotProvisioned"])
  interval_seconds     = optional(number, 10)
  max_interval_seconds = optional(number, 180)
})
Default: {}
role_assignments
Description: (Optional) A map of role assignments to create on the
- role_definition_id_or_name - The ID or name of the role definition to assign to the principal.
- principal_id - The ID of the principal to assign the role to.
- description - (Optional) The description of the role assignment.
- skip_service_principal_aad_check - (Optional) If set to true, skips the Azure Active Directory check for the service principal in the tenant. Defaults to false.
- condition - (Optional) The condition which will be used to scope the role assignment.
- condition_version - (Optional) The version of the condition syntax. Leave as null if you are not using a condition, if you are then valid values are '2.0'.
- delegated_managed_identity_resource_id - (Optional) The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created. This field is only used in cross-tenant scenario.
- principal_type - (Optional) The type of the principal_id. Possible values are User, Group and ServicePrincipal. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filters on the PrincipalType attribute.
Note: only set skip_service_principal_aad_check to true if you are assigning a role to a service principal.
Type:
map(object({
  role_definition_id_or_name             = string
  principal_id                           = string
  description                            = optional(string, null)
  skip_service_principal_aad_check       = optional(bool, false)
  condition                              = optional(string, null)
  condition_version                      = optional(string, null)
  delegated_managed_identity_resource_id = optional(string, null)
  principal_type                         = optional(string, null)
}))
Default: {}
subnets
Description: (Optional) A map of subnets to create
- address_prefix - (Optional) The address prefix to use for the subnet. One of address_prefix, address_prefixes, or ipam_pools must be specified.
- address_prefixes - (Optional) The address prefixes to use for the subnet. One of address_prefix, address_prefixes, or ipam_pools must be specified.
- ipam_pools - (Optional) IPAM pools to allocate address space from. When specified, the subnet will request address space from these pools. Each pool configuration supports:
  - pool_id: Resource ID of the IPAM pool to allocate from
  - prefix_length: The CIDR prefix length for this subnet (e.g., 24 for /24, 26 for /26)
  - allocation_type: Type of allocation - "Static" (default) or "Dynamic"
- enforce_private_link_endpoint_network_policies -
- enforce_private_link_service_network_policies -
- name - (Required) The name of the subnet. Changing this forces a new resource to be created.
- default_outbound_access_enabled - (Optional) Whether to allow internet access from the subnet. Defaults to false.
- private_endpoint_network_policies - (Optional) Enable or Disable network policies for the private endpoint on the subnet. Possible values are Disabled, Enabled, NetworkSecurityGroupEnabled and RouteTableEnabled. Defaults to Enabled.
- private_link_service_network_policies_enabled - (Optional) Enable or Disable network policies for the private link service on the subnet. Setting this to true will Enable the policy and setting this to false will Disable the policy. Defaults to true.
- service_endpoint_policies - (Optional) The map of objects with IDs of Service Endpoint Policies to associate with the subnet.
- service_endpoints_with_location - (Optional) Service endpoints with location restrictions to associate with the subnet. Each service endpoint is an object with the following properties:
  - service - (Required) The service name. Possible values include: Microsoft.AzureActiveDirectory, Microsoft.AzureCosmosDB, Microsoft.ContainerRegistry, Microsoft.EventHub, Microsoft.KeyVault, Microsoft.ServiceBus, Microsoft.Sql, Microsoft.Storage, Microsoft.Storage.Global and Microsoft.Web.
  - locations - (Optional) A set of Azure region names where the service endpoint should apply. Default is ["*"] to apply to all regions.
delegation (This setting is deprecated, use delegations instead) supports the following:
- name - (Required) A name for this delegation.
- service_delegation - (Required) The service delegation to associate with the subnet. This is an object with a name property that specifies the name of the service delegation.
delegations supports the following:
- name - (Required) A name for this delegation.
- service_delegation - (Required) The service delegation to associate with the subnet. This is an object with a name property that specifies the name of the service delegation.
nat_gateway supports the following:
- id - (Optional) The ID of the NAT Gateway which should be associated with the Subnet. Changing this forces a new resource to be created.
network_security_group supports the following:
- id - (Optional) The ID of the Network Security Group which should be associated with the Subnet. Changing this forces a new association to be created.
route_table supports the following:
- id - (Optional) The ID of the Route Table which should be associated with the Subnet. Changing this forces a new association to be created.
timeouts (Optional) supports the following:
- create - (Defaults to 30 minutes) Used when creating the Subnet.
- delete - (Defaults to 30 minutes) Used when deleting the Subnet.
- read - (Defaults to 5 minutes) Used when retrieving the Subnet.
- update - (Defaults to 30 minutes) Used when updating the Subnet.
retry (Optional) supports the following:
- error_message_regex - (Optional) A list of regular expressions to match against the error message returned by the API. If any of these match, the retry will be triggered.
- interval_seconds - (Optional) The number of seconds to wait between retries. Defaults to 10.
- max_interval_seconds - (Optional) The maximum number of seconds to wait between retries. Defaults to 180.
role_assignments supports the following:
- role_definition_id_or_name - The ID or name of the role definition to assign to the principal.
- principal_id - The ID of the principal to assign the role to.
- description - (Optional) The description of the role assignment.
- skip_service_principal_aad_check - (Optional) If set to true, skips the Azure Active Directory check for the service principal in the tenant. Defaults to false.
- condition - (Optional) The condition which will be used to scope the role assignment.
- condition_version - (Optional) The version of the condition syntax. Leave as null if you are not using a condition, if you are then valid values are '2.0'.
- delegated_managed_identity_resource_id - (Optional) The delegated Azure Resource Id which contains a Managed Identity. Changing this forces a new resource to be created. This field is only used in cross-tenant scenario.
- principal_type - (Optional) The type of the principal_id. Possible values are User, Group and ServicePrincipal. It is necessary to explicitly set this attribute when creating role assignments if the principal creating the assignment is constrained by ABAC rules that filters on the PrincipalType attribute.
Type:
map(object({
  address_prefix   = optional(string)
  address_prefixes = optional(list(string))
  name             = string
  ipam_pools = optional(list(object({
    pool_id         = string
    prefix_length   = optional(number)
    allocation_type = optional(string, "Static")
  })))
  nat_gateway = optional(object({
    id = string
  }))
  network_security_group = optional(object({
    id = string
  }))
  private_endpoint_network_policies             = optional(string, "Enabled")
  private_link_service_network_policies_enabled = optional(bool, true)
  route_table = optional(object({
    id = string
  }))
  service_endpoint_policies = optional(map(object({
    id = string
  })))
  service_endpoints_with_location = optional(list(object({
    service   = string
    locations = optional(list(string), ["*"])
  })))
  default_outbound_access_enabled = optional(bool, false)
  sharing_scope                   = optional(string, null)
  delegations = optional(list(object({
    name = string
    service_delegation = object({
      name = string
    })
  })))
  timeouts = optional(object({
    create = optional(string, "30m")
    read   = optional(string, "5m")
    update = optional(string, "30m")
    delete = optional(string, "30m")
  }), {})
  retry = optional(object({
    error_message_regex  = optional(list(string), ["ReferencedResourceNotProvisioned"])
    interval_seconds     = optional(number, 10)
    max_interval_seconds = optional(number, 180)
  }), {})
  role_assignments = optional(map(object({
    role_definition_id_or_name             = string
    principal_id                           = string
    description                            = optional(string, null)
    skip_service_principal_aad_check       = optional(bool, false)
    condition                              = optional(string, null)
    condition_version                      = optional(string, null)
    delegated_managed_identity_resource_id = optional(string, null)
    principal_type                         = optional(string, null)
  })))
}))
Default: {}
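A security-oriented call to the module that combines the encryption, lock, diagnostic_settings, role_assignments and subnets inputs documented above. This is an added example, not code from the module's repository; the module label, the locals, and every resource and principal ID are placeholders constructed for illustration.

```hcl
# Added example. All IDs below are placeholders; replace them with your own.
locals {
  rg_id          = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo-eastus2-001"
  nsg_app_id     = "${local.rg_id}/providers/Microsoft.Network/networkSecurityGroups/nsg-app"
  nsg_data_id    = "${local.rg_id}/providers/Microsoft.Network/networkSecurityGroups/nsg-data"
  route_table_id = "${local.rg_id}/providers/Microsoft.Network/routeTables/rt-egress"
  workspace_id   = "${local.rg_id}/providers/Microsoft.OperationalInsights/workspaces/law-security"
  reader_group   = "00000000-0000-0000-0000-000000000000" # placeholder principal object ID
}

module "vnet_hardened" {
  source = "packages/network-virtualnetwork"

  name          = "vnet-demo-eastus2-001"
  location      = "eastus2"
  parent_id     = local.rg_id
  address_space = ["10.0.0.0/16"]

  # Turn on VNet encryption. Moving to DropUnencrypted additionally requires
  # the subscription feature registration described in the encryption input.
  encryption = {
    enabled     = true
    enforcement = "AllowUnencrypted"
  }

  # Resource lock so the network cannot be deleted without removing the lock first.
  lock = {
    kind = "CanNotDelete"
  }

  # Ship logs and metrics to a Log Analytics workspace. log_groups and
  # metric_categories keep their defaults (["allLogs"], ["AllMetrics"]).
  diagnostic_settings = {
    to_workspace = {
      name                  = "diag-vnet-to-law"
      workspace_resource_id = local.workspace_id
    }
  }

  # Read-only access for a reviewer group. principal_type is set explicitly,
  # which the input description requires when ABAC rules filter on it.
  role_assignments = {
    network_readers = {
      role_definition_id_or_name = "Reader"
      principal_id               = local.reader_group
      principal_type             = "Group"
    }
  }

  subnets = {
    app = {
      name             = "snet-app"
      address_prefixes = ["10.0.0.0/24"]

      # No implicit internet egress; outbound traffic follows the route table.
      default_outbound_access_enabled = false
      network_security_group          = { id = local.nsg_app_id }
      route_table                     = { id = local.route_table_id }
    }
    data = {
      name             = "snet-data"
      address_prefixes = ["10.0.1.0/24"]

      default_outbound_access_enabled = false
      network_security_group          = { id = local.nsg_data_id }

      # Keep network policies applied to private endpoints in this subnet
      # (the default, stated explicitly so a later change shows up in review).
      private_endpoint_network_policies = "Enabled"
    }
  }
}
```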
tags
Description: (Optional) Tags of the resource.
Type: map(string)
Default: null
timeouts
Description: Timeouts for the resource operations
Type:
object({
  create = optional(string, "30m")
  read   = optional(string, "5m")
  update = optional(string, "30m")
  delete = optional(string, "30m")
})
Default: {}
Outputs
The following outputs are exported:
address_spaces
Description: The address spaces of the virtual network.
name
Description: The resource name of the virtual network.
peerings
Description: Information about the peerings created in the module.
Please refer to the peering module documentation for details of the outputs
resource
Description: The Azure Virtual Network resource. This will be null if an existing vnet is supplied.
resource_id
Description: The resource ID of the virtual network.
subnets
Description: Information about the subnets created in the module.
Please refer to the subnet module documentation for details of the outputs
Modules
The following Modules are called:
peering
Source: ./modules/peering
Version:
subnet
Source: ./modules/subnet
Version:
Data Collection
The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the repository. There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft's privacy statement. Our privacy statement is located at https://go.microsoft.com/fwlink/?LinkID=824704. You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices.
Release History
Version 0.15.0 - 2025-10-15
Breaking changes
The deprecated service_endpoints input for subnets has been removed.
We have had to separate the implementation of subnets using IPAM. If you have deployed a subnet with IPAM since that change went out, you'll need to add a moved block to your code in order to migrate the state. E.g.
moved {
  from = module.vnet.module.subnet["subnet01"].azapi_resource.subnet
  to   = module.vnet.module.subnet["subnet01"].azapi_resource.subnet_ipam[0]
}
If you are not using IPAM your state will automatically be migrated.
What's Changed
- fix: null ignore issues by @jaredfholgate in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/41
Full Changelog: https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/compare/v0.14.1...v0.15.0
Version 0.14.1 - 2025-10-07
What's Changed
- fix: change dns_servers type from set to list for better compatibilit… by @jaredfholgate in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/37
Thanks to @Arhughes14 for contributing this change
Full Changelog: https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/compare/v0.14.0...v0.14.1
Version 0.14.0 - 2025-10-07
๐ Major New Feature: IPAM Support
This release introduces comprehensive IP Address Management (IPAM) support through Azure Virtual Network Manager, enabling centralized IP governance and automatic conflict prevention.
New Capabilities
- VNet IPAM Allocation - Automatically allocate VNet address space from centralized IPAM pools
- Subnet IPAM Allocation - Dynamic subnet addressing with automatic conflict resolution
- Mixed Addressing - Combine IPAM and traditional subnets within the same VNet
- Enhanced Subnet Module - Standalone subnet module now supports IPAM allocation
- Retry Logic - Robust conflict resolution with 15-second intervals (300s max timeout)
Regional Availability
IPAM is supported in all Azure regions where Virtual Network Manager is available, except: chilecentral, jioindiawest, malaysiawest, qatarcentral, southafricawest, westindia, westus3
What's New
Core Module
- Added ipam_pools variable for VNet address space allocation
- Enhanced subnet configuration with IPAM pool support
- Integrated retry mechanisms for reliable IPAM operations
- Maintained full backwards compatibility (zero breaking changes)
Subnet Module
- Added IPAM allocation capabilities to standalone subnet module
- Support for dynamic IP assignment from IPAM pools
- Consistent interface with main module IPAM features
New Examples
- ipam_basic - Complete IPAM usage with VNet and multiple subnets
- existing_vnet_ipam_subnets - Adding IPAM subnets to existing IPAM-enabled VNets
- ipam_vnet_only - IPAM VNet creation with traditional subnet management
Technical Requirements
- Azure Virtual Network Manager required for IPAM functionality
- azapi provider version ~> 2.4
- Removed time provider dependency (replaced with native azapi retry logic)
Migration Notes
- No breaking changes - existing configurations work unchanged
- Optional feature - IPAM can be adopted gradually alongside traditional addressing
- State compatibility - no state migration required
Other Improvements
- Enhanced error handling and retry mechanisms
- Comprehensive documentation and troubleshooting guides
Acknowledgments
Special thanks to @ChrisChapman-gh for his initial structure and shell that helped lay the foundation for this IPAM implementation.
What's Changed
- feat: add comprehensive IPAM support by @haflidif in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/32
New Contributors
- @haflidif made their first contribution in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/32
- @ChrisChapman-gh made their first contribution in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/32
Full Changelog: https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/compare/v0.13.0...v0.14.0
Version 0.13.0 - 2025-10-06
What's Changed
- feat: sync remote address space by @jaredfholgate in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/35
Full Changelog: https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/compare/v0.12.0...v0.13.0
Version 0.12.0 - 2025-09-29
Breaking Change
This PR removes some of the retry options, but it is very unlikely they are being used, so we are not expecting much impact.
What's Changed
- feat: remove retry warnings by @jaredfholgate in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/33
Full Changelog: https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/compare/v0.11.0...v0.12.0
Version 0.11.0 - 2025-09-26
Breaking Changes
This release includes a significant breaking change to the module interface.
We have removed the resource_group_name and subscription_id inputs. The resource group ID must now be explicitly provided via the parent_id input.
This change was necessary to align to forthcoming AVM v1 specs as well as fix an underlying idempotency issue with the existing implementation.
We try very hard not to make breaking changes to module interfaces like this and understand the impact it has to consumers of our modules. We do not anticipate any further breaking changes to the interface of this module prior to v1.
What's Changed
- chore: pre-commit updates by @azure-verified-modules[bot] in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/24
- chore: pre-commit updates by @azure-verified-modules[bot] in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/28
- chore: pre-commit updates by @azure-verified-modules[bot] in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/29
- chore: pre-commit updates by @azure-verified-modules[bot] in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/30
- fix: parent id issue by @jaredfholgate in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/31
Full Changelog: https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/compare/v0.10.0...v0.11.0
Version 0.10.0 - 2025-08-01
What's Changed
- feat: add support for service endpoints with location restrictions by @matt-FFFFFF in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/20
New Contributors
- @matt-FFFFFF made their first contribution in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/20
Full Changelog: https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/compare/v0.9.3...v0.10.0
Version 0.9.3 - 2025-07-24
What's Changed
- chore: pre-commit updates by @azure-verified-modules[bot] in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/11
- fix: delegations var name by @jaredfholgate in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/15
New Contributors
- @azure-verified-modules[bot] made their first contribution in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/11
- @jaredfholgate made their first contribution in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/15
Full Changelog: https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/compare/0.9.1...v0.9.3
Version 0.9.2 - 2025-07-03
Full Changelog: https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/compare/0.9.0...0.9.2
Version 0.9.1 - 2025-06-27
What's Changed
This release reverts a change added based on a customer request to set subnets and peerings to empty lists. It appears this has unexpected consequences for some customers.
- Remove subnet and peerings deletion by @timja in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/219
New Contributors
- @timja made their first contribution in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/219
Full Changelog: https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/compare/0.9.0...0.9.1
Version 0.9.0 - 2025-06-24
Breaking changes
We no longer support azurerm v3 or azapi v1
What's Changed
- chore: repository governance by @azure-verified-modules in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/207
- feat: support retry and remove old provider support by @jaredfholgate in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/217
Full Changelog: https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/compare/v0.8.1...0.9.0
Version 0.8.1 - 2025-02-06
What's Changed
- chore: terraform registry ownership by @jaredfholgate in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/198
- fix: idempotency bug again... by @matt-FFFFFF in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/200
- chore: repository governance by @azure-verified-modules in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/197
New Contributors
- @azure-verified-modules made their first contribution in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/197
Full Changelog: https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/compare/v0.8.0...v0.8.1
Version 0.8.0 - 2025-01-31
What's Changed
- chore: Update Terraform required_version for consistency by @Nepomuceno in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/196
Breaking change
- Update to the version of Terraform CLI support
New Contributors
- @Nepomuceno made their first contribution in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/196
Full Changelog: https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/compare/v0.7.2...v0.8.0
Version 0.7.2 - 2025-01-28
What's Changed
- fix(subnet): idempotency issue with azapi version 2.2 by @matt-FFFFFF in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/195
Full Changelog: https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/compare/v0.7.1...v0.7.2
Version 0.7.1 - 2024-11-16
What's Changed
- chore: revert peering lock by @jaredfholgate in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/170
Full Changelog: https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/compare/v0.7.0...v0.7.1
Version 0.7.0 - 2024-11-15
What's Changed
Releasing as a minor, as this dependency change has an impact on peering usage.
- bug: peering locks missing by @jaredfholgate in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/168
Full Changelog: https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/compare/v0.6.0...v0.7.0
Version 0.6.0 - 2024-11-01
What's Changed
This release adds support for v2 of the azapi provider. We have incremented the minor version, but there are no breaking changes and it is backwards compatible with v1 of azapi.
- feat: support azapi v2 by @jaredfholgate in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/164
Full Changelog: https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/compare/v0.5.0...v0.6.0
Version 0.5.0 - 2024-10-29
What's Changed
Added backwards compatible support for v4 of azurerm.
- feat: add azurerm v4 support by @jaredfholgate in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/160
Full Changelog: https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/compare/v0.4.2...v0.5.0
Version 0.4.2 - 2024-10-11
What's Changed
- docs: address space by @jaredfholgate in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/153
Full Changelog: https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/compare/v0.4.1...v0.4.2
Version 0.4.1 - 2024-10-11
What's Changed
- chore: repository governance by @segraef in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/139
- fix: remove erroneous actions input by @jaredfholgate in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/152
New Contributors
- @segraef made their first contribution in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/139
Full Changelog: https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/compare/v0.4.0...v0.4.1
Version 0.4.0 - 2024-07-26
What's Changed
Added the capability to properly peer by subnet and fixed a non-backwards compatible default on peering.
- Fix partial peering capability and defaults by @jaredfholgate in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/112
Full Changelog: https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/compare/v0.3.0...v0.4.0
Version 0.3.0 - 2024-07-17
What's Changed
We added some missing properties and enabled automatic feature enablement for some preview features.
We added the address_prefix singular variable to the subnet submodule to support some cases where the address_prefixes variable is not being read by resources that use a subnet.
- feature: add missing properties by @jaredfholgate in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/109
Full Changelog: https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/compare/v0.2.4...v0.3.0
Version 0.2.4 - 2024-07-05
What's Changed
- chore: repository governance by @mbilalamjad in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/93
- Bump actions/checkout from 4.1.6 to 4.1.7 in /.github/workflows by @dependabot in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/94
- Update telemetry to use new provider by @jaredfholgate in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/102
Full Changelog: https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/compare/v0.2.3...v0.2.4
Version 0.2.3 - 2024-05-30
What's Changed
- Update and add test for diagnostic settings by @jaredfholgate in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/90
Full Changelog: https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/compare/v0.2.2...v0.2.3
Version 0.2.2 - 2024-05-29
What's Changed
- Fix peering docs by @jaredfholgate in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/88
Full Changelog: https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/compare/v0.2.1...v0.2.2
Version 0.2.1 - 2024-05-28
What's Changed
- Fix outputs by @jaredfholgate in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/87
Full Changelog: https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/compare/v0.2.0...v0.2.1
Version 0.2.0 - 2024-05-28
Breaking Changes
v0.2.0 is a re-write of the module. It changes the interface and internal implementation considerably, and you will have to update any code and state that is dependent on this module. We try to avoid making updates like this, but in this case we considered the updates valuable enough to make this change. The interface will be stable moving forward.
What's Changed
v0.2.0 moves the module to an AzAPI implementation. The primary driver for this is to support customers that implement common landing zone policies requiring route table and network security groups. You are now able to create a virtual network that meets your policy requirements in one atomic operation avoiding issues with policy blocking deployment.
We have also updated the module to better support common subscription vending scenarios, where application teams manage subnets, but don't manage the virtual network or peering.
We have broken out subnet and peering into sub modules that can be consumed independently. See the documentation and examples for more details on this.
A huge thanks to @kewalaka and @haflidif for all the work on this.
- Bump actions/checkout from 4.1.1 to 4.1.2 in /.github/workflows by @dependabot in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/56
- chore: repository governance by @matt-FFFFFF in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/57
- removed null value on location variable by @herms14 in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/59
- chore: repository governance by @matt-FFFFFF in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/63
- chore: repository governance by @matt-FFFFFF in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/68
- Added network security group association ids to subnet outputs by @marcelobern in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/64
- Bump actions/checkout from 4.1.2 to 4.1.4 in /.github/workflows by @dependabot in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/72
- chore: repository governance by @mbilalamjad in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/80
- Bump actions/checkout from 4.1.4 to 4.1.5 in /.github/workflows by @dependabot in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/78
- Feat/use azapi for subnets by @jaredfholgate, @kewalaka and @haflidif in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/83
New Contributors
- @matt-FFFFFF made their first contribution in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/57
- @marcelobern made their first contribution in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/64
- @mbilalamjad made their first contribution in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/80
- @jaredfholgate made their first contribution in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/83
Full Changelog: https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/compare/v0.1.4...v0.2.0
Version 0.1.4 - 2024-03-20
What's Changed
- Update README.md by @herms14 in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/26
- Update README.md by @herms14 in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/27
- Update outputs.tf by @herms14 in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/29
- fixed governance issues by @herms14 in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/33
- Bump Azure/login from 1 to 2 in /.github/workflows by @dependabot in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/45
- Grept apply 1709887482 by @herms14 in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/54
New Contributors
- @dependabot made their first contribution in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/45
Full Changelog: https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/compare/v0.1.3...v0.1.4
Version 0.1.3 - 2023-12-04
What's Changed
- Update avmrequiredfiles.yml by @herms14 in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/21
- Update avmrequiredfiles.yml by @herms14 in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/24
- Fixed subnet creation and other fixes by @herms14 in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/20
- Minimum terraform version should be 1.5.0 to use strcontains function by @chianw in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/23
New Contributors
- @chianw made their first contribution in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/23
Full Changelog: https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/compare/v0.1.1...v0.1.3
Version 0.1.2 - 2023-10-16
- changed approach in defining subnets
- removed ability to create a DDOS plan as this should be a separate module. This module still accepts an existing DDOS plan to be integrated with the vnet
- added capability to create a one side peer to another existing vnet
Version 0.1.1 - 2023-10-16
What's Changed
- Updated ReadMe by @herms14 in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/5
- Create e2e.yml by @herms14 in https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/pull/14
Full Changelog: https://github.com/Azure/terraform-azurerm-avm-res-network-virtualnetwork/compare/v0.1.0...v0.1.1
Version 0.1.0 - 2023-09-29
No release notes were published in the GitHub Release for this version.
{
  "workingFolder": "packages",
  "packages": [
    // packages defined earlier
    {
      "name": "avm-terraform/network-virtualnetwork",
      "version": "0.15.0"
    }
  ]
}
This package has no dependencies
Stats
Selected version: 0.15.0
Downloads this version: 0
Downloads all versions: 46
Latest version: 0.15.0
Latest update: 15-10-2025