You can configure spoke VNets to use the hub VNet VPN gateway to communicate with remote networks. To allow gateway traffic to flow from spoke to hub and connect to remote networks, you must:
- Configure the peering connection in the hub to allow gateway transit.
- Configure the peering connection in each spoke to use remote gateways.
- Configure all peering connections to allow forwarded traffic.
Here are a couple of hub and spoke architectures for your reference:
https://learn.microsoft.com/en-us/azure/architecture/reference-architectures/hybrid-networking/hub-spoke?tabs=cli#virtual-network-peering
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-peering-gateway-transit
In your Terraform code block above, you have set all 3 options (allow_forwarded_traffic, allow_gateway_transit & use_remote_gateways) to true, which is not possible. The "allow_gateway_transit" option is enabled on the hub VNet where the VPN gateway is deployed, and the "use_remote_gateways" option is enabled on the spoke VNet which needs to use the hub VPN gateway for access.
Refer: https://learn.microsoft.com/en-us/azure/virtual-network/virtual-network-peering-overview#gateways-and-on-premises-connectivity
Below is the Terraform code block for enabling the "use_remote_gateways" option on a spoke VNet:

    resource "azurerm_virtual_network_peering" "spoke1-hub-peer" {
      name                         = "spoke1-hub-peer"
      resource_group_name          = azurerm_resource_group.spoke1-vnet-rg.name
      virtual_network_name         = azurerm_virtual_network.spoke1-vnet.name
      remote_virtual_network_id    = azurerm_virtual_network.hub-vnet.id
      allow_virtual_network_access = true
      allow_forwarded_traffic      = true
      allow_gateway_transit        = false
      use_remote_gateways          = true
      depends_on = [
        azurerm_virtual_network.spoke1-vnet,
        azurerm_virtual_network.hub-vnet,
        azurerm_virtual_network_gateway.hub-vnet-gateway
      ]
    }
You can find the whole Terraform code block for hub & spoke topology in the below doc:
https://learn.microsoft.com/en-us/azure/developer/terraform/hub-spoke-spoke-network
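As an added example (not part of the answer above or the linked Microsoft sample), here is the matching pair of peerings that makes gateway transit work: the hub side with allow_gateway_transit enabled and use_remote_gateways left off, and the spoke side mirroring it. The resource names hub-vnet-rg, hub-vnet, spoke1-vnet-rg, spoke1-vnet and hub-vnet-gateway are assumed to exist elsewhere in the configuration.

```hcl
# Hub -> spoke peering. The hub owns the VPN gateway, so it advertises the
# gateway to the spoke (allow_gateway_transit = true) and must NOT try to
# use a remote gateway itself; a VNet that hosts a gateway cannot set
# use_remote_gateways. Resource names are assumed for this example.
resource "azurerm_virtual_network_peering" "hub-spoke1-peer" {
  name                         = "hub-spoke1-peer"
  resource_group_name          = azurerm_resource_group.hub-vnet-rg.name
  virtual_network_name         = azurerm_virtual_network.hub-vnet.name
  remote_virtual_network_id    = azurerm_virtual_network.spoke1-vnet.id
  allow_virtual_network_access = true
  allow_forwarded_traffic      = true  # needed on every peering for transit
  allow_gateway_transit        = true  # hub side only
  use_remote_gateways          = false

  depends_on = [
    azurerm_virtual_network_gateway.hub-vnet-gateway
  ]
}

# Spoke -> hub peering. The spoke consumes the hub gateway
# (use_remote_gateways = true) and must not advertise one of its own.
# The gateway has to exist before this peering is created, hence the
# explicit depends_on on the gateway resource.
resource "azurerm_virtual_network_peering" "spoke1-hub-peer" {
  name                         = "spoke1-hub-peer"
  resource_group_name          = azurerm_resource_group.spoke1-vnet-rg.name
  virtual_network_name         = azurerm_virtual_network.spoke1-vnet.name
  remote_virtual_network_id    = azurerm_virtual_network.hub-vnet.id
  allow_virtual_network_access = true
  allow_forwarded_traffic      = true
  allow_gateway_transit        = false
  use_remote_gateways          = true  # spoke side only

  depends_on = [
    azurerm_virtual_network_peering.hub-spoke1-peer,
    azurerm_virtual_network_gateway.hub-vnet-gateway
  ]
}
```

The two settings are mutually exclusive per peering: only one side of the pair can carry allow_gateway_transit and only the other can carry use_remote_gateways. Ordering the spoke peering after both the gateway and the hub-side peering avoids a failed apply when the hub's gateway is still being provisioned.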