azure-rest-api-specs
[BUG] The configurationPolicyGroupAssociations property in Network.VirtualWan should be settable since it's settable in Azure Portal
API Spec link
https://github.com/Azure/azure-rest-api-specs/blob/2d701c73fb5ee44f95b97b6c3eaf8c4aeb051e73/specification/network/resource-manager/Microsoft.Network/stable/2023-09-01/virtualWan.json#L8682
API Spec version
2023-09-01
Describe the bug
P2SVPNGateway API cannot configure user groups to address pools mapping. But Azure Portal can configure user groups to address pools mapping.
Expected behavior
The readonly attribute of configurationPolicyGroupAssociations should be removed from Azure Rest API to allow users to configure user groups to address pools mapping.
Actual behavior
Azure Portal can configure user groups to address pools mapping.
But the corresponding property configurationPolicyGroupAssociations in Azure Rest API Spec is marked as readonly so that users cannot configure user groups to address pools mapping via Azure Rest API.
Reproduction Steps
- Create Resource Group
- Create VNet
- Create Virtual Wan
- Create Virtual Hub
- Create VPN Server Configuration
- Create one VPN Server Configuration Policy Group
- Create another VPN Server Configuration Policy Group
- Create Point to site vpn gateway
Environment
Global
@GuptaVertika Please help have a look, thank you.
Please check with Gateway team
@GuptaVertika I do not know how to find the person on the Gateway team. Could you tell me how to find them?
Have you managed to find out the person for the gateway team? Note that for the root issue https://github.com/hashicorp/terraform-provider-azurerm/issues/25370, selecting the group manually in the portal is causing terraform to re-create the p2s gateway, making the vpn_client_address_pool unusable.
@zzhxiaofeng - just here looking for an update, and noticed the label that has been put on this ticket. I think it should be "Network - VPN Gateway" rather than application gateway? Although tbh, the issue looks to be in the API for vWAN rather than the gateway.....
Thanks
@zzhxiaofeng following up on the above comment since I'm also running into the limitations mentioned in this Issue, but the label should be 'Network - Virtual WAN' instead of 'Network - VPN Gateway'. Thanks!
@zzhxiaofeng - notice this issue still seems to be sitting here 7 months on with incorrect tag / label. Can we have it corrected please?
@zzhxiaofeng, @GuptaVertika: another 2 months later and this is still sitting here with the wrong label. Can one of you please remove the Network - Application Gateway label and add the Network - VPN Gateway label? Unfortunately I don't have the necessary permissions to do so.
Can I escalate this please. This needs to be reassigned to the correct tag so that the right team can have visibility of the issue and resolve this please.
This issue really breaks the Terraform/OpenTofu experience (I am talking about terraform-provider-azurerm/issues/25370 which was closed due to this issue being open):
1. Creating Virtual Hub, Point-to-site VPN Gateway takes > 50 minutes
2. You go to Azure Portal and assign the groups manually in Virtual Hub, another 10 minutes

In practice you don't sit and wait for 1. to complete, so realistically about 1.5 hours to complete these two steps.
I have been recently experimenting with Point-to-site VPN Gateway, but each time I change the parameter that toggles the gateway re-creation, I get "punished" by that additional manual step, instead of letting Terraform/OpenTofu do things for me in the background.
This bug + sloooow resource creation time = Really awkward experience
similar topic, same root cause? https://github.com/Azure/bicep-types-az/issues/2379

21st July 2025 and no one's changed the tag yet, come on, can we get the correct tag on so the right team can fix it??
I think the property configurationPolicyGroupAssociations is no longer readOnly. It changed as of API version 2024-07-01, see here:
"configurationPolicyGroupAssociations": {
  "type": "array",
  "readOnly": false,
  ...