Site-to-Site VPN: Connecting AWS to Azure

Have you ever wondered how to connect services, say two VMs, that live in two different cloud platforms? It is possible to connect services across cloud providers or on-premises networks using a VPN. This blog walks through one of several ways to reach a VM in an Azure virtual network from a VM in an AWS VPC, and vice versa, using AWS Site-to-Site VPN. Before getting into the tutorial, let's first look at the available VPN options and the terminology used.
VPN: A VPN, or Virtual Private Network, creates a private network connection between devices over the internet. VPNs are used to transmit data securely over public networks: the original source and destination addresses are hidden inside the tunnel, and the data is encrypted so it is unreadable by anyone not authorized to receive it.
VPN tunneling: The process by which VPN packets reach their intended destination, which is typically a private network.
IPSec: A set of communication rules or protocols for setting up secure connections over a network.
AWS
AWS VPN comprises two services: AWS Site-to-Site VPN and AWS Client VPN.
AWS Site-to-Site VPN enables you to securely connect your on-premises network or branch office site to your Amazon Virtual Private Cloud (Amazon VPC).
AWS Client VPN is a fully managed, elastic VPN service that automatically scales up or down based on user demand.
Virtual private gateway is the VPN concentrator on the Amazon side of the Site-to-Site VPN connection. You create a virtual private gateway and attach it to the virtual private cloud (VPC) whose resources must use the Site-to-Site VPN connection. When you create a virtual private gateway, you can specify the private Autonomous System Number (ASN) for the Amazon side of the gateway. If you don't specify an ASN, the virtual private gateway is created with the default ASN (64512).
Customer gateway is a resource that you create in AWS that represents the customer gateway device in your on-premises network or other cloud platform. When you create a customer gateway, you provide information about your device to AWS.
Azure
VPN Gateway is a service that uses a specific type of virtual network gateway to send encrypted traffic between an Azure virtual network and on-premises or other cloud network locations over the public Internet. The connectivity is secure and uses the industry-standard protocols Internet Protocol Security (IPsec) and Internet Key Exchange (IKE).
Local Network gateway tells the VPN gateway where to connect (the peer's public IP address) and which address ranges are reachable behind that peer.
Let's dive in.
Step 01: Create a Resource Group in Azure

Step 02: Create VNET and VPN Gateway in Azure



Step 03: Create VPC and subnet in AWS


Step 04: Create a Customer Gateway in AWS pointing to the public IP address of Azure VPN Gateway
The public IP generated while creating the Virtual Network Gateway is 13.71.81.71 (publicip-vpnnwgw); this IP has to be specified when setting up the Customer Gateway.

Step 05: Create the Virtual Private Gateway in AWS and then attach it to the VPC



Step 06: Create a Site-to-Site VPN Connection in AWS
Use the same Virtual Private Gateway and Customer Gateway created in the previous steps.

Under Static IP Prefixes, add the Azure subnet IP range (subnet-01) that was created inside the VNET in Step 02.

Step 07: Download the AWS VPN configuration file
Since Azure isn't a valid option, change the Vendor, Platform, and Software to Generic.


In this configuration file you will find the public IP address and the pre-shared key for each of the two IPSec tunnels created by AWS.




We need to enter this AWS VPN configuration information in Azure.
Step 08: Create a Local Network Gateway in Azure
We need to create a separate Local Network Gateway for each IPSec tunnel.

In the "IP address" field, provide the IP value given in the VPN configuration file. For Tunnel #1, it is found under Tunnel Interface Configuration -> Outside IP Addresses -> Virtual Private Gateway.
Note: For "Address Space(s)", enter the AWS VPC CIDR range, i.e. 10.10.0.0/16.

Step 09: Create the connection on the Virtual Network Gateway


Choose the Virtual Network Gateway and the Local Network Gateway created in the previous step. The Shared Key (PSK) comes from the VPN configuration file, under the respective IPSec Tunnel -> Pre-Shared Key.


The Status shows as "Connected". Now go back to VPN Connections in AWS and check the respective tunnel status; it should show "UP" if the connection was successfully established from the Azure Virtual Network Gateway.

Step 10: Repeat for Tunnel #2
To ensure high availability, repeat Steps 08 and 09 to create a Local Network Gateway and Connection using the information for Tunnel #2. Both tunnels should now show a status of "UP" under AWS VPN Connections.
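As an added example (not code from the original post), here is a small Python helper that pulls the per-tunnel Virtual Private Gateway outside address and Pre-Shared Key out of the generic configuration file downloaded in Step 07 and emits the az CLI commands that correspond to Steps 08 and 09 for both tunnels. The embedded configuration text is a constructed imitation of the file's layout, and the resource group, gateway and local network gateway names are assumptions; the PSK is passed through an environment variable so the secret does not end up in shell history.

```python
import re

# Constructed, abbreviated imitation of the AWS "Generic" VPN configuration file (addresses and keys are made up).
SAMPLE_CONFIG = """\
IPSec Tunnel #1
  - Pre-Shared Key           : EXAMPLEpskONE
Outside IP Addresses:
  - Customer Gateway        : 13.71.81.71
  - Virtual Private Gateway : 203.0.113.10
Inside IP Addresses
  - Virtual Private Gateway : 169.254.10.1/30

IPSec Tunnel #2
  - Pre-Shared Key           : EXAMPLEpskTWO
Outside IP Addresses:
  - Virtual Private Gateway : 203.0.113.11
Inside IP Addresses
  - Virtual Private Gateway : 169.254.11.1/30
"""

def parse_tunnels(config_text):
    """Return {tunnel_no: {"vgw_ip", "psk"}}, keeping only the *Outside* VGW address."""
    tunnels, current, outside = {}, None, False
    for line in config_text.splitlines():
        if m := re.match(r"IPSec Tunnel #(\d+)", line):
            current, outside = int(m.group(1)), False
            tunnels[current] = {}
        elif current is None:
            continue
        elif line.startswith("Outside IP Addresses"):
            outside = True
        elif line.startswith("Inside IP Addresses"):
            outside = False          # the 169.254.x.x inside address is not the peer IP
        elif m := re.match(r"\s*-\s*Pre-Shared Key\s*:\s*(\S+)", line):
            tunnels[current]["psk"] = m.group(1)
        elif outside and (m := re.match(r"\s*-\s*Virtual Private Gateway\s*:\s*(\S+)", line)):
            tunnels[current]["vgw_ip"] = m.group(1)
    return tunnels

def azure_commands(tunnels, rg, vnet_gw, aws_cidr, location):
    """az CLI equivalents of Steps 08/09 per tunnel (resource names are assumptions).
    The PSK is referenced via an environment variable, never written into the command line."""
    cmds, secrets = [], {}
    for n, t in sorted(tunnels.items()):
        lng, var = f"lng-aws-tunnel{n}", f"AWS_PSK_{n}"
        secrets[var] = t["psk"]
        cmds.append(f"az network local-gateway create -g {rg} -n {lng} -l {location} "
                    f"--gateway-ip-address {t['vgw_ip']} --local-address-prefixes {aws_cidr}")
        cmds.append(f"az network vpn-connection create -g {rg} -n conn-aws-tunnel{n} "
                    f"--vnet-gateway1 {vnet_gw} --local-gateway2 {lng} --shared-key \"${var}\"")
    return cmds, secrets
```

Export each entry of `secrets` in the shell before running the returned commands; the `--local-address-prefixes` value is the AWS VPC CIDR from Step 08 (10.10.0.0/16 in this post).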


Step 11: Edit the Route Table Associated with the AWS VPC
Add a route for the subnet CIDR range (subnet-01) of the Azure VNET created in Step 02, with the Virtual Private Gateway as the target.


Step 12: Create VM
Create a VM in the same Azure VNET and a VM in the same AWS VPC. Note that these two VMs must have internet access.


Step 13: Test the connection
Log in to both VMs from separate terminals. We can then successfully ping the eth0 inet IP of the Azure VM from the AWS VM, and vice versa, through the VPN connection.

Finally, we have established a connection between VMs on AWS and Azure using AWS Site-to-Site VPN.