Dynamic VPN Routing Between Azure Virtual WAN and AWS Transit Gateway using BGP

Yst@IT
6 min read · Jun 7, 2021


In the previous post, I wrote about a static Site-to-Site VPN between an Azure VNet and an AWS VPC. In this post, I will write about dynamic VPN routing between Azure and AWS using the BGP protocol.

Assuming all necessary resources such as the VNet, VM, vWAN, VPC, Transit Gateway, etc. are already built, this post will only focus on the key configurations.

Steps for the whole process

  1. Build Azure vWAN
  2. Provision the vHub with a VPN Gateway
  3. Configure Azure VPN Gateway’s custom BGP IP
  4. Create AWS Transit Gateway
  5. Create AWS Transit Gateway Attachment
  6. Create AWS Customer Gateway
  7. Apply route to VPC
  8. Create AWS VPN Connection
  9. Create new Azure VPN Site and connect
  10. Verify result

For Steps 1 & 2, please refer to Azure Virtual WAN with Secured Virtual Hub.

Configure Azure VPN Gateway’s custom BGP IP

Since we are configuring both sides to communicate through BGP, we must set a BGP IP on both sides.

On vHub page, click VPN then View/Configure.


Inside View/Configure, input your BGP IP address. Copy the following values, as we will need them in later steps.

  1. Azure AS Number
  2. VPN Public IP Address
  3. Custom BGP IP Address. In this demo, I use Instance 1.

For more detail on APIPA addressing, please visit here.

Create AWS Transit Gateway

The most important settings of the Transit Gateway are

  1. Amazon side ASN. The default is 64512; you can leave it as it is or change it to a number between 64512 and 65534.
  2. Transit Gateway CIDR blocks. You can leave this blank, or give a CIDR block that is not inside 169.254.0.0/16 and does not overlap with any address range attached to the Transit Gateway. For more information, please refer here.

Remember 64512, as we will use it in the last step. A finished view of the Transit Gateway:


Create AWS Transit Gateway Attachment

With the Transit Gateway created, we now attach the VPCs we want it to route for. First, choose the Transit Gateway.


Name your attachment and choose which subnets are to be attached.


A finished view of the Transit Gateway Attachment:


Create AWS Customer Gateway

We copied two pieces of information in Step 3 (the VPN public IP address and the Azure AS number); now is the time to use them. Do not forget to choose Dynamic for your routing option.

IMPORTANT: Make sure the BGP ASN is the same as the Azure AS Number!


Apply route to VPC

In order for the VMs to communicate with each other, we need a route directing traffic from EC2 to 10.0.0.0/16 (the Azure network) to the Transit Gateway. Edit the route table associated with your VM's VPC.

  • №1: add all destination network segments (here, the Azure address space 10.0.0.0/16)
  • №2: choose the AWS Transit Gateway created earlier

Create AWS VPN Connection

Creating the VPN Connection follows the same concept as my previous post. The only difference is to choose Transit Gateway rather than Virtual Private Gateway. Also, do not forget to choose Dynamic for Routing Options.


The next part is very important!

  • For №1 and №2, since dynamic routing will learn the routes itself, we do not need to specify any CIDR here.
  • №3: the CIDR we configured in Step 3. There we set the Custom BGP IP to 169.254.22.2. Since AWS only accepts a /30 inside CIDR, it has to be 169.254.22.0/30, and AWS will use the first host IP, 169.254.22.1.
  • №4: your pre-shared key (secret word) for VPN authentication.

Once done, grab the public IP address of your AWS VPN connection, as we will need it in the next step.


Create new Azure VPN Site

We are almost there. Now back on Azure, let's create the VPN connection, starting by clicking Create new VPN site.


In the Basics tab, we can leave Private address space blank as we are using BGP.

The Links tab is the most important part.

  • Link IP address is the AWS VPN connection's public IP grabbed in the last step.
  • 169.254.22.1 is the first IP of 169.254.22.0/30, i.e. the AWS side of the tunnel.
  • 64512 is the AS number configured for AWS in Step 4.
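The /30 arithmetic in №3 of the AWS tunnel options and the ASN pairing in the Links tab are where most of these setups fail. The following Python example is added here and is not from the post: it derives the AWS inside CIDR and both BGP peer IPs from the custom BGP IP entered on the Azure vHub, and flags ASN mismatches. It assumes Azure's APIPA range of 169.254.21.0 to 169.254.22.255 and AWS's list of reserved inside /30 blocks, both taken from the vendors' documentation.

```python
import ipaddress

# Assumed from vendor docs (not from the post): Azure VPN gateways accept custom
# BGP (APIPA) addresses only in 169.254.21.0-169.254.22.255, and AWS rejects a
# handful of /30 blocks inside 169.254.0.0/16 as tunnel inside CIDRs.
AZURE_APIPA_LO = ipaddress.ip_address("169.254.21.0")
AZURE_APIPA_HI = ipaddress.ip_address("169.254.22.255")
AWS_RESERVED_INSIDE = {ipaddress.ip_network(c) for c in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30")}


def plan_tunnel(azure_custom_bgp_ip: str) -> dict:
    """Derive the AWS 'Inside IPv4 CIDR' and both BGP peer IPs from the
    custom BGP IP configured on the Azure vHub VPN gateway (Step 3)."""
    azure_ip = ipaddress.ip_address(azure_custom_bgp_ip)
    if not (AZURE_APIPA_LO <= azure_ip <= AZURE_APIPA_HI):
        raise ValueError(f"{azure_ip} is outside Azure's APIPA range")
    # AWS wants exactly the /30 that contains the Azure address.
    inside = ipaddress.ip_network(f"{azure_ip}/30", strict=False)
    if inside in AWS_RESERVED_INSIDE:
        raise ValueError(f"{inside} is reserved by AWS for inside CIDRs")
    # AWS always takes the first host of the /30; the customer side gets
    # the second, so the Azure custom BGP IP must be that second host.
    aws_ip, customer_ip = list(inside.hosts())
    if azure_ip != customer_ip:
        raise ValueError(
            f"Azure BGP IP must be {customer_ip}; AWS takes {aws_ip}")
    return {"inside_cidr": str(inside),
            "aws_bgp_ip": str(aws_ip),
            "azure_bgp_ip": str(azure_ip)}


def check_asns(azure_asn: int, customer_gateway_asn: int,
               aws_tgw_asn: int, azure_link_asn: int) -> list:
    """Return the ASN mismatches that keep the BGP session from coming up:
    the AWS Customer Gateway must carry Azure's ASN (Step 6) and the Azure
    VPN site link must carry the Transit Gateway's ASN (Step 9)."""
    problems = []
    if customer_gateway_asn != azure_asn:
        problems.append("AWS Customer Gateway ASN != Azure VPN gateway ASN")
    if azure_link_asn != aws_tgw_asn:
        problems.append("Azure VPN site link ASN != Transit Gateway ASN")
    return problems


if __name__ == "__main__":
    # Values from this post: Azure custom BGP IP 169.254.22.2, AWS ASN 64512.
    print(plan_tunnel("169.254.22.2"))
    print(check_asns(65515, 65515, 64512, 64512) or "ASNs consistent")
```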

Once done, create the new VPN site. Next, we connect to the VPN site.


Before we connect, there is some other information to be filled in. Input the same pre-shared key (the secret word) you entered in Step 8.


At this moment, the VPN connection starts to establish between Azure and AWS. After a few minutes, you will see on the Azure side that the VPN connection has succeeded and is connected.


And on the AWS side, you will see the tunnel status is UP and 2 BGP routes are learned.


Let's check the routes on the Azure side. We can see that traffic going to 172.31.0.0/16, the AWS network segment, is sent to the VPN Gateway.


Let's check the AWS side. We can also see that traffic going to 10.0.0.0/16 is sent over the VPN as well.


Verify result

Lastly, it has been a long way, but we are finally here. Let's verify the result by pinging the VM on the other side from each side.

  • My EC2’s private IP is 172.31.34.176
  • My Azure VM private IP is 10.0.0.4

EC2 pinging Azure VM

Azure VM pinging EC2

And the test result is a success! That's it for today's post. Hope you all like it. Have a good day.

Reference:

Azure to AWS VPN with Dynamic Routing: https://www.mobilise.cloud/azure-to-aws-vpn-with-dynamic-routing/

Establishing an AWS VPN Tunnel to Azure Virtual WAN; Active/Active BGP Configuration: https://jackstromberg.com/2021/03/establishing-an-aws-vpn-tunnel-to-azure-virtual-wan-active-active-bpg-configuration/

Yst@IT

Cloud Solution Architect, focusing on Oracle Cloud Infrastructure currently.