Static Site-to-Site VPN Between Azure Vnet and AWS VPC

Static Site-to-Site VPN Between Azure Vnet and AWS VPC

Image:https://github.com/ricmmartins/azure-vpn-aws

Okay.. believe it or not, it took me almost two days to figure out how to configure BGP and static VPN between Azure and AWS. That’s kinda frustrating but much relief and delighted when I finally did it!

I am also glad that I found articles on internet helped me solving my problems, thanks to the author of those articles! Now is my turn to write my own post for recording and as well as to help anyone in future who might just need it. Let’s get started!

We will build resources listed below for both Azure and AWS.

  1. Azure Virtual Network Gateways = AWS Virtual Private Gateways
  2. Azure Local Network Gateways = AWS Customer Gateways
  3. Azure Connections = AWS Site-to-Site VPN Connections

Personally, I comprehend the above this way

№1 is the VPN service provided by the cloud service provider

№2 is the VPN service/device of your local site or destination

№3 is the VPN connection configuration between №1 and №2 used to established VPN service

Assuming that you already have Vnet and VPC created with VM in them, I will focus on VPN configurations only. Follow the steps below for efficient setup.

  1. Create Azure Virtual Network Gateway (Takes about 30 - 45 mins)
  2. Create AWS Customer Gateways
  3. Create AWS Virtual Private Gateways
  4. Create AWS Site-to-Site VPN Connections
  5. Create Azure Local Network Gateways
  6. Create Azure Connections
  7. Add VPN route table to AWS VM Subnet
  8. Verify result by ping VMs on both side

Let’s create this first cause it takes about 30 to 45 mins to complete and in addition, we need it’s Public IP address to configure the next step, AWS Customer Gateways.

Static Site-to-Site VPN Between Azure Vnet and AWS VPC

Since we are doing Static VPN, so we choose Disabled for BGP.

Static Site-to-Site VPN Between Azure Vnet and AWS VPC

Once done, copy the Public IP address.

Static Site-to-Site VPN Between Azure Vnet and AWS VPC

Follow the steps as shown below, input the Public IP address you just copied.

Static Site-to-Site VPN Between Azure Vnet and AWS VPC

Next, let’s create the AWS VPN service and attach it to the VPC.

Static Site-to-Site VPN Between Azure Vnet and AWS VPC
Static Site-to-Site VPN Between Azure Vnet and AWS VPC

Attach the Virtual Private Gateway to the VPC where your EC2 locates.

Static Site-to-Site VPN Between Azure Vnet and AWS VPC

Next we create AWS S2S VPN connections so that we can obtain the VPN IPs and configure on Azure Local Network Gateways.

Static Site-to-Site VPN Between Azure Vnet and AWS VPC
  • Choose the AWS resources just created for №1 and №2
  • Choose Static at №3 since we are doing Static VPN
  • Since we are doing Static VPN, we must add a route specifying network segment that will be communicating through VPN

In this demo, only one Tunnel is configured.

Static Site-to-Site VPN Between Azure Vnet and AWS VPC
  • №1 is the network segment CIDR of Azure side
  • №2 is the network segment CIDR of AWS side
  • №4, Configure VPN pre-shared key for VPN authentication

Once done, copy down the Tunnel 1 Public IP address to configure Azure Local Network Gateways.

Static Site-to-Site VPN Between Azure Vnet and AWS VPC

Use the IP address copied from previous step and configure as below.

Static Site-to-Site VPN Between Azure Vnet and AWS VPC
  • №2 is the Tunnel 1 IP address obtained from previous step
  • №3 is the network segment CIDR of AWS side

Once Azure Local Network Gateway is created, click Connections to add S2S VPN connection.

Static Site-to-Site VPN Between Azure Vnet and AWS VPC
Static Site-to-Site VPN Between Azure Vnet and AWS VPC

№1, Select the Azure Virtual Network Gateway created at Step 1

№2, Input the pre-shared key configured at Step 4

№3, Choose IKEv2 protocol

If everything is setup correctly, you will see both Azure and AWS showing Connected after a few minutes.

Static Site-to-Site VPN Between Azure Vnet and AWS VPC
Static Site-to-Site VPN Between Azure Vnet and AWS VPC

At this moment, we have set everything up already. The last thing we need to do is to direct all traffic from AWS VM subnet to Azure network (10.0.0.0/16) through VPN by configuring AWS Route Table.

There are two ways to achieve the requirement from AWS Route Table, I will use №1

  1. Add a static route
  2. Enable Route propagation

From №1 and №2, choose the route table associated with your VM subnet.

Static Site-to-Site VPN Between Azure Vnet and AWS VPC
  • №3, You can see all your current routes on this particular route table
  • №4, Click edit to add routes

Add a route directing traffic to Azure network (10.0.0.0/16) through AWS Virtual Private Gateway created early in the post.

Static Site-to-Site VPN Between Azure Vnet and AWS VPC

A finished view as below.

Static Site-to-Site VPN Between Azure Vnet and AWS VPC

Finally!! Let’s verify the result!! My VM IP is as below

  • Azure VM private IP at 10.0.0.4
  • EC2 private IP at 172.31.34.176
Static Site-to-Site VPN Between Azure Vnet and AWS VPC

VM on Azure side ping EC2

Static Site-to-Site VPN Between Azure Vnet and AWS VPC

EC2 ping VM on Azure

Static Site-to-Site VPN Between Azure Vnet and AWS VPC

Succeed!! And if we go back to Azure Connection page, we could see that there are ingress and egress data flow.

Static Site-to-Site VPN Between Azure Vnet and AWS VPC

That’s it for this article, hopefully it is detailed enough to help anyone who has problem establishing S2S VPN between Azure and AWS!

In the next article, I will be writing about how to setup S2S VPN using BGP between Azure and AWS, stay tuned!

How to create a VPN between Azure and AWS using only managed solutions

AWS Certified SA, SysOps & Developer Associate, Alibaba Cloud certified SA. Focusing on Azure, Prometheus w/ Grafana, ELK and K8S now.