Static Site-to-Site VPN Between Azure Vnet and AWS VPC
Okay... believe it or not, it took me almost two days to figure out how to configure BGP and static VPN between Azure and AWS. That was kind of frustrating, but I was much relieved and delighted when I finally did it!
I am also glad that I found articles on the internet that helped me solve my problems; thanks to the authors of those articles! Now it is my turn to write my own post, both as a record and to help anyone in the future who might need it. Let's get started!
We will build the resources listed below on both Azure and AWS.
- Azure Virtual Network Gateways = AWS Virtual Private Gateways
- Azure Local Network Gateways = AWS Customer Gateways
- Azure Connections = AWS Site-to-Site VPN Connections
Personally, I understand the above this way:
№1 is the VPN service provided by the cloud service provider
№2 is the VPN service/device of your local site or destination
№3 is the VPN connection configuration between №1 and №2, used to establish the VPN
Assuming that you already have a Vnet and a VPC created with a VM in each, I will focus on the VPN configuration only. Follow the steps below for an efficient setup.
- Create Azure Virtual Network Gateway (Takes about 30 - 45 mins)
- Create AWS Customer Gateways
- Create AWS Virtual Private Gateways
- Create AWS Site-to-Site VPN Connections
- Create Azure Local Network Gateways
- Create Azure Connections
- Add VPN route table to AWS VM Subnet
- Verify the result by pinging VMs on both sides
Create Azure Virtual Network Gateway
Let's create this first because it takes about 30 to 45 mins to complete, and in addition we need its Public IP address to configure the next step, AWS Customer Gateways.
Since we are doing a Static VPN, we choose Disabled for BGP.
Once done, copy the Public IP address.
Create AWS Customer Gateways
Follow the steps as shown below, and input the Public IP address you just copied.
Create AWS Virtual Private Gateways
Next, let’s create the AWS VPN service and attach it to the VPC.
Attach the Virtual Private Gateway to the VPC where your EC2 instance is located.
Create AWS Site-to-Site VPN Connections
Next we create the AWS S2S VPN connection so that we can obtain the VPN tunnel IPs and configure them on the Azure Local Network Gateway.
- Choose the AWS resources just created at №1 and №2
- Choose Static at №3 since we are doing a Static VPN
- Since we are doing a Static VPN, we must add a route specifying the network segment that will communicate through the VPN
In this demo, only one Tunnel is configured.
- №1 is the network segment CIDR of the Azure side
- №2 is the network segment CIDR of the AWS side
- №4, configure the VPN pre-shared key used for VPN authentication
Once done, copy down the Tunnel 1 Public IP address to configure the Azure Local Network Gateway.
Create Azure Local Network Gateways
Use the IP address copied from the previous step and configure as below.
- №2 is the Tunnel 1 IP address obtained in the previous step
- №3 is the network segment CIDR of the AWS side
Create Azure Connections
Once the Azure Local Network Gateway is created, click Connections to add the S2S VPN connection.
№1, Select the Azure Virtual Network Gateway created at Step 1
№2, Input the pre-shared key configured at Step 4
№3, Choose IKEv2 protocol
If everything is set up correctly, you will see both Azure and AWS showing Connected after a few minutes.
Add VPN route table to AWS VM Subnet
At this point, we have set everything up. The last thing we need to do is direct all traffic from the AWS VM subnet to the Azure network (10.0.0.0/16) through the VPN by configuring the AWS Route Table.
There are two ways to achieve this in the AWS Route Table; I will use №1
- Add a static route
- Enable Route propagation
At №1 and №2, choose the route table associated with your VM subnet.
- №3, you can see all the current routes on this particular route table
- №4, Click edit to add routes
Add a route directing traffic to the Azure network (10.0.0.0/16) through the AWS Virtual Private Gateway created earlier in the post.
The finished view is as below.
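Before moving on to the ping test, it is worth cross-checking that every value copied between the two portals in the steps above actually matches; most failed tunnels come down to a mismatched CIDR, IP or pre-shared key. The following Python script is an added example, not part of the original post: it encodes the checks implied by steps 2 to 7 (Customer Gateway IP equals the VNG public IP, LNG IP equals the Tunnel 1 IP, static route and LNG address space cover the remote CIDRs, PSK matches, subnet route table points at the VGW) and runs them over constructed sample values using documentation IP addresses, a placeholder gateway ID and a placeholder PSK.

```python
import ipaddress

def check_s2s_config(azure, aws):
    """Return a list of mismatches between the two halves of a static S2S VPN.

    azure: vnet_cidr, vng_public_ip, lng_gateway_ip, lng_address_space, psk
    aws:   vpc_cidr, cgw_ip, tunnel1_outside_ip, static_routes, psk,
           vgw_id, route_table (list of {"dest": cidr, "target": id})
    """
    findings = []
    vnet = ipaddress.ip_network(azure["vnet_cidr"])
    vpc = ipaddress.ip_network(aws["vpc_cidr"])
    # Overlapping address spaces cannot be routed across the tunnel at all.
    if vnet.overlaps(vpc):
        findings.append(f"VNet {vnet} overlaps VPC {vpc}")
    # Step 2: the AWS Customer Gateway must point at the Azure VNG public IP.
    if aws["cgw_ip"] != azure["vng_public_ip"]:
        findings.append("AWS Customer Gateway IP != Azure VNG public IP")
    # Step 5: the Azure LNG gateway IP must be the AWS Tunnel 1 outside IP.
    if azure["lng_gateway_ip"] != aws["tunnel1_outside_ip"]:
        findings.append("Azure LNG gateway IP != AWS Tunnel 1 outside IP")
    # Step 4: the AWS static route must cover the Azure VNet CIDR.
    if not any(vnet.subnet_of(ipaddress.ip_network(r)) for r in aws["static_routes"]):
        findings.append(f"no AWS static route covers VNet {vnet}")
    # Step 5: the Azure LNG address space must cover the AWS VPC CIDR.
    if not any(vpc.subnet_of(ipaddress.ip_network(a)) for a in azure["lng_address_space"]):
        findings.append(f"no Azure LNG address space covers VPC {vpc}")
    # Steps 4 and 6: the pre-shared key must be identical on both sides.
    if azure["psk"] != aws["psk"]:
        findings.append("pre-shared keys differ")
    # Step 7: the VM subnet route table needs a route to the VNet via the VGW.
    if not any(r["target"] == aws["vgw_id"]
               and vnet.subnet_of(ipaddress.ip_network(r["dest"]))
               for r in aws["route_table"]):
        findings.append(f"subnet route table has no route to {vnet} via {aws['vgw_id']}")
    return findings

# Constructed sample mirroring the post: VNet 10.0.0.0/16, default VPC 172.31.0.0/16.
# Public IPs are documentation addresses; the VGW ID and PSK are placeholders.
AZURE = {"vnet_cidr": "10.0.0.0/16", "vng_public_ip": "203.0.113.10",
         "lng_gateway_ip": "198.51.100.20", "lng_address_space": ["172.31.0.0/16"],
         "psk": "constructed-psk"}
AWS = {"vpc_cidr": "172.31.0.0/16", "cgw_ip": "203.0.113.10",
       "tunnel1_outside_ip": "198.51.100.20", "static_routes": ["10.0.0.0/16"],
       "psk": "constructed-psk", "vgw_id": "vgw-placeholder",
       "route_table": [{"dest": "172.31.0.0/16", "target": "local"},
                       {"dest": "10.0.0.0/16", "target": "vgw-placeholder"}]}

if __name__ == "__main__":
    print(check_s2s_config(AZURE, AWS) or "no mismatches found")
```

Replace the sample dictionaries with the values shown in your own portals; an empty result means the two sides agree and the ping test is worth running.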
Verify the result by pinging VMs on both sides
Finally!! Let's verify the result!! My VM IPs are as below
- Azure VM private IP at 10.0.0.4
- EC2 private IP at 172.31.34.176
VM on the Azure side pings EC2
EC2 pings the VM on Azure
Success!! And if we go back to the Azure Connection page, we can see that there is ingress and egress data flow.
That's it for this article; hopefully it is detailed enough to help anyone who has problems establishing an S2S VPN between Azure and AWS!
In the next article, I will be writing about how to set up an S2S VPN using BGP between Azure and AWS, stay tuned!