Multi-cloud architectures are an ever-increasing common design in the IT world and there will likely become a point when you want to setup a fast-direct resilient VPN connection between your public cloud providers such as Azure and AWS.
This article shows you how to configure a site to site VPN between AWS and Azure utilising the Internet Key Exchange version 2 (IKEv2) for the tunnel setup.
Before the 6th February 2019, AWS did not support IKEv2 so to setup a site to site VPN with Azure you normally had to set the VPN connection with a 3rd party network appliance or a VM running software that supported it such as RRAS. Since the change you control the IKE version by updating the initiator end (Azure) and the AWS side endpoint will negotiate the session on the same protocol.
For Azure costs see https://azure.microsoft.com/en-gb/pricing/details/vpn-gateway/
For AWS costs please see https://aws.amazon.com/vpn/pricing/
It is strongly recommended to monitor and control the types of traffic traversing this link as it is probably not the most cost effective to regularly shift large amounts of data over it such as backups.
This guide switches between AWS and Azure configuration so it is recommended to login to each portal in separate browser tabs.
I am using the following for reference;
Virtual network: 172.16.0.0/16
Gateway subnet address range: 172.16.0.0/24 (This has to sit within the virtual network)
Azure Public IP for VPN Endpoint: 220.127.116.11
Virtual network: 192.168.10.0/24
AWS Public IP for VPN Endpoint: 18.104.22.168
Azure - Create the Virtual Gateway
This section assumes an Azure virtual network has been created
Within the Azure portal, search for Virtual Network Gateway then select Create
Select a Virtual Network half way down the page before you can choose your resource group
Create a logical name for the gateway and select the region in which your virtual network sits.
A gateway subnet address range has to be specified in CIDR notation which sits within your address space, for this guide I am using 172.16.0.0/24 which sits within the beginning of my Azure address space 172.16.0.0/16
Select the route based VPN. For policy based routing only IKEv1 is supported.
Select the SKU based on your requirements bearing in mind the cost implications of each, for further details see https://azure.microsoft.com/en-gb/pricing/details/vpn-gateway/
Create a new public IP address or use an existing spare, leave the remaining settings as disabled.
Your configuration should look similar to the following;
Select next, add any required tags, Azure will then validate your settings and after around 30 minutes your Virtual Network Gateway will be created. Once the gateway has been setup a public IP address will be displayed, this is what we need to use for the AWS customer gateway configuration.
AWS - Create Virtual Private Gateway
Navigate to the VPC section of your account and select 'Virtual Private Gateway' then 'Create Virtual Private Gateway'
Give it a logical name tag and leave the default ASN settings.
AWS - Attach Virtual Private Gateway to VPC
Once the VPG has been created in needs attached to the VPC so it can be used in the route tables
Select the VPG, select Actions and Attach to VPC then select the VPC in which it will be used
AWS - Create Customer Gateway
Once you have your Public IP from Azure, go to Customer Gateway then select Create Customer Gateway, add your details similar to below specifying the public IP you have been given in Azure.
AWS - Create VPN Connection
Select Site-To-Site VPN Connections from the left hand menu and select Create VPN Connection
Enter your details, along with the VPG and Customer gateway created earlier
In this guide I am using static routing so add the CIDR block of your Azure virtual network
Leave all of fields as default as these will be created automatically then create the connection
Once the connection has been created it will go into a Pending state, select the connection you have just created and select download configuration for use with Azure, select the Generic option from the Vendor dropdown.
Make a note of the PSK and Public IP address given by AWS for the Virtual Private Gateway which will be used by Azure, i.e.
Azure - Create a Local Network Gateway
Within Azure search for Local Network Gateway and select Create
This section is worded at on-premise configurations but add your AWS details ensuring you add the Public IP address specified in the configuration file downloaded from AWS (as shown above) and enter your AWS address space in CIDR notation.
Ensure your location and resource group is correct then select Create
Once this is created you can now create the Azure side of the VPN connection
Azure - Create the Azure connection
Search for connection then create 'New Connection'
Select Site-to-site (IPsec) connection type, your resource group and location which needs to match up with your Virtual Private Gateway
Select your virtual and local network gateways created earlier, set a connection name and add the PSK that was in the configuration file downloaded from AWS, your settings should look similar to the following,
Once the settings have been verified create the connection, after a few minutes a tunnel should be established
Azure should look like this,
AWS should look like the following image although in a production environment, 2 tunnels should be setup for resiliency, this can be achieved by creating another local network gateway and connection in Azure using the other tunnel details shown in the AWS configuration file.
AWS - Update Route Table
The VPG now needs added to the relevant route table(s) as shown below, this will ensure any traffic destined for the Azure network will route through the VPG rather than going out of the internet gateway.
Providing your routing and security groups/firewalls at each end are configured correctly you should now be able to ping devices within each cloud provider.