AWS multi cloud configuration with vpn
Multi-cloud and Hybrid cloud strategies are adopted by organizations to deliver best in class IT solutions, to prevent themselves from being confined to a single cloud provider, or to take advantages of cloud arbitrage
A VPN enables us to safely access the resources residing across multiple clouds using their private IP addresses over the internet. VPN forms encrypted tunnels between the VPN endpoints using the IPSec protocol to secure the communication channel.
we will use BGP (Border Gateway Protocol) dynamic routing so that the BGP-advertised routes from your customer/peer gateway are automatically propagated to the route table when the status of this Site-to-Site VPN connection becomes UP and established.
We will create the following components in the same order to establish an end-to-end VPN connectivity between GCP and AWS
Assuming we already have a VPC and a subnet present in GCP. If not, create a VPC and subnet which will be shared with AWS.
1.Reserve External IP
2.Create VPC (private subnet + VPN)
- Customer Gateway - use the GCP reserved External IP as Customer Gateway IP.
Customer Gateway & VPN are created in this step.
3.Download Configuration of the VPN
Virtual Gateway and Tunnel details are generated automatically and are present in this configuration file.
4.Create classic VPN
VPN Gateway (Use the GCP reserved External IP as Customer Gateway IP)
- Tunnels - Remote Peer IP, IKE
= Cloud Router - Google ASN
= BGP Session - Peer ASN, Cloud Router BGP IP, BGP Peer IP
Step1: Reserve a Static IP Address in GCP
*Go to VPC network > External IP Addresses
*Click on [RESERVE STATIC ADDRESS]
*Go to the External IP Addresses console page.
*We should be able to see the assigned External IP Address
Step2: Configure a VPC on the AWS side
*Go to VPC dashboard
*Click on [Launch VPC Wizard]
*Select the VPC configuration — VPC with a Private Subnet Only & Hardware VPN Access.
*Create a subnet which we will share with GCP
Resources in this subnet will be accessible from GCP over the VPN which we are creating.
*Fill in other details as per preference.
*Click [Next] to configure VPN
we will need the GCP External IP that we reserved in Step 1 for creating Customer Gateway. Use the GCP reserved External IP as Customer Gateway IP.
*Fill in the other details and click [Create VPC]
*Once the VPC is created, we can select that VPC
Step3: Download the VPN connection details
*Select the VPN and click on [Download Configuration]
Select the options as given below
*Software: Vendor Agnostic
NOTE: AWS provides 2 Tunnels for redundancy.
Collect the IP addresses of the AWS Virtual Gateway and the Pre-shared keys used for IKE authentication that are automatically generated by AWS from this downloaded configuration file.
Step4: Create Cloud VPN on the GCP side
*Go to Hybrid connectivity > VPN
*Click on [Create a VPN]
*Select Classic VPN and click [CONTINUE]
*Create VPN Gateway
Fill in the Gateway details (use the External IP we reserved in Step 1) and VPC to be shared with AWS.
*Enter tunnel details.
We can obtain these details from the AWS configuration file we downloaded earlier.
The file is divided into 2 sections. Each section provides details about a single tunnel.
“Customer Gateway” refers to the GCP Cloud router side IP.
We will use Tunnel 1 information first.
Note: Remote Peer IP Address is mentioned as Virtual Private Gateway.
*Fill in the other details
*Scroll and create a new Cloud Router
Google ASN can be found in the AWS Configuration file we downloaded earlier.
Note: Google ASN is mentioned as Customer Gateway ASN.
*Create a new BGP session
Peer ASN can be found in the AWS Configuration file we downloaded earlier.
Note: Peer ASN is mentioned as Virtual Private Gateway ASN.
BGP IPs can be found in the AWS Configuration file we downloaded earlier.
Note: BGP session IPs are mentioned as Inside IP Addresses.
BGP peers on a set of 169.254.x.x link local addresses specified by the AWS configuration.
*Fill in the details and click on the [Save and Continue] button.
*Click [Done] for Tunnel 1
*We can add another tunnel as well. Details for another tunnel can be obtained from the same downloaded file under the Tunnel 2 section.
*Click [Create] once all the tunnels are added.
Step5: Validate the VPN tunnel status on both sides.
*Go to Cloud VPN Tunnels
*Check the VPN Tunnel status and BGP session status in GCP
*It shows Established status.
*Select the VPN and check the Tunnel Details tab.
The tunnels must show UP status.
Once the tunnels are UP and established in AWS and GCP respectively, the VPN is active and can be used for private communication between the subnets associated with the VPN endpoints.