Site-to-Site VPN: Connecting AWS with Azure

Published by admin on

aws vs azure

Why And When Do We Need?

We need a VPN when workloads are distributed across various cloud providers (i.e., Azure and AWS). In our case, the VPN need arises when resources on this platform are private and cannot be accessed outside the cloud by default. So, we need it to allow workloads across these platforms to communicate securely over the public internet.

Terminologies You Need To Know

  1. VPN

A Virtual Private Network (VPN) establishes a secure network connection between devices via the Internet. It allows for the safe and anonymous transmission of data across public networks. VPNs achieve this by concealing user IP addresses and encrypting data to prevent unauthorized access.

2. VPN tunneling

This refers to the method by which VPN packets reach their designated destination, often a private network.

3. IPSec 

IPSec encompasses a collection of communication protocols designed for establishing secure connections over a network.

For Azure Services, We Require:

1. Resource Group

2.VNet associated to the resource Group

3. Virtual Gateway attached to VNet for Secure Communication

For AWS Services, We Require:

1. Virtual Private Cloud – By default, there is one created for each region

2. Virtual Private Gateway – It handles private connections made through VPN

3. Customer Gateway- It accepts connections from Azure VGW.

NOTE: An architectural diagram is provided at the end of the reference section below for in-depth understanding.

Steps To Implement It:

1. Create a Resource Group in Azure (Optional if you have one)

2. Create a VNet and Subnet in the existing one or newly created RG (Resource Group)

3. Create a Virtual Network Gateway (VGW) and select the above-created VNet for it.

4. Create an AWS Virtual Private Gateway (VPC) and associate a Subnet to it.

5. Create AWS CGW (Customer Gateway) with the Public IP of Azure VGW.

6. Create a Virtual Private Gateway (VPG) and select/attach to the above create VPC for it in AWS.

7. Now, in AWS, create a Site-to-Site VPN. Navigate to VPC > VPN Connection > Create a new connection. Select the existing VPN and CGW that we created earlier. For the Routing Option, choose Static and provide the Azure Subnet range.

8. After creating this VPN Connection on AWS, download the configuration file, which contains information about tunnel keys and IP addresses.

9. Use this configuration on Azure to create a Local Network Gateway (LGW) for each tunnel. In the “IP address” section, please input the IP values specified in the VPN Configuration file. For Tunnel #1, locate these values in the Tunnel Interface Configuration under Outside IP Addresses, specifically under Virtual Private Gateway.

Note: In the “Address Space(s)” field, enter the AWS VPC CIDR Range, which is typically 10.10.0.0/16.

10. Now, create a connection using Azure Virtual Network Gateway. Please select the Virtual Network Gateway and Local Network Gateway that were created in the preceding step. You can obtain the Shared Key (PSK) from the VPN Configuration file, specifically under the corresponding IPSec Tunnel section, labeled as Pre-Shared Key.

11. Now, check if the status is shown as connected on Azure and up on AWS.

12. Do the same for tunnel 2 and navigate to step 9.

13. Edit the AWS VPC Route table. Include the Azure VNET’s Subnet CIDR range (subnet-01) established in Step 02 as the Target for the Virtual Private Gateway.

14. Your Site-to-Site VPN is all set.

15. Create Azure and AWS resources under created RG and VPC to test it.

Which IP Range To Use For VPN:

Azure Vnet-1 CIDR = 10.0.0.0/16, Subnet-1 = 10.0.0.0/24

Azure Vnet-2 CIDR = 10.1.0.0/16, Subnet-1 = 10.1.0.0/24

Azure VGW Subnet Range = 10.0.1.0/24 (It should be under CIDR, but should not match or overlap other subnets in Vnet) same for Vnet-2

Azure Local Network Gateway (LGW) uses AWS VPC CIDR ranges to Address Space

 =====================================================================

AWS VPC CIDR = 10.10.0.0/16, Subnet = 10.10.0.0/24

Or use this Ranges CIDR = 172.10.0.0/16, Subnet = 172.10.0.0/24

AWS CW uses the IP address of Azure VGW

AWS VPN Connection uses Azure Subnet-1 range in Static IP prefixes

For more information, connect with itechops.

References:

Site-to-Site VPN: Connecting AWS to Azure | by The MLOps Guy | Medium

AWS VPN | Pricing | Amazon Web Services (AWS)

Categories: Uncategorized
Tags:

0 Comments

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *

Related Posts

cloud cost savings
Uncategorized

Cloud Cost Savings: 5 Proven Strategies

Are you looking for some effective cloud cost savings strategies? Cloud computing has completely transformed the way businesses operate by providing unmatched scalability and accessibility. With time, more and more businesses are looking for cloud Read more…

ci/cd
Uncategorized

CI/CD- Top 10 Cutting-Edge Tools for Modern Development

CI/CD, or Continuous Integration and Continuous Delivery, streamlines software development by frequently consolidating code changes from multiple contributors (CI) and automating the steps to prepare and deploy software (CD). #1. Jenkins: Essentially the CI/CD cornerstone. Read more…