Purpose of the article: How to establish communication between AWS and Azure using VPN.
Intended Audience: Cloud – Managed services – IT Infrastructure – network and server.
Tools and Technology: AWS, Azure.
Key words: AWS, Azure, VPN connectivity, Site-to-Site VPN.
Configuring Site-to-Site VPN between Azure and AWS:
Organizations everywhere are moving to the cloud (AWS, Azure, GCP) to reduce IT costs, because maintaining their own datacenters takes a lot of effort.
Organizations are also adopting multi-cloud architectures, distributing their workloads so that they do not rely on any single cloud provider. In this article, I will show how to configure a site-to-site VPN between AWS and Azure.
The picture below shows exactly what we are going to achieve in this article:
Preparing the HUB-RG in Azure Environment:
- Create a resource group in Azure named HUB-RG. I am using the East US region.
- Create a Virtual Network on HUB-RG with the name HUB-vNET.
- Create a GatewaySubnet in the virtual network; this is a prerequisite for creating the Virtual Network Gateway (VNG).
- Create the Virtual Network Gateway (VNG).
In the portal, go to Virtual network gateways and click Create.
On the Create virtual network gateway blade, enter the following details:
- Name: Enter the name of VNG
- Gateway Type: Select the VPN
- VPN Type: Select Route-based (i.e., dynamic routing).
- SKU: I am selecting VpnGw2.
And scroll down to the bottom of the blade.
- Virtual Network: Select HUB-vNET. (Once HUB-vNET is selected, the subnet is automatically set to GatewaySubnet.)
- Public IP Address: Enter a name for the public IP, then click Create.
Preparing the Project-1-RG and Project-2-RG in Azure Environment:
We now use a shell script to create the Project-1-RG and Project-2-RG resource groups, along with their vNets and virtual machines.
Here we do not need a GatewaySubnet, because we are not creating a VNG in these vNets.
Below is the script:
#!/bin/bash
# Creates the two spoke resource groups, one vNet with a single subnet in each,
# and one Windows Server 2019 VM per vNet.
# The sample password below is for the demo only; replace it with a strong one.
# --nsg "" creates the VMs without a network security group, and az vm create
# assigns a public IP by default, so add --public-ip-address "" (or an NSG that
# restricts RDP) if these VMs should not be reachable from the internet.
az group create -l eastus -n Project-1-RG
az network vnet create -g Project-1-RG -n vNET-1 --address-prefix 172.16.0.0/16 \
    --subnet-name Subnet-1 --subnet-prefix 172.16.1.0/24 -l eastus
az group create -l eastus -n Project-2-RG
az network vnet create -g Project-2-RG -n vNET-2 --address-prefix 172.17.0.0/16 \
    --subnet-name Subnet-1 --subnet-prefix 172.17.1.0/24 -l eastus
az vm create --resource-group Project-1-RG --name winvm1 --image Win2019Datacenter --vnet-name vNET-1 \
    --subnet Subnet-1 --admin-username adminuser --admin-password "Password@123" --size Standard_B2ms \
    --nsg ""
az vm create --resource-group Project-2-RG --name winvm2 --image Win2019Datacenter --vnet-name vNET-2 \
    --subnet Subnet-1 --admin-username adminuser --admin-password "Password@123" --size Standard_B2ms \
    --nsg ""
Establish peering connections between HUB-RG and Project-1-RG, and between HUB-RG and Project-2-RG:
After running the above script, the newly created vNets appear under Virtual networks in the Azure portal.
Navigate to HUB-vNET and select it.
- Click Add, enter a name for the peering link, and select the 'Use this virtual network gateway or Route Server' option for both this virtual network and the remote virtual network.
- Click Add; the peering is created at both ends.
Note: The same peering must also be created between HUB-RG and Project-2-RG.
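As an added example that is not part of the original article, the script below is the az CLI equivalent of the portal steps for the hub: the HUB-RG resource group, HUB-vNET with its GatewaySubnet, the route-based VpnGw2 gateway, and the hub-to-spoke peerings with gateway transit. The hub address space (10.0.0.0/16) and the GatewaySubnet prefix (10.0.255.0/27) are assumptions, since the article does not state them; with DRY_RUN=1 the script only prints the commands it would run.

```shell
#!/usr/bin/env bash
# Added example (not the article's own script): az CLI equivalent of the hub
# portal steps plus the hub<->spoke peerings. The hub address space and the
# GatewaySubnet prefix are assumed; the article does not give them.
set -eu

LOCATION=eastus
HUB_RG=HUB-RG
HUB_VNET=HUB-vNET
VNG=VNG1
HUB_PREFIX=10.0.0.0/16           # assumed; must not overlap 172.16/16, 172.17/16 or 192.168/16
GW_SUBNET_PREFIX=10.0.255.0/27   # assumed; /27 or larger is recommended for a GatewaySubnet

# run: execute the command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

create_hub_gateway() {
  run az group create -l "$LOCATION" -n "$HUB_RG"
  # The subnet must be named exactly GatewaySubnet; the VNG refuses any other name.
  run az network vnet create -g "$HUB_RG" -n "$HUB_VNET" -l "$LOCATION" \
      --address-prefix "$HUB_PREFIX" \
      --subnet-name GatewaySubnet --subnet-prefix "$GW_SUBNET_PREFIX"
  # Standard-SKU static public IP for the gateway.
  run az network public-ip create -g "$HUB_RG" -n "$VNG-pip" -l "$LOCATION" \
      --sku Standard --allocation-method Static
  # Route-based (dynamic routing) gateway, as chosen in the article.
  # Provisioning takes 30-45 minutes, so return immediately with --no-wait.
  run az network vnet-gateway create -g "$HUB_RG" -n "$VNG" -l "$LOCATION" \
      --vnet "$HUB_VNET" --public-ip-address "$VNG-pip" \
      --gateway-type Vpn --vpn-type RouteBased --sku VpnGw2 --no-wait
}

# peer_spoke <spoke-rg> <spoke-vnet>: bidirectional peering in which the hub
# offers its gateway (gateway transit) and the spoke uses it. The hub gateway
# must be fully provisioned before --use-remote-gateways is accepted.
peer_spoke() {
  spoke_rg=$1; spoke_vnet=$2
  if [ "${DRY_RUN:-0}" = 1 ]; then
    # placeholder resource ids for the dry run
    spoke_id="/subscriptions/SUB/resourceGroups/$spoke_rg/providers/Microsoft.Network/virtualNetworks/$spoke_vnet"
    hub_id="/subscriptions/SUB/resourceGroups/$HUB_RG/providers/Microsoft.Network/virtualNetworks/$HUB_VNET"
  else
    spoke_id=$(az network vnet show -g "$spoke_rg" -n "$spoke_vnet" --query id -o tsv)
    hub_id=$(az network vnet show -g "$HUB_RG" -n "$HUB_VNET" --query id -o tsv)
  fi
  run az network vnet peering create -g "$HUB_RG" --vnet-name "$HUB_VNET" \
      -n "$HUB_VNET-to-$spoke_vnet" --remote-vnet "$spoke_id" \
      --allow-vnet-access --allow-forwarded-traffic --allow-gateway-transit
  run az network vnet peering create -g "$spoke_rg" --vnet-name "$spoke_vnet" \
      -n "$spoke_vnet-to-$HUB_VNET" --remote-vnet "$hub_id" \
      --allow-vnet-access --allow-forwarded-traffic --use-remote-gateways
}

# Stand-alone use: ./hub.sh run   (DRY_RUN=1 ./hub.sh run prints the commands only)
if [ "${1:-}" = run ]; then
  create_hub_gateway
  # wait for the gateway before peering; skipped in a dry run
  [ "${DRY_RUN:-0}" = 1 ] || az network vnet-gateway wait -g "$HUB_RG" -n "$VNG" --created
  peer_spoke Project-1-RG vNET-1
  peer_spoke Project-2-RG vNET-2
fi
```

The peering is created from both sides on purpose: the hub side advertises its gateway with --allow-gateway-transit, and the spoke side opts in with --use-remote-gateways, which is what lets the AWS tunnel reach 172.16.0.0/16 and 172.17.0.0/16 through the single VNG in HUB-vNET.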
Preparing the AWS Environment as per our requirement:
We will carry out the following tasks in the AWS environment:
- Create a VPC (Virtual Private Cloud)
- Create a subnet and an Internet Gateway
- Configure route tables
- Create a virtual machine in AWS
- Create the Virtual Private Gateway
Create a VPC:
Log in to the AWS console, type VPC in the search box and click Launch VPC Wizard.
- Click the Create VPC button and fill in the following information.
- Name: Enter a name for the VPC.
- IPv4 CIDR block: Enter 192.168.0.0/16
- Tags: Enter Name as the key and AWSVPC as the value.
- Leave the other settings at their defaults and click Create.
- Once the VPC is created, select it, click Edit settings and enable DNS hostnames.
Creating Subnet and Internet Gateway:
In the left pane of the VPC console, select Subnets.
- Click Create subnet.
- VPC: Open the drop-down and select the VPC.
- Subnet name: Enter subnet-1
- Availability Zone: Select us-east-1a
- IPv4 CIDR block: Enter 192.168.1.0/24
- Tags: Enter Name as the key and subnet-1 as the value
- Click Create subnet
- In the left pane, select Internet gateways.
- Click Create internet gateway
- Name tag: Enter AWSSG
- Tags: Enter Name as the key and AWSSG as the value
- Click Create internet gateway
- Once it is created, open the Actions menu at the top right and select Attach to VPC
- Select AWSVPC and click Attach internet gateway
Configure Route Tables:
- Click on Route Tables on the left side of the console.
- Select the VPC's route table, click Edit routes and then Add route.
- Destination: 0.0.0.0/0
- Target: Select Internet Gateway.
- Click on save changes.
Create a virtual machine in AWS:
Create a Windows Server 2016/2019 virtual machine (EC2 instance) in the VPC.
Creating the Virtual Private Gateway:
- Click on Virtual Private Gateway on the left side of the console.
- Click on Create virtual private gateway.
- Name: Enter the name VPG
- Leave the default settings.
- Click Create virtual private gateway.
- After the VPG is created, open the Actions menu.
- Select Attach to VPC.
- Select AWSVPC from the drop-down and click Yes.
- Click on Customer Gateway on the left side of the console.
- Click on Create Customer Gateway.
- Name: Enter name as AWSNG_CG.
- Routing: Select Static.
- IP Address: Go to the Azure VNG (VNG1) and copy its public IP address.
- Leave the default settings and click Create customer gateway.
- Click on Site-to-Site VPN Connections on the left side of the console.
- Click on Create VPN Connection
- Name: Mention name AWS-AZURE.
- Target Gateway Type: Virtual Private Gateway.
- Virtual Private Gateway: Select the VPG attached to AWSVPC.
- Customer Gateway: Select Existing.
- Routing Options: Select Static.
- Static IP Prefixes: Enter our Azure Address Spaces.
- Leave the default settings and click on Create VPN Connection.
- After creating VPN Connection, click on Download Configuration.
- Select the vendor, platform, software and click on download.
- After downloading the file, open it in Notepad and copy the tunnel's outside IP address and pre-shared key values.
Notepad:
Connecting Azure and AWS through the VPN:
- In Azure, select the Virtual Network Gateway (VNG1).
- Open Connections.
- Click Add.
- Name: Mention name as Azure-AWS.
- Connection Type: Site-to-Site (IPsec)
- Virtual Network Gateway: VNG1
- Local Network Gateway: Create a new one and enter the public IP of the AWS VPN tunnel, taken from the configuration file we downloaded.
- Address Space: Enter 192.168.0.0/16 (the AWSVPC address space)
- Click OK.
- Shared Key: Copy and paste the key from the AWS VPN configuration file.
- Leave the remaining settings at their defaults and click OK.
Now the final step is to add routes to AWSVPC:
- Click on Route Tables on the left side of the AWS console.
- Click on edit routes.
- Destination: Add the Azure address spaces (i.e., 172.16.0.0/16 and 172.17.0.0/16).
- Target: Select Virtual Private Gateway in the drop-down menu and choose our VPG.
- Click Save changes.
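As an added example that is not part of the original article, the script below is the AWS CLI equivalent of the console work from "Create a VPC" through the route-table step just above: VPC, subnet, internet gateway, default route, VPG, customer gateway, a static-routes-only VPN connection, and the static routes for the Azure prefixes. It also reads the tunnel's outside IP and pre-shared key directly from the API, which is what the Azure connection needs. Assumptions: region us-east-1, the Azure VNG public IP is passed as the first argument, and the BGP ASN is the console default of 65000 (unused with static routing); with DRY_RUN=1 the commands are logged instead of executed and placeholder ids are returned.

```shell
#!/usr/bin/env bash
# Added example (not the article's own steps): AWS CLI equivalent of the
# console procedure, from the VPC to the static routes towards Azure.
# Assumptions: region us-east-1, Azure VNG public IP passed as $1, ASN 65000.
set -eu

REGION=us-east-1
VPC_CIDR=192.168.0.0/16
SUBNET_CIDR=192.168.1.0/24
AZURE_PREFIXES="172.16.0.0/16 172.17.0.0/16"   # spoke vNets from the article

# ec2: run an aws ec2 command and print its (text) result. With DRY_RUN=1 the
# command is logged to stderr and a placeholder id is returned instead.
ec2() {
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'aws ec2 %s\n' "$*" >&2
    printf 'dry-id\n'
  else
    aws --region "$REGION" --output text ec2 "$@"
  fi
}

# build_aws_side <azure-vng-public-ip>: prints "<vpn-connection-id> <subnet-id>"
build_aws_side() {
  azure_vng_ip=$1

  vpc=$(ec2 create-vpc --cidr-block "$VPC_CIDR" \
        --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=AWSVPC}]' \
        --query Vpc.VpcId)
  ec2 modify-vpc-attribute --vpc-id "$vpc" --enable-dns-hostnames >/dev/null

  subnet=$(ec2 create-subnet --vpc-id "$vpc" --cidr-block "$SUBNET_CIDR" \
           --availability-zone "${REGION}a" \
           --tag-specifications 'ResourceType=subnet,Tags=[{Key=Name,Value=subnet-1}]' \
           --query Subnet.SubnetId)
  igw=$(ec2 create-internet-gateway --query InternetGateway.InternetGatewayId)
  ec2 attach-internet-gateway --internet-gateway-id "$igw" --vpc-id "$vpc" >/dev/null

  # the VPC's main route table: default route to the IGW, as in the article
  rtb=$(ec2 describe-route-tables --filters "Name=vpc-id,Values=$vpc" \
        --query 'RouteTables[0].RouteTableId')
  ec2 create-route --route-table-id "$rtb" --destination-cidr-block 0.0.0.0/0 \
      --gateway-id "$igw" >/dev/null

  # VPG attached to the VPC, customer gateway = the Azure VNG public IP,
  # and a static-routes-only VPN connection between them
  vgw=$(ec2 create-vpn-gateway --type ipsec.1 --query VpnGateway.VpnGatewayId)
  ec2 attach-vpn-gateway --vpn-gateway-id "$vgw" --vpc-id "$vpc" >/dev/null
  cgw=$(ec2 create-customer-gateway --type ipsec.1 --public-ip "$azure_vng_ip" \
        --bgp-asn 65000 --query CustomerGateway.CustomerGatewayId)
  vpn=$(ec2 create-vpn-connection --type ipsec.1 --customer-gateway-id "$cgw" \
        --vpn-gateway-id "$vgw" --options StaticRoutesOnly=true \
        --query VpnConnection.VpnConnectionId)

  # Azure prefixes: static routes on the VPN connection AND in the VPC route
  # table (the article's final step), both pointing at the VPG
  for p in $AZURE_PREFIXES; do
    ec2 create-vpn-connection-route --vpn-connection-id "$vpn" \
        --destination-cidr-block "$p" >/dev/null
    ec2 create-route --route-table-id "$rtb" --destination-cidr-block "$p" \
        --gateway-id "$vgw" >/dev/null
  done
  printf '%s %s\n' "$vpn" "$subnet"
}

# tunnel_secrets <vpn-connection-id>: outside IP and pre-shared key of tunnel 1,
# the two values the Azure connection needs. Read them from the API instead of
# pasting the downloaded configuration file into a text editor.
tunnel_secrets() {
  ec2 describe-vpn-connections --vpn-connection-ids "$1" \
      --query 'VpnConnections[0].Options.TunnelOptions[0].[OutsideIpAddress,PreSharedKey]'
}

# Stand-alone use: ./aws-side.sh <azure-vng-public-ip>
if [ -n "${1:-}" ]; then
  ids=$(build_aws_side "$1")
  tunnel_secrets "${ids%% *}"
fi
```

The pre-shared key returned by tunnel_secrets is the secret that authenticates the tunnel: keep it out of tickets, chat and shared notes, and copy it straight into the Azure connection's Shared Key field.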
Test Site-to-Site Connectivity:
To verify the site-to-site VPN between AWS and Azure, log in to the Azure and AWS virtual machines and test connectivity with the ping command. Windows Server blocks inbound ICMP echo requests by default, and the AWS security group (and any Azure NSG) must also allow the traffic from the peer address space, so allow ICMP on both ends before treating a failed ping as a tunnel problem.
From AWS VM to Azure VMs:
From Azure VMs to AWS VM:
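As an added example that is not part of the original article, the script below opens the ping test traffic only to the peer side's address space rather than to the internet, on the three layers that can drop an echo request: the AWS security group, an Azure NSG, and the Windows firewall on the Azure VM. It assumes an NSG named vm-nsg in Project-1-RG associated with winvm1's NIC (the article's script creates no NSG) and takes the EC2 instance's security group id as an argument; both are placeholders, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example (not from the article): least-privilege ICMP rules scoped to
# the peer address spaces on both clouds. vm-nsg and the security group id
# are placeholders.
set -eu

AWS_CIDR=192.168.0.0/16
AZURE_CIDRS="172.16.0.0/16 172.17.0.0/16"

# run: execute the command, or only print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# ICMP echo into the Azure VM, from the AWS VPC only
allow_icmp_from_aws() {
  run az network nsg rule create -g Project-1-RG --nsg-name vm-nsg \
      -n Allow-ICMP-from-AWS --priority 200 --direction Inbound --access Allow \
      --protocol Icmp --source-address-prefixes "$AWS_CIDR" \
      --destination-port-ranges '*'
  # Windows Server drops inbound echo requests by default; scope the host rule
  # to the peer range as well, using the VM run-command channel.
  run az vm run-command invoke -g Project-1-RG -n winvm1 --command-id RunPowerShellScript \
      --scripts "New-NetFirewallRule -DisplayName 'ICMPv4-In from AWS' -Protocol ICMPv4 -IcmpType 8 -Direction Inbound -Action Allow -RemoteAddress $AWS_CIDR"
}

# ICMP echo into the EC2 instance, from the Azure spokes only
# (the Windows firewall on the EC2 instance needs the same host rule)
allow_icmp_from_azure() {
  sg=$1
  for c in $AZURE_CIDRS; do
    run aws ec2 authorize-security-group-ingress --group-id "$sg" \
        --ip-permissions "IpProtocol=icmp,FromPort=8,ToPort=-1,IpRanges=[{CidrIp=$c}]"
  done
}

# Stand-alone use: ./allow-ping.sh <ec2-security-group-id>
if [ -n "${1:-}" ]; then
  allow_icmp_from_aws
  allow_icmp_from_azure "$1"
fi
```

If the ping still fails after these rules exist, the problem is in the tunnel or routing (the static routes on the AWS side, the local network gateway address space, or the peering gateway options), not in the host or security-group filtering.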
I hope this article is helpful for understanding how to connect AWS and Azure through a VPN.
Contact Details:
N.Jayachandra
Sr. Specialist, Cloud & Engineering-Infrastructure Services
MOURI Tech