Interconnected Kitchen: Link Azure and AWS with a VPN
Establishing a connection on your Azure and AWS environments using a Site-to-Site VPN, creating a secure and interconnected workspace.
Published Jul 24, 2024
According to Fortinet, a site-to-site virtual private network (VPN) establishes a secure connection between multiple networks. This setup is ideal for corporations with several offices working together or for branch office networks linked to a central office. Site-to-site VPNs are essential for companies that need private and secure traffic, especially those with geographically dispersed offices. These organizations often need to access resources on a primary network, such as servers for email or data storage. In some cases, a server might host a crucial business application. A site-to-site VPN enables all locations to access this application seamlessly, as if it were hosted locally at each site.
You can read more here at: https://www.fortinet.com/resources/cyberglossary/what-is-site-to-site-vpn
A site-to-site VPN can also connect an on-premises data center to a cloud platform or link one cloud platform to another. This capability is particularly useful for scenarios such as data migration. By using a site-to-site VPN, organizations can ensure secure and seamless integration between different infrastructure environments, facilitating the smooth transfer and synchronization of data and applications.
According to Azure documentation, Azure VPN Gateway is a service that can be used to send encrypted traffic between an Azure virtual network and on-premises locations over the public Internet.
You can read more at:
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways
According to Azure documentation, the local network gateway is a specific object deployed to Azure that represents your on-premises location (the site) for routing purposes. You give the site a name by which Azure can refer to it, and then specify the IP address of the on-premises VPN device to which you create a connection.
You can read more at:
https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal
According to AWS documentation, a virtual private gateway is the VPN concentrator on the Amazon side of the Site-to-Site VPN connection. You create a virtual private gateway and attach it to a virtual private cloud (VPC) with resources that must access the Site-to-Site VPN connection.
You can read more at:
https://docs.aws.amazon.com/vpn/latest/s2svpn/how_it_works.html#VPNGateway
According to AWS documentation, a customer gateway is a resource that you create in AWS that represents the customer gateway device in your on-premises network. When you create a customer gateway, you provide information about your device to AWS.
You can read more at:
https://docs.aws.amazon.com/vpn/latest/s2svpn/how_it_works.html#CustomerGateway
According to AWS, by default, instances that you launch into an Amazon VPC can't communicate with your own (remote) network. You can enable access to your remote network from your VPC by creating an AWS Site-to-Site VPN (Site-to-Site VPN) connection, and configuring routing to pass traffic through the connection.
You can read more at:
https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html
- Complete setup of Azure Network Environment (Virtual Network, Subnets)
- Complete setup of AWS Network Environment (Virtual Private Cloud, Subnets, Route Tables)
- Ensure that you have set up a virtual network, subnet(s), and most importantly, a gateway subnet.
- Create a Virtual Network Gateway.
Once created, take note of the Virtual Network Gateway Public IP address because this is what we will be using in our AWS Customer Gateway.
- Ensure that you have set up a Virtual Private Cloud and subnet(s).
- Create a Customer Gateway. Make sure to use the Azure Virtual Network Gateway Public IP.
- Create the Virtual Private Gateway.
Attach the VPC that we created earlier to the new Virtual Private Gateway.
- Create a Site-to-Site VPN Connection. In the Virtual Private Gateway and Customer Gateway ID sections, choose the resources that we created earlier.
Configure the routing to be static, directing traffic to the Azure subnet-01 prefix (172.10.1.0/24).
- Choose the created Site-to-Site VPN. Then, download the configuration file.
🚨 IMPORTANT 🚨 In the downloaded configuration file, there are 2 IPSec Tunnels bearing some important information. In each of the tunnels, you will see the following sections: #1: Internet Key Exchange Configuration, #2: IPSec Configuration, and #3: Tunnel Interface Configuration. For this demo, we will only configure 1 tunnel. In one of the tunnels, navigate to the Internet Key Exchange Configuration section. Make sure to note the Pre-Shared Key. Next, navigate to the Tunnel Interface Configuration section of one of the IPSec Tunnels. Make sure to note the Virtual Private Gateway Outside IP Address.
- Create a Local Network Gateway. For the IP Address, put the Outside IP Address of the Virtual Private Gateway that you copied from the downloaded configuration file. For the Address Space(s), put the AWS VPC CIDR that we created earlier.
- Create a Connection via the Virtual Network Gateway. For the Connection Type, choose "Site-to-Site (IPSec)".
For the Virtual Network Gateway and Local Network Gateway, choose the gateways that we created earlier. For the Shared Key (PSK), enter the Pre-Shared Key that you noted earlier.
Choose the Site-to-Site VPN that we've created earlier. Check the status of one of the tunnels that you've configured. The status should be "UP".
Choose the Connection that we've created earlier in the Virtual Network Gateway. Check the connection status. The status should be "Connected".
Choose the route table of the resources that you want to reach. Add the route to Azure subnet-01 through the Virtual Private Gateway.
Create a test virtual machine for each of the environments. Use the subnets and route table that we configured earlier. Ensure your firewall rules allow ICMP (ping) traffic on both sides to facilitate testing. Once the VMs are running, use the "ping" command from one VM to the Private IP address of the other VM to test connectivity.
You can configure the 2nd VPN Tunnel for High Availability. To do that, repeat the steps in creating a Local Network Gateway in Azure. Make sure to take note of the Outside IP Address of the Virtual Private Gateway of the 2nd IPSec Tunnel that can be seen in the downloaded configuration file. Then, repeat the steps in creating a Connection via the Virtual Network Gateway. Make sure to take note of the Pre-Shared Key of the 2nd IPSec Tunnel that can be seen in the downloaded configuration file.
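As an added example (not code from the original post), the following Python helper pulls the Pre-Shared Key and the Virtual Private Gateway Outside IP Address out of both IPSec Tunnels in the downloaded configuration file, the two values the IMPORTANT note above tells you to copy, and prints the az CLI commands for the matching Local Network Gateway and Connection, so the second tunnel for high availability is just another loop iteration. The sample configuration text, the resource names and the VPC CIDR are constructed assumptions modelled on the layout the post describes.

```python
import re
from dataclasses import dataclass
# Constructed sample (fake keys, RFC 5737 addresses) laid out like the generic AWS Site-to-Site VPN configuration download the post describes: one block per tunnel.
SAMPLE_CONFIG = """\
IPSec Tunnel #1
#1: Internet Key Exchange Configuration
  - Pre-Shared Key           : ExamplePsk1aaaaaaaaaaaaaa
#3: Tunnel Interface Configuration
Outside IP Addresses:
  - Virtual Private Gateway  : 198.51.100.1
Inside IP Addresses
  - Virtual Private Gateway  : 169.254.10.2/30

IPSec Tunnel #2
#1: Internet Key Exchange Configuration
  - Pre-Shared Key           : ExamplePsk2bbbbbbbbbbbbbb
#3: Tunnel Interface Configuration
Outside IP Addresses:
  - Virtual Private Gateway  : 198.51.100.2
Inside IP Addresses
  - Virtual Private Gateway  : 169.254.20.2/30
"""
@dataclass(frozen=True)
class Tunnel:
    number: int
    psk: str
    vgw_outside_ip: str  # becomes the Azure Local Network Gateway IP address
def parse_tunnels(config: str) -> list[Tunnel]:
    """Pull the PSK and VGW outside IP out of every 'IPSec Tunnel #N' block."""
    parts = re.split(r"^IPSec Tunnel #(\d+)[ \t]*$", config, flags=re.M)
    tunnels = []
    for num, body in zip(parts[1::2], parts[2::2]):
        psk = re.search(r"Pre-Shared Key\s*:\s*(\S+)", body)
        # Scope to "Outside IP Addresses": the Inside section repeats the label with a link-local /30.
        outside = re.search(r"Outside IP Addresses:(.*?)(?:Inside IP|\Z)", body, flags=re.S)
        ip = outside and re.search(r"Virtual Private Gateway\s*:\s*(\d+(?:\.\d+){3})", outside.group(1))
        if not (psk and ip):
            raise ValueError(f"tunnel {num}: Pre-Shared Key or VGW outside IP not found")
        tunnels.append(Tunnel(int(num), psk.group(1), ip.group(1)))
    return tunnels

def azure_commands(t: Tunnel, rg: str, vng: str, aws_vpc_cidr: str) -> list[str]:
    """az CLI for one tunnel's Local Network Gateway and Connection (resource names are hypothetical)."""
    lng = f"lng-aws-tunnel{t.number}"
    return [
        f"az network local-gateway create -g {rg} -n {lng} "
        f"--gateway-ip-address {t.vgw_outside_ip} --local-address-prefixes {aws_vpc_cidr}",
        f"az network vpn-connection create -g {rg} -n conn-aws-tunnel{t.number} "
        f"--vnet-gateway1 {vng} --local-gateway2 {lng} --shared-key {t.psk}",
    ]
```

Running `for t in parse_tunnels(open("vpn-config.txt").read()): print("\n".join(azure_commands(t, "rg-demo", "vng-demo", "10.0.0.0/16")))` emits both tunnels' commands; the PSK ends up on the command line, so run them where shell history is disabled or feed the key from a secret store instead.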
Errors are inevitable, but they can be valuable learning experiences. Here are a few things I've learned from my own troubleshooting:
- To verify the connection between your cloud environments, create temporary virtual machines in each environment. Ensure your firewall rules allow ICMP (ping) traffic on both sides to facilitate testing. Once the VMs are running, use the "ping" command from one VM to the Private IP address of the other VM to test connectivity.
- In the AWS Route Tables of your VPC, make sure to edit the route table and add a route to the Azure subnet through the AWS Virtual Private Gateway.
- Thoroughly review the downloaded AWS Site-to-Site VPN Configuration File, as it contains crucial details required for establishing a secure and successful connection, including the Pre-Shared Key and the Outside IP Address of the Virtual Private Gateway.
- Verify that an Internet Gateway is incorporated into the route table linked to the subnet of your test VM in AWS. The Internet Gateway functions as a logical bridge between the Amazon VPC and the Internet, enabling access to the test VM via its public IP address. This configuration is intended solely for testing purposes and is not required for the VPN connection.
I'm an AWS Cloud Engineer at Computrade Technology Philippines, Inc., an AWS Partner. We specialize in all aspects of AWS Cloud, particularly databases. Whether you're migrating workloads, optimizing costs, enhancing security, or building chatbots, our expert AWS Cloud Engineers are here to help.
Reach out to us via:
- Email: ctp_sales@computradetech.com.ph
- Website: computradetech.com.ph