Interconnected Kitchen: Link Azure and AWS with a VPN

Interconnected Kitchen: Link Azure and AWS with a VPN

Establishing a connection on your Azure and AWS environments using a Site-to-Site VPN, creating a secure and interconnected workspace.

Published Jul 24, 2024

Safe and Secured with a Site-to-Site VPN!

According to Fortinet, a site-to-site virtual private network (VPN) establishes a secure connection between multiple networks. This setup is ideal for corporations with several offices working together or for branch office networks linked to a central office. Site-to-site VPNs are essential for companies that need private and secure traffic, especially those with geographically dispersed offices. These organizations often need to access resources on a primary network, such as servers for email or data storage. In some cases, a server might host a crucial business application. A site-to-site VPN enables all locations to access this application seamlessly, as if it were hosted locally at each site.
You can read more here at: https://www.fortinet.com/resources/cyberglossary/what-is-site-to-site-vpn
A site-to-site VPN can also connect an on-premises data center to a cloud platform or link one cloud platform to another. This capability is particularly useful for scenarios such as data migration. By using a site-to-site VPN, organizations can ensure secure and seamless integration between different infrastructure environments, facilitating the smooth transfer and synchronization of data and applications.

Main Ingredients 🛒

Azure Virtual Network Gateway

According to Azure documentation, Azure VPN Gateway is a service that can be used to send encrypted traffic between an Azure virtual network and on-premises locations over the public Internet.
You can read more at:
https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways

Azure Local Network Gateway

According to Azure documentation, the local network gateway is a specific object deployed to Azure that represents your on-premises location (the site) for routing purposes. You give the site a name by which Azure can refer to it, and then specify the IP address of the on-premises VPN device to which you create a connection.
You can read more at:
https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-portal

AWS Virtual Private Gateway

According to AWS documentation, a virtual private gateway is the VPN concentrator on the Amazon side of the Site-to-Site VPN connection. You create a virtual private gateway and attach it to a virtual private cloud (VPC) with resources that must access the Site-to-Site VPN connection.
You can read more at:
https://docs.aws.amazon.com/vpn/latest/s2svpn/how_it_works.html#VPNGateway

AWS Customer Gateway

According to AWS documentation, a customer gateway is a resource that you create in AWS that represents the customer gateway device in your on-premises network. When you create a customer gateway, you provide information about your device to AWS.
You can read more at:
https://docs.aws.amazon.com/vpn/latest/s2svpn/how_it_works.html#CustomerGateway

AWS Site-to-Site VPN

According to AWS, by default, instances that you launch into an Amazon VPC can't communicate with your own (remote) network. You can enable access to your remote network from your VPC by creating an AWS Site-to-Site VPN (Site-to-Site VPN) connection, and configuring routing to pass traffic through the connection.
You can read more at:
https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html

Prep Work 📝

  1. Complete setup of Azure Network Environment (Virtual Network, Subnets)
  2. Complete setup of AWS Network Environment (Virtual Private Cloud, Subnets, Route Tables)

Cooking Time! 🧑🏽‍🍳

Configure the Environments

Azure Environment

  1. Ensure that you have setup a virtual network, subnet/s, and most importantly, a gateway subnet.
  2. Create a Virtual Network Gateway.

    Once created, take note of the Virtual Network Gateway Public IP address because this is what we will be using in our AWS Customer Gateway.

AWS Environment

  1. Ensure that you have setup a Virtual Private Cloud and subnet/s.
  2. Create a Customer Gateway. Make sure to use the Azure Virtual Network Gateway Public IP.
  3. Create the Virtual Private Gateway.

    Attach the VPC that we created earlier to the created Virtual Private Gateway
  4. Create a Site-to-Site VPN Connection. In the Virtual Private Gateway and Customer Gateway ID sections, choose the resources that we created earlier.

    Configure the routing to be static, directing traffic to the Azure subnet-01 prefix (172.10.1.0/24).
  5. Choose the created Site-to-Site VPN. Then, download the configuration file.

    🚨 IMPORTANT 🚨 In the downloaded configuration file, there are 2 IPSec Tunnels bearing some important information. In each of the tunnels, you will see the following sections: #1: Internet Key Exchange Configuration, #2: IPSec Configuration, and #3: Tunnel Interface Configuration. For this demo, we will only configure 1 tunnel. In one of the tunnels, navigate to the Internet Key Exchange Configuration section. Make sure to note the Pre-Shared Key. Next, navigate to the Tunnel Interface Configuration section of one of the IPSec Tunnels. Make sure to note the Virtual Private Gateway Outside IP Address.

Azure Environment

  1. Create a Local Network GatewayFor the IP Address, put the Outside IP Address of the Virtual Private Gateway that you've copied in the downloaded configuration file. For the Address Space(s), put your AWS VPC CIDR that we've created earlier.
  2. Create a Connection via the Virtual Network Gateway. For the Connection Type, choose "Site-to-Site (IPSec)".

    For the Virtual Network Gateway and Local Network Gateway, choose the gateways that we've created earlier. For the Shared Key (PSK), put the key that you've taken note earlier.

Check the Connection Status in Both Environments

AWS Environment

Choose the Site-to-Site VPN that we've created earlier. Check the status of one of the tunnels that you've configured. The status should be "UP".

Azure Environment

Choose the Connection that we've created earlier in the Virtual Network Gateway. Check the connection status. The status should be "Connected".

AWS Routing Configuration

Choose the route table of the resources that you want to reach. Add the route to Azure subnet-01 through the Virtual Private Gateway.

Test the Connectivity

Create a test virtual machine for each of the environments. Use the subnets and route table that we configured earlier. Ensure your firewall rules allow ICMP (ping) traffic on both sides to facilitate testing. Once the VMs are running, use the "ping" command from one VM to the Private IP address of the other VM to test connectivity.

AWS Environment

Azure Environment

High Availability

You can configure the 2nd VPN Tunnel for High Availability. To do that, repeat the steps in creating a Local Network Gateway in Azure. Make sure to take note of the Outside IP Address of the Virtual Private Gateway of the 2nd IPSec Tunnel that can be seen in the downloaded configuration file. Then, repeat the steps in creating a Connection via the Virtual Network Gateway. Make sure to take note of the Pre-Shared Key of the 2nd IPSec Tunnel that can be seen in the downloaded configuration file.

Kitchen Mishaps ⚠️

Errors are inevitable, but they can be valuable learning experiences. Here are a few things I've learned from my own troubleshooting:
  1. To verify the connection between your cloud environments, create temporary virtual machines in each environment. Ensure your firewall rules allow ICMP (ping) traffic on both sides to facilitate testing. Once the VMs are running, use the "ping" command from one VM to the Private IP address of the other VM to test connectivity.
  2. In the AWS Route Tables of your VPC, make sure to edit the route table and add a route to the Azure subnet through the AWS Virtual Private Gateway.
  3. Thoroughly review the downloaded AWS Site-to-Site VPN Configuration File, as it contains crucial details required for establishing a secure and successful connection, including the Pre-Shared Key and the Outside IP Address of the Virtual Private Gateway.
  4. Verify that an Internet Gateway is incorporated into the route table linked to the subnet of your test VM in AWS. The Internet Gateway functions as a logical bridge between the Amazon VPC and the Internet, enabling access to the test VM via its public IP address. This configuration is intended solely for testing purposes and is not required for the VPN connection.

Need professional help on your business? 👋🏽

I'm an AWS Cloud Engineer at Computrade Technology Philippines, Inc., an AWS Partner. We specialize in all aspects of AWS Cloud, particularly databases. Whether you're migrating workloads, optimizing costs, enhancing security, or building chatbots, our expert AWS Cloud Engineers are here to help.
Reach us out via:
  • Email: ctp_sales@computradetech.com.ph
  • Website: computradetech.com.ph
     

Comments