Sometimes an organization may find itself in a spot where it needs to deploy resources in both Azure and AWS. In this tutorial, I’m going to explain how to connect the two environments via a site-to-site VPN.
By Thomas Mitchell

Historically, this was problematic because AWS did not support IKEv2. That changed in February 2019, so instead of needing a third-party network virtual appliance, you can now do this natively.

This tutorial assumes the following:

  • An existing virtual network in Azure (10.0.0.0/16)
  • An existing subnet of the Azure virtual network (10.0.1.0/24)
  • An existing virtual network gateway in Azure (route-based VPN type)
  • An existing VPC in AWS (192.168.0.0/16 address space)
  • An existing subnet within the VPC (192.168.0.0/24)

This tutorial will explain how to connect the virtual network gateway in Azure to a virtual private gateway in AWS. If you need help creating the virtual network gateway in Azure, click here.

To get started, open the AWS portal and browse to the VPC dashboard. You are going to create a Customer Gateway.

Click Customer Gateways (under Virtual Private Network) to create a new customer gateway. Name it AzureGW. After naming it, supply the public IP address of the existing Azure virtual network gateway that you’ll be connecting to. Leave the routing set to "static."

Click Create Customer Gateway.

Create Customer Gateway

At this point, you can create a virtual private gateway in AWS. For the name, use the same name you used when you created the Customer Gateway.

Leave the ASN set to default and click Create Virtual Private Gateway.

Create Virtual Private Gateway

With the new virtual private gateway created, select it. Then, from the Actions menu, click Attach to VPC and attach it to your AWS VPC.

With the customer gateway and virtual private gateway created and attached to your VPC in AWS, you can create a VPN connection. To do this, click Site-to-Site VPN Connections under Virtual Private Network in the AWS portal. Then click Create VPN Connection.

Use the same name you used for the virtual private gateway. Then choose both the virtual private gateway you just created and the customer gateway ID you created earlier.

Click the Static radio button next to Routing Options and provide the Azure subnet address range (10.0.1.0/24 in this example) in the IP Prefixes box. Provide a pre-shared key for Tunnel 1 and Tunnel 2. You can let Amazon generate the Inside IP CIDR for both tunnels. Click Create VPN Connection.

Create VPN Connection in AWS

Download the completed configuration, choosing Generic from the Vendor dropdown.

The downloaded configuration file includes the following information:

  • IPSec tunnel # 1
  • Pre-shared key
  • Outside IP addresses
  • Virtual private gateway

With this information, you should now go into the Azure Portal and create a Local network gateway. You can search for it in the marketplace.

Provide a name for the local network gateway. Then, in the IP address field, provide the outside Virtual Private Gateway address for Tunnel 1 from the text file that you downloaded.

In the Address Space field, provide the AWS VPC subnet range (192.168.0.0/24 in this example).

Choose the Azure subscription, resource group, and location that should host the local gateway.

Create Local Network Gateway

With the local gateway configured in Azure, you can now create the connection between AWS and Azure. To do so, browse to your existing Virtual Network Gateway in Azure and find Connections on the left.

Click Add to create a connection.

Provide a Name for the connection and choose the Site-to-Site option for Connection Type.

Ensure that the Virtual network gateway is selected and then select the newly-created Local network gateway.

Provide the pre-shared key that you configured in AWS for Tunnel 1 and click OK.

Create Connection in Azure

Give Azure some time to provision the connection. Click the newly created connection to see its overview page. After a few minutes, the status of the connection in Azure will be "Connected."

Connected

At this point, go back to the AWS portal and browse to Route Tables under the VPC. If you don’t already have a route table, create one. Choose the route table for your VPC, click the Routes tab, and then the Edit Routes button to add the Azure subnet address range (10.0.1.0/24 in this example) as a destination if it doesn’t already exist. Set the virtual private gateway as the target and click Save.

Click the Route Propagation tab and then click Edit route propagation.

Propagation

Check the Propagate box and then click Save.

For redundancy, create a second tunnel. To do so, create a second local network gateway in Azure. View the IPSec Tunnel # 2 info in the downloaded file and use it to configure the local network gateway. Use the outside virtual private gateway IP address for Tunnel 2. Provide the same AWS VPC subnet range as you did with the first local network gateway (192.168.0.0/24 in this example) in the address space field.

Propagation on

Click Create.

After creation, create a second connection in Azure by searching the marketplace for "Connection" and following the same steps you followed for the first connection. Choose the existing virtual network gateway. For the local gateway, choose the local network gateway that you just created. Be sure to use the same pre-shared key that you set up for Tunnel 2 in AWS.

As with the first connection you configured in Azure, the second connection’s status will indicate "Connected" after a few minutes.

Tunnel 2 connected

Congratulations! You’ve successfully connected AWS and Azure via a Site-to-Site VPN. The best way to test your new connection is to create a VM in Azure and a VM in AWS, allow ping through the firewalls, and then ping each other.
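The Azure side of this procedure (two local network gateways and two connections, each fed with the outside virtual private gateway address and pre-shared key from the downloaded file) is mostly transcription, and transcription is where the values get mixed up. The following script is an added example written for this page; it is not code from the post or from 4sysops. It pulls the Tunnel 1 and Tunnel 2 values out of a configuration file, checks that the pre-shared keys satisfy the AWS key rules and that the Azure and AWS prefixes used in the static routes are consistent and non-overlapping, and emits the equivalent Azure CLI commands. The sample configuration text is constructed and only approximates the layout of the AWS "Generic" download (an assumption about its format), all addresses and keys in it are made up, and the resource names (rg-vpn, eastus, AzureVNetGW, AWS-Tunnel1, AWS-Tunnel2) are placeholders.

```python
import ipaddress
import re
import shlex

# Constructed sample, not a real download, laid out like the AWS "Generic" vendor
# configuration file; only the fields the tutorial uses are kept and all values are made up.
SAMPLE_AWS_CONFIG = """\
IPSec Tunnel #1
#1: Internet Key Exchange Configuration
  - Authentication Method    : Pre-Shared Key
  - Pre-Shared Key           : constructed_psk_tunnel1_AbCdEf
Outside IP Addresses:
  - Customer Gateway         : 203.0.113.10
  - Virtual Private Gateway  : 198.51.100.21
Inside IP Addresses
  - Customer Gateway         : 169.254.10.2/30
  - Virtual Private Gateway  : 169.254.10.1/30

IPSec Tunnel #2
#1: Internet Key Exchange Configuration
  - Pre-Shared Key           : constructed_psk_tunnel2_GhIjKl
Outside IP Addresses:
  - Customer Gateway         : 203.0.113.10
  - Virtual Private Gateway  : 198.51.100.22
"""

TUNNEL_HEADER = re.compile(r"^IPSec Tunnel #(\d+)", re.MULTILINE)
PSK_RE = re.compile(r"Pre-Shared Key\s*:\s*(\S+)")
VGW_RE = re.compile(r"Virtual Private Gateway\s*:\s*(\S+)")
CGW_RE = re.compile(r"Customer Gateway\s*:\s*(\S+)")
# AWS rule for tunnel PSKs: 8-64 characters from [A-Za-z0-9._], not starting with 0.
PSK_ALLOWED = re.compile(r"^[A-Za-z0-9._]{8,64}$")


def parse_tunnels(config_text):
    """Return {tunnel_number: {"psk", "vgw_ip", "cgw_ip"}} taken from each tunnel's
    Outside IP Addresses block; the inside 169.254.x.x addresses are deliberately ignored."""
    tunnels = {}
    headers = list(TUNNEL_HEADER.finditer(config_text))
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(config_text)
        section = config_text[h.end():end]
        outside = section.find("Outside IP Addresses")
        if outside < 0:
            raise ValueError(f"tunnel {h.group(1)}: no 'Outside IP Addresses' block")
        inside = section.find("Inside IP Addresses", outside)
        block = section[outside:inside if inside >= 0 else None]
        psk, vgw, cgw = PSK_RE.search(section), VGW_RE.search(block), CGW_RE.search(block)
        if not (psk and vgw and cgw):
            raise ValueError(f"tunnel {h.group(1)}: missing PSK or outside address")
        tunnels[int(h.group(1))] = {
            "psk": psk.group(1),
            "vgw_ip": str(ipaddress.ip_address(vgw.group(1))),  # rejects non-addresses
            "cgw_ip": str(ipaddress.ip_address(cgw.group(1))),
        }
    return tunnels


def psk_problems(psk):
    """Report violations of the AWS key rules before the key is pasted into Azure."""
    problems = []
    if not PSK_ALLOWED.match(psk):
        problems.append("PSK must be 8-64 characters of letters, digits, '.' or '_'")
    if psk.startswith("0"):
        problems.append("PSK must not start with '0'")
    return problems


def check_address_plan(azure_vnet, azure_subnet, aws_vpc, aws_subnet):
    """Return problems with the prefixes that go into the static routes on both sides."""
    # ip_network() is strict by default, so a prefix with host bits set (10.0.1.5/24) raises.
    vnet, vsub = ipaddress.ip_network(azure_vnet), ipaddress.ip_network(azure_subnet)
    vpc, asub = ipaddress.ip_network(aws_vpc), ipaddress.ip_network(aws_subnet)
    problems = []
    if not vsub.subnet_of(vnet):
        problems.append(f"{vsub} is not inside the Azure virtual network {vnet}")
    if not asub.subnet_of(vpc):
        problems.append(f"{asub} is not inside the AWS VPC {vpc}")
    if vnet.overlaps(vpc):
        problems.append(f"{vnet} overlaps {vpc}: the static routes would be ambiguous")
    return problems


def azure_cli_plan(tunnels, resource_group, location, vnet_gateway, aws_subnet):
    """One local network gateway plus one connection per tunnel; names are hypothetical."""
    rg, loc, gw = map(shlex.quote, (resource_group, location, vnet_gateway))
    cmds = []
    for n, t in sorted(tunnels.items()):
        lgw = f"AWS-Tunnel{n}"  # placeholder naming scheme
        cmds.append(f"az network local-gateway create -g {rg} -l {loc} -n {lgw} "
                    f"--gateway-ip-address {t['vgw_ip']} --local-address-prefixes {aws_subnet}")
        cmds.append(f"az network vpn-connection create -g {rg} -l {loc} -n {lgw}-conn "
                    f"--vnet-gateway1 {gw} --local-gateway2 {lgw} --shared-key {shlex.quote(t['psk'])}")
    return cmds


if __name__ == "__main__":
    tunnels = parse_tunnels(SAMPLE_AWS_CONFIG)
    for n, t in sorted(tunnels.items()):
        print(f"tunnel {n}: outside VGW {t['vgw_ip']}, PSK issues: {psk_problems(t['psk'])}")
    print(check_address_plan("10.0.0.0/16", "10.0.1.0/24", "192.168.0.0/16", "192.168.0.0/24"))
    print("\n".join(azure_cli_plan(tunnels, "rg-vpn", "eastus", "AzureVNetGW", "192.168.0.0/24")))
```

Two practical checks follow from the parsed values: the Customer Gateway outside address in the file should equal the public IP of your Azure virtual network gateway (it is the address you typed into the AWS Customer Gateway), and the generated commands carry the pre-shared key on the command line, so run them from a script or a shell session whose history is not recorded rather than pasting them into an interactive shell.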


© 4sysops 2006 - 2023