Historically, connecting the two natively was problematic because AWS did not support IKEv2. That changed in February 2019, so instead of relying on a third-party network virtual appliance, you can now build the VPN natively on both sides.
This tutorial assumes the following:
- An existing virtual network in Azure (10.0.0.0/16)
- An existing subnet of the Azure virtual network (10.0.1.0/24)
- An existing virtual network gateway in Azure (route-based VPN type)
- An existing VPC in AWS (192.168.0.0/16 address space)
- An existing subnet within the VPC (192.168.0.0/24)
This tutorial will explain how to connect the virtual network gateway in Azure to a virtual private gateway in AWS. If you need help creating the virtual network gateway in Azure, click here.
To get started, open the AWS portal and browse to the VPC dashboard. You are going to create a Customer Gateway.
Click Customer Gateways (under Virtual Private Network) to create a new customer gateway. Name it AzureGW. After naming it, supply the public IP address of the existing Azure virtual network gateway that you’ll be connecting to. Leave the routing set to "static."
Click Create Customer Gateway.
At this point, you can create a virtual private gateway in AWS. For the name, use the same name you used when you created the Customer Gateway.
Leave the ASN set to default and click Create Virtual Private Gateway.
With the new virtual private gateway created, select it. Then, from the Actions menu, click Attach to VPC and attach it to your AWS VPC.
With the customer gateway and virtual private gateway created and attached to your VPC in AWS, you can create a VPN connection. To do this, click Site-to-Site VPN Connections under Virtual Private Network in the AWS portal. Then click Create VPN Connection.
Use the same name you used for the virtual private gateway. Then choose both the virtual private gateway you just created and the customer gateway ID you created earlier.
Click the Static radio button next to Routing Options and provide the Azure subnet address range (10.0.1.0/24 in this example) in the IP Prefixes box. Provide a pre-shared key for Tunnel 1 and Tunnel 2. You can let Amazon generate the Inside IP CIDR for both tunnels. Click Create VPN Connection.
Download the completed configuration, choosing Generic from the Vendor dropdown.
The downloaded configuration file includes the following information:
- IPSec Tunnel #1
- Pre-shared key
- Outside IP addresses
- Virtual private gateway
With this information, you should now go into the Azure Portal and create a Local network gateway. You can search for it in the marketplace.
Provide a name for the local network gateway. Then, in the IP address field, provide the outside Virtual Private Gateway address for Tunnel 1 from the text file that you downloaded.
In the Address Space field, provide the AWS VPC subnet range (192.168.0.0/24 in this example).
Choose the Azure subscription, resource group, and location that should host the local gateway.
With the local gateway configured in Azure, you can now create the connection between AWS and Azure. To do so, browse to your existing Virtual Network Gateway in Azure and find Connections on the left.
Click Add to create a connection.
Provide a Name for the connection and choose the Site-to-Site option for Connection Type.
Ensure that the Virtual network gateway is selected and then select the newly-created Local network gateway.
Provide the pre-shared key that you configured in AWS for Tunnel 1 and click OK.
Give Azure some time to provision the connection. Click the newly created connection to see its overview page. After a few minutes, the status of the connection in Azure will be "Connected."
At this point, go back to the AWS portal and browse to Route Tables under the VPC. If you don’t already have a route table, create one. Choose the route table for your VPC, click the Routes tab, and then the Edit Routes button to add the Azure subnet address range (10.0.1.0/24 in this example) as a destination if it doesn’t already exist. Set the virtual private gateway as the target and click Save.
Click the Route Propagation tab and then click Edit route propagation.
Check the Propagate box and then click Save.
For redundancy, create a second tunnel. To do so, create a second local network gateway in Azure. View the IPSec Tunnel #2 info in the downloaded file and use it to configure the local network gateway. Use the outside virtual private gateway IP address for Tunnel 2. Provide the same AWS VPC subnet range as you did with the first local network gateway (192.168.0.0/24 in this example) in the Address Space field.
Click Create.
After creation, create a second connection in Azure by searching the marketplace for "Connection" and following the same steps you followed for the first connection. Choose the existing virtual network gateway. For the local gateway, choose the local network gateway that you just created. Be sure to use the same pre-shared key that you set up for Tunnel 2 in AWS.
As with the first connection you configured in Azure, the second connection’s status will indicate "Connected" after a few minutes.
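The two Azure local network gateways above are built by hand from the downloaded "Generic" configuration file (outside Virtual Private Gateway IP plus pre-shared key per tunnel, and the AWS subnet as the address space). The following added example, not part of the original tutorial, pulls those values for both tunnels out of the file and checks that the AWS and Azure address spaces do not overlap before you type them into the portal. The sample file text is constructed in the layout of that download with placeholder addresses and keys; the `AWS-Tunnel1`/`AWS-Tunnel2` names are assumptions.

```python
import re
import ipaddress

# Constructed sample in the layout of the AWS "Generic" vendor download
# (placeholder addresses and keys, not values from any real account).
SAMPLE_CONFIG = """\
! IPSec Tunnel #1
! #1: Internet Key Exchange Configuration
  - Authentication Method    : Pre-Shared Key
  - Pre-Shared Key           : EXAMPLEpskTunnelOne123
Outside IP Addresses:
  - Customer Gateway         : 203.0.113.10
  - Virtual Private Gateway  : 198.51.100.21
! IPSec Tunnel #2
  - Pre-Shared Key           : EXAMPLEpskTunnelTwo456
Outside IP Addresses:
  - Customer Gateway         : 203.0.113.10
  - Virtual Private Gateway  : 198.51.100.22
"""

def parse_tunnels(text):
    """Map tunnel number -> {'psk', 'vgw_ip'} from the downloaded config text."""
    tunnels, current = {}, None
    for line in text.splitlines():
        hdr = re.match(r"!\s*IPSec Tunnel #(\d+)", line)
        if hdr:
            current = int(hdr.group(1))
            tunnels[current] = {}
            continue
        if current is None:
            continue
        psk = re.match(r"\s*-\s*Pre-Shared Key\s*:\s*(\S+)", line)
        if psk:
            tunnels[current]["psk"] = psk.group(1)
        vgw = re.match(r"\s*-\s*Virtual Private Gateway\s*:\s*(\S+)", line)
        if vgw:  # validate it is a real IP before handing it to Azure
            tunnels[current]["vgw_ip"] = str(ipaddress.ip_address(vgw.group(1)))
    return tunnels

def local_gateway_params(tunnels, aws_subnet="192.168.0.0/24", azure_vnet="10.0.0.0/16"):
    """One Azure local network gateway definition per AWS tunnel, after sanity checks."""
    if ipaddress.ip_network(aws_subnet).overlaps(ipaddress.ip_network(azure_vnet)):
        raise ValueError("AWS and Azure address spaces overlap; static routes would be ambiguous")
    out = []
    for n, t in sorted(tunnels.items()):
        if "psk" not in t or "vgw_ip" not in t:
            raise ValueError(f"tunnel {n} lacks a pre-shared key or outside IP")
        out.append({"name": f"AWS-Tunnel{n}", "gateway_ip": t["vgw_ip"],
                    "address_space": aws_subnet, "shared_key": t["psk"]})
    return out
```

Each returned dictionary holds exactly the four values the tutorial enters for one local network gateway and its connection; keep the pre-shared keys out of source control once you replace the sample with your real download.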
Congratulations! You’ve successfully connected AWS and Azure via a Site-to-Site VPN. The best way to test your new connection is to create a VM in Azure and a VM in AWS, allow ping through the firewalls, and then ping each other.