Introduction
The modern world cannot work in silos. Whether it is communication between the High Commissions of powerful countries or compatibility between popular technology products, interoperability is essential. In daily use, we all feel the need to set up communication between technology products from different brands without effort. We want Windows applications to run on Linux and vice versa, and we want Android features on iOS and vice versa. With this prelude, I will show how to set up a Site-to-Site VPN connection between AWS and Azure, two popular cloud providers, in a simple step-by-step way.
Come join me in this AWS-Azure VPN communication journey…
What to expect from this article?
Multi-cloud architecture is becoming more common in the IT world, and you will need to set up a fast, direct, resilient VPN connection between your public cloud providers, such as Azure and AWS.
There are some concerns about transferring data over the internet; legacy applications and workloads do not support internet protocols well. Let us play with Virtual Private Networks.
In this article, I will show you how to set up a site-to-site VPN connection between Azure and AWS to connect the two virtual networks.
The goal is for the VM (Virtual Machine) in AWS VPC (Virtual Private Cloud) to be able to connect to the VM in Azure via a VPN connection configured in AWS VPC.
High Level Architecture Diagram:
The AWS VPC service allows you to use cloud resources in a logically isolated private network. It offers the same level of isolation as an Azure virtual network. The logical network can be divided into subnets, each of which controls whether the VMs (virtual machines) launched in it can access the Internet or specified resources.
An IPsec tunnel will be used to connect the AWS VPC to the Azure virtual network. The tunnel is set up between the Azure virtual network gateway and the AWS VPN, with the help of a Customer Gateway on the AWS side and a Local Network Gateway on the Azure side. This tunnel will carry all traffic between the AWS VPC and the Azure VNet.
Below are the main steps that you need to follow to achieve this infrastructure.
Configuring Azure
Create An Azure Virtual Network (VNET)
Before creating the VNet, create a resource group. Then create the VNet with CIDR range 172.10.0.0/16 and one subnet with CIDR range 172.10.1.0/24.
Create Gateway Subnet
Go to the VNET you just created. Click on Subnet and create Gateway Subnet with CIDR range 172.10.5.0/27. You need to have a gateway subnet in the VNet to configure an Azure VPN Gateway.
Create Azure Virtual Network Gateway
Once the Virtual Network Gateway has been created, you will get a public IP.
This will take 20 – 45 minutes to provision.
Configuring AWS
Create An AWS Virtual Private Network (VPC)
Now move to the AWS side and create a VPC with CIDR range 192.16.0.0/16.
Click on Subnets and create a subnet with CIDR range 192.16.1.0/24. Go to Route Tables and associate the subnet.
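An added check, not part of the original article: before building the gateways, the address plan from the Azure and AWS steps above can be validated for overlap, subnet containment and RFC 1918 membership. The function name, finding labels and the second plan are assumptions made for this example.

```python
import ipaddress

# CIDR ranges exactly as given in the article's Azure and AWS steps.
ARTICLE_PLAN = {
    "azure_vnet": "172.10.0.0/16",
    "azure_subnet": "172.10.1.0/24",
    "azure_gateway_subnet": "172.10.5.0/27",
    "aws_vpc": "192.16.0.0/16",
    "aws_subnet": "192.16.1.0/24",
}
# Constructed alternative: same layout, moved into RFC 1918 space.
PRIVATE_PLAN = {
    "azure_vnet": "172.16.0.0/16",
    "azure_subnet": "172.16.1.0/24",
    "azure_gateway_subnet": "172.16.5.0/27",
    "aws_vpc": "192.168.0.0/16",
    "aws_subnet": "192.168.1.0/24",
}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PARENT = {"azure_subnet": "azure_vnet",
          "azure_gateway_subnet": "azure_vnet",
          "aws_subnet": "aws_vpc"}


def check_plan(plan):
    """Return a list of findings for a two-sided VPN address plan."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}
    findings = []
    # Each side routes the peer's whole range into the tunnel, so the
    # VNet and VPC ranges must not overlap.
    if nets["azure_vnet"].overlaps(nets["aws_vpc"]):
        findings.append("overlap:azure_vnet/aws_vpc")
    # Every subnet must sit inside its own network.
    for child, parent in PARENT.items():
        if not nets[child].subnet_of(nets[parent]):
            findings.append(f"outside-parent:{child}")
    # The workload subnet and the gateway subnet must be disjoint.
    if nets["azure_subnet"].overlaps(nets["azure_gateway_subnet"]):
        findings.append("overlap:azure_subnet/azure_gateway_subnet")
    # Ranges outside RFC 1918 are publicly routable space: traffic meant
    # for the real owners of that space would be kept on the private side.
    for name in ("azure_vnet", "aws_vpc"):
        if not any(nets[name].subnet_of(r) for r in RFC1918):
            findings.append(f"not-rfc1918:{name}")
    return findings


if __name__ == "__main__":
    print(check_plan(ARTICLE_PLAN))
    print(check_plan(PRIVATE_PLAN))
```

The article's ranges do not overlap and the subnets nest correctly, so the tunnel works as described; the check only flags that 172.10.0.0/16 and 192.16.0.0/16 lie outside the RFC 1918 private blocks.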
Create Customer Gateway
Click on Customer Gateway in the panel and create a Customer Gateway. In the IP address field, enter the public IP of the Azure Virtual Network Gateway. Refer to step 3 for the IP.
Create AWS Virtual Private Gateway
Create a Virtual Private Gateway. Select the Virtual Private Gateway that you just created and attach it to the VPC that you created in step 4.
Create a Site-to-Site VPN
Click on VPN Connections in the panel and create a VPN connection. Set the routing option to Static and add the Azure VNet CIDR range.
This will take 5 – 10 mins to provision.
After the VPN connection has been created, select it and download the configuration, choosing Generic as the vendor. This configuration file is used to set up the Local Network Gateway in Azure.
Adding the AWS information on Azure Configuration
Create Azure Local Network Gateway
Now come back to Azure side and create 2 Local Network Gateways, because AWS gives you two tunnels for high availability.
In the IP Address field, enter the AWS VPN public IP. You can get this IP from the configuration file you downloaded in the previous step.
Note: Here I’m showing only one Local Network Gateway. You can create the other one in the same way, using the second tunnel's details. The details of both tunnels are available in that configuration file.
Create a Connection
Go to the Local Network Gateway you just created. Select Connections and add a new connection. Enter the shared key from the AWS VPN configuration file.
This will take 10 – 15 mins. Meanwhile, let’s go and configure the routes.
Configuring Routes
Create Route Table
Go to Route tables and create a route table. Click on Subnets and associate it with the subnet you created in step 1.
Click on Routes and add a new route for the CIDR range of the AWS VPC, pointing to the Virtual Network Gateway.
Add Route at AWS Route Table
Go back to the AWS route table and add a route for the CIDR range of the Azure VNet, pointing to the Virtual Private Gateway.
Everything is done. Your Site-to-Site VPN tunnels should now be up and running.
For a quick test, deploy a VM in Azure and an EC2 Windows instance in AWS without a public IP, then try RDP (Remote Desktop Protocol) from the Azure VM to the AWS EC2 instance. To make this work, you must create a rule in the security group assigned to the EC2 instance in AWS that allows traffic to the Azure address range. In Azure, you create a Network Security Group for the subnet in which your VM is located, which allows traffic to the AWS VPC address range.
You’ll be able to RDP into the EC2 instance using its private IP address from the Azure VM. This is proof that your VPN is working. Have some fun with your connected clouds now.
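An added example, not from the original article: a least-privilege check for the security group rule used in the RDP test, run over constructed rules in the shape of EC2 `IpPermissions` entries. The sample rules and function names are assumptions; the peer range is the article's Azure VNet CIDR.

```python
import ipaddress

AZURE_VNET = ipaddress.ip_network("172.10.0.0/16")  # VNet range from the article
RDP_PORT = 3389

# Constructed ingress rules, shaped like EC2 security-group IpPermissions.
SAMPLE_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "172.10.1.0/24"}]},   # RDP from the Azure subnet
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},       # RDP from anywhere
    {"IpProtocol": "-1",
     "IpRanges": [{"CidrIp": "172.10.0.0/16"}]},   # all traffic from the VNet
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},       # unrelated to RDP
]


def covers_rdp(rule):
    """True when the rule admits TCP 3389 ("-1" means every protocol)."""
    if rule["IpProtocol"] == "-1":
        return True
    if rule["IpProtocol"] not in ("tcp", "6"):
        return False
    return rule.get("FromPort", 0) <= RDP_PORT <= rule.get("ToPort", 65535)


def audit_rdp_ingress(rules, peer=AZURE_VNET):
    """Flag rules that expose RDP beyond the VPN peer or beyond port 3389."""
    findings = []
    for index, rule in enumerate(rules):
        if not covers_rdp(rule):
            continue
        for entry in rule.get("IpRanges", []):
            source = ipaddress.ip_network(entry["CidrIp"])
            if not source.subnet_of(peer):
                # RDP reachable from addresses that are not behind the tunnel.
                findings.append((index, entry["CidrIp"], "rdp-source-outside-peer"))
            elif rule["IpProtocol"] == "-1" or rule.get("FromPort") != rule.get("ToPort"):
                # Source is the peer, but more than RDP is opened to it.
                findings.append((index, entry["CidrIp"], "wider-than-rdp"))
    return findings


if __name__ == "__main__":
    for finding in audit_rdp_ingress(SAMPLE_INGRESS):
        print(finding)
```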
Benefits
- Highly available
- Secure connectivity
- Accelerate applications
- Network address translation (NAT) Traversal
- Robust Monitoring
Use Cases
Some of the use cases are:
- Application Migration
- AD (Active Directory) services secure connection between On-Prem and Cloud
- Workspaces, etc.
Summary
You can scale your cloud infrastructure across multiple clouds joined by a secure connection. The connection between the two appears to be quick. Because the VPN is established entirely by managed services, there is no need to set up a virtual machine. Operations are less of a concern because the need for management has been reduced.
About CloudThat
As a pioneer in the Cloud Computing training realm, we are a Microsoft Gold Partner, AWS (Amazon Web Services) Advanced Consulting Partner and Training Partner. We are also Google Cloud Partners, delivering best-in-industry training for Azure, AWS, and GCP (Google Cloud Platform). We are on a mission to build a strong cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers aim at enabling all the stakeholders in the cloud computing sphere.
WRITTEN BY Sridhar Immanni
JAMI PREM KUMAR
Dec 14, 2022
Hi Sridhar,
I tried Site-to-Site VPN from AWS to Azure and connected them.
I created a Windows VM in AWS and SQL Server in Azure. I configured private access for SQL Server. Though it is in the same VNet, I am not able to connect to SQL Server from the Windows VM, which is in AWS. Any suggestions?
ekin
Apr 6, 2022
Thanks Sridhar, it’s working.
Anil kumar
Sep 19, 2021
Important & excellent information. I admire you, good job.
Sridhar Immanni
Sep 20, 2021
Thanks Anil
Jaideep Edupuganti
Sep 18, 2021
Great work! keep going ✌
Sridhar Immanni
Sep 20, 2021
Tnq Jaideep
Janjarla Prasanna
Sep 18, 2021
Good Work
Sridhar Immanni
Sep 20, 2021
Tnq Prasanna
Praisy
Sep 18, 2021
Great job
Sridhar Immanni
Sep 18, 2021
Tnq Praisy
Hema
Sep 18, 2021
Informative ✌
Sridhar Immanni
Sep 18, 2021
Tnq Hema
Rishi Raj
Sep 13, 2021
Good job bro
Sridhar Immanni
Sep 18, 2021
Thanks bro
surapaneni Prasad
Sep 12, 2021
Nice work bro
Sridhar Immanni
Sep 13, 2021
Tnq bro
Aishwarya Joshi
Sep 9, 2021
Nicely explained ! good work dude!
Sridhar Immanni
Sep 9, 2021
Thanks Aishwarya
Jaivanth Edupuganti
Sep 8, 2021
Great work👍
Sridhar Immanni
Sep 9, 2021
tnq
Hema
Sep 8, 2021
Great work keep going 👍👍
Sridhar Immanni
Sep 9, 2021
Tnq Hema
Lokesh Sai kumar
Sep 8, 2021
Nice job,great work
Sridhar Immanni
Sep 8, 2021
Tnq
Anusha Mullapudi
Sep 8, 2021
Good job,Interesting to learn
Sridhar Immanni
Sep 8, 2021
Tnq
Sasidhar Manepalli
Sep 8, 2021
Good Work
Sridhar Immanni
Sep 8, 2021
Tnq
Jaideep Edupuganti
Sep 8, 2021
Good work 😇
Sridhar Immanni
Sep 8, 2021
Tnq
Ganesh guttula
Sep 8, 2021
As I didn’t expect a mechanical engineer can achieve sound knowledge in this regard. 👏👏
Sridhar Immanni
Sep 8, 2021
Thank you so much Ganesh !!
K.sai Swaroop
Sep 8, 2021
Nice information
Sridhar Immanni
Sep 8, 2021
Tnq
Raghava
Sep 8, 2021
Useful
Sridhar Immanni
Sep 8, 2021
Tnq
Raghava
Sep 8, 2021
Informative
Sridhar Immanni
Sep 8, 2021
Tnq
Mani Ratnam Battula
Sep 8, 2021
Nice Sridhar
Sridhar Immanni
Sep 8, 2021
Tnq
Srinu
Sep 8, 2021
Nice blog
Sridhar Immanni
Sep 8, 2021
Tnq
Saipavan
Sep 18, 2021
Nice
Sridhar Immanni
Sep 18, 2021
tnq sai