Teşekkür ederim! Gönderiniz alındı!
Hata! Formu gönderirken bir şeyler ters gitti.

Implementing High-Availability Cross-Cloud VPN between AWS and GCP

Bu makale şu tarihte güncellenmiştir
March 18, 2024
An illustration showing connection between AWS and GCP

As part of our effort to become cloud-agnostic, we are moving a section of our production services to GCP from AWS while most of our services and databases continue to run on the AWS infrastructure.

Throughout this campaign, keeping our services away from the public network has been one of our main security concerns. Thus, our solution to handle the traffic privately was to create a VPN tunnel between GCP and AWS using the IPSec protocol to secure the communication channel.

In our previous blog post, we described how we fixed the NAT Gateway issue in a site-to-site VPN between GCP and AWS. Here, we shall explain in more detail how we designed and implemented the connection using the Border Gateway Protocol.

Site-to-site VPN connection

The key concepts used on AWS to peer with GCP fall into two groups. First, we have the key concepts for the site-to-site VPN used on AWS:

  • VPN connection: A secure connection between other clouds and the VPCs on AWS
  • VPN tunnel: An encrypted link where data can pass from the other network to or from AWS
  • Customer gateway: An AWS resource that provides information to AWS about your gateway device. In our case, it's a peer GCP VPN gateway. GCP Cloud VPN gateways are associated with this gateway on AWS.
  • Virtual private gateway: The VPN endpoint on the Amazon side of our site-to-site VPN connection is to be attached to a single VPC

And then, there are the key concepts used on the GCP end to peer with AWS:

  • Cloud Router: Fully distributed and managed Google Cloud service to provide dynamic routing using BGP for your VPC networks
  • Cloud NAT: A Google service that lets certain resources without external IPs create outbound connections to the internet
  • Cloud VPN gateway: A Google-managed VPN gateway running on Google Cloud. Each Cloud VPN gateway is a regional resource that has one or two interfaces. We made use of two interfaces, each with its own external IP addresses: interface 0 and 1. Each Cloud VPN gateway is connected to a peer VPN gateway. AWS tunnels public IPs are associated with this gateway.
  • Peer VPN gateway: A gateway connected to a Cloud VPN gateway. All the tunnels at the GCP end use this gateway. Each tunnel should have one external IP.
  • Cloud VPN tunnels: A VPN tunnel connects two VPN gateways (AWS and GCP) and serves as virtual tunnels through which encrypted traffic passes
how to create VPN tunnel in AWS infographic

GCP has two types of VPN gateways, Classic and High Availability (HA). We will be creating the HA version of the VPN gateway, which allows us to achieve 99.99% SLA. In addition to this gateway, we must create 4 tunnels between AWS and GCP. On the AWS side, we will need to create two customer gateways and two site-to-site VPN connections.

We will be jumping between GCP and AWS consoles in this tutorial.

GCP

Step 1: Create a Cloud Router

  • Scroll down to Hybrid Connectivity and select “Cloud Routers”. Click “Create Router”.
screenshot showing steps to create cloud router GCP

  • When creating the Cloud Router, the following details are important:
  • Name: demo-cloud-router
  • Google ASN: 64567 (You can use any private ASN within the range 64512–65534. Make sure it doesn’t conflict with the ASN in the AWS side created later in Step 5 (This will be used in Step4).
  • *Note: 4200000000–4294967294 are not allowed in AWS, so don’t use this range.
  • BGP peer keepalive interval: 20 (Default)
  • Select “Advertise all subnets visible to the Cloud Router (Default)”
Screenshot showing steps to cloud router GCP

Step 2: Create a VPN

  • Go down to Hybrid Connectivity, select "CREATE VPN CONNECTION"
Screenshot showing steps to create a VPN on AWS
  • Select "High-availability (HA) VPN".
Screenshot showing steps to create a vpn on aws

Step 3: Create a Cloud HA VPN gateway

screenshot showing steps for AWS VPN high availability
  • Add "VPN gateway name".
  • Select "Network".
  • Select "Region" for your VPN.
  • Select "IPv4 (single-stack)" for the VPN tunnel inner IP stack type.
  • Create and continue.
  • Make sure to note down the interfaces created in the below step “0 : 35.242.99.173 1 : 35.220.70.6"
Screenshot of VPN tunnel interface

Step 4a: Switch to AWS and create Customer Gateway 1

  • Go to the VPC section in AWS and look for "Virtual private network (VPN)".
Screenshot of AWS site to site VPN steps
  • Select "Customer gateways" and select "Create customer gateway".
Screenshot showing customer gateway details
  • Name: demo-cg-1
  • BGP ASN: 64567 (the ASN you used to create the GCP Cloud Router in Step 1)
  • IP Address: 35.242.99.173 (IP from Interface Tunnel 0 in GCP VPN Gateway in Step 3)
  • Certificate ARN: blank
  • Device: blank

Step 4b: Repeat Step 4a to create Customer Gateway 2

  • We have to create 2 customer gateways to accommodate 4 tunnels between AWS and GCP
  • Name: demo-cg-2
  • BGP ASN: 64567 (The ASN you used to create the GCP Cloud Router in Step 1)
  • IP address: 35.220.70.6 (IP from Interface Tunnel 1 in the GCP VPN gateway in Step 3)
  • Certificate ARN: blank
  • Device: blank
Screenshot showing how to create customer gateway for AWS

Step 5: Create virtual private gateways

  • Select "Virtual private gateways"; then select "Create virtual private gateways".
Screenshot showing details to create virtual private gateways
  • Name tag: demo-vpg-1
  • ASN: Custom ASN: 64586 (Any ASN you want. This will be used on the GCP side in Step13)
Screenshot showing details to create virtual private gateways
  • You will notice that "State" shows Detached, We have to attach this VPG to a VPC.

Step 6: Attach the virtual private gateway (VPG) to VPC

  • Select the newly created VPG, go to Actions, and select Attach to VPC.
Screenshot showing details to attach virtual private gateway to VPC
  • Select the VPC you want to attach to the VPG.
Screenshot showing details to attach virtual private gateway to VPC

Note: There can only be one VPG attached to a VPC, so if a VPG already exists in your VPC, you can attach your customer gateways to that same existing VPG.

Step 7a: Create a site-to-site VPN connection (Tunnel 0)

  • Select "Site-to-Site VPN connections"; then select "Create VPN connection".
Screenshot for VPN connection setup
  • Name tag: demo-vpn-1
  • Target gateway type: Virtual Private Gateway
  • Virtual private gateway: vgw-0bfabc0d783bc9d95 (name tag: demo-vpg-1). Select the virtual private gateway you just created.
  • Customer gateway: Existing
  • Customer gateway: cgw-0a6031d4959a4631e (name tag: demo-cg-1). Select the first customer gateway you created that matches Tunnel 0 in GCP.
  • Routing options: Dynamic

Step 7b: Repeat Step 7a to create another site-to-site VPN connection (Tunnel 1)

  • Name tag: demo-vpn-2
  • Target gateway type: Virtual Private Gateway
  • Virtual private gateway: vgw-0bfabc0d783bc9d95 (name tag: demo-vpg-1). Select the virtual private gateway you just created.
  • Customer gateway: Existing
  • Customer gateway: cgw-0e74d3786ff8eb0e9 (name tag: demo-cg-2). Select the first customer gateway you created that matches Tunnel 1 in GCP.
  • Routing options: Dynamic
Screen showing VPN routing details

Step 8a: Download the configuration of the VPN-1 connection

  • Select the new site-to-site VPN connection (demo-vpn-1). Click “Download configuration”.
Screen with VPN connection setup details
  • Vendor: Generic
  • Platform: Generic
  • Software: Vendor Agnostic
  • IKE version: ikev1
  • Click "Download" to save the configuration and use it later while setting up GCP.

Step 8b: Repeat Step 8a to download the configuration of the VPN-2 connection

  • Select the new site-to-site VPN connection (demo-vpn-2). Click “Download configuration”.
  • Vendor: Generic
  • Platform: Generic
  • Software: Vendor Agnostic
  • IKE version: ikev1
  • Click "Download" to save the configuration and use it later while setting up GCP.

Step 9: Switch back to GCP to Step 3

  • For “Peer VPN gateway”, make sure “On-prem or Non Google Cloud” is selected.
  • For “Peer VPN gateway name”, click the drop-down menu and select “Create new peer VPN Gateway”.
Screen showing peer VPN gateway details
  • Name: demo-peer-gateway-1
  • Interfaces: Select “four interfaces”

Step 10a: Open the first configuration file you downloaded from AWS

  • Interface 0 IP address: 23.23.65.255 (Look for “IPSec Tunnel #1” -> “#3: Tunnel Interface Configuration” -> “Outside IP Addresses:” -> Virtual Private Gateway.)
Code for outside IP addresses
  • Interface 1 IP Address: 52.22.80.188 (Look for “IPSec Tunnel #2” -> “#3: Tunnel Interface Configuration” -> “Outside IP Addresses:” -> Virtual Private Gateway.)
Code for outside IP addresses

Step 10b: Open the second configuration file you downloaded from AWS

  • Interface 3 IP address: 34.235.79.68 (Look for “IPSec Tunnel #1” -> “#3: Tunnel Interface Configuration” -> “Outside IP Addresses:” -> Virtual Private Gateway.)
Code for outside IP addresses
  • Interface 4 IP address: 54.83.17.30 (Look for “IPSec Tunnel #1” -> “#3: Tunnel Interface Configuration” -> “Outside IP Addresses:” -> Virtual Private Gateway.)
Code for outside IP addresses
  • Add the above value in Step 9.
Screen showing peer VPN gateway details

Step 11: Attach the Cloud Router created in Step 1

  • Select "Create 4 VPN tunnels".
  • Add the name of the cloud router created in Step1 ("demo-peer-gateway-1").
Screen showing peer VPN gateway details

Step 12a: Configure the VPN (Tunnel 1)

  • Associated Cloud VPN gateway interface: “0 : 35.242.99.173”
  • Associated peer VPN gateway interface: “0 : 23.23.65.255”
  • Name: demo-vpn-tunnel-1
  • Description:
  • IKE version: IKEv1
  • IKE pre-shared key: pUXYaBBHqrwt5fT3zcJ1RFdwpMg5T2Ie (Look in the first configuration file you downloaded under “IPSec Tunnel #1” -> “#1: Internet Key Exchange Configuration” -> “- Pre-Shared Key”)
Guidelines for using NAT-T
Screen showing peer VPN gateway details

Step 12b: Configure the VPN (Tunnel 2)

  • Associated Cloud VPN gateway interface: “0 : 35.242.99.173”
  • Associated peer VPN gateway interface: “0 : 52.22.80.188”
  • Name: demo-vpn-tunnel-2
  • Description: demo-vpn-tunnel-2
  • IKE version: IKEv1
  • IKE pre-shared key: HeFwR_SmRsZf0WCaKGoFuDSixvXGcbCf (Look in the first configuration file you downloaded under “IPSec Tunnel #1” -> “#1: Internet Key Exchange Configuration” -> “- Pre-Shared Key”)
Guidelines for using NAT-T

Step 12c: Configure the VPN (Tunnel 3)

  • Associated Cloud VPN gateway interface: “0 : 35.242.99.173”
  • Associated peer VPN gateway interface: “0 : 34.235.79.68”
  • Name: demo-vpn-tunnel-3
  • Description: demo-vpn-tunnel-3
  • IKE version: IKEv1
  • IKE pre-shared key: JjfmK0HcxGx4sTidWx5cHTvnVKq_oXU7 (Look in the first configuration file you downloaded under “IPSec Tunnel #1” -> “#1: Internet Key Exchange Configuration” -> “- Pre-Shared Key”)
Guidelines for using NAT-T

Step 12d: Configure the VPN (Tunnel 4)

  • Associated Cloud VPN gateway interface: “0 : 35.242.99.173”
  • Associated peer VPN gateway interface: “0 : 54.83.17.30”
  • Name: demo-vpn-tunnel-4
  • Description: demo-vpn-tunnel-4
  • IKE version: IKEv1
  • IKE pre-shared key: R1ROQKVBCxVCZrV9Dtg5W6vCBD.3jzq4 (Look in the first configuration file you downloaded under “IPSec Tunnel #1” -> “#1: Internet Key Exchange Configuration” -> “- Pre-Shared Key”)
Guidelines for using NAT-T

Step 13a: Configure BGP Sessions (Tunnel 1)

  • You should be able to see the following screen.
BGP sessions configuration details
  • Click “Configure BGP Session” for demo-vpn-tunnel-1.
  • Name: demo-bgp-1
  • Peer ASN: 64568 (The ASN from the Virtual Private Gateway from AWS)
  • Advertised route priority (MED): blank
  • Cloud Router BGP IP: 169.254.60.22 (Look for “IPSec Tunnel #1” -> “#3: Tunnel Interface Configuration” -> “Inside IP Addresses:” -> Customer Gateway)
  • BGP peer IP: 169.254.60.21 (Look for “IPSec Tunnel #1” -> “#3: Tunnel Interface Configuration” -> “Inside IP Addresses:” -> Virtual Private Gateway)
  • Select “Use Cloud Router’s advertisements (Default)”.
Code for inside IP addresses
Screen showing peer VPN gateway details

Step 13b: Configure BGP Sessions (Tunnel 2)

  • Click “Configure BGP Session” on demo-vpn-tunnel-2.
  • Name: demo-bgp-2
  • Peer ASN: 64568 (The ASN from the Virtual Private Gateway from AWS)
  • Advertised route priority (MED): blank
  • Cloud Router BGP IP: 169.254.100.38 (Look for “IPSec Tunnel #1” -> “#3: Tunnel Interface Configuration” -> “Inside IP Addresses:” -> Customer Gateway)
  • BGP peer IP: 169.254.100.37 (Look for “IPSec Tunnel #1” -> “#3: Tunnel Interface Configuration” -> “Inside IP Addresses:” -> Virtual Private Gateway)
  • Select “Use Cloud Router’s advertisements (Default)”.
Code for inside IP addresses

Step 13c: Configure BGP Sessions (Tunnel 3)

  • Click “Configure BGP Session” on demo-vpn-tunnel-3.
  • Name: demo-bgp-3
  • Peer ASN: 64568 (The ASN from the Virtual Private Gateway from AWS)
  • Advertised route priority (MED): blank
  • Cloud Router BGP IP: 169.254.205.182 (Look for “IPSec Tunnel #1” -> “#3: Tunnel Interface Configuration” -> “Inside IP Addresses:” -> Customer Gateway)
  • BGP peer IP: 169.254.205.181 (Look for “IPSec Tunnel #1” -> “#3: Tunnel Interface Configuration” -> “Inside IP Addresses:” -> Virtual Private Gateway)
  • Select “Use Cloud Router’s advertisements (Default)”.
Code for inside IP addresses

Step 13d: Configure BGP Sessions (Tunnel 4)

  • Click “Configure BGP Session” on demo-vpn-tunnel-4.
  • Name: demo-bgp-4
  • Peer ASN: 64568 (The ASN from the Virtual Private Gateway from AWS)
  • Advertised route priority (MED): blank
  • Cloud Router BGP IP: 169.254.105.118 (Look for “IPSec Tunnel #1” -> “#3: Tunnel Interface Configuration” -> “Inside IP Addresses:” -> Customer Gateway)
  • BGP peer IP: 169.254.105.117 (Look for “IPSec Tunnel #1” -> “#3: Tunnel Interface Configuration” -> “Inside IP Addresses:” -> Virtual Private Gateway)
  • Select “Use Cloud Router’s advertisements (Default)”.
Code for inside IP addresses
  • After configuring the BGP Session, It should look something as following:
BGP sessions configuration details
  • Click on "Save BGP Configuration".

On the GCP side

BGP sessions configuration on GCP details

On the AWS side

Screen showing BGP sessions configuration on AWS
Screen showing BGP sessions configuration on AWS

Step 14: Adding Routes from GCP into AWS

  • Select the VPC in which you created the VPN.
  • Click on “Route Tables” in the left nav bar. Select the routeing table associated with your VPC.
Screenshot of VPC menu
  • Click on the “Route Propagation” tab.
  • Click on “Edit route propagation”
Screen showing VPN route propogation
  • When you click on the “Routes” tab, you should now see the 10.128.0.0/20 GCP CIDR range add to the table automatically.
Screen showing VPN route propogation

This Will finish our setup of HA site-to-site VPN, cross-cloud networking with high availability is an involved process with many components, and requires considerable effort to stay on top. This tutorial aims to be a hands-on manual to give you an understanding of different components. Creating this HA site-to-site VPN requires individual cloud CLIs, e.g. gcloud and aws-cli, or IAC tools, such as Terraform.