
How to establish a highly-available VPN connection between AWS and GCP

In this post, I’ll go through the process of setting up a highly available VPN connection between GCP and AWS with dynamic route propagation through BGP. AWS does not support multiple IP addresses on a single customer gateway, therefore 4 tunnels are required to make this setup work.

Overall, the setup can be summarized as:

1) (Optional) Create a VPC network on Google Cloud

We will start by creating a VPC network on Google Cloud. You can skip this step if you already have a VPC, or if you want to use the default one. We will also create a subnet with the IP range in the us-east region.

a) Go to Networking > VPC Network > VPC networks > Create VPC Network.

2) Create a Cloud Router

a) Go to Networking > Hybrid Connectivity > Cloud Routers > Create router.

3) Start creating the VPN on the GCP side

a) Go to Networking > Hybrid Connectivity > VPN > Create VPN connection. Select High-Availability (HA) VPN

b) Enter a gateway name, and select the VPC network and the region.

c) You must CANCEL when you reach step 2, because we need to create the AWS components first. Write down the 2 IP addresses assigned to the VPN gateway. They are also available under VPN Connection > VPN gateways.

4) (Optional) Create a VPC network on AWS

We will also create a custom VPC network on AWS. You can skip this step if you already have a VPC or if you plan to use the default one. We will create a subnet with the IP range in the us-east region.

a) Go to VPC > Launch VPC Wizard > VPC with a single public subnet and enter the name of the VPC, the subnet, and the IP range.

5) Create an AWS Virtual Private Gateway

a) In AWS, go to VPC > Virtual Private Gateways > Create Virtual Private Gateway

b) Then click on Actions > Attach to VPC and select the VPC that will be using the VPN connection.

6) Create 2 AWS Customer Gateways

a) In AWS, go to VPC > Customer Gateways > Create Customer Gateway

You need to create one customer gateway per IP address written down in step 3c).

7) Create 2 AWS VPN Connections

a) In AWS, go to VPC > Site-to-Site VPN Connections > Create VPN Connection

There needs to be a VPN connection between each customer gateway and the virtual private gateway, so 2 VPN connections are required.

b) In AWS, go to VPC > Site-to-Site VPN Connections and write down the tunnel details for each connection (4 tunnels in total).

c) In VPC > Site-to-Site VPN Connections, click Download Configuration and write down the 4 pre-shared keys.

8) Create the VPN tunnels on Google Cloud

a) Click Add VPN tunnel under Networking > Hybrid Connectivity > VPN > VPN gateways.

b) Select Non-Google Cloud and click on Create new peer VPN gateway

c) Enter the 4 outside IP addresses from step 7b)

d) Select Create 4 VPN tunnels (Required to connect to AWS) and select the cloud router created in 2a)

e) Configure each tunnel with the correct pre-shared key then click Create & continue

Tunnel 1 – Interface 0 to interface 0 – IKE version: IKEv2
Tunnel 2 – Interface 0 to interface 1 – IKE version: IKEv2
Tunnel 3 – Interface 1 to interface 2 – IKE version: IKEv2
Tunnel 4 – Interface 1 to interface 3 – IKE version: IKEv2

9) Configure the BGP sessions

If the Inside IP CIDR from step 7b) is, then
– The Cloud Router BGP IP is (add 2 to last digit)
– The BGP peer IP is (add 1 to last digit)
– The Peer ASN is 64512, unless a custom ASN was selected in step 5a)

a) Set the values for the BGP session. For our example, the values would be:

BGP Tunnel 1 — Inside IP CIDR
– The Cloud Router BGP IP is
– The BGP peer IP is

BGP Tunnel 2 — Inside IP CIDR
– The Cloud Router BGP IP is
– The BGP peer IP is

BGP Tunnel 3 — Inside IP CIDR
– The Cloud Router BGP IP is
– The BGP peer IP is

BGP Tunnel 4 — Inside IP CIDR
– The Cloud Router BGP IP is
– The BGP peer IP is

b) Save the configuration. The VPN resources should start allocating.
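The tunnel-to-interface mapping of step 8e) and the "+1 / +2" address rule of step 9 are easy to get wrong by hand across four tunnels, so here is an added helper (my own example, not code from the original post) that derives all four BGP sessions from the Inside IP CIDRs AWS assigned. The four /30 CIDRs below are constructed sample values, and the ASN is the 64512 default from step 5a).

```python
import ipaddress

# AWS hands each tunnel a /30 "Inside IP CIDR" from the 169.254.0.0/16
# link-local range: AWS takes the first host, the customer side (the GCP
# Cloud Router) takes the second, matching the +1 / +2 rule in step 9.
AWS_DEFAULT_ASN = 64512  # default Virtual Private Gateway ASN (step 5a)

# GCP HA VPN interface -> peer VPN gateway interface, per tunnel (step 8e)
TUNNEL_INTERFACE_MAP = {1: (0, 0), 2: (0, 1), 3: (1, 2), 4: (1, 3)}


def bgp_addresses(inside_cidr):
    """Return (cloud_router_bgp_ip, bgp_peer_ip) for one tunnel's Inside IP CIDR."""
    net = ipaddress.ip_network(inside_cidr, strict=True)
    if net.version != 4 or net.prefixlen != 30:
        raise ValueError(f"inside tunnel CIDR must be an IPv4 /30, got {inside_cidr}")
    if not net.subnet_of(ipaddress.ip_network("169.254.0.0/16")):
        raise ValueError(f"{inside_cidr} is outside the 169.254.0.0/16 link-local range")
    aws_ip, gcp_ip = list(net.hosts())  # a /30 has exactly two usable addresses
    return str(gcp_ip), str(aws_ip)


def bgp_sessions(inside_cidrs, peer_asn=AWS_DEFAULT_ASN):
    """Build the four BGP session settings of step 9, in tunnel order 1..4."""
    if len(inside_cidrs) != 4:
        raise ValueError("AWS needs exactly 4 tunnels (2 connections x 2 tunnels each)")
    sessions = []
    for tunnel, cidr in enumerate(inside_cidrs, start=1):
        gcp_if, peer_if = TUNNEL_INTERFACE_MAP[tunnel]
        router_ip, peer_ip = bgp_addresses(cidr)
        sessions.append({
            "tunnel": tunnel, "gcp_interface": gcp_if, "peer_interface": peer_if,
            "inside_cidr": cidr, "cloud_router_bgp_ip": router_ip,
            "bgp_peer_ip": peer_ip, "peer_asn": peer_asn,
        })
    return sessions


# Constructed sample values; not tunnel addresses from any real account.
SAMPLE_INSIDE_CIDRS = ["169.254.10.0/30", "169.254.11.4/30",
                       "169.254.12.8/30", "169.254.13.12/30"]

if __name__ == "__main__":
    for s in bgp_sessions(SAMPLE_INSIDE_CIDRS):
        print(f"Tunnel {s['tunnel']}: interface {s['gcp_interface']} -> peer interface "
              f"{s['peer_interface']}, Cloud Router BGP IP {s['cloud_router_bgp_ip']}, "
              f"BGP peer IP {s['bgp_peer_ip']}, peer ASN {s['peer_asn']}")
```

Paste the four real CIDRs from step 7b) into SAMPLE_INSIDE_CIDRS in the order of the tunnels you created in step 8e); the CIDR checks reject anything that is not a /30 in the link-local range, which is the usual sign of a copy-paste slip.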

10) Enable route propagation on AWS

a) In VPC > Route Tables, select each route table and click Actions > Edit route propagation and enable the route propagation.

If done correctly, the GCP subnet (e.g. should be listed with the virtual private gateway (vgw-…) as a target and a Propagated value of Yes

11) Allow the VPN traffic through the firewall

a) On AWS, make sure the route tables (VPC > Route tables) allow the traffic to and from the GCP subnet.

b) On AWS, make sure the security group also allows the traffic from the GCP subnet.

c) On GCP, add a firewall rule (Networking > VPC Networks > Firewall Rules) to allow the traffic from and to the AWS subnet.

You should now have a highly available VPN connection between GCP and AWS, and you should be able to ping instances over the VPN connection.


Using Office365 credentials to login to AWS

In this post, I will describe, step-by-step, how to use your existing Office365 credentials to login to your AWS account, and how to assign AWS permissions to your current Office 365 users. I’m assuming you already have (1) an Office 365 subscription and (2) an AWS account.

1. Login to Azure Active Directory

a) In Office 365, click on the dots in the corner and select Admin.

b) Select Azure Active Directory under Admin Centers

c) In the Azure Portal, select Azure Active Directory. Alternatively, you can type https://aad.portal.azure.com/ in your browser to access the Azure Active Directory directly.

2. Create an AWS enterprise app

a) Select Enterprise applications in the left menu

b) Click on + New Application in the main panel

c) Type Amazon Web Services under “Add from the gallery” then select Amazon Web Services (AWS)

d) Click on Add

3. Download the metadata XML

a) Click on 2. Set up single sign on

b) Select SAML as the authentication method

c) Under 3. SAML Signing Certificate, click on Federation Metadata XML > Download and save the file as metadata.xml

4. Create user roles in AWS

For this demonstration, we will create an azure.admin role with full administrator permissions, and an azure.reader role with view-only permissions. Feel free to create different roles with other permissions as you see fit.

a) Log in to AWS and navigate to IAM

b) In the left menu, click on Identity Providers

c) Click on Create Provider, select SAML as the provider type, enter any name, and select metadata.xml for the metadata document. Then click Next Step and Create

d) In the left menu, select Roles, then Create role. For our admin role, we would select SAML 2.0 federation, and the provider created in step c) with Programmatic and console access. Then Next:Permissions, select AdministratorAccess, then Next:Tags, then Next:Review. Finally we name the role as azure.admin and select Create role.

e) For our reader role, we create another role with SAML 2.0 federation, Programmatic and console access, the ViewOnlyAccess policy, and we name the role azure.reader.

5. Create AzureAAD user to download roles

a) In IAM, select Users in the left menu, then Add User

b) Enter AzureAAD as the user name, and select Programmatic Access. Click Next:Permissions, then Next:Tags, then Next:Review, and finally Create user. You should receive a warning that this user has no permissions.

c) Copy the Access key ID, and the Secret access key shown after creating the user.

d) Go back to IAM > Users > AzureAAD, then click on the Permissions tab, and + Add Inline Policy. In the JSON tab, copy the following policy, then click Review Policy, name the policy AzureAAD.Policy and click Create Policy.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "iam:ListRoles",
                "Resource": "*"
            }
        ]
    }
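The role wizard in step 4d) and the inline policy in step 5d) are the two IAM documents that decide who can assume the federated roles and what the long-lived AzureAAD access key can do. This added example (mine, not the post's or AWS's code) writes out the trust policy the SAML 2.0 federation wizard generates, reproduces the step 5d) policy, and checks that the provisioning user is granted nothing beyond iam:ListRoles. The account id 123456789012 and provider name AzureAD are placeholders.

```python
import json

# Fixed audience AWS expects in the SAML assertion for console sign-in.
SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"


def saml_role_trust_policy(account_id, provider_name):
    """Trust policy the 'SAML 2.0 federation' wizard attaches to a role (step 4d):
    only the named identity provider may call sts:AssumeRoleWithSAML, and only
    for the AWS console audience."""
    provider_arn = f"arn:aws:iam::{account_id}:saml-provider/{provider_name}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        }],
    }


def azure_aad_inline_policy():
    """The inline policy from step 5d: the provisioning user may only list roles."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "iam:ListRoles", "Resource": "*"}]}


def allowed_actions(policy):
    """Collect every action granted by the Allow statements of an IAM policy document."""
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        acts = stmt.get("Action", [])
        actions.update([acts] if isinstance(acts, str) else acts)
    return actions


def is_least_privilege_provisioning_user(policy):
    """True only if the long-lived AzureAAD access key can do nothing beyond iam:ListRoles."""
    return allowed_actions(policy) == {"iam:ListRoles"}


if __name__ == "__main__":
    # Placeholder account id and provider name; replace with your own.
    print(json.dumps(saml_role_trust_policy("123456789012", "AzureAD"), indent=2))
    print("AzureAAD policy least-privilege:", is_least_privilege_provisioning_user(azure_aad_inline_policy()))
```

Run the check against the policy actually attached to the AzureAAD user after step 5d): because this key is stored in Azure and never rotated by the steps above, any extra action on it is a standing risk.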

6. Configure Azure Provisioning

a) In Azure Active Directory > Enterprise Applications > Amazon Web Services, click on Provisioning, and on Get Started.

b) Select Automatic as the Provisioning Mode, then enter the Access key ID and Secret access key of the AzureAAD user as the clientsecret and Secret Token, respectively. Click on Test Connection to validate the credentials. Finally, click on Save.

c) Click on Provisioning in the left menu, then select Start Provisioning.

d) After several minutes, you should see roles being imported. If this doesn’t work, edit the provisioning and toggle the status to Off, then On, then click refresh.

7. Assign roles to users

a) In Azure Active Directory > Enterprise Applications > Amazon Web Services, click on Users and groups, and then on +Add user.

b) Select the user who can log in to AWS and one of the roles the user can assume. To add another role to the same user, click on Add user again and select the second role.

Note: If you only see the Default Access role, try adding yourself as the application owner and disable/re-enable the provisioning, and refresh its status. It can take several minutes for it to work. Don’t forget to remove yourself as an application owner afterwards.

8. Login using the AWS Icon

a) Assigned users should be able to log in using the AWS icon on their dashboard.

b) If multiple roles have been assigned to them, they will be shown a menu to choose which role to assume when they log in.
