In this post, I’ll go through the process of setting up a highly available VPN connection between GCP and AWS with dynamic route propagation through BGP. AWS does not support multiple IP addresses on a single customer gateway, so 4 tunnels are required to make this setup work.
Overall, the setup can be summarized as:
1) (Optional) Create a VPC network on Google Cloud
We will start by creating a VPC network on Google Cloud. You can skip this step if you already have a VPC, or if you want to use the default one. We will also create a subnet with the IP range 10.0.1.0/24 in the us-east region.
a) Go to Networking > VPC Network > VPC networks > Create VPC Network.
2) Create a Cloud Router
a) Go to Networking > Hybrid Connectivity > Cloud Routers > Create router.
3) Start creating the VPN on the GCP side
a) Go to Networking > Hybrid Connectivity > VPN > Create VPN connection. Select High-Availability (HA) VPN.
b) Enter a gateway name, and select the VPC network and the region.
c) You must CANCEL when you reach step 2, because we need to create the AWS components first. Write down the 2 IP addresses assigned to the VPN gateway. They are also available under VPN Connection > VPN gateways.
4) (Optional) Create a VPC network on AWS
We will also create a custom VPC network on AWS. You can skip this step if you already have a VPC or if you plan to use the default one. We will create a subnet with the IP range 10.0.2.0/24 in the us-east region.
a) Go to VPC > Launch VPC Wizard > VPC with a single public subnet and enter the name of the VPC, the subnet, and the IP range.
5) Create an AWS Virtual Private Gateway
a) In AWS, go to VPC > Virtual Private Gateways > Create Virtual Private Gateway.
b) Then click on Actions > Attach to VPC and select the VPC that will be using the VPN connection.
6) Create 2 AWS Customer Gateways
a) In AWS, go to VPC > Customer Gateways > Create Customer Gateway.
You need to create one customer gateway per IP address recorded in step 3c).
7) Create 2 AWS VPN Connections
a) In AWS, go to VPC > Site-to-Site VPN Connections > Create VPN Connection.
There needs to be a VPN connection between each customer gateway and the virtual private gateway, so 2 VPN connections are required.
b) In AWS, go to VPC > Site-to-Site VPN Connections and write down the tunnel details for each connection (4 tunnels in total).
c) In VPC > Site-to-Site VPN Connections, click Download Configuration and write down the 4 pre-shared keys.
8) Create the VPN tunnels on Google Cloud
a) Click Add VPN tunnel under Networking > Hybrid Connectivity > VPN > VPN gateways.
b) Select Non-Google Cloud and click on Create new peer VPN gateway.
c) Enter the 4 outside IPs from step 7b).
d) Select Create 4 VPN tunnels (Required to connect to AWS) and select the cloud router created in step 2a).
e) Configure each tunnel with the correct pre-shared key, then click Create & continue.
Tunnel 1 – Interface 0 to interface 0 – IKE version: IKEv2
Tunnel 2 – Interface 0 to interface 1 – IKE version: IKEv2
Tunnel 3 – Interface 1 to interface 2 – IKE version: IKEv2
Tunnel 4 – Interface 1 to interface 3 – IKE version: IKEv2
9) Configure the BGP sessions
If the Inside IP CIDR from step 7b) is 169.254.100.200/30, then
– The Cloud Router BGP IP is 169.254.100.202 (add 2 to the last octet of the network address)
– The BGP peer IP is 169.254.100.201 (add 1 to the last octet of the network address)
– The Peer ASN is 64512, unless a custom ASN was selected in step 5a)
a) Set the values for the BGP session. For our example, the values would be:
BGP Tunnel 1 — Inside IP CIDR 169.254.223.32/30
– The Cloud Router BGP IP is 169.254.223.34
– The BGP peer IP is 169.254.223.33
BGP Tunnel 2 — Inside IP CIDR 169.254.10.104/30
– The Cloud Router BGP IP is 169.254.10.106
– The BGP peer IP is 169.254.10.105
BGP Tunnel 3 — Inside IP CIDR 169.254.183.228/30
– The Cloud Router BGP IP is 169.254.183.230
– The BGP peer IP is 169.254.183.229
BGP Tunnel 4 — Inside IP CIDR 169.254.67.212/30
– The Cloud Router BGP IP is 169.254.67.214
– The BGP peer IP is 169.254.67.213
b) Save the configuration. The VPN resources should start allocating.
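To avoid deriving the four BGP sessions by hand, here is an added example (not part of the original post) that applies the step 9 rule to the sample Inside IP CIDRs above, and additionally checks that each CIDR is a link-local /30 and that none of the four overlap. The tunnel names and the ASN default of 64512 are assumptions taken from the values used in this post.

```python
import ipaddress

# Constructed sample input: the four Inside IP CIDRs from step 7b) of the post.
INSIDE_CIDRS = {
    "tunnel1": "169.254.223.32/30",
    "tunnel2": "169.254.10.104/30",
    "tunnel3": "169.254.183.228/30",
    "tunnel4": "169.254.67.212/30",
}

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def bgp_addresses(inside_cidr: str, peer_asn: int = 64512) -> dict:
    """Derive one tunnel's BGP session addresses from its AWS Inside IP CIDR.

    AWS hands out a /30 from 169.254.0.0/16. The AWS virtual private gateway
    takes network + 1 (the BGP peer IP on the GCP side) and the Cloud Router
    takes network + 2, which is the rule stated in step 9 of the post.
    """
    net = ipaddress.ip_network(inside_cidr, strict=True)  # rejects host bits set
    if net.version != 4 or net.prefixlen != 30:
        raise ValueError(f"{inside_cidr}: AWS inside tunnel CIDRs are IPv4 /30")
    if not net.subnet_of(LINK_LOCAL):
        raise ValueError(f"{inside_cidr}: inside CIDR must be within 169.254.0.0/16")
    return {
        "cloud_router_ip": str(net.network_address + 2),  # GCP side
        "peer_ip": str(net.network_address + 1),          # AWS side
        "prefixlen": net.prefixlen,
        "peer_asn": peer_asn,  # assumed default; use the VGW's ASN if custom
    }


def plan_bgp_sessions(cidrs: dict) -> dict:
    """Derive all sessions and refuse overlapping inside CIDRs."""
    nets = [ipaddress.ip_network(c) for c in cidrs.values()]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"inside CIDRs overlap: {a} and {b}")
    return {name: bgp_addresses(c) for name, c in cidrs.items()}


if __name__ == "__main__":
    for name, s in plan_bgp_sessions(INSIDE_CIDRS).items():
        print(f"{name}: Cloud Router BGP IP {s['cloud_router_ip']}/{s['prefixlen']}, "
              f"BGP peer IP {s['peer_ip']}, peer ASN {s['peer_asn']}")
```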
10) Enable route propagation on AWS
a) In VPC > Route Tables, select each route table and click Actions > Edit route propagation and enable the route propagation.
If done correctly, the GCP subnet (e.g. 10.0.1.0/24) should be listed with the virtual private gateway (vgw-…) as a target and a Propagated value of Yes.
11) Allow the VPN traffic through the firewall
a) On AWS, make sure the route tables (VPC > Route tables) allow the traffic to and from the GCP subnet.
b) On AWS, make sure the security groups also allow the traffic from the GCP subnet.
c) On GCP, add a firewall rule (Networking > VPC Networks > Firewall Rules) to allow the traffic from and to the AWS subnet.
You should now have a highly available VPN connection between GCP and AWS, and you should be able to ping instances over the VPN connection.