In today’s multi-cloud environments, businesses rely on the strengths of more than one cloud provider to meet their security and integration requirements. AWS and Azure each offer robust networking capabilities, such as AWS’s availability zones and Azure’s geo-redundancy options, but workloads split across the two need a secure, reliable communication channel, and a site-to-site VPN is the standard way to provide one.
This guide provides a step-by-step walkthrough for setting up a dynamic routing VPN connection between Azure and AWS. By utilizing Virtual Network Gateways (VNG) in Azure and configuring a site-to-site VPN with AWS, businesses can ensure smooth communication between Virtual Networks (VNets) and Virtual Private Clouds (VPCs) through the Border Gateway Protocol (BGP).
Architecture Overview
The architecture involves creating a VPN connection that links Azure’s VNet with AWS’s VPC, utilizing BGP for dynamic network route management.
Step-by-Step Setup:
AWS Network Configuration:
- VPC CIDR: 10.0.0.0/16
- Public Subnet CIDR: 10.0.1.0/24
- Private Subnet CIDR: 10.0.2.0/24
Azure Network Configuration:
- VNet CIDR: 20.0.0.0/16 (note: this is not RFC 1918 private space; it works, but any Internet destination inside 20.0.0.0/16 becomes unreachable from the VNet, so in production prefer a 10.x or 172.16.x range that does not overlap the VPC)
- Public Subnet CIDR: 20.0.0.0/24
- Private Subnet CIDR: 20.0.1.0/24
- Gateway Subnet CIDR: 20.0.2.0/24
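Before creating any gateways, it is worth checking that the addressing above and the BGP parameters used in the steps below (ASNs 65515 and 65412, tunnel inside CIDR 169.254.21.0/30, APIPA address 169.254.21.2) satisfy both vendors’ constraints at once, since a mismatch here only shows up later as a tunnel that never establishes BGP. The pre-flight validator below is an added example for this guide, not part of the original post or of either vendor’s tooling; the constraints it encodes are the documented AWS inside-CIDR exclusions, the Azure APIPA range 169.254.21.0 to 169.254.22.255, the Amazon-side ASN range and the ASNs Azure rejects on a Local Network Gateway. It also flags the 20.0.0.0/16 VNet range as non-RFC 1918 space.

```python
"""Pre-flight validator for the Azure <-> AWS BGP VPN parameters used in this guide.

Added example, not part of the original guide or of either vendor's tooling.
The values in TUTORIAL are the guide's own; the constraints are the documented ones.
"""
import ipaddress

# AWS: the tunnel inside CIDR must be a /30 within 169.254.0.0/16, excluding these ranges.
AWS_INSIDE_SUPERNET = ipaddress.ip_network("169.254.0.0/16")
AWS_RESERVED_INSIDE = [ipaddress.ip_network(c) for c in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30")]
# Azure: custom APIPA BGP addresses on a VPN gateway must fall in this range.
AZURE_APIPA_FIRST = ipaddress.ip_address("169.254.21.0")
AZURE_APIPA_LAST = ipaddress.ip_address("169.254.22.255")
# Azure rejects these ASNs on the Local Network Gateway (remote) side.
AZURE_RESERVED_ASN = {8074, 8075, 12076, 23456, 65515, 65517, 65518, 65519, 65520}
AZURE_RESERVED_ASN |= set(range(64496, 64512)) | set(range(65535, 65552))
# AWS accepts 16-bit private ASNs for the Amazon side of a Virtual Private Gateway.
AMAZON_SIDE_ASN_RANGE = range(64512, 65535)

TUTORIAL = {
    "aws_vpc": "10.0.0.0/16",
    "azure_vnet": "20.0.0.0/16",
    "azure_gateway_subnet": "20.0.2.0/24",
    "tunnel_inside_cidr": "169.254.21.0/30",
    "aws_bgp_peer": "169.254.21.1",    # AWS takes the first usable host of the /30
    "azure_bgp_peer": "169.254.21.2",  # the Azure APIPA address takes the second
    "azure_asn": 65515,
    "aws_asn": 65412,
}


def preflight(cfg):
    """Return a list of 'ERROR: ...' / 'WARN: ...' findings; an empty list means all checks passed."""
    findings = []
    vpc = ipaddress.ip_network(cfg["aws_vpc"])
    vnet = ipaddress.ip_network(cfg["azure_vnet"])
    gw_subnet = ipaddress.ip_network(cfg["azure_gateway_subnet"])
    inside = ipaddress.ip_network(cfg["tunnel_inside_cidr"])
    aws_peer = ipaddress.ip_address(cfg["aws_bgp_peer"])
    azure_peer = ipaddress.ip_address(cfg["azure_bgp_peer"])

    # Address spaces: overlapping prefixes cannot be routed between the two clouds.
    if vpc.overlaps(vnet):
        findings.append(f"ERROR: VPC {vpc} overlaps VNet {vnet}")
    for name, net in (("VPC", vpc), ("VNet", vnet)):
        if not net.is_private:
            findings.append(f"WARN: {name} {net} is not RFC 1918 space; it collides with routable public addresses")
    if not gw_subnet.subnet_of(vnet):
        findings.append(f"ERROR: GatewaySubnet {gw_subnet} is not inside VNet {vnet}")

    # Tunnel inside CIDR: AWS shape and exclusions, Azure APIPA range, and who takes which host.
    if inside.prefixlen != 30 or not inside.subnet_of(AWS_INSIDE_SUPERNET):
        findings.append(f"ERROR: tunnel inside CIDR {inside} must be a /30 within {AWS_INSIDE_SUPERNET}")
    if any(inside.overlaps(r) for r in AWS_RESERVED_INSIDE):
        findings.append(f"ERROR: tunnel inside CIDR {inside} is reserved by AWS")
    hosts = list(inside.hosts())  # a /30 yields exactly two usable addresses
    if len(hosts) == 2:
        if aws_peer != hosts[0]:
            findings.append(f"ERROR: AWS BGP peer should be {hosts[0]}, got {aws_peer}")
        if azure_peer != hosts[1]:
            findings.append(f"ERROR: Azure APIPA BGP address should be {hosts[1]}, got {azure_peer}")
    if not AZURE_APIPA_FIRST <= azure_peer <= AZURE_APIPA_LAST:
        findings.append(f"ERROR: Azure APIPA address {azure_peer} is outside 169.254.21.0-169.254.22.255")

    # ASNs: eBGP needs distinct ASNs; AWS constrains its own side; Azure rejects some on the LNG.
    if cfg["azure_asn"] == cfg["aws_asn"]:
        findings.append("ERROR: Azure and AWS ASNs are identical; eBGP needs distinct ASNs")
    if cfg["aws_asn"] not in AMAZON_SIDE_ASN_RANGE:
        findings.append(f"ERROR: Amazon-side ASN {cfg['aws_asn']} is outside 64512-65534")
    if cfg["aws_asn"] in AZURE_RESERVED_ASN:
        findings.append(f"ERROR: Azure rejects ASN {cfg['aws_asn']} on a Local Network Gateway")
    return findings


if __name__ == "__main__":
    for line in preflight(TUTORIAL) or ["OK: all checks passed"]:
        print(line)
```

Run it as a script to see the findings for the guide’s own values, or edit TUTORIAL to your own; for the values above the only finding is the warning about 20.0.0.0/16.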
Prerequisites:
- Creation of VPCs and subnets in AWS.
- Configuration of VNets and subnets in Azure.
- Basic networking setup in both environments.
- Azure Virtual Network Gateway Configuration:
- Deploy the Azure VNG as a route-based gateway of at least the VpnGw2 SKU (policy-based gateways and the Basic SKU do not support BGP).
- Enable BGP, set the Azure-side ASN to 65515 (the default, or another unique private ASN), and set the Custom Azure APIPA BGP IP address to a value in the allowed range 169.254.21.0 to 169.254.22.255 (e.g., 169.254.21.2).
- Create a new public IP address or use an existing one for the VNG; in this example the public IP is 13.71.97.6.
- Deployment of the gateway typically takes 20 minutes or more.
- AWS Customer Gateway (CGW):
- Configure the AWS CGW with the Azure VNG’s public IP (e.g., 13.71.97.6). Set the routing option to Dynamic and the BGP ASN to 65515 (Azure’s ASN).
- AWS Virtual Private Gateway (VGW) Setup:
- Create the AWS Virtual Private Gateway, setting the Amazon-side ASN to 65412 (the AWS default is 64512; any 16-bit private ASN from 64512 to 65534 is accepted).
- Attach this Virtual Private Gateway to the AWS VPC for which you want to set up the VPN.
- AWS Site-to-Site VPN Configuration:
- Create a new Site-to-Site VPN connection in AWS, targeting the Virtual Private Gateway.
- Select the AWS Customer Gateway.
- Routing option: Dynamic (Require BGP)
- Configure tunnel options: set the Inside IPv4 CIDR for Tunnel 1 to 169.254.21.0/30, which gives the AWS end 169.254.21.1 and the Azure end 169.254.21.2, matching the APIPA address configured on the VNG. Either supply your own strong pre-shared key or let AWS generate one; the same key must be entered on the Azure connection later. AWS always creates two tunnels; with a single Azure public IP (active-standby VNG) only Tunnel 1 comes up and Tunnel 2 stays down, which is expected.
- Once the VPN connection is created, note the Outside IP Address of Tunnel 1 (e.g., 13.126.72.134) and download the configuration file if you need the generated pre-shared key.
- Azure Local Network Gateway (LNG):
- In Azure, create a Local Network Gateway whose IP address is the AWS Tunnel 1 outside IP (e.g., 13.126.72.134).
- Under Address space, enter the private CIDR of the AWS VPC (10.0.0.0/16).
- Under Advanced, configure BGP settings using AWS’s ASN (65412) and the BGP peer IP 169.254.21.1 (the AWS end of the tunnel’s inside CIDR).
- Azure VPN Connection:
- Set up the Site-to-Site (IPsec) connection in Azure, linking the VNG to the LNG, and enable BGP. Use the same pre-shared key as on the AWS side and treat it as a secret: keep it in a secrets manager, not in tickets or chat.
- IKE Protocol: IKEv2
- Once the connection status shows Connected, verify the BGP peer state and the learned routes in the Azure portal.
- Route Table:
- In AWS, add a route to the Azure VNet CIDR (20.0.0.0/16) with target Virtual Private Gateway in both the public and private subnet route tables, or enable route propagation from the VGW on those route tables so the BGP-learned prefix is installed automatically.
- On the Azure side, routes learned by the VNG over BGP are propagated to the VNet subnets automatically. A user-defined route table with 10.0.0.0/16 and next hop Virtual Network Gateway, associated with the required subnets, is only needed if gateway route propagation has been disabled on those subnets.
- Verification:
- In the Azure portal, confirm that the AWS VPC prefix appears among the routes learned from the VNG’s BGP peer, and in the AWS console that Tunnel 1 shows UP with at least one accepted BGP route. Then test connectivity between an instance in the AWS private subnet and a VM in the Azure private subnet. Security groups, network ACLs and NSGs still apply across the tunnel, so allow only the required ports between 10.0.0.0/16 and 20.0.0.0/16 rather than opening the full ranges.
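Rather than comparing two portals by eye, the state of both ends can be cross-checked in one place. The script below is an added example, not part of the original guide: it reads the JSON produced by `aws ec2 describe-vpn-connections` and `az network vnet-gateway list-bgp-peer-status` and checks that the outside IP the Azure LNG points at is the AWS tunnel that is UP and accepting routes, and that Azure sees BGP peer 169.254.21.1 as Connected with ASN 65412 and at least one received route. The two documents are constructed samples shaped like that CLI output (the field names are the vendors’; the values, including the 203.0.113.10 placeholder for the unused second tunnel, are made up), so it runs offline; in practice, load the real CLI output instead.

```python
"""Cross-check the AWS and Azure view of the BGP VPN described in this guide.

Added example, not part of the original guide. AWS_DESCRIBE_VPN and AZURE_BGP_PEERS are
constructed samples shaped like `aws ec2 describe-vpn-connections` and
`az network vnet-gateway list-bgp-peer-status` output; replace them with real output.
"""
import json

# Constructed sample: Tunnel 1 (the one the Azure LNG points at) is UP; Tunnel 2 is idle,
# as expected with a single Azure public IP. 203.0.113.10 is a documentation placeholder.
AWS_DESCRIBE_VPN = json.loads("""
{"VpnConnections": [{"VpnConnectionId": "vpn-0example", "State": "available",
  "VgwTelemetry": [
    {"OutsideIpAddress": "13.126.72.134", "Status": "UP", "AcceptedRouteCount": 1,
     "StatusMessage": ""},
    {"OutsideIpAddress": "203.0.113.10", "Status": "DOWN", "AcceptedRouteCount": 0,
     "StatusMessage": "IPSEC IS DOWN"}]}]}
""")

# Constructed sample: Azure's VNG sees the AWS peer on the tunnel's inside CIDR.
AZURE_BGP_PEERS = json.loads("""
{"value": [{"asn": 65412, "localAddress": "169.254.21.2", "neighbor": "169.254.21.1",
            "state": "Connected", "routesReceived": 1, "messagesReceived": 212,
            "messagesSent": 209, "connectedDuration": "01:10:02"}]}
""")


def check_connection(aws_doc, azure_doc, lng_ip, aws_peer_ip, aws_asn):
    """Return (ok, findings). ok is True when the tunnel the LNG points at is UP and accepting
    routes on AWS, and Azure reports the AWS peer Connected with the expected ASN and routes.
    Findings prefixed 'INFO' are expected conditions and do not make ok False."""
    findings = []
    conn = aws_doc["VpnConnections"][0]
    tunnels = {t["OutsideIpAddress"]: t for t in conn["VgwTelemetry"]}

    t1 = tunnels.get(lng_ip)
    if t1 is None:
        findings.append(f"LNG points at {lng_ip}, which is not an AWS tunnel outside IP {sorted(tunnels)}")
    else:
        if t1["Status"] != "UP":
            findings.append(f"AWS tunnel {lng_ip} is {t1['Status']}: {t1['StatusMessage']}")
        if t1["AcceptedRouteCount"] < 1:
            findings.append(f"AWS accepted no BGP routes from Azure on tunnel {lng_ip}")
    # The other tunnel being DOWN is normal for an active-standby Azure VNG.
    for ip, t in tunnels.items():
        if ip != lng_ip and t["Status"] != "UP":
            findings.append(f"INFO: second AWS tunnel {ip} is {t['Status']} (expected unless Azure is active-active)")

    peers = [p for p in azure_doc["value"] if p["neighbor"] == aws_peer_ip]
    if not peers:
        findings.append(f"Azure has no BGP peer {aws_peer_ip}; check the LNG BGP peer IP and tunnel inside CIDR")
    else:
        p = peers[0]
        if p["asn"] != aws_asn:
            findings.append(f"Azure peer ASN {p['asn']} does not match configured AWS ASN {aws_asn}")
        if p["state"] != "Connected":
            findings.append(f"Azure BGP session to {aws_peer_ip} is {p['state']}")
        if p["routesReceived"] < 1:
            findings.append(f"Azure received no routes from {aws_peer_ip}")

    ok = all(f.startswith("INFO") for f in findings)
    return ok, findings


if __name__ == "__main__":
    ok, findings = check_connection(AWS_DESCRIBE_VPN, AZURE_BGP_PEERS,
                                    lng_ip="13.126.72.134", aws_peer_ip="169.254.21.1", aws_asn=65412)
    print("OK" if ok else "PROBLEMS FOUND")
    for line in findings:
        print(" -", line)
```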
Extending Connectivity
You can extend this setup by adding more VNets and peering them with the VNet that hosts the VNG. Enable “Use this virtual network’s gateway or Route Server” on the gateway VNet’s side of the peering and “Use the remote virtual network’s gateway or Route Server” on the spoke side. The VNG advertises the peered prefixes to AWS over BGP; if the AWS route tables use static routes rather than propagation, add the new prefixes there as well.
Azure Point-to-Site VPN Configuration
- Point-to-Site Setup:
- Configure Point-to-Site VPN on the Azure VNG, specifying the client address pool (it must not overlap the VNet or the AWS VPC), the tunnel type (e.g., IKEv2) and the authentication method (certificate, RADIUS or Microsoft Entra ID).
- Device Configuration:
- Download the P2S VPN client configuration and deploy it to Windows 10 devices using Group Policy or Microsoft Intune.
- Verify that the P2S client address pool is advertised to AWS over BGP (the VNG advertises it alongside the VNet prefixes) and, if the AWS route tables use static routes, add the pool there so P2S clients can reach the VPC.
With this setup, workloads in the AWS VPC, the Azure VNets and Point-to-Site clients can reach each other over an encrypted, dynamically routed connection, giving a seamless multi-cloud network experience.