AWS AZURE S2S VPN

AWS to Azure site-to-site VPN with BGP Dynamic Routing


In today’s complex multi-cloud environments, businesses increasingly rely on the unique strengths of various cloud providers to meet their diverse security and integration requirements. Both AWS and Azure offer robust networking capabilities tailored to different needs, such as AWS’s availability zones and Azure’s geo-redundancy options. However, seamlessly connecting these platforms via a VPN is essential for establishing efficient communication channels.

This guide provides a step-by-step walkthrough for setting up a dynamic routing VPN connection between Azure and AWS. By utilizing Virtual Network Gateways (VNG) in Azure and configuring a site-to-site VPN with AWS, businesses can ensure smooth communication between Virtual Networks (VNets) and Virtual Private Clouds (VPCs) through the Border Gateway Protocol (BGP).

Architecture Overview

The architecture involves creating a VPN connection that links Azure’s VNet with AWS’s VPC, utilizing BGP for dynamic network route management.

Step-by-Step Setup:

AWS Network Configuration:

  • VPC CIDR: 10.0.0.0/16
  • Public Subnet CIDR: 10.0.1.0/24
  • Private Subnet CIDR: 10.0.2.0/24

Azure Network Configuration:

  • VNet CIDR: 20.0.0.0/16
  • Public Subnet CIDR: 20.0.0.0/24
  • Private Subnet CIDR: 20.0.1.0/24
  • Gateway Subnet CIDR: 20.0.2.0/24

Prerequisites:

  • Creation of VPCs and subnets in AWS.
  • Configuration of VNets and subnets in Azure.
  • Basic networking setup in both environments.

  1. Azure Virtual Network Gateway Configuration:
    • Deploy the Azure VNG. Choose at least the VpnGw2 SKU and make sure it is route-based, which is required for BGP.
    • Enable BGP, set the Azure-side BGP ASN to 65515 (or a unique ASN), and set the custom Azure APIPA BGP IP address within the allowed range (e.g., 169.254.21.2).
    • Create a new public IP address or use an existing one for the VNG; in this walkthrough the VNG's public IP address is 13.71.97.6 (example value).
    • Deployment takes about 20 minutes.

      (Screenshot: Azure VNet Gateway)
  2. AWS Customer Gateway (CGW):
    • Configure the AWS CGW using the Azure VNG’s public IP (e.g., 13.71.97.6). Set the routing option to dynamic and the BGP ASN to 65515 (Azure’s ASN).

  3. AWS Virtual Network Gateway Setup:
    • Create the AWS Virtual Network Gateway, setting the Amazon-side ASN to 65412 (default or customized as needed).
    • Attach this Virtual Network Gateway to the AWS VPC for which you want to set up the VPN.

  4. AWS Site-to-Site VPN Configuration:
    • Create a new Site-to-Site VPN connection in AWS, targeting the Virtual Network Gateway.
      Note: select the newly created Virtual Network Gateway from the dropdown.
    • Select the AWS Customer Gateway.
    • Routing option: Dynamic (requires BGP).
    • Configure tunnel options: set the Inside IPv4 CIDR for Tunnel 1 to 169.254.21.0/30 so that it matches Azure's APIPA address.
    • Once the VPN is created, note down the outside IP address of the tunnel (e.g., 13.126.72.134).

      (Screenshot: AWS S2S VPN)
  5. Azure Local Network Gateway (LNG):
    • In Azure, create a Local Network Gateway using the outside IP address of the AWS tunnel (e.g., 13.126.72.134).
    • Under Address space, enter the private CIDR of the AWS VPC (10.0.0.0/16).
    • Under Advanced, configure the BGP settings using AWS's ASN (65412) and the AWS BGP peer IP (169.254.21.1).

      (Screenshots: Azure Local Network Gateway; Azure LNG advanced BGP settings)
  6. Azure VPN Connection:
    • Set up the Site-to-Site VPN connection in Azure, linking it to the LNG, and ensure BGP is enabled. Use the same pre-shared key as in AWS.
    • IKE protocol: IKEv2.
    • Verify the BGP peers and learned routes in the Azure portal to confirm connectivity.

      (Screenshot: Azure S2S VPN)
  7. Route Table:
    • In AWS, add a route towards the Azure private address space to both the public and private subnet route tables, with the Virtual Private Gateway as the target.
    • On the Azure side, create a new route table with a route towards the AWS private address space, associate it with the required subnets, and select the Azure Virtual Network Gateway as the next hop.
  8. Verification:
    • In the Azure portal, verify that the routes from AWS are learned by the Azure VNG BGP peers.

Extending Connectivity

You can extend this setup by adding more VNets and peering them with your main VNet in Azure. Ensure that the “Use this virtual network’s gateway or Route Server” option is enabled at the VNet’s end of the peering connection.

Azure Point-to-Site VPN Configuration

  1. Point-to-Site Setup:
    • Configure Point-to-Site VPN on Azure VNG, specifying the IP address range and tunnel type (e.g., IKEv2).
  2. Device Configuration:
    • Download the P2S VPN configuration and deploy it on Windows 10 devices using Group Policy or Microsoft Intune.
    • Verify additional routes are learned by BGP.

This setup ensures that all your VPCs and VNets are accessible across both AWS and Azure environments, providing a seamless multi-cloud network experience.

Author

Kartik Kocher

👋 Namaste! I'm Kartik Kocher, a Senior Cloud DevOps Engineer with over 8 years of experience in AWS cloud and DevOps. I'm passionate about delivering innovative cloud solutions, specializing in CI/CD pipelines, infrastructure automation, containerization, and cloud security. I've worked across various sectors, bringing efficiency through new products and services. Proficient in Jenkins, GitHub, AWS CodeBuild, and CodeDeploy for CI/CD pipelines, and adept at Kubernetes deployments on AWS EKS. Skilled in Terraform for infrastructure as code (IaC) practices. Security-focused with expertise in IAM roles, security groups, and compliance checks. Certified as an AWS Certified DevOps Engineer - Professional and AWS Certified Solutions Architect. I've led projects like migrating on-premises workloads to AWS and Azure, optimizing costs, and implementing CI/CD pipelines. Committed to following AWS best practices and contributing to the tech community through knowledge sharing and blogging. Reach out at me@kartikkocher.com or visit my website https://www.kartikkocher.com for collaboration or to connect. Tech enthusiast. Cloud explorer. Innovator. Let's connect and explore the endless possibilities in the cloud domain together! 🚀
