
How to easily set up a VPN between Azure and AWS using managed services (Updated 2024)

by info.odysseyx@gmail.com


Introduction

Establishing a secure VPN connection between Azure and AWS does not have to be complicated. This guide shows a simple way to set up a multicloud static VPN using managed services only, with no virtual machines or third-party appliances to manage. The Azure VPN Gateway and the AWS Virtual Private Gateway provide a fast, reliable connection and secure communication between the two environments over an IPsec tunnel, without any BGP configuration.

This post is an updated version of a similar guide published 3 years ago; it streamlines the process to reflect service changes and adds useful troubleshooting tips.

For advanced scenarios, such as dynamic routing with Border Gateway Protocol (BGP) to support automatic route exchange, refer to the Azure VPN Gateway documentation for in-depth guidance.

Step 1: Set up your Azure environment

1.1. Create a resource group

  1. Go to Azure portal > Resource groups > Create.
  2. Select your subscription and region, and name the resource group RG-AzureAWSVPN.

1.2. Create a virtual network (VNet) and subnet

  1. In the Azure portal, go to Virtual networks > Create.
  2. Name the VNet AzureVNet and set the address space to 172.16.0.0/16.
  3. Under Subnets, create a subnet named Subnet-AzureVPN with the address range 172.16.1.0/24.
  4. Add a gateway subnet with a /27 address block for the VPN gateway.

1.3. Set up the Azure VPN gateway

  1. Go to + Create a resource, search for virtual network gateway, and select Create.
  2. Enter the details:
  • Name: AzureVPNGateway
  • Gateway type: VPN
  • SKU: VpnGw1 (or higher if needed)
  • Public IP address: create a new one named AzureVPNGatewayPublicIP.
  • Active-active mode: leave disabled unless high availability is required.
    • If you need high availability, enabling active-active mode requires the following additional configuration on the Azure side:
      • Create a second public IP address for the virtual network gateway.
      • Create a second local network gateway pointing to the public IP address of Tunnel 2 on the AWS side.
      • Create a second VPN connection pointing to Tunnel 2 on the AWS side.
  • BGP configuration: for this lab, leave it disabled.

Deployment of the gateway may take up to 30 minutes.

Step 2: Set up your AWS environment

2.1. Create a VPC and subnet in AWS

  1. In the AWS Console, go to VPC > Create VPC.
  2. Use an address space such as 10.0.0.0/16 for AWS-VPC.
  3. Under Subnets, create a subnet named Subnet-AWSVPN with the address space 10.0.1.0/24.

2.2. Create an AWS Virtual Private Gateway (VGW)

  1. In the AWS VPC console, go to Virtual private gateways and create a new VGW named AWS-VPN-VGW.
  2. Attach the VGW to the VPC.

2.3. Set up the Customer Gateway (CGW)

  1. In the AWS Console, go to Customer gateways and create a CGW using the public IP address of your Azure VPN gateway; name it Azure-CGW.

2.4. Create a site-to-site VPN connection

  1. In the AWS Console, go to Site-to-Site VPN connections > Create VPN connection.
  2. Select the Virtual Private Gateway created previously.
  3. Select the Customer Gateway created previously.
  4. Set routing to Static and add the Azure VNet subnet (172.16.1.0/24) as a static route.
  5. Download the VPN configuration file:
    1. After the VPN connection is created, download the configuration file.
    2. Choose Generic for the platform and Vendor agnostic for the software.
    3. Choose IKEv2 for the IKE version.

2.5. Enable route propagation

After creating the VPN connection, enable route propagation from the VGW: go to Route tables, select the existing route table, open Route propagation and choose Edit route propagation.

Step 3: Complete configuration on the Azure side

3.1. Create a local network gateway

  1. In the Azure portal, go to Local network gateways > Create.
  2. Name the gateway AWSLocalNetworkGateway and enter the public IP address of AWS VPN Tunnel 1 (from the configuration file).
  3. Set the AWS VPC CIDR block (e.g. 10.0.0.0/16) as the address space.
  4. On the Advanced tab, leave the options as they are, with Configure BGP settings set to No.

3.2. Create a VPN connection

  1. Go to Azure portal > Virtual network gateways > Connections > + Add.
  2. Configure the connection:
  • Name: AzureAWSVPNConnect
  • Connection type: Site-to-site (IPsec)
  • Virtual network gateway: select AzureVPNGateway.
  • Local network gateway: select AWSLocalNetworkGateway.
  • Shared key (PSK): use the shared key from the AWS VPN configuration file.
  • IKE protocol: set to IKEv2.
  • IPsec/IKE policy: use Default, or configure a custom policy matching the AWS parameters (AES128, SHA1, DH Group 2).
  • DPD timeout: set to 45 seconds.
  • Connection mode: leave it at Default unless a specific mode is required.
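As an added example that is not part of the original post, the following Python helper reads one tunnel section of the AWS vendor-agnostic configuration file and translates its IKE/IPsec parameters into the value names an Azure custom IPsec/IKE policy uses (the AES128, SHA1, DH Group 2 set referred to above), and lists which of those values are weak by current standards (SHA1 and the 1024-bit group 2). The sample text and its field layout are constructed assumptions; adjust the labels if your downloaded file differs.

```python
import re

# Constructed sample modelled on one tunnel section of the AWS
# "Generic / Vendor agnostic" download; the exact layout is an assumption.
SAMPLE = """\
#1: Internet Key Exchange Configuration
  - Pre-Shared Key           : EXAMPLE_PSK_REPLACE_ME
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Diffie-Hellman           : Group 2
#2: IPSec Configuration
  - Authentication Algorithm : hmac-sha1-96
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 3600 seconds
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2
#3: Tunnel Interface Configuration
  - Customer Gateway         : 192.0.2.10
  - Virtual Private Gateway  : 198.51.100.20
"""

# AWS spelling -> value name used by an Azure custom IPsec/IKE policy
ENC = {"aes-128-cbc": "AES128", "aes-256-cbc": "AES256"}
INTEG = {"sha1": "SHA1", "hmac-sha1-96": "SHA1",
         "sha2-256": "SHA256", "hmac-sha256-128": "SHA256"}
WEAK = {"SHA1", "DHGroup2", "PFS2"}   # 160-bit hash, 1024-bit MODP group


def _field(section, label):
    """Value of a '  - <label> : <value>' line inside one section, or None."""
    m = re.search(rf"^\s*-\s*{re.escape(label)}\s*:\s*(.+?)\s*$", section, re.M)
    return m.group(1) if m else None


def azure_policy(text):
    """Map one tunnel section to Azure policy values, weak settings and IPs."""
    p1, p2, p3 = re.split(r"^#[23]:.*$", text, flags=re.M)  # phase 1, phase 2, interface
    dh = re.search(r"Group\s+(\d+)", _field(p1, "Diffie-Hellman")).group(1)
    pfs = re.search(r"Group\s+(\d+)", _field(p2, "Perfect Forward Secrecy")).group(1)
    policy = {
        "IkeEncryption": ENC[_field(p1, "Encryption Algorithm")],
        "IkeIntegrity": INTEG[_field(p1, "Authentication Algorithm")],
        "DhGroup": f"DHGroup{dh}",
        "IpsecEncryption": ENC[_field(p2, "Encryption Algorithm")],
        "IpsecIntegrity": INTEG[_field(p2, "Authentication Algorithm")],
        "PfsGroup": f"PFS{pfs}",
        "SaLifeTimeSeconds": int(_field(p2, "Lifetime").split()[0]),
    }
    weak = sorted({v for v in policy.values() if v in WEAK})
    # VGW outside IP -> Azure local network gateway; CGW IP must be the Azure gateway's public IP
    ips = {"local_network_gateway_ip": _field(p3, "Virtual Private Gateway"),
           "azure_gateway_public_ip": _field(p3, "Customer Gateway"),
           "shared_key": _field(p1, "Pre-Shared Key")}
    return policy, weak, ips
```

The returned policy dict uses the same value names you would type into the custom policy form, so it doubles as a check that both ends really are configured identically.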

Step 4: Add Routes and Configure Security

4.1. Check the Azure subnet route in the AWS route table

  1. In the AWS Console, go to VPC > Route tables.
  2. Make sure the AWS route table contains a route for the Azure VNet subnet (172.16.1.0/24) with the VGW as its target. If route propagation was enabled correctly in the previous step, the route for the Azure subnet (172.16.1.0/24) appears automatically.

4.2. Add Internet Gateway (IGW)

To test the connection between Azure and AWS, first deploy virtual machines in the appropriate subnets of each cloud provider (EC2 instances on AWS and VMs on Azure). Once both machines are running, connect to each VM using its public IP address. After signing in, run a ping test using the private IP addresses of both instances and verify private network connectivity between the instances.

To reach your EC2 instance through a public IP address, you need an Internet Gateway (IGW). Without an IGW you cannot connect to the EC2 instance over the public internet, and therefore cannot run the connectivity test against the private IP addresses. That is the sole purpose of the IGW in this lab.

  1. Create the IGW: in the AWS Console, go to VPC > Internet gateways, create an IGW named AWS-IGW, and attach it to your AWS VPC.
  2. Update the route table: add a route for 0.0.0.0/0 pointing to the IGW for external connectivity.

After the new route is added, the route table contains three routes.

4.3. Set up security group and NSG rules

  1. AWS security group: the security group of the AWS EC2 instance must allow ICMP (ping), and any other protocol you need such as SSH, from Azure.
  2. Azure NSG: similarly, the NSG attached to the NIC of the Azure VM must allow inbound traffic from AWS.

Step 5: Test the connection between Azure and AWS VMs

5.1. Make sure the VPN is up

  1. In AWS, open your Site-to-Site VPN connection, go to Tunnel details and verify that Tunnel 1 is Up.
  2. On the Azure side, check that the VPN connection status is Connected.

5.2. Verify that ICMP traffic is allowed

Both the AWS security group and the Azure NSG must allow ICMP (ping) traffic.

5.3. Test the connection with ping

  1. From the Azure VM, ping the AWS VM using its private IP address.
  2. From the AWS VM, ping the Azure VM using its private IP address.

Troubleshooting common problems

1. Missing static route in the AWS VPN

  • Verify that the static route for the Azure VNet subnet (172.16.1.0/24) was added to the AWS VPN connection. Without this route, AWS does not know how to send traffic to Azure over the VPN.

2. No inbound traffic on the Azure VPN gateway

  • If the Azure VPN gateway shows data out but no data in, check the AWS route table and make sure the correct static route exists for the Azure subnet.

3. Custom IPsec/IKE policy

  • If the default policy does not work, apply a custom IPsec/IKE policy based on the AWS configuration (AES128, SHA1, DH Group 2 for phases 1 and 2).
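As an added example (not from the original post) covering Step 4.1, Step 4.2 and troubleshooting items 1 and 2 above, this Python check inspects an AWS route table in the shape returned by ec2 describe-route-tables and verifies the three routes the guide expects: the VPC's local route, the Azure subnet via the VGW, and the default route via the IGW. The route table and its IDs are constructed placeholders; feed it the real JSON from your account.

```python
EXPECTED_AZURE_SUBNET = "172.16.1.0/24"   # Azure VNet subnet from Step 1.2

# Constructed subset of an ec2 describe-route-tables response; IDs are placeholders.
ROUTE_TABLE = {
    "RouteTableId": "rtb-PLACEHOLDER",
    "PropagatingVgws": [{"GatewayId": "vgw-PLACEHOLDER"}],
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local",
         "Origin": "CreateRouteTable", "State": "active"},
        {"DestinationCidrBlock": "172.16.1.0/24", "GatewayId": "vgw-PLACEHOLDER",
         "Origin": "EnableVgwRoutePropagation", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-PLACEHOLDER",
         "Origin": "CreateRoute", "State": "active"},
    ],
}


def check_route_table(rt, azure_subnet=EXPECTED_AZURE_SUBNET):
    """Return the problems found; an empty list means the table matches the guide."""
    problems = []
    if not rt.get("PropagatingVgws"):
        problems.append("route propagation from the VGW is not enabled (Step 2.5)")
    routes = {r["DestinationCidrBlock"]: r for r in rt.get("Routes", [])}
    az = routes.get(azure_subnet)
    if az is None:
        problems.append(f"no route for {azure_subnet}: add it as a static route on the "
                        "VPN connection (Troubleshooting 1)")
    elif not az.get("GatewayId", "").startswith("vgw-"):
        problems.append(f"{azure_subnet} points at {az.get('GatewayId')}, not the VGW")
    elif az.get("State") != "active":
        # A propagated route goes to blackhole when the tunnel is down
        problems.append(f"{azure_subnet} route is {az['State']}: check that Tunnel 1 is up")
    default = routes.get("0.0.0.0/0")
    if default is None or not default.get("GatewayId", "").startswith("igw-"):
        problems.append("no 0.0.0.0/0 route to an IGW: public-IP access to the EC2 "
                        "instance for the test will fail (Step 4.2)")
    return problems
```

The "data out but no data in" symptom in item 2 corresponds to the missing or black-holed Azure subnet route this check reports.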

4. Additional troubleshooting

Conclusion

By following this guide you can set up a VPN connection between Azure and AWS using managed services only. To ensure proper communication between the two clouds, make sure the Azure subnet route is added to the AWS route table. For advanced configuration such as BGP for dynamic routing, refer to the Azure VPN Gateway documentation.
