VPN :: AWS ↔️ GCP
Setup a VPN connection between GCP and AWS.
Hi folks,
As a wise man once said, one should always plan for the future! 🙃
We live in an era of cloud computing where trends and technologies change every day, and the same is true of the cloud providers themselves, who compete to offer more services, more features, lower cost, and easier migration to their customers.
In that context, if there is a need for a multi-cloud solution, say with some services running on GCP, some on AWS and some on-premises, then we need a way to connect the two ends securely, i.e. a VPN.
Coming to the point: in this story we are going to set up a VPN connection between two popular cloud providers, AWS and GCP, so as to achieve a multi-cloud setup.
Caution: Most of the resources we create during this lab are free-tier eligible, but there may be a small charge for the Site-to-Site VPN connection in AWS (it is billed per hour for as long as it exists). In GCP there will be no cost if you have enough credits in the account.
SETUP
Our setup will look like the diagram below.
PLAN OF ACTION
Below are the steps we are going to perform on both sides, AWS and GCP, to set up the VPN connection.
AWS Side of Steps
- Create a custom VPC with a subnet( say 192.168.1.0/24)
- Create a VPG (Virtual Private Gateway)
- Attach VPG to custom VPC
- Create a Customer GW (to accommodate the GCP side of details)
- Create a Site to Site VPN(2 tunnels)
- Update security groups and route tables to allow traffic from the GCP subnet
GCP Side of Steps
- Create an external IP
- Create a custom VPC with a subnet(say 10.0.1.0/24)
- Setup/Create a Cloud router
- Create a VPN and set up the Cloud VPN Gateway
- Set up Cloud VPN tunnels
- Set up Peer VPN Gateway
- Update firewall rules for custom VPC to allow traffic from AWS.
Pre-requisites
- Computer or laptop with a working internet connection.
- AWS & GCP accounts
- Basic networking knowledge; an understanding of VPNs will be a plus.
Implementation
First we will go through the AWS steps and then move to GCP, though please note that some steps need details from the other side of the VPN, so you will switch back and forth between the two consoles.
AWS
1. Custom VPC Setup
Create a custom VPC with a subnet, i.e. 192.168.1.0/24, and spin up an EC2 instance in it so we can run a connectivity test once the VPN is up.
2. Virtual Private Gateway(VPG)
Create a Virtual Private Gateway (VPG). This gives us the AWS side's ASN (autonomous system number), which is used for BGP routing; you can keep the Amazon default ASN (64512) or enter a private ASN of your own. Note the value, as it is needed on the GCP side.
3. Attach VPG to VPC
4. Customer Gateway(CG)
Create a Customer Gateway. For this we need a few details from the GCP side, i.e. its ASN and its VPN IP (which must be an external IP). So, go to GCP #Step1, create the external IP, and enter the ASN as 65432 (we will create the Cloud Router with the same ASN in GCP later).
5. VPN Setup(AWS Side)
Create a Site-to-Site VPN connection using the VPG and CG created above, with routing set to Dynamic (requires BGP). Leave the inside tunnel CIDRs as Amazon-generated, and enter a pre-shared key that will also be used on the GCP side of each tunnel. This post uses awsgcp001 as an example; for anything beyond a lab, use a long random secret (AWS accepts 8 to 64 characters, letters, digits, periods and underscores, not starting with 0) or leave the field blank and let AWS generate one. After the connection is created, download its configuration to get each tunnel's outside IP, inside CIDR and pre-shared key.
6. Security Groups + Route Updates
Update the security group attached to the EC2 instance (vpc001) to allow the traffic you want to test (ICMP, and SSH if needed) from the GCP range 10.0.1.0/24 rather than from anywhere, and in the subnet's route table either enable route propagation from the VPG (so the BGP-learned route for 10.0.1.0/24 appears automatically) or add a static route for 10.0.1.0/24 with the VPG as the target.
GCP
1. External IP(VPN IP)
Create an external (static, regional) IP address to assign to the GCP side of the VPN.
2. Custom VPC
Create a custom VPC with a subnet, i.e. 10.0.1.0/24, and spin up a Google Compute Engine instance in it.
3. Cloud Router
Create a Cloud Router (Hybrid Connectivity → Cloud Routers). Its ASN must match the one we entered for the Customer Gateway in AWS (65432), and remember to select the option to advertise all subnets visible to the Cloud Router.
4. VPN (VPG+Tunnel) Setup
Create a VPN via Hybrid Connectivity → VPN → Classic VPN (HA VPN is Google's recommended option for new deployments, but Classic VPN is what this lab uses). Under the Google Compute Engine VPN gateway section, select the custom VPC (vpc001) and attach the external static IP created in Step 1 as its IP address.
For tunnel 1, enter the remote peer IP address as the outside IP of AWS tunnel 1, the pre-shared key we set in AWS #Step5 (awsgcp001 in this example), and choose dynamic (BGP) routing with the Cloud Router from Step 3.
Create a BGP session for tunnel 1 using:
- Peer ASN = the AWS VPG ASN (created @ AWS Side #Step2)
- BGP peer IP = the first usable address of AWS tunnel 1's inside CIDR, i.e. the network address +1: 169.254.162.45 for 169.254.162.44/30
- Cloud Router BGP IP = the second usable address, i.e. the network address +2: 169.254.162.46 (AWS always takes the first host of the /30 and the customer gateway the second)
Set up tunnel 2 and its BGP session in the same way, using the AWS side's tunnel 2 information. As soon as the setup is done, the Cloud VPN tunnels should start the IKE handshake and come UP after a short while.
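The two steps above that people most often get wrong are the BGP addressing (which host of the AWS inside /30 goes on which side) and the pre-shared key (a short guessable one like the example). The script below is an added example, not code from the original post: it derives both BGP endpoint IPs from an AWS tunnel's inside CIDR, checks a pre-shared key against AWS's format rules and a stronger length/variety bar, generates a compliant random key, and assembles the equivalent gcloud commands for one Classic VPN tunnel with a Cloud Router BGP session. The AWS ASN 64512 (Amazon's default), the peer outside IP 203.0.113.10, and the resource names tunnel-1, vpn-gw-1, cloud-router-1 and us-central1 are placeholders chosen for this example; only the inside CIDR 169.254.162.44/30 and the ASN 65432 come from the post.

```python
import ipaddress
import re
import secrets
import string

# Placeholder values for this example (not from the original post).
AWS_VGW_ASN = 64512            # Amazon's default VPG ASN; use whatever your VPG shows
GCP_CLOUD_ROUTER_ASN = 65432   # the ASN the post uses for the Cloud Router / Customer Gateway
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# AWS pre-shared key rules: 8-64 chars, letters/digits/'.'/'_', must not start with '0'.
PSK_RE = re.compile(r"[1-9A-Za-z._][A-Za-z0-9._]{7,63}")
PSK_ALPHABET = string.ascii_letters + string.digits + "._"


def bgp_addresses(inside_cidr: str) -> dict:
    """Derive both BGP endpoint IPs from an AWS tunnel's inside CIDR.

    AWS allocates a /30 from 169.254.0.0/16 per tunnel; the AWS side takes the
    first usable host and the customer gateway (here the Cloud Router) the second.
    Any address inside the /30 is accepted (strict=False), e.g. the ones printed
    in the downloaded AWS configuration file.
    """
    net = ipaddress.ip_network(inside_cidr, strict=False)
    if net.prefixlen != 30 or not net.subnet_of(LINK_LOCAL):
        raise ValueError(f"{inside_cidr} is not a 169.254.0.0/16 /30 inside CIDR")
    aws_ip, router_ip = net.hosts()  # exactly two usable hosts in a /30
    return {"aws_bgp_ip": str(aws_ip), "cloud_router_ip": str(router_ip),
            "mask_length": net.prefixlen}


def psk_format_ok(psk: str) -> bool:
    """True if the key satisfies AWS's allowed format."""
    return PSK_RE.fullmatch(psk) is not None


def psk_is_strong(psk: str, min_len: int = 32) -> bool:
    """Format-valid, at least min_len chars and at least three character classes.

    Rejects short, guessable keys such as the post's example 'awsgcp001'.
    """
    classes = sum(re.search(p, psk) is not None
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[._]"))
    return psk_format_ok(psk) and len(psk) >= min_len and classes >= 3


def generate_psk(length: int = 48) -> str:
    """Generate a random key that passes both checks (first char never '0')."""
    while True:
        first = secrets.choice(PSK_ALPHABET.replace("0", ""))
        rest = "".join(secrets.choice(PSK_ALPHABET) for _ in range(length - 1))
        psk = first + rest
        if psk_is_strong(psk):
            return psk


def gcloud_tunnel_commands(name, region, gateway, router, peer_outside_ip,
                           inside_cidr, psk, peer_asn=AWS_VGW_ASN) -> list:
    """Build the gcloud commands for one Classic VPN tunnel and its BGP session.

    Note that --shared-secret on the command line ends up in shell history and
    process listings; for real use, feed the key from a secret store instead.
    """
    if not psk_format_ok(psk):
        raise ValueError("pre-shared key does not satisfy AWS format rules")
    a = bgp_addresses(inside_cidr)
    iface = f"{name}-if"
    return [
        f"gcloud compute vpn-tunnels create {name} --region={region} "
        f"--target-vpn-gateway={gateway} --peer-address={peer_outside_ip} "
        f"--ike-version=2 --router={router} --shared-secret='{psk}'",
        f"gcloud compute routers add-interface {router} --region={region} "
        f"--interface-name={iface} --vpn-tunnel={name} "
        f"--ip-address={a['cloud_router_ip']} --mask-length={a['mask_length']}",
        f"gcloud compute routers add-bgp-peer {router} --region={region} "
        f"--peer-name={name}-peer --interface={iface} "
        f"--peer-ip-address={a['aws_bgp_ip']} --peer-asn={peer_asn}",
    ]


if __name__ == "__main__":
    # Constructed sample: tunnel 1 from the post's inside CIDR, placeholder outside IP.
    for cmd in gcloud_tunnel_commands("tunnel-1", "us-central1", "vpn-gw-1",
                                      "cloud-router-1", "203.0.113.10",
                                      "169.254.162.44/30", generate_psk()):
        print(cmd)
```

Run it once per tunnel with that tunnel's outside IP and inside CIDR from the AWS configuration download; the peer ASN must equal the ASN your VPG reports, not the default hard-coded here.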
The Cloud VPN gateway should look like the screenshot below.
5. Tunnels
Once the setup is done on the GCP side, the tunnels should come UP and their status changes to Established.
6. Firewall Rules
Lastly, update the firewall rules for the GCP custom VPC to allow ICMP (and any other test traffic, such as SSH) from the AWS range 192.168.1.0/24. Allowing it from anywhere also works for the test, but scoping the rule to the peer range is the safer choice.
Testing Time!
If we have reached this point, our VPN connection has been set up and we are ready for our first connectivity test!
Log in to the AWS EC2 instance and ping the GCP machine we created in the custom VPC, and then do the same in the other direction.
GCP → AWS
AWS → GCP
Bingo! 👍
So our VPN is up and the connection has been established across the borders via a secured channel (the VPN tunnels).
Cleanup
Please remember to clean up, i.e. terminate or delete all the resources we created to set up and test the VPN connection, as otherwise they may cost you extra.
Terminate the EC2 instance; delete the VPN connection, Customer Gateway, VPG and VPC with their associated components; and delete all the GCP resources we created, if they are not in use. It will save you some dollars 💰.
— A blog by teckdevOps