HA VPN Connectivity Between GCP and AWS

Ale Plaza
Published in Globant
12 min read · Dec 28, 2023

In this first part of the article, I will show you how to implement an HA VPN between Amazon Web Services (AWS) and Google Cloud Platform (GCP) using the graphical interface. In the second part, we will review the implementation of the Migrate to Virtual Machine (M2VM) migration tool to migrate virtual machines from AWS to GCP.

Overview of VPN connectivity and how it works

A Virtual Private Network (VPN) is a technology that allows secure and private communication between two or more networks over an untrusted network, such as the Internet. With VPN connectivity, businesses can securely connect their on-premises networks or cloud networks to other cloud networks, enabling data transfer and communication between them. VPN connectivity works by creating a secure “tunnel” between the networks, which encrypts all data that passes through it, preventing unauthorized access and interception.

BGP, or Border Gateway Protocol, is a standardized exterior gateway protocol to exchange routing and reachability information among autonomous systems (AS) on the Internet. It is a path vector protocol that enables routers within different AS to communicate and make decisions about how to forward data packets.

Concepts

ASN stands for Autonomous System Number. It is a unique number assigned to an autonomous system (AS) on the Internet. An autonomous system is a collection of IP networks and routers under the control of a single organization that presents a common routing policy to the Internet. ASNs are used in BGP to identify and distinguish one autonomous system from another. When data is routed between different AS on the Internet, BGP uses ASNs to make routing decisions, ensuring that data reaches its destination efficiently and reliably.

It’s common to use different ASNs (Autonomous System Numbers) at each end of a VPN tunnel when using BGP. This helps identify and differentiate autonomous systems, allowing independent routing policies. While it’s possible to use the same ASN on both ends, it can complicate routing and policies. Different ASNs are recommended for clarity and flexibility.

For our article, we will use ASN 65001 on the AWS side and ASN 65000 on the GCP side to demonstrate the configuration of a BGP-based VPN connection between the two cloud platforms. These distinct ASNs will ensure clear identification and separate routing policies for each cloud environment.

In VPNs, common encryption protocols and algorithms include:

Security Protocols:

  • IPsec (Internet Protocol Security): Ensures secure point-to-point or site-to-site connections.
  • SSL/TLS (Secure Sockets Layer/Transport Layer Security): Used for web security and SSL VPNs.
  • OpenVPN: An open-source protocol using SSL/TLS for secure connections.

Encryption Algorithms:

  • AES (Advanced Encryption Standard): Highly secure, with variations like AES-256.
  • 3DES (Triple Data Encryption Standard): Less secure but still used.
  • RSA (Rivest-Shamir-Adleman): Key exchange and authentication in SSL/TLS VPNs.

Data Integrity and Authentication:

  • HMAC (Hash-based Message Authentication Code): Verifies data integrity.
  • Digital Certificates: Authenticate parties in SSL/TLS VPNs.

Architecture diagram

For this guide, we will interconnect the AWS and GCP environments through an HA VPN as follows:

Architecture diagram — Image source

Setting up a VPN in GCP

We will begin by setting up the VPN service in GCP. Follow the next steps to establish a secure VPN connection; this process will enable you to create a reliable and encrypted connection for your network, facilitating seamless communication between the Google Cloud Platform and other cloud or on-premises resources.

If you prefer to use the command line, take a look at the documentation to know how to implement the VPN through the Cloud Shell; otherwise, if you want to use the graphical interface, you can continue following the instructions in this article.

Create Cloud Router in GCP

Ensure the Compute Engine API is enabled before creating the Cloud Router; if it is not enabled, enable it using the console. Go to the Google Cloud console API Library, and from the projects list, select the project. In the API Library, select the API you want to enable. If you need help finding the API, use the search field and the filters. On the API page, click ENABLE:

Compute Engine API — Enable
Enable billing

To create a Cloud Router using the console, log in and select the project. Navigate to “Networking”, access “Network Connectivity” and choose “Cloud Routers”. Initiate Router Creation by providing the router details. Then, configure the network interfaces. Adjust Advanced Settings (Optional) and then click on “CREATE ROUTER”, and wait for completion:

Create Cloud Router

If you need to advertise all subnets, leave the default configuration:

Create Cloud Router — Final step

Create a VPN Connection in GCP

To create a VPN using the console, log in and select the project. Navigate to “Networking”, access “Network Connectivity”, and choose “VPN” to initiate the VPN creation:

Create VPN

Choose HA VPN and continue:

Select HA VPN option

Enter the desired name for the VPN Gateway, select the associated VPC, and carefully align the chosen region with your business rules. It is crucial to consider using the equivalent region in AWS to minimize latency, ensuring optimal performance for your VPN connection. Additionally, specify whether to use IPv4 or IPv6 addresses based on your network requirements and compatibility:

VPN Gateway creation

Setting up a VPN in AWS

Now, let’s proceed with the configuration of the VPN service in AWS. Follow the upcoming steps to establish and configure the VPN service efficiently, ensuring a secure and reliable connection between Amazon Web Services (AWS) and Google Cloud Platform (GCP).

Create two Customer Gateways in AWS

Create two Customer Gateways in AWS to establish a connection with the VPN Gateways in GCP. Each Customer Gateway corresponds to a VPN Gateway in GCP, forming a redundant and highly available setup. Use the previously generated ASNs and public IPs from the GCP VPN Gateways. This dual Customer Gateway configuration enhances reliability by providing failover capabilities, ensuring continuous connectivity even in the event of a gateway or network failure, and optimizing overall performance between the two cloud environments.

Create the first Customer Gateway:

Customer gateway 1 — Creation

Then, create the second Customer Gateway:

Customer gateway 2 — Creation

Lastly, validate that both appear with their state as “Available”:

Customer gateways — Verification

Create a Virtual Private Gateway in AWS

Now, we will create a Virtual Private Gateway (VGW). You could also configure a Transit Gateway (TGW) instead of a VGW if your architecture requires it. Let’s use ASN 65001 for AWS:

Virtual Private Gateway — Creation

Create VPN Connections in AWS

Choose the previously established Virtual Private Gateway and select the respective Customer Gateway created for each VPN Connection.

Create the first VPN:

VPN connection 1 — Creation

Create the second VPN:

VPN connection 2 — Creation

Validate that both appear with their state as “Available”:

VPN connections — Validation

Click on each VPN connection and download the configuration file with the generic provider; we will use this information for the following configuration steps on GCP:

VPN connection — Download the configuration file

Connecting AWS and GCP through VPN

The next step is the interlinking of the AWS Virtual Private Gateway and the GCP VPN Gateway. In this section, we’ll explore the process of creating a Peer VPN Gateway in GCP to facilitate secure and continuous communication between these cloud environments. This connection lays the foundation for streamlined data transfer and collaboration, promoting efficiency and cohesion across AWS and GCP infrastructure.

Create Peer VPN Gateway in GCP

Create a Peer VPN Gateway in GCP by leveraging the pre-configured files obtained from AWS. Identify the two IPs from each file, ensuring precision in the selection, and proceed with the creation process. This essential step establishes a secure and bidirectional connection between the AWS Virtual Private Gateway and the GCP VPN Gateway:

Configuration file — Virtual Private Gateway IP

The image above shows how to identify one Virtual Private Gateway IP in the configuration file. Identify the second IP in the same file, then repeat the process with the second downloaded configuration file so that you have the four IPs needed to configure the 4 tunnels.

Introducing a crucial phase in our cross-cloud connectivity journey, we now explore the process of adding a Peer VPN Gateway in GCP using the configuration files obtained from AWS. This step plays a pivotal role in establishing a secure link between AWS and GCP. Follow along as we delve into the details of configuring this peer connection, ensuring a robust and interoperable network infrastructure across both cloud environments.

Peer VPN Gateway configuration

Add the VPN tunnels: select the Peer VPN Gateway created previously, choose the Cloud Router created previously, and take the pre-shared key for each of the 4 tunnels from the corresponding downloaded configuration file:

VPN tunnels — creation

Now, we will extract some crucial details from the configuration file, the repository of critical parameters for our secure connection. Within this file lies the pre-shared key, a cryptographic key that plays a fundamental role in authenticating and securing the communication between the VPN peers. In this section, we’ll explore where to locate this key in the configuration file, needed to ensure the confidentiality and integrity of our cross-cloud network communication. We will also identify the IP of the Customer Gateway and the Virtual Private Gateway. These two public IPs will serve as the endpoints for each side of the tunnel, establishing a secure connection between the AWS and GCP environments.

Configuration file — IPs and pre-shared key values
Tunnel 1 — Configuration

Configure the remaining 3 tunnels in the same way as for tunnel 1 shown above.

VPN tunnels — All four tunnels are configured

After configuring the four tunnels, proceed to the next step, which involves creating and configuring the connection. This action typically takes place within the VPN configuration wizard or management interface provided by the cloud service provider, whether it is AWS or GCP. Search for options related to tunnel activation, connection establishment, or a similar step in the wizard or interface where you initially set up the VPN configuration. This is where you’ll confirm and finalize the settings, allowing the VPN tunnels to become operational and ensuring seamless connectivity between the two cloud environments.

Configure each BGP session for each tunnel in GCP

To configure each BGP session for the tunnels in GCP, locate the necessary parameters in the downloaded configuration file. Specifically, search for the IPs associated with the Customer Gateway and Virtual Private Gateway. This information is crucial for establishing a successful BGP session. In the context of AWS, ensure that you use the designated ASN 65001 for seamless integration. Navigate to the BGP configuration section within the cloud provider’s management console or VPN configuration wizard, typically found under networking or connectivity settings:

Download the configuration file and identify the IPs for the Customer Gateway and the Virtual Private Gateway. Use the ASN 65001 from AWS. Navigate to the GCP Console, access the VPN Configuration, and initiate the BGP Configuration. Specify the Customer Gateway and the Virtual Private Gateway IPs. Confirm the ASN Configuration, and save and apply changes.

Configuration file — IPs for BGP session
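The values that the steps above pull out of the downloaded file by hand (the AWS-side public IP for the Peer VPN Gateway, the pre-shared key for each tunnel, and the link-local BGP addresses and ASN for each BGP session) can also be extracted by script. The Python example below is added here and is not from the article; it assumes the line labels of the AWS "Generic" configuration download look like the constructed sample embedded in it, maps each tunnel block onto the fields the GCP console asks for, and rejects inside addresses that do not form a single /30.

```python
import ipaddress
import re

# Constructed sample in the layout of the AWS "Generic" vendor download (one
# block per tunnel); labels are an assumption, addresses and keys are made up.
SAMPLE_CONFIG = """\
! IPSec Tunnel #1
  - Pre-Shared Key           : CONSTRUCTED-psk-tunnel-1
! Outside IP Addresses:
  - Virtual Private Gateway  : 198.51.100.21
! Inside IP Addresses
  - Customer Gateway         : 169.254.10.2/30
  - Virtual Private Gateway  : 169.254.10.1/30
  - Virtual Private Gateway ASN : 65001
! IPSec Tunnel #2
  - Pre-Shared Key           : CONSTRUCTED-psk-tunnel-2
! Outside IP Addresses:
  - Virtual Private Gateway  : 198.51.100.22
! Inside IP Addresses
  - Customer Gateway         : 169.254.20.2/30
  - Virtual Private Gateway  : 169.254.20.1/30
  - Virtual Private Gateway ASN : 65001
"""
TUNNEL_RE = re.compile(r"^! IPSec Tunnel #(\d+)")
KV_RE = re.compile(r"^\s+-\s+(.+?)\s*:\s*(.+?)\s*$")

def parse_aws_vpn_config(text):
    """Return {tunnel_number: {label.lower(): value}}, one dict per block."""
    tunnels, current, section = {}, None, ""
    for line in text.splitlines():
        if m := TUNNEL_RE.match(line):
            current, section = tunnels.setdefault(int(m.group(1)), {}), ""
        elif line.startswith("! ") and "IP Addresses" in line:
            section = line.split()[1].lower() + " "   # "outside " / "inside "
        elif current is not None and (m := KV_RE.match(line)):
            key = m.group(1).lower()
            if key.endswith("gateway"):  # listed under both IP sections,
                key = section + key      # so qualify: "inside customer gateway"
            current[key] = m.group(2)
    return tunnels

def gcp_tunnel_inputs(tunnel):
    """Map one block to the GCP tunnel/BGP fields; reject inconsistent input."""
    cgw = ipaddress.ip_interface(tunnel["inside customer gateway"])
    vgw = ipaddress.ip_interface(tunnel["inside virtual private gateway"])
    if cgw.network != vgw.network or cgw.network.prefixlen != 30:
        raise ValueError("inside addresses must share one /30 link-local net")
    return {"peer_gateway_interface_ip": tunnel["outside virtual private gateway"],
            "ike_pre_shared_key": tunnel["pre-shared key"],
            "cloud_router_bgp_ip": str(cgw.ip), "bgp_peer_ip": str(vgw.ip),
            "peer_asn": int(tunnel["virtual private gateway asn"])}
```

Run it once per downloaded file (two files, two tunnel blocks each) and you get the values for all four GCP tunnels and BGP sessions, with the peer ASN expected to read 65001 if the VGW was created as described above.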

Click on “CONFIGURE BGP SESSION” and configure each of the 4 BGP Sessions:

BGP sessions — configuration
BGP session 1 — Configuration

Identify the other IPs in the configuration files to set up the remaining 3 BGP sessions and complete the 4 sessions.

GCP Tunnel validation

After completing the configuration of the four BGP sessions, we can observe the status of the VPN tunnels and also the status of the BGP sessions, which should appear as established:

BGP sessions status

AWS Tunnel validation

In AWS, validate the status of the tunnels after configuring the sessions in GCP.

Validate first tunnel:

VPN connection 1 — Tunnels status

Validate second tunnel:

VPN connection 2 — Tunnels status

Attach Virtual Private Gateway in AWS to VPC

Continuing with the AWS network configuration, we will now attach the Virtual Private Gateway (VPG) to the Virtual Private Cloud (VPC). This attachment is what links the VPC to the VPG, so traffic can flow between the VPC and the VPN connections. To accomplish this, select the VPG, click on Actions, select Attach, and choose the VPC from the list:

VPG — Actions

Click on Attach to VPC:

Attach VPG to VPC

Wait until the state value is “Attached”:

VPG Attachment state

Check Route Tables in AWS

Finally, edit the route propagation:

Route tables — route propagation

And enable it:

Enable route propagation

Best practices for VPN connection

Here are some best practices for securing the VPN connection between AWS and GCP:

  • Use strong authentication mechanisms like digital certificates or multifactor authentication (MFA) to ensure that only authorized users can access the VPN connection.
  • Use strong encryption algorithms like AES-256 to encrypt all traffic passing through the VPN connection to protect it from unauthorized access.
  • Use a dedicated VPN gateway for the VPN connection instead of using a shared one. A dedicated VPN gateway ensures the connection is secure and doesn’t interfere with other VPN connections.
  • Limit access to the VPN connection to only authorized users and systems. Use network access control (NAC) mechanisms like firewalls and security groups to restrict access to the VPN connection.
  • Monitor the VPN connection regularly to detect any suspicious activity or anomalies. Use monitoring tools like Amazon CloudWatch or Google Cloud Monitoring to monitor the VPN connection and alert you in case of any security breaches.

By following these best practices, you can ensure that your VPN connection between AWS and GCP is secure and protects your data from unauthorized access.

Conclusion

VPN connectivity is an essential tool for businesses that use multiple cloud providers. This allows businesses to securely and reliably connect their cloud networks. As we saw, creating a VPN between cloud providers is not a difficult process, but you need to understand where to acquire the values for each step. Keep that in mind!

To ensure the security of the VPN connection, it is important to follow best practices such as using strong authentication and encryption, using dedicated VPN gateways, and regularly monitoring the connection. By following these best practices, businesses can take advantage of the scalability, flexibility, and features of multiple cloud providers while ensuring the security and reliability of their cloud networks and workloads.
