Open in app

Sign in

Write

Sign in

Configuring VPN Connectivity between Google Cloud and AWS — Google Cloud Challenge Lab Walkthrough

Dazbo (Darren Lester)
Google Cloud - Community
Published in
8 min readFeb 19, 2024

Lab Overview

This lab tests your ability to set up a GCP/AWS multi-cloud configuration, making use of Google Cloud VPN. We will configure a highly available (HA) VPN topology, connecting a Google HA VPN gateway to an AWS virtual private gateway.

Topology of HA VPN connection between AWS and Google Cloud

This achieves a 99.99% SLA for availability on the Google Cloud side, because we create two tunnels from each HA VPN interface.

I found this a fairly tough lab. It took me three tries before I managed to successfully complete the lab only using gcloud CLI commands.

Intro to Challenge Labs

Google provides an online learning platform called Google Cloud Skills Boost, formerly known as QwikLabs. On this platform, you can follow training courses aligned to learning paths, to particular products, or for particular solutions.

One type of learning experience on this platform is called a quest. This is where you complete a number of guided hands-on labs, and then finally complete a Challenge Lab. The challenge lab differs from the other labs in that goals are specified, but very little guidance on how to achieve the goals is given.

I occasionally create walkthroughs of these challenge labs. The goal is not to help you cheat your way through the challenge labs! But rather:

  • To show you what I believe to be an ideal route through the lab.
  • To help you with particular gotchas or blockers that are preventing you from completing the lab on your own.

If you’re looking for help with challenge lab, then you’ve come to the right place. But I strongly urge you to work your way through the quest first, and to try the lab on your own, before reading further!

With all these labs, there are always many ways to go about solving the problem. I generally like to solve them using the Cloud Shell, since I can then document a more repeatable and programmatic approach. But of course, you can use the Cloud Console too.

Lab Scenario

You’ve been asked to configure VPN connectivity between Google Cloud and AWS. The lab requires you to use both Google Cloud, and AWS. Credentials for both are provided in the lab.

The tasks are:

  1. Create the HA VPN gateway and Cloud Router on Google Cloud.
  2. Create an AWS Customer gateway and a Target gateway.
  3. Create a VPN connection with dynamic routing on AWS.
  4. Create an external VPN gateway and VPN tunnels on Google Cloud.
  5. Add BGP peers to the Cloud Router.
  6. Verify the configuration.

Setup

Note that the Google Cloud VPC has already been created for you. As has a peer VPC on the AWS side.

Let’s start by defining some variables we can use throughout this challenge. Run the following from the Cloud Shell:

gcloud auth list

# Network
prj=<enter-your-project> # use your own project ID
region=us-east4
vpc_name=cymbal-cloud-vpc
vpn_gw=cymbal-cloud-ha-vpn-gw
cloud_router=cymbal-cloud-router
bgp_asn=65534
aws_asn=65001
gcp_external_peer_gw=gcp-to-aws-vpn-gw

# setting defaults
gcloud config set project $prj  
gcloud config set compute/region $region

Substitute for any variables you’ve been given.

1. Create the HA VPN gateway and Cloud Router on Google Cloud

Here we create an HA VPN gateway to achieve a 99.99% SLA. To do this, we setup a tunnel pair, where each gateway interface has one tunnel. The gateway has two interfaces.

From Cloud Shell:

gcloud compute vpn-gateways create $vpn_gw \
    --network=$vpc_name --region=$region

Make a note of the external IP addresses of the two interfaces:

Creating an HA VPN Gateway

Now create the Cloud Router.

gcloud compute routers create $cloud_router \
  --network=$vpc_name --region=$region --asn=$bgp_asn

2. Create an AWS Customer gateway and a Target gateway

Follow the provided instructions in the lab, to perform setup on the AWS side. This is done using SSH from a GCE instance, or from the AWS console.

Start by obtaining the VPC ID of your AWS VPC:

Finding your AWS VPC ID

Next:

  • Create two AWS Customer gateways with dynamic routing. Run the supplied command, and each time, pass in one of the two external IP addresses for each interface on our Google Cloud VPN Gateway. Make a note of the customer gateway IDs, as we’ll need them later.
Creating the AWS customer gateways
  • Create one virtual private gateway (the VPN endpoint on the AWS side). The gateway exposes two intefaces. Make a note of the VPN gateway ID assigned.
  • Attach the AWS virtual private gateway to the AWS VPC.
Attaching the AWS virtual private gateway to the AWS VPC

3. Create a VPN connection with dynamic routing on AWS

Here we setup two VPN connections with dynamic routing between the single AWS virtual private gateway and the two AWS customer gateways. Again, follow the lab instructions for AWS setup.

Note that the four IP TunnelInsideCidr addresses are inferrable, based on the IP addresses specified later in the instructions for the tunnels. E.g. if your VPN tunnel first IP address is 169.254.10.2 then the TunnelInsideCidr for the corresponding AWS VPN connection will be 169.254.10.0/30.

Also, note that we’re using a subnet mask for /30. You need to remember this later. (And if you get this wrong, you can’t complete the lab!! This is how I failed one of my early attempts.)

You will end up running two commands like those shown below. Remember to substitute your own customer-gateway-id values and the vpn-gateway-id.

aws ec2 create-vpn-connection \
   --type ipsec.1 \
   --customer-gateway-id cgw-0e6fe48be2a01c25c \
   --vpn-gateway-id vgw-09bdfb794749c6644 \
   --options TunnelOptions='[{TunnelInsideCidr=169.254.10.1/30,PreSharedKey=gcprocks},{TunnelInsideCidr=169.254.20.1/30,PreSharedKey=gcprocks}]'
   
aws ec2 create-vpn-connection \
   --type ipsec.1 \
   --customer-gateway-id cgw-0cea6882c7aad930c \
   --vpn-gateway-id vgw-09bdfb794749c6644 \
   --options TunnelOptions='[{TunnelInsideCidr=169.254.30.1/30,PreSharedKey=gcprocks},{TunnelInsideCidr=169.254.40.1/30,PreSharedKey=gcprocks}]'

Each time, you may need to page down after executing the command, to retrieve the two outside IP addresses for each connection. If you fail to record your outside IP addresses, you can always retrieve them from your SSH session like this:

aws ec2 describe-vpn-connections

You can check the VPN connections are available in VPN Connections in the AWS Console. It takes a couple of minutes for the VPN connections to become active.

4. Create an external peer VPN gateway and VPN tunnels on Google Cloud

Now, back in Google Cloud, we create VPN tunnels to AWS using IKEv2 encryption.

First, create a Google Cloud external peer VPN gateway with four interfaces, using the four AWS private gateway outside addresses.

The challenge lab hints that you should use the outside IP addresses from the first AWS private gateway for interfaces 1 and 2, and the outside IP addresses from the second AWS private gateway for interfaces 3 and 4. Note, however, that the external-vpn-gateways create command expects interfaces to be identified from 0 to 3 inclusive.

So you end up with a command like this:

# Create the external peer VPN gateway
# The number of interfaces on the external VPN gateway 
# are determined by the number of interfaces provided
# I.e. four external VPN interfaces --> FOUR_IPS_REDUNDANCY
gcloud compute external-vpn-gateways create $gcp_external_peer_gw \
   --interfaces 0=34.203.132.63,1=52.201.113.232,2=3.225.181.154,3=52.200.76.9

(Don’t forget to use your own IP addresses!)

Now create four VPN tunnels, using the four external interfaces of the Google Cloud external VPN gateway.

Your GCP VPN gateway only has two interfaces. So we will pair up:

  • GW interface 0 with peer interfaces 0, 1
  • GW interface 1 with peer interfaces 2, 3

(The requested interface names in the instructions are very misleading.)

gcloud compute vpn-tunnels create tunnel-1 \
   --peer-external-gateway=$gcp_external_peer_gw \
   --peer-external-gateway-interface=0 --interface=0 \
   --region=$region --router=$cloud_router \
   --ike-version=2 --shared-secret=gcprocks \
   --vpn-gateway=$vpn_gw


gcloud compute vpn-tunnels create tunnel-2 \
   --peer-external-gateway=$gcp_external_peer_gw \
   --peer-external-gateway-interface=1  --interface=0 \
   --region=$region --router=$cloud_router \
   --ike-version=2 --shared-secret=gcprocks \
   --vpn-gateway=$vpn_gw

gcloud compute vpn-tunnels create tunnel-3 \
   --peer-external-gateway=$gcp_external_peer_gw \
   --peer-external-gateway-interface=2 --interface=1 \
   --region=$region --router=$cloud_router \
   --ike-version=2 --shared-secret=gcprocks \
   --vpn-gateway=$vpn_gw

gcloud compute vpn-tunnels create tunnel-4 \
   --peer-external-gateway=$gcp_external_peer_gw \
   --peer-external-gateway-interface=3 --interface=1 \
   --region=$region --router=$cloud_router \
   --ike-version=2 --shared-secret=gcprocks \
   --vpn-gateway=$vpn_gw

5. Add BGP peers to the Cloud Router

Here we can use Cloud Router to establish a BGP session with the peer network over the VPN tunnels. Then, Cloud Router automatically learns the subnet IP addresses of the Google network, and advertises them to the peer network.

We have four BGP peers to establish, for each of the four tunnels. Note the --mask-length=30, to match the instructions we ran on the AWS side earlier.

# First, add an interface to the Cloud Router for each tunnel
# I'm using a loop to run this four times. 
for i in {1..4}; do
    gcloud compute routers add-interface $cloud_router \
      --interface-name=int-$i --vpn-tunnel=tunnel-$i --region=$region \
      --ip-address=169.254.$((i * 10)).2 --mask-length=30
done

# now add four BGP peers
gcloud compute routers add-bgp-peer $cloud_router \
   --peer-name=aws-conn1-tunn1 --interface=int-1 --peer-ip-address=169.254.10.1 \
   --peer-asn=$aws_asn --region=$region

gcloud compute routers add-bgp-peer $cloud_router \
   --peer-name=aws-conn1-tunn2 --interface=int-2 --peer-ip-address=169.254.20.1 \
   --peer-asn=$aws_asn --region=$region

gcloud compute routers add-bgp-peer $cloud_router \
   --peer-name=aws-conn2-tunn1 --interface=int-3 --peer-ip-address=169.254.30.1 \
   --peer-asn=$aws_asn --region=$region

gcloud compute routers add-bgp-peer $cloud_router \
   --peer-name=aws-conn2-tunn2 --interface=int-4 --peer-ip-address=169.254.40.1 \
   --peer-asn=$aws_asn --region=$region

6. Verify the configuration

# Verify the router status
gcloud compute routers get-status cymbal-cloud-router \
    --region us-east4 \
    --format='flattened(result.bgpPeerStatus[].name, result.bgpPeerStatus[].ipAddress, result.bgpPeerStatus[].peerIpAddress)'

# List the tunnels
gcloud compute vpn-tunnels list

# Check the tunnel status
gcloud compute vpn-tunnels describe tunnel-1 \
     --region us-east4 \
     --format='flattened(status,detailedStatus)'

And if everything went to plan, it will look something like this:

Connection established!

And we’re done!

I hope this walkthrough was useful!

Before You Go

  • Please share this with anyone that you think will be interested. It might help them, and it really helps me!
  • Feel free to leave a comment 💬.
  • Follow and subscribe, so you don’t miss my content. Go to my Profile Page, and click on these icons:
Follow and Subscribe

Links

Google Cloud Platform
Cloud Vpn
Challenge Lab
AWS
Multi Cloud

--

--

Dazbo (Darren Lester)
Google Cloud - Community

Written by Dazbo (Darren Lester)

785 Followers
Writer for

Cloud Architect and moderate geek. Google Cloud evangelist. I love learning new things, but my brain is tiny. So when something goes in, something falls out!

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams