VPN :: AWS ↔️ GCP

Avishek Roy, published in teckdevops, 7 min read, May 23, 2020
AWS — VPN — GCP

Set up a VPN connection between GCP and AWS.

Hi folks,

Once a wise man said, one should always plan for the future! 🙃

We are living in an era of cloud computing where trends and technologies change every day, and the same applies to the handful of cloud providers in the business: they are in a constant fight to offer more services, more features, and cost-effective, easy-to-migrate options to their users and customers.

So, in that context, if there is a need for a multi-cloud solution where a few services run on GCP, some on AWS and some on-premises, then we need a solution that provides secure connectivity between the two ends, i.e. a VPN.

Coming to the point, in this story we are going to set up a VPN connection between two popular cloud providers, AWS and GCP, so as to achieve a multi-cloud setup.

Caution: Most of the resources we create during this lab are free tier eligible, but there might be a small cost for creating a VPN in AWS. In GCP there will be no cost if you have enough credits in the account.

SETUP

Our setup will look like the diagram below.

PLAN OF ACTION

Below are the steps we are going to perform on both sides, i.e. on AWS and on GCP, to set up the VPN connection.

AWS Side of Steps

  • Create a custom VPC with a subnet (say 192.168.1.0/24)
  • Create a VPG (Virtual Private Gateway)
  • Attach the VPG to the custom VPC
  • Create a Customer Gateway (to hold the GCP side details)
  • Create a Site-to-Site VPN (2 tunnels)
  • Update security groups and routes to allow the flow of traffic from GCP

GCP Side of Steps

  • Create an external IP
  • Create a custom VPC with a subnet (say 10.0.1.0/24)
  • Set up a Cloud Router
  • Create a VPN and set up the Cloud VPN Gateway
  • Set up the Cloud VPN tunnels
  • Set up the Peer VPN Gateway
  • Update the firewall rules of the custom VPC to allow traffic from AWS

Pre-requisites

  • A computer or laptop with a working internet connection
  • AWS and GCP accounts
  • Basic networking knowledge; an understanding of VPNs will be a plus

Implementation

First, we will go through the AWS steps and then move to GCP, though please note that some steps on one side need details from the other side of the VPN, so we will switch between the two where required.

AWS

1. Custom VPC Setup

Create a custom VPC with a subnet, i.e. 192.168.1.0/24, and spin up an EC2 instance in it so that we can perform a connectivity test once the VPN is set up.

Custom VPC
EC2 Instance

2. Virtual Private Gateway (VPG)

Create a Virtual Private Gateway (VPG); this gives us the AWS side ASN (autonomous system number) that will be used for BGP routing.

VPG — Detached

3. Attach VPG to VPC

VPG — attach to VPC
VPG — Attached

4. Customer Gateway (CG)

Create a Customer Gateway. For this we need a few GCP side details, i.e. the ASN and the VPN IP (which must be an external IP). So, go to GCP Step 1 and create the external IP, and enter 65432 as the ASN (we will configure the same ASN on the GCP Cloud Router later).

AWS — Customer GW

5. VPN Setup (AWS Side)

Create a Site-to-Site VPN with the VPG and CG created above. Leave the tunnel inside IP CIDRs as Amazon-generated, and enter a value for the pre-shared key (say awsgcp001); the same key has to be used on the GCP side of the tunnel too.

VPN
VPN — TUNNELS
VPN — PENDING
VPN — TUNNELS — DOWN

6. Security Groups + Route Updates

Update the security group (vpc001) and the subnet route table to allow traffic to and from the GCP IP range, 10.0.1.0/24, via the Virtual Private Gateway.

ROUTES
Security Group

GCP

1. External IP (VPN IP)

Create an external (static) IP to assign to the GCP side of the VPN.

External IP — VPN IP

2. Custom VPC

Create a custom VPC with a subnet, i.e. 10.0.1.0/24, and spin up a Google Compute Engine instance in it.

GCP — VPC
GCP Machine

3. Cloud Router

Create a Cloud Router (Hybrid Connectivity → Cloud Routers). The ASN must be the same as the one entered in AWS (65432), and lastly remember to select the option to advertise all subnets.

Cloud Router

4. VPN (VPG + Tunnel) Setup

Create a VPN (Hybrid Connectivity → Classic VPN). Under the Google Compute Engine VPN gateway section, select the custom VPC (vpc001) and attach the external static IP created in Step 1 as the IP address.

VPN

For the tunnel, enter the external (outside) IP of the AWS side tunnel 1 as the remote peer IP address, and the pre-shared key we created in AWS Step 5 (awsgcp001).

tunnel 1

Create a BGP session (for tunnel 1) using:

  • Peer ASN the same as the AWS VPG ASN (created in AWS Step 2)
  • BGP peer IP equal to the AWS end tunnel 1 inside CIDR network address +1, i.e. 169.254.162.45 (169.254.162.44 + 1)
  • Cloud Router BGP IP equal to the tunnel 1 inside CIDR network address +2, i.e. 169.254.162.46 (169.254.162.44 + 2)

BGP Session for Tunnel 1

In the same way, set up tunnel 2 and its BGP session using the AWS side tunnel 2 information. As soon as we are done with the setup, our Cloud VPN tunnels should start the first handshake and will come UP in some time.
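As an added example (not code from the article), here is the +1/+2 rule above written out for both tunnels in Python: given each AWS tunnel's outside IP and Amazon-generated inside CIDR, it derives the GCP remote peer IP, the BGP peer IP and the Cloud Router IP, and refuses inputs that cannot work (a non-/30, a CIDR outside 169.254.0.0/16, the same ASN on both sides, a missing pre-shared key). The AWS outside IPs, the tunnel 2 inside CIDR and the AWS VPG ASN (64512) are assumed placeholder values.

```python
import ipaddress
from dataclasses import dataclass

# AWS issues each tunnel's "inside" CIDR as an IPv4 /30 in 169.254.0.0/16: first host = AWS end, second host = GCP end.
AWS_INSIDE_RANGE = ipaddress.ip_network("169.254.0.0/16")


@dataclass(frozen=True)
class GcpTunnelPlan:
    name: str
    peer_address: str     # remote peer IP of the Cloud VPN tunnel = AWS outside IP
    peer_asn: int         # AWS VPG ASN, entered on the Cloud Router BGP session
    bgp_peer_ip: str      # AWS end of the /30 (inside CIDR network address + 1)
    cloud_router_ip: str  # GCP end of the /30 (network address + 2), with mask
    shared_secret: str    # must equal the pre-shared key set on the AWS tunnel


def plan_gcp_tunnel(name, aws_outside_ip, inside_cidr, aws_asn, gcp_asn, psk):
    net = ipaddress.ip_network(inside_cidr, strict=True)
    if net.version != 4 or net.prefixlen != 30:
        raise ValueError(f"{name}: inside CIDR must be an IPv4 /30, got {inside_cidr}")
    if not net.subnet_of(AWS_INSIDE_RANGE):
        raise ValueError(f"{name}: inside CIDR must lie within {AWS_INSIDE_RANGE}")
    if aws_asn == gcp_asn:
        raise ValueError(f"{name}: eBGP needs distinct ASNs, both sides use {aws_asn}")
    if not psk:
        raise ValueError(f"{name}: a pre-shared key matching the AWS tunnel is required")
    aws_end, gcp_end = net.hosts()  # .45 and .46 for 169.254.162.44/30
    return GcpTunnelPlan(name, str(ipaddress.ip_address(aws_outside_ip)), aws_asn,
                         str(aws_end), f"{gcp_end}/30", psk)


def plan_both_tunnels(aws_tunnels, aws_asn, gcp_asn, psk):
    # Plan both tunnels and check that AWS issued two distinct inside /30s.
    plans = [plan_gcp_tunnel(t["name"], t["outside_ip"], t["inside_cidr"],
                             aws_asn, gcp_asn, psk) for t in aws_tunnels]
    n1, n2 = (ipaddress.ip_network(t["inside_cidr"]) for t in aws_tunnels)
    if n1.overlaps(n2):
        raise ValueError("tunnel inside CIDRs overlap; the two BGP sessions would clash")
    return plans


# Constructed sample: tunnel 1 inside CIDR is the article's; outside IPs (TEST-NET-3) and tunnel 2 CIDR are placeholders.
AWS_TUNNELS = [
    {"name": "tunnel1", "outside_ip": "203.0.113.10", "inside_cidr": "169.254.162.44/30"},
    {"name": "tunnel2", "outside_ip": "203.0.113.11", "inside_cidr": "169.254.48.160/30"},
]
AWS_VPG_ASN = 64512      # assumed: AWS default ASN for a new VPG; check yours in the console
GCP_ROUTER_ASN = 65432   # the ASN used in the article
PRE_SHARED_KEY = "awsgcp001"

if __name__ == "__main__":
    print(*plan_both_tunnels(AWS_TUNNELS, AWS_VPG_ASN, GCP_ROUTER_ASN, PRE_SHARED_KEY), sep="\n")
```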

Cloud VPN Tunnels

The Cloud VPN Gateway should look like the screenshot below.

Cloud VPN Gateway

5. Tunnels

As soon as the setup is done on the GCP side, the tunnels should come UP and their status changes to Established.

GCP — VPN Tunnels
AWS — VPN Tunnels

6. Firewall Rules

Lastly, update the firewall rules of the GCP custom VPC to allow ICMP traffic from the AWS IP range (or from anywhere).

GCP Firewall Rules

Testing Time!

If we have reached this point, our VPN connection has been set up and we are good to make our first connectivity test!

Log in to the AWS EC2 instance and try to ping the GCP machine we created under the custom VPC, and vice versa.

GCP → AWS

AWS → GCP

Bingo! 👍

So, our VPN is up and the connection has been successfully established across the cloud borders, via a secured channel (the VPN tunnels).

Cleanup

Please remember to clean up, i.e. terminate/delete all the resources we created to set up and test the VPN connection, as otherwise they might cost you extra bucks.

Terminate/delete the EC2 instances, VPCs and associated components, and all the GCP resources we created, if they are not in use; it will save you some dollars💰.

— A blog by teckdevOps
