Recently, I was working with a client who utilises both AWS and Azure in their business and needed to establish a VPN connection across these cloud providers for certain services. This allowed me to work on establishing a VPN tunnel between the two public cloud offerings.
I would like to share the steps I used to establish the VPN (Site-to-Site) tunnel between Azure and AWS.
In an ideal world, the Azure VPN Gateway and the AWS Gateway offering should have been enough to establish the VPN connection. But I soon discovered that:
- The Azure VPN Gateway can act as either initiator or responder for VPN access, but the AWS Gateway can only act as a responder. Due to this limitation, the AWS environment requires an appliance or a supported VPN device.
I chose to build out my solution by implementing a Windows Server running the Routing and Remote Access Service (RRAS) in AWS as my VPN device. Other appliances can do this job as well; for more information on the supported Azure Site-to-Site VPN devices, please refer to this link: https://docs.microsoft.com/en-us/Azure/vpn-gateway/vpn-gateway-about-vpn-devices?WT.mc_ID=ITOpstalk-Blog-pierrer
- You need to have valid subscriptions in both the Azure and AWS environments.
- When configuring a Site-to-Site connection, a public-facing IPv4 address is required for your VPN device.
- In my lab environment, I don’t have any custom DNS servers. If you do have DNS servers, enter their details under Virtual Network settings > DNS servers.
- Windows and Linux VMs in both Azure and AWS are used to establish and test our Site-to-Site (S2S) VPN connectivity.
Preparing your Azure Environment
We will complete the following tasks in our Azure portal:
- Create a Virtual Network (VNet)
- Create a Gateway Subnet
- Create a VPN Gateway
- Create a Local Network gateway (your remote site i.e. AWS)
- Deploy a Windows server 2016
Create a Virtual Network (VNet)
- Click the + Create a resource button, then select Networking > Virtual Network
- Enter the details to create a single virtual network with one subnet
Create a Gateway Subnet
- Once your virtual network is created, open its blade and click on Subnets
- Click the + Gateway subnet button at the top
- The subnet name is automatically filled in with the value ‘GatewaySubnet’. It is worth noting that this name cannot be changed to a custom name.
- Enter the IP address range. Microsoft recommends keeping the gateway subnet CIDR range to a /27 or /28.
- Leave all the other settings on the defaults and click OK.
Create a VPN Gateway
On the left side of the portal page, click + Create a resource and type Virtual Network Gateway in the search box. In the results, click Virtual network gateway and then click Create.
On the Create virtual network gateway blade enter the following details:
- Name: Enter Name of gateway
- Gateway type: Select VPN
- VPN type: Route-based (this is the new name for dynamic routing)
- SKU: For our lab, select VpnGw1. Refer here for more about gateway SKUs
NOTE: Only select Enable active-active mode if you are creating an active-active gateway configuration. Otherwise, leave this setting unselected.
- Location: Scroll down to the bottom of the blade and select the region where the new VNet is located; otherwise you will not see the desired virtual network.
- Virtual network: Click ‘Choose a virtual network’ and select the VNet created in the previous step. Again, if you don’t see your VNet, make sure the Location field is pointing to the region in which your virtual network is located.
- Public IP address: Use an existing public IP address name if you have one; otherwise, create a new one by typing a name in the text box.
- Verify the details entered and click Create to begin creating the VPN gateway. Once the settings are validated, you’ll see the “Deploying Virtual network gateway” tile on the dashboard.
- NOTE: Creating a Virtual Network gateway can take up to 20 minutes
Create the local network gateway
Pre-requisite: Before creating the local network gateway, follow the steps to create your VPC in the AWS section and then proceed.
The local network gateway represents the VPN device in your local network, which in this instance is our AWS environment, and is used to set up your site-to-site VPN connection. The local network gateway is treated as the remote location. It should not be confused with the virtual network gateway.
- In the Azure portal, click + Create a resource. In the search box, type Local network gateway, then press Enter to search. Click Local network gateway, then click Create.
- On the Create local network gateway page, specify the values for the AWS environment in the local network gateway.
- Name: Choose a name
- IP address: This is the public IP address of the VPN device (the Windows RRAS server in AWS) that you want Azure to connect to. In this exercise, we will provide 184.108.40.206. Refer to Create Elastic IP Address in the AWS Environment section.
- Address Space: This refers to the address ranges of the network in the AWS environment. In this exercise, we will provide 220.127.116.11/16. Refer to Create VPC in the AWS Environment section.
- (Optional) Configure BGP settings: Use only when configuring BGP. Otherwise, don’t select this.
- Subscription: Select your subscription
- Resource Group: Select the same resource group as your virtual network
- Location: Select the location.
- Click the Create button at the bottom of the page to create the local network gateway.
- In the meantime, create a Windows server in the virtual network. This will be used to test the connection.
Establish the VPN connection
Navigate to the local network gateway and select it.
- Click on Overview -> Connected devices -> Azure-LNGW
- On the Azure-LNGW page, click Connections. At the top of the Connections page, click +Add to open the Add connection page.
- On the Add connection page, configure the values for your connection.
- Name: Name your connection
- Connection type: Site-to-site (IPSec). This is selected by default.
- Virtual network gateway: Click Choose a local network gateway
- Local network gateway: The value is fixed because you are connecting from this gateway.
- Shared Key: This is the pre-shared key used to secure the tunnel.
- NOTE: The value you specify here must be the same value that you specify when configuring your VPN device.
- The remaining values for Subscription, Resource Group, and Location are fixed.
- Click OK to create your connection.
- After it’s created, the status will be
- NOTE: Wait till all the steps are completed for this to turn into the connected state.
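The Azure portal steps above as an Az PowerShell script, added here as an example (it is not code from the original post). It assumes the Az module is installed and Connect-AzAccount has been run; the resource names, region, subnet ranges and the two AWS values are placeholders to adjust.

```powershell
# Added example (not from the original post): builds the Azure side of the S2S VPN with the
# Az module. Resource names, the region, subnet ranges and the AWS values are assumptions.
Import-Module Az.Network

$rg       = 'rg-s2s-lab'                    # assumed resource group
$location = 'westeurope'                    # assumed region; gateway and VNet must share it
$vnetCidr = '10.0.0.0/16'                   # Azure VNet range, the route added later in AWS
$awsVpnIp = '<Elastic IP of the Windows RRAS server>'   # see "Create an Elastic IP Address"
$awsCidr  = '<AWS VPC CIDR block>'                      # see "Create a VPC"

New-AzResourceGroup -Name $rg -Location $location -Force | Out-Null

# VNet with a workload subnet and the mandatory 'GatewaySubnet' (a /27, as recommended above)
$vmSubnet = New-AzVirtualNetworkSubnetConfig -Name 'default'       -AddressPrefix '10.0.1.0/24'
$gwSubnet = New-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.0.255.0/27'
$vnet = New-AzVirtualNetwork -Name 'vnet-azure01' -ResourceGroupName $rg -Location $location `
            -AddressPrefix $vnetCidr -Subnet $vmSubnet, $gwSubnet

# Route-based VpnGw1 gateway on a new public IP (creation takes about 20 minutes)
$pip = New-AzPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $rg -Location $location `
            -AllocationMethod Static -Sku Standard    # Standard/Static is what current gateways require
$gwSubnetId = (Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet).Id
$ipConf = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconfig' -SubnetId $gwSubnetId -PublicIpAddressId $pip.Id
$gw = New-AzVirtualNetworkGateway -Name 'vpngw-azure01' -ResourceGroupName $rg -Location $location `
            -IpConfigurations $ipConf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

# Local network gateway = the AWS side: RRAS public IP plus the VPC address space
$lng = New-AzLocalNetworkGateway -Name 'Azure-LNGW' -ResourceGroupName $rg -Location $location `
            -GatewayIpAddress $awsVpnIp -AddressPrefix $awsCidr

# Pre-shared key: a random 32-character value rather than a hand-typed phrase. The same string
# must be passed to Add-VpnS2SInterface -SharedSecret on the RRAS server.
$chars = [char[]]((48..57) + (65..90) + (97..122))
$psk   = -join (Get-Random -InputObject $chars -Count 32)

New-AzVirtualNetworkGatewayConnection -Name 'cn-azure-to-aws' -ResourceGroupName $rg -Location $location `
            -VirtualNetworkGateway1 $gw -LocalNetworkGateway2 $lng -ConnectionType IPsec -SharedKey $psk | Out-Null

# Values the AWS side needs; the PSK is displayed once so it can be handed over out of band
"Azure gateway public IP : $((Get-AzPublicIpAddress -Name 'pip-vpngw' -ResourceGroupName $rg).IpAddress)"
"Azure VNet CIDR         : $vnetCidr"
"Pre-shared key          : $psk"

# Stays NotConnected until the RRAS server dials in (see "Bring up the VPN tunnel")
(Get-AzVirtualNetworkGatewayConnection -Name 'cn-azure-to-aws' -ResourceGroupName $rg).ConnectionStatus
```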
Deploy Virtual Machines
Deploy your Windows VM in the Azure environment as per the table below:
- Windows Server 2016
I assume you are familiar with deploying virtual machines in Azure and will not show these steps below. Please refer to the links below for assistance with this.
Preparing your AWS Environment
We will complete the following tasks in our AWS subscription:
- Create a Virtual Private Cloud (VPC)
- Create an Elastic IP
- Create the VPN device
- Add routes to the route table in the VPC
Create a Virtual Private Cloud (VPC)
Log into your AWS console and type VPC in the Find Services box. Click VPC Dashboard, then click Launch VPC Wizard.
- Select VPC with a Single Public Subnet, and then click Select.
- Fill in the following information on this page
- IP CIDR block: 18.104.22.168/16
- VPC name: AWS-VPC01
- Public subnet: 22.214.171.124/24
- Availability Zone: No Preference
- Subnet name: public_subnet_aws01
- Leave other settings on the defaults and click on Create VPC
- Once the VPC is created, select it and identify your VPC id
- On the left side of the AWS VPC dashboard:
- Select Internet gateways and verify that it is attached to the VPC you created. This is required to allow the resources in your newly deployed VPC to communicate with the Internet.
- NOTE: The Internet Gateway does not have a name by default, you can give it a name if you wish.
Deploy Virtual Machines
Deploy your Windows and Linux VMs in AWS environments as per the table below:
- Redhat Server 7.5 – Generic server
- Windows Server 2016 with RRAS
Create an Elastic IP Address
An Elastic IP address is a public IPv4 address that is reachable from the internet. This is required for our Windows server (RRAS), which will act as the VPN device in AWS.
- From the VPC Dashboard pane, choose Elastic IPs.
- Choose Allocate new address
- Leave the settings on the defaults and click Allocate
NOTE: Take a note of this IP address, as we will use it when we set up the Azure local network gateway.
- While configuring the Windows server, please ensure you select auto-assign public IP address for this instance. The server network interface card will not have a name; you can give it a label if you wish.
- We will use the Elastic IP address to mask the instance’s public IP address. This will be useful in the event of an instance failure.
- Once our virtual machines are up and running, associate the Elastic IP address to the Windows server NIC.
- In the AWS navigation pane, choose Elastic IPs.
- Select the Elastic IP address, which we created earlier in this exercise and choose Actions > Associate address.
- Select instance and then choose Associate.
- Click Close
Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives. However, a NAT instance must be able to send and receive traffic when the source or destination is not itself.
In our case, we need to disable source/destination checks on our Windows server.
- In the AWS console, choose Instances.
- Select the Windows instance, choose Actions > Networking > Change Source/Dest. Check.
- Choose Yes, Disable
- Verify the instance settings once again before we move to the next steps.
Configure the VPN Device
We will now configure the Windows server to be our VPN device in our AWS tenant.
- RDP into the AWS Windows server and install the Routing and Remote Access (RRAS) role
- Using an elevated PowerShell command (Legacy mode), run: Install-WindowsFeature RSAT-RemoteAccess-Mgmt
- Run rrasmgmt.msc to launch the RRAS console.
- Right-click on the server name and choose “Configure and Enable Routing and Remote Access”.
- Click Next
- Click Custom configuration and click Next
- Check the box for VPN access and click Next
- Click Finish to complete the initial configuration
- You will get a popup indicating a policy was created.
- Click “Start this service” to get RRAS running.
Configure the S2S VPN via PowerShell
- Run the PowerShell script below, replacing the placeholder values. The script has been taken from the Azure-vpn-config-samples GitHub repository.
- I have taken only the relevant sections for our task and have performed the remaining steps manually.
- The PowerShell script is as follows:
# Install Remote Access binaries
Install-WindowsFeature DirectAccess-VPN -IncludeManagementTools

# Install S2S VPN
Import-Module RemoteAccess
if ((Get-RemoteAccess).VpnS2SStatus -ne "Installed") {
    Install-RemoteAccess -VpnType VpnS2S
}

# Add and configure the S2S VPN interface (replace the <placeholders> with your values;
# the ":100" suffix on the subnet is the route metric)
Add-VpnS2SInterface -Protocol IKEv2 `
    -AuthenticationMethod PSKOnly `
    -NumberOfTries 3 `
    -ResponderAuthenticationMethod PSKOnly `
    -Name "<Azure VPN Gateway name>" `
    -Destination "<Public IP address of the Azure VPN Gateway>" `
    -IPv4Subnet @("<CIDR of the Azure virtual network, e.g. 10.0.0.0/16>:100") `
    -SharedSecret "<Pre-shared key from the Azure connection>"

# Use the strongest IPsec proposals RRAS offers
Set-VpnServerIPsecConfiguration -EncryptionType MaximumEncryption

# Do not ask the Azure gateway for a configuration payload (as in the GitHub sample)
Set-VpnS2SInterface -Name "<Azure VPN Gateway name>" -InitiateConfigPayload $false -Force
Set the S2S VPN connection to be persistent:
- From the RRAS management console, select your local server and click on Network Interfaces.
- Select the Azure VPN Gateway name.
- Set S2S VPN connection type to Persistent connection
- Change the dialling policy to zero and click OK
Bring up the VPN tunnel
- From a PowerShell console, run the commands below:
# Restart the RRAS service
Restart-Service RemoteAccess

# Dial in to the Azure gateway
Connect-VpnS2SInterface -Name "<Azure VPN Gateway name>"
- Verify the Azure VPN is connected from the RRAS console
- In the Azure portal, verify the Virtual Network Gateway STATUS under Connections. This should now say Connected.
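A small check script for the bring-up step above, added here as an example (not code from the original post or the GitHub sample): it dials the S2S interface, waits for it to reach the Connected state with a timeout, and shows what RRAS negotiated. The interface name and the timeout are assumptions.

```powershell
# Added example (not from the original post): dial the S2S interface configured above and wait
# for it to come up, then show what RRAS negotiated. The interface name is an assumption.
Import-Module RemoteAccess

function Wait-AzureS2STunnel {
    param(
        [string]$Name = 'Azure VPN Gateway name',   # the -Name given to Add-VpnS2SInterface
        [int]$TimeoutSeconds = 120
    )
    # Restart RRAS so the persistent-connection change made in the console takes effect
    Restart-Service RemoteAccess
    # RRAS is the initiator here; the Azure VPN gateway answers as responder
    if ((Get-VpnS2SInterface -Name $Name).ConnectionState -ne 'Connected') {
        Connect-VpnS2SInterface -Name $Name
    }

    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $iface = Get-VpnS2SInterface -Name $Name
        if ($iface.ConnectionState -eq 'Connected') { break }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)

    if ($iface.ConnectionState -ne 'Connected') {
        throw ("Tunnel '$Name' is $($iface.ConnectionState) after ${TimeoutSeconds}s: " +
               'check the shared key, the local network gateway IP in Azure and inbound UDP 500/4500 on the AWS security group')
    }

    # EncryptionType should read MaximumEncryption, as set by Set-VpnServerIPsecConfiguration above
    Get-VpnServerIPsecConfiguration | Select-Object EncryptionType | Out-Host
    Get-VpnS2SInterfaceStatistics -Name $Name | Format-List | Out-Host
    return $iface
}

Wait-AzureS2STunnel
```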
Add routes to the Route table in the VPC
- In the AWS console, switch to the VPC view and select Route tables.
- Select the route table associated with your VPC.
- Under Routes, click Edit routes and add routes for the following:
- Destination 0.0.0.0/0, Target: igw-xxxxxx (your internet gateway)
- Destination 10.0.0.0/16, Target: Windows RRAS server instance
- The second route covers the address range of the Azure virtual network, so that traffic for it is routed to the network interface of the Windows RRAS server instance.
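The AWS-side steps from the Elastic IP / source-destination check section and from the route table section above, as one AWS Tools for PowerShell script added here as an example (not code from the original post). It assumes the AWS.Tools.EC2 module and credentials are configured; the instance, VPC and security group IDs, the region and the Azure gateway address are placeholders. It also opens UDP 500 and 4500 from the Azure gateway address only, a security group step the post does not show but that IKEv2 needs to reach the RRAS server.

```powershell
# Added example (not from the original post): the AWS-side steps for the RRAS VPN device using
# AWS Tools for PowerShell. The IDs, region and Azure values are assumptions to replace.
Import-Module AWS.Tools.EC2

$region     = 'eu-west-1'                               # assumed region of the VPC
$instanceId = '<i-... of the Windows RRAS server>'
$vpcId      = '<vpc-... from Create a VPC>'
$sgId       = '<sg-... attached to the RRAS instance>'
$azureGwIp  = '<public IP of the Azure VPN gateway>'
$azureCidr  = '10.0.0.0/16'                             # Azure VNet range, as in the route table above

# Elastic IP: allocate it and associate it with the RRAS instance; this is the address
# entered in the Azure local network gateway
$eip = New-EC2Address -Domain vpc -Region $region
Register-EC2Address -InstanceId $instanceId -AllocationId $eip.AllocationId -Region $region | Out-Null
"RRAS public IP for the Azure local network gateway: $($eip.PublicIp)"

# Disable source/destination checks so the instance may forward packets it neither sent nor owns
Edit-EC2InstanceAttribute -InstanceId $instanceId -SourceDestCheck $false -Region $region

# IKEv2 needs UDP 500 (IKE) and 4500 (NAT-T) inbound; allow them from the Azure gateway only
foreach ($port in 500, 4500) {
    Grant-EC2SecurityGroupIngress -GroupId $sgId -Region $region -IpPermission @{
        IpProtocol = 'udp'; FromPort = $port; ToPort = $port; IpRanges = "$azureGwIp/32"
    }
}

# Pick the VPC route table that already carries 0.0.0.0/0 -> internet gateway (the wizard's
# public subnet table) and send the Azure VNet range to the RRAS instance
$rt = Get-EC2RouteTable -Region $region -Filter @{ Name = 'vpc-id'; Values = $vpcId } |
        Where-Object { $_.Routes | Where-Object { $_.DestinationCidrBlock -eq '0.0.0.0/0' -and $_.GatewayId -like 'igw-*' } } |
        Select-Object -First 1
New-EC2Route -RouteTableId $rt.RouteTableId -DestinationCidrBlock $azureCidr `
             -InstanceId $instanceId -Region $region | Out-Null

# Verify the two routes from the table above are present and active
(Get-EC2RouteTable -RouteTableId $rt.RouteTableId -Region $region).Routes |
    Select-Object DestinationCidrBlock, GatewayId, InstanceId, State
```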
Test Site-to-Site Connectivity
To verify that the Site-to-Site VPN is connected, we will log into the Azure Windows server and try to ping the AWS Linux server.
I hope this article has been helpful in understanding how to create a VPN tunnel between Azure and AWS.