Thor Draper Jr's Blog

Azure-to-AWS

Alright! This was a little lab that I did to connect an Azure vNet to an AWS VPC. I’ll walk you through a complete, from-scratch deployment. At the bottom of the article, I included a list of all of the individual resources that I used and the relevant links so you can learn more about each cloud technology. Due to how the VPNs deploy, we’ll need to jump back and forth between the Azure Portal and the AWS console.

Also, the VNG is one of the resources included in an Azure Students subscription, so be sure to take advantage of that!

## Azure

The first thing that you’ll want to deploy is the Azure Virtual Network Gateway (VNG). The average deployment takes about 30 minutes. Traditionally, a VPN gateway is a specific type of virtual network gateway that sends encrypted traffic between an Azure virtual network and an on-premises location over the public Internet. We are going to connect it to another cloud instead of on-prem.

### Create virtual network gateway

Navigate to the Azure Portal

(Screenshot: 1-search-vng.png)

Search for and select Virtual network gateway; once the page opens, press Create.


* Subscription: [YOUR-SUBSCRIPTION]
* Resource Group: [YOUR-RESOURCEGROUP]
* Instance details
  + VPN type: Route-based
  + Generation: Generation2
  + Virtual Network: Create virtual network
    - Name: vNet-1
* Public IP address

First, we’ve created a Resource Group, the container that holds related resources for an Azure solution. We’ve also created a vNet in the 10.0.0.0/16 address space, with a dedicated GatewaySubnet. For now, we’ve left the BGP selector disabled; we’ll configure BGP after we’ve created our AWS resources.


Before leaving the Azure platform, you should see the Public IP address appear fairly quickly.

## AWS

Now we move on to the AWS console. Here we’ll be creating our VPC and the VPN gateway. We can use the resource details we generated in Azure to create our Customer gateway. A customer gateway provides information to AWS about your customer gateway device; in our case, that device is the Azure VNG.


Navigate to your AWS Console.


Search for and select VPC; once the page opens, press Launch VPC Wizard.


The launch wizard has four steps. We are going to launch a VPC with a private subnet and VPN access. We’ll use a 172 address space, so it’s easy to tell which resources are in AWS and which are in Azure. Lastly, we’ll need to put in the Public IP of the Azure VNG.

* Step 1: Select a VPC Configuration
* Step 2: VPC with a Private Subnet Only and Hardware VPN Access
  + Service endpoints: Left blank
* Step 3:
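Before clicking through either wizard it is worth checking that the two address spaces can actually be routed between each other. The following is an added example (not part of the post): it takes the post's 10.0.0.0/16 vNet and a 172.x VPC and flags the mistakes that break a route-based VPN later on. The GatewaySubnet (10.0.255.0/27) and the AWS private subnet (172.16.0.0/24) are assumed values.

```python
"""Sanity-check the address plan for an Azure vNet <-> AWS VPC site-to-site VPN.

Added example, not from the post. The vNet (10.0.0.0/16) and the 172.x VPC
follow the post; the GatewaySubnet and the AWS private subnet are assumptions.
"""
import ipaddress

# 169.254.0.0/16 is where both clouds place the tunnel inside addresses and
# the BGP peering IPs, so it must not appear in either side's address space.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def check_address_plan(azure_vnet, azure_gateway_subnet, aws_vpc, aws_subnets=()):
    """Return a list of problems with the plan; an empty list means it is usable."""
    vnet = ipaddress.ip_network(azure_vnet)
    gw = ipaddress.ip_network(azure_gateway_subnet)
    vpc = ipaddress.ip_network(aws_vpc)
    problems = []

    # The GatewaySubnet is carved out of the vNet itself, not a separate range.
    if not gw.subnet_of(vnet):
        problems.append(f"GatewaySubnet {gw} is not inside vNet {vnet}")

    # A route-based VPN advertises each side's prefixes to the other; if the
    # address spaces overlap, traffic for the remote side is swallowed locally.
    if vnet.overlaps(vpc):
        problems.append(f"vNet {vnet} overlaps VPC {vpc}")

    for s in aws_subnets:
        subnet = ipaddress.ip_network(s)
        if not subnet.subnet_of(vpc):
            problems.append(f"AWS subnet {subnet} is not inside VPC {vpc}")

    for name, net in (("vNet", vnet), ("VPC", vpc)):
        if net.overlaps(LINK_LOCAL):
            problems.append(f"{name} {net} overlaps the link-local range {LINK_LOCAL}")

    return problems


if __name__ == "__main__":
    # The post's layout: 10.0.0.0/16 on Azure, a 172.x VPC on AWS.
    plan = check_address_plan("10.0.0.0/16", "10.0.255.0/27",
                              "172.16.0.0/16", ["172.16.0.0/24"])
    print("Address plan OK" if not plan else "\n".join(plan))
```

Run it once with the ranges you intend to use; an empty problem list means the prefixes BGP will exchange later cannot shadow anything local.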


Once our resources are created, we’ll want to stay on the VPC page, use the left pane, and navigate to Site-to-Site VPN Connections. We need to do two things here: change the inside tunnel addresses, and download our configuration and tunnel information.


VIRTUAL PRIVATE NETWORK > Site-to-Site VPN Connections

Right-click on your newly created VPN Connection and select Modify VPN Tunnel Options.



Azure only accepts BGP (APIPA) addresses in the ranges 169.254.21.* and 169.254.22.*, while AWS makes you pick a /30 CIDR somewhere in 169.254.0.0/16 for the tunnel inside addresses, so the /30 has to be chosen from Azure’s range. Your tunnel automatically takes the first address in that /30; in our instance, it will be 169.254.21.1.

Back on the Site-to-Site VPN connection page, press Download Configuration.


From the downloaded .txt file, you’ll want to take note of the following information:

For IPSec Tunnel #1

* (Line 36) Pre-Shared Key : GENERATED-BY-AMAZON
* (Line 111) Customer Gateway ASN : 65000
* (Line 112) Virtual Private Gateway ASN : 64512
* (Line 113) Neighbor IP Address : 169.254.21.1

For IPSec Tunnel #2

* (Line 138) Pre-Shared Key : GENERATED-BY-AMAZON
* (Line 213) Customer Gateway ASN : 65000
* (Line 214) Virtual Private Gateway ASN : 64512
* (Line 215) Neighbor IP Address : 169.254.22.1


Take note of these values in case anything on your side was assigned differently. Now we’re headed back to Azure!

## Azure (Part 2)

Navigate to the [Azure Portal](portal.azure.com)

Search for and select `Local network gateways`; once the page opens, press Create.

![7](/assets/images/7-lng.png)

This is where you'll reference the config file that we downloaded from the AWS console.

* Name: Aws-Tunnel-1
* Endpoint: IP address
* IP address: OUTSIDE-VPG-IP <-- found in the config file [Interface #1]
  + Address space: LEFT BLANK
  + Check the box to `Configure BGP settings`
    - Autonomous system number (ASN): 64512 <-- found in the config file [VPG ASN]
* Subscription: YOURSUBSCRIPTION
* Resource group: rg-1
* Location: EastUs2

Search for and select Virtual Network Gateways. In the left menu pane under Settings, choose Configuration and check the box Configure BGP. Add the Autonomous system number (ASN): 65000 <-- found in the config file [Customer Gateway ASN]


To use both tunnels and make this a redundant connection, you’d need to create another Basic SKU dynamic Public IP address. In the AWS console, be sure to change Tunnel #2 to another /30 within the accepted Azure APIPA range.
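Most of the mistakes in this lab come from copying the wrong value out of the AWS download into the Local network gateway or the VNG BGP settings, or from leaving a tunnel on the random /30 AWS picked outside Azure’s APIPA range. The following is an added example (not the post’s or either vendor’s code): it parses the `- Key : Value` lines of the downloaded configuration, maps them to the Azure fields above for both tunnels, and refuses a tunnel whose inside /30 Azure would not accept. `SAMPLE_CONFIG` is constructed to mirror the download’s layout; the ASNs and neighbor IPs follow the post, while the outside IPs and pre-shared keys are placeholders.

```python
"""Pull the values Azure needs out of the Site-to-Site VPN configuration file
downloaded from the AWS console and derive the Azure-side BGP address per tunnel.

Added example, not from the post. SAMPLE_CONFIG is constructed to mirror the
"- Key : Value" lines of the AWS download; ASNs and neighbor IPs follow the
post, the outside IPs and key strings are placeholders.
"""
import ipaddress
import re

# Azure only accepts APIPA addresses for BGP peering in these two /24s
# (the post's "169.254.21.* and 169.254.22.*").
AZURE_APIPA_RANGES = (
    ipaddress.ip_network("169.254.21.0/24"),
    ipaddress.ip_network("169.254.22.0/24"),
)

SAMPLE_CONFIG = """\
IPSec Tunnel #1
================================================================================
#1: Internet Key Exchange Configuration
  - Pre-Shared Key           : PLACEHOLDER-PSK-TUNNEL-1
#3: Tunnel Interface Configuration
Outside IP Addresses:
  - Customer Gateway         : 203.0.113.5
  - Virtual Private Gateway  : 198.51.100.10
Inside IP Addresses:
  - Customer Gateway         : 169.254.21.2/30
  - Virtual Private Gateway  : 169.254.21.1/30
#4: Border Gateway Protocol (BGP) Configuration
  - Customer Gateway ASN     : 65000
  - Virtual Private Gateway ASN : 64512
  - Neighbor IP Address      : 169.254.21.1

IPSec Tunnel #2
================================================================================
#1: Internet Key Exchange Configuration
  - Pre-Shared Key           : PLACEHOLDER-PSK-TUNNEL-2
#3: Tunnel Interface Configuration
Outside IP Addresses:
  - Customer Gateway         : 203.0.113.5
  - Virtual Private Gateway  : 198.51.100.11
Inside IP Addresses:
  - Customer Gateway         : 169.254.22.2/30
  - Virtual Private Gateway  : 169.254.22.1/30
#4: Border Gateway Protocol (BGP) Configuration
  - Customer Gateway ASN     : 65000
  - Virtual Private Gateway ASN : 64512
  - Neighbor IP Address      : 169.254.22.1
"""

TUNNEL_RE = re.compile(r"^IPSec Tunnel #(\d+)\s*$")
SECTION_RE = re.compile(r"^([A-Za-z ]+):\s*$")
ENTRY_RE = re.compile(r"^\s*-\s*([^:]+?)\s*:\s*(\S+)\s*$")


def parse_aws_vpn_config(text):
    """Return {tunnel_number: {key: value}}. Keys under a labelled block such as
    'Outside IP Addresses:' are prefixed with that label to keep them distinct."""
    tunnels, current, section = {}, None, ""
    for line in text.splitlines():
        m = TUNNEL_RE.match(line)
        if m:
            current = tunnels.setdefault(int(m.group(1)), {})
            section = ""
            continue
        if line.startswith("#"):  # "#3: Tunnel Interface Configuration" etc.
            section = ""
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip()
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            key = m.group(1).strip()
            if section:
                key = f"{section} / {key}"
            current.setdefault(key, m.group(2))  # first occurrence wins
    return tunnels


def azure_bgp_peer_for(neighbor_ip):
    """AWS gives its own gateway the first host of the tunnel's inside /30 and the
    customer (Azure) side the second. Rebuild the /30 from the neighbor IP and
    return (inside_cidr, azure_side_ip), or None if Azure would reject the range."""
    neighbor = ipaddress.ip_address(neighbor_ip)
    inside = ipaddress.ip_network(f"{neighbor}/30", strict=False)
    first, second = list(inside.hosts())
    if first != neighbor or not any(second in r for r in AZURE_APIPA_RANGES):
        return None
    return str(inside), str(second)


def azure_side_settings(tunnel):
    """Map one parsed tunnel to the fields entered in the Azure portal."""
    derived = azure_bgp_peer_for(tunnel["Neighbor IP Address"])
    if derived is None:
        raise ValueError("change the tunnel inside CIDR to a /30 in "
                         "169.254.21.0/24 or 169.254.22.0/24 (Modify VPN Tunnel Options)")
    inside_cidr, azure_ip = derived
    return {
        # Local network gateway
        "lng_ip_address": tunnel["Outside IP Addresses / Virtual Private Gateway"],
        "lng_asn": int(tunnel["Virtual Private Gateway ASN"]),
        "lng_bgp_peer_ip": tunnel["Neighbor IP Address"],
        # Virtual network gateway BGP configuration
        "vng_asn": int(tunnel["Customer Gateway ASN"]),
        "vng_apipa_bgp_ip": azure_ip,
        # Connection
        "shared_key": tunnel["Pre-Shared Key"],
        "inside_cidr": inside_cidr,
    }


if __name__ == "__main__":
    for number, tunnel in sorted(parse_aws_vpn_config(SAMPLE_CONFIG).items()):
        print(f"Tunnel #{number}: {azure_side_settings(tunnel)}")
```

Point `parse_aws_vpn_config` at the real downloaded text instead of `SAMPLE_CONFIG`; a `ValueError` for tunnel #2 is the usual sign that its inside CIDR was never moved into Azure’s range.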

## Final Architecture

You should now be able to spin up virtual machines in both cloud environments, and they should be able to ping each other. Keep in mind that you’ll need to allow ICMP traffic outbound to the instance in AWS.

## Troubleshooting

A few areas to check when troubleshooting:

Azure resources

AWS resources