
How do I configure a Site-to-Site VPN connection with dynamic routing between AWS and Azure?


I want to configure an AWS Site-to-Site VPN connection with Border Gateway Protocol (BGP) between AWS and Azure.

Short description

To set up dynamic routing between AWS and Azure, create and configure the customer gateways, VPN gateways, local network gateways, and tunnel configurations on both the AWS and Azure side. Then, set up an active-active BGP failover and verify the VPN connection status.

Resolution

Note: For information on how to optimize performance, see AWS Site-to-Site VPN, choosing the right options to optimize performance.

Prerequisites:

  • Verify that you have an Amazon Virtual Private Cloud (Amazon VPC) Classless Inter-Domain Routing (CIDR) associated with a virtual private gateway or a transit gateway.
  • Make sure that the Amazon VPC CIDR and Azure network CIDR don't overlap.

Create a virtual network and VPN gateway on the Azure side

Complete the following steps:

  1. Use the Azure portal to create a virtual network. For more information, see Create an Azure Virtual Network on the Microsoft website.
  2. Create a VPN gateway with a public IP address. For more information, see Create a VPN gateway on the Microsoft website. Take the following actions:
    For Region, choose the region that you want to deploy the VPN gateway in.
    For Gateway type, choose VPN.
    For VPN Type, choose Route-based.
    For SKU, choose the SKU that meets your requirements for workloads, throughputs, features, and SLAs.
    For Virtual Network, select the virtual network that is associated with your VPN gateway (similar to a VPC in the AWS environment).
    For Enable active-active mode, choose Disabled to create a new public IP address that's used as the customer gateway IP address in the AWS Management Console.
    For Configure BGP, choose Enabled.
    For Custom Azure APIPA BGP IP address, select 169.254.21.2.
    Note: The ASN that you use for the VPN gateway must be the same as the customer gateway ASN in the AWS Management Console (65000).

Create a customer gateway and AWS Site-to-Site VPN connection on the AWS side

Complete the following steps:

  1. Create a customer gateway.
    For BGP ASN, you can add your own or use the default option (65000). If you choose the default, then AWS provides an Autonomous System Number (ASN) for your customer gateway.
    For IP address, enter the Azure public IP address that was created when you configured the VPN gateway in the Azure portal. For more information, see step 2 of the Create a virtual network and VPN gateway on the Azure side section of this article.
  2. Create an AWS Site-to-Site VPN connection.
    For Inside IPv4 CIDR for tunnel 1, choose a block from the Azure-reserved Automatic Private IP Addressing (APIPA) range. The tunnel inside IPv4 CIDR must fall within 169.254.21.0 to 169.254.22.255.
    Example address: 169.254.21.0/30
    Example BGP IP address (AWS): 169.254.21.1
    Example Peer IP address (Azure): 169.254.21.2
    For Target gateway type, select either the virtual private gateway or transit gateway.
    For Routing options, choose Dynamic.
  3. Download the AWS configuration file.

Create a local network gateway on the Azure side

Complete the following steps:

  1. Use the Azure portal to create a local network gateway. For more information, see Create a local network gateway on the Microsoft website. Take the following actions:
    For IP Address, enter the public IP address of Tunnel 1 that you received when you created a Site-to-Site VPN. You can see this in the configuration file that you downloaded from the AWS Management Console.
    For Address space, enter the Amazon VPC CIDR block.
    For Autonomous System Number (ASN), enter the AWS ASN.
    For BGP peer IP address, enter the AWS BGP IP address. For more information, see step 2 of the Create a customer gateway and AWS Site-to-Site VPN connection on the AWS side section of this article.
  2. Create a Site-to-Site VPN connection with BGP turned on in the Azure portal. For more information, see Create VPN connections on the Microsoft website.
    Note: The cryptographic algorithms and pre-shared key (PSK) must be the same on both Azure and AWS.
    Phase 1 (IKE):
    Encryption: AES256      Authentication: SHA256      DH Group: 14
    Phase 2 (IPsec):
    Encryption: AES256      Authentication: SHA256      DH Group: 14 (PFS2048). The Diffie-Hellman group used in Quick Mode (Phase 2) is the PFS group that you specify in Azure.
    Lifetime: 3600s (The default on the Azure portal is 27000s. AWS supports a maximum of 3600s for the IPsec lifetime.)

Set up Active-Active BGP failover with Site-to-Site VPN between AWS and Azure

Complete the following steps:

  1. In the Azure portal, create a VPN gateway.
    For Active-active mode, choose Enabled. This provides two public IP addresses. For more information, see Create a VPN gateway on the Microsoft website.
  2. Open the Amazon VPC console.
  3. Choose Customer gateways.
  4. Enter the two public IP addresses provided on the Azure portal in step 1 to create two customer gateways.
    For BGP ASN, enter the ASN that you configured in the Azure portal.
    For Routing type, choose Dynamic.
  5. Create two Site-to-Site VPN connections that connect to either a virtual private gateway or a transit gateway. Use the following CIDR ranges for the Tunnel inside IP address ranges on Tunnel 1 of each VPN connection:
    For Site-to-Site VPN 1, use 169.254.21.0/30.
    For Site-to-Site VPN 2, use 169.254.22.0/30.
    Note: The first IP address in each range (169.254.21.1 and 169.254.22.1) is assigned to the AWS Site-to-Site VPN endpoint. Make sure that you configure the second IP address in each range (169.254.21.2 and 169.254.22.2) as the APIPA BGP IP address on Azure.
  6. Use the Azure portal to create two Azure local network gateways. For the IP addresses, use the Tunnel 1 public IP addresses from your AWS Site-to-Site VPN tunnels. Also, make sure that the ASN matches the virtual private gateway or transit gateway. For more information, see Create a VPN gateway on the Microsoft website.
  7. Use the Azure portal to create two Azure Site-to-Site VPN connections. Make sure that each connection has an Azure VPN gateway that points towards the local network gateways that you created in the preceding step.

Note: To achieve ECMP in an active-active setup, you must turn on VPN ECMP support on the transit gateway.
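The values in the single-connection and active-active procedures above must agree on both sides before the tunnels come up (inside /30 from the Azure APIPA range with AWS on .1 and Azure on .2, matching ASNs, identical PSK and algorithms, IPsec lifetime at or below the AWS maximum, distinct inside CIDRs per connection, non-overlapping VPC and virtual network CIDRs). The following is an added example, not AWS or Azure tooling, that checks those values offline; the dict key names and the sample values used to call it are assumptions.

```python
import ipaddress

# Azure-reserved APIPA range for BGP peering (169.254.21.0 - 169.254.22.255), as the page states
AZURE_APIPA_BLOCKS = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("169.254.21.0"), ipaddress.ip_address("169.254.22.255")))
AWS_MAX_IPSEC_LIFETIME = 3600  # seconds; the Azure portal default is 27000

def tunnel_inside_addresses(inside_cidr):
    """Return (aws_bgp_ip, azure_bgp_ip) for a tunnel inside /30: AWS takes .1, Azure takes .2."""
    net = ipaddress.ip_network(inside_cidr)  # strict: raises ValueError if host bits are set
    if net.prefixlen != 30 or not any(net.subnet_of(b) for b in AZURE_APIPA_BLOCKS):
        raise ValueError(f"{inside_cidr} is not a /30 inside the Azure APIPA range")
    aws_ip, azure_ip = net.hosts()  # a /30 has exactly two usable hosts
    return str(aws_ip), str(azure_ip)

def validate_connection(c):
    """Return mismatches for one VPN connection (empty list = both sides agree).
    c is a dict of the values copied between the two portals; the key names are assumed."""
    problems = []
    try:
        aws_ip, azure_ip = tunnel_inside_addresses(c["inside_cidr"])
        if (c["aws_bgp_ip"], c["azure_bgp_ip"]) != (aws_ip, azure_ip):
            problems.append(f"BGP peer IPs must be AWS={aws_ip}, Azure={azure_ip}")
    except ValueError as err:
        problems.append(str(err))
    if c["aws_cgw_asn"] != c["azure_vpngw_asn"]:
        problems.append("AWS customer gateway ASN must equal the Azure VPN gateway ASN")
    if c["azure_lng_asn"] != c["aws_gw_asn"]:
        problems.append("Azure local network gateway ASN must equal the AWS gateway ASN")
    if c["aws_psk"] != c["azure_psk"]:
        problems.append("pre-shared keys differ")
    for phase in ("ike", "ipsec"):
        if c[f"aws_{phase}"] != c[f"azure_{phase}"]:
            problems.append(f"{phase} algorithms differ between AWS and Azure")
    if c["azure_ipsec_lifetime"] > AWS_MAX_IPSEC_LIFETIME:
        problems.append(f"Azure IPsec lifetime exceeds the AWS maximum of {AWS_MAX_IPSEC_LIFETIME}s")
    return problems

def validate_active_active(conns, vpc_cidr, vnet_cidr):
    """Check the CIDR prerequisite and that the connections of an active-active pair are distinct."""
    problems = []
    if ipaddress.ip_network(vpc_cidr).overlaps(ipaddress.ip_network(vnet_cidr)):
        problems.append("Amazon VPC CIDR and Azure virtual network CIDR overlap")
    if len({c["inside_cidr"] for c in conns}) != len(conns):
        problems.append("each connection needs its own inside CIDR (169.254.21.0/30 and 169.254.22.0/30)")
    for i, c in enumerate(conns, 1):
        problems += [f"VPN {i}: {p}" for p in validate_connection(c)]
    return problems
```

Call validate_active_active with the two connection dicts and the two CIDRs; an empty list means nothing in the procedure above was copied inconsistently.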

Verify the VPN connection status

After you establish your Site-to-Site VPN configuration, confirm that the VPN Tunnel Status is UP.

On the Azure portal, verify that the VPN connection has the Succeeded status. Then, make sure that the status changes to Connected when you make a successful connection. For more information, see Verify the VPN connection.

Then, create an Amazon Elastic Compute Cloud (Amazon EC2) instance in your Amazon VPC to verify the connectivity between AWS and Azure. Connect to the Azure virtual machine (VM) private IP address, and then confirm that you established the Site-to-Site VPN connection. For more information, see Create a site-to-site VPN connection in the Azure portal on the Microsoft website.

For more information, see Test an AWS Site-to-Site VPN connection.

Note: For transit gateway VPN connections, make sure proper transit gateway attachments exist for both the VPC and Site-to-Site VPN. Then, turn on route propagation. Azure virtual network CIDR routes propagate only after you establish BGP.