How do I use a dynamic BGP to create a VPN tunnel between AWS and Oracle Cloud Infrastructure?


I want to use a dynamic Border Gateway Protocol (BGP) to configure a virtual private network (VPN) tunnel between AWS and Oracle Cloud Infrastructure (OCI).


To configure an AWS Site-to-Site VPN tunnel between AWS and OCI, follow these steps:

  • On the OCI side, configure the virtual cloud network (VCN), subnets, and the security list and rules.
  • On the AWS side, configure the Amazon Virtual Private Cloud (Amazon VPC), subnets, and routing.

AWS configuration

  1. Open the Amazon VPC console, and then create a customer gateway. Because you don't know the IP address of the OCI VPN gateway yet, you can add any details that you like. Later, you can specify the correct customer gateway IP address and Autonomous System Number (ASN). 
    Note: You must use AWS to create the customer gateway. The Amazon VPC console allows you to make changes to your customer gateway after you configure it, and OCI doesn't.
  2. Open the Amazon VPC console, create a virtual private gateway, and then attach it to your Amazon VPC.
  3. Create a VPN connection. For Virtual private gateway, choose the name of the virtual private gateway that you created. For Customer gateway ID, choose the ID of the customer gateway that you created. For Routing Options, choose Dynamic (requires BGP). (Optional) Under Advanced Options for Tunnel 1, turn on advanced encryption algorithms.
    Important: Check that the Pre-shared key contains only letters and numbers. OCI doesn't support certain characters, and AWS doesn't support using spaces in a pre-shared key. You can also enter your own pre-shared key to make sure that it contains only letters and numbers.
  4. Download the generic Site-to-Site VPN configuration file. Use the information from this file to set up VPN tunnels in the OCI Console.
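The pre-shared key constraint in step 3 is easy to get wrong when the key is pasted between two consoles, so the following added example (written for this article, not AWS or Oracle code) validates a key against the rule the article states (letters and numbers only) and generates a compliant one with a CSPRNG. The length limits and the leading-zero rule are taken from the AWS Site-to-Site VPN tunnel options documentation and are this example's assumptions; the article itself only requires letters and numbers.

```python
"""Added example: build and check a pre-shared key that both the AWS and
the OCI Site-to-Site VPN services accept.

Rule from the article: only letters and numbers (OCI rejects some
punctuation, AWS rejects spaces). The 8-64 character length and the
"must not start with 0" checks are AWS PreSharedKey constraints and are
assumptions of this example, not something the article states.
"""
import re
import secrets
import string

ALPHANUMERIC = string.ascii_letters + string.digits
PSK_PATTERN = re.compile(r"[A-Za-z0-9]+")
MIN_LEN, MAX_LEN = 8, 64  # assumed AWS limits


def psk_problems(psk: str) -> list[str]:
    """Return every reason the key would be rejected (empty list means OK)."""
    problems = []
    if not PSK_PATTERN.fullmatch(psk):
        # Catches spaces (rejected by AWS) and punctuation such as '/', '+'
        # or '=' (the kind of characters OCI does not accept).
        problems.append("contains characters other than letters and numbers")
    if not MIN_LEN <= len(psk) <= MAX_LEN:
        problems.append(f"length {len(psk)} is outside {MIN_LEN}-{MAX_LEN}")
    if psk.startswith("0"):
        problems.append("starts with a zero")
    return problems


def generate_psk(length: int = 32) -> str:
    """Generate a random key drawn only from the alphanumeric alphabet.

    The secrets module is used so the key is unpredictable; a draw that
    happens to start with '0' is discarded and redrawn.
    """
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"length must be between {MIN_LEN} and {MAX_LEN}")
    while True:
        psk = "".join(secrets.choice(ALPHANUMERIC) for _ in range(length))
        if not psk_problems(psk):
            return psk


if __name__ == "__main__":
    for candidate in ["abc123XYZ789", "abc def123", "ab/cd+ef12", "0abcdefgh"]:
        print(f"{candidate!r}: {psk_problems(candidate) or 'OK'}")
    print("generated:", generate_psk())
```

Paste the generated value into the AWS tunnel options first and then into the OCI Show Advanced Options field, so the same string is used on both sides; `psk_problems` can be run on whatever the AWS console auto-generated before you copy it to OCI.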

OCI configuration

  1. Open the Oracle Cloud Console.
  2. Use the instructions on the Oracle website to create the customer-premises equipment. From the navigation pane, choose Networking, and then choose Customer-Premises Equipment.
  3. For Public IP address, enter the Tunnel A outside IP address from the configuration file that you downloaded.
  4. Choose Dynamic Routing Gateway, and then create a dynamic routing gateway. Attach the dynamic routing gateway to a VCN. You can either create a VCN in the Oracle Cloud Console, or attach it to an existing VCN. To find your VCNs, choose Networking from the navigation pane. Then, choose Virtual Cloud Networks.
  5. Create a Site-to-Site VPN connection in the Oracle Cloud Console. Enter the details of the customer-premises equipment and dynamic routing gateway that you created.
    Important: Before you choose Create IPSec Connection, you must configure the Tunnel1 and Tunnel2 settings. Choose Show Advanced Options, and enter the pre-shared key and BGP details from the configuration file that you downloaded. For Tunnel2, provide any information because you can't configure a second tunnel with OCI. Set the Routing Type to BGP.
  6. After you create the Site-to-Site VPN on the OCI side, you can view the Public IP address for AWS-Tunnel1. Note the IP address to use in the following steps.

Configure VPN Gateway on the Amazon VPC console

  1. Open the Amazon VPC console, and then create a customer gateway. For IP address, enter the IP address for AWS-Tunnel1. For BGP ASN, enter 31898. This is the default BGP ASN for the dynamic routing gateway.
  2. Navigate to your Site-to-Site VPN connection. Choose Actions, and then choose Modify VPN Connection. Update the target type for the customer gateway, and then choose the customer gateway.

Note: It takes a few minutes for AWS to modify and update the Site-to-Site VPN connection.

Confirm that the tunnel status is UP, and test the connection

  1. After AWS finishes modifying the Site-to-Site VPN connection, confirm that the tunnel and BGP are in the UP status. You must confirm this on both the AWS side and on the OCI side. Also, confirm that you have the correct routing. Even when the tunnel is up, neither cloud allows traffic to flow by default.
  2. On the Oracle Cloud Console, configure the security list and network security group to allow traffic to flow between OCI and AWS.
  3. On the Amazon VPC console, configure the network ACLs and security groups that are associated with your connection to allow traffic to flow between AWS and OCI.
  4. Perform a bidirectional connectivity test to check the tunnel connection between OCI and AWS. Be sure to do a ping test from AWS to OCI, and from OCI to AWS.
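Checking "tunnel UP and BGP UP" on the AWS side usually means reading the VgwTelemetry block of the DescribeVpnConnections response. The following added example (not part of the article, and not AWS code) evaluates that response shape: a tunnel only counts as usable when IPsec reports UP and BGP has accepted at least one route, and the redundancy finding reflects the article's note that a single OCI IPSec connection configures only AWS Tunnel 1. The response embedded below is a constructed sample with placeholder IDs and addresses; in practice it would come from `boto3.client("ec2").describe_vpn_connections(...)`.

```python
"""Added example: assess AWS Site-to-Site VPN tunnel and BGP state from an
EC2 DescribeVpnConnections response.

SAMPLE_RESPONSE is constructed for this example (placeholder VPN ID and
documentation-range IP addresses); only the VgwTelemetry fields used here
are included.
"""
from dataclasses import dataclass

SAMPLE_RESPONSE = {  # constructed sample, not real telemetry
    "VpnConnections": [
        {
            "VpnConnectionId": "vpn-0123456789abcdef0",  # placeholder
            "State": "available",
            "VgwTelemetry": [
                {"OutsideIpAddress": "203.0.113.10", "Status": "UP",
                 "AcceptedRouteCount": 1, "StatusMessage": ""},
                {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN",
                 "AcceptedRouteCount": 0, "StatusMessage": "IPSEC IS DOWN"},
            ],
        }
    ]
}


@dataclass
class TunnelReport:
    outside_ip: str
    ipsec_up: bool
    bgp_routes: int

    @property
    def healthy(self) -> bool:
        # IPsec UP with zero accepted routes usually means the BGP session
        # is not established (or the peer advertises nothing), so the path
        # is not usable even though the tunnel itself shows UP.
        return self.ipsec_up and self.bgp_routes > 0


def tunnel_reports(response: dict) -> list[TunnelReport]:
    """Flatten every tunnel of every connection into a TunnelReport."""
    reports = []
    for conn in response.get("VpnConnections", []):
        for t in conn.get("VgwTelemetry", []):
            reports.append(TunnelReport(
                outside_ip=t["OutsideIpAddress"],
                ipsec_up=t.get("Status") == "UP",
                bgp_routes=int(t.get("AcceptedRouteCount", 0)),
            ))
    return reports


def assess(response: dict) -> tuple[bool, list[str]]:
    """Return (at_least_one_usable_path, findings to act on)."""
    reports = tunnel_reports(response)
    findings = []
    for r in reports:
        if not r.ipsec_up:
            findings.append(f"{r.outside_ip}: IPsec DOWN")
        elif r.bgp_routes == 0:
            findings.append(f"{r.outside_ip}: IPsec UP but BGP accepted no routes")
    healthy = [r for r in reports if r.healthy]
    if len(healthy) < 2:
        findings.append(
            f"only {len(healthy)} healthy tunnel(s): no redundancy "
            "(expected with one OCI IPSec connection; see the redundancy section)"
        )
    return bool(healthy), findings


if __name__ == "__main__":
    usable, notes = assess(SAMPLE_RESPONSE)
    print("usable path:", usable)
    for note in notes:
        print(" -", note)
```

Run this against the real response for both Site-to-Site VPN connections once the redundant connection exists; the redundancy finding should then disappear, and a DOWN entry on either connection is what the OCI console should also show for that tunnel.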

Configure the redundant VPN connection between AWS and OCI

You can use only one on-premises IP address (customer gateway IP address) to configure both AWS and OCI Site-to-Site VPN services. You must repeat all the previous steps to create a second Site-to-Site VPN connection. Use one active tunnel and one duplicate tunnel so that if one tunnel goes down, the BGP routing automatically routes through the second tunnel.

AWS OFFICIAL. Updated 10 months ago.