Implementing Site-to-Site VPN Tunnel between Azure and AWS Cloud

Hi Friends,
This blog post is a walkthrough guide to implementing a Site-to-Site (IPsec) VPN tunnel between an Azure and an AWS cloud environment. Being a multi-cloud professional, I keep exploring different features and capabilities across cloud platforms. I recently set up an IPsec VPN tunnel between Azure and AWS, so I thought I would write a detailed post about it, and here you go.

Below are the main steps that we need to follow to achieve this.

Steps to follow:
1. Create Azure Virtual Network (VNET).
2. Create Gateway Subnet in the Virtual Network.
3. Allocate Public IP Address for the VPN gateway.
4. Create an Azure VPN Gateway.
5. Allocate an Elastic IP Address in AWS account.
6. Create Local Network Gateway in Azure.
7. Configure Site-To-Site (IPsec) VPN Connection in Azure.
8. Create a new Windows Server 2016 VM in Azure.
9. Create VPC (Virtual Private Cloud) Network in AWS Cloud.
10. Launch a Windows Server 2016 EC2 Instance (VM) in public subnet of the VPC.
11. Disable Source/Destination Check on EC2 instance.
12. Associate Elastic IP Address to the EC2 Instance.
13. Configure Route Table for AWS VPC.
14. Install and configure Windows RRAS VPN on EC2 Windows Instance.
15. Test VPN Connectivity between AWS VPC and Azure VNET.

High Level Architecture Diagram:



Step by Step Configuration:
Now let’s go ahead and start implementing the above steps practically to complete this lab deployment.

1. Create Azure Virtual Network (VNET):
I'm creating a new VNET with CIDR "192.168.0.0/16". This VNET will have three subnets, including the "GatewaySubnet" needed for the Azure VPN Gateway (added in step 2). Pick a CIDR that does not overlap with the AWS VPC CIDR; overlapping prefixes cannot be routed across the tunnel.

$Subnet1 = New-AzVirtualNetworkSubnetConfig -Name Lab-Subnet1 -AddressPrefix "192.168.1.0/24"

$Subnet2 = New-AzVirtualNetworkSubnetConfig -Name Lab-Subnet2 -AddressPrefix "192.168.2.0/24"

New-AzVirtualNetwork -Name LAB-VNET1 -ResourceGroupName LAB-RG -Location southeastasia -AddressPrefix "192.168.0.0/16" -Subnet $Subnet1, $Subnet2

2. Create Gateway Subnet in the Virtual Network:
I'm creating the "GatewaySubnet" in the above VNET. A gateway subnet is required in the VNET before an Azure VPN Gateway can be created, and it must be named exactly "GatewaySubnet"; don't name your gateway subnet anything else. Never deploy VMs or any other resources into the gateway subnet; it is reserved for the VPN Gateway. A /27 or larger is recommended so there is room for the gateway instances and for later changes such as an active-active configuration. The PowerShell cmdlets below create the gateway subnet.

$vnet = Get-AzVirtualNetwork -Name "LAB-VNET1" -ResourceGroupName LAB-RG

Add-AzVirtualNetworkSubnetConfig -Name "GatewaySubnet" -VirtualNetwork $vnet -AddressPrefix "192.168.3.0/27" | Set-AzVirtualNetwork

3. Allocate Public IP Address for the VPN gateway:
Allocate a public IP address for the Azure VPN Gateway. Run the following commands to allocate the public IP address and to create the gateway IP configuration that will be used when creating the Azure VPN Gateway.

Note: At the time of writing, the gateway's public IP had to use the Dynamic allocation method, and a Static IP address was not supported on Azure VPN gateways. Newer gateway SKUs support (and in some cases require) a Standard SKU static public IP, so check the current Azure VPN Gateway documentation for your SKU before relying on this note. Either way, the actual address is only assigned once the gateway from step 4 has finished deploying.

$gwpip = New-AzPublicIpAddress -Name GwIP -ResourceGroupName LAB-RG -Location southeastasia -AllocationMethod Dynamic

$subnet = Get-AzVirtualNetworkSubnetConfig -Name GatewaySubnet -VirtualNetwork $vnet

$gwipconf = New-AzVirtualNetworkGatewayIpConfig -Name GwIPConf -Subnet $subnet -PublicIpAddress $gwpip

4. Create an Azure VPN Gateway:
Now I'm creating a new Azure VPN Gateway using the cmdlet below (please refer to the screenshot). Gateway creation is the slow part of this lab: it can take 45 minutes or more to complete, and the gateway's public IP address is only populated once it has finished.

New-AzVirtualNetworkGateway -Name MYVPNGW -ResourceGroupName LAB-RG -Location southeastasia -IpConfigurations $gwipconf -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

5. Allocate an Elastic IP Address in AWS account:
I'm allocating a public IP address (known as an Elastic IP address in AWS) in my AWS account. This Elastic IP address will later be assigned to the EC2 instance that acts as the VPN server in the AWS environment; think of it as the on-premises VPN device's public IP address. Note that the instance itself only sees its private VPC address: the Elastic IP is a 1:1 NAT performed at the VPC edge, so the IKEv2 negotiation with Azure will detect NAT and use NAT traversal (UDP 4500) for the ESP traffic.

This Elastic IP address will be used when creating “Local Network Gateway” in Azure subscription.

6. Create Local Network Gateway in Azure:
Now I'm creating a Local Network Gateway in Azure. The Local Network Gateway is a small configuration object that represents the on-premises side of the tunnel; here it holds the Elastic IP address of the AWS EC2 instance and the VPC CIDR address prefix. The IP addresses shown are the ones from my lab; substitute your own.

New-AzLocalNetworkGateway -Name myLocalGW -ResourceGroupName LAB-RG -Location "southeastasia" -GatewayIpAddress 44.229.24.161 -AddressPrefix "172.31.0.0/16"


7. Configure Site-To-Site (IPsec) VPN Connection in Azure:
In this step, I'm creating the Site-to-Site (IPsec) VPN connection between the Azure VPN Gateway and the AWS VPC using the following PowerShell cmdlets. Keep a note of the shared key and of the public IP address of the Azure VPN Gateway; both are needed later when configuring the VPN device in AWS. The shared key shown here is a short lab placeholder. In this setup the pre-shared key is the only thing authenticating the two peers, so outside a lab use a long random value (Azure accepts between 1 and 128 printable ASCII characters) and keep it out of scripts and screenshots.

$localGW = Get-AzLocalNetworkGateway -Name myLocalGW -ResourceGroupName LAB-RG

$VPNGW = Get-AzVirtualNetworkGateway -Name MYVPNGW -ResourceGroupName LAB-RG

New-AzVirtualNetworkGatewayConnection -Name AWStoAzure -ResourceGroupName LAB-RG -Location "southeastasia" -VirtualNetworkGateway1 $VPNGW -LocalNetworkGateway2 $localGW -ConnectionType IPsec -SharedKey "Pr0perty"
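The following is an added example and not part of the original post. It is a variant of the step 7 command that generates a random pre-shared key instead of a fixed one, pins the IKE and IPsec algorithms on the Azure connection rather than accepting the gateway's default proposal set, and provides a function that waits for Azure to report the tunnel as Connected. It assumes the resource names from steps 1 to 6 (LAB-RG, MYVPNGW, GwIP, myLocalGW) and the Az.Network module; the algorithm values are my choice, and the RRAS side has to be configured with the same values or the negotiation fails.

```powershell
# Added example, not from the original post. Same resource names as steps 1-6
# (LAB-RG, MYVPNGW, GwIP, myLocalGW); the connection name AWStoAzure is kept.
$rg       = "LAB-RG"
$connName = "AWStoAzure"

# 1. 256-bit pre-shared key from the OS CSPRNG, hex-encoded so it contains nothing
#    that the Azure API or the RRAS cmdlets could interpret specially.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 32
$rng.GetBytes($bytes)
$psk   = ($bytes | ForEach-Object { $_.ToString("x2") }) -join ""

# 2. Pin the proposal for IKE (phase 1) and for the IPsec child SA (phase 2).
#    The RRAS interface must be configured with exactly these values (AES256/SHA256/
#    DH group 14 for IKE, AES256 with HMAC-SHA256-128 and PFS 2048 for ESP); a
#    mismatch shows up as a connection that never leaves NotConnected.
$policy = New-AzIpsecPolicy `
    -IkeEncryption AES256 -IkeIntegrity SHA256 -DhGroup DHGroup14 `
    -IpsecEncryption AES256 -IpsecIntegrity SHA256 -PfsGroup PFS2048 `
    -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

$vpnGw   = Get-AzVirtualNetworkGateway -Name MYVPNGW   -ResourceGroupName $rg
$localGw = Get-AzLocalNetworkGateway   -Name myLocalGW -ResourceGroupName $rg

New-AzVirtualNetworkGatewayConnection -Name $connName -ResourceGroupName $rg `
    -Location southeastasia -ConnectionType IPsec `
    -VirtualNetworkGateway1 $vpnGw -LocalNetworkGateway2 $localGw `
    -SharedKey $psk -IpsecPolicies $policy | Out-Null

# 3. Values the RRAS side needs. The gateway's public IP exists only after the
#    gateway from step 4 has finished deploying, so it is read back here.
$gwIp = (Get-AzPublicIpAddress -Name GwIP -ResourceGroupName $rg).IpAddress
Write-Host "Azure VPN gateway public IP (RRAS -Destination): $gwIp"
Write-Host "Pre-shared key (RRAS -SharedSecret)            : $psk"

# 4. Call this once the RRAS interface from step 14 has dialled in. Azure reports
#    NotConnected -> Connecting -> Connected; the byte counters only move once
#    ESP traffic actually flows through the tunnel.
function Wait-AzVpnConnection {
    param([string]$Name, [string]$ResourceGroupName, [int]$TimeoutMinutes = 10)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $c = Get-AzVirtualNetworkGatewayConnection -Name $Name -ResourceGroupName $ResourceGroupName
        Write-Host ("{0:HH:mm:ss} {1,-12} in={2}B out={3}B" -f (Get-Date), $c.ConnectionStatus,
            $c.IngressBytesTransferred, $c.EgressBytesTransferred)
        if ($c.ConnectionStatus -eq "Connected") { return $c }
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $deadline)
    throw "Connection $Name is still $($c.ConnectionStatus): check the PSK, the IKE/IPsec policy on both sides and UDP 500/4500 into the AWS instance."
}

# After step 14: wait for the tunnel and show the policy stored on the connection.
# (Wait-AzVpnConnection -Name $connName -ResourceGroupName $rg).IpsecPolicies |
#     Format-List IkeEncryption, IkeIntegrity, DhGroup, IpsecEncryption, IpsecIntegrity, PfsGroup
```

Two design points: the key is printed once so it can be copied into the RRAS configuration and is otherwise only held in the Azure connection object, and the polling reads Azure's own view of the connection state rather than trusting the RRAS side's claim that it connected. If the connection was already created with the original step 7 command, Set-AzVirtualNetworkGatewayConnection with -IpsecPolicies and Set-AzVirtualNetworkGatewayConnectionSharedKey apply the same changes in place.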


8. Create a new Windows Server 2016 VM in Azure:
I have deployed a Virtual Machine running Windows Server 2016 in Azure, this VM will be used later to test VPN connectivity between Azure VNET and AWS VPC.

9. Create VPC (Virtual Private Cloud) Network in AWS Cloud:
Starting from this step, all the configuration is on the AWS side (which mimics the on-premises network here). I have created a new VPC with CIDR "172.31.0.0/16" and a few subnets. This CIDR must not overlap with the Azure VNET CIDR (192.168.0.0/16), otherwise traffic cannot be routed across the tunnel.

10. Launch a Windows Server 2016 EC2 Instance (VM) in public subnet of the VPC:
I have launched a new EC2 instance running Windows Server 2016 in the public subnet of the above VPC. This Windows instance will act as the VPN server in the AWS VPC. Its security group must allow inbound UDP 500 and UDP 4500 (IKE and NAT-T) from the Azure VPN Gateway's public IP address; without those rules the IKE negotiation in step 14 never completes. Security groups are stateful, so no separate rule is needed for the reply packets.

11. Disable Source/Destination Check on EC2 instance:
In this step, I'm disabling the Source/Destination Check for the above EC2 instance. By default, an EC2 instance performs this check, which means the instance must be either the source or the destination of any traffic it sends or receives. Disabling this attribute lets the instance handle network traffic that isn't specifically destined for it, which is exactly what a VPN gateway does with packets from the VPC bound for Azure. Instances running as NAT devices, routers or firewalls should all have this attribute disabled.

12. Associate Elastic IP Address to the EC2 Instance:

I allocated an Elastic IP address in my AWS account in step 5; now I'm associating that Elastic IP address with the above Windows EC2 instance, which will act as the VPN server. Please refer to the screenshots below.



13. Configure Route Table for AWS VPC:
Now I'm configuring the route table of the VPC subnets so that traffic from the AWS VPC destined for the Azure VNET goes via the EC2 instance (the VPN server). The destination is the Azure VNET CIDR (192.168.0.0/16) and the target (next hop) is the Elastic Network Interface (ENI) of the Windows EC2 instance. Any other instances in the VPC that should be reachable from Azure also need security group rules permitting traffic from 192.168.0.0/16; the route alone does not open them up.
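The post performs steps 5 and 11 to 13 through the AWS console. The following is an added example, not from the original post, that does the same with the AWS Tools for PowerShell (AWS.Tools.EC2) and additionally adds the security group rules the tunnel depends on. It assumes the module is installed and that credentials and region are already configured (Set-AWSCredential / Set-DefaultAWSRegion); the instance, route table and security group IDs are placeholders, and the instance is assumed to have a single ENI.

```powershell
# Added example, not from the original post. Requires AWS.Tools.EC2 with
# credentials and region already configured. IDs below are placeholders.
$instanceId   = "i-0123456789abcdef0"    # placeholder: Windows EC2 instance (step 10)
$routeTableId = "rtb-0123456789abcdef0"  # placeholder: route table of the VPC subnets
$sgId         = "sg-0123456789abcdef0"   # placeholder: security group of that instance
$azureGwIp    = "52.187.40.190"          # Azure VPN gateway public IP (from step 4)
$azureVnet    = "192.168.0.0/16"         # Azure VNET CIDR (step 1)

# Step 11: let the instance forward packets it is neither source nor destination of.
Edit-EC2InstanceAttribute -InstanceId $instanceId -SourceDestCheck $false

# Steps 5 and 12: allocate an Elastic IP and attach it. The instance keeps its private
# address; the EIP is a 1:1 NAT at the VPC edge, so IKEv2 detects NAT and moves the
# ESP traffic to UDP 4500 (NAT-T). This public IP goes into the Azure Local Network Gateway.
$eip = New-EC2Address -Domain vpc
Register-EC2Address -InstanceId $instanceId -AllocationId $eip.AllocationId | Out-Null
Write-Host "Elastic IP for the Azure Local Network Gateway: $($eip.PublicIp)"

# Step 13: send Azure-bound traffic to the instance's primary ENI (single-ENI assumption).
$eni = Get-EC2NetworkInterface -Filter @{ Name = "attachment.instance-id"; Values = $instanceId } |
    Select-Object -First 1 -ExpandProperty NetworkInterfaceId
New-EC2Route -RouteTableId $routeTableId -DestinationCidrBlock $azureVnet -NetworkInterfaceId $eni

# Security group: only the Azure gateway may talk IKE/NAT-T to the instance, and only
# the Azure VNET prefix is admitted through the tunnel to the instance itself (ICMP here,
# for the ping test in step 15). Security groups are stateful, so replies need no rule.
$rules = @(
    @{ IpProtocol = "udp";  FromPort = 500;  ToPort = 500;  IpRanges = "$azureGwIp/32" },
    @{ IpProtocol = "udp";  FromPort = 4500; ToPort = 4500; IpRanges = "$azureGwIp/32" },
    @{ IpProtocol = "icmp"; FromPort = -1;   ToPort = -1;   IpRanges = $azureVnet }
)
Grant-EC2SecurityGroupIngress -GroupId $sgId -IpPermission $rules

# Read back what was applied so a typo in a CIDR is caught now rather than at IKE time.
(Get-EC2SecurityGroup -GroupId $sgId).IpPermissions |
    Select-Object IpProtocol, FromPort, ToPort, @{ n = "Cidr"; e = { $_.Ipv4Ranges.CidrIp -join "," } }
(Get-EC2RouteTable -RouteTableId $routeTableId).Routes |
    Select-Object DestinationCidrBlock, NetworkInterfaceId, State
```

Restricting IKE to the Azure gateway's address matters because the RRAS server authenticates peers with nothing more than the pre-shared key; exposing UDP 500/4500 to 0.0.0.0/0 invites brute-force attempts against that key. Other EC2 instances that should be reachable from the Azure VNET need their own security group rules for 192.168.0.0/16, and the Windows Firewall on each instance must allow the tested protocol (ICMPv4 echo is blocked by default on Windows Server).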

14. Install and configure Windows RRAS VPN on EC2 Windows Instance:
Connect to the Windows instance launched in step 10 above and run the cmdlet below to install the Windows RRAS/VPN features.

Install-WindowsFeature Routing, RemoteAccess, RSAT-RemoteAccess-PowerShell, DirectAccess-VPN -IncludeManagementTools




–Now open the Remote Access Management console, click on DirectAccess and VPN and then click on Run the Getting Started Wizard.
Choose the "Deploy VPN only" option in the wizard.



–The Routing and Remote Access console opens now; right-click on the server name and then click on Configure and Enable Routing and Remote Access.


–Click Next and then select “Custom configuration”.


 
–Choose VPN Access and click on the Next button.


 
–Finally click on finish button.

 
–Now open PowerShell and run the following cmdlet to create the Site-to-Site VPN interface. The Azure VPN Gateway's public IP address (-Destination) and the shared key (-SharedSecret) from step 7 are passed as parameters; the -IPv4Subnet value is the Azure VNET prefix followed by the route metric (prefix:metric) of the static route RRAS adds through this interface.

Add-VpnS2SInterface -Protocol IKEv2 -AuthenticationMethod PSKOnly -NumberOfTries 3 -ResponderAuthenticationMethod PSKOnly -Name AWS-2-Azure -Destination 52.187.40.190 -IPv4Subnet @("192.168.0.0/16:100") -SharedSecret Pr0perty

Set-VpnServerIPsecConfiguration -EncryptionType MaximumEncryption


–Run the command below to disable configuration payload negotiation. The IKEv2 configuration payload is how a remote-access client asks the peer for an internal IP address; it is not used for a site-to-site tunnel, and the Azure gateway does not hand out addresses, so the interface should not request one.

Set-VpnS2SInterface -Name AWS-2-Azure -InitiateConfigPayload $false -Force

–Now go to Network Interfaces in the Routing and Remote Access console; you will see the VPN interface that was created using the above cmdlet. In my case the interface named "AWS-2-Azure" is my S2S VPN interface.

–Go to the properties of this interface, open the "Options" tab, select "Persistent connection" and set "Redial attempts" to 0.

–Restart the RRAS service using the cmdlet below.

Restart-Service RemoteAccess

–Run the following cmdlet to connect the site-to-site (S2S) interface; it initiates the IKEv2 negotiation with the Azure gateway.

Connect-VpnS2SInterface -Name AWS-2-Azure


At this point, we have configured the IPsec VPN tunnel between the Azure VNET and the AWS VPC; the next thing is to test the traffic flow over the tunnel in both directions. We should be able to communicate over private IP addresses from the Azure VNET to the AWS VPC and vice versa.
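The post takes the tunnel as up after Connect-VpnS2SInterface returns. The following is an added example, not from the original post, to be run on the EC2 RRAS server after step 14: it pins the interface's IKE/IPsec algorithms to explicit values, dials the tunnel, waits for RRAS to actually report Connected, and then checks the route, the traffic counters and reachability of the Azure VM. It assumes the interface name from step 14; the Azure VM private IP is a placeholder. The custom policy values are only correct if the Azure connection was created with the same policy (AES256/SHA256/DH group 14 for IKE, AES256 with HMAC-SHA256-128 and PFS 2048 for ESP); if the Azure connection is on its default policy set, skip the Set-VpnS2SInterface -CustomPolicy line and keep the MaximumEncryption setting from step 14.

```powershell
# Added example, not from the original post. Run on the EC2 RRAS server after step 14.
$ifName    = "AWS-2-Azure"
$azureVmIp = "192.168.1.4"   # placeholder: private IP of the Azure VM from step 8

# A custom policy can only be applied while the interface is down. These values must
# match the policy on the Azure connection; skip this line if Azure uses its defaults.
Disconnect-VpnS2SInterface -Name $ifName -Force -ErrorAction SilentlyContinue
Set-VpnS2SInterface -Name $ifName -CustomPolicy `
    -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 `
    -CipherTransformConstants AES256 -AuthenticationTransformConstants SHA256128 `
    -PfsGroup PFS2048 -Force

Connect-VpnS2SInterface -Name $ifName

# Wait for the IKE negotiation to finish instead of assuming it did.
function Wait-VpnS2SInterfaceUp {
    param([string]$Name, [int]$TimeoutSeconds = 120)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $state = (Get-VpnS2SInterface -Name $Name).ConnectionState
        Write-Host ("{0:HH:mm:ss} {1}" -f (Get-Date), $state)
        if ($state -eq "Connected") { return $true }
        Start-Sleep -Seconds 5
    } while ((Get-Date) -lt $deadline)
    return $false
}

if (-not (Wait-VpnS2SInterfaceUp -Name $ifName)) {
    throw "Tunnel $ifName did not come up: check the PSK, that both sides use the same IKE/IPsec policy, and that UDP 500/4500 from the Azure gateway is allowed in the security group."
}

# While the interface is connected, the static route from -IPv4Subnet in step 14
# should be installed and point at the S2S interface.
Get-NetRoute -DestinationPrefix 192.168.0.0/16 -ErrorAction SilentlyContinue |
    Format-Table DestinationPrefix, InterfaceAlias, RouteMetric

# Counters move only if packets really traverse the tunnel.
Get-VpnS2SInterfaceStatistics -Name $ifName

# End-to-end check towards the Azure VM. Windows Firewall on the target must allow
# ICMPv4 echo; otherwise test a TCP port it listens on (e.g. -Port 3389).
Test-NetConnection -ComputerName $azureVmIp -InformationLevel Detailed
```

Checking ConnectionState on the RRAS side and ConnectionStatus on the Azure side together is the useful part: a tunnel that only one side believes is up usually means a proposal mismatch or a firewall dropping UDP 4500, and the two views tell you which.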

15. Test VPN Connectivity between AWS VPC and Azure VNET:
If you remember, we created an Azure VM in step 8 above. I'm logged into that Azure VM now and I can reach one of the AWS EC2 machines over its private IP address, which confirms that the VPN tunnel is up and traffic is flowing.



This lab Site-to-Site VPN tunnel isn't highly available: the single Azure gateway instance and the single EC2 RRAS instance are each a single point of failure, which is not an acceptable configuration for an enterprise production environment. If you would like to implement a highly available S2S Azure VPN tunnel in active-active mode, refer to the following Microsoft documentation.

Configure active-active S2S VPN connections with Azure VPN Gateways:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-activeactive-rm-powershell



If you are a newbie to VPN technology like me, there are great resources available to learn from. I'm listing below some of the ones I'm currently using to learn VPN fundamentals and core concepts. I hope you find them helpful.

Internet Key Exchange Protocol Version 2 (IKEv2), RFC 5996 (since obsoleted by RFC 7296, which is the current IKEv2 specification):
https://tools.ietf.org/html/rfc5996

IKEv2 Packet Exchange and Protocol Level Debugging:
https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/115936-understanding-ikev2-packet-exch-debug.html

IPsec (Internet Protocol Security):
https://networklessons.com/cisco/ccie-routing-switching/ipsec-internet-protocol-security

Azure VPN Gateway FAQ:
https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-vpn-faq

Policy-Based vs Route-Based VPNs:
https://packetlife.net/blog/2011/aug/15/policy-based-vs-route-based-vpns-part-1/

VPN encryption explained: IPSec vs SSL:
https://www.comparitech.com/blog/vpn-privacy/ipsec-vs-ssl-vpn/

SSL VPN vs IPSec VPN – Pros & Cons Of Both VPNs:
https://www.limevpn.com/ssl-vpn-vs-ipsec-vpn-pros-cons-of-both-vpns/

Understanding IPSec IKEv1 negotiation on Wireshark:
https://devcentral.f5.com/s/articles/understanding-ikev1-negotiation-on-wireshark-34187

Configuring Windows Server 2012 R2 as a Customer Gateway Device:
https://docs.aws.amazon.com/vpc/latest/adminguide/customer-gateway-windows-2012.html

Please let me know if you have any feedback on this via the comments. I will keep improving the quality of my lab configurations and anything else I post here.
