How to easily set up a VPN between Azure and AWS using managed services (Updated 2024)

  • Thread starter Thread starter rmmartins
  • Start date Start date
R

rmmartins

Introduction


Setting up a secure VPN connection between Azure and AWS doesn’t have to be complicated. In this guide, we’ll demonstrate an easy and straightforward method to establish a multicloud static VPN using only managed services—no need to manage virtual machines or third-party appliances. This method provides a quick and reliable way to connect Azure VPN Gateway and AWS Virtual Private Gateway over IPsec tunnels (without BGP config), ensuring secure communication between the two environments.


This post is an updated version of a similar guide I published three years ago, reflecting changes in services and adding valuable troubleshooting tips to streamline the process.



rmmartins_0-1729815761706.png


For more advanced scenarios, such as integrating dynamic routing with BGP (Border Gateway Protocol) to support automatic route exchanges, we recommend referring to the official Azure VPN Gateway Documentation for in-depth guidance.


Step 1: Set Up Your Azure Environment


1.1. Create a Resource Group

  1. Go to Azure Portal > Resource groups > Create.
  2. Select your subscription and region, and give the resource group a name like RG-AzureAWSVPN.

1.2. Create a Virtual Network (VNet) and Subnet

  1. In the Azure Portal, go to Virtual Networks > Create.
  2. Name the VNet AzureVNet and specify an address space of 172.16.0.0/16.
  3. Under Subnets, create a subnet named Subnet-AzureVPN with the address range 172.16.1.0/24.
  4. Add a GatewaySubnet with a /27 address block (e.g., ) for the VPN gateway.

rmmartins_2-1729815841704.png



1.3. Set Up the Azure VPN Gateway

  1. Go to +Create a resource, search for Virtual Network Gateway, and select Create.
  2. Fill in the details:
    • Name: AzureVPNGateway
    • Gateway Type: VPN
    • SKU: VpnGw1 (or higher if needed)
    • Public IP Address: Create a new one and name it AzureVPNGatewayPublicIP.
    • Active-Active Mode: Leave disabled unless high availability is required.
      • If you need to ensure High Availability, enabling the Active-Active mode will made needed the following additional configurations on the Azure side:
        • Create a second Public IP Address for the Virtual Network Gateway
        • Create a second Local Network Gateway pointing to the public IP address of the Tunnel 2 on AWS side
        • Create a second VPN connection pointing to the Tunnel 2 on AWS side
    • Configure BGP: Leave disabled for this lab

This process can take up to 30 minutes.


rmmartins_3-1729816091284.png



Step 2: Set Up Your AWS Environment


2.1. Create a VPC and Subnet in AWS

  1. In the AWS Console, go to VPC > Create VPC.
  2. Use an address space (e.g., 10.0.0.0/16) for the AWS-VPC.

    rmmartins_4-1729816152081.png

3. Under Subnets, create a subnet with a name like Subnet-AWSVPN and the address space 10.0.1.0/24 for your subnet.


rmmartins_5-1729816232927.png


2.2. Create an AWS Virtual Private Gateway (VGW)

  1. In the AWS VPC Console, go to Virtual Private Gateway and create a new VGW named AWS-VPN-VGW.

rmmartins_9-1729816826025.png



2. Attach the VGW to the VPC.

rmmartins_7-1729816345113.png

rmmartins_8-1729816462363.png


2.3. Set Up a Customer Gateway (CGW)

  1. In the AWS Console, go to Customer Gateway, and create a CGW using the public IP of the Azure VPN Gateway. Name it Azure-CGW.

rmmartins_10-1729816889857.png


2.4. Create the Site-to-Site VPN Connection

  1. In AWS Console, go to Site-to-Site VPN Connections > Create VPN Connection.
  2. Select the Virtual Private Gateway created earlier.
  3. Select the Customer Gateway created earlier.
  4. Set Routing as Static, and define the Azure VNet subnet (172.16.1.0/24) as the static route.

    rmmartins_11-1729816938970.png

  5. Download the VPN Configuration File
    1. After the VPN is set up, download the configuration file.
    2. Select Generic for the platform and Vendor agnostic for the software.
    3. Select IKEv2 for the IKE version.

rmmartins_12-1729817058086.png



rmmartins_13-1729817076237.png


2.5. Enable Route Propagation

After creating the VPN connection, go to Route Tables > Select the existing route table > Route Propagation > Edit Route Propagation, and enable propagation for the VGW.



rmmartins_14-1729817161288.png





rmmartins_15-1729817168755.png



Step 3: Finish the Azure Side Configuration


3.1. Create the Local Network Gateway

  1. In the Azure Portal, go to Local Network Gateway > Create.
  2. Name the gateway AWSLocalNetworkGateway, and enter the public IP of the AWS VPN tunnel (from the configuration file).
  3. Set the AWS VPC CIDR block (e.g., 10.0.0.0/16) as the address space.
  4. In the next tab (Advanced), leave the option Configure BGP Settings defined to No

rmmartins_16-1729817221862.png


rmmartins_17-1729817247713.png



3.2. Create the VPN Connection

  1. Go to Azure Portal > Virtual Network Gateway > Connections > + Add.
  2. Configure the connection:
    • Name: AzureAWSVPNConnection
    • Connection Type: Site-to-site (IPsec).
    • Virtual Network Gateway: Select AzureVPNGateway.
    • Local Network Gateway: Select AWSLocalNetworkGateway.
    • Shared Key (PSK): Use the shared key from the AWS VPN configuration file.
    • IKE Protocol: Set to IKEv2.
    • IPsec/IKE Policy: Use Default, or configure custom policies per AWS (AES128, SHA1, DH Group 2).
    • DPD Timeout: Set to 45 seconds.
    • Connection Mode: Leave as Default unless specific behavior is required.



rmmartins_18-1729817282983.png



rmmartins_19-1729817306966.png



Step 4: Add Routes and Configure Security


4.1. Check the Route for Azure Subnets in AWS Route Table

  1. In the AWS Console, go to VPC > Route Tables.
  2. Check if the AWS Route Table has a route for the Azure VNet subnet (172.16.1.0/24) with the VGW as the target. If the route propagation enabled before was done correctly, you should be able to see the routes to Azure subnet (172.16.1.0/24) automatically added:

rmmartins_20-1729817394673.png



4.2. Add an Internet Gateway (IGW)


To test connectivity between Azure and AWS, first deploy a virtual machine in the appropriate subnet on each cloud provider—an EC2 instance on AWS and a VM on Azure. Once both machines are running, connect to each VM using their respective public IP addresses. After logging in, use the private IP addresses of both instances to run a ping test and verify private network connectivity between them.

An Internet Gateway (IGW) is required for the EC2 instance to be accessible via its public IP address. Without the IGW, the EC2 instance won’t be reachable over the public internet, preventing you from running the connectivity test using the private IP address. This is the sole purpose of deploying the IGW.



  1. Create an IGW: In the AWS Console, go to VPC > Internet Gateways and create an IGW named AWS-IGW, then attach it to the AWS VPC.
  2. Update Route Table: Add a route to 0.0.0.0/0 pointing to the IGW for external connectivity.

    rmmartins_22-1729817472593.png


After adding the new route, you should have 3 routes as below:


rmmartins_23-1729817506455.png



4.3. Set Security Group and NSG Rules

  1. AWS Security Group: Ensure the Security Group for the AWS EC2 instance allows ICMP (ping) and other protocols (e.g., SSH) from Azure.
  2. Azure NSG: Similarly, ensure the NSG attached to the Azure VM’s NIC allows inbound traffic from AWS.



Step 5: Test Connectivity Between Azure and AWS VMs


5.1. Ensure the VPN is established

1. From Site-to-Site VPN connections on AWS, go to Tunnel details and check that the Tunnel 1 is UP:


rmmartins_24-1729817572972.png



  1. From Azure side, check if the status of the VPN connection is Connected:


rmmartins_25-1729817624386.png



5.2. Ensure ICMP Traffic Is Allowed


Both the AWS Security Group and Azure NSG should allow ICMP (ping) traffic.



5.3. Test Connectivity with ping

  1. From the Azure VM, ping the AWS VM using its private IP:

rmmartins_26-1729817685101.png



2. From the AWS VM, ping the Azure VM using its private IP:



rmmartins_27-1729817685110.png



Troubleshooting Common Issues


1. Missing Static Route in AWS VPN

  • Ensure that the static route for the Azure VNet subnet (172.16.1.0/24) is added in the AWS VPN configuration. Without this route, AWS will not know to send traffic to Azure through the VPN.

2. No Inbound Traffic on Azure VPN Gateway

  • If Azure VPN Gateway shows data out but no data in, check the AWS route table and ensure the correct static route to the Azure subnet exists.

3. Custom IPsec/IKE Policies

  • If the default policies aren’t working, apply custom IPsec/IKE policies based on AWS configuration (AES128, SHA1, DH Group 2 for Phase 1 and Phase 2).

4. Further Troubleshooting




Conclusion


By following this guide, you’ve successfully set up a VPN connection between Azure and AWS using managed services. Ensuring that the route for Azure’s subnet is added to the AWS Route Table is crucial for proper communication between the two clouds. If you need more advanced configurations, such as BGP for dynamic routing, consult the Azure VPN Gateway documentation.

Continue reading...
 
Back
Top