Email: helpdesk@telkomuniversity.ac.id

This Portal for internal use only!

All Categories

All Categories

Search

0 Wishlist

Cart

Categories
More Categories Less Categories

iconTicket Service Desk

All Categories

All Categories

Search

0 Wishlist

Cart

Menu
Home/Microsoft/Dynamic Multi-Cloud Networking: Configuring a BGP-Enabled VPN Between Azure and AWS

Dynamic Multi-Cloud Networking: Configuring a BGP-Enabled VPN Between Azure and AWS

/ 2024-10-29
Dynamic Multi-Cloud Networking: Configuring a BGP-Enabled VPN Between Azure and AWS
Microsoft

Introduction

In my previous blog post, I demonstrated how to set up a basic VPN connection between Azure and AWS. This updated guide builds on that foundation by incorporating BGP (Border Gateway Protocol) to enable dynamic routing and redundancy across two VPN tunnels. By following this configuration, you can establish a more resilient multi-cloud VPN connection that supports automatic route exchanges between Azure VPN Gateway and AWS Virtual Private Gateway over IPsec tunnels. This approach ensures reliable connectivity and helps simplify network management between Azure and AWS environments.

 

Step 1: Set Up Your Azure Environment

 

1.1. Create a Resource Group

Go to Azure Portal > Resource groups > Create.
Select your subscription and region, and give the resource group a name like RG-AzureAWSVPN-BGP.

1.2. Create a Virtual Network (VNet) and Subnet

In the Azure Portal, go to Virtual Networks > Create.
Name the VNet AzureVNetBGP and specify an address space of 172.16.0.0/16.
Under Subnets, create a subnet named Subnet-AzureVPN with the address range 172.16.1.0/24.
Add a GatewaySubnet with a /27 address block (e.g., 172.16.254.0/27) for the VPN gateway.

 

1.3. Set Up the Azure VPN Gateway

Go to +Create a resource, search for Virtual Network Gateway, and select Create.
Fill in the details:

Name: AzureVPNGatewayBGP
Gateway Type: VPN
SKU: VpnGw1 (or higher for redundancy/performance).
Public IP Address: Create a new one and name it AzureVPNGatewayPublicIP.
Enable BGP: Yes.
ASN: Use an Autonomous System Number (ASN) for Azure, e.g., 65010.
Azure APIPA BGP IP Address: Use 169.254.21.2 for the first tunnel with AWS and 169.254.22.2 for the second tunnel with AWS.

Note: For this example, we’ll create an Active-Standby setup so Active-Active Mode will not be enabled. If you wanted to change from active-standby to active-active later follow this: Configure active-active VPN gateways: Azure portal – Azure VPN Gateway | Microsoft Learn.

 

 

Step 2: Set Up Your AWS Environment with BGP 

 

2.1. Create a VPC and Subnet in AWS

In the AWS Console, go to VPC > Create VPC.
Use an address space (e.g., 10.0.0.0/16) for the AWS VPC.
Under Subnets, create a subnet with a name like Subnet-AWSVPN and the address space 10.0.1.0/24 for your subnet.

2.2. Create an AWS Virtual Private Gateway (VGW)

In the AWS VPC Console, go to Virtual Private Gateway and create a new VGW named AWS-VPN-VGW-BGP.
Attach the VGW to the VPC.
During the VGW creation, set the ASN for AWS. AWS will assign one by default (e.g., 64512), but you can customize this if needed.

2.3. Set Up a Customer Gateway (CGW)

In the AWS Console, go to Customer Gateway, and create a CGW using the public IP address of the Azure VPN Gateway (obtained during the Azure VPN Gateway setup). Name it Azure-CGW-BGP.
Set the BGP ASN for the Customer Gateway to 65010, the same ASN as set in Azure.

 

 

2.4. Create the Site-to-Site VPN Connection with BGP setting

In AWS Console, go to Site-to-Site VPN Connections > Create VPN Connection.
Select the Virtual Private Gateway created earlier.
Select the Customer Gateway created earlier.
Routing Options: Select Dynamic (requires BGP) to enable dynamic routing with BGP.
Tunnels: AWS will automatically create two tunnels for redundancy.

 

 

2.4.1. Tunnel Configuration – Optional Settings

Under the Optional Tunnel Settings, configure the Inside IPv4 CIDR for each tunnel:

For Tunnel 1: Set the Inside IPv4 CIDR to 169.254.21.0/30.
For Tunnel 2: Set the Inside IPv4 CIDR to 169.254.22.0/30.

This ensures proper BGP peering between Azure and AWS for both tunnels.

 

 

 

 

2.4.3. Download the VPN Configuration File

After the VPN is set up, download the configuration file.
Select Generic for the platform and Vendor agnostic for the software.
Select IKEv2 for the IKE version.

 

Step 3: Finish the Azure Side Configuration with the two tunnels and BGP setup

 

3.1. Create Two Local Network Gateways

To support two tunnels, you will need to create two Local Network Gateways on Azure, one for each tunnel.

In the Azure Portal, go to Local Network Gateway > Create.
Local Network Gateway 1 (for the first tunnel):

ASN: Set to 64512 (AWS ASN).
BGP Peer IP Address: Enter 169.254.21.1(AWS BGP peer IP for the first tunnel).

Name: AWSLocalNetworkGatewayBGP-Tunnel1
Public IP Address: Enter the public IP for the first AWS VPN tunnel (from the configuration file).
BGP Settings: Go to the Advanced Tab, select Yes for Configure BGP Settings, then:

Note: You do not need to specify an address space when creating the Local Network Gateway. Only the public IP and BGP settings are required.

 

 

 

 

      3. Local Network Gateway 2 (for the second tunnel):

Name: AWSLocalNetworkGatewayBGP-Tunnel2
Public IP Address: Enter the public IP for the second AWS VPN tunnel.
BGP Settings: Go to the Advanced Tab, select Yes for Configure BGP Settings, then:

ASN: Set to 64512 (AWS ASN).
BGP Peer IP Address: Enter 169.254.22.1 (AWS BGP peer IP for the second tunnel).
Note: Enter the ASN first, followed by the BGP Peer IP Address in this order.

 

 

 

3.2. Create the VPN Connection for Both Tunnels

Go to Azure Portal > Virtual Network Gateway > Connections > + Add.
For the first tunnel:

Primary Custom BGP Address: Enter 169.254.21.2 for Tunnel 1.

Name: AzureAWSVPNConnectionBGP-Tunnel1
Connection Type: Site-to-site (IPsec).
Virtual Network Gateway: Select AzureVPNGatewayBGP.
Local Network Gateway: Select AWSLocalNetworkGatewayBGP-Tunnel1.
Shared Key (PSK): Use the shared key from the AWS VPN configuration file for tunnel 1.
IKE Protocol: Ensure that IKEv2 is selected.
Enable BGP: Mark the checkbox to enable.
After selecting Enable BGP, check the box for Enable Custom BGP Addresses and set:

IPSec/IKE Policy: Set this to Default.
Use Policy-Based Traffic Selector: Set to Disabled.
DPD (Dead Peer Detection) Timeout: Set the Timeout in Seconds to 45 seconds.
Connection Mode: Leave this as Default (no need to change to initiator-only or responder-only).

In about 3 minutes, you can check the VPN connection established.

 

 

 

Repeat the same process for the second tunnel:

Name: AzureAWSVPNConnectionBGP-Tunnel2
Local Network Gateway: Select AWSLocalNetworkGatewayBGP-Tunnel2.
Shared Key (PSK): Use the shared key from the AWS VPN configuration file for tunnel 2.
Enable BGP: Mark the checkbox to enable.
Check the box for Enable Custom BGP Addresses and set:

Primary Custom BGP Address: Enter 169.254.22.2 for Tunnel 2.

 

 

 

 

In about 3 minutes, you can check the VPN connection established.

 

3.3. Ensure the VPN is established

From Site-to-Site VPN connections on AWS, go to Tunnel details and check that the Tunnel 1 is UP:
      

 

      2. From Azure side, check if the status of the VPN connections is Connected:

            

 

 

In BPG peers, you can see the BGP peers and the BGP learned routes:

 

Step 4: Add Routes and Configure Security

 

4.1. AWS Route Table Configuration

In AWS Console, go to Route Tables and select the route table for your AWS VPC.
Navigate to Route Propagation and select Edit Route Propagation.
Enable route propagation to ensure that BGP dynamically propagates the routes between AWS and Azure, removing the need for manual static route entries. Almost instantaneously after enabling the route propagation, you will be able to see the new routes

 

 

 

4.2. Add an Internet Gateway (IGW)

Note: An Internet Gateway (IGW) is required for the EC2 instance to be accessible via its public IP address. Without the IGW, the EC2 instance won’t be reachable over the public internet, preventing you from logging into the EC2 using their public IP address. This is the sole purpose of deploying the IGW.

 

4.3. Set Security Group and NSG Rules

AWS Security Group: Ensure that the Security Group for the AWS EC2 instance allows ICMP (ping), SSH, and any other necessary protocols.
Azure NSG (Network Security Group): Ensure that the NSG attached to the Azure VM’s NIC allows inbound traffic from AWS for the required protocols, such as ICMP and SSH.

Step 5: Test Connectivity Between Azure and AWS VMs

To test connectivity between Azure and AWS, first deploy a virtual machine in the appropriate subnet on each cloud provider—an EC2 instance on AWS and a VM on Azure. Once both machines are running, connect to each VM using their respective public IP addresses. After logging in, use the private IP addresses of both instances to run a ping test and verify private network connectivity between them.

If you decided to not create the IGW to make the EC2 VM accessible over the internet, you can just login into the Azure VM using their public IP address and test unilaterally running the ping command against the private IP of the EC2 VM.

 

5.1. Ensure ICMP Traffic Is Allowed

Both the AWS Security Group and the Azure NSG (Network Security Group) should allow ICMP (ping) traffic for proper testing of connectivity between the virtual machines.

 

5.2. Test Connectivity with ping

From the Azure VM, ping the AWS VM using its private IP.
From the AWS VM, ping the Azure VM using its private IP.

Ensure that the pings are successful in both directions to verify that the VPN tunnels are functioning correctly.

Troubleshooting Common Issues

 

BGP Not Establishing

Double-check that the BGP peer IP addresses and ASNs are correctly configured for both tunnels.
Ensure that BGP is enabled on both the Azure Virtual Network Gateway and the AWS VPN connection.
Ensure that route propagation is enabled on AWS, allowing dynamic routes to be exchanged through BGP.

No Inbound Traffic on Azure VPN Gateway

Verify that AWS route propagation is enabled and that the Azure routes are correctly learned from AWS.
Check the NSG rules on Azure to ensure inbound traffic is allowed from AWS.

Dead Peer Detection (DPD) Issues

Mismatched DPD settings may cause tunnels to drop. Ensure that both Azure and AWS have consistent DPD configurations. The recommended DPD Timeout for both Azure and AWS is 45 seconds.

Tunnel Status Showing as Down

If one or both tunnels show as down, ensure that the IKEv2/IPsec policies match on both sides. Double-check the encryption algorithms, hashing functions, and Diffie-Hellman group settings between Azure and AWS for Phase 1 and Phase 2.
Restart the VPN connection on both Azure and AWS to re-initiate the tunnels.

Conclusion

 

By following this guide, you’ve successfully set up a VPN connection between Azure and AWS using BGP with two tunnels for redundancy. This configuration ensures robust and reliable connectivity between the two clouds, with dynamic route propagation handled by BGP. The use of managed services minimizes operational overhead and simplifies management.

 

For more advanced configurations, such as custom IPsec/IKE policies, enabling failover, or using BGP with Active-Active Mode, refer to the official documentation for Azure VPN Gateway.

 

​Microsoft Tech Community – Latest Blogs –Read More 

Tags:

Related posts

Announcing the General Availability of Windows Server IoT 2025!
2024-11-05

Announcing the General Availability of Windows Server IoT 2025!

Power Automate to update columns for content stored in a document library
2024-11-05

Power Automate to update columns for content stored in a document library

America’s Partner Blog | Partners Make More Possible: Education
2024-11-05

America’s Partner Blog | Partners Make More Possible: Education

Leave a Reply

Your email address will not be published. Required fields are marked *

Adobe
Google for Education
IBM
Matlab
Microsoft
Wordpress
Visual Paradigm
Opensource

Portal Application Package Repository Telkom University, for internal use only, empower civitas academica in study and research.

Information

Contact Us

Copyright © Telkom University. All Rights Reserved. ch