HA Site-to-Site VPN Between GCP and Azure Cloud (Dynamic Routing)
Aslam Chandio
Cloud Engineer || 3x GCP Certified || 6x Azure Certified || 1x AWS Certified || 1x VMware Certified || Docker & Kubernetes|| Terraform || Linux || MCSA Certified ||
This tutorial demonstrates how to create highly available (HA) virtual private network (VPN) connections between Google Cloud and Microsoft Azure. You can use these HA VPN connections for direct communication between Virtual Private Cloud (VPC) networks in Google Cloud and virtual networks behind Microsoft Azure Virtual Network Gateways. This document assumes that you're familiar with the basic concepts of VPC networks, Border Gateway Protocol (BGP), VPNs, and Internet Protocol Security (IPsec) tunnels.
Architecture overview
The architecture described in this document includes the following components:
- Cloud Router: A fully distributed and managed Google Cloud service to provide dynamic routing using BGP for your VPC networks.
- HA VPN gateway: A Google-managed VPN gateway running on Google Cloud. Each HA VPN gateway is a regional resource with two interfaces, interface 0 and interface 1, each with its own external IP address.
- VPN tunnels: Connections from the HA VPN gateway to the peer VPN gateway on Azure through which encrypted traffic passes.
- Peer VPN gateway: The two Azure Site-to-Site VPN endpoints, that is, the two public IP addresses of the active-active Azure virtual network gateway.
Objectives
- Create a VPC network on Google & Azure Cloud.
- Create an HA VPN gateway and Cloud Router on Google Cloud.
- Create two local network gateways on Azure Cloud.
- Create a VPN (Virtual Network Gateway) connection with dynamic routing on Azure.
- Create an external VPN gateway and VPN tunnels on Google Cloud.
- Verify and test the VPN connection between VPC networks on Google and Azure Cloud.
Step 1 — Create a VPC on Google Cloud
VPC on Google Cloud: nw1-vpc
gcloud compute networks create nw1-vpc \
--subnet-mode=custom \
--bgp-routing-mode=global
gcloud compute networks subnets create nw1-vpc-sub1-us-central1 \
--network nw1-vpc \
--range 10.30.1.0/24 \
--region us-central1 \
--enable-flow-logs \
--enable-private-ip-google-access
gcloud compute networks subnets create nw1-vpc-sub2-us-east4 \
--network nw1-vpc \
--range 10.30.2.0/24 \
--region us-east4 \
--enable-flow-logs \
--enable-private-ip-google-access
gcloud compute networks subnets create nw1-vpc-sub3-euro-west2 \
--network nw1-vpc \
--range 10.30.3.0/24 \
--region europe-west2 \
--enable-flow-logs \
--enable-private-ip-google-access
gcloud compute networks list
gcloud compute networks describe nw1-vpc
gcloud compute networks subnets list --filter network:nw1-vpc
Firewall on GCP
gcloud compute firewall-rules create nw1-vpc-ssh-allow \
--network nw1-vpc \
--action allow \
--direction ingress \
--rules tcp:22,icmp \
--source-ranges 39.51.76.162/32 \
--priority 1000 \
--enable-logging \
--target-tags nw1-vpc-ssh-allow
gcloud compute firewall-rules create nw1-vpc-internal-allow \
--network nw1-vpc \
--action allow \
--direction ingress \
--rules tcp,udp,icmp,ipip \
--source-ranges 10.30.0.0/16 \
--priority 1100
gcloud compute firewall-rules list --filter network:nw1-vpc
Step 2 — Create two VMs (public and private) on the GCP side
gcloud compute instances create nw1vpc-publicvm1 \
--image-family ubuntu-2204-lts \
--image-project ubuntu-os-cloud \
--boot-disk-size 20GB \
--subnet nw1-vpc-sub1-us-central1 \
--private-network-ip 10.30.1.10 \
--zone us-central1-b \
--project dev-project-7144 \
--tags nw1-vpc-ssh-allow
gcloud compute instances create nw1vpc-privatevm2 \
--image-family centos-7 \
--image-project centos-cloud \
--boot-disk-size 20GB \
--subnet nw1-vpc-sub3-euro-west2 \
--private-network-ip 10.30.3.30 \
--zone europe-west2-c \
--project dev-project-7144 \
--no-address
Step 3 — Create a VNet on Azure Cloud
VNet
az group create --name prod-rg --location eastus
az network vnet create -g prod-rg \
  -n Prod_vNet_EastUS \
  --address-prefix 10.150.0.0/16 \
  --subnet-name Prod-vNet-Subnet1 \
  --subnet-prefix 10.150.10.0/24
az network vnet subnet create -g prod-rg \
--vnet-name Prod_vNet_EastUS \
--name Prod-vNet-Subnet2 \
--address-prefixes 10.150.20.0/24
az network vnet subnet create -g prod-rg \
--vnet-name Prod_vNet_EastUS \
--name GatewaySubnet \
--address-prefixes 10.150.25.0/27
NSG Firewall on Azure
az network nsg create --resource-group prod-rg --name prod-public-nsg --location eastus
az network nsg create --resource-group prod-rg --name prod-private-nsg --location eastus
az network vnet subnet update --resource-group prod-rg \
  --vnet-name Prod_vNet_EastUS --name Prod-vNet-Subnet1 --network-security-group prod-public-nsg
az network vnet subnet update --resource-group prod-rg \
  --vnet-name Prod_vNet_EastUS --name Prod-vNet-Subnet2 --network-security-group prod-private-nsg
NSG Rule on Prod-Public-NSG
az network nsg rule create -g prod-rg --nsg-name prod-public-nsg -n ssh-allow --priority 100 \
  --source-address-prefixes 39.51.76.162/32 --source-port-ranges '*' \
  --destination-address-prefixes 10.150.10.0/24 --destination-port-ranges 22 --access Allow \
  --protocol Tcp --direction Inbound --description "Allow SSH (22) from a specific source IP range to the public subnet."
NSG Rules on Prod-Private-NSG
az network nsg rule create -g prod-rg --nsg-name prod-private-nsg -n all-deny --priority 500 \
  --source-address-prefixes '*' --source-port-ranges '*' \
  --destination-address-prefixes '*' --destination-port-ranges '*' --access Deny \
  --protocol Tcp --direction Inbound --description "Deny inbound TCP except from the public subnet (allowed by the higher-priority rule)."
az network nsg rule create -g prod-rg --nsg-name prod-private-nsg -n ssh-allow --priority 100 \
  --source-address-prefixes 10.150.10.0/24 --source-port-ranges '*' \
  --destination-address-prefixes 10.150.20.0/24 --destination-port-ranges 22 --access Allow \
  --protocol Tcp --direction Inbound --description "Allow SSH (22) from the public subnet to the private subnet."
az network nsg rule list --resource-group prod-rg --nsg-name prod-public-nsg -o table
az network nsg rule list --resource-group prod-rg --nsg-name prod-private-nsg -o table
Step 4 — Create two VMs (public and private) on the Azure side
Public & Private Keys
ssh-keygen \
  -m PEM \
  -t rsa \
  -b 4096 \
  -f ~/.ssh/my-keys
Public-VM
az vm create \
  --resource-group prod-rg \
  --name public-linux \
  --image Canonical:0001-com-ubuntu-server-jammy:22_04-lts-gen2:latest \
  --vnet-name Prod_vNet_EastUS \
  --subnet Prod-vNet-Subnet1 \
  --nsg "" \
  --public-ip-sku Standard \
  --public-ip-address-allocation static \
  --public-ip-address publiclinuxvm-pip \
  --private-ip-address 10.150.10.4 \
  --admin-username azureuser \
  --os-disk-name publiclinuxvm-disk \
  --os-disk-size-gb 30 \
  --size Standard_B1ms \
  --ssh-key-value ~/.ssh/my-keys.pub
Private-VM
# The private VM gets 10.150.20.20, which lies in Prod-vNet-Subnet2 (10.150.20.0/24),
# so it must be placed in that subnet; no public IP is attached.
az vm create \
  --resource-group prod-rg \
  --name private-linux \
  --image Canonical:0001-com-ubuntu-server-jammy:22_04-lts-gen2:latest \
  --vnet-name Prod_vNet_EastUS \
  --subnet Prod-vNet-Subnet2 \
  --nsg "" \
  --public-ip-address "" \
  --private-ip-address 10.150.20.20 \
  --admin-username azureuser \
  --os-disk-name privatelinuxvm-disk \
  --os-disk-size-gb 30 \
  --size Standard_B1ms \
  --ssh-key-value ~/.ssh/my-keys.pub
Step 5 — Create an HA VPN gateway and Cloud Router on Google Cloud
gcloud compute routers create vpn-gcp-router \
--project dev-project-7144 \
--region us-central1 \
--network nw1-vpc \
--asn 64514
gcloud compute routers list
gcloud compute routers describe vpn-gcp-router --region us-central1
gcloud compute vpn-gateways create gcp-vpngw \
--network nw1-vpc \
--region us-central1 \
--stack-type IPV4_ONLY
gcloud compute vpn-gateways list
gcloud compute vpn-gateways describe gcp-vpngw --region us-central1
Cloud Router summary
Name: vpn-gcp-router
Network: nw1-vpc
Region: us-central1
Google ASN: 64514
Note: public IP addresses of the GCP HA VPN gateway
INTERFACE0: 35.242.107.4
INTERFACE1: 34.157.237.227
Note: whether one or both interfaces are used depends on how many tunnels you create on Google Cloud; this tutorial creates two tunnels, one per interface, for HA.
HA VPN gateway summary
VPN gateway name: gcp-vpngw
Network: nw1-vpc
Region: us-central1
Step 6 — Create a Virtual Network Gateway on Azure Cloud
Name: azure-vpngw
Region: eastus
Gateway type: VPN
VPN type: Route-based
SKU: VpnGw2AZ (alternatives: VpnGw2, VpnGw3, VpnGw4, VpnGw5, VpnGw3AZ)
Note: choose whichever SKU fits your requirements.
Generation: Generation2
Virtual network: Prod_vNet_EastUS
Gateway subnet address range: GatewaySubnet (10.150.25.0/27)
Public IP address: vng-pip1 (Standard, Static, Zone-redundant)
Second public IP address: vng-pip2 (Standard, Static, Zone-redundant)
Enable active-active mode: Enabled
Autonomous system number (ASN): 65515 (Azure ASN)
Custom Azure APIPA BGP IP address: 169.254.21.1
Second custom Azure APIPA BGP IP address: 169.254.22.1
Note: The valid ranges for Azure APIPA BGP IP addresses are 169.254.21.* and 169.254.22.*.
View and record the external IP addresses for the active-active VPN gateway
- On the Overview page for the active-active gateway that you just created, locate the external IP addresses for the gateway.
- Record the IP addresses that you see on the screen:
  - Record the first external IP address as AZURE_GW_IP_0.
  - Record the second external IP address as AZURE_GW_IP_1.
Later on, this document refers to these IP addresses as AZURE_GW_IP_0 and AZURE_GW_IP_1.
AZURE_GW_IP_0 (vng-pip1): 20.121.88.206 (INTERFACE0)
AZURE_GW_IP_1 (vng-pip2): 20.85.207.207 (INTERFACE1)
Azure BGP peer IP address for tunnel 0 (APIPA): 169.254.21.1
Azure BGP peer IP address for tunnel 1 (APIPA): 169.254.22.1
Step 7 — Create an external VPN gateway on Google Cloud
Template (substitute your own gateway name and the two Azure public IP addresses):
gcloud compute external-vpn-gateways create AZURE_GW_NAME \
    --interfaces 0=AZURE_GW_IP_0,1=AZURE_GW_IP_1
With the values recorded in Step 6:
AZURE_GW_IP_0 (vng-pip1): 20.121.88.206 (INTERFACE0)
AZURE_GW_IP_1 (vng-pip2): 20.85.207.207 (INTERFACE1)
gcloud compute external-vpn-gateways create azure-peer-side \
    --interfaces 0=20.121.88.206,1=20.85.207.207
gcloud compute external-vpn-gateways list
gcloud compute external-vpn-gateways describe azure-peer-side
Step 8 — Create two VPN tunnels on Google Cloud
Add the first VPN tunnel, gcp-azure-tunnel-0 (HA VPN interface 0 to Azure interface 0):
gcloud compute vpn-tunnels create gcp-azure-tunnel-0 \
    --peer-external-gateway=azure-peer-side \
    --peer-external-gateway-interface=0 \
    --region=us-central1 \
    --ike-version=2 \
    --shared-secret=Abcd1234 \
    --router=vpn-gcp-router \
    --vpn-gateway=gcp-vpngw \
    --interface=0
Add the second VPN tunnel, gcp-azure-tunnel-1 (HA VPN interface 1 to Azure interface 1):
gcloud compute vpn-tunnels create gcp-azure-tunnel-1 \
    --peer-external-gateway=azure-peer-side \
    --peer-external-gateway-interface=1 \
    --region=us-central1 \
    --ike-version=2 \
    --shared-secret=Abcd1234 \
    --router=vpn-gcp-router \
    --vpn-gateway=gcp-vpngw \
    --interface=1
gcloud compute vpn-tunnels list
gcloud compute vpn-tunnels describe gcp-azure-tunnel-0
gcloud compute vpn-tunnels describe gcp-azure-tunnel-1
Step 9 — Create Two Interfaces in Cloud Router on Google Cloud.
gcloud compute routers add-interface vpn-gcp-router \
? --interface-name=if-tunnel0-to-gcp-azure \
? --vpn-tunnel=gcp-azure-tunnel-0 \
? --ip-address=169.254.21.2 \
? --mask-length 30 \
? --region=us-central1
gcloud compute routers add-interface vpn-gcp-router \
  --interface-name=if-tunnel1-to-gcp-azure \
  --vpn-tunnel=gcp-azure-tunnel-1 \
  --ip-address=169.254.22.2 \
  --mask-length 30 \
  --region=us-central1
Cloud Router BGP IP addresses (GCP side, link-local)
— GCP side, tunnel 0: 169.254.21.2
— GCP side, tunnel 1: 169.254.22.2
Step 10 — Create two BGP sessions in Cloud Router on Google Cloud
gcloud compute routers add-bgp-peer vpn-gcp-router \
  --peer-name=bgp-peer-connection1 \
  --peer-asn=65515 \
  --interface=if-tunnel0-to-gcp-azure \
  --peer-ip-address=169.254.21.1 \
  --region=us-central1
gcloud compute routers add-bgp-peer vpn-gcp-router \
  --peer-name=bgp-peer-connection2 \
  --peer-asn=65515 \
  --interface=if-tunnel1-to-gcp-azure \
  --peer-ip-address=169.254.22.1 \
  --region=us-central1
BGP peer IP addresses (Azure side, link-local)
— Azure side, tunnel 0: 169.254.21.1
— Azure side, tunnel 1: 169.254.22.1
gcloud compute vpn-gateways describe gcp-vpngw --region us-central1
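The BGP addressing in Steps 6, 9 and 10 has two constraints that are easy to get wrong: the Azure APIPA address must fall in 169.254.21.* or 169.254.22.*, and the Cloud Router interface address must share the /30 with its Azure peer without using the network or broadcast address. The POSIX shell check below is an added example, not part of the original article; it validates a pair the way this tutorial assigns them (169.254.21.1/169.254.21.2 and 169.254.22.1/169.254.22.2).

```shell
#!/bin/sh
# Added example (not from the original article): sanity-check one BGP
# peer pair before creating the Cloud Router interface and BGP session.

# Convert a dotted-quad IPv4 address to an integer.
ip_to_int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# check_bgp_pair <azure_apipa_ip> <gcp_router_ip> <mask_len>
# Returns 0 when the Azure address is in an allowed APIPA range and both
# addresses are distinct usable hosts inside the same /<mask_len>.
check_bgp_pair() {
  azure=$1; gcp=$2; mask=$3
  case $azure in
    169.254.21.*|169.254.22.*) ;;
    *) echo "FAIL: $azure is outside 169.254.21.0/24 and 169.254.22.0/24"; return 1 ;;
  esac
  a=$(ip_to_int "$azure"); g=$(ip_to_int "$gcp")
  netmask=$(( (0xFFFFFFFF << (32 - mask)) & 0xFFFFFFFF ))
  low=$(( a & netmask ))                       # network address
  high=$(( low | (~netmask & 0xFFFFFFFF) ))    # broadcast address
  if [ $(( g & netmask )) -ne "$low" ]; then
    echo "FAIL: $azure and $gcp are not in the same /$mask"; return 1
  fi
  if [ "$a" -eq "$g" ]; then
    echo "FAIL: both ends use $azure"; return 1
  fi
  for ip in "$a" "$g"; do
    if [ "$ip" -eq "$low" ] || [ "$ip" -eq "$high" ]; then
      echo "FAIL: network or broadcast address used in /$mask"; return 1
    fi
  done
  echo "OK: $azure <-> $gcp inside /$mask"
  return 0
}

# The two pairs used in this tutorial (tunnel 0 and tunnel 1).
check_bgp_pair 169.254.21.1 169.254.21.2 30
check_bgp_pair 169.254.22.1 169.254.22.2 30
```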
Step 11 — Create two local network gateways on Azure Cloud
Name: local-gw1
Endpoint: IP address
IP address: 35.242.107.4 (GCP HA VPN gateway INTERFACE0)
Address space(s): 10.30.0.0/16 (GCP VPC subnets CIDR)
Configure BGP settings: Yes
Autonomous system number (ASN): 64514 (GCP Cloud Router ASN)
BGP peer IP address: 169.254.21.2 (Cloud Router BGP IP address for tunnel 0)
Name: local-gw2
Endpoint: IP address
IP address: 34.157.237.227 (GCP HA VPN gateway INTERFACE1)
Address space(s): 10.30.0.0/16 (GCP VPC subnets CIDR)
Configure BGP settings: Yes
Autonomous system number (ASN): 64514 (GCP Cloud Router ASN)
BGP peer IP address: 169.254.22.2 (Cloud Router BGP IP address for tunnel 1)
Step 12 — Create two connections on Azure Cloud
Connection type: Site-to-site (IPsec)
Name: azure-gcp-connection1
Region: eastus
Virtual network gateway: azure-vpngw
Local network gateway: local-gw1
The values below are taken from Step 8:
Shared key (PSK): Abcd1234
IKE protocol: IKEv2
Enable BGP: Yes (select the check box)
Connection type: Site-to-site (IPsec)
Name: azure-gcp-connection2
Region: eastus
Virtual network gateway: azure-vpngw
Local network gateway: local-gw2
The values below are taken from Step 8:
Shared key (PSK): Abcd1234
IKE protocol: IKEv2
Enable BGP: Yes (select the check box)
GCP Side Connection Established
Azure Side Connection Established
Check the BGP session status on Google Cloud with:
gcloud compute routers get-status vpn-gcp-router \
   --region=us-central1 \
   --format='flattened(result.bgpPeerStatus[].name,
     result.bgpPeerStatus[].ipAddress, result.bgpPeerStatus[].peerIpAddress)'
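Seeing both connections as established is not enough for an HA setup: both BGP sessions must be UP, otherwise the link is silently running on one tunnel. The check below is an added example (not from the original article) that parses the flattened get-status output, here fed with constructed sample output so it runs offline, and fails when any expected peer is missing or not UP.

```shell
#!/bin/sh
# Added example (not from the original article). Constructed samples in the
# format printed by:
#   gcloud compute routers get-status vpn-gcp-router --region=us-central1 \
#     --format='flattened(result.bgpPeerStatus[].name,result.bgpPeerStatus[].status)'
SAMPLE_HEALTHY='result.bgpPeerStatus[0].name:   bgp-peer-connection1
result.bgpPeerStatus[0].status: UP
result.bgpPeerStatus[1].name:   bgp-peer-connection2
result.bgpPeerStatus[1].status: UP'

SAMPLE_DEGRADED='result.bgpPeerStatus[0].name:   bgp-peer-connection1
result.bgpPeerStatus[0].status: UP
result.bgpPeerStatus[1].name:   bgp-peer-connection2
result.bgpPeerStatus[1].status: DOWN'

# check_bgp_peers "<flattened get-status output>" "<peer1>,<peer2>,..."
# Returns 0 only when every named peer appears with status UP. One session
# DOWN means traffic may still flow, but the HA pair has lost redundancy.
check_bgp_peers() {
  printf '%s\n' "$1" | awk -v want="$2" '
    NF >= 2 {
      idx = $1; sub(/^.*\[/, "", idx); sub(/].*$/, "", idx)   # list index
      key = $1; sub(/^.*]\./, "", key); sub(/:$/, "", key)    # name|status
      if (key == "name")   name[idx] = $2
      if (key == "status") status[idx] = $2
    }
    END {
      n = split(want, w, ","); bad = 0
      for (k = 1; k <= n; k++) {
        found = 0
        for (i in name) if (name[i] == w[k]) {
          found = 1
          if (status[i] != "UP") { print "peer " w[k] " status: " status[i]; bad = 1 }
        }
        if (!found) { print "peer " w[k] " missing from status output"; bad = 1 }
      }
      if (!bad) print "all BGP sessions UP"
      exit bad
    }'
}

# Live use: check_bgp_peers "$(gcloud ... --format='flattened(...)')" "<peers>"
check_bgp_peers "$SAMPLE_HEALTHY"  "bgp-peer-connection1,bgp-peer-connection2"
check_bgp_peers "$SAMPLE_DEGRADED" "bgp-peer-connection1,bgp-peer-connection2"
```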
Step 13 — Update Firewall Rule in GCP Cloud (nw1-vpc)
gcloud compute firewall-rules create nw1-vpc--azurevpn-allow \
    --network nw1-vpc \
    --action allow \
    --direction ingress \
    --rules tcp,udp,icmp,ipip \
    --source-ranges 10.150.0.0/16 \
    --priority 1500
Step 14 — Test connectivity
On the GCP VM
The GCP public VM can ping and SSH to both the private and the public VM in Azure.
On the Azure VM
Problem
The Azure VM cannot ping or SSH to another VPC peered with the GCP VPC, because VPC peering does not support transitive peering relationships.
Step 15 — Create a database on Google Cloud
Create private services access
gcloud compute addresses create google-managed-services-nw1-vpc \
? ? --global \
? ? --purpose=VPC_PEERING \
? ? --addresses=10.88.0.0 \
? ? --prefix-length=16 \
? ? --description="DESCRIPTION" \
? ? --network=nw1-vpc
gcloud services vpc-peerings connect \
? ? --service=servicenetworking.googleapis.com \
? ? --ranges=google-managed-services-nw1-vpc \
? ? --network=nw1-vpc \
? ? --project=prod-project-335577
gcloud services vpc-peerings list --network=nw1-vpc
gcloud sql instances create prod-mysql \
--database-version=MYSQL_8_0 \
--cpu=1 \
--memory=4GB \
--availability-type=REGIONAL \
--region=us-central1 \
--root-password=Abcde12345 \
--no-assign-ip \
--network=nw1-vpc \
--enable-bin-log
Cloud SQL database access from the GCP VPC (nw1-vpc, 10.30.0.0/16)
Cloud SQL database access from the Azure VNet (10.150.0.0/16)
The Azure VM cannot reach the Cloud SQL database at this point, because VPC peering does not support transitive peering relationships.
Step 16 — Edit the peering connection in GCP
Edit the VPC peering connection between nw1-vpc and the Cloud SQL VPC so that the following routes are exchanged:
10.88.0.0/24: route propagated using peering
10.150.0.0/16: route propagated using gcp-azure-tunnel-0
10.150.0.0/16: route propagated using gcp-azure-tunnel-1
Step 17 — Edit the Cloud Router settings in GCP
Manually add a custom advertised route for the peering range 10.88.0.0/16 (cloudsql-vpc).
Edit both local network gateways on Azure.
Now you can access the Cloud SQL database from the Azure VNet (10.150.0.0/16).
The End