HA Site-to-Site VPN Between GCP (VPC Peering) and AWS Cloud (Dynamic Routing)
Aslam Chandio
Cloud Engineer || 3x GCP Certified || 6x Azure Certified || 1x AWS Certified || 1x VMware Certified || Docker & Kubernetes|| Terraform || Linux || MCSA Certified ||
Google Cloud provides a highly available (HA) VPN service to connect your VPC network to environments running outside of Google Cloud, such as on-premises or AWS, through an IPsec VPN connection. HA VPN provides an SLA of 99.99% service availability when configured according to Google best practices.
Architecture overview
The architecture described in this document includes the following components:
Objectives
Step 1 — Create a VPC on Google Cloud
VPC on Google Cloud:
nw1-vpc
gcloud compute networks create nw1-vpc \
--subnet-mode=custom \
--bgp-routing-mode=global
gcloud compute networks subnets create nw1-vpc-sub1-us-central1 \
--network nw1-vpc \
--range 192.168.1.0/24 \
--region us-central1 \
--enable-flow-logs \
--enable-private-ip-google-access
gcloud compute networks subnets create nw1-vpc-sub2-us-east4 \
--network nw1-vpc \
--range 192.168.2.0/24 \
--region us-east4 \
--enable-flow-logs \
--enable-private-ip-google-access
gcloud compute networks subnets create nw1-vpc-sub3-euro-west2 \
--network nw1-vpc \
--range 192.168.3.0/24 \
--region europe-west2 \
--enable-flow-logs \
--enable-private-ip-google-access
gcloud compute networks list
gcloud compute networks describe nw1-vpc
gcloud compute networks subnets list --filter network:nw1-vpc
gcloud compute firewall-rules create nw1-vpc-ssh-allow \
--network nw1-vpc \
--action allow \
--direction ingress \
--rules tcp:22,icmp \
--source-ranges 39.51.76.162/32 \
--priority 1000 \
--enable-logging \
--target-tags nw1-vpc-ssh-allow
gcloud compute firewall-rules create nw1-vpc-internal-allow \
--network nw1-vpc \
--action allow \
--direction ingress \
--rules tcp,udp,icmp,ipip \
--source-ranges 192.168.0.0/16 \
--priority 1100
gcloud compute firewall-rules list --filter network:nw1-vpc
nw2-vpc
gcloud compute networks create nw2-vpc --subnet-mode custom
gcloud compute networks subnets create nw2-vpc-sub1-us-central1 \
--network nw2-vpc \
--range 172.28.1.0/24 \
--region us-central1 \
--enable-flow-logs \
--enable-private-ip-google-access
gcloud compute networks subnets create nw2-vpc-sub2-us-east4 \
--network nw2-vpc \
--range 172.28.2.0/24 \
--region us-east4 \
--enable-flow-logs \
--enable-private-ip-google-access
gcloud compute networks subnets create nw2-vpc-sub3-me-central1 \
--network nw2-vpc \
--range 172.28.3.0/24 \
--region me-central1 \
--enable-flow-logs \
--enable-private-ip-google-access
gcloud compute networks describe nw2-vpc
gcloud compute networks subnets list --filter network:nw2-vpc
gcloud compute firewall-rules create nw2-vpc-ssh-allow \
--network nw2-vpc \
--action allow \
--direction ingress \
--rules tcp:22,icmp \
--source-ranges 39.51.89.238/32 \
--priority 1000 \
--enable-logging \
--target-tags nw2-vpc-ssh-allow
gcloud compute firewall-rules create nw2-vpc-internal-allow \
--network nw2-vpc \
--action allow \
--direction ingress \
--rules tcp,udp,icmp,ipip \
--source-ranges 172.28.0.0/16 \
--priority 1100
gcloud compute firewall-rules list --filter network:nw2-vpc
Step 2 — Create VPC Peering on Google Cloud
gcloud compute networks peerings create nw1-vpc-to-nw2-vpc \
--network nw1-vpc \
--peer-project dev-project-7144 \
--peer-network nw2-vpc \
--stack-type IPV4_ONLY \
--export-subnet-routes-with-public-ip
gcloud compute networks peerings create nw2-vpc-to-nw1-vpc \
--network nw2-vpc \
--peer-project dev-project-7144 \
--peer-network nw1-vpc \
--stack-type IPV4_ONLY \
--export-subnet-routes-with-public-ip
gcloud compute networks peerings list
gcloud compute firewall-rules create nw1-vpc-peering-allow \
--network nw1-vpc \
--action allow \
--direction ingress \
--rules tcp,udp,icmp,ipip \
--source-ranges 172.28.0.0/16 \
--priority 1200
gcloud compute firewall-rules create nw2-vpc-peering-allow \
--network nw2-vpc \
--action allow \
--direction ingress \
--rules tcp,udp,icmp,ipip \
--source-ranges 192.168.0.0/16 \
--priority 1200
Step 3 — Create four VMs (public and private) in both VPCs
gcloud compute instances create nw1vpc-publicvm1 \
--image-family ubuntu-2204-lts \
--image-project ubuntu-os-cloud \
--boot-disk-size 20GB \
--subnet nw1-vpc-sub1-us-central1 \
--private-network-ip 192.168.1.60 \
--zone us-central1-b \
--project dev-project-7144 \
--tags nw1-vpc-ssh-allow
gcloud compute instances create nw1vpc-privatevm2 \
--image-family centos-7 \
--image-project centos-cloud \
--boot-disk-size 20GB \
--subnet nw1-vpc-sub3-euro-west2 \
--private-network-ip 192.168.3.30 \
--zone europe-west2-c \
--project dev-project-7144 \
--no-address
gcloud compute instances create nw2vpc-publicvm1 \
--image-family centos-stream-8 \
--image-project centos-cloud \
--boot-disk-size 20GB \
--subnet nw2-vpc-sub2-us-east4 \
--private-network-ip 172.28.2.200 \
--zone us-east4-c \
--project dev-project-7144 \
--tags nw2-vpc-ssh-allow
gcloud compute instances create nw2vpc-privatevm2 \
--image-family ubuntu-2204-lts \
--image-project ubuntu-os-cloud \
--machine-type e2-medium \
--boot-disk-size 20GB \
--subnet nw2-vpc-sub3-me-central1 \
--private-network-ip 172.28.3.66 \
--zone me-central1-a \
--project dev-project-7144 \
--no-address
Step 4 — Create a VPC on AWS Cloud
Refer to my previous blog.
Step 5 — Create an HA VPN gateway and Cloud Router on Google Cloud
gcloud compute routers create cloud-router \
--project dev-project-7144 \
--region us-central1 \
--network nw1-vpc \
--asn 64514
gcloud compute routers list
gcloud compute routers describe cloud-router --region us-central1
gcloud compute vpn-gateways create gcp-aws-connection \
--network nw1-vpc \
--region us-central1 \
--stack-type IPV4_ONLY
gcloud compute vpn-gateways list
gcloud compute vpn-gateways describe gcp-aws-connection
Name: cloud-router
Network: nw1-vpc
Region: us-central1
Google ASN: 64514
Note: the public IPs of the GCP HA VPN gateway interfaces are 35.242.122.219 and 35.220.77.237
Note: which of them you use depends on whether you create one or two tunnels on Google Cloud
VPN gateway name: gcp-aws-connection
Network: nw1-vpc
Region: us-central1
Step 6 — Create two customer gateways on AWS
The customer gateway is the representation, in AWS, of the far side of the VPN connection: in practice, the IP address AWS will be contacting.
Enter a name for the customer gateway.
Put the GCP HA VPN gateway public IP in the customer gateway IP address field
and the Google ASN.
Click Create customer gateway.
Step 7 — Create a “Virtual Private Gateway” on AWS Cloud
A virtual private gateway is the representation of a “VPN concentrator” in AWS. Think of it as the AWS side of the connection between the two networks — the gate out of the AWS VPC.
Step 8 — Attach the Virtual Private Gateway to the VPC
In the Virtual Private Gateway screen, select your new gateway and click “Attach to VPC”.
Each VPC can only be attached to a single Virtual Private Gateway.
Click “Create Virtual Private Gateway”.
Choose a name for the VPG.
ASN (AWS side): 64512
Step 9 — Create the two “VPN Connections” in AWS
We’re ready to connect the two gateways.
aws-gcp-connection1
Name tag: aws-gcp-connection1
Target Gateway Type: Virtual Private Gateway
Virtual Private Gateway: VPG ID
Customer Gateway: Existing
Customer Gateway ID: CG ID (AWS-CG1)
Routing Options: Dynamic
Tunnel 1:
Pre-shared key for tunnel 1: Abcd1234
aws-gcp-connection2
Name tag: aws-gcp-connection2
Target Gateway Type: Virtual Private Gateway
Virtual Private Gateway: VPG ID
Customer Gateway: Existing
Customer Gateway ID: CG ID (AWS-CG2)
Routing Options: Dynamic
Tunnel 1:
Pre-shared key for tunnel 1: Abcd1234
Step 10 — Download the configuration from AWS
Vendor: Generic
Platform: Generic
Software: Vendor Agnostic
In the downloaded file, the following parameters are important:
For aws-gcp-connection1
1: Internet Key Exchange Configuration (From Download File)
3: Tunnel interface configuration (From Download File)
Outside IP Addresses:
— Customer Gateway : 35.242.122.219 (GCP HA Public IP)
— Virtual Private Gateway : 3.213.135.175 (AWS HA Public IP)
Inside IP Addresses
— Customer Gateway : 169.254.109.182/30
— Virtual Private Gateway : 169.254.109.181/30
For aws-gcp-connection2
1: Internet Key Exchange Configuration (From Download File)
3: Tunnel interface configuration (From Download File)
Outside IP Addresses:
— Customer Gateway : 35.220.77.237 (GCP HA Public IP)
— Virtual Private Gateway : 3.212.115.97 (AWS HA Public IP)
Inside IP Addresses
— Customer Gateway : 169.254.151.110/30
— Virtual Private Gateway : 169.254.151.109/30
Step 11 — Create an external VPN gateway on Google Cloud
gcloud compute external-vpn-gateways create aws-peer-side \
--interfaces 0=3.213.135.175,1=3.212.115.97
gcloud compute external-vpn-gateways list
gcloud compute external-vpn-gateways describe aws-peer-side
Interface 0: Virtual Private Gateway 3.213.135.175 (AWS HA Public IP) from aws-gcp-connection1
Interface 1: Virtual Private Gateway 3.212.115.97 (AWS HA Public IP) from aws-gcp-connection2
Step 12 — Create two VPN tunnels on Google Cloud
ADD VPN Tunnel
gcloud compute vpn-tunnels create gcp-aws-tunnel0 \
--peer-external-gateway=aws-peer-side \
--peer-external-gateway-interface=0 \
--region=us-central1 \
--ike-version=2 \
--shared-secret=Abcd1234 \
--router=cloud-router \
--vpn-gateway=gcp-aws-connection \
--interface=0
gcloud compute vpn-tunnels create gcp-aws-tunnel1 \
--peer-external-gateway=aws-peer-side \
--peer-external-gateway-interface=1 \
--region=us-central1 \
--ike-version=2 \
--shared-secret=Abcd1234 \
--router=cloud-router \
--vpn-gateway=gcp-aws-connection \
--interface=1
gcloud compute vpn-tunnels list
gcloud compute vpn-tunnels describe gcp-aws-tunnel0
gcloud compute vpn-tunnels describe gcp-aws-tunnel1
Step 13 — Create Two Interfaces in Cloud Router on Google Cloud.
gcloud compute routers add-interface cloud-router \
--interface-name=if-tunnel0-to-nw1-vpc \
--vpn-tunnel=gcp-aws-tunnel0 \
--ip-address=169.254.109.182 \
--mask-length 30 \
--region=us-central1
gcloud compute routers add-interface cloud-router \
--interface-name=if-tunnel1-to-nw1-vpc \
--vpn-tunnel=gcp-aws-tunnel1 \
--ip-address=169.254.151.110 \
--mask-length 30 \
--region=us-central1
Cloud Router BGP IP Address
— Customer Gateway : 169.254.109.182 from aws-gcp-connection1
— Customer Gateway : 169.254.151.110 from aws-gcp-connection2
Step 14 — Create two BGP sessions in Cloud Router on Google Cloud
gcloud compute routers add-bgp-peer cloud-router \
--peer-name=bgp-peer-connection \
--peer-asn=64512 \
--interface=if-tunnel0-to-nw1-vpc \
--peer-ip-address=169.254.109.181 \
--region=us-central1
gcloud compute routers add-bgp-peer cloud-router \
--peer-name=bgp-peer-connection1 \
--peer-asn=64512 \
--interface=if-tunnel1-to-nw1-vpc \
--peer-ip-address=169.254.151.109 \
--region=us-central1
gcloud compute vpn-gateways describe gcp-aws-connection
Peer BGP IP Addresses (AWS Side BGP Address)
— Virtual Private Gateway : 169.254.109.181 from aws-gcp-connection1
— Virtual Private Gateway : 169.254.151.109 from aws-gcp-connection2
GCP Side Connection Established
AWS Side Connection Established
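The cross-referencing done by hand in Steps 10 to 14 (download values to external-gateway interface, Cloud Router interface IP and BGP peer IP) can be mechanised. This is an added example, not part of the original post: it parses a constructed sample laid out like the Outside/Inside IP Addresses lines of the AWS vendor-agnostic download (values are those quoted in this post, the file layout is assumed) and checks that connection N really terminates on HA VPN interface N before emitting the GCP-side parameters.

```python
import ipaddress
import re

HA_VPN_IFACE_IPS = ["35.242.122.219", "35.220.77.237"]  # HA VPN interfaces 0 and 1 (Step 5)
# Constructed sample modelled on the AWS vendor-agnostic download (values from the post; layout assumed).
AWS_DOWNLOADS = {
    "aws-gcp-connection1": """Outside IP Addresses:
  - Customer Gateway : 35.242.122.219
  - Virtual Private Gateway : 3.213.135.175
Inside IP Addresses:
  - Customer Gateway : 169.254.109.182/30
  - Virtual Private Gateway : 169.254.109.181/30""",
    "aws-gcp-connection2": """Outside IP Addresses:
  - Customer Gateway : 35.220.77.237
  - Virtual Private Gateway : 3.212.115.97
Inside IP Addresses:
  - Customer Gateway : 169.254.151.110/30
  - Virtual Private Gateway : 169.254.151.109/30""",
}
ADDR_LINE = re.compile(r"-\s*(Customer|Virtual Private) Gateway\s*:\s*(\S+)")

def parse_tunnel(text):
    """Return the outside/inside CGW and VGW addresses of one connection."""
    section, found = None, {}
    for line in text.splitlines():
        if line.startswith(("Outside IP", "Inside IP")):
            section = line.split()[0].lower()
        elif (m := ADDR_LINE.search(line)) and section:
            found[f"{section}_{'cgw' if m[1] == 'Customer' else 'vgw'}"] = m[2]
    if len(found) != 4:
        raise ValueError("incomplete tunnel section")
    return found

def gcp_parameters(downloads):
    """Map connection N to the GCP values of Steps 11, 13 and 14, checking that
    the inside IPs share one link-local /30 and the CGW IP is HA VPN interface N."""
    rows = []
    for idx, (name, text) in enumerate(downloads.items()):
        t = parse_tunnel(text)
        cgw, vgw = ipaddress.ip_interface(t["inside_cgw"]), ipaddress.ip_interface(t["inside_vgw"])
        if not (cgw.network == vgw.network and cgw.network.prefixlen == 30
                and cgw.ip != vgw.ip and cgw.ip in ipaddress.ip_network("169.254.0.0/16")):
            raise ValueError(f"{name}: inside IPs are not one 169.254.x.x/30")
        if t["outside_cgw"] != HA_VPN_IFACE_IPS[idx]:
            raise ValueError(f"{name}: CGW IP is not HA VPN interface {idx}")
        rows.append({"connection": name, "interface": idx,
                     "external_gateway_ip": t["outside_vgw"],  # Step 11 --interfaces
                     "router_interface_ip": str(cgw.ip),       # Step 13 --ip-address
                     "bgp_peer_ip": str(vgw.ip)})              # Step 14 --peer-ip-address
    return rows
```

Feeding the two downloads in the wrong order raises, because the CGW IP of the first file would no longer be HA VPN interface 0.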
Step 15 — Route Propagation in AWS Cloud
Edit the route table of the subnet (route propagation from the Virtual Private Gateway).
The GCP subnet CIDRs are then propagated automatically into the AWS VPC route table.
Step 16 — Route Propagation in Google Cloud
The AWS VPC CIDR is propagated automatically into the GCP VPC (nw1-vpc) routes.
Step 17 — Update Firewall Rule in GCP Cloud (nw1-vpc)
gcloud compute firewall-rules create nw1-vpc-vpn-allow \
--network nw1-vpc \
--action allow \
--direction ingress \
--rules tcp,udp,icmp,ipip \
--source-ranges 10.100.0.0/16 \
--priority 1400
Step 18 — Update Security Group Rules in AWS Cloud
GCP CIDR of nw1-vpc: 192.168.0.0/16
GCP CIDR of nw2-vpc: 172.28.0.0/16
Step 19 — Test Connectivity
ON AWS EC2
The AWS public EC2 instance can ping and SSH to both the private and the public VM in Google Cloud.
ON GCP VM
Problem
The AWS EC2 instance cannot ping the nw2-vpc VM, because VPC peering does not support transitive peering relationships: the routes learned over the VPN in nw1-vpc are not exchanged with nw2-vpc by default.
Importing and exporting custom routes (GCP side)
Step 20 — Edit the peering connection in GCP Cloud
The routes are now propagated across the peering connection.
Step 21 — Edit the Cloud Router settings in GCP Cloud
Manually add an advertised route for the peered network 172.28.0.0/16 (nw2-vpc).
Step 22 — Route Propagation in AWS Cloud
AWS automatically learns the new route (172.28.0.0/16) from the GCP Cloud Router.
Step 23 — Update Firewall Rule in GCP Cloud (nw2-vpc)
gcloud compute firewall-rules create nw2-vpc-vpn-allow \
--network nw2-vpc \
--action allow \
--direction ingress \
--rules tcp,udp,icmp,ipip \
--source-ranges 10.100.0.0/16 \
--priority 1400
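Why Step 19 fails, and why both Step 20 (custom route export/import on the peering) and Step 21 (custom advertisement on the Cloud Router) are needed, can be shown with a small route model. This is an added illustration, not Google Cloud code: the prefixes are the ones used in this post, 10.100.1.10 is a constructed EC2 address, and firewall rules and security groups (Steps 17, 18, 23) are assumed to be open.

```python
import ipaddress

# Prefixes from this post; 10.100.1.10 below is a constructed EC2 address.
AWS_VPC = ipaddress.ip_network("10.100.0.0/16")
NW1_SUBNETS = [ipaddress.ip_network(p) for p in ("192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24")]
NW2_SUBNETS = [ipaddress.ip_network(p) for p in ("172.28.1.0/24", "172.28.2.0/24", "172.28.3.0/24")]
HOME = {"aws-vpc": [AWS_VPC], "nw1-vpc": NW1_SUBNETS, "nw2-vpc": NW2_SUBNETS}


def route_tables(export_custom, import_custom, advertised_ranges=()):
    """Model the routes each VPC holds once the BGP sessions are up.

    export_custom / import_custom: the Step 20 peering flags (nw1-vpc exports
    its custom routes, which include the BGP-learned AWS prefix; nw2-vpc
    imports them). advertised_ranges: Step 21, extra prefixes the Cloud
    Router announces to AWS besides nw1-vpc's own subnets.
    """
    nw1 = set(NW1_SUBNETS) | set(NW2_SUBNETS) | {AWS_VPC}   # own, peered subnets, BGP-learned
    nw2 = set(NW2_SUBNETS) | set(NW1_SUBNETS)               # peering always exchanges subnet routes
    if export_custom and import_custom:
        nw2.add(AWS_VPC)                                    # dynamic route crosses the peering
    aws = {AWS_VPC} | set(NW1_SUBNETS) | {ipaddress.ip_network(r) for r in advertised_ranges}
    return {"nw1-vpc": nw1, "nw2-vpc": nw2, "aws-vpc": aws}


def home_vpc(ip):
    return next(vpc for vpc, nets in HOME.items() if any(ip in n for n in nets))


def reachable(src_ip, dst_ip, tables):
    """A ping needs a forward route at the source and a return route at the target."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    forward = any(dst in p for p in tables[home_vpc(src)])
    back = any(src in p for p in tables[home_vpc(dst)])
    return forward and back


def step19_vs_step22():
    """Reproduce the post: nw1 VM works, nw2 VM fails until both fixes are applied."""
    before = route_tables(False, False)
    after = route_tables(True, True, ["172.28.0.0/16"])
    return {
        "step19_nw1_vm": reachable("10.100.1.10", "192.168.3.30", before),
        "step19_nw2_vm": reachable("10.100.1.10", "172.28.3.66", before),
        "peering_only": reachable("10.100.1.10", "172.28.3.66", route_tables(True, True)),
        "advertise_only": reachable("10.100.1.10", "172.28.3.66", route_tables(False, False, ["172.28.0.0/16"])),
        "step22_nw2_vm": reachable("10.100.1.10", "172.28.3.66", after),
    }
```

The two partial cases show the failure modes: with only the peering flags AWS still has no route to 172.28.0.0/16, and with only the advertisement the nw2-vpc VM has no return route to 10.100.0.0/16.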
Step 24 — Test Connectivity
ON AWS EC2
The AWS public EC2 instance can ping and SSH to the peered VPC network in GCP Cloud.
ON GCP VM
Step 25 — Delete Resources
gcloud compute vpn-tunnels list
gcloud compute vpn-tunnels delete gcp-aws-tunnel0
gcloud compute vpn-tunnels delete gcp-aws-tunnel1
gcloud compute external-vpn-gateways delete aws-peer-side
gcloud compute vpn-gateways list
gcloud compute vpn-gateways delete gcp-aws-connection
gcloud compute routers list
gcloud compute routers delete cloud-router
gcloud compute networks peerings list
gcloud compute networks peerings delete nw1-vpc-to-nw2-vpc --network nw1-vpc
gcloud compute networks peerings delete nw2-vpc-to-nw1-vpc --network nw2-vpc
The End