Site-to-Site VPN Between GCP and AWS Cloud (Dynamic Routing)
Aslam Chandio
Cloud Engineer || 3x GCP Certified || 6x Azure Certified || 1x AWS Certified || 1x VMware Certified || Docker & Kubernetes|| Terraform || Linux || MCSA Certified ||
This tutorial demonstrates how to create a highly available VPN connection between Google Cloud and Amazon Web Services (AWS) so that VPC networks on the two cloud platforms can communicate directly.
This tutorial assumes that you're familiar with the basic concepts of virtual private cloud (VPC) networks, Border Gateway Protocol (BGP), virtual private networks (VPNs), and IPsec tunnels.
Google Cloud provides a highly available (HA) VPN service to connect your VPC network to environments running outside Google Cloud, such as on-premises networks or AWS, through an IPsec VPN connection. HA VPN carries an SLA of 99.99% service availability when configured according to Google's best practices; for AWS that means tunnels from both HA VPN gateway interfaces, whereas this walkthrough builds a single tunnel to keep the steps short.
Architecture overview
The architecture described in this document includes the following components:
Objectives
Step 1 — Create a VPC network on Google & AWS Cloud.
VPC on Google Cloud:
gcloud compute networks create gcp-vpc \
--subnet-mode=custom \
--bgp-routing-mode=global
gcloud compute networks subnets create gcp-vpc-sub1-us-central1 \
--network gcp-vpc \
--range 172.21.1.0/24 \
--region us-central1 \
--enable-flow-logs \
--enable-private-ip-google-access
gcloud compute networks subnets create gcp-vpc-sub2-euro-west2 \
--network gcp-vpc \
--range 172.21.2.0/24 \
--region europe-west2 \
--enable-flow-logs \
--enable-private-ip-google-access
gcloud compute networks list
gcloud compute networks describe gcp-vpc
gcloud compute networks subnets list --filter gcp-vpc
gcloud compute firewall-rules create gcp-vpc-ssh-allow \
--network gcp-vpc \
--action allow \
--direction ingress \
--rules tcp:22,icmp \
--source-ranges 39.51.35.31/32 \
--priority 1000 \
--enable-logging \
--target-tags gcp-vpc-ssh-allow
gcloud compute firewall-rules create gcp-vpc-internal-allow \
--network gcp-vpc \
--action allow \
--direction ingress \
--rules tcp,udp,icmp,ipip \
--source-ranges 172.21.0.0/16 \
--priority 1100
Create two VMs on Google Cloud (a public and a private VM):
gcloud compute instances create public-us-vm \
--image-family ubuntu-2204-lts \
--image-project ubuntu-os-cloud \
--boot-disk-size 20GB \
--subnet gcp-vpc-sub1-us-central1 \
--private-network-ip 172.21.1.11 \
--zone us-central1-b \
--project gcp-prod-project-377414 \
--tags gcp-vpc-ssh-allow
gcloud compute instances create private-euro-vm \
--image-family centos-7 \
--image-project centos-cloud \
--machine-type e2-medium \
--boot-disk-size 20GB \
--subnet gcp-vpc-sub2-euro-west2 \
--private-network-ip 172.21.2.20 \
--zone europe-west2-a \
--project gcp-prod-project-377414 \
--no-address
VPC on AWS Cloud:
aws ec2 create-vpc --cidr-block 192.168.0.0/16 --output table
aws ec2 modify-vpc-attribute --vpc-id vpc-0adfd6b9e963d85e7 --enable-dns-support "{\"Value\":true}"
aws ec2 modify-vpc-attribute --vpc-id vpc-0adfd6b9e963d85e7 --enable-dns-hostnames "{\"Value\":true}"
aws ec2 create-tags --resources vpc-0adfd6b9e963d85e7 --tags Key=Name,Value=AWS-VPC
aws ec2 create-subnet --vpc-id vpc-0adfd6b9e963d85e7 --cidr-block 192.168.1.0/24 --availability-zone us-east-1a
aws ec2 create-subnet --vpc-id vpc-0adfd6b9e963d85e7 --cidr-block 192.168.2.0/24 --availability-zone us-east-1b
aws ec2 create-tags --resources subnet-07c82f715b726e54f --tags Key=Name,Value=AWS-VPC-PubSub1
aws ec2 create-tags --resources subnet-0cac30b89fc5e3ec5 --tags Key=Name,Value=AWS-VPC-PvtSub1
aws ec2 modify-subnet-attribute --subnet-id subnet-07c82f715b726e54f --map-public-ip-on-launch
aws ec2 create-internet-gateway --output json
aws ec2 create-tags --resources igw-09a332ea3a9ec7f0f --tags Key=Name,Value=AWS-IGW
aws ec2 attach-internet-gateway --vpc-id vpc-0adfd6b9e963d85e7 --internet-gateway-id igw-09a332ea3a9ec7f0f --region us-east-1
aws ec2 describe-internet-gateways --output table
Create two route tables by running the command below once for the public table and once for the private table (the IDs that follow are the ones returned in this run):
aws ec2 create-route-table --vpc-id vpc-0adfd6b9e963d85e7
aws ec2 create-tags --resources rtb-06db711fbb21b8891 --tags Key=Name,Value=PublicRT
aws ec2 create-tags --resources rtb-041d2652c6f984e15 --tags Key=Name,Value=PrivateRT
Only the public route table gets a default route to the internet gateway; the private subnet has no internet path:
aws ec2 create-route --route-table-id rtb-06db711fbb21b8891 --destination-cidr-block 0.0.0.0/0 --gateway-id igw-09a332ea3a9ec7f0f
aws ec2 describe-route-tables --route-table-ids rtb-06db711fbb21b8891
Associate each subnet with its route table (AWS-VPC-PubSub1 with PublicRT, AWS-VPC-PvtSub1 with PrivateRT):
aws ec2 associate-route-table --subnet-id subnet-07c82f715b726e54f --route-table-id rtb-06db711fbb21b8891
aws ec2 associate-route-table --subnet-id subnet-0cac30b89fc5e3ec5 --route-table-id rtb-041d2652c6f984e15
Create two EC2 instances on AWS (a public one in AWS-VPC-PubSub1 and a private one in AWS-VPC-PvtSub1).
Step 2 — Create a Cloud Router and an HA VPN gateway on Google Cloud.
Note: Classic VPN no longer supports new dynamic-routing (BGP) tunnels to on-premises or other-cloud gateways, so this tutorial uses HA VPN.
Create the Cloud Router:
Name: cloud-router
Network: gcp-vpc
Region: us-central1
Google ASN: 64514 (a private ASN; it must differ from the ASN used on the AWS side)
Create the HA VPN gateway:
VPN gateway name: gcp-aws-connection
Network: gcp-vpc
Region: us-central1
Note: An HA VPN gateway always gets two interfaces, each with its own public IP. Interface 0 here is 35.242.119.108; write it down, since it becomes the AWS customer gateway address. This tutorial builds a single tunnel on interface 0. The 99.99% SLA requires tunnels from both interfaces (a second AWS VPN connection pointing at interface 1), which you can add the same way.
Note: Create only the HA VPN gateway at this point; the VPN tunnel is added in Step 7.
Step 3 — Create a customer gateway on AWS.
The customer gateway is the representation, in AWS, of the far side of the VPN connection, here the GCP HA VPN gateway interface. Its IP address is the peer that AWS will contact.
Name: a name for the customer gateway
BGP ASN: 64514 (the Cloud Router ASN from Step 2)
IP address: 35.242.119.108 (the HA VPN gateway interface 0 public IP from Step 2)
Click Create customer gateway.
Step 4 — Create a virtual private gateway on AWS and attach it to the VPC
A virtual private gateway is the VPN endpoint on the AWS side, the gate out of the AWS VPC; think of it as the counterpart of the GCP HA VPN gateway.
Click Create virtual private gateway.
Name: a name for the VPG
Autonomous System Number (ASN): custom ASN 64512 (AWS side; it must differ from the GCP Cloud Router ASN 64514)
Then, in the virtual private gateway list, select the new gateway, click Attach to VPC and choose AWS-VPC. A VPC can have only one virtual private gateway attached at a time.
Step 5 — Create the VPN connection in AWS
We're ready to connect the two gateways.
Name tag: aws-gcp-connection
Target gateway type: Virtual private gateway
Virtual private gateway: the VPG ID from Step 4
Customer gateway: Existing
Customer gateway ID: the customer gateway ID from Step 3
Routing options: Dynamic (requires BGP)
Local IPv4 network CIDR: 172.21.0.0/16 (in the AWS console "local" is the customer gateway side, here GCP-VPC)
Remote IPv4 network CIDR: 192.168.0.0/16 (the AWS side, AWS-VPC)
Both CIDR fields default to 0.0.0.0/0.
Tunnel 1 options:
Pre-shared key for tunnel 1: Abcd1234
Tunnel 2 options:
Pre-shared key for tunnel 2: Abcd1234
Note: Abcd1234 is a placeholder used for the screenshots. Leave the field empty to let AWS generate a random key, or supply a long random one; whatever you choose must be entered on the GCP tunnel in Step 7.
Step 6 — Download the configuration from AWS
Select the VPN connection and click Download configuration:
Vendor: Generic
Platform: Generic
Software: Vendor Agnostic
The following parameters from the downloaded file are the ones needed on the GCP side.
Internet Key Exchange configuration (from the downloaded file):
- IKE version: IKEv1
- Authentication method: Pre-Shared Key
- Pre-shared key: Abcd1234
- Authentication algorithm: sha1
- Encryption algorithm: aes-128-cbc
- Lifetime: 28800 seconds
- Phase 1 negotiation mode: main
- Diffie-Hellman: Group 2
Caveat: these are the AWS defaults and they are legacy choices (IKEv1, SHA-1, AES-128-CBC and the 1024-bit DH group 2). AWS lets you change them through the tunnel options of the VPN connection, and Cloud VPN supports IKEv2 with stronger proposals; if you harden one side, change the other to match or the tunnel will not negotiate.
Tunnel interface configuration (from the downloaded file):
Outside IP addresses:
- Customer gateway: 35.242.119.108 (GCP HA VPN gateway interface 0 public IP)
- Virtual private gateway: 34.230.180.215 (AWS tunnel 1 outside IP)
Inside IP addresses (the link-local /30 used for BGP on tunnel 1):
- Customer gateway: 169.254.153.186/30 (this is the GCP Cloud Router side)
- Virtual private gateway: 169.254.153.185/30 (this is the AWS side)
The file also describes tunnel 2, with its own outside IP and inside /30; it is not used in this single-tunnel walkthrough.
Step 7 — Create an external VPN gateway and a VPN tunnel on Google Cloud.
On the HA VPN gateway gcp-aws-connection, click Add VPN tunnel and create a single VPN tunnel:
Peer VPN gateway: create a new external (peer) VPN gateway
Name: aws-peer-side
Interfaces: one interface, 34.230.180.215 (AWS tunnel 1 outside IP)
Associated Cloud VPN gateway interface: interface 0, 35.242.119.108 (GCP HA VPN public IP)
Associated peer VPN gateway interface: interface 0, 34.230.180.215 (AWS tunnel 1 outside IP)
IKE version: IKEv1 (must match the AWS tunnel)
IKE pre-shared key: Abcd1234 (the tunnel 1 key from Step 5)
BGP session:
Name: bgp-connection
Peer ASN: 64512 (the virtual private gateway ASN, AWS side)
Allocate BGP IPv4 address: Manually
Cloud Router BGP IPv4 address: 169.254.153.186 (the "Customer gateway" inside address from the AWS file)
BGP peer IPv4 address: 169.254.153.185 (the "Virtual private gateway" inside address from the AWS file)
GCP side: the tunnel and the BGP session show as Established.
AWS side: tunnel 1 of the VPN connection shows as Up.
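The mapping from the downloaded AWS file (Step 6) to the GCP tunnel and BGP settings (Step 7) is mechanical and easy to get backwards (the "Customer Gateway" inside address belongs to the Cloud Router, not to AWS). The following is an added Python example, not code from the article or from either cloud provider: it parses a constructed sample written in the layout of the vendor-agnostic download, flags the legacy IKE defaults, checks that the two inside addresses form one /30 and that AWS's BGP neighbor is the VGW inside address, and emits the gcloud equivalents of the console clicks above. The sample text, the resource names (aws-peer-side, aws-tunnel-1, aws-tunnel-1-if, bgp-connection) and the defaults for the gateway and router names are assumptions for illustration; the commands are returned as strings for review, not executed.

```python
# Added example: map the AWS "Generic / Vendor Agnostic" VPN download onto the
# GCP tunnel and BGP settings. The sample text is constructed in the download's
# layout for illustration; it is not a real AWS file.
import ipaddress
import re
from dataclasses import dataclass

SAMPLE_AWS_CONFIG = """\
#1: Internet Key Exchange Configuration
  - IKE version              : IKEv1
  - Pre-Shared Key           : Abcd1234
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Diffie-Hellman           : Group 2
#3: Tunnel Interface Configuration
Outside IP Addresses:
  - Customer Gateway        : 35.242.119.108
  - Virtual Private Gateway : 34.230.180.215
Inside IP Addresses
  - Customer Gateway        : 169.254.153.186/30
  - Virtual Private Gateway : 169.254.153.185/30
#4: Border Gateway Protocol (BGP) Configuration:
  - Customer Gateway ASN        : 64514
  - Virtual Private Gateway ASN : 64512
  - Neighbor IP Address         : 169.254.153.185
"""
SECTION_RE = re.compile(r"^#\d+:")
SCOPE_RE = re.compile(r"^(Outside|Inside) IP Addresses", re.I)
KV_RE = re.compile(r"^\s*-\s*(.+?)\s*:\s*(.+?)\s*$")
# Legacy IKE defaults worth replacing: key -> (value as AWS prints it, advice).
LEGACY = {
    "ike version": ("ikev1", "IKEv2 is supported by AWS tunnel options and Cloud VPN"),
    "authentication algorithm": ("sha1", "prefer SHA-2 (sha2-256 or stronger)"),
    "encryption algorithm": ("aes-128-cbc", "prefer AES-256 (GCM or CBC)"),
    "diffie-hellman": ("group 2", "1024-bit MODP; prefer group 14 or higher"),
}

def parse_aws_vpn_config(text):
    """Return {'key': value}; the Outside/Inside IP blocks reuse the same key
    names, so those entries get an 'outside:' / 'inside:' prefix."""
    values, scope = {}, ""
    for line in text.splitlines():
        if SECTION_RE.match(line):
            scope = ""  # a numbered section header ends the IP sub-block
        elif (m := SCOPE_RE.match(line)):
            scope = m.group(1).lower() + ":"
        elif (m := KV_RE.match(line)):
            values[scope + m.group(1).lower()] = m.group(2)
    return values

def audit_ike(values):
    """List the IKE settings a reviewer should push back on."""
    findings = [f"{k} = {values[k]}: {advice}" for k, (legacy, advice) in LEGACY.items()
                if values.get(k, "").lower() == legacy]
    if len(values.get("pre-shared key", "")) < 16:
        findings.append("pre-shared key is short: use a long random key (AWS can generate one)")
    return findings

@dataclass
class GcpTunnelParams:
    peer_gateway_ip: str      # AWS outside IP -> external VPN gateway interface 0
    ha_vpn_interface_ip: str  # GCP outside IP; must be the HA VPN interface you chose
    shared_secret: str
    ike_version: int
    cloud_router_bgp_ip: str  # AWS "Customer Gateway" inside address = Cloud Router side
    bgp_peer_ip: str          # AWS "Virtual Private Gateway" inside address = BGP peer
    local_asn: int
    peer_asn: int

def derive_gcp_params(values):
    """Map AWS field names onto GCP fields; reject inconsistent inside addresses."""
    cgw = ipaddress.ip_interface(values["inside:customer gateway"])
    vgw = ipaddress.ip_interface(values["inside:virtual private gateway"])
    if cgw.network != vgw.network or cgw.network.prefixlen != 30:
        raise ValueError(f"inside addresses {cgw} and {vgw} do not share one /30")
    neighbor = values.get("neighbor ip address")
    if neighbor and ipaddress.ip_address(neighbor) != vgw.ip:
        raise ValueError(f"BGP neighbor {neighbor} is not the VGW inside address {vgw.ip}")
    return GcpTunnelParams(
        peer_gateway_ip=values["outside:virtual private gateway"],
        ha_vpn_interface_ip=values["outside:customer gateway"],
        shared_secret=values["pre-shared key"],
        ike_version=2 if values.get("ike version", "").lower() == "ikev2" else 1,
        cloud_router_bgp_ip=str(cgw.ip), bgp_peer_ip=str(vgw.ip),
        local_asn=int(values["customer gateway asn"]),
        peer_asn=int(values["virtual private gateway asn"]))

def gcloud_commands(p, region="us-central1", ha_gateway="gcp-aws-connection",
                    router="cloud-router", peer_gw="aws-peer-side", tunnel="aws-tunnel-1"):
    """gcloud equivalents of the Step 7 console clicks, returned as strings for
    review (assumed names; the secret is inline only for illustration)."""
    iface, peer = f"{tunnel}-if", "bgp-connection"
    return [
        f"gcloud compute external-vpn-gateways create {peer_gw} --interfaces 0={p.peer_gateway_ip}",
        f"gcloud compute vpn-tunnels create {tunnel} --region {region} --vpn-gateway {ha_gateway} "
        f"--interface 0 --peer-external-gateway {peer_gw} --peer-external-gateway-interface 0 "
        f"--router {router} --ike-version {p.ike_version} --shared-secret '{p.shared_secret}'",
        f"gcloud compute routers add-interface {router} --region {region} --interface-name {iface} "
        f"--vpn-tunnel {tunnel} --ip-address {p.cloud_router_bgp_ip} --mask-length 30",
        f"gcloud compute routers add-bgp-peer {router} --region {region} --interface {iface} "
        f"--peer-name {peer} --peer-ip-address {p.bgp_peer_ip} --peer-asn {p.peer_asn}",
    ]
```

Run audit_ike before gcloud_commands: with the defaults from this article it reports all four legacy proposals plus the short key. The derived Cloud Router address is the AWS "Customer Gateway" inside IP, which is the detail most often entered the wrong way round in the console.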
Step 8 — Route propagation in AWS
For both AWS route tables (PublicRT and PrivateRT), open the Route propagation tab and enable propagation from the virtual private gateway.
The GCP subnets 172.21.1.0/24 (public) and 172.21.2.0/24 (private), advertised by the Cloud Router over BGP, then appear as propagated routes in both route tables.
Step 9 — Route propagation in Google Cloud
The AWS VPC CIDR 192.168.0.0/16, advertised by the virtual private gateway, is learned by the Cloud Router and appears automatically in the gcp-vpc routes. Because the network uses global dynamic routing mode (Step 1), the learned route is usable from every region, including the europe-west2 subnet.
Step 10 — Update the firewall rule in GCP
GCP VPC CIDR: 172.21.0.0/16
AWS VPC CIDR: 192.168.0.0/16
A learned route does not admit traffic by itself; the ingress rule gcp-vpc-internal-allow from Step 1 only covers 172.21.0.0/16, so add the AWS CIDR. Note that --source-ranges replaces the whole list, so both ranges must be given:
gcloud compute firewall-rules update gcp-vpc-internal-allow --source-ranges 172.21.0.0/16,192.168.0.0/16
Step 11 — Update the security group rules in AWS
GCP VPC CIDR: 172.21.0.0/16
Public SG: add inbound rules from 172.21.0.0/16 for the traffic you need (at least ICMP and TCP 22 for the tests below).
Private SG: add the same inbound rules from 172.21.0.0/16.
Step 12 — Test connectivity
On an AWS EC2 instance:
The AWS public EC2 instance can ping both the public and the private VM in Google Cloud.
On a GCP VM:
The GCP public VM can ping both the public and the private EC2 instance in AWS.
Step 13 — Test dynamic routing
Create another subnet in GCP in a different region:
gcloud compute networks subnets create gcp-vpc-sub3-asia-southeast1 \
--network gcp-vpc \
--range 172.21.3.0/24 \
--region asia-southeast1 \
--enable-flow-logs \
--enable-private-ip-google-access
Create a VM in the new subnet:
gcloud compute instances create private-asia-vm \
--image-family centos-7 \
--image-project centos-cloud \
--machine-type e2-medium \
--boot-disk-size 20GB \
--subnet gcp-vpc-sub3-asia-southeast1 \
--private-network-ip 172.21.3.30 \
--zone asia-southeast1-c \
--project gcp-prod-project-377414 \
--no-address
The new subnet 172.21.3.0/24 is advertised by the Cloud Router and propagated automatically to both AWS route tables; no manual route change is needed on either side.
On an AWS EC2 instance: ping and SSH to the new VM in Google Cloud succeed.
Comments
Aslam Chandio (author), 6 months ago: Updated version: https://www.dhirubhai.net/pulse/ha-site-to-site-vpn-between-gcpvpc-peering-aws-cloud-dynamic-chandio/
Reader comment: This article is amazing. It helped me fix my BGP session and the tunnel I have been debugging for 2 days now.
Senior Staff Engineer @ CERC - Cloud, DevOps, SRE, 1 year ago: You have saved me twice with this article. Thank you very much!!
Data Entry Operator || IT Officer || Network Technician, 1 year ago: Informative, Sir.
Infrastructure Specialist II @ CERC | Cloud, DevOps, SRE, 1 year ago: This article is awesome!