Site to Site VPN between AZURE and AWS using Azure Virtual WAN ( Active/Active BPG Configuration )

This article will help in how to configure a site-to-site VPN between Azure Virtual WAN HUB and AWS utilizing the Internet Key Exchange version 2 (IKEv2) for the tunnel setup.

We will use  Azure and AWS portal to set up Virtual WAN and then  Site on AWS side.

Virtual vWAN.

Azure Virtual WAN is a networking service that brings much networking, security, and routing functionalities together to provide a single operational interface. These functionalities include branch connectivity (via connectivity automation from Virtual WAN Partner devices such as SD-WAN or VPN CPE), Site-to-site VPN connectivity, remote user VPN (Point-to-site) connectivity.

For Detail see - https://docs.microsoft.com/en-us/azure/virtual-wan/virtual-wan-about

Source-Microsoft

First, we will create  Azure Virtual WAN & Virtual WAN Hub

1.First create a resource group in the Azure portal with the desired region.

2.After creating the resource group search for virtual wan.

3.Select create.

4.Specify the resource group and region you wish to deploy the Virtual WAN resource to. Specify a name for your Virtual WAN resource and click Review + Create.

6.Click Create to start provisioning the Virtual WAN resource.

7.Once the resource is created, click Go to resource to navigate to your Virtual WAN resource.

8.On the Virtual WAN resource, select New Hub from the top menu.

9.Specify the name of the Hub and an address space that can be used for all the networking components Virtual WAN will deploy into the Virtual Hub. Click Next: Site to Site >

10.On the Site to Site tab, toggle Yes, you want to provision a VPN Gateway and specify the scale units you need. Click the Review + create button when done.

11.Once validation is passed, click on create.

12.Go to virtual wan.

13.Click on VPN (Site to Site) and click on Create VPN Gateway, specify the scale units you need. Click the Review + create button when done.

14.Click the Create button to start provisioning the Hub and VPN Gateway. Please note this can take up to 30 minutes to complete.

Configure customer BGP IP Address for Virtual WAN VPN Gateway Instances.

15.Once provisioning is completed, navigate back to the Virtual WAN resource. You can do this by clicking the “search” icon and searching for Virtual WAN.

16.Select your Virtual WAN resource.

17.You will now see the Virtual WAN Hub resource you provisioned. Select the Virtual WAN Hub.

18.On the Virtual WAN Hub, click on the View/Configure link.

19.On the View/Configure Gateway Configuration blade, specify 169.254.21.2 as the Custom BGP IP address for Instance 0 and 169.254.22.2 as the Custom BGP IP address for Instance 1. Notate the Public IP address uses for Instance 0 and 1 and then click Edit and Confirm to apply the changes.

Create Virtual WAN VPN Site

20.On the Virtual WAN Hub, click Create a new VPN Site.

21.Specify a name for your VPN Site to define the connection connecting to AWS. Click Next: Links >

   Region- South Central US

   Name- AWS-MUM-VPC-VPG

   Device Vendor- AWS

22.On the Links tab, add two entries with the following values (to tell VWAN how to connect to each of the AWS Site-to-Site connections). Note: this is very similar to AWS’ Customer Gateway section.

AWS Link 1:

• Link Name - AWS_Tunnel_0
• Link Speed - 1000
• Link Provider Name -  AWS
• Link IP address - 2.2.2.2 (this is a placeholder value until we configure the AWS side)
• Link BGP address - 169.254.21.1
• Link ASN - 64512

AWS Link 2:

• Link Name - AWS_Tunnel_1
• Link Speed - 1000
• Link Provider Name - AWS
• Link IP address - 3.3.3.3(this is a placeholder value until we configure the AWS side)
• Link BGP address - 169.254.22.1
• Link ASN - 64512

Click Next: Review + Create >

23.Click Create.

24.Click Go to resource once the links have finished being created.

Configure Phase 1/2 Proposals

25.Select your Virtual WAN hub on the Virtual WAN Overview blade.

26.Click on Hubs > (select hub) > VPN (Site to Site) .

27. Then clear the Hub association filter as highlighted. Click on Clear all filters.

28.Check the box for the new VPN Site Name and click the Connect VPN sites button

29. Preshared key - mytestkeyconnect    //same will be used in the AWS side as well.

 Specify the following configuration:

• Protocol: IKEv2
• IPSec: Custom
• IKE Phase 1:
  • Encryption: GCMAES256
    • GCM algorithm is more efficient and can improve throughput on the Azure Gateways
  • Integrity/PRF: SHA256
  • DH Group: DHGroup14
• IKE Phase 2 (ipsec):
  • IPSec Encryption: AES256
    • AWS does not support GCM algorithm for IPSec integrity at time of writing this, but if it is available, you may want to opt for that
  • IPSec Integrity: SHA256
  • PFS Group: PFS14

Click Connect

Configure AWS

Prerequisites

We assume you have a VPC already (in my case, mine is called AWS-MUM-VPC), a corresponding set of subnets for your servers, and a routing table associated to your VPC.

Create the Customer Gateways

30.Customer Gateways in AWS are the equivalent of a local network gateway that you’d associate with a connection for a traditional VPN Gateway in Azure. It is also the equivalent of a defined Site Link for Azure’s Virtual WAN VPN configuration.

In this section, you will need to create two Customer Gateways. Specify the corresponding instance value obtained from the Configure Customer BPG IP address section. When creating the Customer Gateways ensure Dynamic routing is enabled and the BGP ASN is specified as 65515.

Azure VPN Gateway Instance 0 - 40.78.95.135

Azure VPN Gateway Instance 1 - 40.78.90.86

Configuration for the second Customer Gateway using the Instance 1 Gateway Public IP address.

Create a Virtual Private Gateway

31.Next, we need to create an AWS Virtual Private Gateway. This is the equivalent of Azure’s VPN Gateway.

32.Attach the Virtual Gateway to AWS-MUM-VPC.

33.

Create VPN Connections

We need to create two VPN Connections, each VPN Connection linked to its corresponding Customer Gateway and VPC.

On the Inside IPv4 CIDR for Tunnel 1 on the first VPN Connection, ensure you use 169.254.21.0/30 as the BGP Peer addresses and 169.254.21.4/30 for the second tunnel. Due to the way that the VPN Connection works, we are using a placeholder value of 169.254.21.4/30 tunnel, which will never be used in practice since we cannot point it to leverage Azure’s secondary VPN Gateway instance. This value must be specified as if we define the secondary BGP Peer address that will be created for the second instance in VWAN, you will receive an error that overlapping address space exists between this VPN Connection and the secondary VPN connection we create in AWS.

Use the same secret key that was used on the azure side - mytestkeyconnect.

34.When creating the second VPN connection, ensure 169.254.22.0/30 is specified for Inside IPv4 CIDR for Tunnel 1 and 169.254.22.4/30 is specified for Inside IPv4 CIDR for Tunnel 2 (which is again a placeholder value that won’t be used).

Use the same secret key that was used on the azure side - mytestkeyconnect.

Configure Route Table to Propagate Routes

35.To allow the learned routes from BGP to propagate to the VPC, you need to enable route propagation on your Route Table.

Navigate to Route Tables and select your Route Table and click the Route Propagation tab and select Edit route propagation.

36.To get tunnel IP from AWS.Go to Site-Site-VPN-Connection and then select the connection and then tunnel detail and then note down outside IP address of Tunnel 1.

Tunnel 1 IP- 3.7.162.73

37.Repeat the same for the second connection.

Tunnel 1 IP - 13.127.237.64

Update Azure

Update Azure Site Link IP addresses

38.As per the Configure Phase 1/2 Proposals section for Azure Virtual WAN, you specified 2.2.2.2 and 3.3.3.3 as a placeholder value for the Public IP addresses of the AWS VPN Gateway instances. We will need to update these addresses with the proper values.

Navigate to your Virtual WAN instance and select your Virtual WAN hub

39.Select VPN (Site to site) and choose to click on the Site name you created.

40.Click on the three dots (ellipsis) for AWS_Tunnel1 and click Edit Link.

41.Specify the proper IP address for Tunnel 1 on AWS Site-to-Site connection 1. Click Confirm

42.Click on the three dots (ellipsis) for AWS_Tunnel2 and click Edit Link.

43.Specify the proper IP address for Tunnel 1 on AWS Site-to-Site connection 2. Click Confirm.

44.Verify connectivity

On the Azure Side, you should see the VPN Site’s Connectivity status change to Connected

45.On the AWS side, you can validate for each Site to Site VPN connection that you see Tunnel 1‘s status as UP and Tunnel 2‘s status as DOWN (remember, Tunnel 2 will always be listed as down because a fictitious BGP is specified).

46.Here you can see the secondary Site-to-Site connection with the same status: UP for Tunnel 1, DOWN for Tunnel 2.

Peer a vNET to HUB in Azure.

46.Go to virtual network connection on vWAN page.

47.Click on Add connection. Select the details and then click on create.

48.Once peering is done you will able to see the peering connection.

You can also select a Virtual Machine that may have a virtual network attached to the VWAN Hub and validate you see learned routes from the VWAN Hub (and AWS) propagated into the VNet.

Tip: You can see the same route twice as we have both VPN Gateway instances BGP Peers actively connected to AWS. In the event you lose a peer, you would only see one route to one gateway listed.