Build HA VPN connections between GCP and AWS in command lines

Timothy Zhang
7 min read, May 13, 2022

VPNs are a primary way to build hybrid-cloud and multi-cloud architectures. Besides the common VPN between a public cloud and on-premises infrastructure, connecting two different public clouds with a VPN is also important, and harder. With so many steps, setting up a VPN through the GUI can be dizzying. Doing it from the command line is faster and less error-prone, and it makes the relationships between the individual steps and components easier to understand.

This article walks you through building an HA VPN connection between GCP and AWS step by step. The steps are divided into three parts:

  • Part I: Prepare for Network Environments and VM Instances
  • Part II: Build VPN Connections between GCP and AWS
  • Part III: Clean VPN Components and Cloud Environments

I also created diagrams to show how the parts involved in the steps relate to each other. The target gateway on the AWS side can be either a VPN Gateway or a Transit Gateway. Because the two gateways are created and configured slightly differently, I use two diagrams to show them separately.

Figure: Relationships among components of HA VPN connections between GCP and AWS, with VPN Gateway
Figure: Relationships among components of HA VPN connections between GCP and AWS, with Transit Gateway

Part I: Prepare for Network Environments and VM Instances

The first part is auxiliary: it creates one VM instance in AWS and one in GCP, so that VPN connectivity can be verified from these two instances after the VPN is built. The individual steps in this part are:

1.1 Setup AWS Network Environment
1.2 Create AWS VM Instance
1.3 Setup GCP Network Environment
1.4 Create GCP VM Instance

Clearly, the AWS steps (1.1, 1.2) and the GCP steps (1.3, 1.4) are independent of each other. On each platform, though, the network environment must be built before the VM instance is created (1.1 → 1.2, 1.3 → 1.4).

The AWS components involved in these steps are shown in the upper part of the “aws” cloud in the figure. Notes on step 1.1:

  • The first command sets the region. AWS requires a VPC to be located in a region, and the VPN components associated with the VPC must be in the same region. Here I set the region to us-west-1; you can use another region as needed (refer to Region Maps and Region Services).
  • The CIDR blocks of the AWS VPC and Subnet are set to 192.168.0.0/16 and 192.168.1.0/24 respectively. You can use other private network ranges, but they must not overlap with the CIDR block of the GCP Subnet that the VPN will connect to.
  • The Internet Gateway is created only so that EC2 instances in the VPC can be logged into over the Internet from our own local network.

Notes on step 1.2:

  • The key-pair file generated here is required to log in to the EC2 instance with ssh.
  • AMI_ID specifies the image used to launch the instance; for background, refer to AMI types. Among the filters, “Name=virtualization-type, Values=hvm” is required.
  • The security group allows any IP address (0.0.0.0/0) to ping this instance over ICMP. For security, ssh is limited to my own local IP address, 123.118.7.149/32. This lets you log in to the instance directly from your local machine with the following command:
ssh -i "$KEY_NAME.pem" ubuntu@$INSTANCE_IP

The components involved in the GCP steps (1.3, 1.4) are shown in the pink part of the GCP box in the figure, together with NETWORK. Step 1.3 is relatively simple:

  • Unlike an AWS VPC, which is limited to one region, a GCP VPC (NETWORK) can span multiple regions. As the figure shows, SUBNET_REGION, where the Subnet and VM instance are located in our steps, is “us-east1”, while REGION, where the VPN-related components are created later, is “us-central1”.
  • The CIDR block of the Subnet here is 10.1.1.0/24, which is clearly distinct from the AWS VPC (192.168.0.0/16) and Subnet (192.168.1.0/24) ranges.

Creating the VM instance in step 1.4 is also very simple:

  • Similar to the AWS security group settings, firewall rules for ICMP and SSH are set here: all IP addresses can ping this instance over ICMP, while the SSH rule is restricted to the IAP source range, so IAP TCP forwarding can be used from your local machine to reach this instance:
gcloud compute ssh $VM_NAME --tunnel-through-iap
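Before running steps 1.1 and 1.3, it is worth checking the address plan mechanically: the GCP subnet must not overlap the AWS VPC, the AWS subnet must sit inside its VPC, and the SSH sources on both sides should be as narrow as the article describes. The following script is an added example (my own, not the article's gist) using the article's CIDRs as the plan; the AWS SSH source address is a constructed placeholder, and the IAP range is Google's documented TCP-forwarding source range.

```shell
#!/bin/sh
# Added example: validate the Part I address plan before creating anything.
# CIDRs come from the article; SSH_SOURCE is a constructed placeholder.
AWS_VPC_CIDR=192.168.0.0/16
AWS_SUBNET_CIDR=192.168.1.0/24
GCP_SUBNET_CIDR=10.1.1.0/24
SSH_SOURCE=203.0.113.7/32        # stand-in for "my own local IP address"
GCP_SSH_SOURCE=35.235.240.0/20   # source the GCP SSH firewall rule allows
IAP_RANGE=35.235.240.0/20        # Google's documented IAP TCP-forwarding range

# Dotted quad -> 32-bit integer.
ip4_to_int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# a.b.c.d/n -> "first last" as integers, with host bits cleared.
cidr_bounds() {
  bits=${1#*/}
  size=$(( 1 << (32 - bits) ))
  base=$(ip4_to_int "${1%/*}")
  first=$(( base - base % size ))
  echo "$first $(( first + size - 1 ))"
}

# Exit 0 when the two blocks share at least one address.
cidrs_overlap() {
  set -- $(cidr_bounds "$1") $(cidr_bounds "$2")
  [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# Exit 0 when the second block lies entirely inside the first.
cidr_contains() {
  set -- $(cidr_bounds "$1") $(cidr_bounds "$2")
  [ "$1" -le "$3" ] && [ "$4" -le "$2" ]
}

# Exit 0 when the block is a single host (/32), as an SSH source should be.
is_single_host() { [ "${1#*/}" = 32 ]; }

# Run every check, print one line per finding, exit 0 only for a clean plan.
check_address_plan() {
  rc=0
  if cidrs_overlap "$GCP_SUBNET_CIDR" "$AWS_VPC_CIDR"; then
    echo "FAIL: GCP subnet $GCP_SUBNET_CIDR overlaps AWS VPC $AWS_VPC_CIDR"; rc=1
  fi
  if ! cidr_contains "$AWS_VPC_CIDR" "$AWS_SUBNET_CIDR"; then
    echo "FAIL: AWS subnet $AWS_SUBNET_CIDR is not inside VPC $AWS_VPC_CIDR"; rc=1
  fi
  if ! is_single_host "$SSH_SOURCE"; then
    echo "FAIL: AWS SSH source $SSH_SOURCE is wider than one host"; rc=1
  fi
  if [ "$GCP_SSH_SOURCE" != "$IAP_RANGE" ]; then
    echo "FAIL: GCP SSH source $GCP_SSH_SOURCE is not the IAP range $IAP_RANGE"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK: address plan is consistent"
  return $rc
}

check_address_plan
```

Run it once with your own values substituted at the top; a non-zero exit means the plan should be fixed before step 1.1. The ICMP-from-anywhere rules the article uses are only there for the ping test in step 2.4 and can be narrowed to the peer subnet once the VPN is verified.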

Part II: Build VPN Connections between GCP and AWS

This part is the main content of the article. Referring to the code in the last section, it can be divided into four big steps:

2.1 Create GCP VPN Components
2.2 Create AWS VPN Components
2.3 Back to GCP to Add More Components
2.4 Test and Verify VPN and Its Tunnels

Each step needs information from the environment variables set by the previous step, and the last step tests and verifies the VPN, so the steps are sequentially dependent (2.1 → 2.2 → 2.3 → 2.4).

The components involved in step 2.1 are shown in the light blue box of GCP, excluding the tunnel-related components in the yellow box. They are the Cloud Router and the HA VPN Gateway. Note that:

  • The thick blue arrow shows information being extracted from the HA VPN Gateway and assigned to two environment variables; these two variables are important input parameters for the AWS VPN settings that follow.
  • The extraction method is to first define a variable “cmd” containing a command, and then use “eval” to execute that command.

Step 2.2 creates and sets up the VPN components in AWS, including the Customer Gateways (CUSTOM_GATEWAY_m in the scripts), shown in the lower half of the “aws” box in the figure. Note that:

  • CUSTOM_GATEWAY_m needs the environment variable INTERFACE_m_IP_ADDRESS from the previous step.
  • The target gateway of the VPN can be either VPN_GATEWAY or TRANSIT_GATEWAY; that is why there are two diagrams above.
  • The differences in the settings for TRANSIT_GATEWAY:
    — The IP_ADDRESS_RANGE of the GCP subnet where the VM instances are located must be added to the route table explicitly; with VPN_GATEWAY, the route is learned through route propagation, so IP_ADDRESS_RANGE is not needed.
    — TRANSIT_GATEWAY must be attached to the Subnet as well as the VPC.
  • There are two thick blue arrows here, showing important information being extracted from the two VPN_CONNECTION_m and assigned to multiple (4*4=16) environment variables; these variables are important input parameters for the GCP VPN settings that follow.
  • The extraction method is the same as in step 2.1, again defining variables that contain commands. Since the information is extracted from two VPN_CONNECTIONs, there are two variables, “cmd0” and “cmd1”, and “eval” is used to execute the command defined by each.
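The “cmd”/“eval” extraction pattern of steps 2.1 and 2.2, as an added example that is not the article's code: the script parses the CustomerGatewayConfiguration XML that `aws ec2 describe-vpn-connections --vpn-connection-ids ID --query 'VpnConnections[0].CustomerGatewayConfiguration' --output text` returns, and turns each connection's two tunnels into the four values step 2.3 needs (AWS outside address, both BGP inside addresses, pre-shared key), 16 variables for two connections. The XML here is a constructed sample in the shape of AWS's output, with documentation-range addresses and placeholder pre-shared keys; the variable names (VPN0_T1_AWS_OUTSIDE_IP and so on) and the function names are my own, not the article's.

```shell
#!/bin/sh
# Added example: step 2.2 extraction of tunnel parameters via cmd/eval.
# The AWS "customer gateway" side of each tunnel is the GCP HA VPN interface;
# the "vpn gateway" side is AWS itself.

# Constructed sample of one <ipsec_tunnel> element, in the shape AWS emits.
# Addresses are documentation ranges; the PSK is a placeholder.
sample_tunnel_xml() {
  c=$1; t=$2
  cat <<EOF
  <ipsec_tunnel>
    <customer_gateway>
      <tunnel_outside_address>
        <ip_address>203.0.113.$((c + 1))</ip_address>
      </tunnel_outside_address>
      <tunnel_inside_address>
        <ip_address>169.254.$((10 + c)).$((t * 4 - 2))</ip_address>
        <network_cidr>30</network_cidr>
      </tunnel_inside_address>
    </customer_gateway>
    <vpn_gateway>
      <tunnel_outside_address>
        <ip_address>198.51.100.$((c * 2 + t))</ip_address>
      </tunnel_outside_address>
      <tunnel_inside_address>
        <ip_address>169.254.$((10 + c)).$((t * 4 - 3))</ip_address>
        <network_cidr>30</network_cidr>
      </tunnel_inside_address>
    </vpn_gateway>
    <ike>
      <pre_shared_key>PSK-PLACEHOLDER-$c$t</pre_shared_key>
    </ike>
  </ipsec_tunnel>
EOF
}

# Constructed stand-in for what the aws CLI prints for connection $1.
sample_connection_xml() {
  printf '<vpn_connection id="vpn-PLACEHOLDER%s">\n' "$1"
  sample_tunnel_xml "$1" 1
  sample_tunnel_xml "$1" 2
  printf '</vpn_connection>\n'
}

# Read the configuration XML on stdin and print one `export` line per value
# step 2.3 needs, for connection $1 and tunnels 1 and 2.
vpn_tunnel_vars() {
  awk -v conn="$1" '
    function text_after(tag,    n, i, a) {
      n = split($0, a, /[<>]/)
      for (i = 1; i < n; i++) if (a[i] == tag) return a[i + 1]
      return ""
    }
    /<ipsec_tunnel>/           { t++; side = "" }
    /<customer_gateway>/       { side = "GCP" }
    /<vpn_gateway>/            { side = "AWS" }
    /<tunnel_outside_address>/ { kind = "OUTSIDE" }
    /<tunnel_inside_address>/  { kind = "INSIDE" }
    /<ip_address>/ {
      # the GCP outside address is INTERFACE_m_IP_ADDRESS from step 2.1; skip it
      if (side == "GCP" && kind == "OUTSIDE") next
      printf "export VPN%s_T%d_%s_%s_IP=\047%s\047\n", conn, t, side, kind, text_after("ip_address")
    }
    /<pre_shared_key>/ {
      printf "export VPN%s_T%d_PSK=\047%s\047\n", conn, t, text_after("pre_shared_key")
    }'
}

# The article pattern: put the command in cmd0/cmd1, then eval it.  In real use
# replace `sample_connection_xml N` with the aws describe-vpn-connections call.
load_vpn_vars() {
  cmd0='eval "$(sample_connection_xml 0 | vpn_tunnel_vars 0)"'
  cmd1='eval "$(sample_connection_xml 1 | vpn_tunnel_vars 1)"'
  eval "$cmd0"
  eval "$cmd1"
}

# Number of tunnel variables currently exported (16 when both connections loaded).
count_vpn_vars() { env | grep -c '^VPN[01]_T[12]_'; }

# PSKs are secrets: remove them from the environment once step 2.3 has used
# them, so later child processes and debugging output cannot see them.
scrub_vpn_secrets() {
  for v in $(env | sed -n 's/^\(VPN[01]_T[12]_PSK\)=.*/\1/p'); do unset "$v"; done
}

load_vpn_vars
echo "loaded $(count_vpn_vars) tunnel variables (PSKs not printed)"
```

In step 2.3 each VPNm_Tn_AWS_OUTSIDE_IP becomes the peer address of the corresponding GCP tunnel, the two inside addresses become the Cloud Router interface and BGP peer addresses, and the PSK is the tunnel's shared secret. Call scrub_vpn_secrets once the tunnels are created; the remaining 12 address variables are harmless to keep for the tests in step 2.4.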

Step 2.3 uses the environment variables obtained in the previous step to define the remaining VPN components on the GCP side. Once all the commands in the file have run, the HA VPN connection between GCP and AWS is completely established, and you’re done!

The test in step 2.4 verifies that the VPN is established and operating normally; refer to Google Cloud’s technical document “Build HA VPN connections between Google Cloud and AWS”. Alternatively, we can verify the VPN with the VM instances created on AWS and GCP in Part I:

  • Log in to the AWS instance and ping itself:
  • Log in to the GCP instance and ping itself:
  • Ping the GCP instance from the AWS instance:
  • Ping the AWS instance from the GCP instance:

Great! This HA VPN connection between GCP and AWS is fully working. Because the two instances are in different regions (the AWS instance in us-west-1, the GCP instance in us-east1), the ping latency is relatively high (> 80 ms).

Part III: Clean VPN Components and Cloud Environments

This part is also auxiliary. Like Part I, it is divided into separate steps for GCP and AWS:

3.1 Remove GCP VPN Components
3.2 Remove GCP VM Instance and Network Environment
3.3 Remove AWS VPN Components
3.4 Remove AWS VM Instance and Network Environment

Similarly, the steps in GCP (3.1, 3.2) and AWS (3.3, 3.4) are independent of each other, but the two steps of each are in order (3.1 → 3.2, 3.3 → 3.4).

Shell code for all steps of building the VPN between GCP and AWS
