
Startups at Microsoft

Dynamic Multi-Cloud Networking: Configuring a BGP-Enabled VPN Between Azure and AWS

rmmartins
Microsoft
Oct 28, 2024

Introduction

In my previous blog post, I demonstrated how to set up a basic VPN connection between Azure and AWS. This updated guide builds on that foundation by incorporating BGP (Border Gateway Protocol) to enable dynamic routing and redundancy across two VPN tunnels. By following this configuration, you can establish a more resilient multi-cloud VPN connection that supports automatic route exchanges between Azure VPN Gateway and AWS Virtual Private Gateway over IPsec tunnels. This approach ensures reliable connectivity and helps simplify network management between Azure and AWS environments.

 

Step 1: Set Up Your Azure Environment

 

1.1. Create a Resource Group

  1. Go to Azure Portal > Resource groups > Create.
  2. Select your subscription and region, and give the resource group a name like RG-AzureAWSVPN-BGP.

1.2. Create a Virtual Network (VNet) and Subnet

  1. In the Azure Portal, go to Virtual Networks > Create.
  2. Name the VNet AzureVNetBGP and specify an address space of 172.16.0.0/16.
  3. Under Subnets, create a subnet named Subnet-AzureVPN with the address range 172.16.1.0/24.
  4. Add a GatewaySubnet with a /27 address block (e.g., 172.16.254.0/27) for the VPN gateway.

 

1.3. Set Up the Azure VPN Gateway

  1. Go to +Create a resource, search for Virtual Network Gateway, and select Create.
  2. Fill in the details:
    • Name: AzureVPNGatewayBGP
    • Gateway Type: VPN
    • SKU: VpnGw1 (or higher for redundancy/performance).
    • Public IP Address: Create a new one and name it AzureVPNGatewayPublicIP.
    • Enable BGP: Yes.
    • ASN: Use an Autonomous System Number (ASN) for Azure, e.g., 65010.
    • Azure APIPA BGP IP Address: Use 169.254.21.2 for the first tunnel with AWS and 169.254.22.2 for the second tunnel with AWS. (See here for more details around choosing BGP APIPA addresses)

Note: For this example, we’ll create an Active-Standby setup, so Active-Active Mode will not be enabled. If you want to change from active-standby to active-active later, follow this: Configure active-active VPN gateways: Azure portal - Azure VPN Gateway | Microsoft Learn.

 

 

Step 2: Set Up Your AWS Environment with BGP 

 

2.1. Create a VPC and Subnet in AWS

  1. In the AWS Console, go to VPC > Create VPC.
  2. Use an address space (e.g., 10.0.0.0/16) for the AWS VPC.
  3. Under Subnets, create a subnet with a name like Subnet-AWSVPN and the address space 10.0.1.0/24 for your subnet.

2.2. Create an AWS Virtual Private Gateway (VGW)

  1. In the AWS VPC Console, go to Virtual Private Gateway and create a new VGW named AWS-VPN-VGW-BGP.
  2. Attach the VGW to the VPC.
  3. During the VGW creation, set the ASN for AWS. AWS will assign one by default (e.g., 64512), but you can customize this if needed.

2.3. Set Up a Customer Gateway (CGW)

  1. In the AWS Console, go to Customer Gateway, and create a CGW using the public IP address of the Azure VPN Gateway (obtained during the Azure VPN Gateway setup). Name it Azure-CGW-BGP.
  2. Set the BGP ASN for the Customer Gateway to 65010, the same ASN as set in Azure.

 

 

2.4. Create the Site-to-Site VPN Connection with BGP setting

  1. In AWS Console, go to Site-to-Site VPN Connections > Create VPN Connection.
  2. Select the Virtual Private Gateway created earlier.
  3. Select the Customer Gateway created earlier.
  4. Routing Options: Select Dynamic (requires BGP) to enable dynamic routing with BGP.
  5. Tunnels: AWS will automatically create two tunnels for redundancy.

 

 

2.4.1. Tunnel Configuration - Optional Settings

  • Under the Optional Tunnel Settings, configure the Inside IPv4 CIDR for each tunnel:
    • For Tunnel 1: Set the Inside IPv4 CIDR to 169.254.21.0/30.
    • For Tunnel 2: Set the Inside IPv4 CIDR to 169.254.22.0/30.

This ensures proper BGP peering between Azure and AWS for both tunnels.

 

 

 

 

2.4.3. Download the VPN Configuration File

  1. After the VPN is set up, download the configuration file.
  2. Select Generic for the platform and Vendor agnostic for the software.
  3. Select IKEv2 for the IKE version.

 

Step 3: Finish the Azure Side Configuration with the two tunnels and BGP setup

 

3.1. Create Two Local Network Gateways

To support two tunnels, you will need to create two Local Network Gateways on Azure, one for each tunnel.

  1. In the Azure Portal, go to Local Network Gateway > Create.
  2. Local Network Gateway 1 (for the first tunnel):
    • Name: AWSLocalNetworkGatewayBGP-Tunnel1
    • Public IP Address: Enter the public IP for the first AWS VPN tunnel (from the configuration file).
    • BGP Settings: Go to the Advanced Tab, select Yes for Configure BGP Settings, then:
      • ASN: Set to 64512 (AWS ASN).
      • BGP Peer IP Address: Enter 169.254.21.1 (AWS BGP peer IP for the first tunnel).

Note: You do not need to specify an address space when creating the Local Network Gateway. Only the public IP and BGP settings are required.

 

 

 

 

  3. Local Network Gateway 2 (for the second tunnel):

    • Name: AWSLocalNetworkGatewayBGP-Tunnel2
    • Public IP Address: Enter the public IP for the second AWS VPN tunnel.
    • BGP Settings: Go to the Advanced Tab, select Yes for Configure BGP Settings, then:
      • ASN: Set to 64512 (AWS ASN).
      • BGP Peer IP Address: Enter 169.254.22.1 (AWS BGP peer IP for the second tunnel).
      • Note: Enter the ASN first, followed by the BGP Peer IP Address in this order.

 

 

 

3.2. Create the VPN Connection for Both Tunnels

  1. Go to Azure Portal > Virtual Network Gateway > Connections > + Add.
  2. For the first tunnel:
    • Name: AzureAWSVPNConnectionBGP-Tunnel1
    • Connection Type: Site-to-site (IPsec).
    • Virtual Network Gateway: Select AzureVPNGatewayBGP.
    • Local Network Gateway: Select AWSLocalNetworkGatewayBGP-Tunnel1.
    • Shared Key (PSK): Use the shared key from the AWS VPN configuration file for tunnel 1.
    • IKE Protocol: Ensure that IKEv2 is selected.
    • Enable BGP: Mark the checkbox to enable.
    • After selecting Enable BGP, check the box for Enable Custom BGP Addresses and set:
      • Primary Custom BGP Address: Enter 169.254.21.2 for Tunnel 1.
    • IPSec/IKE Policy: Set this to Default.
    • Use Policy-Based Traffic Selector: Set to Disabled.
    • DPD (Dead Peer Detection) Timeout: Set the Timeout in Seconds to 45 seconds.
    • Connection Mode: Leave this as Default (no need to change to initiator-only or responder-only).

After about 3 minutes, you can check that the VPN connection is established.

 

 

 

  3. Repeat the same process for the second tunnel:
    • Name: AzureAWSVPNConnectionBGP-Tunnel2
    • Local Network Gateway: Select AWSLocalNetworkGatewayBGP-Tunnel2.
    • Shared Key (PSK): Use the shared key from the AWS VPN configuration file for tunnel 2.
    • Enable BGP: Mark the checkbox to enable.
    • Check the box for Enable Custom BGP Addresses and set:
      • Primary Custom BGP Address: Enter 169.254.22.2 for Tunnel 2.

 

 

 

 

After about 3 minutes, you can check that the VPN connection is established.

 

3.3. Ensure the VPN is established

  1. From Site-to-Site VPN connections on AWS, go to Tunnel details and check that Tunnel 1 is UP.
  2. From the Azure side, check that the status of the VPN connections is Connected.
  3. In BGP peers, you can see the BGP peers and the BGP learned routes.

 

Step 4: Add Routes and Configure Security

 

4.1. AWS Route Table Configuration

  1. In AWS Console, go to Route Tables and select the route table for your AWS VPC.
  2. Navigate to Route Propagation and select Edit Route Propagation.
  3. Enable route propagation to ensure that BGP dynamically propagates the routes between AWS and Azure, removing the need for manual static route entries. Almost immediately after enabling route propagation, you will be able to see the new routes.

 

 

 

4.2. Add an Internet Gateway (IGW)

Note: An Internet Gateway (IGW) is required for the EC2 instance to be accessible via its public IP address. Without the IGW, the EC2 instance won’t be reachable over the public internet, preventing you from logging into the EC2 instance using its public IP address. This is the sole purpose of deploying the IGW.

 

4.3. Set Security Group and NSG Rules

  1. AWS Security Group: Ensure that the Security Group for the AWS EC2 instance allows ICMP (ping), SSH, and any other necessary protocols.
  2. Azure NSG (Network Security Group): Ensure that the NSG attached to the Azure VM’s NIC allows inbound traffic from AWS for the required protocols, such as ICMP and SSH.
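
To check how narrowly the rules from step 4.3 are scoped, the following added example (not part of the original post) classifies the ICMP and SSH allow rules on each side against the peer cloud's address space from steps 1.2 and 2.1. The rule dictionaries are a constructed, simplified shape rather than a real AWS or Azure export, and the check assumes allow rules only (no deny rules or NSG priorities).

```python
import ipaddress

AZURE_VNET = ipaddress.ip_network("172.16.0.0/16")  # address space from step 1.2
AWS_VPC = ipaddress.ip_network("10.0.0.0/16")       # address space from step 2.1
NEEDED = (("icmp", None), ("tcp", 22))              # ping and SSH, as in step 4.3

# Constructed inbound rules in a simplified shape (not a real AWS or Azure export).
AWS_SG_RULES = [
    {"proto": "icmp", "port": None, "source": "172.16.0.0/16"},
    {"proto": "tcp", "port": 22, "source": "0.0.0.0/0"},
]
AZURE_NSG_RULES = [
    {"proto": "icmp", "port": None, "source": "10.0.1.0/24"},
    {"proto": "tcp", "port": 22, "source": "192.0.2.10/32"},
]


def audit_inbound(rules, peer_net):
    """Classify each needed protocol by how its allow rules relate to the peer network.

    'peer-only'     every matching rule's source lies inside the peer network
    'wider'         at least one matching rule also admits sources outside it
    'peer-blocked'  no matching rule covers any peer address
    """
    report = {}
    for proto, port in NEEDED:
        key = proto if port is None else f"{proto}/{port}"
        sources = [ipaddress.ip_network(r["source"]) for r in rules
                   if r["proto"] == proto and r["port"] == port]
        reaching = [s for s in sources if s.overlaps(peer_net)]
        if not reaching:
            report[key] = "peer-blocked"
        elif all(s.subnet_of(peer_net) for s in sources):
            report[key] = "peer-only"
        else:
            report[key] = "wider"
    return report
```

With the constructed rules, the AWS side reports SSH as "wider" (open beyond the Azure VNet) and the Azure side reports SSH as "peer-blocked" (no rule admits the AWS VPC).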

Step 5: Test Connectivity Between Azure and AWS VMs


To test connectivity between Azure and AWS, first deploy a virtual machine in the appropriate subnet on each cloud provider—an EC2 instance on AWS and a VM on Azure. Once both machines are running, connect to each VM using their respective public IP addresses. After logging in, use the private IP addresses of both instances to run a ping test and verify private network connectivity between them.

If you decided not to create the IGW to make the EC2 VM accessible over the internet, you can just log in to the Azure VM using its public IP address and test in one direction by running the ping command against the private IP of the EC2 VM.

 

5.1. Ensure ICMP Traffic Is Allowed

Both the AWS Security Group and the Azure NSG (Network Security Group) should allow ICMP (ping) traffic for proper testing of connectivity between the virtual machines.

 

5.2. Test Connectivity with ping

  1. From the Azure VM, ping the AWS VM using its private IP.
  2. From the AWS VM, ping the Azure VM using its private IP.

Ensure that the pings are successful in both directions to verify that the VPN tunnels are functioning correctly.

 

Troubleshooting Common Issues

 

  1. BGP Not Establishing
    • Double-check that the BGP peer IP addresses and ASNs are correctly configured for both tunnels.
    • Ensure that BGP is enabled on both the Azure Virtual Network Gateway and the AWS VPN connection.
    • Ensure that route propagation is enabled on AWS, allowing dynamic routes to be exchanged through BGP.
  2. No Inbound Traffic on Azure VPN Gateway
    • Verify that AWS route propagation is enabled and that the Azure routes are correctly learned from AWS.
    • Check the NSG rules on Azure to ensure inbound traffic is allowed from AWS.
  3. Dead Peer Detection (DPD) Issues
    • Mismatched DPD settings may cause tunnels to drop. Ensure that both Azure and AWS have consistent DPD configurations. The recommended DPD Timeout for both Azure and AWS is 45 seconds.
  4. Tunnel Status Showing as Down
    • If one or both tunnels show as down, ensure that the IKEv2/IPsec policies match on both sides. Double-check the encryption algorithms, hashing functions, and Diffie-Hellman group settings between Azure and AWS for Phase 1 and Phase 2.
    • Restart the VPN connection on both Azure and AWS to re-initiate the tunnels.
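
The first check under "BGP Not Establishing" (peer IP addresses and ASNs for both tunnels) can be done mechanically before touching either portal. The following is an added example, not part of the original post: it cross-checks the values entered in steps 1.3, 2.2, 2.3, 2.4.1, 3.1 and 3.2 against each other. The PLAN layout and key names are assumptions of this example; the values are the guide's.

```python
import ipaddress

# Azure VPN Gateway only accepts APIPA BGP addresses in 169.254.21.0-169.254.22.255.
AZURE_APIPA = [ipaddress.ip_network(c) for c in ("169.254.21.0/24", "169.254.22.0/24")]

# Values are the guide's; the dict layout is an assumption of this example.
PLAN = {
    "azure_asn": 65010,  # ASN on AzureVPNGatewayBGP (step 1.3)
    "cgw_asn": 65010,    # BGP ASN on Azure-CGW-BGP (step 2.3)
    "vgw_asn": 64512,    # ASN on AWS-VPN-VGW-BGP (step 2.2)
    "tunnels": [
        {"name": "Tunnel1", "inside_cidr": "169.254.21.0/30", "lng_asn": 64512,
         "lng_bgp_peer": "169.254.21.1", "azure_custom_bgp": "169.254.21.2"},
        {"name": "Tunnel2", "inside_cidr": "169.254.22.0/30", "lng_asn": 64512,
         "lng_bgp_peer": "169.254.22.1", "azure_custom_bgp": "169.254.22.2"},
    ],
}

def check_plan(plan):
    """Return a list of inconsistencies; an empty list means both sides line up."""
    problems = []
    if plan["cgw_asn"] != plan["azure_asn"]:
        problems.append("Customer Gateway ASN differs from the Azure gateway ASN")
    seen = set()
    for t in plan["tunnels"]:
        name = t["name"]
        try:
            net = ipaddress.ip_network(t["inside_cidr"])  # strict: rejects host bits
            aws_ip = ipaddress.ip_address(t["lng_bgp_peer"])
            azure_ip = ipaddress.ip_address(t["azure_custom_bgp"])
        except ValueError as exc:
            problems.append(f"{name}: {exc}")
            continue
        if net.version != 4 or net.prefixlen != 30:
            problems.append(f"{name}: inside CIDR {net} is not an IPv4 /30")
            continue
        if not any(net.subnet_of(r) for r in AZURE_APIPA):
            problems.append(f"{name}: {net} is outside Azure's APIPA BGP range")
        if net in seen:
            problems.append(f"{name}: inside CIDR {net} is reused by another tunnel")
        seen.add(net)
        first, second = net.hosts()  # AWS uses the first usable address, Azure the second
        if aws_ip != first:
            problems.append(f"{name}: Local Network Gateway peer {aws_ip} should be {first}")
        if azure_ip != second:
            problems.append(f"{name}: Azure custom BGP address {azure_ip} should be {second}")
        if t["lng_asn"] != plan["vgw_asn"]:
            problems.append(f"{name}: Local Network Gateway ASN differs from the AWS ASN")
    return problems
```

check_plan(PLAN) returns an empty list for the guide's values; swapping the two addresses of a tunnel, or picking an inside CIDR outside 169.254.21.0-169.254.22.255, produces a message naming the tunnel and the expected value.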

Conclusion

 

By following this guide, you’ve successfully set up a VPN connection between Azure and AWS using BGP with two tunnels for redundancy. This configuration ensures robust and reliable connectivity between the two clouds, with dynamic route propagation handled by BGP. The use of managed services minimizes operational overhead and simplifies management.

 

For more advanced configurations, such as custom IPsec/IKE policies, enabling failover, or using BGP with Active-Active Mode, refer to the official documentation for Azure VPN Gateway.

 

Updated Oct 28, 2024
Version 3.0
  • Ingo_Jobling

    Thank you for creating this tutorial.  It is very well documented and easy to follow.