Connect AWS Network to On-Premise Using Redundant IPSec VPN Tunnel with BGP Routing

Ari Sukarno
9 min read · Aug 12, 2022

Design Architecture

What is IPSec VPN Tunnel on AWS?

AWS Site-to-Site VPN is a fully-managed service that creates a secure connection between your data center or branch office and your AWS resources using IP Security (IPSec) tunnels. By default, instances that you launch into an Amazon VPC can’t communicate with your own (remote) network. You can enable access to your remote network from your VPC by creating an AWS Site-to-Site VPN (Site-to-Site VPN) connection, and configuring routing to pass traffic through the connection.

Why Redundant VPN and use BGP (Border Gateway Protocol)?

To protect against a loss of connectivity in case your customer gateway device becomes unavailable, you can set up a second Site-to-Site VPN connection to your VPC and virtual private gateway or transit gateway by using a second customer gateway device. With redundant Site-to-Site VPN connections and customer gateway devices, you can perform maintenance on one of your devices while traffic continues to fail over to the second customer gateway's Site-to-Site VPN connection. But why BGP? With BGP it is possible to exchange routing information between your customer gateways over more than one tunnel. Could static routing be used instead? Based on my research, no: with static routes there is no failover, because when one tunnel goes down traffic cannot fail over to another tunnel, so BGP routing is required for a fully highly available connection.

How is the Scenario?

We are going to connect the AWS cloud to on-premise (simulated with GCP). As you can see in the architecture diagram, we'll build a redundant, highly available VPN with four IPSec tunnels and two customer gateways. As the final result we'll test connectivity and failover between AWS and GCP.

  • AWS

On the AWS side a Customer Gateway represents the connection to on-premise, and AWS Site-to-Site VPN provides the IPSec tunnels. To build the redundant connection we use a Transit Gateway (TGW); you could instead use a Virtual Private Gateway, which is the VPN endpoint on AWS for a Site-to-Site VPN connection. We use the TGW because it is more flexible: it can connect many networks, such as several VPCs and on-premise networks.

  • On-Premise

GCP supports creating a High Availability (HA) VPN gateway, so it serves as the simulated on-premise network for the redundancy test. The HA VPN gateway provides two interfaces that act as the gateways of the on-premise network.

Prerequisites:

  • A VPC in the AWS environment (with subnet, route table, internet gateway, etc.) and an instance inside the VPC.
  • A VPC in Google Cloud Platform and a virtual machine.

Step by Step:

This will be very nice hands-on for you, so don’t forget to prepare your coffee :) Here we go!!

1. Create a VPN Gateway on GCP as the Customer Gateway (On-Premise)

  • In GCP we create two customer gateways as the on-premise gateways to make the on-premise side highly available
  • Fill in the parameters: Name, Network and Region
  • After the VPN gateway is created, GCP provides two interfaces; they simulate the on-premise customer gateways and will be configured in AWS

2. Create the Customer Gateway, Site-to-Site VPN and Transit Gateway on AWS

  • All of the above can be configured in one go by creating a TGW attachment, but before that we have to create the TGW itself

Leave the other settings at their defaults, but the important one is to enable ECMP support, which the VPN failover relies on. Note that you can specify the TGW ASN yourself in the range 64512–65534 or 4200000000–4294967294; the default is 64512 (leave the ASN empty to use the default). This ASN is used for the BGP peering session with the on-premise side. Here is the TGW that was created.

  • Then create a TGW attachment, which is the fastest way to configure the rest
  • Configure the VPN attachment, filling in the IP address of interface 0 that GCP created

Take note of the BGP ASN on the TGW; it will be used when configuring the BGP session on the on-premise side.

  • Configure the tunnel options; they can be handled by AWS or specified by ourselves. Leave them at the defaults if AWS should handle them, then click Create
  • This creates a Customer Gateway, a Site-to-Site VPN and a TGW attachment. Repeat the TGW attachment process with the IP address of interface 1 provided by GCP. Wait a few minutes until everything is in the available state.

Customer Gateway status
Site-to-Site VPN status
Transit Gateway status

3. Add the VPN Tunnels on GCP

  • The status of the VPN tunnels before the on-premise side is configured (DOWN)
  • Then add the VPN tunnels on GCP

4. Add a Peer VPN Gateway (filled with the outside IP addresses of the IPSec tunnels on the AWS VPN)

  • Open the Peer VPN gateways page
  • Then create the Peer VPN gateway

Provide the name and the interfaces of the VPN tunnels to be created. Because we want a highly available setup with two VPN connections of two tunnels each, we choose four interfaces and fill them with the tunnel IP addresses from the AWS side. Here are the tunnel IPs that should be added to the Peer VPN gateway; add every IPSec tunnel as an interface of the Peer VPN gateway.

5. Create the On-Premise Router (Cloud Router on GCP)

  • Create a new router; it plays the role of the on-premise router
  • Specify the configuration and note that the Google ASN has to be the same as the Customer Gateway ASN (here 65000; you can see it in the Customer Gateway details on AWS)

NOTE: the ASN of the on-premise router must match the ASN of the CGW on AWS

6. Configure the VPN Tunnels

  • Below is the list of VPN tunnels that have to be configured, especially the BGP session of each

7. Create the BGP Sessions

  • Tunnel configuration

Fill in the Peer ASN (it must be the same as the TGW ASN on AWS). It is recommended to choose the manual option for creating the Cloud Router BGP session and BGP peer, and to set the Multi-Exit Discriminator (MED) used for tunnel failover (valid values are 0 to 4,294,967,295). Here we use tunnel 1: 10, tunnel 2: 20, tunnel 3: 30 and tunnel 4: 40; the path with the lowest MED value is preferred. Fill in the BGP IP addresses from the configuration downloaded from AWS (the inside IPs of the VPN tunnel).

Note:

— the CGW inside IP is used as the Cloud Router BGP IP

— the VPGW inside IP is used as the BGP peer IP

Repeat this for each CGW and VPG pair on the IPSec tunnels.
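The ASN and MED rules above (Cloud Router ASN equal to the CGW ASN on AWS, BGP peer ASN equal to the TGW ASN, MED within its 32-bit range and unique per tunnel) are easy to get wrong across two consoles. The following is an added example, not code from the article, that checks them before the BGP sessions are created; the two dict layouts are invented for this example, the values mirror the article (TGW ASN 64512, CGW/Cloud Router ASN 65000, MEDs 10/20/30/40), and the inside-CIDR rule is AWS's documented constraint that a tunnel inside IPv4 CIDR is a /30 from 169.254.0.0/16 minus a few reserved blocks.

```python
"""Added example (not from the article): sanity-check the BGP parameters
on both sides before creating the Cloud Router BGP sessions (step 7).

Assumptions: the AWS_SIDE / GCP_SIDE dict layouts are invented here; the
numeric values copy the article."""
import ipaddress

MED_MAX = 4_294_967_295                                   # MED is a 32-bit attribute
TGW_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))  # ranges AWS accepts for a TGW ASN
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
# /30 blocks AWS reserves and does not allow as a tunnel inside CIDR
RESERVED_INSIDE = {ipaddress.ip_network(c) for c in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30")}


def validate_bgp_config(aws, gcp):
    """Return a list of human-readable findings; an empty list means the
    AWS side and the GCP (on-premise) side agree."""
    findings = []
    if not any(lo <= aws["tgw_asn"] <= hi for lo, hi in TGW_ASN_RANGES):
        findings.append(f"TGW ASN {aws['tgw_asn']} is outside the ranges AWS accepts")
    if gcp["cloud_router_asn"] != aws["cgw_asn"]:
        findings.append(f"Cloud Router ASN {gcp['cloud_router_asn']} != "
                        f"Customer Gateway ASN {aws['cgw_asn']}")
    if gcp["cloud_router_asn"] == aws["tgw_asn"]:
        findings.append("same ASN on both sides: the design peers two different ASNs (eBGP)")
    if len(gcp["tunnels"]) != 4:
        findings.append(f"expected 4 tunnels (2 VPNs x 2 tunnels), found {len(gcp['tunnels'])}")

    seen_meds = {}                                        # med -> first tunnel using it
    for t in gcp["tunnels"]:
        name = t["name"]
        if t["peer_asn"] != aws["tgw_asn"]:
            findings.append(f"{name}: BGP peer ASN {t['peer_asn']} != TGW ASN {aws['tgw_asn']}")
        if not 0 <= t["med"] <= MED_MAX:
            findings.append(f"{name}: MED {t['med']} outside 0..{MED_MAX}")
        elif t["med"] in seen_meds:
            # equal MEDs make the preferred path ambiguous, so failover order is undefined
            findings.append(f"{name}: MED {t['med']} duplicates {seen_meds[t['med']]}")
        seen_meds.setdefault(t["med"], name)
        cidr = ipaddress.ip_network(t["inside_cidr"])
        if cidr.prefixlen != 30 or not cidr.subnet_of(LINK_LOCAL):
            findings.append(f"{name}: inside CIDR {cidr} must be a /30 inside 169.254.0.0/16")
        elif cidr in RESERVED_INSIDE:
            findings.append(f"{name}: inside CIDR {cidr} is reserved by AWS")
    return findings


# Constructed configuration matching the article's values (inside CIDRs are made up).
AWS_SIDE = {"tgw_asn": 64512, "cgw_asn": 65000}
GCP_SIDE = {"cloud_router_asn": 65000, "tunnels": [
    {"name": "tunnel-1", "peer_asn": 64512, "med": 10, "inside_cidr": "169.254.10.0/30"},
    {"name": "tunnel-2", "peer_asn": 64512, "med": 20, "inside_cidr": "169.254.10.4/30"},
    {"name": "tunnel-3", "peer_asn": 64512, "med": 30, "inside_cidr": "169.254.10.8/30"},
    {"name": "tunnel-4", "peer_asn": 64512, "med": 40, "inside_cidr": "169.254.10.12/30"},
]}

if __name__ == "__main__":
    for line in validate_bgp_config(AWS_SIDE, GCP_SIDE) or ["OK: both sides agree"]:
        print(line)
```

Run it against your own values before clicking Create on the Cloud Router BGP sessions; every finding it prints corresponds to a session that would stay in "waiting for peer" or to an ambiguous failover order.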

8. Wait until the Tunnel and BGP Status are OK

  • Check the tunnel and BGP status on GCP

BGP status

  • Also check on AWS that both tunnels of each VPN are UP (it takes around 5–10 minutes)
  • The TGW route table is then populated automatically by route propagation

9. Test Connectivity via Private IP

  • Before that, we have to create a TGW attachment for the VPC so the VPC is connected through the TGW
  • Check the propagation and association; the VPC should be added to both
  • The route table is configured automatically

As you can see, the subnets of the VPC on AWS and of the on-premise network (GCP) are added automatically to the TGW route table.

  • Then, to test connectivity we need an instance on AWS and a VM on GCP; we also add a route in the AWS VPC route table to the GCP subnet (via the TGW) and allow the traffic in the GCP firewall. Here is the route table on AWS:
  • Also allow the inbound traffic on GCP
  • Test ping from AWS to on-prem GCP via private IP

10. Test VPN Tunnel Failover

  • Tunnel 1 should be preferred

Since tunnel 1 has the lowest MED, tunnels 2, 3 and 4 should not receive the test pings from AWS.

Tunnel 1 traffic

The other tunnels should not receive any packets.

Tunnel 2 traffic
Tunnel 3 traffic
Tunnel 4 traffic

  • Test by taking tunnel 1 down

Take tunnel 1 down by disabling its BGP peer.

Current BGP status on-prem (waiting for peer)

Tunnel 1 on AWS is down

Note: traffic should fail over to tunnel 2 without the ping test stopping; let's check that tunnel 2 now receives the packets.

Tunnel 2 receiving packets after failover
Tunnel 1 traffic dropped

The other tunnels (3 and 4) do not receive the packets because tunnel 2 now has the lowest MED among the remaining tunnels.

Tunnel 3 still receives no traffic
Tunnel 4 still receives no traffic

The ping test is still running and has not stopped.

Important: BGP is what provides failover between VPN connections, not just at the tunnel level; after following these steps you should also take VPN 1 (tunnels 1 and 2) down and confirm that traffic fails over to VPN 2 (tunnels 3 and 4).
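The status check in step 8 and the failover expectations in step 10 can be automated from the AWS side. The following is an added example, not code from the article: it reads the shape of JSON that `aws ec2 describe-vpn-connections` returns, reports how much redundancy is left (all four tunnels up, degraded, a whole VPN down, or isolated), and computes which tunnel should be carrying AWS-to-on-prem traffic given the MEDs from step 7. The JSON is a constructed sample; the connection IDs and the 203.0.113.0/24 addresses (TEST-NET-3) are placeholders, not values from the article.

```python
"""Added example (not from the article): redundancy report and expected
active tunnel from `aws ec2 describe-vpn-connections` output.

Assumptions: SAMPLE is a constructed payload in the CLI's shape; the
outside IPs and VPN IDs are placeholders; TUNNEL_MED copies step 7."""
import copy
import json

# Constructed sample of `aws ec2 describe-vpn-connections --output json`
# (only the fields this example uses; both VPNs and all four tunnels UP).
SAMPLE = json.loads("""
{"VpnConnections": [
  {"VpnConnectionId": "vpn-0placeholder00001", "State": "available",
   "VgwTelemetry": [
     {"OutsideIpAddress": "203.0.113.11", "Status": "UP", "StatusMessage": "", "AcceptedRouteCount": 1},
     {"OutsideIpAddress": "203.0.113.12", "Status": "UP", "StatusMessage": "", "AcceptedRouteCount": 1}]},
  {"VpnConnectionId": "vpn-0placeholder00002", "State": "available",
   "VgwTelemetry": [
     {"OutsideIpAddress": "203.0.113.13", "Status": "UP", "StatusMessage": "", "AcceptedRouteCount": 1},
     {"OutsideIpAddress": "203.0.113.14", "Status": "UP", "StatusMessage": "", "AcceptedRouteCount": 1}]}
]}
""")

# MEDs from step 7, keyed by the tunnel's outside IP (the join key AWS exposes).
TUNNEL_MED = {"203.0.113.11": ("tunnel-1", 10), "203.0.113.12": ("tunnel-2", 20),
              "203.0.113.13": ("tunnel-3", 30), "203.0.113.14": ("tunnel-4", 40)}


def tunnel_states(payload):
    """Map outside IP -> True when the tunnel is UP and BGP has accepted routes."""
    states = {}
    for conn in payload["VpnConnections"]:
        for t in conn["VgwTelemetry"]:
            states[t["OutsideIpAddress"]] = (t["Status"] == "UP"
                                             and t.get("AcceptedRouteCount", 0) > 0)
    return states


def redundancy_level(payload):
    """'full': every tunnel of every VPN is UP; 'degraded': each VPN still has
    at least one tunnel UP; 'vpn-down': some VPN has no tunnel UP;
    'isolated': nothing is UP."""
    per_vpn = []
    for conn in payload["VpnConnections"]:
        ups = sum(1 for t in conn["VgwTelemetry"] if t["Status"] == "UP")
        per_vpn.append((ups, len(conn["VgwTelemetry"])))
    if all(up == total for up, total in per_vpn):
        return "full"
    if all(up == 0 for up, _ in per_vpn):
        return "isolated"
    if any(up == 0 for up, _ in per_vpn):
        return "vpn-down"
    return "degraded"


def expected_active_tunnel(payload, med_map=TUNNEL_MED):
    """Lowest MED among tunnels that are UP with routes accepted; None if none."""
    states = tunnel_states(payload)
    usable = [(med, name) for ip, (name, med) in med_map.items() if states.get(ip)]
    return min(usable)[1] if usable else None


def with_tunnels_down(payload, *ips):
    """Copy of the payload with the given tunnels marked DOWN (simulated outage,
    the same effect as disabling the BGP peer in step 10)."""
    out = copy.deepcopy(payload)
    for conn in out["VpnConnections"]:
        for t in conn["VgwTelemetry"]:
            if t["OutsideIpAddress"] in ips:
                t.update(Status="DOWN", StatusMessage="IPSEC IS DOWN", AcceptedRouteCount=0)
    return out


if __name__ == "__main__":
    scenarios = [("all up", SAMPLE),
                 ("tunnel 1 down", with_tunnels_down(SAMPLE, "203.0.113.11")),
                 ("VPN 1 down", with_tunnels_down(SAMPLE, "203.0.113.11", "203.0.113.12"))]
    for label, p in scenarios:
        print(f"{label:14s} redundancy={redundancy_level(p):9s} active={expected_active_tunnel(p)}")
```

Feeding the real CLI output into `redundancy_level` from a scheduled job gives you an alert the moment the design drops from "full" to "degraded", which is the state the step 10 test deliberately creates and the one you want to notice in production before the second tunnel also fails.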

Done, we have successfully connected AWS Cloud to on-premise using redundant VPN tunnels. Hope this helps you! Don't forget to comment if you have any doubts, and follow me for further articles :")

References:

https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html

https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-redundant-connection.html

https://cloud.google.com/architecture/build-ha-vpn-connections-google-cloud-aws

https://aws.amazon.com/premiumsupport/knowledge-center/backup-vpn-connection/

https://aws.amazon.com/premiumsupport/knowledge-center/vpn-configure-tunnel-preference/
