Connecting AWS VPC to Azure VNet using IPsec Tunnel

Step by step: Connect Azure Vnet to an Existing AWS VPC powered by a StrongSwan instance.

Here is how you can connect Amazon VPC to Azure VNet using a secure tunnel.

Updated: This blog post has been updated thanks to the comments of @Thermi6

Hi Folks,

My current workplace is planning a migration from AWS to Azure. As we all know, migrating from one cloud provider with multiple servers to another is a complex task. In our case we wanted to move one environment at a time. This way we can move the whole stack for, let's say, the TEST environment to Azure and validate our changes.

In this blog post I will show how to create a site-to-site IPsec tunnel that connects a VPC (Virtual Private Cloud) hosted in AWS to a VNet (Virtual Network) in Azure. With this setup, servers in both clouds have full connectivity over the IPsec tunnel.

We are a full Linux shop, so we selected an Ubuntu instance running StrongSwan as the tunnel endpoint on the AWS side and an Azure Virtual Network Gateway on the Azure side.

So let's get started...

Setting up your VPC

If you already have a VPC set up, go ahead and skip this section.

Using the AWS console, create a new VPC. I am going to use 172.30.0.0/16:

Create a new subnet in that VPC. I am going to use 172.30.0.0/24:

Then launch a new EC2 Ubuntu instance in the VPC and subnet created above:

Click on Launch new instance:

Select Ubuntu 16.04 LTS from the list:

Select the VPC we created above and check that Auto-assign Public IP is enabled:

Copy the public IP once the instance is launched; we will use it in the next steps:

Disable source/destination checking on the instance. A VPN endpoint forwards packets whose source or destination address is not its own, and with the check enabled AWS drops such packets.

By default, a new instance launched in the subnet gets a public IP. If you have changed the default behaviour, you will have to allocate a new Elastic IP address and associate it with the instance.

It is usually a good idea to set the hostname of your EC2 instance and add it to /etc/hosts, because StrongSwan's ipsec command tries to resolve the current instance's hostname:

vim /etc/hostname
vim /etc/hosts
sudo service hostname restart

Deploying the Azure VNet and Gateway

  • We are going to use the Resource Group deployment model. So go ahead and create a Resource Group and name it Azure2Aws:
  • Next add a Virtual Network (VNet) in the resource group:
  • Fill in the required details. For the Azure side I am going to create a subnet in the address range 172.40.0.0/24, so that it does not clash with the subnet on the AWS side.
  • In the Virtual Network, set the Gateway subnet to 172.40.200.0/29.
  • Next add a Virtual Network Gateway in the resource group.

Click Create in the Virtual network gateway blade and fill in the info as below. (It may take up to 30 minutes to allocate this gateway.)

Note down the Public IP Address of the Virtual network Gateway. We will need it later.

  • Next add a Local Network Gateway in Azure2Aws:

Fill in the information of the AWS VPC (the public IP address assigned to our StrongSwan server). Put 172.30.0.0/16 in the address space; this is the address space of our VPC.

  • Wait until the Local Network Gateway is created. Once it exists, go to the settings of the local network gateway and create a new connection.

Give it the name Azure2awsconnect and attach the Virtual Network Gateway we created earlier. Add a secure PSK; DO NOT use abcde12345 in a production environment.

Update: This blog post assumes that all your networking is in the 172.30.0.0/16 subnet: your AWS side is on 172.30.0.0/24 and the Azure side is on 172.40.0.0/24. If your network topology is different, you may have to set up routes manually.

Setup Strongswan

  • First install StrongSwan on your Ubuntu instance
sudo apt-get update
sudo apt-get install strongswan
  • Modify /etc/strongswan/ipsec.conf with these settings
conn azure
  authby=secret
  type=tunnel
  leftsendcert=never
  left=[IP Address of this Server]
  leftsubnet=172.30.0.0/16
  right=[IP Address of Azure Gateway]
  rightsubnet=172.40.0.0/24
  keyexchange=ikev2
  ikelifetime=10800s
  keylife=57m
  keyingtries=1
  rekeymargin=3m
  compress=no
  auto=route

Update: The old revision had auto=start; it has been changed to auto=route.

  • Here are the keys you should change for your specific deployment:

    • left - the local IP address of the StrongSwan server
    • leftsubnet - the local subnet of the VPC
    • right - the public IP address of the Azure VNet Gateway
    • rightsubnet - the local subnet of the Azure VNet (not to be confused with the gateway subnet)
  • Now we need to configure StrongSwan with the shared secret key. Modify the file at /etc/strongswan/ipsec.secrets and add the line:

[STRONGSWAN LOCAL IP] [AZURE VNET GATEWAY PUBLIC IP] : PSK "[YOUR SHARED KEY]"

  • The shared key must be the same as the one we gave in the Local Network Gateway connection.

  • For the StrongSwan instance to forward traffic between the Azure VNet and the AWS VPC, we'll have to enable IP forwarding. On the EC2 instance, uncomment or add the following line in /etc/sysctl.conf:

    net.ipv4.ip_forward=1
    

    Update: Depending on your kernel version, you might also have to add net.ipv4.conf.all.rp_filter=2

  • Restart StrongSwan for the changes to take effect

    sudo service strongswan restart
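As an added pre-flight check that is not part of the original post, the following Python script validates the three files edited in this section before StrongSwan is restarted: it parses the conn azure block, checks that the two subnets do not overlap, confirms the PSK in ipsec.secrets is not the example value, and confirms ip_forward is set. The sample file contents are constructed, with 172.30.0.10 standing in for the EC2 instance and 203.0.113.7 for the Azure gateway public IP.

```python
import ipaddress
import re

# Constructed sample files mirroring the post's settings; 203.0.113.7 is a
# placeholder for the Azure gateway public IP, 172.30.0.10 for the EC2 host.
SAMPLE_IPSEC_CONF = """\
conn azure
  left=172.30.0.10
  leftsubnet=172.30.0.0/16
  right=203.0.113.7
  rightsubnet=172.40.0.0/24
  keyexchange=ikev2
  auto=route
"""
SAMPLE_SECRETS = '172.30.0.10 203.0.113.7 : PSK "abcde12345"\n'
SAMPLE_SYSCTL = "net.ipv4.ip_forward=1\nnet.ipv4.conf.all.rp_filter=2\n"

def parse_conn(text, name="azure"):
    """Return the key=value settings of one 'conn <name>' section as a dict."""
    settings, inside = {}, False
    for line in text.splitlines():
        if re.match(r"conn\s+\S+", line):
            inside = line.split()[1] == name
            continue
        if inside and "=" in line:
            key, value = line.strip().split("=", 1)
            settings[key.strip()] = value.strip()
    return settings

def check_tunnel(conf_text, secrets_text, sysctl_text):
    """Return a list of findings; an empty list means the three files pass."""
    findings = []
    conn = parse_conn(conf_text)
    for key in ("left", "leftsubnet", "right", "rightsubnet"):
        if key not in conn:
            findings.append(f"ipsec.conf: missing {key}")
    if conn.get("keyexchange") != "ikev2":
        findings.append("ipsec.conf: Azure VNet gateway expects keyexchange=ikev2")
    if "leftsubnet" in conn and "rightsubnet" in conn:
        left = ipaddress.ip_network(conn["leftsubnet"], strict=False)
        right = ipaddress.ip_network(conn["rightsubnet"], strict=False)
        if left.overlaps(right):  # overlapping prefixes make routing ambiguous
            findings.append(f"ipsec.conf: {left} and {right} overlap")
    match = re.search(r':\s*PSK\s+"([^"]*)"', secrets_text)
    secret = match.group(1) if match else ""  # a missing line counts as empty
    if secret == "abcde12345" or len(secret) < 20:
        findings.append("ipsec.secrets: PSK is the example value or shorter than 20 chars")
    if not re.search(r"^\s*net\.ipv4\.ip_forward\s*=\s*1\s*$", sysctl_text, re.M):
        findings.append("sysctl.conf: net.ipv4.ip_forward=1 is not set")
    return findings
```

Editing /etc/sysctl.conf alone does not change the running kernel setting; run sudo sysctl -p (or reboot) before restarting StrongSwan.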
    

Testing the Connection

We can test this connection by creating a VM in the Azure VNet and pinging it from our StrongSwan server.

Let's say the IP of the Azure VM is 172.40.0.5.

From the AWS instance, try:

ping 172.40.0.5
64 bytes from 172.40.0.5: icmp_seq=892 ttl=62 time=26.1 ms
64 bytes from 172.40.0.5: icmp_seq=893 ttl=62 time=26.2 ms
64 bytes from 172.40.0.5: icmp_seq=894 ttl=62 time=25.8 ms
...
64 bytes from 172.40.0.5: icmp_seq=929 ttl=62 time=25.4 ms

You should see the same thing when you ping the AWS instance from the Azure VM:

ping 172.30.0.10
64 bytes from 172.30.0.10: icmp_seq=892 ttl=62 time=26.1 ms
64 bytes from 172.30.0.10: icmp_seq=893 ttl=62 time=26.2 ms
64 bytes from 172.30.0.10: icmp_seq=894 ttl=62 time=25.8 ms
...
64 bytes from 172.30.0.10: icmp_seq=929 ttl=62 time=25.4 ms