Here is how you can connect Amazon VPC to Azure VNet using a secure tunnel.
Updated: This blog post has been updated thanks to the comments of @Thermi6
My current workplace is planning a migration from AWS to Azure. As we all know, migrating from one cloud provider with multiple servers to another provider is a complex task. In our case we wanted to move one environment at a time. This way we can move the whole stack for, let's say, the TEST environment to Azure and validate our changes.
In this blog post I will show how to create a site-to-site IPsec tunnel that connects a VPC (Virtual Private Cloud) hosted in AWS to a VNet (Virtual Network) in Azure. With this setup, servers in both clouds have full connectivity over the IPsec tunnel.
We are a full Linux shop, so we selected an Ubuntu instance running StrongSwan as the tunnel endpoint on the AWS side and an Azure Virtual Network Gateway on the Azure side.
So let's get started...
Setting up your VPC
If you already have a VPC set up, go ahead and skip this section.
Using the AWS console, create a new VPC. I am going to use
Create a new subnet in the given VPC. I am going to use
Then launch a new EC2 Ubuntu instance in the VPC and subnet created in the step above:
Click on Launch new instance:
Select Ubuntu 16.04 LTS from the list:
Select the VPC we created above and check that Auto-assign Public IP is selected:
Copy the Public IP once the instance is launched; we will be using it in the next steps:
Disable source/destination checking on the instance
Now, by default a new instance launched in the subnet will get a public IP. If you have changed the default behaviour you will have to allocate a new Elastic IP address and associate it with the instance.
It's usually a good idea to add the hostname of your EC2 instance to its /etc/hosts file, as StrongSwan's ipsec command tries to resolve the current instance's hostname:
vim /etc/hostname
vim /etc/hosts
sudo service hostname restart
Deploying the Azure VNet and Gateway
- We are going to use the Resource Group deployment model. So go ahead and create a Resource Group and name it Azure2Aws:
- Next add a Virtual Network (VNet) in the resource group:
- Fill in the required details. For the Azure side of things I am going to create a subnet in the address range 184.108.40.206/24, so that it does not clash with the subnet on the AWS side.
- In the Virtual Network change the Gateway subnet to
- Next add a Virtual Network Gateway in the Resource Group.
Click Create in the Virtual network gateway blade and fill in the info as below. (It may take up to 30 minutes to allocate this gateway.)
Note down the Public IP Address of the Virtual network Gateway. We will need it later.
- Next add a Local Network Gateway in Azure2Aws:
Fill in the information for the AWS VPC (the IP address assigned to our StrongSwan server). Put 172.30.0.0/16 in the address space; this is the address space of our VPC.
- Wait until the Local Network Gateway is created. Once it is created, in the settings of the local network gateway create a new connection.
Give it a name, Azure2awsconnect, and attach the Virtual network gateway we created earlier. Add a secure PSK; DO NOT use abcde12345 in a production environment.
Update: This blog post assumes that all your networking is in the 172.30.0.0/16 subnet, your AWS side is on 172.30.0.0/24 and the Azure side is on 220.127.116.11/24. If your network topology is different, you may have to set up routes manually.
- First install StrongSwan on your Ubuntu instance:
sudo apt-get update
sudo apt-get install strongswan
Modify the file at /etc/strongswan/ipsec.conf with these settings:
conn azure
    authby=secret
    type=tunnel
    leftsendcert=never
    left=[IP Address of this Server]
    leftsubnet=172.30.0.0/16
    right=[IP Address of Azure Gateway]
    rightsubnet=18.104.22.168/24
    keyexchange=ikev2
    ikelifetime=10800s
    keylife=57m
    keyingtries=1
    rekeymargin=3m
    compress=no
    auto=route
Update: The old revision had auto=start; it has been changed to
Here are the keys you should change for your specific deployment:
- left - The local IP address of the StrongSwan server
- leftsubnet - The local subnet of the VPC
- right - The public IP address of the Azure VNet Gateway
- rightsubnet - The local subnet of the Azure VNet (not to be confused with the gateway subnet)
Now we need to configure StrongSwan with the shared secret key. Modify the file at /etc/strongswan/ipsec.secrets and add the line:
[STRONGSWAN LOCAL IP] [AZURE VNET GATEWAY PUBLIC IP] : PSK "[YOUR SHARED KEY]"
The shared key must be the same as the one we gave in the Local network Gateway connection.
<gr_insert_placeholder/>
Testing the Connection
We can test this connection by creating a VM in the Azure VNet and pinging it from our Strongswan server.
Lets say the ip for the Azure VM is
From the AWS instance try
ping 22.214.171.124 64 bytes from 126.96.36.199: icmp_seq=892 ttl=62 time=26.1 ms 64 bytes from 188.8.131.52: icmp_seq=893 ttl=62 time=26.2 ms 64 bytes from 184.108.40.206: icmp_seq=894 ttl=62 time=25.8 ms ... 64 bytes from 220.127.116.11: icmp_seq=929 ttl=62 time=25.4 ms
You should see the same thing as well when you ping the the Azure instance to AWS
comments powered by Disqus
ping 172.30.0.10 64 bytes from 172.30.0.10: icmp_seq=892 ttl=62 time=26.1 ms 64 bytes from 172.30.0.10: icmp_seq=893 ttl=62 time=26.2 ms 64 bytes from 172.30.0.10: icmp_seq=894 ttl=62 time=25.8 ms ... 64 bytes from 172.30.0.10: icmp_seq=929 ttl=62 time=25.4 ms