Multi-Cloud HA VPN Connection between AWS and GCP

Divya Kurothe
Published in Level Up Coding
Feb 16, 2023


Let’s start from the very beginning…

What is VPN?

A VPN (or a Virtual Private Network) is a technology initially developed to serve businesses. Its primary function was to provide secure, cheap, and flexible solutions to protect corporate networks. It made work tools and data accessible to the employees and restricted access to everyone else.

Rather than relying on expensive hardware to set up closed-off networks, a VPN connection uses the open internet to safely transfer data via an encrypted tunnel. Since the internet is public by design, encryption serves as a deterrent for rogue agents lurking in the same environment.

Types of VPNs

Remote Access VPN: A remote access VPN is a temporary encrypted connection between the business’s datacenter and the user’s device. It becomes active only when the user enables it; otherwise there is no permanent link. Businesses primarily use this type to securely access the applications and data in a central hub via a VPN tunnel. You can think of it as a VPN connection making a secure pathway from your device to sensitive documents or company materials on the other end.

Site-to-site VPN: A site-to-site VPN is a permanent connection between multiple offices that creates a unified network which is always on. It needs separate configuration on both networks, and it works best when you have multiple remote sites. It can be configured on on-premises routers or on firewalls.

Most common VPN protocols

VPNs use tunnelling protocols that act as the rules for sending data. A protocol gives detailed instructions on how the data is packaged and what checks to perform when it reaches its destination. These different methods directly affect speed and security. Here are the most popular ones.

Internet Protocol Security (IPSec): IPSec is a VPN tunnelling protocol that secures data exchange by enforcing session authentication and data packet encryption. It is twofold encryption — the encrypted message sits in the data packet, which is further encrypted again. IPSec is often combined with other protocols for added security and is frequently used in site-to-site VPN setups because of its broad compatibility.

Layer 2 Tunnelling Protocol (L2TP): L2TP works by generating a tunnel between two L2TP connection points. Once established, it relies on an additional protocol, typically IPSec, to encrypt the data sent through it. L2TP’s layered architecture helps to ensure high security of the exchanged data. It’s another popular choice for site-to-site setups, especially when higher security is needed.

Point-to-Point Tunnelling Protocol (PPTP): PPTP is another tunnelling protocol that creates a tunnel protected by the PPTP cipher. However, since the cipher was created in the ’90s, computing power has increased exponentially, and brute-forcing the cipher would not take long, revealing the exchanged data. For this reason PPTP is rarely used today — tunnelling protocols with more modern encryption are preferable.

SSL and TLS: Secure Socket Layer and Transport Layer Security are the same family of protocols that encrypts HTTPS web pages. With them, the web browser acts as the client, and user access is limited to specific applications rather than the entire network. Since almost all browsers come equipped with SSL and TLS support, no additional software is usually required. Remote access VPNs commonly use SSL/TLS.

OpenVPN: OpenVPN is an open-source enhancement of the SSL/TLS framework with additional cryptographic algorithms to make your encrypted tunnel even safer. It’s the go-to tunnelling protocol for its high security and efficiency. However, compatibility and setup can be hit or miss, as it cannot be installed natively on many devices to form router-to-router VPN networks, so performance may vary.

Secure Shell (SSH): Like the other options, SSH generates an encrypted connection and allows port forwarding to remote machines via a secured channel. It is useful for accessing your office desktop from your laptop at home. While it adds flexibility, SSH channels should always be under close supervision, since they can provide a direct entry point for a breach. That’s why it’s a better fit only for remote access setups.

Setup VPN Connection between AWS and GCP

In this article we will create a High Availability (HA) VPN in GCP to establish a site-to-site connection between the two clouds.

Architecture overview

The architecture described in this document includes the following components:

  • Cloud Router: A fully distributed and managed Google Cloud service to provide dynamic routing using BGP for your VPC networks.
  • HA VPN gateway: A Google-managed VPN gateway running on Google Cloud. Each HA VPN gateway is a regional resource that has two interfaces, interface 0 and interface 1, each with its own external IP address.
  • VPN tunnels: Connections from the HA VPN gateway to the peer VPN gateway on AWS through which encrypted traffic passes.
  • Peer VPN gateway: Two AWS Site-to-Site VPN endpoints, which can be from an AWS virtual private gateway or AWS transit gateway.

First, we need two VPCs, one in each cloud.

AWS VPC
GCP VPC

In the VPN page, we need to configure HA VPN. Google Cloud provides a highly available (HA) VPN service to connect your VPC network to environments running outside of Google Cloud, such as on-premises or on AWS through an IPsec VPN connection. HA VPN provides an SLA of 99.99% service availability when configured based on Google best practices.

Here we got the two interfaces:

Interface 0: 34.124.45.5
Interface 1: 34.157.215.21

In AWS, navigate to Customer Gateways in the VPC section and create two customer gateways, one for each interface IP, with ASN 65000 (the ASN we will assign to the Cloud Router on the GCP side).

Customer Gateways

Next, we will create a Virtual Private Gateway with ASN 65001 on the AWS side and attach it to our AWS VPC.

Virtual private gateway

In the route table configuration, enable route propagation for our Virtual Private Gateway so that routes learned over BGP are installed automatically.

AWS Route

Create two Site-to-Site VPN connections, one for each pre-created Customer Gateway, both using the Virtual Private Gateway.

AWS VPN Connection

Here we need to download the configuration of both the VPN Connections.

Open the downloaded configuration of the first VPN Connection and note the ‘Outside IP Addresses’ of the ‘Virtual Private Gateway’ for both the IPSec Tunnels.

IPSec Tunnel #1
===================
Outside IP Addresses:
- Customer Gateway : 34.124.45.5
- Virtual Private Gateway : 43.204.129.161
IPSec Tunnel #2
===================
Outside IP Addresses:
- Customer Gateway : 34.124.45.5
- Virtual Private Gateway : 43.205.21.91

Next, open the configuration file of the second VPN Connection and note its two ‘Outside IP Addresses’ as well.

IPSec Tunnel #1
===================
Outside IP Addresses:
- Customer Gateway : 34.157.215.21
- Virtual Private Gateway : 3.109.69.120
IPSec Tunnel #2
===================
Outside IP Addresses:
- Customer Gateway : 34.157.215.21
- Virtual Private Gateway : 13.235.148.230

Now, navigate to the peer VPN gateway page in the GCP console, select ‘four interfaces’ for the peer VPN gateway, enter the four recorded Virtual Private Gateway IPs, and create it.

Peer VPN Gateway

In the Cloud VPN gateway, click on ‘Add VPN Tunnel’ and select our peer VPN gateway from the drop-down. Create the Cloud Router with the following configuration (its ASN must be 65000, matching the Customer Gateways created in AWS):

Cloud Router Creation

Next, in the tunnel section, you can see the four tunnels that we need to configure. For the first tunnel, open the downloaded config file and copy the pre-shared key of IPSec Tunnel #1, making sure the Virtual Private Gateway IP in that config section is the same as the associated peer VPN gateway interface. Repeat the same for all four tunnels and click on ‘create and continue’.

Configuring tunnels

The last step is to configure the BGP session. Again, open the downloaded config file and get the following information for the first tunnel:

Inside IP Addresses
- Customer Gateway : 169.254.251.230/30
- Virtual Private Gateway : 169.254.251.229/30

In the Configure BGP section, provide the AWS-side ASN 65001 as the peer ASN, and allocate the BGP IPv4 addresses manually: the local address is the inside IP of the Customer Gateway and the peer address is the inside IP of the Virtual Private Gateway.
Repeat the process for the remaining three tunnels.
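As an added example (not part of the original article), the following Python script parses the two downloaded AWS configuration files and derives the four GCP tunnel and BGP-session settings from the steps above, enforcing the pairing rules as it goes. The AWS file contents are constructed stand-ins that follow the article's excerpts; the pre-shared keys and the inside IPs of tunnels 2 to 4 are placeholders.

```python
import ipaddress
import re

# From the article: the two HA VPN interface IPs and the AWS-side (VPG) ASN.
HA_VPN_INTERFACES = {0: "34.124.45.5", 1: "34.157.215.21"}
AWS_ASN = 65001
# Constructed stand-in for the lines of an AWS Site-to-Site VPN configuration download
# that the article reads. Outside IPs are the article's; PSKs and the inside IPs of
# tunnels 2-4 are placeholders.
BLOCK = ("IPSec Tunnel #{n}\n  - Pre-Shared Key : {psk}\nOutside IP Addresses:\n"
         "  - Customer Gateway : {cgw}\n  - Virtual Private Gateway : {vgw}\n"
         "Inside IP Addresses\n  - Customer Gateway : {icgw}/30\n"
         "  - Virtual Private Gateway : {ivgw}/30\n")
AWS_CONFIG_DOWNLOADS = [
    BLOCK.format(n=1, psk="PSK-A1", cgw="34.124.45.5", vgw="43.204.129.161",
                 icgw="169.254.251.230", ivgw="169.254.251.229")
    + BLOCK.format(n=2, psk="PSK-A2", cgw="34.124.45.5", vgw="43.205.21.91",
                   icgw="169.254.10.2", ivgw="169.254.10.1"),
    BLOCK.format(n=1, psk="PSK-B1", cgw="34.157.215.21", vgw="3.109.69.120",
                 icgw="169.254.20.2", ivgw="169.254.20.1")
    + BLOCK.format(n=2, psk="PSK-B2", cgw="34.157.215.21", vgw="13.235.148.230",
                   icgw="169.254.30.2", ivgw="169.254.30.1"),
]
TUNNEL_RE = re.compile(  # one match per "IPSec Tunnel #n" section
    r"IPSec Tunnel #(\d+).*?Pre-Shared Key\s*:\s*(\S+).*?Outside IP Addresses:"
    r".*?Customer Gateway\s*:\s*(\S+).*?Virtual Private Gateway\s*:\s*(\S+)"
    r".*?Inside IP Addresses.*?Customer Gateway\s*:\s*(\S+).*?Virtual Private Gateway\s*:\s*(\S+)",
    re.S)

def plan_tunnels(configs=AWS_CONFIG_DOWNLOADS, ha_ifaces=HA_VPN_INTERFACES, aws_asn=AWS_ASN):
    """Return the four GCP tunnel + BGP-session specs, enforcing the article's pairing
    rules: HA VPN interface = Customer Gateway outside IP, peer-gateway interface =
    Virtual Private Gateway outside IP, BGP IPs = the two ends of the tunnel's /30."""
    iface_of = {ip: i for i, ip in ha_ifaces.items()}
    tunnels = []
    for cfg in configs:
        for n, psk, cgw_out, vgw_out, cgw_in, vgw_in in TUNNEL_RE.findall(cfg):
            if cgw_out not in iface_of:
                raise ValueError(f"tunnel {n}: {cgw_out} is not an HA VPN interface IP")
            local, peer = ipaddress.ip_interface(cgw_in), ipaddress.ip_interface(vgw_in)
            if local.network.prefixlen != 30 or local.network != peer.network:
                raise ValueError(f"tunnel {n}: {cgw_in} and {vgw_in} are not one /30 link")
            tunnels.append({"ha_vpn_interface": iface_of[cgw_out], "peer_interface": len(tunnels),
                            "peer_ip": vgw_out, "shared_secret": psk, "bgp_peer_asn": aws_asn,
                            "bgp_local_ip": str(local.ip), "bgp_peer_ip": str(peer.ip)})
    # HA requires four tunnels, two per HA VPN interface, each to a distinct AWS endpoint.
    if len(tunnels) != 4 or len({t["peer_ip"] for t in tunnels}) != 4 or any(
            sum(t["ha_vpn_interface"] == i for t in tunnels) != 2 for i in ha_ifaces):
        raise ValueError("need 4 tunnels, 2 per HA VPN interface, to 4 distinct AWS endpoints")
    return tunnels
```

Each returned dict holds exactly the fields entered per tunnel in the GCP console: the HA VPN interface, the peer VPN gateway interface (in creation order 0 to 3), the shared secret, and the BGP local IP, peer IP and peer ASN.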

Configure BGP Session
GCP VPN Tunnel details

In the AWS VPN Connection console we can also see the status as UP for all four tunnels.

AWS VPN Connection Tunnel details

Finally, we have configured the HA VPN. We can now test connectivity by deploying VMs in both VPCs (AWS VPC and GCP VPC); if we can ping the AWS VM from the GCP VM using its private IP, the VPN is configured successfully.

AWS and GCP VM

That’s all geeks. Thank you for reading :)
