Google Cloud VPN Interop Guide
Using Cloud VPN With Amazon Web Services™ Virtual Private Gateway
Disclaimer: This interoperability guide is intended to be informational in nature and consists of examples only. Customers should verify this information through their own testing. Amazon Web Services, AWS, and the “Powered by Amazon Web Services” logo are trademarks of Amazon.com, Inc. or its affiliates in the United States and/or other countries.
Contents
Introduction
Topology
Preparation Overview
Getting Started
IPsec Parameters
Policy Based IPsec VPN
  Configuration - AWS
    Creating the VPC
    Configuring the VPN
  Configuration - GCP UI
  Configuration - GCP CLI
    Create the VPN Gateway
    Create the VPN Tunnel
IPsec VPN Using Cloud Router
  Configuration - AWS
    Creating the VPC
    Configuring the VPN
  Configuration - Google Cloud Router UI
    Cloud Router
    VPN Tunnel
  Configuration - Google Cloud Router CLI
    Create the VPN Gateway
    Reserve a Static IP
    Create the Cloud Router
    Create the VPN Tunnel
    Add the BGP Link Local Interface
    Add the BGP Peering Session
Testing the Site-to-Site VPN
  Verify Connectivity
  Test the Tunnel
Introduction
This guide walks you through the process of configuring the AWS Virtual Private Gateway for integration with the Google Cloud VPN service. This information is provided as an example only. If utilizing this guidance to configure your AWS implementation, be sure to substitute the correct IP information for your environment.
Topology
This guide describes three VPN topologies:
1. A site-to-site policy based IPsec VPN tunnel configuration using static routing
2. A site-to-site route based IPsec VPN tunnel configuration
3. A site-to-site IPsec VPN tunnel configuration using the Google Cloud Router and BGP
Preparation Overview
The configuration samples which follow include numerous value substitutions provided for the purposes of example only. Any references to IP addresses, device IDs, shared secrets or keys, account information or project names should be replaced with the appropriate values for your environment when following this guide. This guide is intended to assist in the creation of IPsec connectivity to the Google Cloud. The following is a high level overview of the configuration process which will be covered:
● Configuring the Amazon Virtual Private Gateway
● Configuring the Amazon Customer Gateway
● Configuring the Google Cloud Platform VPN
● Setting up the VPN Connection
● Connecting to GCP
● Testing the tunnel
The IPsec connectivity will utilize the pre-shared key generated by AWS for authentication.
Getting Started
The first step is to establish the base networking environment in AWS. The basis of networking in AWS is the Virtual Private Cloud (VPC). Amazon provides documentation for getting started with AWS networking. The basic concepts to understand are:
● Virtual Private Cloud – customer defined private network space in AWS.
● Virtual Private Gateway – the VPN concentrator on the Amazon side of the VPN connection.
● Customer Gateway – AWS reference to the remote IPsec end point. In this case the Google Cloud Platform VPN gateway.
IPsec Parameters
For the AWS IPsec configuration, the following details will be used:

  Parameter                      Value
  -----------------------------  ------------------------------------
  IPsec Mode                     ESP+Auth Tunnel mode (Site-to-Site)
  Auth Protocol                  Pre-shared Key
  Key Exchange                   IKEv1
  Start                          auto
  Perfect Forward Secrecy (PFS)  on
  Dead Peer Detection (DPD)      aggressive
  INITIAL_CONTACT (uniqueids)    on

The IPsec configuration used in this guide is specified below:

  Phase    Cipher Role           Cipher
  -------  --------------------  --------------------------
  Phase 1  Encryption            aes-256
  Phase 1  Integrity             sha-256
  Phase 1  prf                   sha1-96
  Phase 1  Diffie-Hellman (DH)   Group 14 (modp_2048)
  Phase 1  Phase 1 lifetime      36,000 seconds (10 hours)
  Phase 2  Encryption            aes-cbc-256
  Phase 2  Integrity             sha-256
Policy Based IPsec VPN
Configuration - AWS
To get started, log in to the AWS Management Console and select VPC from the main services menu. New AWS accounts will all have a default VPC. For this exercise, create a new VPC to connect to the Google Cloud Platform using the VPC Wizard:

Creating the VPC
The VPC Wizard steps through the creation and configuration of a new VPC. The first step is to select an IP subnet topology. There are options for various combinations of private and public IP addressing, with or without VPN connectivity. Once selected, this cannot be changed. For the test environment, select a Private Subnet Only VPC with Hardware VPN Access:
The next step is to configure the VPC settings:
The following settings must be configured:
● IP CIDR Block: this is the CIDR block for the VPC. It cannot be changed once set. For this test, enter 10.0.0.0/16
● VPC Name: this is the name of the VPC. For this test, enter GCP-Test
● Private Subnet: this is the first subnet allocated from the private IP CIDR block used for AWS services including EC2. Enter 10.0.1.0/24, which is the network on the AWS side that we want to connect to GCP.
● Availability Zone: this is the AWS Availability Zone into which the VPC will be deployed. We will leave this set to no preference
● Private Subnet Name: a friendly name for the private subnet. We will set this to AWS-VPC
● S3 Endpoint: EC2 to S3 connectivity requires a public network link. This option deploys an S3 API gateway endpoint into the selected private subnet. This exercise will not require an S3 endpoint
● Enable DNS Hostnames: this option enables automatic DNS hostname assignment via DHCP for the private subnet. We will leave DNS hostnames enabled
● Hardware Tenancy: this option allows you to select a dedicated instance type for the VPN gateway for higher scale. Use the default option
After completing the form, click Next to proceed to Step 3.
Configuring the VPN
To configure the VPN, enter the Customer Gateway IP, which is the IP address assigned to the Google Cloud Platform VPN gateway created in the Configuration - GCP section:

In addition to the Customer Gateway IP, enter a Customer Gateway name and a VPN Connection name. Next, choose a Routing Type for the VPN connection. This section of the guide covers the static route type VPN, so Static should be selected. Enter the Google Cloud Platform subnet CIDR block under IP Prefix and click Add:

With all required configuration completed, click Create VPC to create the new VPC and finish the Wizard. VPC creation will take a minute or two to complete. Once complete, the management console status will be updated:
The newly created VPC can now be selected from the Dashboard in order to collect the configuration detail required to complete the GCP configuration:
The last step is to collect the IP addresses of the AWS Virtual Gateway and the pre-shared keys used for IKE authentication, which are automatically generated by AWS. This information is stored in the configuration file, which can be downloaded by clicking Download Configuration. Several device specific options are available for configuration format. For GCP, select Generic:

The configuration file is an ASCII text file. The auto-generated pre-shared key will be listed under Pre-Shared Key. A sample configuration file is provided below for reference:

  Amazon Web Services
  Virtual Private Cloud

  VPN Connection Configuration
  ================================================================================
  AWS utilizes unique identifiers to manipulate the configuration of a VPN
  Connection. Each VPN Connection is assigned a VPN Connection Identifier and is
  associated with two other identifiers, namely the Customer Gateway Identifier
  and the Virtual Private Gateway Identifier.

  Your VPN Connection ID            : vpn-c1c6d9d3
  Your Virtual Private Gateway ID   : vgw-f670afe8
  Your Customer Gateway ID          : cgw-3548972b

  A VPN Connection consists of a pair of IPSec tunnel security associations (SAs).
  It is important that both tunnel security associations be configured.

  IPSec Tunnel #1
  ================================================================================
  #1: Internet Key Exchange Configuration

  Configure the IKE SA as follows
    - Authentication Method    : Pre-Shared Key
    - Pre-Shared Key           : auto-generated-pre-shared-key
    - Authentication Algorithm : sha1
    - Encryption Algorithm     : aes-128-cbc
    - Lifetime                 : 28800 seconds
    - Phase 1 Negotiation Mode : main
    - Perfect Forward Secrecy  : Diffie-Hellman Group 2
Configuration - GCP UI
In the Google Cloud Platform Developers Console, select the project into which the VPN will be deployed, or create a new project. More information on creating and managing projects can be found here. To view the current network configuration for the project, select Networking from the main services menu in the Developer Console:

In GCP all projects start with a single network named default at time of creation. The default network is configured with a private IP space and a set of base firewall rules. The default network provides a sufficient starting point for creating a site-to-site IPsec VPN. More information on networking within the Google Cloud Platform can be found in the Networking section of the Google Compute Engine documentation. To configure the AWS side of the VPN, two values are needed from GCP:
● Customer Gateway IP Address: the public IP address of the VPN gateway in Google Cloud
● Routing Type/IP Prefix: the private IP address space associated with the Google Cloud Platform Network
The address space is shown in the network overview and in this example is 10.240.0.0/16:
To get the Customer Gateway IP address, create a Google Cloud VPN gateway. From the Networking menu, select VPN. Any existing VPN gateways will be listed in the main information panel. If no VPN gateways have been created, an option will be provided to create one:
Click Create a VPN to initiate the VPN creation workflow:
The VPN has several user configurable properties:
● Name: a representative name for the VPN connection (must be lowercase)
● Description: free form text describing the gateway (optional)
● Network: the network to which the VPN gateway will be attached
● Region: the region into which the VPN gateway will be deployed
● IP address: the static public IP address which will be assigned to the VPN gateway. A new static IP address can also be allocated at this stage:

Enter the AWS Virtual Private Gateway IP and the pre-shared key collected in the Configuration - AWS section and click Create. The Remote Network IP Ranges should include both the VPC CIDR block as well as any configured subnets. Note that AWS requires IKEv1:
AWS utilizes two tunnels for redundancy. The above steps should be repeated for each tunnel documented in the AWS configuration file.
Configuration - GCP CLI
Cloud VPN can also be configured using the gcloud command line tool. Command line configuration requires two steps. First the VPN Gateway is created, then the tunnels are created referring to the VPN Gateway.

Create the VPN Gateway

  gcloud compute target-vpn-gateways create gcp-to-aws --network to-lab --region us-central1

Create the VPN Tunnel
AWS utilizes two tunnels for redundancy. Repeat this step for each tunnel:

  gcloud compute vpn-tunnels create my-tunnel --shared-secret MySharedSecret --peer-address on-prem-IP --target-vpn-gateway gcp-to-aws --local-traffic-selector gcp-CIDR --remote-traffic-selector on-prem-CIDR
IPsec VPN Using Cloud Router
Configuration - AWS
To get started, log in to the AWS Management Console and select VPC from the main services menu. New AWS accounts will all have a default VPC. For this exercise a new VPC is being created to connect to the Google Cloud Platform using the VPC Wizard:

Creating the VPC
The VPC Wizard steps through the creation and configuration of a new VPC. The first step is to select an IP subnet topology. There are options for various combinations of private and public IP addressing, with or without VPN connectivity. Once selected, this cannot be changed. For the test environment, select a Private Subnet Only VPC with Hardware VPN Access:
The next step is to configure the VPC settings:
The following settings must be configured:
● IP CIDR Block: this is the CIDR block for the VPC. It cannot be changed once set. For this test, enter 10.0.0.0/16
● VPC Name: this is the name of the VPC. For this test, enter GCP-Test
● Private Subnet: this is the first subnet allocated from the private IP CIDR block used for AWS services including EC2. Enter 10.0.1.0/24, which is the network on the AWS side that we want to connect to GCP.
● Availability Zone: this is the AWS Availability Zone into which the VPC will be deployed. We will leave this set to no preference
● Private Subnet Name: a friendly name for the private subnet. We will set this to AWS-VPC
● S3 Endpoint: EC2 to S3 connectivity requires a public network link. This option deploys an S3 API gateway endpoint into the selected private subnet. This exercise will not require an S3 endpoint
● Enable DNS Hostnames: this option enables automatic DNS hostname assignment via DHCP for the private subnet. We will leave DNS hostnames enabled
● Hardware Tenancy: this option allows you to select a dedicated instance type for the VPN gateway for higher scale. Use the default option
After completing the form, click Next to proceed to Step 3.
Configuring the VPN
To configure the VPN, enter the Customer Gateway IP, which is the IP address assigned to the Google Cloud Platform VPN gateway created in the Configuration - GCP section:

In addition to the Customer Gateway IP, enter a Customer Gateway name and a VPN Connection name. Next, choose a Routing Type for the VPN connection. This section of the guide covers VPN with BGP route management, so Dynamic should be selected. Enter the Google Cloud Platform subnet CIDR block under IP Prefix and click Add:

With all required configuration completed, click Create VPC to create the new VPC and finish the Wizard. VPC creation will take a minute or two to complete. Once complete, the management console status will be updated:
The newly created VPC can now be selected from the Dashboard in order to collect the configuration detail required to complete the GCP configuration:
AWS utilizes two tunnels for redundancy. The last step is to collect the IP addresses of the AWS Virtual Gateway and the pre-shared keys used for IKE authentication, which are automatically generated by AWS. These configuration details can be downloaded by clicking Download Configuration. Several device specific options are available for configuration format. For GCP, select Generic:

The configuration file is an ASCII text file. The auto-generated pre-shared key will be listed under Pre-Shared Key and cannot be user defined. The link local address for BGP peering will be listed under Inside Addresses and also cannot be user defined.

Configuration - Google Cloud Router UI
Google Cloud Router enables dynamic Border Gateway Protocol (BGP) route updates between your Google Cloud Platform network and your on-premise network. For the initial release, Cloud Router supports BGP for Cloud VPN only. Cloud Router works with both legacy networks and Subnetworks.

Cloud Router
The first step in configuring the Google Cloud Platform for site-to-site VPN connectivity utilizing BGP and the Google Cloud Router is to create a new cloud router. From the Developer Console, select Networking and then Cloud Routers. From the workspace select Create Router:
All parameters needed to create a new cloud router are entered on this page. A detailed description of each parameter is provided below:
● Name: the name of the cloud router.
● Description: a brief description of the cloud router.
● Network: the GCP network the cloud router will attach to. Note: this is the network on which route information will be managed.
● Region: the home region of the cloud router. Note: the cloud router must be in the same region as the subnetworks it is connecting.
● Google ASN: the BGP Autonomous System Number assigned to the cloud router. Use the ASN assigned by the Amazon VPC Creation Wizard to the Customer Gateway configuration, found in the configuration file downloaded in the final step of the Configuration - AWS section of this document:

  BGP Configuration Options:
    - Customer Gateway ASN          : 65000
    - Virtual Private Gateway ASN   : 7224
    - Neighbor IP Address           : 169.254.12.185
    - Neighbor Hold Time            : 30

The newly created instance will appear in the list of Cloud Routers. Click Configure under VPN Gateway to create the VPN tunnel. AWS utilizes dual redundant IPsec VPN tunnels. Two tunnels will be created, matching the AWS configuration.
VPN Tunnel
All parameters needed to create a new VPN connection are entered on this page. AWS utilizes two tunnels for redundancy. The following step should be repeated for each tunnel documented in the AWS configuration file. A detailed description of each parameter is provided below:

The following parameters are required for the VPN gateway:
● Name: the name of the VPN gateway.
● Description: a brief description of the VPN connection.
● Network: the GCP network the VPN gateway will attach to. Note: this is the network to which VPN connectivity will be made available.
● Region: the home region of the VPN gateway. Note: the VPN gateway must be in the same region as the subnetworks it is connecting.
● IP address: the static public IP address which will be used by the VPN gateway. An existing, unused, static public IP address within the project can be assigned, or a new one can be created.

The following parameters are required for each Tunnel which will be managed by the VPN gateway:
● Remote peer IP address: the public IP address of the on premises VPN appliance which will be used to connect to Cloud VPN.
● IKE version: the IKE protocol version. AWS requires IKEv1
● Shared secret: a shared secret used for mutual authentication by the VPN gateways. Provided in the configuration file downloaded in the final step of the Configuration - AWS section of this document.
● Routing options: Cloud VPN supports multiple routing options for the exchange of route information between the VPN gateways. For this example Dynamic (BGP) is being used. Static Routes were covered earlier in this guide.
● Cloud Router: the Cloud Router instance associated with this VPN tunnel created in the Cloud Router section.
● BGP session: the BGP configuration to be used by the Cloud Router for this VPN tunnel. Click the pencil to create a new configuration:

The following parameters are required to configure the BGP session:
● Name: the name of the BGP session
● Peer ASN: Provided in the configuration file downloaded in the final step of the Configuration - AWS section of this document as the “Virtual Private Gateway ASN”:

  BGP Configuration Options:
    - Customer Gateway ASN          : 65000
    - Virtual Private Gateway ASN   : 7224
    - Neighbor IP Address           : 169.254.12.185
    - Neighbor Hold Time            : 30

● Google BGP IP address, Peer BGP IP address: Provided in the configuration file downloaded in the final step of the Configuration - AWS section of this document:

  Inside IP Addresses
    - Customer Gateway              : 169.254.12.186/30
    - Virtual Private Gateway       : 169.254.12.185/30

Once all of the BGP session info has been entered, click Save and continue to complete. When all information for the tunnels has been entered successfully, click Create on the Create a VPN connection form to create the new dual tunnel VPN connection.
Configuration - Google Cloud Router CLI
Cloud VPN can also be configured using the gcloud command line tool. Command line configuration requires multiple steps.

Create the VPN Gateway
Create the VPN gateway. Make note of the chosen name (my-gateway), network and region for use in future steps:

  gcloud compute target-vpn-gateways create my-gateway --project my-project --network my-network --region my-region

Reserve a Static IP
Reserve a static IP address in the Google Cloud Platform network and region where the VPN gateway was created. Make a note of the created address for use in future steps.

  gcloud compute addresses create vpn-static-ip --project my-project --region my-region
Create the Cloud Router
The Amazon VPC Creation Wizard automatically assigns a BGP ASN (65000) to the Customer Gateway. This ASN should be used as the value of --asn:

  gcloud beta compute --project my-project routers create my-router --region my-region --network my-network --asn my-AWS-provided-customer-gateway-asn

Create the VPN Tunnel
Create the VPN tunnel referencing the VPN gateway and Cloud Router created earlier. Make note of the chosen tunnel name for use in future steps. The peer-address should be set to the AWS Virtual Private Gateway IP and the shared-secret should be set to the AWS assigned pre-shared key, both provided in the configuration file downloaded in the final step of the Configuration - AWS section of this document. AWS utilizes two tunnels for redundancy. The following step should be repeated for each tunnel documented in the AWS configuration file.

  gcloud beta compute --project my-project vpn-tunnels create my-tunnel --region my-region --ike-version 1 --target-vpn-gateway my-gateway --peer-address my-AWS-virtual-private-gateway-IP --shared-secret my-AWS-provided-PSK --router my-router

Add the BGP Link Local Interface
Update the configuration of the Cloud Router created earlier to add a virtual interface (--interface-name) for the BGP peer referencing the VPN tunnel created above. The BGP interface IP address must be the link-local IP address provided by Amazon as the Customer Gateway Inside IP in the configuration file downloaded in the final step of the Configuration - AWS section of this document.

  gcloud beta compute --project my-project routers add-interface my-router --interface-name my-if --ip-address my-AWS-provided-Customer-Gateway-inside-IP --mask-length 30 --vpn-tunnel my-tunnel --region my-region

Add the BGP Peering Session
Update the Cloud Router config to add the BGP peer to the interface. Use the ASN and peer IP address provided by Amazon as the Virtual Private Gateway ASN and the Virtual Private Gateway Inside IP in the configuration file downloaded in the final step of the Configuration - AWS section of this document.

  gcloud beta compute --project my-project routers add-bgp-peer my-router --peer-name bgp-peer1 --interface-name my-if --peer-ip-address my-AWS-provided-virtual-private-gateway-inside-IP --peer-asn my-AWS-provided-virtual-private-gateway-ASN --region my-region
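The script below is an added example and is not part of this guide or of either vendor's tooling. It reads the per-tunnel values the Cloud Router steps above need (pre-shared key, Virtual Private Gateway outside IP, inside link-local pair and ASNs) out of the AWS Generic configuration file, checks that the inside addresses really share a /30 and that the router ASN matches the Customer Gateway ASN, and fills them into the three per-tunnel gcloud commands. The sample file is constructed from the fragments quoted in this guide; the "Outside IP Addresses" section header, the made-up PSKs and IPs, and the tunnel and interface names are assumptions.

```python
import ipaddress
import re

# Constructed sample in the layout of the AWS "Generic" configuration file the
# guide describes; PSKs, outside IPs and the second /30 are made-up values.
TUNNEL_TEMPLATE = """\
IPSec Tunnel #{n}
#1: Internet Key Exchange Configuration
  - Pre-Shared Key           : {psk}
Outside IP Addresses:
  - Customer Gateway         : 203.0.113.10
  - Virtual Private Gateway  : {vgw_out}
Inside IP Addresses
  - Customer Gateway         : {cgw_in}/30
  - Virtual Private Gateway  : {vgw_in}/30
BGP Configuration Options:
  - Customer Gateway ASN         : 65000
  - Virtual Private Gateway ASN  : 7224
"""
SAMPLE_CONFIG = "Your VPN Connection ID : vpn-c1c6d9d3\n" + TUNNEL_TEMPLATE.format(
    n=1, psk="psk-one-CONSTRUCTED", vgw_out="198.51.100.1",
    cgw_in="169.254.12.186", vgw_in="169.254.12.185") + TUNNEL_TEMPLATE.format(
    n=2, psk="psk-two-CONSTRUCTED", vgw_out="198.51.100.2",
    cgw_in="169.254.13.2", vgw_in="169.254.13.1")

def _field(chunk, section, label):
    """Value of the first '- <label> : <value>' line after <section>."""
    m = re.search(re.escape(section) + r".*?-\s*" + re.escape(label) + r"\s*:\s*(\S+)", chunk, re.S)
    if not m:
        raise ValueError(f"{label!r} not found after {section!r}")
    return m.group(1)

def parse_aws_generic_config(text):
    """Split the file on its 'IPSec Tunnel #N' headers and read each tunnel's values."""
    parts = re.split(r"^IPSec Tunnel #(\d+)\s*$", text, flags=re.M)
    tunnels = []
    for num, chunk in zip(parts[1::2], parts[2::2]):
        inside = lambda who: _field(chunk, "Inside IP Addresses", who).split("/")[0]
        tunnels.append({
            "number": int(num),
            "psk": _field(chunk, "Internet Key Exchange", "Pre-Shared Key"),             # --shared-secret
            "peer_ip": _field(chunk, "Outside IP Addresses", "Virtual Private Gateway"),  # --peer-address
            "cgw_inside": inside("Customer Gateway"),         # Cloud Router interface --ip-address
            "vgw_inside": inside("Virtual Private Gateway"),  # --peer-ip-address
            "cgw_asn": int(_field(chunk, "BGP", "Customer Gateway ASN")),         # Cloud Router --asn
            "vgw_asn": int(_field(chunk, "BGP", "Virtual Private Gateway ASN")),  # --peer-asn
        })
    return tunnels

def check_tunnel(t, router_asn):
    """Sanity checks before the values are pasted into gcloud; returns a list of problems."""
    problems = []
    cgw, vgw = ipaddress.ip_interface(t["cgw_inside"] + "/30"), ipaddress.ip_interface(t["vgw_inside"] + "/30")
    if cgw.network != vgw.network:
        problems.append("inside addresses are not in the same /30")
    if router_asn != t["cgw_asn"]:
        problems.append(f"Cloud Router ASN {router_asn} != Customer Gateway ASN {t['cgw_asn']}")
    return problems

def cloud_router_commands(t, project, region, gateway, router):
    """The guide's three per-tunnel gcloud steps with this tunnel's values filled in."""
    tun, iface, p = f"aws-tunnel-{t['number']}", f"aws-if-{t['number']}", f"--project {project}"
    return [
        f"gcloud beta compute {p} vpn-tunnels create {tun} --region {region} --ike-version 1 "
        f"--target-vpn-gateway {gateway} --peer-address {t['peer_ip']} --shared-secret {t['psk']} --router {router}",
        f"gcloud beta compute {p} routers add-interface {router} --interface-name {iface} "
        f"--ip-address {t['cgw_inside']} --mask-length 30 --vpn-tunnel {tun} --region {region}",
        f"gcloud beta compute {p} routers add-bgp-peer {router} --peer-name bgp-peer{t['number']} --interface-name {iface} "
        f"--peer-ip-address {t['vgw_inside']} --peer-asn {t['vgw_asn']} --region {region}",
    ]
```

Running `parse_aws_generic_config` on a real downloaded file and `check_tunnel` on each result catches a mistyped inside address or a Cloud Router created with the wrong ASN before any tunnel is built.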
Testing the Site-to-Site VPN
Verify Connectivity
To verify that Cloud Router has successfully initiated BGP peering with AWS, check the Cloud Router status in the Developer Console:
To verify that the IPsec tunnel has been successfully initiated, check the VPN status in the Developer Console:
On the AWS side, verify that the configured Tunnel is up. Note that the unconfigured tunnel will remain Down. This is expected:
Test the Tunnel
With the site-to-site VPN online, the tunnel is now ready for testing. To test, create virtual machines in both AWS EC2 and Google Compute Engine. Instructions for creating EC2 virtual machines can be found here. To learn how to create virtual machines in Google Compute Engine, visit the Getting Started Guide. Once virtual machines have been deployed on both platforms, an ICMP echo test can ensure network connectivity. Note that on AWS, Security Groups provide firewall capabilities for EC2 instances. The default security group for a new instance does not allow ICMP. A security group rule for ICMP must be added in order for this test to work. A demonstration of a functional tunnel is below. EC2 virtual machine pinging the virtual machine in GCE:
GCE virtual machine pinging the virtual machine in EC2: