Sunday, August 16, 2020

Connect AWS VPC and Azure VNET using native Site to Site VPN without 3rd party Network Appliances

If you manage a multi-cloud environment with workloads on both Amazon Web Services (AWS) and Microsoft Azure, you probably know that it used to be impossible to connect an AWS VPC to an Azure VNet with the native Site-to-Site (IPsec) VPN services: you needed a third-party network appliance on either the AWS or the Azure side.


In 2019 AWS added IKEv2 (Internet Key Exchange version 2) support to Site-to-Site VPN connections. Azure route-based VPN gateways only speak IKEv2, so this is what made it possible to connect an AWS VPC and an Azure VNet directly, using only the native gateway services and connection objects of both clouds.


With the prerequisites in place, the whole process takes three steps and less than an hour, and the result is a reliable, well-performing Site-to-Site (IPsec) VPN between the two clouds.

For simplicity I am using the AWS default VPC in N. Virginia (us-east-1) and a VNet in the Azure Southeast Asia region. I have also set up a GatewaySubnet in the VNet to host the Virtual Network Gateway. Whatever ranges you use, the VPC CIDR and the VNet address space must not overlap, otherwise traffic cannot be routed across the tunnel.

Let's quickly go through the prerequisites and then the steps.


Azure
1. A Virtual Network (VNet) in Azure
2. A GatewaySubnet in the VNet
3. A Virtual Network Gateway in Azure (VPN type: route-based, because IKEv2 is required)

AWS
1. A VPC in AWS
2. A Virtual Private Gateway attached to the VPC

Below is the sequence of steps to follow to set up the connectivity between AWS and Azure.

Step-1 (Azure) 

1. Create the Virtual Network Gateway; this can take 45 to 60 minutes.

2. Note the public IP address assigned to the Virtual Network Gateway.


Step-2 (AWS) 

1. Create a Customer Gateway with the public IP address of the Azure Virtual Network Gateway from Step-1 (no BGP is needed for this setup).

2. Create a VPN Connection that uses the Virtual Private Gateway and this Customer Gateway. Choose static routing and add the Azure VNet address space as a static prefix; also make sure the VPC route table has a route for that prefix pointing to the Virtual Private Gateway (or enable route propagation).

3. Download the VPN connection configuration file (vendor: Generic).

4. From the file, note the public (outside) IP address of the AWS tunnel endpoint. The file describes two tunnels; the Azure side will use one of them.

5. Note the pre-shared key for that tunnel from the same file. The key is the only thing authenticating the two gateways to each other, so handle the file as a secret and do not leave it in a shared download folder or a ticket.


Step-3 (Azure) 

1. Create a Local Network Gateway with the AWS tunnel public IP address from the configuration file (Step-2) and the VPC CIDR as its address space.

2. Add a Connection (Site-to-site, IPsec) on the Virtual Network Gateway to this Local Network Gateway, using the pre-shared key from the AWS configuration file.

Wait a few minutes; the connection status in Azure should show Connected and the tunnel status in AWS should show UP, and resources in the VPC and the VNet can talk to each other over the IPsec tunnel. Security groups on the AWS side and NSGs on the Azure side still apply, so open only the ports you actually need. Note also that the AWS configuration file lists the minimum proposals AWS accepts (AES-128, SHA-1, DH group 2); if you want to rule out the weaker proposals, restrict the tunnel options on the AWS VPN connection and set a matching custom IPsec/IKE policy on the Azure connection.
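The values that Step-3 needs (the AWS tunnel public IP for the Local Network Gateway and the pre-shared key for the Connection) are buried in the downloaded configuration file. The script below is an added example, not code from the original post or from AWS or Azure: it extracts those values from the Generic configuration, checks that the two address spaces do not overlap, and flags the weak phase-1 settings listed in the file. The sample text is constructed to mimic the layout of the AWS Generic configuration (all identifiers, addresses and keys are placeholders), and the list of settings treated as weak is my own assumption, not a requirement of either cloud.

```python
"""Extract the Step-3 inputs from an AWS Site-to-Site VPN 'Generic' configuration file.

Added example, not from the original post. The sample text below is constructed to
mimic the layout of the vendor-neutral configuration AWS lets you download for a VPN
connection; field names follow that layout but every value is a placeholder.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: two tunnels, laid out the way the AWS Generic config does it.
SAMPLE_CONFIG = """\
! Amazon Web Services
! Virtual Private Cloud
!
! Your VPN Connection ID                  : vpn-0123456789abcdef0
! Your Virtual Private Gateway ID         : vgw-0123456789abcdef0
! Your Customer Gateway ID                : cgw-0123456789abcdef0
!
! --------------------------------------------------------------------------------
! IPSec Tunnel #1
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange Configuration
!   - Authentication Method    : Pre-Shared Key
!   - Pre-Shared Key           : PLACEHOLDER_KEY_TUNNEL_1_abc123
!   - Authentication Algorithm : sha1
!   - Encryption Algorithm     : aes-128-cbc
!   - Lifetime                 : 28800 seconds
!   - Diffie-Hellman           : Group 2
!
! #3: Tunnel Interface Configuration
! Outside IP Addresses:
!   - Customer Gateway         : 203.0.113.10
!   - Virtual Private Gateway  : 198.51.100.20
!
! --------------------------------------------------------------------------------
! IPSec Tunnel #2
! --------------------------------------------------------------------------------
! #1: Internet Key Exchange Configuration
!   - Authentication Method    : Pre-Shared Key
!   - Pre-Shared Key           : PLACEHOLDER_KEY_TUNNEL_2_def456
!   - Authentication Algorithm : sha1
!   - Encryption Algorithm     : aes-128-cbc
!   - Diffie-Hellman           : Group 2
!
! #3: Tunnel Interface Configuration
! Outside IP Addresses:
!   - Customer Gateway         : 203.0.113.10
!   - Virtual Private Gateway  : 198.51.100.21
"""

# Hypothetical hardening policy (my assumption, not an AWS or Azure rule): flag SHA-1
# integrity and DH group 2 (1024-bit MODP) if the file lists them for phase 1.
WEAK_SETTINGS = {"Authentication Algorithm": {"sha1"}, "Diffie-Hellman": {"Group 2"}}


@dataclass
class Tunnel:
    number: int
    vgw_public_ip: str  # goes into the Azure Local Network Gateway "IP address"
    psk: str            # goes into the Azure Connection "Shared key (PSK)"
    weak: list          # phase-1 fields that match WEAK_SETTINGS


def parse_generic_config(text: str) -> list:
    """Split the file on the 'IPSec Tunnel #N' title lines and pull the per-tunnel fields."""
    tunnels = []
    parts = re.split(r"^! IPSec Tunnel #(\d+)\s*$", text, flags=re.M)
    # parts = [preamble, "1", body_1, "2", body_2, ...]
    for num, body in zip(parts[1::2], parts[2::2]):
        psk = re.search(r"Pre-Shared Key\s*:\s*(\S+)", body)
        # The outside address of the AWS side is the one listed under "Outside IP Addresses".
        outside = re.search(r"Outside IP Addresses:.*?Virtual Private Gateway\s*:\s*(\S+)",
                            body, flags=re.S)
        if not (psk and outside):
            raise ValueError(f"tunnel {num}: pre-shared key or outside IP not found")
        ipaddress.ip_address(outside.group(1))  # raises ValueError on a malformed address
        weak = []
        for field, bad_values in WEAK_SETTINGS.items():
            # First occurrence is the IKE (phase-1) block, which precedes the IPsec block.
            m = re.search(rf"{re.escape(field)}\s*:\s*(.+?)\s*$", body, flags=re.M)
            if m and m.group(1) in bad_values:
                weak.append(f"{field}={m.group(1)}")
        tunnels.append(Tunnel(int(num), outside.group(1), psk.group(1), weak))
    return tunnels


def address_spaces_disjoint(vpc_cidr: str, vnet_cidr: str) -> bool:
    """Static routing between the clouds only works if the two address spaces do not overlap."""
    return not ipaddress.ip_network(vpc_cidr).overlaps(ipaddress.ip_network(vnet_cidr))


def step3_inputs(text: str, vpc_cidr: str, vnet_cidr: str, tunnel_number: int = 1) -> dict:
    """Return what to enter in Azure: Local Network Gateway IP and address space, and the PSK."""
    if not address_spaces_disjoint(vpc_cidr, vnet_cidr):
        raise ValueError(f"{vpc_cidr} overlaps {vnet_cidr}; pick non-overlapping ranges first")
    tunnel = {t.number: t for t in parse_generic_config(text)}[tunnel_number]
    if len(tunnel.psk) < 8:
        raise ValueError("pre-shared key is shorter than 8 characters")
    return {
        "local_network_gateway_ip": tunnel.vgw_public_ip,
        "local_network_gateway_address_space": str(ipaddress.ip_network(vpc_cidr)),
        "shared_key": tunnel.psk,
        "weak_phase1_settings": tunnel.weak,
    }


if __name__ == "__main__":
    # 172.31.0.0/16 is the AWS default VPC range; the VNet range is an example value.
    for key, value in step3_inputs(SAMPLE_CONFIG, "172.31.0.0/16", "10.1.0.0/16").items():
        print(f"{key}: {value}")
```

Run it against the real file you downloaded in Step-2 instead of the sample, and copy the three values into the Azure Local Network Gateway and Connection forms. If the weak-settings list is non-empty, that is the cue to restrict the tunnel options on the AWS side and set a custom IPsec/IKE policy on the Azure connection before you rely on the tunnel.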

Below are the screenshots from my setup for quick reference.


Create Virtual Network Gateway in Azure (Step-1)

Create Customer Gateway in AWS (Step-2)

Create VPN Connection in AWS (Step-2)

Create Local Network Gateway in Azure (Step-3)

Add Connection in Azure (Step-3)

Connection Status in Azure

VPN Connection Status in AWS