
Azure VM to AWS Transit Gateway Connectivity


Question:

I have an AWS VPC with a Transit Gateway set up, and I would like to establish private connectivity between an EC2 instance in AWS and a virtual machine in Azure.

Is it possible to configure cross-cloud connectivity between an Azure Virtual Network and an existing AWS Transit Gateway?


Solution

  • As far as I know, this can be achieved by establishing a connection between the Azure VNet and the AWS Transit Gateway using VPN (Virtual Private Network) connectivity!

    You should follow these steps:

    1. Create a Virtual Network Gateway in Azure: In the Azure portal, create a Virtual Network Gateway and specify the Azure VNet to which it should be connected. Configure the necessary settings, such as VPN type (Policy-based or Route-based) and routing.

    2. Obtain Azure Gateway Public IP: Once the Virtual Network Gateway is created, note down the public IP address assigned to it. This IP will be used when configuring the AWS Transit Gateway.

    3. Configure VPN in AWS Transit Gateway: In the AWS console, navigate to the Transit Gateway service and configure a VPN attachment. Specify the necessary details, including the Azure Gateway IP address, routing, and authentication settings.

    4. Configure Routing: Update the route tables in both the AWS Transit Gateway and the Azure VNet to ensure the correct routing between the networks. Add the necessary routes to direct traffic to the appropriate VPN connection.

    5. Configure IPSec/IKE Parameters: Configure the IPSec/IKE parameters on both the Azure and AWS sides to ensure compatible encryption and authentication settings for the VPN connection.

    6. Establish the VPN Connection: Initiate the connection establishment process on both the Azure and AWS sides. This involves configuring the shared secret (pre-shared key) and verifying the connection status.

    7. Test Connectivity: Once the VPN connection is established, you can test the connectivity between the EC2 instance in AWS and the Azure virtual machine by attempting to communicate over their private IP addresses.

    Something to keep in mind if you have VPN tunnels going to AWS: you are limited to 1.25 Gbps IPsec throughput. The VGW enforces the 1.25 Gbps "bottleneck" only when it serves as an endpoint of an IPsec tunnel (take a look here).
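The procedure above as one Terraform configuration, an added example that is not the answerer's nor either vendor's code. It assumes the route-based Azure gateway from steps 1 and 2 already exists and that its id and public IP are passed in as variables; the resource group, region, CIDRs, names and the PSK variable are placeholders. Only AWS tunnel 1 is wired up; Azure learns the VPC prefix from the local network gateway's address_space, while the VPC route table still needs a route for the VNet CIDR pointing at the Transit Gateway.

```hcl
variable "psk"       { sensitive = true }   # pre-shared key, supplied out of band (never commit it)
variable "tgw_id"    {}                     # existing Transit Gateway (placeholder input)
variable "tgw_rt_id" {}                     # its route table
variable "vng_id"    {}                     # existing route-based Azure VPN gateway (steps 1-2)
variable "vng_ip"    {}                     # its public IP noted in step 2
# Step 3: the Azure gateway IP becomes the AWS customer gateway; the VPN attaches to the TGW
resource "aws_customer_gateway" "azure" {
  bgp_asn    = 65000
  ip_address = var.vng_ip
  type       = "ipsec.1"
}
resource "aws_vpn_connection" "azure" {
  customer_gateway_id   = aws_customer_gateway.azure.id
  transit_gateway_id    = var.tgw_id
  type                  = "ipsec.1"
  static_routes_only    = true
  tunnel1_preshared_key = var.psk
  # Step 5: pin one proposal both sides accept (IKEv2, AES-256, SHA-256, DH group 14)
  tunnel1_ike_versions                 = ["ikev2"]
  tunnel1_phase1_encryption_algorithms = ["AES256"]
  tunnel1_phase1_integrity_algorithms  = ["SHA2-256"]
  tunnel1_phase1_dh_group_numbers      = [14]
  tunnel1_phase2_encryption_algorithms = ["AES256"]
  tunnel1_phase2_integrity_algorithms  = ["SHA2-256"]
  tunnel1_phase2_dh_group_numbers      = [14]
}
# Step 4: static TGW route for the VNet CIDR via the VPN attachment
resource "aws_ec2_transit_gateway_route" "to_vnet" {
  destination_cidr_block         = "10.1.0.0/16"
  transit_gateway_route_table_id = var.tgw_rt_id
  transit_gateway_attachment_id  = aws_vpn_connection.azure.transit_gateway_attachment_id
}
# Step 6: the AWS tunnel 1 outside IP is Azure's "local network gateway"; same PSK on both ends
resource "azurerm_local_network_gateway" "aws" {
  name                = "lng-aws-tunnel1"
  resource_group_name = "rg-xcloud"
  location            = "eastus"
  gateway_address     = aws_vpn_connection.azure.tunnel1_address
  address_space       = ["10.0.0.0/16"]   # VPC CIDR reachable through the tunnel
}
resource "azurerm_virtual_network_gateway_connection" "aws" {
  name                       = "cx-aws-tunnel1"
  resource_group_name        = "rg-xcloud"
  location                   = "eastus"
  type                       = "IPsec"
  virtual_network_gateway_id = var.vng_id
  local_network_gateway_id   = azurerm_local_network_gateway.aws.id
  shared_key                 = var.psk
}
```

For step 7, check `aws ec2 describe-vpn-connections` (VgwTelemetry status UP) and the Azure connection's status before testing over private IPs; a second local network gateway and connection using `tunnel2_address` adds the redundant tunnel.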