An efficient way to use dynamic BGP to create a VPN tunnel between AWS and Oracle Cloud Infrastructure

Content level: Advanced

Abstract: This article offers insights into efficiently leveraging dynamic BGP (Border Gateway Protocol) to establish a VPN tunnel between AWS and Oracle Cloud Infrastructure. It explores practical strategies, configuration tips, and considerations for optimizing network connectivity in multi-cloud environments, enhancing agility and performance.

The article covers the Site-to-Site VPN tunnel configuration between AWS and Oracle Cloud Infrastructure (OCI), using the dynamic BGP routing protocol. It will be helpful to engineers and organizations who are looking to adopt a multi-cloud architecture for a high-availability setup.

Prerequisites:

- Configure a Virtual Cloud Network (VCN), its subnets and its security lists/rules on the Oracle Cloud Infrastructure side.

- Configure a Virtual Private Cloud (VPC), its subnets and routing on the AWS side.

Architecture

                    
[Architecture diagram: OCI_Architecture]

Configuration on AWS side:

1. First, create the Site-to-Site VPN connection on the AWS side, because only AWS allows you to change the Customer Gateway later using the console.

Note: You first need to create a “dummy” Customer Gateway, as you do not know the IP address of the OCI VPN gateway yet. You can specify pretty much anything you want, as you will later create a new Customer Gateway with the correct CGW IP and ASN.

2. Create a Virtual Private Gateway in the AWS VPC console and attach it to your VPC.

3. Create a Site-to-Site VPN connection in the AWS console by specifying the Customer Gateway (created in step 1) and the Virtual Private Gateway (created in step 2). Make sure the Routing Options are set to Dynamic (requires BGP). Enabling advanced encryption algorithms under "Advanced Options for Tunnel 1" is optional; you can leave the defaults, as I did.

Important Note: Check that the pre-shared key contains ONLY letters and numbers. OCI does not support "." and "_" (AWS does, but AWS does not support spaces). You can also specify your own pre-shared keys, so you can make sure they contain only letters and numbers.

4. While the VPN is being set up (this takes a few minutes), you can download the configuration. You will need the information from that configuration file to set up the VPN tunnels on the OCI side.

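The pre-shared key constraint from the note in step 3, as an added example (not part of the original article): a generator and checker for keys that both sides accept. The letters-and-digits rule for OCI comes from that note; the 8 to 64 character length and the no-leading-zero rule are AWS's documented limits for tunnel pre-shared keys, and the function names are made up for this example.

```python
import re
import secrets
import string

ALNUM = string.ascii_letters + string.digits
# AWS: letters, digits, "." and "_", 8-64 characters, must not start with "0".
AWS_PSK = re.compile(r"[A-Za-z1-9._][A-Za-z0-9._]{7,63}")


def check_psk(psk: str) -> list[str]:
    """Return the reasons a key would be rejected; an empty list means both sides accept it."""
    problems = []
    if not AWS_PSK.fullmatch(psk):
        problems.append("AWS: needs 8-64 chars from letters, digits, '.', '_' and no leading 0")
    # OCI, per the note in step 3, accepts letters and digits only.
    bad = sorted(set(re.sub(r"[A-Za-z0-9]", "", psk)))
    if bad:
        problems.append("OCI: unsupported characters " + repr("".join(bad)))
    return problems


def generate_psk(length: int = 48) -> str:
    """Random letters-and-digits key from the OS CSPRNG, valid for AWS and OCI."""
    if not 8 <= length <= 64:
        raise ValueError("AWS pre-shared keys are 8 to 64 characters long")
    first = secrets.choice(string.ascii_letters)  # guarantees no leading "0"
    return first + "".join(secrets.choice(ALNUM) for _ in range(length - 1))


if __name__ == "__main__":
    # Constructed sample: accepted by AWS, rejected by OCI because of "." and "_".
    print(check_psk("Abc.def_1234"))
    print(check_psk(generate_psk()))
```

Generating the key yourself and entering it on both sides avoids recreating the tunnel when an AWS-generated key turns out to contain "." or "_".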

Configuration on OCI side:

5. The first thing you need to create in OCI is a “Customer-Premises Equipment” (CPE) object. It is the equivalent of the CGW on the AWS side.

6. Create a "Dynamic Routing Gateway" (DRG). It is the equivalent of the VGW on the AWS side.

7. After creating the DRG, make sure you attach it to your VCN.

8. Now you can create a new Site-to-Site VPN connection by specifying the Customer-Premises Equipment (created in step 5) and Dynamic Routing Gateway (Created in step 6).

IMPORTANT: Before you click on “Create IPSec Connection”, click on “Show Advanced Options”!
You need to configure the Tunnel 1 and Tunnel 2 settings by entering the pre-shared key and BGP details from the configuration file downloaded from the AWS VPN console.

Note: For tunnel 2, you can just provide “dummy” information, because configuring the secondary tunnel is not possible with OCI. Do make sure you set the routing type to BGP.

9. Once the VPN is created on the OCI side, you will see the public IP address for “AWS-Tunnel1”, in my case 129.123.7.54. With this, you now need to go back to AWS and create a new Customer Gateway.
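The field mapping for step 8, as an added example that is not from the original article: it reads the XML form of the AWS tunnel configuration (assumed here to be what `aws ec2 describe-vpn-connections` returns in `CustomerGatewayConfiguration`) and produces the values OCI's tunnel options ask for. The sample XML is constructed and trimmed to the elements used, and the output key names are illustrative, not OCI field identifiers.

```python
import xml.etree.ElementTree as ET

# Constructed sample: documentation and link-local addresses, fake key.
SAMPLE_XML = """
<vpn_connection id="vpn-EXAMPLE">
  <ipsec_tunnel>
    <customer_gateway>
      <tunnel_inside_address><ip_address>169.254.10.2</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
    </customer_gateway>
    <vpn_gateway>
      <tunnel_outside_address><ip_address>203.0.113.10</ip_address></tunnel_outside_address>
      <tunnel_inside_address><ip_address>169.254.10.1</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
      <bgp><asn>64512</asn></bgp>
    </vpn_gateway>
    <ike><pre_shared_key>ExampleKey123456</pre_shared_key></ike>
  </ipsec_tunnel>
</vpn_connection>
"""


def inside_cidr(side):
    """Inside tunnel address of one endpoint, in the a.b.c.d/nn form."""
    addr = side.find("tunnel_inside_address")
    return f"{addr.findtext('ip_address')}/{addr.findtext('network_cidr')}"


def oci_tunnel_settings(xml_text):
    """Map each AWS tunnel to the values entered on the OCI side.

    From OCI's point of view the roles are swapped: AWS's "vpn_gateway" is
    OCI's CPE, and AWS's "customer_gateway" is the Oracle end of the tunnel.
    """
    tunnels = []
    for t in ET.fromstring(xml_text).iter("ipsec_tunnel"):
        aws, oracle = t.find("vpn_gateway"), t.find("customer_gateway")
        tunnels.append({
            "cpe_public_ip": aws.findtext("tunnel_outside_address/ip_address"),
            "shared_secret": t.findtext("ike/pre_shared_key"),
            "routing": "BGP",
            "bgp_asn": int(aws.findtext("bgp/asn")),   # ASN of the AWS side
            "inside_ip_cpe": inside_cidr(aws),         # AWS end of the /30
            "inside_ip_oracle": inside_cidr(oracle),   # Oracle end of the /30
        })
    return tunnels


if __name__ == "__main__":
    for number, tunnel in enumerate(oci_tunnel_settings(SAMPLE_XML), start=1):
        print(number, {k: v for k, v in tunnel.items() if k != "shared_secret"})
```

The returned dictionaries contain the pre-shared key, so keep them out of logs, tickets and shell history.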

Return to the AWS console and replace the dummy Customer Gateway:

10. In AWS, go to Customer Gateways and click on “Create Customer Gateway”.

Note: For this gateway, use the IP address (129.123.7.54) of the Oracle VPN (not the dummy tunnel) and set the BGP ASN to Oracle's ASN, 31898 (the default BGP ASN of the DRG).

11. Once the new Customer Gateway is created, go to the Site-to-Site VPN connection and click on “Actions > Modify VPN Connection”. Change the target type to Customer Gateway, and select the newly created (correct) Customer Gateway, the one that uses the actual OCI VPN IP.

Note: AWS will update (modify) the VPN connection; this again takes a few minutes.

12. You are almost there! After AWS is done modifying the VPN connection, you should see on both sides that the tunnel is up.

[Screenshot: AWS side, Tunnel 1 and BGP UP]

[Screenshot: OCI side, Tunnel 1 UP]

Bi-directional Connectivity test:

13. Your VPN tunnel between OCI and AWS is now up and you have the correct routing, but by default neither cloud allows any traffic to flow.

  • In OCI make sure you configure the Security List or Network Security Group to allow the traffic you want to allow to flow between OCI and AWS.
  • In AWS configure the Network ACLs and Security Groups to allow the traffic you want to allow to flow between OCI and AWS.

[Screenshot: ping test from AWS to OCI]

[Screenshot: ping test from OCI to AWS]

Configure a redundant VPN connection between AWS and OCI:

As both the AWS and OCI VPN services can only be configured with one on-premises IP address (CGW IP), we need to repeat all the steps to create a second VPN connection, again with one active tunnel and one dummy tunnel. Then, if one of the tunnels goes down, BGP routing will automatically route through the other tunnel.

AWS EXPERT
published 6 months ago