I want to configure an AWS Site-to-Site VPN tunnel between AWS and Google Cloud Platform using a dynamic BGP routing protocol.
Resolution
To configure a Site-to-Site VPN tunnel between AWS and the Google Cloud Platform, do the following:
- On the Google Cloud Platform side, configure the virtual private cloud (VPC) network and its firewall rules.
- On the AWS side, configure the Amazon Virtual Private Cloud (Amazon VPC), subnets, and routing.
Google Cloud Platform configuration
- Open the Google Cloud Platform console.
- Navigate to Hybrid connectivity, choose Cloud router, and then choose Create a cloud router.
- Enter the details for your cloud router.
- Under Network, add the Google Cloud Platform VPC.
- For the Google ASN, enter the details of your private Autonomous System Number (ASN).
- For Routes, choose Advertise all subnets visible to the cloud router. This is the default setting. Then choose Create.
- In the navigation pane, choose Hybrid connectivity again, and then choose High-Availability VPN Gateway.
- On the Create Cloud HA VPN Gateway page, enter your details, and then create the VPN gateway.
- After you've created the high availability VPN gateway, the Google Cloud Platform console provides two interface IP addresses. You can use these IP addresses as customer gateway IP addresses on the AWS side. To access the IP addresses, navigate to Hybrid connectivity, and then choose VPN. The IP addresses are listed under interfaces. Note these IP addresses to use when configuring settings on the AWS side. If you're configuring a single VPN connection on the AWS side, then you need only one of these IP addresses.
AWS configuration
- Open the Amazon VPC console and create a customer gateway.
- On the Create a customer gateway page, for IP address, enter the interface IP address that you previously noted from the Google Cloud Platform console.
- Create a virtual private gateway using the Amazon default ASN.
- Create a Site-to-Site VPN connection. For Virtual private gateway, enter the name of the virtual private gateway that you created in the previous step. For Customer gateway ID, enter the ID of the customer gateway that you created in step 1.
- In the Tunnel Options section, choose Use Default Options. For IKE version, make sure that ikev1 is turned off.
- Download the generic Site-to-Site VPN configuration file from the console.
Configure the VPN gateway using the downloaded configuration file
Use the configuration file that you downloaded to enter the following details in the Google Cloud Platform console:
- Open the Google Cloud Platform console.
- Configure a VPN connection by creating a peer VPN gateway. To do this, choose Hybrid Connectivity on the navigation pane, and then choose Create a VPN.
- For peer VPN gateway, choose On-prem or Non Google Cloud. For Peer VPN gateway name, enter the name of your peer, and for Interfaces choose one interface.
- For Interface 0 IP address, enter the Tunnel-A outside IP from the configuration file.
- Under Routing options, for Associated Cloud VPN gateway interface, enter the IP address of the customer gateway that you created.
- For Associated peer VPN gateway interface, enter the Tunnel-A outside IP, and then for Name, enter the VPN interface name.
- For IKE version, choose IKEv2, and then for IKE pre-shared key, enter the pre-shared key from the configuration file.
- Choose Create.
Configure BGP and confirm that tunnel status is UP
- Open the Google Cloud Platform console.
- Configure BGP by creating a BGP session. To do this, choose Hybrid Connectivity on the navigation pane, and then choose VPN. This lists all available VPN connections.
- Choose the VPN connection that you created previously, and then choose BGP Session to configure the connection.
- For peer ASN, enter the AWS VGW default ASN (64512) from the downloaded configuration file. For BGP Peer IP, enter the VGW inside IP, and for Cloud Router BGP IP, enter the CGW inside IP from the downloaded configuration file.
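Before you type the BGP session values into the Google Cloud console, it helps to sanity-check what you are about to enter. The following is an added example, not part of the original article or of any AWS or Google tooling; it derives the VGW and CGW inside IPs from a tunnel's inside /30 (AWS assigns the first usable address to the virtual private gateway and the second to the customer gateway) and flags the mismatches that most often leave a tunnel or BGP session down: a non-private Google ASN, the same ASN on both sides, IKEv1 left enabled, or a pre-shared key outside the AWS-documented format. The sample values in `check_plan` are constructed.

```python
import ipaddress
import re

AWS_VGW_DEFAULT_ASN = 64512  # Amazon default ASN referenced in the article
INSIDE_RANGE = ipaddress.ip_network("169.254.0.0/16")  # AWS tunnel inside range


def is_private_asn(asn: int) -> bool:
    """16-bit (64512-65534) or 32-bit (4200000000-4294967294) private ASN."""
    return 64512 <= asn <= 65534 or 4200000000 <= asn <= 4294967294


def tunnel_inside_ips(inside_cidr: str) -> tuple[str, str]:
    """Return (VGW inside IP, CGW inside IP) for a tunnel inside /30.

    On the Google side these become 'BGP Peer IP' and 'Cloud Router BGP IP'.
    """
    net = ipaddress.ip_network(inside_cidr, strict=True)
    if net.prefixlen != 30 or not net.subnet_of(INSIDE_RANGE):
        raise ValueError(f"inside CIDR must be a /30 within {INSIDE_RANGE}: {inside_cidr}")
    first, second = list(net.hosts())  # /30 has exactly two usable addresses
    return str(first), str(second)


def check_plan(google_asn: int, aws_asn: int, inside_cidr: str,
               ike_versions: set[str], psk: str) -> list[str]:
    """Collect configuration problems; an empty list means the plan looks sane."""
    problems = []
    if not is_private_asn(google_asn):
        problems.append(f"Google ASN {google_asn} is not in a private ASN range")
    if google_asn == aws_asn:
        problems.append("Google ASN equals AWS ASN; eBGP needs distinct ASNs")
    if "ikev1" in ike_versions:
        problems.append("IKEv1 is still enabled; the article requires it turned off")
    if "ikev2" not in ike_versions:
        problems.append("IKEv2 is not enabled; the Google side is configured for IKEv2")
    # AWS pre-shared key rules: 8-64 chars of [A-Za-z0-9._], must not start with 0
    if not re.fullmatch(r"[A-Za-z0-9._]{8,64}", psk) or psk.startswith("0"):
        problems.append("pre-shared key violates AWS format rules")
    try:
        tunnel_inside_ips(inside_cidr)
    except ValueError as exc:
        problems.append(str(exc))
    return problems


if __name__ == "__main__":
    # Constructed values: Google ASN 65000, AWS default ASN, Tunnel-A inside CIDR
    print(tunnel_inside_ips("169.254.10.0/30"))
    print(check_plan(65000, AWS_VGW_DEFAULT_ASN, "169.254.10.0/30", {"ikev2"}, "constructed_psk_123"))
```

Run it with the inside CIDR and pre-shared key copied from the downloaded configuration file; a non-empty list names the field to revisit before you click Create on the BGP session.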