Site-to-Site VPN General Question


Hi,

I have a site-to-site VPN setup from a network in Azure to AWS.

For some reason, and I'm not entirely sure why, it doesn't let me communicate end-to-end if the settings below, configured on the Site-to-Site VPN connection, are set to anything but:

Local IPv4 network CIDR: 0.0.0.0/0

Remote IPv4 network CIDR 0.0.0.0/0

Perhaps it's my misunderstanding, but surely you should set this to the specific networks on each side. For example, using just generic 10.x network IPs for argument's sake:

Local IPV4 network CIDR:

10.20.1.0/24 - Let's assume this is the subnet configured on AWS

Remote IPV4 network CIDR:

10.230.1.0/24 - Let's assume this is the subnet configured in the vnet on Azure side.

Surely this would allow traffic from 10.20.1.2/32 (let's say this is an EC2 instance) to communicate end to end with a Windows server at the other end with IP:

10.230.1.5/32

Am I misunderstanding this, or is there something I've missed? Happy to discuss with anyone. I don't see it as an issue, but it's bugging me that it doesn't work the way I expect it to. I'd rather have everything as restricted as possible rather than 0.0.0.0/0, but then again I suppose it is traversing an IPsec tunnel, so it's not the end of the world.

Thanks in advance for any help,

Zack

1 Answer
1

Hey Zack,

While it sounds logical, and it confused me at first when I was setting it up ages ago, you need to swap the Remote and Local IPs around. The Remote IP is the address space Azure can access in the current AWS networks. The Local IP is what AWS can connect to in Azure.

So Remote IP = the remote network can connect to this IP range in AWS (AWS-side CIDR range).

Local IP = the local network can connect to these network ranges in Azure (customer gateway CIDR range).

answered 2 months ago
reviewed 2 months ago
  • Hi Gary, thanks for your prompt reply. Yeah I can see that now, I'll wait until out of hours later and configure it and test it and see if it works, thanks again.

  • Cheers Zack, look forward to the update.

  • How did you get on Zack?
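The following is an added illustration, not code from this thread or from AWS. It models the CIDR semantics the answer describes (Local IPv4 network CIDR = customer gateway side, Remote IPv4 network CIDR = AWS side) and checks the asker's EC2-to-Windows flow against the original, swapped and catch-all settings; the address values are the constructed ones from the question.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class VpnConnection:
    """The two CIDR fields on an AWS Site-to-Site VPN connection.

    Assumed meaning (as in the answer above and the AWS documentation):
    the Local CIDR is the customer-gateway side (the Azure VNet here) and the
    Remote CIDR is the AWS side (the VPC behind the virtual private gateway).
    """
    local_ipv4_network_cidr: str
    remote_ipv4_network_cidr: str


def diagnose(conn: VpnConnection, aws_host: str, customer_host: str) -> list:
    """Explain why an AWS <-> customer-side flow falls outside the tunnel's
    negotiated selectors. An empty list means both ends are inside the CIDRs."""
    problems = []
    if ip_address(aws_host) not in ip_network(conn.remote_ipv4_network_cidr):
        problems.append(f"AWS host {aws_host} is outside Remote CIDR "
                        f"{conn.remote_ipv4_network_cidr}")
    if ip_address(customer_host) not in ip_network(conn.local_ipv4_network_cidr):
        problems.append(f"customer host {customer_host} is outside Local CIDR "
                        f"{conn.local_ipv4_network_cidr}")
    return problems


def flow_allowed(conn: VpnConnection, aws_host: str, customer_host: str) -> bool:
    """True when the flow fits the selectors in either direction."""
    return not diagnose(conn, aws_host, customer_host)


# Constructed values taken from the question.
AWS_SUBNET = "10.20.1.0/24"      # EC2 subnet in AWS
AZURE_SUBNET = "10.230.1.0/24"   # Windows server subnet in the Azure VNet
EC2_HOST, WINDOWS_HOST = "10.20.1.2", "10.230.1.5"

# Local = AWS subnet, Remote = Azure subnet: the setting that did not work.
AS_ASKED = VpnConnection(AWS_SUBNET, AZURE_SUBNET)
# Local = Azure subnet, Remote = AWS subnet: the swap the answer recommends.
SWAPPED = VpnConnection(AZURE_SUBNET, AWS_SUBNET)
# 0.0.0.0/0 on both sides "works" only because it matches every address pair.
CATCH_ALL = VpnConnection("0.0.0.0/0", "0.0.0.0/0")

if __name__ == "__main__":
    for name, conn in (("as asked", AS_ASKED), ("swapped", SWAPPED), ("catch-all", CATCH_ALL)):
        print(name, flow_allowed(conn, EC2_HOST, WINDOWS_HOST), diagnose(conn, EC2_HOST, WINDOWS_HOST))
```

The catch-all case shows why 0.0.0.0/0 "fixes" it: it admits any address pair, so the restriction the asker wanted is lost rather than applied.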
