Build the Best MultiCloud VPN at Scale

what is going on everyone thanks for joining 
the azure academy today we are going to build   the best multi-cloud vpn between azure 
and aws and we're starting right now i'm Dean Cefola and this is the azure academy 
now we have covered a lot on vpns on this channel   already but this one is unique because we're going 
to connect azure with aws and that means that we   may have some people who are unfamiliar with 
either side of those two clouds so we're going   to show everything in detail today and if you look 
below the video in the description section you'll   find i've got a resources link that goes out to 
the azure documentation and that covers everything   step by step for your future reference and that 
documentation was written by a teammate of mine   Ricardo Martins and i've got his linkedin in the 
description below as well so be sure to follow him   and thank him for writing up this entire solution 
that we're gonna walk through today so why would   you want to have a multi-cloud vpn well you could 
use it for daily operations because you're just   in a multi-cloud setup in your company or maybe 
you want to migrate from one cloud to the other   so for that you'd need some kind of connectivity 
between them and that's where a vpn can come in   vpns are also great for encrypting 
traffic between two different locations   so no matter what your scenario we're gonna get 
it done for you today so why is this going to be   the very best vpn that you could build well you 
could have built a vpn on top of virtual machines   in either azure or aws for a few years now just 
build an ubuntu server and install something like   openvpn server and you've been good to go but the 
problem with a single vm like that just cannot   scale out or scale up they're not made that way 
but an appliance can and so today we're going to   be leveraging the azure virtual network gateway 
it is a managed scalable appliance which means   that with the click of a button you can 
double your amount of bandwidth throughput   and scale the system to accommodate whatever your 
needs are so you can make this a point-to-site vpn   and it supports a bunch of different 
clients from the azure native client   to openvpn as we've done videos on in the past or 
a site-to-site vpn like we're going to do today   to connect two different locations you could also 
connect your on-prem with the cloud in the same   way this same gateway appliance is also what 
azure express route could be built on top of   so we've got a lot of different options in this 
managed service and that means that we need to   fulfill some requirements one of being that we 
need a azure subscription and an aws account   as well as a virtual network and a vpc so that 
we have something to connect our vpns to and then   we'll need some vms for testing so let's go over 
to the azure portal and get started now as with   all of our videos you'll see down in the youtube 
timeline here that there are different chapter   sections so that you can jump around if you're 
already familiar with how to do this process   but if this is your very first time using azure 
you'll want to go to and then   click the try azure for free button over there and 
then you'll see up here you can start for free or   buy now so if you start for free basically you 
get 12 months of azure with 200 a month as azure   credits but of course if you already have an 
azure subscription then you can just go to and sign in so when you click 
start for free you'll be seeing this screen and   then you can sign in if you already have a login 
if not you can go right there to create one now   i'm going to skip through this part of the process 
and let you do that on your own if you need to   and i'll just sign in now in azure once you have 
signed in at the very top you'll want to search   for resource groups now if you already have your 
resource group that you want to use and you've   already got a pre-existing virtual network then 
you can skip ahead to the next chapter everything   in azure needs to be stored within a resource 
group which is basically a metadata container   so let's create for ourselves a new resource 
group and we'll just do that by clicking the new   plus there and then every resource group needs 
to be stored in a subscription so go ahead and   select your appropriate subscription and then your 
resource group needs a name we'll call this one   rg for resource group dash azure dash aws and 
then we'll store that in a particular region in   this case i'll choose east us because that's near 
where i am then go ahead and click next and this   is where we can add some tags this is additional 
metadata that we can add to our resource group   so that we can do other stuff with it later for 
example some automation tasks or where we can add   additional information like what application this 
is related to what our environment is who owns it   what the cost code is all that kind of good stuff 
when you've added all of your appropriate tags go   ahead and click the next review button then azure 
will validate that everything looks good and then   go ahead and click create now this should only 
take a couple seconds to build this resource group   and then we can build our first resource go ahead 
and click the go to resource button that shows up   and now we are inside our resource group so all 
of the resources we're going to build on the azure   side are going to live in this resource group 
and we're going to start with building a virtual   network so at the top go ahead and click add 
and then you'll type in virtual network into the   marketplace go ahead and select that and then hit 
create give your virtual network a name and choose   an appropriate region and generally you want 
to keep these resources as close to yourself as   possible so you have the best latency experience 
so i'll call my virtual network v-net dash azure   and i'll store that in the east us and click next 
for our ip addresses every virtual network has   boundaries and those are the ip address ranges 
that you select v-net can have multiple ip   address ranges in this case we just need one 
ip address range and i'll make that 172.10.0 now we need to add a new subnet into our 
address space so we have some room to work   go ahead and click to add a new subnet and then 
over here we need to give the subnet a name and a   ip address range this is how large your subnet is 
so this subnet range of course needs to be within   the address space of the entire virtual network so 
i'll just call this subnet dash 0 1 and i'll make   the ip address range and we don't 
need any of the services at this point so go ahead   and click add now let's hit next and this is the 
security section we don't need to add any of these   items right now but of course you can always go 
back and do that at a later time so let's click   next again add some appropriate tags for this 
network and then go ahead and click the review   and create button azure will once again validate 
that everything you've done looks good and go   ahead and create and that'll be done in just a 
moment and then click the go to resource button   and there is our virtual network so at the top you 
can see our ip address range that we selected and   go to subnets over there on the left and you can 
see your subnet range as well let's go back to our   resource group because now we're going to build 
our vpn gateway let's go ahead and click the add   button type in virtual network gateway select that 
and then hit the create button we'll call this one   vpn azure dash aws choose your appropriate region 
i'll choose east us and then there's that toggle   for either a vpn gateway or an express route 
gateway in this case we want vpn and then you   can choose which type of vpn you want policy or 
route based we're going to choose route base today   and then we have our skus this is the capacity 
and bandwidth that your vpn would have and when i   click the drop down for the skus you can see we've 
got numbers one through five and then again one   through five with an az the difference between 
the two is the first one through five have to   do with building inside one availability zone and 
the others are spread across multiple availability   zones that means you get a little more high 
availability in case something happened to   one of the zones in azure your vpn would still 
be able to be up so for the moment here i'm just   going to select vpn gateway 3 with an availability 
zone just because i'm going to show you this next   feature and that is the generation and the docs 
will go into this in more detail but generation   2 systems have more bandwidth throughput features 
etc than generation 1 features so if those are   important to you then you'll want to be sure to 
select something that's in generation 2.

Just   for today's example however i'm going to choose 
vpn gateway 1 which is restricted to generation 1   because i just don't need a lot of bandwidth for 
this example then the next drop down is for our   virtual network and you'll want to select the 
network that you just created and when you do   that it should automatically select the first 
ip address space and that would be that 172.10   space that we selected but notice it's got a slash 
24 not a slash 16. that's because azure is smart   enough to know that we created a subnet already at so it knows that that first slash 24   is available for us to build our gateway subnet 
which is a requirement for the gateway appliance   so it's already done that for us now the next 
thing is we need a public ip address and that's so   our vpn has something to talk to the world with if 
you have an existing public ip go ahead and select   that otherwise you can just type in the name of 
your new public ip and just to make sure i can   find it later and know that it's associated 
with this vpn i'll call it pip for public ip   address dash vpn azure dash aws and if we scroll 
down the next thing we have to choose is if we   want our vpn gateway to be active active or active 
passive now active active means that you can have   more simultaneous connections and by the way 
active active does not cost any more than   active passive it's simply your preference now 
in my case i don't need it to be active active   it's just my lab and this is just an example 
if you need more bandwidth reliability high   availability etc go ahead and select enabled for 
that but i'm going to leave mine disabled today   and then we have configuring bgp now bgp for those 
who don't know is the border gateway protocol   and this is something that gives us a lot more 
flexibility and intelligence for how things are   going to be routed and accepted or blocked on 
our network for today's example because we're   connecting azure to aws i'm not going to enable 
bgp but if you're creating a site-to-site vpn   for your on-prem network and your on-prem 
appliance supports bgp then you can go ahead   and enable that but i'm going to leave it disabled 
today and go ahead and click next and add my tags   and because these resources are all related to the 
same project i'm adding the same tags just to keep   everything uniform and then go ahead and hit next 
azure has once again validated that everything we   did was good and go ahead and hit create now the 
vpn gateway will take a little while to build   so while it's doing that let's jump over to aws 
and just like before if you already have an aws   account feel free to skip ahead in the chapters 
but for those of you who are new to aws you'll   want to go to and then over here in 
the top corner you want to select complete sign up   and then on the sign in screen go ahead and click 
over there where it says create a new aws account   and go ahead and fill out the form or if you have 
an existing account go ahead and click the sign in   now i'm not going to walk you through the rest 
of this sign in process just like before on   azure so let's log in to my aws account and get 
started and now that we're logged into the aws   management console we want to go to the search 
box at the very top and just type vpc and then   go ahead and click that first entry and now in 
the first box for vpcs we want to click on that   and then over here we want to click on 
create vpc and we need to give it a name   so i'll call it my vpc-01 and then we need 
an ip address range and i'll make this 10.10.

For our ipv6 block we'll just leave that set to 
no and our tenancy will be default and then you   can add some tags and when you're done with that 
go ahead and click create vpc and now we need to   create a subnet so over on the left go ahead and 
click subnets and then up top here click create   subnet and from the drop down over there go ahead 
and select the appropriate vpc should be the one   you just created and i'll call this my subnet 0 
1 and then for my availability zone i'll go ahead   and select us east 1a and then the cider range for 
our subnet will be slash 24 and then add   your tags and go ahead and click the create button 
now we're going to create a customer gateway this   is what's going to point to the public ip address 
of our vpn in azure so go ahead and scroll down   over on the left and there you'll find your 
virtual private network and in there choose   customer gateway then at the top go ahead and hit 
create so we need to give it a name so cg dash aws   dash azure and then for the ip address we have to 
go back to the azure portal real quick and grab   that public ip and back in the azure portal there 
is our public ip address we'll go ahead and click   that and then up top there is the public ip so 
we'll copy that and go back to aws and just paste   that in the ip address field and then go ahead and 
click create customer gateway once that's done you   can hit close and there is our gateway and now 
on the left just under that we want to select   our virtual private gateway this is what's going 
to complete that connection so click on create   virtual private gateway and then we need a name 
how about vpg dash aws dash azure then for our   asn we'll just leave it as amazon default and then 
hit create once that's done hit close and now we   need to attach our virtual private gateway to the 
vpc so go ahead and right click on it and select   attach to vpc in the drop down select the id of 
your vpc and click attach and now over on the left   we want to go to the site to site vpn connections 
and go ahead and click create vpn connection   we're almost there once again we need a name vpn 
aws azure and then for our gateway type choose   virtual private gateway under our virtual private 
gateway drop down menu go ahead and select the id   of the appropriate gateway the one we just created 
and then we want this to be an existing gateway   and again choose the right one from the drop down 
for your routing options we're going to choose   static and the static ip address range is going to 
be the range from azure so this is   the tunnel version will be for ipv4 and then at 
the bottom go ahead and hit create once that's   done at the top here you can click download 
configuration and for your vendor choose   generic platform should also be generic and then 
the software should be vendor agnostic and then   hit the download button and that configuration 
file is going to have the pre-shared key and   the public key for each of the two ipsec tunnels 
that aws just created now this file also contains   the virtual private gateway information but you 
can see that in the aws portal here in the site   to site vpn configuration go ahead and click over 
there on tunnel details and there you can see the   tunnel's public ip addresses as well as the status 
currently it's down so how can we fix that we need   to go back to azure and what we need to do is add 
a local network gateway now the purpose of that is   usually to see what your on-prem ip address range 
is but in this case it's going to be what our aws   ip address range is so the two networks 
can complete the connection so at the top   go ahead and click add and then in the search 
box type local network gateway select that from   the drop down and then go ahead and hit the create 
button and surprisingly enough we'll call this lng   dash azure aws our endpoint will be a ip address 
and then we need to know which ip we're going to   use so back to the aws management console and 
i'll just copy the ip address from the very   first tunnel and back to azure and then paste 
that in the ip address field and now we need an   ip address range this is going to be that cider 
block from our vpc so put in here   at the bottom make sure that your subscription 
and resource group are correct and for your region   this does need to be in the same region as the 
virtual network gateway and your virtual network   so that they can all communicate together and hit 
the create button and in just a minute you'll have   your local network gateway and now we need to 
finish the whole process with a vpn connection   so go ahead and click on the virtual network 
gateway and then way over there on the left   you've got connections and at the top click add 
and we'll call this connection dash azure dash aws   change your connection type from v-net to v-net 
and select site to site ipsec the virtual network   gateway has already been selected for us but go 
ahead and choose your local network gateway and   remember that's the lng dash azure dash aws and 
now we need the shared key from the first tunnel   and that's in the downloaded configuration file 
and the only other setting you need to verify for   sure is that ike v2 is selected and then go ahead 
and hit ok and that will establish your connection   and in just a few minutes of some handshaking 
you will see in your virtual network gateway   that you are now connected and we can go back to 
aws and verify this by looking at our site to site   connections tunnel details and you can see our 
first tunnel there is showing a status of up now   we need to add a route to send our traffic from 
aws to azure so if we scroll all the way up to the   top and then over there on the left you want to 
select your route tables right click on your route   and then go ahead and select edit routes now over 
there go ahead and click the add route button and   you want to type in that azure ip address range 
and then for your target go ahead and hit the drop   down and at the very bottom select the virtual 
private gateway and that'll list all of the vpgs   that you have and select the appropriate one in 
our case we just have one and to finish go ahead   and hit save routes now you do have a secondary 
tunnel that we do want to set up a connection for   as well and it'll be the same process as we just 
did so we'll go through this one a little faster   back in the azure portal go ahead and click 
add and type in that local network gateway   again and select it and then hit create we'll 
call this one lng dash asher aws dash standby   and for our ip address you guessed it back to 
aws and we'll scroll all the way down on the left   click on the site to cite vpn connections copy 
the ip address from our second tunnel and back to   azure paste that in the ip address field and then 
the address space will be our vpc's cider block   verify again that you have the right subscription 
resource group and region hit create okay almost   done let's go back to the virtual network gateway 
and on the left again choose your connections and   at the top hit add connection and our name is 
going to be connection dash azure dash aws dash   standby our connection type will be site-to-site 
ipsec again the virtual network gateway has   already been selected so select your local network 
gateway choose our lng-standby and now we need our   second pre-shared key from our configuration make 
sure that ikev2 is selected and hit ok and in just   a few minutes of the old handshake we've got 
another good connection and we can verify that   back in aws that both tunnels are now up now since 
virtual machines in aws do not get access to the   internet by default we need to create an internet 
gateway in order to do the testing so over on the   left scroll back up to the top and then go ahead 
and click the internet gateway and then up here   go ahead and click create and we'll call it the my 
dash internet dash gateway and then i've added my   tags and then hit create and then up here click 
the actions button and select attach to vpc and   click in the box select your vpc's id and then 
click attach internet gateway all right great job   everyone we've got a working vpn we just need to 
test it so we need a virtual machine on both sides   in order to verify that the tunnel is working 
so we're going to go up to the very top left and   click on services and then right underneath all 
services we have compute and you want to click on   ec2 and then right over there you want to click 
on the launch instance button and because i'm   in a free aws subscription i'm going to click over 
there in the filter for the free tier only but you   can obviously do this with any vm that you want 
and then i'm going to scroll down a little bit   and i'm going to go with the ubuntu server version 
20 and then hit select and the t2 micro free tier   enabled has already been selected for me and i'm 
going to click that configuration button over here   and just verify that the network and subnet that 
you've got selected are the ones that are actually   attached to our vpn solution and then all the 
other settings are good for me today so i'm   just going to hit this review and launch button so 
everything looks good to me and i'm going to hit   the launch button you're going to need to create 
a new key pair so in the first box i'll select   create a new key pair and then you just give it a 
name and i'll just call it vpn key pair and then   click this download key pair button now be careful 
because this is your only opportunity to get   this key pair so be sure that you save it and when 
you've done that click launch instance now while   that's going through and finishing let's jump back 
to azure and build a vm over there and back in the   same resource group we've been doing everything 
else go ahead and click add at the top and since   we built an ubuntu vm in aws let's build that 
first windows server over here in azure we'll give   it a name and then region because we only have one 
vm on the azure side for this test we don't need   the availability options our image has already 
been selected as server 2016 so we'll scroll down   and our vm size has already been selected with 
two cpu cores and eight gigs of ram i think that's   just fine for a quick test like this then we'll 
enter our credentials now of course there's many   more settings that we could get into but i'm 
just going to hit the review and create button   since this is just a quick test our validation 
has passed and hit create and in just a minute or   so our vm is done building now what we have right 
over here is our private ip address that's on our   subnet where our vpn is located and then we have 
a public ip address and we're going to use that to   connect over rdp to this windows vm and you can do 
that real easy just by clicking the connect button   at the top and since this is a windows system 
click rdp and then hit the button over there to   download your rdp file and once you've opened that 
just go ahead and hit connect now i'm going to use   putty in order to ssh over to my aws virtual 
machine so that's already installed over there   and you can see that i've got my pim file as well 
that i've downloaded from aws and i've already   converted that with puttygen into a dot ppk file 
now remember we don't have an inbound ip address   on our ec2 instance so the only way we connect to 
it is over the vpn tunnel so i'm going to go with   my user at the private ip address of that ec2 
instance and we'll just click open and there we   go we're connected to and i've loaded 
that side by side with the windows command prompt   and you can see our private ip address over there 
is and let's ping that from the aws   side and there you go active ping response 
the vpn tunnel is up and it is working now   of course you can add plenty of enhancements from 
here so you can do dns resolution across or even   active directory authentication and build 
yourself your enterprise across your multi-cloud   vpn so thanks for joining us today on this 
first venture into the multi-cloud world i   don't know if we'll do a whole lot of these 
depends on your feedback it was certainly a   great experience for me to learn all that i did 
on the aws side of things so give me some comments   down below if you are using multi-cloud how you do 
it what you do and what you're interested in in a   future video here at the azure academy don't 
forget to click subscribe like comment share   all of that good stuff and if you want to see more 
stuff on azure networking i've got my playlist   right over there so you can keep on learning as 
well as the latest video at the azure academy   thanks very much for joining us for today's video 
and we will catch you next week happy learning

You May Also Like