
What is going on everyone, thanks for joining the Azure Academy. Today we are going to build the best multi-cloud VPN between Azure and AWS, and we're starting right now. I'm Dean Cefola and this is the Azure Academy.

Now we have covered a lot on VPNs on this channel already, but this one is unique because we're going to connect Azure with AWS, and that means that we may have some people who are unfamiliar with either side of those two clouds. So we're going to show everything in detail today. If you look below the video in the description section you'll find I've got a resources link that goes out to the Azure documentation, and that covers everything step by step for your future reference. That documentation was written by a teammate of mine, Ricardo Martins, and I've got his LinkedIn in the description below as well, so be sure to follow him and thank him for writing up this entire solution that we're going to walk through today.

So why would you want to have a multi-cloud VPN? Well, you could use it for daily operations because you're just in a multi-cloud setup in your company, or maybe you want to migrate from one cloud to the other. For that you'd need some kind of connectivity between them, and that's where a VPN can come in. VPNs are also great for encrypting traffic between two different locations. So no matter what your scenario, we're going to get it done for you today.

So why is this going to be the very best VPN that you could build? Well, you could have built a VPN on top of virtual machines in either Azure or AWS for a few years now: just build an Ubuntu server, install something like OpenVPN server, and you've been good to go. But the problem with a single VM like that is it just cannot scale out or scale up; they're not made that way. An appliance can, and so today we're going to be leveraging the Azure virtual network gateway. It is a managed, scalable appliance, which means that with the click of a button you can double your amount of bandwidth throughput and scale the system to accommodate whatever your needs are. You can make this a point-to-site VPN, and it supports a bunch of different clients, from the Azure native client to OpenVPN, as we've done videos on in the past, or a site-to-site VPN like we're going to do today to connect two different locations. You could also connect your on-prem with the cloud in the same way. This same gateway appliance is also what Azure ExpressRoute could be built on top of. So we've got a lot of different options in this managed service.

That means that we need to fulfill some requirements, one being that we need an Azure subscription and an AWS account, as well as a virtual network and a VPC so that we have something to connect our VPNs to, and then we'll need some VMs for testing. So let's go over to the Azure portal and get started.

Now, as with all of our videos, you'll see down in the YouTube timeline here that there are different chapter sections so that you can jump around if you're already familiar with how to do this process. But if this is your very first time using Azure, you'll want to go to azure.microsoft.com and then click the "Try Azure for free" button over there, and then you'll see up here you can start for free or buy now. If you start for free, basically you get 12 months of Azure with $200 a month as Azure credits. But of course if you already have an Azure subscription then you can just go to portal.azure.com and sign in. When you click "Start for free" you'll be seeing this screen, and then you can sign in if you already have a login; if not, you can go right there to create one. Now I'm going to skip through this part of the process and let you do that on your own if you need to, and I'll just sign in.

Now in Azure, once you have signed in, at the very top you'll want to search for resource groups. If you already have the resource group that you want to use and you've already got a pre-existing virtual network, then you can skip ahead to the next chapter. Everything in Azure needs to be stored within a resource group, which is basically a metadata container. So let's create for ourselves a new resource group, and we'll just do that by clicking the new plus there. Every resource group needs to be stored in a subscription, so go ahead and select your appropriate subscription. Then your resource group needs a name; we'll call this one rg-azure-aws (rg for resource group). Then we'll store that in a particular region; in this case I'll choose East US because that's near where I am. Then go ahead and click next, and this is where we can add some tags. This is additional metadata that we can add to our resource group so that we can do other stuff with it later, for example some automation tasks, or where we can add additional information like what application this is related to, what our environment is, who owns it, what the cost code is, all that kind of good stuff. When you've added all of your appropriate tags, go ahead and click the next/review button. Azure will validate that everything looks good, and then go ahead and click create. Now this should only take a couple of seconds to build this resource group, and then we can build our first resource. Go ahead and click the "Go to resource" button that shows up, and now we are inside our resource group. All of the resources we're going to build on the Azure side are going to live in this resource group.

We're going to start with building a virtual network. At the top go ahead and click add, and then type "virtual network" into the marketplace, go ahead and select that, and then hit create. Give your virtual network a name and choose an appropriate region; generally you want to keep these resources as close to yourself as possible so you have the best latency experience. So I'll call my virtual network vnet-azure, and I'll store that in East US and click next. For our IP addresses: every virtual network has boundaries, and those are the IP address ranges that you select. A VNet can have multiple IP address ranges; in this case we just need one IP address range, and I'll make that 172.10.0.0/16. Now we need to add a new subnet into our address space so we have some room to work. Go ahead and click to add a new subnet, and then over here we need to give the subnet a name and an IP address range. This is how large your subnet is, and this subnet range of course needs to be within the address space of the entire virtual network. I'll just call this subnet-01 and I'll make the IP address range 172.10.1.0/24. We don't need any of the services at this point, so go ahead and click add. Now let's hit next, and this is the security section. We don't need to add any of these items right now, but of course you can always go back and do that at a later time. So let's click next again, add some appropriate tags for this network, and then go ahead and click the "Review and create" button. Azure will once again validate that everything you've done looks good; go ahead and create, and that'll be done in just a moment. Then click the "Go to resource" button and there is our virtual network. At the top you can see the IP address range that we selected, and if you go to subnets over there on the left you can see your subnet range as well.

Let's go back to our resource group, because now we're going to build our VPN gateway. Go ahead and click the add button, type in "virtual network gateway", select that and then hit the create button. We'll call this one vpn-azure-aws. Choose your appropriate region; I'll choose East US. Then there's that toggle for either a VPN gateway or an ExpressRoute gateway; in this case we want VPN. Then you can choose which type of VPN you want, policy-based or route-based; we're going to choose route-based today. Then we have our SKUs. This is the capacity and bandwidth that your VPN would have, and when I click the drop-down for the SKUs you can see we've got numbers one through five, and then again one through five with an AZ. The difference between the two is that the first one through five have to do with building inside one availability zone, and the others are spread across multiple availability zones. That means you get a little more high availability: in case something happened to one of the zones in Azure, your VPN would still be able to be up. So for the moment here I'm just going to select VPN gateway 3 with an availability zone, just because I'm going to show you this next feature, and that is the generation. The docs will go into this in more detail, but generation 2 systems have more bandwidth, throughput, features, etc. than generation 1, so if those are important to you then you'll want to be sure to select something that's in generation 2.

Just for today's example, however, I'm going to choose VPN gateway 1, which is restricted to generation 1, because I just don't need a lot of bandwidth for this example. Then the next drop-down is for our virtual network, and you'll want to select the network that you just created. When you do that it should automatically select the first IP address space, and that would be that 172.10 space that we selected, but notice it's got a /24, not a /16. That's because Azure is smart enough to know that we created a subnet already at 172.10.1.0/24, so it knows that that first /24 is available for us to build our gateway subnet, which is a requirement for the gateway appliance. So it's already done that for us.

Now the next thing is we need a public IP address, and that's so our VPN has something to talk to the world with. If you have an existing public IP, go ahead and select that; otherwise you can just type in the name of your new public IP. Just to make sure I can find it later and know that it's associated with this VPN, I'll call it pip-vpn-azure-aws (pip for public IP address). If we scroll down, the next thing we have to choose is whether we want our VPN gateway to be active-active or active-passive. Now active-active means that you can have more simultaneous connections, and by the way, active-active does not cost any more than active-passive; it's simply your preference. In my case I don't need it to be active-active; it's just my lab and this is just an example. If you need more bandwidth, reliability, high availability, etc., go ahead and select enabled for that, but I'm going to leave mine disabled today.

Then we have configuring BGP. Now BGP, for those who don't know, is the Border Gateway Protocol, and this is something that gives us a lot more flexibility and intelligence for how things are going to be routed and accepted or blocked on our network. For today's example, because we're connecting Azure to AWS, I'm not going to enable BGP, but if you're creating a site-to-site VPN for your on-prem network and your on-prem appliance supports BGP, then you can go ahead and enable that. I'm going to leave it disabled today, go ahead and click next and add my tags. Because these resources are all related to the same project, I'm adding the same tags just to keep everything uniform. Then go ahead and hit next. Azure has once again validated that everything we did was good, so go ahead and hit create. Now the VPN gateway will take a little while to build, so while it's doing that, let's jump over to AWS.

Just like before, if you already have an AWS account, feel free to skip ahead in the chapters, but for those of you who are new to AWS, you'll want to go to aws.amazon.com, and then over here in the top corner you want to select "Complete sign up". Then on the sign-in screen go ahead and click over there where it says "Create a new AWS account" and fill out the form, or if you have an existing account, go ahead and click sign in. Now I'm not going to walk you through the rest of this sign-in process, just like before on Azure, so let's log in to my AWS account and get started.

Now that we're logged into the AWS management console, we want to go to the search box at the very top and just type "VPC", and then go ahead and click that first entry. Now in the first box, for VPCs, we want to click on that, and then over here we want to click on "Create VPC". We need to give it a name, so I'll call it my-vpc-01, and then we need an IP address range, and I'll make this 10.10.0.0/16.

For our IPv6 block we'll just leave that set to no, and our tenancy will be default. Then you can add some tags, and when you're done with that go ahead and click "Create VPC". Now we need to create a subnet, so over on the left go ahead and click subnets, and then up top here click "Create subnet". From the drop-down over there go ahead and select the appropriate VPC; it should be the one you just created. I'll call this my-subnet-01, and then for my availability zone I'll go ahead and select us-east-1a, and then the CIDR range for our subnet will be 10.10.1.0/24. Then add your tags and go ahead and click the create button.

Now we're going to create a customer gateway. This is what's going to point to the public IP address of our VPN in Azure. So go ahead and scroll down over on the left, and there you'll find your virtual private network section, and in there choose customer gateway. Then at the top go ahead and hit create. We need to give it a name, so cg-aws-azure, and then for the IP address we have to go back to the Azure portal real quick and grab that public IP. Back in the Azure portal there is our public IP address; we'll go ahead and click that, and then up top there is the public IP, so we'll copy that, go back to AWS and just paste that in the IP address field, and then go ahead and click "Create customer gateway". Once that's done you can hit close, and there is our gateway.

Now on the left, just under that, we want to select our virtual private gateway. This is what's going to complete that connection. So click on "Create virtual private gateway", and then we need a name, how about vpg-aws-azure. Then for our ASN we'll just leave it as Amazon default and hit create. Once that's done hit close, and now we need to attach our virtual private gateway to the VPC, so go ahead and right-click on it and select "Attach to VPC", in the drop-down select the ID of your VPC, and click attach.

Now over on the left we want to go to the site-to-site VPN connections and click "Create VPN connection"; we're almost there. Once again we need a name, vpn-aws-azure, and then for our gateway type choose virtual private gateway. Under the virtual private gateway drop-down menu go ahead and select the ID of the appropriate gateway, the one we just created, and then we want this to be an existing gateway, and again choose the right one from the drop-down. For your routing options we're going to choose static, and the static IP address range is going to be the range from Azure, so this is 172.10.1.0/24. The tunnel version will be for IPv4, and then at the bottom go ahead and hit create. Once that's done, at the top here you can click "Download configuration", and for your vendor choose generic, platform should also be generic, and then the software should be vendor agnostic, and then hit the download button. That configuration file is going to have the pre-shared key and the public key for each of the two IPsec tunnels that AWS just created. Now this file also contains the virtual private gateway information, but you can see that in the AWS portal here in the site-to-site VPN configuration: go ahead and click over there on tunnel details and there you can see the tunnels' public IP addresses as well as the status. Currently it's down, so how can we fix that?

We need to go back to Azure, and what we need to do is add a local network gateway. Now the purpose of that is usually to specify what your on-prem IP address range is, but in this case it's going to be what our AWS IP address range is, so the two networks can complete the connection. So at the top go ahead and click add, and then in the search box type "local network gateway", select that from the drop-down and then hit the create button. Surprisingly enough, we'll call this lng-azure-aws. Our endpoint will be an IP address, and then we need to know which IP we're going to use, so back to the AWS management console, and I'll just copy the IP address from the very first tunnel. Back to Azure, and paste that in the IP address field. Now we need an IP address range; this is going to be that CIDR block from our VPC, so put in here 10.10.0.0/16. At the bottom make sure that your subscription and resource group are correct, and for your region, this does need to be in the same region as the virtual network gateway and your virtual network so that they can all communicate together. Hit the create button, and in just a minute you'll have your local network gateway.

Now we need to finish the whole process with a VPN connection. So go ahead and click on the virtual network gateway, and then way over there on the left you've got connections, and at the top click add. We'll call this connection-azure-aws. Change your connection type from VNet-to-VNet and select site-to-site (IPsec). The virtual network gateway has already been selected for us, but go ahead and choose your local network gateway, and remember that's the lng-azure-aws. Now we need the shared key from the first tunnel, and that's in the downloaded configuration file. The only other setting you need to verify for sure is that IKEv2 is selected, and then go ahead and hit OK. That will establish your connection, and in just a few minutes of some handshaking you will see in your virtual network gateway that you are now connected. We can go back to AWS and verify this by looking at our site-to-site connection's tunnel details, and you can see our first tunnel there is showing a status of up.

Now we need to add a route to send our traffic from AWS to Azure. So if we scroll all the way up to the top, and then over there on the left you want to select your route tables, right-click on your route table and then select "Edit routes". Now over there go ahead and click the "Add route" button, and you want to type in that Azure IP address range, and then for your target hit the drop-down, and at the very bottom select the virtual private gateway. That'll list all of the VPGs that you have; select the appropriate one, in our case we just have one, and to finish go ahead and hit "Save routes".

Now you do have a secondary tunnel that we do want to set up a connection for as well, and it'll be the same process as we just did, so we'll go through this one a little faster. Back in the Azure portal go ahead and click add and type in that local network gateway again, select it and then hit create. We'll call this one lng-azure-aws-standby, and for our IP address, you guessed it, back to AWS, and we'll scroll all the way down on the left, click on the site-to-site VPN connections, copy the IP address from our second tunnel, and back in Azure paste that in the IP address field. Then the address space will be our VPC's CIDR block. Verify again that you have the right subscription, resource group and region, and hit create. Okay, almost done. Let's go back to the virtual network gateway, and on the left again choose your connections, and at the top hit add connection. Our name is going to be connection-azure-aws-standby, our connection type will be site-to-site (IPsec) again, the virtual network gateway has already been selected, so select your local network gateway, choose our lng-standby, and now we need our second pre-shared key from our configuration. Make sure that IKEv2 is selected and hit OK, and in just a few minutes of the old handshake we've got another good connection, and we can verify back in AWS that both tunnels are now up.

Now, since virtual machines in AWS do not get access to the internet by default, we need to create an internet gateway in order to do the testing. So over on the left scroll back up to the top, and then click the internet gateway, and then up here click create. We'll call it my-internet-gateway, and then I've added my tags, and then hit create. Then up here click the actions button and select "Attach to VPC", click in the box, select your VPC's ID, and click "Attach internet gateway".

All right, great job everyone, we've got a working VPN; we just need to test it. So we need a virtual machine on both sides in order to verify that the tunnel is working. We're going to go up to the very top left and click on services, and then right underneath all services we have compute, and you want to click on EC2. Then right over there you want to click on the "Launch instance" button, and because I'm in a free AWS subscription I'm going to click over there in the filter for the free tier only, but you can obviously do this with any VM that you want. Then I'm going to scroll down a little bit and I'm going to go with the Ubuntu Server version 20 and hit select. The t2.micro free tier enabled has already been selected for me, and I'm going to click that configuration button over here and just verify that the network and subnet that you've got selected are the ones that are actually attached to our VPN solution. All the other settings are good for me today, so I'm just going to hit this "Review and launch" button. Everything looks good to me and I'm going to hit the launch button. You're going to need to create a new key pair, so in the first box I'll select "Create a new key pair", and then you just give it a name, and I'll just call it vpn-key-pair, and then click this "Download key pair" button. Now be careful, because this is your only opportunity to get this key pair, so be sure that you save it. When you've done that, click "Launch instance".

Now while that's going through and finishing, let's jump back to Azure and build a VM over there. Back in the same resource group we've been doing everything else in, go ahead and click add at the top, and since we built an Ubuntu VM in AWS, let's build a Windows Server over here in Azure. We'll give it a name and then a region; because we only have one VM on the Azure side for this test we don't need the availability options. Our image has already been selected as Server 2016, so we'll scroll down, and our VM size has already been selected with two CPU cores and eight gigs of RAM; I think that's just fine for a quick test like this. Then we'll enter our credentials. Now of course there are many more settings that we could get into, but I'm just going to hit the "Review and create" button since this is just a quick test. Our validation has passed, so hit create, and in just a minute or so our VM is done building.

Now what we have right over here is our private IP address, which is on our subnet where our VPN is located, and then we have a public IP address, and we're going to use that to connect over RDP to this Windows VM. You can do that real easy just by clicking the connect button at the top, and since this is a Windows system click RDP, and then hit the button over there to download your RDP file, and once you've opened that, just go ahead and hit connect. Now I'm going to use PuTTY in order to SSH over to my AWS virtual machine, so that's already installed over there, and you can see that I've got my .pem file as well that I've downloaded from AWS, and I've already converted that with PuTTYgen into a .ppk file. Now remember, we don't have an inbound IP address on our EC2 instance, so the only way we connect to it is over the VPN tunnel. So I'm going to go with my user at the private IP address of that EC2 instance, and we'll just click open, and there we go, we're connected to 10.10.1.112. I've loaded that side by side with the Windows command prompt, and you can see our private IP address over there is 172.10.1.4, so let's ping that from the AWS side. And there you go, active ping response: the VPN tunnel is up and it is working.

Now of course you can add plenty of enhancements from here, so you can do DNS resolution across or even Active Directory authentication and build yourself your enterprise across your multi-cloud VPN. So thanks for joining us today on this first venture into the multi-cloud world. I don't know if we'll do a whole lot of these; it depends on your feedback. It was certainly a great experience for me to learn all that I did on the AWS side of things, so give me some comments down below if you are using multi-cloud, how you do it, what you do, and what you're interested in in a future video here at the Azure Academy. Don't forget to click subscribe, like, comment, share, all of that good stuff, and if you want to see more stuff on Azure networking I've got my playlist right over there so you can keep on learning, as well as the latest video at the Azure Academy. Thanks very much for joining us for today's video and we will catch you next week. Happy learning.
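As an added example (not from the video or the linked documentation), here is a small Python helper that does the address-plan checks and tunnel bookkeeping the walkthrough does by hand: it confirms the VNet and VPC ranges do not overlap and that each subnet sits inside its parent, finds the first free /24 that the portal picks for the gateway subnet, and pulls the two tunnels' pre-shared keys and outside IPs out of a constructed excerpt shaped like the generic, vendor-agnostic AWS configuration file, turning them into the two local network gateway and connection definitions. The file layout, key strings and IP addresses are assumed placeholders; it also reports that 172.10.0.0/16, the range used in the video, is outside RFC 1918.

```python
import ipaddress
import re

# Constructed excerpt shaped like the generic, vendor-agnostic file the walkthrough
# downloads from AWS (assumed layout); keys and addresses are placeholder values.
SAMPLE_AWS_CONFIG = """\
! IPSec Tunnel #1
  - Authentication Method    : Pre-Shared Key
  - Pre-Shared Key           : EXAMPLE-PSK-TUNNEL-1
  - Outside IP Addresses:
    - Customer Gateway            : 203.0.113.10
    - Virtual Private Gateway     : 198.51.100.21
! IPSec Tunnel #2
  - Pre-Shared Key           : EXAMPLE-PSK-TUNNEL-2
  - Outside IP Addresses:
    - Customer Gateway            : 203.0.113.10
    - Virtual Private Gateway     : 198.51.100.42
"""

TUNNEL_HEADER = re.compile(r"IPSec Tunnel #(\d+)")
PSK_LINE = re.compile(r"^\s*-\s*Pre-Shared Key\s*:\s*(\S+)", re.M)
VPG_LINE = re.compile(r"Virtual Private Gateway\s*:\s*(\d+(?:\.\d+){3})")


def parse_aws_tunnels(text):
    """Return one dict per IPsec tunnel: number, pre-shared key, AWS outside IP."""
    parts = TUNNEL_HEADER.split(text)  # [preamble, "1", body1, "2", body2, ...]
    tunnels = []
    for num, body in zip(parts[1::2], parts[2::2]):
        psk, vpg = PSK_LINE.search(body), VPG_LINE.search(body)
        if not (psk and vpg):
            raise ValueError(f"tunnel {num}: pre-shared key or gateway IP missing")
        tunnels.append({"tunnel": int(num), "psk": psk.group(1), "aws_ip": vpg.group(1)})
    return tunnels


def check_address_plan(vnet_cidr, vnet_subnet, vpc_cidr, vpc_subnet):
    """A statically routed site-to-site VPN needs disjoint ranges and nested subnets."""
    vnet, vsub = ipaddress.ip_network(vnet_cidr), ipaddress.ip_network(vnet_subnet)
    vpc, psub = ipaddress.ip_network(vpc_cidr), ipaddress.ip_network(vpc_subnet)
    problems = []
    if vnet.overlaps(vpc):
        problems.append(f"{vnet} overlaps {vpc}: the static routes would be ambiguous")
    for sub, parent in ((vsub, vnet), (psub, vpc)):
        if not sub.subnet_of(parent):
            problems.append(f"{sub} is not inside {parent}")
    for net in (vnet, vpc):
        if not net.is_private:  # 172.10.0.0/16 lies outside 172.16.0.0/12
            problems.append(f"{net} is not an RFC 1918 range and shadows public addresses")
    return problems


def first_free_subnet(vnet_cidr, used_cidrs, new_prefix=24):
    """First /24 in the VNet that no existing subnet touches (the portal's GatewaySubnet pick)."""
    used = [ipaddress.ip_network(c) for c in used_cidrs]
    for cand in ipaddress.ip_network(vnet_cidr).subnets(new_prefix=new_prefix):
        if not any(cand.overlaps(u) for u in used):
            return str(cand)
    return None


def plan_local_network_gateways(tunnels, vpc_cidr):
    """One Azure local network gateway plus S2S connection per AWS tunnel, named as in the video."""
    plans = []
    for t in tunnels:
        suffix = "" if t["tunnel"] == 1 else "-standby"
        plans.append({
            "local_network_gateway": f"lng-azure-aws{suffix}",
            "connection": f"connection-azure-aws{suffix}",
            "endpoint_ip": t["aws_ip"],    # AWS tunnel outside IP
            "address_space": vpc_cidr,     # VPC CIDR reachable through this tunnel
            "shared_key": t["psk"],
            "protocol": "IKEv2",
        })
    return plans
```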