Goals
The purpose of this guide is to build four distributed networks and combine them into one highly available, logically connected network.
- Build with the top three cloud vendors (aws.amazon.com, azure.microsoft.com, cloud.google.com) and one on-premises (pfsense.org) network
- Use a mesh network topology that scales to additional point-to-point connections
- Dynamic routing between Autonomous Systems (AS) using Border Gateway Protocol (BGP)
- Encrypt traffic between sites over Virtual Private Network (VPN) tunnels using Internet Protocol Security (IPsec)
Network
![4 Network](https://res.cloudinary.com/practicaldev/image/fetch/s--u4Uf4jHE--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/q7wp1jzytvr8btja9yul.png)
- Final mesh network topology architecture
AWS
![AWS](https://res.cloudinary.com/practicaldev/image/fetch/s--90RAgl8i--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/697l12huib89i2ofgeth.png)
Network
![VPC](https://res.cloudinary.com/practicaldev/image/fetch/s--0JXfxQMQ--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/zmju7bcyhseef1la2217.png)
- Create a Virtual Private Cloud Network in AWS
![VPC config-a](https://res.cloudinary.com/practicaldev/image/fetch/s--vw7FsuxK--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/bouldzfosi9m03ptyerh.png)
![VPC config-b](https://res.cloudinary.com/practicaldev/image/fetch/s--G1VmfvdX--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/falc4m92wrcynjzz9nrb.png)
| Setting | Value |
| --- | --- |
| Resource to Create | VPC and more |
| Name | vpc-aws |
| IPv4 CIDR block | 172.16.11.0/24 |
| Num of AZs | 2 |
| Public | 0 |
| Private | 2 |
| NAT | None |
| Endpoint | None |
Gateway
![Gateway](https://res.cloudinary.com/practicaldev/image/fetch/s--R9AroqxX--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/zj86i09i940cj3c316i8.png)
- Identify the public IP address of the on-premises ISP connection
- Point-to-point identification and traffic pass-through
Customer Gateway
![Customer Gateway](https://res.cloudinary.com/practicaldev/image/fetch/s--Ufeed6NL--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/7tkbbt0ee03g7nscicn3.png)
| Setting | Value |
| --- | --- |
| Name | pfsense |
| BGP ASN | 65000 |
| IP address | 4.4.4.4 |
Transit Gateway
![Transit Gateway config-a](https://res.cloudinary.com/practicaldev/image/fetch/s--cseYFPaO--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/w6d76bu8jt1t382hunjl.png)
![Transit Gateway config-b](https://res.cloudinary.com/practicaldev/image/fetch/s--mVFIC0gU--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/hf6wo5k1kqu0zjqyot8d.png)
| Setting | Value |
| --- | --- |
| Name | tg-aws |
| Description | tg-aws |
| ASN | 64512 |
Route Table
![Update Route Table](https://res.cloudinary.com/practicaldev/image/fetch/s--wG1N-kCD--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/9fd5549wyk1ktmyjuuxb.png)
DNS
![DNS](https://res.cloudinary.com/practicaldev/image/fetch/s--g1rEUZid--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/8bpgftevhb2v9zpwsy0d.png)
- AWS reserves the address x.x.x.2 in each VPC CIDR for the VPC DNS resolver
- Outbound endpoints let you forward DNS requests to resolvers on other networks
- Inbound endpoints let resolvers on other networks forward requests to AWS
Outbound Endpoint
![Outbound Endpoint config-a](https://res.cloudinary.com/practicaldev/image/fetch/s--i9M85pCa--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/g3k1lc38zpglx389culp.png)
![Outbound Endpoint config-b](https://res.cloudinary.com/practicaldev/image/fetch/s--fh7E6lnx--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/0mhog1yl8k4hq9n6mbe0.png)
![Outbound Endpoint config-c](https://res.cloudinary.com/practicaldev/image/fetch/s--v0U_ZYyk--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/h6kui5ocwmrkraravdld.png)
![Outbound Endpoint config-d](https://res.cloudinary.com/practicaldev/image/fetch/s--Zi7u-QPn--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ozz91frj9shmpaqqxxcd.png)
| Setting | Value |
| --- | --- |
| Endpoint Name | oe-aws |
| VPC | vpc-aws-vpc |
| Security Group | Default |
| Endpoint Type | IPv4 |
| IP Address #1 | AZ us-east-1, subnet 1, IPv4 |
| IP Address #2 | AZ us-east-2, subnet 2, IPv4 |
| Rule Name | onpremise |
| Rule Type | Forward |
| Domain Name | firewall.lan |
| VPC Rule | vpc-aws-vpc |
| Target IP #1 | 10.0.1.2:53 |
| Target IP #2 | 10.0.4.2:53 |
Inbound Endpoint
![Inbound Endpoint config-a](https://res.cloudinary.com/practicaldev/image/fetch/s--2mGcKHVd--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/8uwh29flgy2i2sdim49o.png)
![Inbound Endpoint config-b](https://res.cloudinary.com/practicaldev/image/fetch/s--XE5hBLPC--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/326yx45whx12fnlhh2mp.png)
| Setting | Value |
| --- | --- |
| Endpoint Name | ie-aws |
| VPC | vpc-aws-vpc |
| Security Group | Default |
| Endpoint Type | IPv4 |
| IP Address #1 | AZ us-east-1, subnet 1, IPv4 |
| IP Address #2 | AZ us-east-2, subnet 2, IPv4 |
Site to Site
![Site to Site](https://res.cloudinary.com/practicaldev/image/fetch/s--hVJrpeGB--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/zvt915qdj5p5i0ugt6fa.png)
- Use IPsec tunnels to connect AWS to another data center
- Keep a failover connection for high availability
![Site to Site config-a](https://res.cloudinary.com/practicaldev/image/fetch/s--N_TpR89e--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/h8tncl9iyayrf9jkrtmo.png)
![Site to Site config-b](https://res.cloudinary.com/practicaldev/image/fetch/s--UZkxaojh--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/vhe52yfhn1yh3c11uyox.png)
![Site to Site config-c](https://res.cloudinary.com/practicaldev/image/fetch/s--2pMwaU5e--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/weqymsoyfd85gc6m4mrj.png)
![Site to Site config-d](https://res.cloudinary.com/practicaldev/image/fetch/s--Tgg7RCxn--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/gxlsfa7g6wfbuxba512e.png)
| Setting | Value |
| --- | --- |
| AWS | s2s-aws-pfsense |
| Target gateway type | Transit Gateway |
| Transit Gateway | TGW |
| Customer Gateway | CGW |
| Routing Options | Dynamic |
| Tunnel inside IP | IPv4 |
| Inside IPv4 CIDR for tunnel 1 | 169.254.11.0/30 |
| Pre-shared key for tunnel 1 | strong password |
| Inside IPv4 CIDR for tunnel 2 | 169.254.12.0/30 |
| Pre-shared key for tunnel 2 | strong password |
Status
![Status](https://res.cloudinary.com/practicaldev/image/fetch/s--vwT7GEnX--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/55xwocp466bo0mengyqo.png)
- When the BGP session is established, the status changes from down to up
SSM
![SSM](https://res.cloudinary.com/practicaldev/image/fetch/s--XE_i4Lpp--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/xzleognbsktx6j3q9b80.png)
- Using AWS Systems Manager allows remote access without opening any SSH ports
- Use it to keep your network private
- Use it to debug any connectivity issues
IAM Role Policy
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ssm:DescribeAssociation",
                "ssm:GetDeployablePatchSnapshotForInstance",
                "ssm:GetDocument",
                "ssm:DescribeDocument",
                "ssm:GetManifest",
                "ssm:GetParameter",
                "ssm:GetParameters",
                "ssm:ListAssociations",
                "ssm:ListInstanceAssociations",
                "ssm:PutInventory",
                "ssm:PutComplianceItems",
                "ssm:PutConfigurePackageResult",
                "ssm:UpdateAssociationStatus",
                "ssm:UpdateInstanceAssociationStatus",
                "ssm:UpdateInstanceInformation"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ssmmessages:CreateControlChannel",
                "ssmmessages:CreateDataChannel",
                "ssmmessages:OpenControlChannel",
                "ssmmessages:OpenDataChannel"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2messages:AcknowledgeMessage",
                "ec2messages:DeleteMessage",
                "ec2messages:FailMessage",
                "ec2messages:GetEndpoint",
                "ec2messages:GetMessages",
                "ec2messages:SendReply"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
```
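As an added least-privilege check (not part of the original post), the following Python audits an instance-role policy like the one above: it rejects wildcard or non-agent actions and the control-plane actions an instance role never needs, and flags parameter-read actions granted on `Resource "*"` for review. The control-plane and review lists are my assumptions about what belongs on an agent role, not text quoted from AWS.

```python
# Audit an SSM instance-role policy for least privilege.
# PAGE_POLICY is the policy from the post, re-typed as a Python dict.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "ssm:DescribeAssociation", "ssm:GetDeployablePatchSnapshotForInstance",
            "ssm:GetDocument", "ssm:DescribeDocument", "ssm:GetManifest",
            "ssm:GetParameter", "ssm:GetParameters", "ssm:ListAssociations",
            "ssm:ListInstanceAssociations", "ssm:PutInventory",
            "ssm:PutComplianceItems", "ssm:PutConfigurePackageResult",
            "ssm:UpdateAssociationStatus", "ssm:UpdateInstanceAssociationStatus",
            "ssm:UpdateInstanceInformation"]},
        {"Effect": "Allow", "Resource": "*", "Action": [
            "ssmmessages:CreateControlChannel", "ssmmessages:CreateDataChannel",
            "ssmmessages:OpenControlChannel", "ssmmessages:OpenDataChannel"]},
        {"Effect": "Allow", "Resource": "*", "Action": [
            "ec2messages:AcknowledgeMessage", "ec2messages:DeleteMessage",
            "ec2messages:FailMessage", "ec2messages:GetEndpoint",
            "ec2messages:GetMessages", "ec2messages:SendReply"]},
    ],
}

# Namespaces the SSM agent itself talks to; anything else on an instance role
# is outside what Session Manager needs.
AGENT_NAMESPACES = ("ssm:", "ssmmessages:", "ec2messages:")
# Control-plane actions (assumption: my list) that belong to operators, not to
# the instance: on an instance role they would let that instance drive other
# managed instances.
CONTROL_PLANE = ("ssm:SendCommand", "ssm:StartSession", "ssm:CreateAssociation")
# Agent actions worth scoping to specific parameter ARNs, because "*" reads
# every Parameter Store entry in the account (assumption: review, not error).
REVIEW_ON_WILDCARD = ("ssm:GetParameter", "ssm:GetParameters")


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_instance_policy(policy):
    """Return {"errors": [...], "review": [...]} for an instance-role policy."""
    errors, review = [], []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                errors.append(f"statement {idx}: wildcard action {action!r}")
            elif not action.startswith(AGENT_NAMESPACES):
                errors.append(f"statement {idx}: non-agent action {action!r}")
            elif action in CONTROL_PLANE:
                errors.append(f"statement {idx}: control-plane action {action!r}")
            elif action in REVIEW_ON_WILDCARD and "*" in resources:
                review.append(f"statement {idx}: {action} on Resource '*'")
    return {"errors": errors, "review": review}


if __name__ == "__main__":
    for kind, items in audit_instance_policy(PAGE_POLICY).items():
        print(kind, items or "none")
```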
Endpoint
SSM Endpoint
![ssm Endpoint config-a](https://res.cloudinary.com/practicaldev/image/fetch/s--t4_geFgh--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/wkh0q1ahdiblg87z9c6m.png)
![ssm Endpoint config-b](https://res.cloudinary.com/practicaldev/image/fetch/s--k0yo4AlR--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/2k2n9q45rahm3pskg0s3.png)
![ssm Endpoint config-c](https://res.cloudinary.com/practicaldev/image/fetch/s--relkPZns--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/vbfwis5nqdi68l21tm1m.png)
| Setting | Value |
| --- | --- |
| Name | ssm-endpoint |
| Service Category | AWS Service |
| Service | SSM |
| VPC | vpc-aws-vpc |
| Subnets | us-east-1, us-east-2 |
| Security Group | Default |
| Policy | Full Access |
SSMMessage Endpoint
![Image description](https://res.cloudinary.com/practicaldev/image/fetch/s--HK29vFkH--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/3kzvt0k6sj86w03rqnbj.png)
| Setting | Value |
| --- | --- |
| Name | ssmmessage-endpoint |
| Service Category | AWS Service |
| Service | SSMmessages |
| VPC | vpc-aws-vpc |
| Subnets | us-east-1, us-east-2 |
| Security Group | Default |
| Policy | Full Access |
EC2Message Endpoint
![Image description](https://res.cloudinary.com/practicaldev/image/fetch/s--MKeTSrBK--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/pqia31zmsm1pd2za934o.png)
| Setting | Value |
| --- | --- |
| Name | ec2message-endpoint |
| Service Category | AWS Service |
| Service | ec2messages |
| VPC | vpc-aws-vpc |
| Subnets | us-east-1, us-east-2 |
| Security Group | Default |
| Policy | Full Access |
Azure
![Azure](https://res.cloudinary.com/practicaldev/image/fetch/s--eXZCS3kt--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/vbr5nl499mtvwx1djmkq.png)
VNET
![VNET](https://res.cloudinary.com/practicaldev/image/fetch/s--v4nxKdvb--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/c65xu4a3pd1pqgdy6uac.png)
- Create a Virtual Network on Azure
Resource Group
![RG Review](https://res.cloudinary.com/practicaldev/image/fetch/s--hk8Xi9x9--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/myk351gqo2ldxuhfcvk8.png)
- A resource group provides a single, detailed view of all resources in a group's stack

| Setting | Value |
| --- | --- |
| Resource group | rg-aws-azure |
| Region | East US |
Virtual Network
![Vnet Review](https://res.cloudinary.com/practicaldev/image/fetch/s--s5qr71AU--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/dq967ke7q4ku0fp9v02t.png)
- This IaaS resource builds a virtual network similar to a VPC
- Create one /24 network and divide it into four /26 subnets

| Setting | Value |
| --- | --- |
| Resource group | rg-aws-azure |
| Name | vnet-aws-azure |
| Region | East US |
| Bastion | Disabled |
| Firewall | Disabled |
| DDoS | Disabled |
| Address Space | 172.16.12.0/24 |
| Subnet | 172.16.12.0/26 |
VWAN
![VWAN](https://res.cloudinary.com/practicaldev/image/fetch/s--rmCYzTNX--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/nnu1z9efs3leu9g49v7q.png)
- TODO: Azure VWAN
- Have an AWS site-to-site connection configured to populate the data
Local Network Gateway
![LNG Review](https://res.cloudinary.com/practicaldev/image/fetch/s--csS57XBB--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/90r6o6889ts0akg90hct.png)
- IP address of the customer/data center gateway

| Setting | Value |
| --- | --- |
| Resource group | rg-aws-azure |
| Region | East US |
| Endpoint | IP Address |
| IP Address | 1.1.1.1 |
| Address Space(s) | None |
| ASN | 64512 |
| BGP | 169.254.21.1 |
Reserved APIPA
| Provider | Reserved APIPA range |
| --- | --- |
| AWS | 169.254.0.0/16 |
| Azure | 169.254.21.0/24 - 169.254.22.0/24 |
Virtual Network Gateway
![VNG Review](https://res.cloudinary.com/practicaldev/image/fetch/s--9Bivo3oo--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/k6n8mn3h5lnvqsvnc8sv.png)
| Setting | Value |
| --- | --- |
| Resource group | rg-aws-azure |
| Region | East US |
| SKU | VPNGw2AZ |
| Generation | 2 |
| VNET | vnet-aws-azure |
| Subnet | 172.16.12.64/27 |
| Gateway Type | VPN |
| VPN Type | Route Based |
| Active-active | Disabled |
| BGP | Enabled |
| ASN | 65000 |
| Custom APIPA | 169.254.21.2, 169.254.22.2 |
| Public IP address | vng-aws-azure-pip |
Private Resolver
![Private Resolver](https://res.cloudinary.com/practicaldev/image/fetch/s--RI6zKFRX--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/m40y49nvzpjznb6q1buw.png)
Connection
![Connection](https://res.cloudinary.com/practicaldev/image/fetch/s--06Y_Xdc7--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/4ga0o6s6zc7nfxw26z0y.png)
- Use this to create an IPsec connection that runs BGP
- Create a second connection for failover
![Conn Review](https://res.cloudinary.com/practicaldev/image/fetch/s--Je5hXauq--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/um859zokwejxyggfeyxx.png)
| Setting | Value |
| --- | --- |
| Resource group | rg-aws-azure |
| Region | East US |
| Connection type | Site-to-site (IPsec) |
| Connection name | conn-1-aws-azure |
| Virtual Network Gateway | vng-aws-azure |
| Local Network Gateway | lng-aws-azure |
| IKE Protocol | IKEv2 |
| IPsec / IKE policy | Default |
| Use Policy based traffic selector | Disable |
| DPD timeout | 45 |
| Connection Mode | Default |
| BGP | 169.254.21.2 |
BGP
![VNG Sidebar](https://res.cloudinary.com/practicaldev/image/fetch/s--KNRuKZMk--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/xlp7bpkhygtb32pqplph.png)
![Connection Status](https://res.cloudinary.com/practicaldev/image/fetch/s--iA8NLJU0--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/1962g1nxxsqjpjrq207t.png)
- Verify the connection is enabled
- Create a second connection for failover
![BGB Status](https://res.cloudinary.com/practicaldev/image/fetch/s--aoPwxkiz--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/iv6lwo3oj9dwck4um70a.png)
- Verify route propagation from BGP
Azure VM
![Ping](https://res.cloudinary.com/practicaldev/image/fetch/s--dhKCbWJE--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/kix89c8b312ibq558rbh.png)
GCP
![GCP](https://res.cloudinary.com/practicaldev/image/fetch/s--2opo6Fr9--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/zpi9kof5vwdq6k6btuo1.png)
VPC
![VPC](https://res.cloudinary.com/practicaldev/image/fetch/s--DftC8ds2--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/gnokqgvsdu0aue2phtch.png)
- Create a Virtual Private Cloud on Google
![VPC config-a](https://res.cloudinary.com/practicaldev/image/fetch/s--u8MvH2km--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/smmge708i9ddbr1idf2m.png)
![VPC config-b](https://res.cloudinary.com/practicaldev/image/fetch/s--Zu5kegD9--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/kgx7g46bq6isnepxjhkb.png)
![VPC config-c](https://res.cloudinary.com/practicaldev/image/fetch/s--CLDXwtwv--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/w1x49do350vi86kupynx.png)
| Setting | Value |
| --- | --- |
| Name | vpc-gcp-aws |
| Description | VPC |
| IPv6 | Disabled |
| Subnet | Custom |
| Subnet Name | Private |
| Subnet Region | us-east-1 |
| IP stack | IPv4 |
| IP range | 172.16.13.0/24 |
| Private Google Access | off |
| Flow Logs | off |
| IPv4 Firewall Rule | Ingress, apply to all, 0.0.0.0/0, ICMP, Allow |
| Dynamic Routing | Regional |
Network Connectivity Center
![Network Connectivity](https://res.cloudinary.com/practicaldev/image/fetch/s--jTkjYW5U--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/c7ci2tfg9kbnjveh9t8c.png)
Cloud Router
![Cloud Router](https://res.cloudinary.com/practicaldev/image/fetch/s--fKyWc74---/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/mxv950kiznd814sbgm8j.png)
| Setting | Value |
| --- | --- |
| Name | cr-gcp |
| Description | route |
| Network | vpc-gcp-aws |
| Region | us-east-1 |
| ASN | 65000 |
| Interval | 20 |
| Routes | Advertise all subnets to CR |
VPN Gateway
![VPN Gateway](https://res.cloudinary.com/practicaldev/image/fetch/s--ie2EU0h0--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/jyniv99nbqpcidavx7ku.png)
| Setting | Value |
| --- | --- |
| Name | vpn-gcp-aws |
| Network | vpc-gcp-aws |
| Region | us-east-1 |
| IP stack | IPv4 |
Cloud DNS
![Cloud DNS](https://res.cloudinary.com/practicaldev/image/fetch/s--uiQSg7aa--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/nju39yq0sf2xh7uoyulz.png)
Peer VPN
![Peer VPN](https://res.cloudinary.com/practicaldev/image/fetch/s--gayda0Ez--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/590dnq3l3u5w7bep8qhp.png)
- Set up the infrastructure for GCP VPN
![Peer VPN config-a](https://res.cloudinary.com/practicaldev/image/fetch/s--ePhMSw5t--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/ishpqglp42j4w0f9zed6.png)
![Peer VPN config-b](https://res.cloudinary.com/practicaldev/image/fetch/s--BO5mu8F7--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/sgiui3fpk8hehn9bvl3k.png)
![Peer VPN config-c](https://res.cloudinary.com/practicaldev/image/fetch/s--PrMAh9iN--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/njlat3b92ucc2m3f48sf.png)
- Repeat these steps on interface 1 (failover)

| Setting | Value |
| --- | --- |
| Name | vpng-gcp-aws |
| Interfaces | two interfaces |
| Interface 0 | 3.3.3.3 |
| Interface 1 | 3.3.3.2 |
| Peer VPN Gateway | On-Prem or Non Google |
| Peer VPNG Name | vpng-gcp-aws |
| High Availability | Create a pair of VPN tunnels |
| Cloud Router | cr-gcp |
| Associated Peer VPNG interface | 0: 1.1.1.1 |
| Name | conn1-gcp-aws |
| Pre-shared key | strong password |
| Peer ASN | 64512 |
BGP
![BGP](https://res.cloudinary.com/practicaldev/image/fetch/s--j3vaGDw1--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/26zci26bkwbirpqzs78q.png)
| Setting | Value |
| --- | --- |
| Name | conn1 |
| Peer ASN | 64512 |
| BGP IPv4 address | Manually |
| Cloud Router BGP | 169.254.250.138 |
| BGP Peer Address | 169.254.250.137 |
![BGP Status](https://res.cloudinary.com/practicaldev/image/fetch/s--tpXToEYx--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/4o9vcsc2o1alwqyjyn4a.png)
- Verify the dynamic route update
GCP vm
![Image description](https://res.cloudinary.com/practicaldev/image/fetch/s--rE-a8PvT--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/uz6ag27wptmzhqurw9ug.png)
PFSense
![Pfsense](https://res.cloudinary.com/practicaldev/image/fetch/s--PfRKtlXv--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/1xdc2bhflycjdd7lq793.png)
VLAN
Check out this write-up on how to configure VLANs with pfsense
ISP
TODO: Check out this write-up on how to configure a VPN Server with pfsense
PiHole
TODO: Check out this write-up on how to configure a DNS server with PiHole
IPSec
Phase 1
![Edit Tunnel 1](https://res.cloudinary.com/practicaldev/image/fetch/s--q6bUAaAx--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/mzbj3nzbgg83ti4o148e.png)
- Start by creating the primary tunnel and repeat the steps below for the failover connection (tunnel 2)
![Tunnel1 Config-a](https://res.cloudinary.com/practicaldev/image/fetch/s--I3Y4mLYe--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/3lthkei3omh9raqpyek2.png)
![Tunnel1 Config-b](https://res.cloudinary.com/practicaldev/image/fetch/s--SGnzzpbD--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/bjxsc74njx61x91isf73.png)
| Setting | Value |
| --- | --- |
| Description | conn1-aws-pfsense |
| Key Exchange version | IKEv2 |
| Remote Gateway | 1.1.1.1 |
| Pre-Shared Key | strong password key token |
| Algorithm | AES |
| Key Length | 128 bits |
| Hash | SHA256 |
| DH Group | 14 (2048 bit) |
| Max failures | 3 |
Phase 2
![Edit Tunnel 2](https://res.cloudinary.com/practicaldev/image/fetch/s--rM3N8DvN--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/jiq9viiyz10cavsjeoi8.png)
- Start by creating the primary tunnel and repeat the steps below for the failover connection (tunnel 2)
![Tunnel1 Config-a](https://res.cloudinary.com/practicaldev/image/fetch/s--_MG_mtDQ--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/8ow5oi43p05y5kjair4c.png)
![Tunnel1 Config-b](https://res.cloudinary.com/practicaldev/image/fetch/s--hoWduCns--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/852jnz1ksdhy07jvkvuq.png)
![Tunnel1 Config-b](https://res.cloudinary.com/practicaldev/image/fetch/s--I7djLAKw--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/d3nxfb99zm3shdedjv9i.png)
| Setting | Value |
| --- | --- |
| Description | conn1-aws-pfsense |
| Mode | Routed (VTI) |
| Local Network | address: 169.254.11.12 |
| Remote Network | address: 169.254.11.11 |
| Encryption Algorithm | AES256-GCM 128 bits |
| Ping Host | 172.16.11.11 |
| Keep Alive | Enabled |
Status
![Image description](https://res.cloudinary.com/practicaldev/image/fetch/s--_YNCnuK9--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/pe5xkwki6eob6vzkgur3.png)
- Both the primary and failover tunnels are connected over IPsec
BGP
FRR Global Settings
![Global Settings](https://res.cloudinary.com/practicaldev/image/fetch/s--Gmsk-A7K--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/i1mkyb4se39xify2uxes.png)
| Setting | Value |
| --- | --- |
| Enabled | true |
| Master Password | strong password |
FRR Route Maps
![Route Maps](https://res.cloudinary.com/practicaldev/image/fetch/s--1SEIb5Ef--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/z809hxlbakdtfj134v3b.png)
![Route Maps config](https://res.cloudinary.com/practicaldev/image/fetch/s--ePI_XrOG--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/40osc3et5u4ab2rtwv7k.png)
| Setting | Value |
| --- | --- |
| Name | Allow-all |
| Action | Permit |
| Sequence | 100 |
FRR BGP
![FRR BGB](https://res.cloudinary.com/practicaldev/image/fetch/s--dYd7JJrv--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/02esh1j6lv7i6ad90z0x.png)
![BGB-config-a](https://res.cloudinary.com/practicaldev/image/fetch/s--kEVVbQHh--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/5swktgpids18yiq6y331.png)
![BGB-config-a](https://res.cloudinary.com/practicaldev/image/fetch/s--J2s0c5HF--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/1vvt8x3nvfstv8o7iczp.png)
| Setting | Value |
| --- | --- |
| Enabled | true |
| Local AS | 65000 |
| Router ID | 10.0.1.1 |
| Networks to distribute | 10.0.1.0/28, 10.0.2.0/29, 10.0.4.0/28 |
FRR Neighbors
![FRR Neighbors](https://res.cloudinary.com/practicaldev/image/fetch/s--PufAbJ-3--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/5it5y8pn3jp6jpdg8zbm.png)
- Start with the primary tunnel and repeat the steps for the failover tunnel
![FRR Neighbors config-a](https://res.cloudinary.com/practicaldev/image/fetch/s--y83cP1Ol--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/vhuo4jyfnc4d1n3n9qbn.png)
![FRR Neighbors config-b](https://res.cloudinary.com/practicaldev/image/fetch/s--uC1NRqeJ--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/zoibrsqcr8mqkyl35ysy.png)
![FRR Neighbors config-c](https://res.cloudinary.com/practicaldev/image/fetch/s--zLSallst--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/i6esdduluf9k4cwevyv6.png)
| Setting | Value |
| --- | --- |
| Name/Address | 169.254.11.12 |
| Description | conn1-aws-pfsense |
| Remote AS | 64512 |
| Inbound Route Map Filters | Allow-all |
| Outbound Route Map Filters | Allow-all |
FRR Status
![Status Routes](https://res.cloudinary.com/practicaldev/image/fetch/s--60b_k3tG--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/tksb3luy5w102vvn17cl.png)
- Verify that the dynamic routes have been updated
![Status Summary](https://res.cloudinary.com/practicaldev/image/fetch/s--tc6wyiO2--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/w1ur8ijpyexg0c2r4cqt.png)
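Pulling together the site prefixes, ASNs and AWS tunnel inside CIDRs from the tables above, here is an added Python check (not part of the original post) that validates the address plan before any tunnel is built: it reports overlapping prefixes between sites, an ASN shared by more than one site, ASNs outside the private range, and AWS inside-tunnel CIDRs that fall outside the allowed link-local space. The list of link-local /30s that AWS reserves is reproduced from memory of the AWS Site-to-Site VPN documentation and should be treated as an assumption.

```python
import ipaddress
from collections import defaultdict

# Routed prefixes per site, copied from the tables in this post.
SITE_PREFIXES = {
    "aws": ["172.16.11.0/24"],
    "azure": ["172.16.12.0/24"],
    "gcp": ["172.16.13.0/24"],
    "pfsense": ["10.0.1.0/28", "10.0.2.0/29", "10.0.4.0/28"],
}
# BGP ASN each site runs, copied from the tables in this post.
SITE_ASN = {"aws": 64512, "azure": 65000, "gcp": 65000, "pfsense": 65000}
# Inside (link-local) CIDRs of the two AWS tunnels, from the Site to Site table.
TUNNEL_INSIDE = {"tunnel-1": "169.254.11.0/30", "tunnel-2": "169.254.12.0/30"}

# Link-local /30s AWS rejects as tunnel inside CIDRs (assumption: as listed in
# the AWS Site-to-Site VPN documentation at the time of writing).
AWS_RESERVED_INSIDE = [ipaddress.ip_network(c) for c in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30")]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
PRIVATE_ASN = range(64512, 65535)  # RFC 6996 16-bit private ASNs, 64512-65534


def overlapping_prefixes(site_prefixes):
    """Return (site_a, prefix_a, site_b, prefix_b) for every pair of prefixes
    from different sites that overlap. With an overlap BGP can only install
    one site's route, black-holing hosts at the other site."""
    nets = [(s, ipaddress.ip_network(p)) for s, ps in site_prefixes.items() for p in ps]
    found = []
    for i, (site_a, net_a) in enumerate(nets):
        for site_b, net_b in nets[i + 1:]:
            if site_a != site_b and net_a.overlaps(net_b):
                found.append((site_a, str(net_a), site_b, str(net_b)))
    return found


def duplicate_asns(site_asn):
    """Return {asn: [sites]} for any ASN used by more than one site. eBGP loop
    prevention drops a route whose AS_PATH already carries the receiver's own
    ASN, so two sites that both use 65000 cannot learn each other's prefixes
    through a third AS (such as the AWS transit gateway) unless the receiving
    router supports and is configured with allowas-in."""
    by_asn = defaultdict(list)
    for site, asn in site_asn.items():
        by_asn[asn].append(site)
    return {asn: sites for asn, sites in by_asn.items() if len(sites) > 1}


def non_private_asns(site_asn):
    """Return sites whose ASN lies outside the 16-bit private range."""
    return {s: a for s, a in site_asn.items() if a not in PRIVATE_ASN}


def check_aws_inside_cidr(cidr):
    """AWS wants a /30 inside 169.254.0.0/16 that avoids the reserved blocks.
    Returns a list of problems; an empty list means the CIDR is acceptable."""
    net = ipaddress.ip_network(cidr)
    problems = []
    if net.prefixlen != 30:
        problems.append("must be a /30")
    if not net.subnet_of(LINK_LOCAL):
        problems.append("must be inside 169.254.0.0/16")
    if any(net.overlaps(r) for r in AWS_RESERVED_INSIDE):
        problems.append("overlaps an AWS-reserved link-local block")
    return problems


def validate_plan():
    """Run every check against the values from this post and return findings."""
    tunnels = {n: check_aws_inside_cidr(c) for n, c in TUNNEL_INSIDE.items()}
    return {
        "overlaps": overlapping_prefixes(SITE_PREFIXES),
        "duplicate_asns": duplicate_asns(SITE_ASN),
        "non_private_asns": non_private_asns(SITE_ASN),
        "tunnel_problems": {n: p for n, p in tunnels.items() if p},
    }


if __name__ == "__main__":
    for check, finding in validate_plan().items():
        print(f"{check}: {finding if finding else 'ok'}")
```

Run against the post's values, the only finding is that Azure, GCP and pfSense all use ASN 65000; giving each site its own private ASN avoids the loop-prevention drop described in the comment.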
Mac
![Mac](https://res.cloudinary.com/practicaldev/image/fetch/s--GOHfsVQY--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_800/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/h40us3nz4j47c9bb32eg.png)