
Deploying Multi-Provider Site-to-Site VPNs: Connecting AWS with Azure, GCP, and Beyond

Introduction

In today's cloud ecosystem, businesses rarely rely on a single provider. Multi-cloud adoption has become the standard, creating a critical need to securely interconnect different environments. This article explores strategies and best practices for deploying site-to-site VPNs between AWS and multiple cloud providers.

Multi-VPN Architecture: Why and How

Benefits of Connected Multi-Cloud

  • Resilience: Avoid Single Point of Failure (SPOF)
  • Cost Optimization: Leverage each provider's strengths
  • Compliance: Distribute data according to regulatory requirements
  • Performance: Reduce latency for end users

AWS-VPN Deployment with Azure

Azure Configuration

# Creating a Gateway Subnet
az network vnet subnet create \
  --resource-group MyResourceGroup \
  --vnet-name MyVnet \
  --name GatewaySubnet \
  --address-prefixes 10.0.1.0/24

AWS Configuration

resource "aws_customer_gateway" "azure" {
  bgp_asn    = 65000
  ip_address = "52.143.72.189" # Azure VPN Gateway Public IP
  type       = "ipsec.1"
}

resource "aws_vpn_connection" "azure" {
  vpn_gateway_id      = aws_vpn_gateway.main.id
  customer_gateway_id = aws_customer_gateway.azure.id
  type                = "ipsec.1"
  static_routes_only  = true
}

Connecting AWS with Google Cloud Platform

GCP Cloud VPN Setup

gcloud compute vpn-gateways create aws-gateway \
  --region=us-central1 \
  --network=default

gcloud compute external-vpn-gateways create aws-external \
  --interfaces=0=34.203.215.127 # AWS VPN Public IP

AWS Side Configuration

resource "aws_customer_gateway" "gcp" {
  bgp_asn    = 64514
  ip_address = google_compute_address.vpn_external.address # public IP of the GCP VPN gateway
  type       = "ipsec.1"

  tags = {
    Provider    = "GCP"
    Environment = "Production"
  }
}

Interconnecting AWS Accounts

Via AWS Transit Gateway

# Central account (Hub)
resource "aws_ec2_transit_gateway" "main" {
  description = "Multi-account TGW"
  auto_accept_shared_attachments = "enable"
}

# Spoke account
resource "aws_ec2_transit_gateway_vpc_attachment" "spoke1" {
  subnet_ids         = [aws_subnet.private.id]
  transit_gateway_id = aws_ec2_transit_gateway.main.id
  vpc_id             = aws_vpc.main.id
}
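The spoke attachment above can only be created once the hub's Transit Gateway is shared with the spoke account through AWS RAM, which the snippet does not show. Added example, not code from the original post: it assumes aws_ec2_transit_gateway.main from the page and a variable holding the spoke account ID.

```hcl
variable "spoke_account_id" {
  type        = string
  description = "AWS account ID of the spoke (placeholder, set per environment)"
}

resource "aws_ram_resource_share" "tgw" {
  name = "multi-account-tgw-share"

  # false: only accounts in the same AWS Organization (with RAM sharing enabled
  # for the org) can use the share and no invitation step is needed.
  # true: the spoke is an external account and must accept a RAM invitation.
  allow_external_principals = false
}

resource "aws_ram_resource_association" "tgw" {
  resource_arn       = aws_ec2_transit_gateway.main.arn
  resource_share_arn = aws_ram_resource_share.tgw.arn
}

resource "aws_ram_principal_association" "spoke" {
  principal          = var.spoke_account_id
  resource_share_arn = aws_ram_resource_share.tgw.arn
}
```

With `auto_accept_shared_attachments = "enable"` on the hub TGW, the spoke's VPC attachment is accepted automatically; leave it disabled if the hub team should approve each attachment by hand.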

Centralized Configuration Management

Automation with Terraform

# Reusable module for different providers
module "site_to_site_vpn" {
  source = "./modules/vpn-connection"

  for_each = var.cloud_providers

  provider_name       = each.key
  customer_gateway_ip = each.value.gateway_ip
  bgp_asn             = each.value.bgp_asn
  routes              = each.value.routes
  vpn_gateway_id      = aws_vpn_gateway.main.id
}

Unified Monitoring

# CloudWatch dashboard for multi-VPN monitoring
aws cloudwatch put-dashboard \
  --dashboard-name "Multi-Cloud-VPN-Monitoring" \
  --dashboard-body file://vpn-dashboard.json

Security Best Practices

Encryption and Authentication

  • Use IKEv2 with AES-256-GCM
  • Implement Perfect Forward Secrecy (PFS)
  • Rotate pre-shared keys regularly
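The three points above on the AWS side, as an added example that is not code from the original post: it uses the Terraform AWS, hashicorp/random and hashicorp/time providers, reuses aws_vpn_gateway.main and aws_customer_gateway.azure from the page, and assumes a 90-day rotation policy.

```hcl
resource "time_rotating" "psk" {
  rotation_days = 90   # assumed policy: new pre-shared keys every 90 days
}

resource "random_password" "tunnel_psk" {
  for_each = toset(["tunnel1", "tunnel2"])   # a distinct secret per tunnel

  length           = 48
  numeric          = false   # AWS PSKs must not start with "0"; no digits, no edge case
  special          = true
  override_special = "._"    # AWS allows only letters, digits, "." and "_"

  keepers = {
    rotated_at = time_rotating.psk.id   # changes after 90 days, forcing a new key
  }
}

resource "aws_vpn_connection" "azure_hardened" {
  vpn_gateway_id      = aws_vpn_gateway.main.id
  customer_gateway_id = aws_customer_gateway.azure.id
  type                = "ipsec.1"

  tunnel1_preshared_key = random_password.tunnel_psk["tunnel1"].result
  tunnel2_preshared_key = random_password.tunnel_psk["tunnel2"].result

  # IKEv2 only, AES-256-GCM in both phases, SHA-2 as the IKE PRF and
  # DH group 20 (ECP-384); the phase-2 DH group is what turns on PFS.
  tunnel1_ike_versions                 = ["ikev2"]
  tunnel1_phase1_encryption_algorithms = ["AES256-GCM-16"]
  tunnel1_phase1_integrity_algorithms  = ["SHA2-384"]
  tunnel1_phase1_dh_group_numbers      = [20]
  tunnel1_phase2_encryption_algorithms = ["AES256-GCM-16"]
  tunnel1_phase2_integrity_algorithms  = ["SHA2-384"]
  tunnel1_phase2_dh_group_numbers      = [20]

  tunnel2_ike_versions                 = ["ikev2"]
  tunnel2_phase1_encryption_algorithms = ["AES256-GCM-16"]
  tunnel2_phase1_integrity_algorithms  = ["SHA2-384"]
  tunnel2_phase1_dh_group_numbers      = [20]
  tunnel2_phase2_encryption_algorithms = ["AES256-GCM-16"]
  tunnel2_phase2_integrity_algorithms  = ["SHA2-384"]
  tunnel2_phase2_dh_group_numbers      = [20]
}
```

The peer gateway must be configured with the same proposal or IKE negotiation fails, and the generated keys are stored in Terraform state, so the state backend needs encryption and tight access control.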

Network Segmentation

# Provider-specific ACLs
resource "aws_network_acl" "azure_traffic" {
  vpc_id = aws_vpc.main.id

  ingress {
    rule_no    = 100
    action     = "allow"       # required: "allow" or "deny"
    from_port  = 0
    to_port    = 0
    protocol   = "-1"
    cidr_block = "10.1.0.0/16" # Azure range
  }

  # Network ACLs are stateless: without a matching egress rule, replies to
  # Azure traffic are dropped.
  egress {
    rule_no    = 100
    action     = "allow"
    from_port  = 0
    to_port    = 0
    protocol   = "-1"
    cidr_block = "10.1.0.0/16" # Azure range
  }
}

Dynamic Route Management

BGP Configuration

resource "aws_vpn_connection" "bgp_enabled" {
  vpn_gateway_id      = aws_vpn_gateway.main.id
  customer_gateway_id = aws_customer_gateway.azure.id
  type                = "ipsec.1"

  # BGP activation for dynamic route exchange: static_routes_only = false
  # (the default) enables BGP. The peer ASN is taken from the customer
  # gateway's bgp_asn (65000 above); there are no per-tunnel ASN arguments.
  static_routes_only = false

  # Link-local /30 inside each tunnel; the BGP session runs over these.
  tunnel1_inside_cidr = "169.254.10.0/30"
  tunnel2_inside_cidr = "169.254.20.0/30"
}

Troubleshooting Common Issues

Connectivity Diagnostics

# VPN tunnel verification (per-tunnel status and status message)
aws ec2 describe-vpn-connections \
  --vpn-connection-ids vpn-12345678 \
  --query 'VpnConnections[].VgwTelemetry[].[OutsideIpAddress,Status,StatusMessage]' \
  --output table

# Metric monitoring (TunnelState: 1 = UP, 0 = DOWN); start time, end time,
# period and statistics are required arguments
aws cloudwatch get-metric-statistics \
  --namespace AWS/VPN \
  --metric-name TunnelState \
  --dimensions Name=VpnId,Value=vpn-12345678 \
  --start-time "$(date -u -d '1 hour ago' +%Y-%m-%dT%H:%M:%SZ)" \
  --end-time "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
  --period 300 \
  --statistics Minimum

Failure Management

  • Implementation of redundant tunnels
  • Proactive health metric monitoring
  • Automated failover
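Proactive health monitoring for the redundant tunnels, as an added example that is not code from the original post: it assumes aws_vpn_connection.azure from the page and leaves the SNS topic's subscriptions out of scope.

```hcl
resource "aws_sns_topic" "vpn_alerts" {
  name = "multi-cloud-vpn-alerts"
}

locals {
  # AWS/VPN publishes TunnelState per tunnel, keyed by the tunnel's outside IP.
  azure_tunnels = {
    tunnel1 = aws_vpn_connection.azure.tunnel1_address
    tunnel2 = aws_vpn_connection.azure.tunnel2_address
  }
}

# One alarm per tunnel: a single tunnel failure is otherwise invisible while
# the redundant tunnel keeps traffic flowing.
resource "aws_cloudwatch_metric_alarm" "azure_tunnel_down" {
  for_each = local.azure_tunnels

  alarm_name  = "vpn-azure-${each.key}-down"
  namespace   = "AWS/VPN"
  metric_name = "TunnelState"   # 1 = UP, 0 = DOWN
  dimensions = {
    VpnId           = aws_vpn_connection.azure.id
    TunnelIpAddress = each.value
  }
  statistic           = "Minimum"
  period              = 60
  evaluation_periods  = 5             # five consecutive minutes below 1
  threshold           = 1
  comparison_operator = "LessThanThreshold"
  treat_missing_data  = "breaching"   # no datapoints at all is also a fault
  alarm_actions       = [aws_sns_topic.vpn_alerts.arn]
  ok_actions          = [aws_sns_topic.vpn_alerts.arn]
}

# Connection-wide view: with only VpnId as dimension, Maximum below 1 means
# both tunnels are down and the connection has lost all redundancy.
resource "aws_cloudwatch_metric_alarm" "azure_connection_down" {
  alarm_name          = "vpn-azure-all-tunnels-down"
  namespace           = "AWS/VPN"
  metric_name         = "TunnelState"
  dimensions          = { VpnId = aws_vpn_connection.azure.id }
  statistic           = "Maximum"
  period              = 60
  evaluation_periods  = 2
  threshold           = 1
  comparison_operator = "LessThanThreshold"
  alarm_actions       = [aws_sns_topic.vpn_alerts.arn]
}
```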

Conclusion

Deploying multi-provider site-to-site VPNs requires careful planning but offers significant flexibility and resilience. By standardizing configurations, automating deployments, and implementing centralized monitoring, organizations can create robust and scalable hybrid cloud networks.

The multi-cloud approach is not just a technical trend but a business strategy that, when properly implemented, can provide a lasting competitive advantage.
