Disclaimer: This interoperability Terraform setup is intentionally minimal: it needs little user input and creates the public IPs and the shared key automatically. Customers should verify this by testing it.
- Go through the steps to create a GCP to AWS HA VPN setup (AWS and GCP CLI commands).
- Review how dynamic routing works in Google Cloud.
- The required administrative role is assigned on GCP and AWS to the user that will run Terraform.
- VPCs and subnets are already created in GCP and AWS.
- GCP firewall rules must be added to allow traffic (ingress and egress) between AWS and GCP.
- AWS security group and route table modifications are required for traffic flow and subnet route propagation.
Modify the variables below in terraform.tfvars according to your setup.

| Variable | Description | Required | Default |
|---|---|---|---|
| gcp_project_id | GCP project ID | yes | |
| gcp_region | GCP region of the Cloud Router and VPN setup | yes | |
| gcp_bgp | GCP Cloud Router BGP ASN | yes | "65273" |
| gcp_network | GCP VPC network name | yes | |
| aws_vpc_id | AWS VPC ID | yes | |
| aws_region | AWS region | yes | |
| aws_route_table_id | AWS route table ID used to propagate VPN gateway routes to subnets; if left empty, propagation is not enabled on any subnet | no | "" |
Because HA VPN is dependent on BGP IP settings generated by AWS, you must configure Cloud VPN and AWS components in the following sequence:
- Create the HA VPN gateway and create a Cloud Router.
- Create two AWS virtual private gateways.
- Create two AWS site-to-site VPN connections and customer gateways, one for each AWS virtual private gateway.
- Create four VPN tunnels on the HA VPN gateway.
- Configure BGP sessions on the Cloud Router using the BGP IP addresses and the auto-generated shared key.
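The Google Cloud half of that sequence, as an added Terraform example that is not this repository's code. It assumes the AWS side already exists as `aws_vpn_gateway.aws` and `aws_vpn_connection.aws` (both `count = 2`, one connection per virtual private gateway), that `google_compute_ha_vpn_gateway.gcp` and `google_compute_router.gcp` exist, and that the google provider is configured with `var.gcp_region`. Because every peer IP, BGP address and pre-shared key below is read from the AWS connection attributes, Terraform's dependency graph creates the AWS tunnels first, which is exactly the ordering the list above requires.

```hcl
# Added example, not this repository's code; the AWS and HA VPN resources it references are assumed.
locals {
  # AWS generates each tunnel's outside IP, /30 BGP addresses and PSK; flatten both connections into four peers.
  peers = flatten([for i, c in aws_vpn_connection.aws : [
    { id = 2 * i, ip = c.tunnel1_address, psk = c.tunnel1_preshared_key,
      self = c.tunnel1_cgw_inside_address, peer = c.tunnel1_vgw_inside_address },
    { id = 2 * i + 1, ip = c.tunnel2_address, psk = c.tunnel2_preshared_key,
      self = c.tunnel2_cgw_inside_address, peer = c.tunnel2_vgw_inside_address },
  ]])
  peer_map = { for p in local.peers : tostring(p.id) => p }
}
resource "google_compute_external_vpn_gateway" "aws" {
  name            = "aws-peer-gateway"
  redundancy_type = "FOUR_IPS_REDUNDANCY"
  dynamic "interface" {
    for_each = local.peers
    content {
      id         = interface.value.id
      ip_address = interface.value.ip
    }
  }
}
# Peers 0,1 (first VGW) land on HA VPN interface 0; peers 2,3 (second VGW) on interface 1.
resource "google_compute_vpn_tunnel" "aws" {
  for_each                        = local.peer_map
  name                            = "aws-tunnel-${each.key}"
  region                          = var.gcp_region
  vpn_gateway                     = google_compute_ha_vpn_gateway.gcp.id
  vpn_gateway_interface           = floor(each.value.id / 2)
  peer_external_gateway           = google_compute_external_vpn_gateway.aws.id
  peer_external_gateway_interface = each.value.id
  shared_secret                   = each.value.psk # AWS-generated, never placed in terraform.tfvars
  router                          = google_compute_router.gcp.id
}
# One BGP session per tunnel on the Cloud Router, using the AWS-assigned inside addresses.
resource "google_compute_router_interface" "aws" {
  for_each   = local.peer_map
  name       = "aws-if-${each.key}"
  router     = google_compute_router.gcp.name
  ip_range   = "${each.value.self}/30"
  vpn_tunnel = google_compute_vpn_tunnel.aws[each.key].name
}
resource "google_compute_router_peer" "aws" {
  for_each        = local.peer_map
  name            = "aws-peer-${each.key}"
  router          = google_compute_router.gcp.name
  interface       = google_compute_router_interface.aws[each.key].name
  peer_ip_address = each.value.peer
  peer_asn        = aws_vpn_gateway.aws[floor(each.value.id / 2)].amazon_side_asn
}
```

The AWS-generated pre-shared keys end up in the Terraform state, so the state backend needs the same access controls as the gateways themselves.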
AWS terminology and the AWS logo are trademarks of Amazon Web Services or its affiliates in the United States and/or other countries.
Learn how to build site-to-site IPSec VPNs between HA VPN on Google Cloud and AWS.
Below are definitions of terms used throughout this guide.
- Google Cloud VPC network: A single virtual network within a single Google Cloud project.
- On-premises gateway: The VPN device on the non-Google Cloud side of the connection, which is usually a device in a physical data center or in another cloud provider's network. Google Cloud instructions are written from the point of view of the Google Cloud VPC network, so on-premises gateway refers to the gateway that's connecting to Google Cloud.
- External IP address or Google Cloud peer address: External IP addresses used by peer VPN devices to establish HA VPN with Google Cloud. External IP addresses are allocated automatically, one for each gateway interface within a Google Cloud project.
- Dynamic routing: Google Cloud dynamic routing for VPN using the Border Gateway Protocol (BGP). Note that HA VPN only supports dynamic routing.
HA VPN supports multiple topologies. This interop guide is based on the AWS-peer-gateways topology using a REDUNDANCY_TYPE of FOUR_IPS_REDUNDANCY.
There are three major gateway components to set up for this configuration, as shown in the following topology diagram:
- An HA VPN gateway in Google Cloud with two interfaces.
- Two AWS virtual private gateways, which connect to your HA VPN gateway.
- An external VPN gateway resource in Google Cloud that represents your AWS virtual private gateway. This resource provides information to Google Cloud about your AWS gateway.
The supported AWS configuration uses a total of four tunnels:
- Two tunnels from one AWS virtual private gateway to one interface of the HA VPN gateway.
- Two tunnels from the other AWS virtual private gateway to the other interface of the HA VPN gateway.