Site-to-site VPN between GCP and AWS with dynamic BGP routing

Oleg Pershin
7 min read · Jun 6, 2019

A walk-through for configuring a secure and redundant link between AWS VPCs and GCP Cloud VPC Networks with dynamic BGP routing.

It doesn’t cover creating custom VPCs, as there are plenty of guides for that on the Internet.

Use-cases:

  1. Secured and united infrastructure distributed between 2 cloud providers
  2. Secured migration from one cloud provider to another
  3. Simulating on-premise VPN connections
  4. Getting rid of manual routes configuration
  5. etc…
Schema

The numbers represent the order in which AWS and GCP services need to be created.

Let’s assume you have default GCP Project and AWS Account with default VPC.

Let’s also describe the task: 2 virtual machines, one in GCP and one in AWS, should be able to say hello to each other without using public IP addresses.

1. Create GCP Cloud Router

Open GCP console and go to NETWORKING -> Hybrid connectivity -> Cloud routers -> Create router:

Select “Advertise all subnets visible to the Cloud Router” in order to expose your subnets to BGP routing and to the AWS router.

Click “Create”, and this is how it should look:

2. Create a GCP Cloud VPN gateway.

Go to NETWORKING -> Hybrid connectivity -> VPN -> Create a VPN:

Don’t worry about “No high availability”: the AWS VPN gateway will have 2 public interfaces, so in fact there will be 2 VPN tunnels.

Click on “Continue” and set the values as below:

Click on “Reserve”

As we don’t have anything on the AWS side yet, remove the tunnel and click on “Create”:

Now, this is how it should look:

We can see the public IP address attached to the gateway. This IP must be specified in the AWS Customer gateway, so let’s go to the AWS console and create one.

3. Create AWS Customer Gateway

Open AWS console and go to VPC -> Virtual Private Network (VPN) -> Customer Gateways -> Create Customer Gateway:

Set Dynamic Routing, specify ASN 65001 of the GCP Cloud Router and the IP of the GCP Cloud VPN gateway you just created, and click on “Create Customer Gateway”.

4. Create AWS Virtual private gateway

Go to VPC -> Virtual Private Network (VPN) -> Create Virtual Private Gateway:

Set custom ASN 65002, which will be used on the AWS side, and click on “Create Virtual Private Gateway”.

It is now created but not yet attached to a VPC, so let’s do that:

Select the VPC id you need to connect to GCP (the Default one in this case) and click on “Yes, Attach”:

The attaching takes some time.

5. Create AWS Site-to-site VPN Connection

Go to VPC -> Virtual Private Network (VPN) -> Site-to-site VPN Connections -> Create VPN Connection, and select the Virtual Private Gateway and Customer Gateway you just created. Also, select Dynamic Routing:

Leave Tunnel Options unchanged. AWS will automatically generate IPsec pre-shared keys and link-local addresses (e.g. 169.254.46.225/30) for the tunnels:

Click on “Create VPN Connection”, and this is how it should look:

The links are down as no tunnels are configured on the GCP side.

But first, let's figure out what configuration we might need.

Getting Tunnels configuration

See highlighted IPs from the screenshot above.

Tunnel1: AWS Public IP 34.231.248.76; inside tunnel subnet 169.254.46.24/30, which means IP 169.254.46.25 (for the AWS link) and 169.254.46.26 (for the GCP link). To see how the subnet works, use ipcalc.

Tunnel2: AWS Public IP 54.172.179.218; inside tunnel subnet 169.254.44.184/30, which means IP 169.254.44.185 (for the AWS link) and 169.254.44.186 (for the GCP link). To see how the subnet works, use ipcalc.

The GCP Public IP is the same for both tunnels: 34.74.161.0

We also need to get the IKEv1 pre-shared keys, so click on “Download Configuration”:

Select Cisco Systems as the Vendor and click “Download”. Open the txt file, find the section tunnel-group 34.231.248.76 (tunnel 1, see the IP below) and get the ikev1 pre-shared-key sAz._YiBpxf9MMCRIi.ULMZbIXhxzFcb (your key will be different).

Do the same for tunnel 2: find the section tunnel-group 54.172.179.218 and get the ikev1 pre-shared-key wremmthBf5DkJkeGOZzmfFC7Y3BQnu1a (your key will be different).

Save the file and the keys in a safe place.
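As an added example (not part of the original post), the Python below turns the values gathered in this section into the fields the GCP tunnel form will ask for: it pulls each tunnel’s pre-shared key out of a fragment shaped like the downloaded Cisco configuration and splits each /30 inside-tunnel subnet into the AWS-side (BGP peer) and GCP-side (Cloud Router BGP) addresses. The configuration fragment and the PLACEHOLDER keys are constructed; the peer IPs and subnets are the ones from the walk-through.

```python
import ipaddress
import re

# Constructed fragment in the shape of the downloaded "Cisco Systems" config:
# one tunnel-group per AWS tunnel endpoint, each with its ikev1 pre-shared-key.
# Peer IPs are the ones from the walk-through; the keys are placeholders.
SAMPLE_CONFIG = """
tunnel-group 34.231.248.76 type ipsec-l2l
tunnel-group 34.231.248.76 ipsec-attributes
   ikev1 pre-shared-key PLACEHOLDER-PSK-TUNNEL1
!
tunnel-group 54.172.179.218 type ipsec-l2l
tunnel-group 54.172.179.218 ipsec-attributes
   ikev1 pre-shared-key PLACEHOLDER-PSK-TUNNEL2
"""

PSK_RE = re.compile(r"tunnel-group\s+(\S+)\s+ipsec-attributes\s+ikev1 pre-shared-key\s+(\S+)")


def extract_psks(config_text):
    """Map each AWS tunnel peer IP to the pre-shared key in its tunnel-group."""
    return dict(PSK_RE.findall(config_text))


def inside_tunnel_addresses(cidr):
    """Split an AWS inside-tunnel /30 into the AWS-side and GCP-side hosts."""
    # AWS takes the lower host; the upper host is the customer (GCP) side, i.e.
    # the "Cloud Router BGP IP" in the GCP form, while the AWS host is the "BGP peer IP".
    net = ipaddress.ip_network(cidr, strict=True)  # rejects a host address such as .225/30
    if net.prefixlen != 30 or not net.subnet_of(ipaddress.ip_network("169.254.0.0/16")):
        raise ValueError("expected a link-local /30 inside-tunnel subnet")
    aws_ip, gcp_ip = (str(h) for h in net.hosts())
    return {"bgp_peer_ip": aws_ip, "cloud_router_bgp_ip": gcp_ip}


def gcp_tunnel_params(config_text, tunnels):
    """Per tunnel, collect the fields the GCP 'Create VPN Tunnel' form asks for."""
    psks = extract_psks(config_text)
    params = []
    for peer_ip, inside_cidr in tunnels:
        fields = {"remote_peer_ip": peer_ip, "ike_psk": psks[peer_ip]}
        fields.update(inside_tunnel_addresses(inside_cidr))
        params.append(fields)
    return params


if __name__ == "__main__":
    tunnels = [("34.231.248.76", "169.254.46.24/30"), ("54.172.179.218", "169.254.44.184/30")]
    for p in gcp_tunnel_params(SAMPLE_CONFIG, tunnels):
        print(p)
```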

Now go to the GCP Console and configure the VPN tunnels.

6. Create GCP Cloud VPN tunnels

Open GCP console and go to NETWORKING -> Hybrid connectivity -> VPN -> Cloud VPN Tunnels -> Create VPN Tunnel:

Select the VPN gateway “vpn-1” we created above and click on “Continue”:

Set the remote peer IP address of tunnel 1 (see “Getting Tunnels configuration” above). Set the BGP options as below and change the BGP session:

Set Peer ASN 65002 (of the AWS Virtual Private Gateway created above), the Cloud Router BGP IP and the BGP peer IP (see Tunnel 1 of “Getting Tunnels configuration” above), select “Use Cloud Router’s advertisements” to expose all subnets of the VPC Network (the Default Network in this case) and click on “Save and continue”:

Now, this is how the Routing options should look:

Click “Create” and go to NETWORKING -> Hybrid connectivity -> VPN -> Cloud VPN Tunnels.

Starting the tunnel takes some time, but this is how it looks eventually:

Create tunnel 2 by repeating the same operations with the options of tunnel 2 (see “Getting Tunnels configuration” above). This is how it should look:

Let’s go to the AWS console and check the status of the tunnels there as well:

All is UP!

7. Enable Route Propagation in AWS Route Table

Open AWS console and go to VPC -> Route tables

Select the Route table of the VPC (Default in my case), click on the Route Propagation tab and then click Edit route propagation:

Then click on “Save”.

Now the subnets of the AWS VPC are exposed to BGP routing and to the GCP Cloud Router.

8. Test the connectivity

Create 2 temporary VMs, one in GCP in the us-east1 region and the Default VPC Network (in this case) and one in AWS in the us-east-1 region in the Default VPC (in this case), with port 8080 open for the test:

SSH to both and make sure the Netcat tool is installed; otherwise install it (yum install nc or apt-get install netcat).

Start listener on AWS EC2 instance:

[ec2-user@ip-172-31-90-68 ~]$ nc -l -p 8080

Say Hello from GCP:

Check AWS VM’s console:

Congrats!
