Google Cloud VPN Interop Guide

Using Cloud VPN With Amazon Web Services(TM) Virtual Private Gateway

Disclaimer: This interoperability guide is intended to be informational in nature and is an example only. Customers should verify this information via testing. Amazon Web Services, AWS, and the "Powered by Amazon Web Services" logo are trademarks of Amazon.com, Inc. or its affiliates in the United States and/or other countries.

Contents

Introduction
Topology
Preparation Overview
Getting Started
IPsec Parameters
Policy Based IPsec VPN
    Configuration - AWS
        Creating the VPC
        Configuring the VPN
    Configuration - GCP UI
    Configuration - GCP CLI
        Create the VPN Gateway
        Create the VPN Tunnel
IPsec VPN Using Cloud Router
    Configuration - AWS
        Creating the VPC
        Configuring the VPN
    Cloud Router
    VPN Tunnel
    Configuration - Google Cloud Router CLI
        Create the VPN Gateway
        Reserve a Static IP
        Create the Cloud Router
        Create the VPN Tunnel
        Add the BGP Link Local Interface
        Add the BGP Peering Session
Testing the Site-to-Site VPN
    Verify Connectivity
    Test the Tunnel

Introduction

This guide walks you through the process of configuring the AWS Virtual Private Gateway for integration with the Google Cloud VPN service. This information is provided as an example only. If utilizing this guidance to configure your AWS implementation, be sure to substitute the correct IP information for your environment.

Topology

This guide describes three VPN topologies:

1. A site-to-site policy based IPsec VPN tunnel configuration using static routing
2. A site-to-site route based IPsec VPN tunnel configuration
3. A site-to-site IPsec VPN tunnel configuration using the Google Cloud Router and BGP

Preparation Overview

The configuration samples which follow include numerous value substitutions provided for the purposes of example only. Any references to IP addresses, device IDs, shared secrets or keys, account information or project names should be replaced with the appropriate values for your environment when following this guide. This guide is intended to assist in the creation of IPsec connectivity to the Google Cloud. The following is a high level overview of the configuration process which will be covered:

● Configuring the Amazon Virtual Private Gateway
● Configuring the Amazon Customer Gateway
● Configuring the Google Cloud Platform VPN
● Setting up the VPN Connection
● Connecting to GCP
● Testing the tunnel

The IPsec connectivity will utilize the pre-shared key generated by AWS for authentication.

Getting Started

The first step is to establish the base networking environment in AWS. The basis of networking in AWS is the Virtual Private Cloud (VPC). Amazon provides documentation for getting started with AWS networking. The basic concepts to understand are:

● Virtual Private Cloud – customer defined private network space in AWS.
● Virtual Private Gateway – the VPN concentrator on the Amazon side of the VPN connection.
● Customer Gateway – AWS reference to the remote IPsec end point. In this case the Google Cloud Platform VPN gateway.

IPsec Parameters

For the AWS IPsec configuration, the following details will be used:

Parameter                       Value
IPsec Mode                      ESP+Auth Tunnel mode (Site-to-Site)
Auth Protocol                   Pre-shared Key
Key Exchange                    IKEv1
Start                           auto
Perfect Forward Secrecy (PFS)   on
Dead Peer Detection (DPD)       aggressive
INITIAL_CONTACT (uniqueids)     on

The IPsec configuration used in this guide is specified below:

Phase     Cipher Role            Cipher
Phase 1   Encryption             aes-256
Phase 1   Integrity              sha-256
Phase 1   prf                    sha1-96
Phase 1   Diffie-Hellman (DH)    Group 14 (modp_2048)
Phase 1   Phase 1 lifetime       36,000 seconds (10 hours)
Phase 2   Encryption             aes-cbc-256
Phase 2   Integrity              sha-256

Policy Based IPsec VPN

Configuration - AWS

To get started, login to the AWS Management Console and select VPC from the main services menu. New AWS accounts will all have a default VPC. For this exercise, create a new VPC to connect to the Google Cloud Platform using the VPC Wizard:

Creating the VPC

The VPC Wizard steps through the creation and configuration of a new VPC. The first step is to select an IP subnet topology. There are options for various combinations of private and public IP addressing, with or without VPN connectivity. Once selected this cannot be changed. For the test environment, select a Private Subnet Only VPC with Hardware VPN Access:

The next step is to configure the VPC settings:

The following settings must be configured:

● IP CIDR Block: this is the CIDR block for the VPC. It cannot be changed once set. For this test, enter 10.0.0.0/16
● VPC Name: this is the name of the VPC. For this test, enter GCP-Test
● Private Subnet: this is the first subnet allocated from the private IP CIDR block, used for AWS services including EC2. Enter 10.0.1.0/24, which is the network on the AWS side that we want to connect to GCP.
● Availability Zone: this is the AWS Availability Zone into which the VPC will be deployed. We will leave this set to no preference
● Private Subnet Name: a friendly name for the private subnet. We will set this to AWS-VPC
● S3 Endpoint: EC2 to S3 connectivity requires a public network link. This option deploys an S3 API gateway endpoint into the selected private subnet. This exercise will not require an S3 endpoint
● Enable DNS Hostnames: this option enables automatic DNS hostname assignment via DHCP for the private subnet. We will leave DNS hostnames enabled
● Hardware Tenancy: this option allows you to select a dedicated instance type for the VPN gateway for higher scale. Use the default option

After completing the form, click Next to proceed to Step 3.

Configuring the VPN

To configure the VPN, enter the Customer Gateway IP, which is the IP address assigned to the Google Cloud Platform VPN gateway created in the Configuration - GCP section:

In addition to the Customer Gateway IP, enter a Customer Gateway name and a VPN Connection name. Next choose a Routing Type for the VPN connection. This section of the guide covers the static route type VPN, so Static should be selected. Enter the Google Cloud Platform subnet CIDR block under IP Prefix and click Add:

With all required configuration completed, click Create VPC to create the new VPC and finish the Wizard. VPC creation will take a minute or two to complete. Once completed, the management console status will be updated:

The newly created VPC can now be selected from the Dashboard in order to collect the configuration detail required to complete the GCP configuration:

The last step is to collect the IP addresses of the AWS Virtual Gateway and the pre-shared keys used for IKE authentication, automatically generated by AWS. This information is stored in the configuration file, which can be downloaded by clicking Download Configuration. Several device specific options are available for the configuration format. For GCP, select Generic:

The configuration file is an ASCII text file. The auto-generated pre-shared key will be listed under Pre-Shared Key. A sample configuration file is provided below for reference:

Amazon Web Services
Virtual Private Cloud

VPN Connection Configuration
================================================================================
AWS utilizes unique identifiers to manipulate the configuration of a VPN
Connection. Each VPN Connection is assigned a VPN Connection Identifier and is
associated with two other identifiers, namely the Customer Gateway Identifier
and the Virtual Private Gateway Identifier.

Your VPN Connection ID                  : vpn-c1c6d9d3
Your Virtual Private Gateway ID         : vgw-f670afe8
Your Customer Gateway ID                : cgw-3548972b

A VPN Connection consists of a pair of IPSec tunnel security associations (SAs).
It is important that both tunnel security associations be configured.

IPSec Tunnel #1
================================================================================
#1: Internet Key Exchange Configuration

Configure the IKE SA as follows
  - Authentication Method    : Pre-Shared Key
  - Pre-Shared Key           : auto-generated-pre-shared-key
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds
  - Phase 1 Negotiation Mode : main
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

Configuration - GCP UI

In the Google Cloud Platform Developers Console, select the project into which the VPN will be deployed, or create a new project. More information on creating and managing projects can be found here. To view the current network configuration for the project, select Networking from the main services menu in the Developer Console:

In GCP all projects start with a single network named default at time of creation. The default network is configured with a private IP space and a set of base firewall rules. The default network provides a sufficient starting point for creating a site-to-site IPsec VPN. More information on networking within the Google Cloud Platform can be found in the Networking section of the Google Compute Engine documentation. To configure the AWS side of the VPN, two values are needed from GCP:

● Customer Gateway IP Address: the public IP address of the VPN gateway in Google Cloud
● Routing Type/IP Prefix: the private IP address space associated with the Google Cloud Platform Network

The address space is shown in the network overview and in this example is 10.240.0.0/16:

To get the Customer Gateway IP address, create a Google Cloud VPN gateway. From the Networking menu, select VPN. Any existing VPN gateways will be listed in the main information panel. If no VPN gateways have been created, an option will be provided to create one:

Click ​Create a VPN​ to initiate the VPN creation workflow:

The VPN has several user configurable properties:

● Name: a representative name for the VPN connection (must be lowercase)
● Description: free form text describing the gateway (optional)
● Network: the network to which the VPN gateway will be attached
● Region: the region into which the VPN gateway will be deployed
● IP address: the static public IP address which will be assigned to the VPN gateway. A new static IP address can also be allocated at this stage:

Enter the AWS Virtual Private Gateway IP and the pre-shared key collected in the Configuration - AWS section and click create. The Remote Network IP Ranges should include both the VPC CIDR block as well as any configured subnets. Note that AWS requires IKEv1:

AWS utilizes two tunnels for redundancy. The above steps should be repeated for each tunnel documented in the AWS configuration file.

Configuration - GCP CLI

Cloud VPN can also be configured using the gcloud command line tool. Command line configuration requires two steps. First the VPN Gateway is created, then the tunnels are created referring to the VPN Gateway.

Create the VPN Gateway

gcloud compute target-vpn-gateways create gcp-to-aws --network to-lab --region us-central1

Create the VPN Tunnel

AWS utilizes two tunnels for redundancy. Repeat this step for each tunnel, passing the same region as the gateway and IKE version 1, which AWS requires:

gcloud compute vpn-tunnels create my-tunnel --region us-central1 --ike-version 1 --shared-secret MySharedSecret --peer-address on-prem-IP --target-vpn-gateway gcp-to-aws --local-traffic-selector gcp-CIDR --remote-traffic-selector on-prem-CIDR

IPsec VPN Using Cloud Router

Configuration - AWS

To get started, login to the AWS Management Console and select VPC from the main services menu. New AWS accounts will all have a default VPC. For this exercise a new VPC is being created to connect to the Google Cloud Platform using the VPC Wizard:

Creating the VPC

The VPC Wizard steps through the creation and configuration of a new VPC. The first step is to select an IP subnet topology. There are options for various combinations of private and public IP addressing, with or without VPN connectivity. Once selected this cannot be changed. For the test environment, select a Private Subnet Only VPC with Hardware VPN Access:

The next step is to configure the VPC settings:

The following settings must be configured:

● IP CIDR Block: this is the CIDR block for the VPC. It cannot be changed once set. For this test, enter 10.0.0.0/16
● VPC Name: this is the name of the VPC. For this test, enter GCP-Test
● Private Subnet: this is the first subnet allocated from the private IP CIDR block, used for AWS services including EC2. Enter 10.0.1.0/24, which is the network on the AWS side that we want to connect to GCP.
● Availability Zone: this is the AWS Availability Zone into which the VPC will be deployed. We will leave this set to no preference
● Private Subnet Name: a friendly name for the private subnet. We will set this to AWS-VPC
● S3 Endpoint: EC2 to S3 connectivity requires a public network link. This option deploys an S3 API gateway endpoint into the selected private subnet. This exercise will not require an S3 endpoint
● Enable DNS Hostnames: this option enables automatic DNS hostname assignment via DHCP for the private subnet. We will leave DNS hostnames enabled
● Hardware Tenancy: this option allows you to select a dedicated instance type for the VPN gateway for higher scale. Use the default option

After completing the form, click Next to proceed to Step 3.

Configuring the VPN

To configure the VPN, enter the Customer Gateway IP, which is the IP address assigned to the Google Cloud Platform VPN gateway created in the Configuration - GCP section:

In addition to the Customer Gateway IP, enter a Customer Gateway name and a VPN Connection name. Next choose a Routing Type for the VPN connection. This section of the guide covers VPN with BGP route management, so Dynamic should be selected. Enter the Google Cloud Platform subnet CIDR block under IP Prefix and click Add:

With all required configuration completed, click Create VPC to create the new VPC and finish the Wizard. VPC creation will take a minute or two to complete. Once completed, the management console status will be updated:

The newly created VPC can now be selected from the Dashboard in order to collect the configuration detail required to complete the GCP configuration:

AWS utilizes two tunnels for redundancy. The last step is to collect the IP addresses of the AWS Virtual Gateway and the pre-shared keys used for IKE authentication, automatically generated by AWS. These configuration details can be downloaded by clicking Download Configuration. Several device specific options are available for the configuration format. For GCP, select Generic:

The configuration file is an ASCII text file. The auto-generated pre-shared key will be listed under Pre-Shared Key and cannot be user defined. The link local address for BGP peering will be listed under Inside Addresses and also cannot be user defined.

Configuration - Google Cloud Router UI

Google Cloud Router enables dynamic Border Gateway Protocol (BGP) route updates between your Google Cloud Platform network and your on-premises network. For the initial release, Cloud Router supports BGP for Cloud VPN only. Cloud Router works with both legacy networks and Subnetworks.

Cloud Router

The first step in configuring the Google Cloud Platform for site-to-site VPN connectivity utilizing BGP and the Google Cloud Router is to create a new cloud router. From the Developer Console, select Networking and then Cloud Routers. From the workspace select Create Router:

All parameters needed to create a new cloud router are entered on this page. A detailed description of each parameter is provided below:

● Name: the name of the cloud router.
● Description: a brief description of the cloud router.
● Network: the GCP network the cloud router will attach to. Note: this is the network on which route information will be managed.
● Region: the home region of the cloud router. Note: the cloud router must be in the same region as the subnetworks it is connecting.
● Google ASN: the BGP Autonomous System Number assigned to the cloud router. Use the ASN assigned by the Amazon VPC Creation Wizard to the Customer Gateway configuration, from the configuration file downloaded in the final step of the Configuration - AWS section of this document:

BGP Configuration Options:
  - Customer Gateway ASN        : 65000
  - Virtual Private Gateway ASN : 7224
  - Neighbor IP Address         : 169.254.12.185
  - Neighbor Hold Time          : 30

The newly created instance will appear in the list of Cloud Routers. Click Configure under VPN Gateway to create the VPN tunnel. AWS utilizes dual redundant IPsec VPN tunnels. Two tunnels will be created, matching the AWS configuration.

VPN Tunnel

All parameters needed to create a new VPN connection are entered on this page. AWS utilizes two tunnels for redundancy. The following step should be repeated for each tunnel documented in the AWS configuration file. A detailed description of each parameter is provided below:

The following parameters are required for the VPN gateway:

● Name: the name of the VPN gateway.
● Description: a brief description of the VPN connection.
● Network: the GCP network the VPN gateway will attach to. Note: this is the network to which VPN connectivity will be made available.
● Region: the home region of the VPN gateway. Note: the VPN gateway must be in the same region as the subnetworks it is connecting.
● IP address: the static public IP address which will be used by the VPN gateway. An existing, unused, static public IP address within the project can be assigned, or a new one can be created.

The following parameters are required for each Tunnel which will be managed by the VPN gateway:

● Remote peer IP address: the public IP address of the on premises VPN appliance which will be used to connect to Cloud VPN.
● IKE version: the IKE protocol version. AWS requires IKEv1
● Shared secret: a shared secret used for mutual authentication by the VPN gateways. Provided in the configuration file downloaded in the final step of the Configuration - AWS section of this document.
● Routing options: Cloud VPN supports multiple routing options for the exchange of route information between the VPN gateways. For this example Dynamic (BGP) is being used. Static Routes were covered earlier in this guide.
● Cloud Router: the Cloud Router instance associated with this VPN tunnel, created in the Cloud Router section.
● BGP session: the BGP configuration to be used by the Cloud Router for this VPN tunnel. Click the pencil to create a new configuration:

The following parameters are required to configure the BGP session:

● Name: the name of the BGP session
● Peer ASN: provided in the configuration file downloaded in the final step of the Configuration - AWS section of this document as the "Virtual Private Gateway ASN":

BGP Configuration Options:
  - Customer Gateway ASN        : 65000
  - Virtual Private Gateway ASN : 7224
  - Neighbor IP Address         : 169.254.12.185
  - Neighbor Hold Time          : 30

● Google BGP IP address, Peer BGP IP address: provided in the configuration file downloaded in the final step of the Configuration - AWS section of this document:

Inside IP Addresses
  - Customer Gateway         : 169.254.12.186/30
  - Virtual Private Gateway  : 169.254.12.185/30

Once all of the BGP session info has been entered, click Save and continue to complete. When all information for the tunnels has been entered successfully, click Create on the Create a VPN connection form to create the new dual tunnel VPN connection.

Configuration - Google Cloud Router CLI

Cloud VPN can also be configured using the gcloud command line tool. Command line configuration requires multiple steps.

Create the VPN Gateway

Create the VPN gateway. Make note of the chosen name (my-gateway), network and region for use in future steps:

gcloud compute target-vpn-gateways create my-gateway --project my-project --network my-network --region my-region

Reserve a Static IP

Reserve a static IP address in the Google Cloud Platform network and region where the VPN gateway was created. Make a note of the created address for use in future steps.

gcloud compute addresses create vpn-static-ip --project my-project --region my-region

Create the Cloud Router

The Amazon VPC Creation Wizard automatically assigns a BGP ASN (65000) to the Customer Gateway. This ASN should be used as the --asn value (my-AWS-provided-customer-gateway-asn) below:

gcloud beta compute --project my-project routers create my-router --region my-region --network my-network --asn my-AWS-provided-customer-gateway-asn

Create the VPN Tunnel

Create the VPN tunnel referencing the VPN gateway and Cloud Router created earlier. Make note of the chosen tunnel name for use in future steps. The peer-address should be set to the AWS Virtual Private Gateway IP and the shared-secret should be set to the AWS assigned pre-shared key, both provided in the configuration file downloaded in the final step of the Configuration - AWS section of this document. AWS utilizes two tunnels for redundancy. The following step should be repeated for each tunnel documented in the AWS configuration file.

gcloud beta compute --project my-project vpn-tunnels create my-tunnel --region my-region --ike-version 1 --target-vpn-gateway my-gateway --peer-address my-AWS-virtual-private-gateway-IP --shared-secret my-AWS-provided-PSK --router my-router

Add the BGP Link Local Interface

Update the configuration of the Cloud Router created earlier to add a virtual interface (--interface-name) for the BGP peer, referencing the VPN tunnel created above. The BGP interface IP address must be the link-local IP address provided by Amazon as the Customer Gateway Inside IP in the configuration file downloaded in the final step of the Configuration - AWS section of this document.

gcloud beta compute --project my-project routers add-interface my-router --interface-name my-if --ip-address my-AWS-provided-Customer-Gateway-inside-IP --mask-length 30 --vpn-tunnel my-tunnel --region my-region

Add the BGP Peering Session

Update the Cloud Router config to add the BGP peer to the interface. Use the ASN and peer IP address provided by Amazon as the Virtual Private Gateway ASN and the Virtual Private Gateway Inside IP in the configuration file downloaded in the final step of the Configuration - AWS section of this document.

gcloud beta compute --project my-project routers add-bgp-peer my-router --peer-name bgp-peer1 --interface-name my-if --peer-ip-address my-AWS-provided-virtual-private-gateway-inside-IP --peer-asn my-AWS-provided-virtual-private-gateway-ASN --region my-region
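Every gcloud command in the Configuration - GCP CLI and Configuration - Google Cloud Router CLI sections is filled in by hand from the AWS "Generic" configuration file, and the Cloud Router steps depend on reading the right side of each AWS pair (Customer Gateway versus Virtual Private Gateway, Outside versus Inside addresses). As an added example, not part of this guide and not Google's or Amazon's code, the following Python script parses a file in that layout and renders the command lines for both the policy-based tunnels and the Cloud Router sequence, checking that each tunnel's two Inside addresses are the two hosts of one link-local /30 before they are placed on the router interface and the BGP peer. The sample file text, the aws-tunnel-N naming, the project/region/gateway/network/router names, the static route emitted for the policy-based variant, and the use of the GA gcloud compute routers commands in place of the guide's gcloud beta form are all assumptions of the example.

```python
import ipaddress
import re
import shlex

# Constructed sample in the layout of the AWS "Generic" configuration download. Every value is
# made up for this example; only the field names follow the fragments quoted in the guide.
SAMPLE_AWS_CONFIG = """\
IPSec Tunnel #1
  - Pre-Shared Key              : psk-for-tunnel-one
Outside IP Addresses:
  - Virtual Private Gateway     : 198.51.100.21
Inside IP Addresses
  - Customer Gateway            : 169.254.12.186/30
  - Virtual Private Gateway     : 169.254.12.185/30
BGP Configuration Options:
  - Customer Gateway ASN        : 65000
  - Virtual Private Gateway ASN : 7224
IPSec Tunnel #2
  - Pre-Shared Key              : psk-for-tunnel-two
Outside IP Addresses:
  - Virtual Private Gateway     : 198.51.100.22
Inside IP Addresses
  - Customer Gateway            : 169.254.13.42/30
  - Virtual Private Gateway     : 169.254.13.41/30
BGP Configuration Options:
  - Customer Gateway ASN        : 65000
  - Virtual Private Gateway ASN : 7224
"""

_TUNNEL_HEADER = re.compile(r"^IPSec Tunnel #(\d+)", re.MULTILINE)
_FIELD = re.compile(r"^\s*-\s*(.+?)\s*:\s*(\S.*?)\s*$")
_BLOCKS = ("Outside IP Addresses", "Inside IP Addresses", "BGP Configuration Options")

def parse_aws_generic_config(text):
    """One dict per 'IPSec Tunnel #N' block. 'Customer Gateway' appears under more than one
    block, so keys under the Outside/Inside/BGP blocks are prefixed with the block name."""
    tunnels = []
    parts = _TUNNEL_HEADER.split(text)  # [preamble, "1", body of #1, "2", body of #2, ...]
    for number, body in zip(parts[1::2], parts[2::2]):
        fields, block = {"number": int(number)}, ""
        for line in body.splitlines():
            match = _FIELD.match(line)
            if match:
                fields[f"{block}/{match[1]}" if block else match[1]] = match[2]
            elif line.strip().rstrip(":") in _BLOCKS:
                block = line.strip().rstrip(":")
        tunnels.append(fields)
    return tunnels

def bgp_interface_pair(tunnel):
    """(Cloud Router side, AWS side) of the BGP link; mistyped Inside addresses fail here."""
    ours = ipaddress.ip_interface(tunnel["Inside IP Addresses/Customer Gateway"])
    peer = ipaddress.ip_interface(tunnel["Inside IP Addresses/Virtual Private Gateway"])
    if (ours.network != peer.network or ours.network.prefixlen != 30
            or ours.ip == peer.ip or not ours.ip.is_link_local):
        raise ValueError(f"inside addresses {ours} and {peer} do not form one link-local /30")
    return ours, peer

def _tunnel_create(t, name, project, region, gateway, extra):
    """Common 'vpn-tunnels create' line; AWS requires IKEv1, so --ike-version 1 is always set."""
    return (f"gcloud compute vpn-tunnels create {name} --project {project} --region {region}"
            f" --ike-version 1 --target-vpn-gateway {gateway}"
            f" --peer-address {t['Outside IP Addresses/Virtual Private Gateway']}"
            f" --shared-secret {shlex.quote(t['Pre-Shared Key'])}{extra}")

def policy_based_commands(tunnels, project, region, gateway, network, local_cidr, remote_cidr):
    """Static-routing variant: one tunnel per AWS tunnel plus the route that steers VPC-bound
    traffic into it (the route is an assumed step; the guide's CLI section does not show it)."""
    cmds = []
    for t in tunnels:
        name = f"aws-tunnel-{t['number']}"
        cmds.append(_tunnel_create(t, name, project, region, gateway,
                                   f" --local-traffic-selector {local_cidr}"
                                   f" --remote-traffic-selector {remote_cidr}"))
        cmds.append(f"gcloud compute routes create {name}-route --project {project}"
                    f" --network {network} --destination-range {remote_cidr}"
                    f" --next-hop-vpn-tunnel {name} --next-hop-vpn-tunnel-region {region}")
    return cmds

def cloud_router_commands(tunnels, project, region, gateway, network, router):
    """BGP variant. Side mapping from the AWS file: Google ASN = 'Customer Gateway ASN';
    interface IP = 'Customer Gateway' inside address; peer IP/ASN = 'Virtual Private Gateway'."""
    cmds = [f"gcloud compute routers create {router} --project {project} --region {region}"
            f" --network {network} --asn {tunnels[0]['BGP Configuration Options/Customer Gateway ASN']}"]
    for t in tunnels:
        name = f"aws-tunnel-{t['number']}"
        ours, peer = bgp_interface_pair(t)
        cmds.append(_tunnel_create(t, name, project, region, gateway, f" --router {router}"))
        cmds.append(f"gcloud compute routers add-interface {router} --project {project}"
                    f" --region {region} --interface-name if-{name} --ip-address {ours.ip}"
                    f" --mask-length {ours.network.prefixlen} --vpn-tunnel {name}")
        cmds.append(f"gcloud compute routers add-bgp-peer {router} --project {project}"
                    f" --region {region} --peer-name peer-{name} --interface-name if-{name}"
                    f" --peer-ip-address {peer.ip}"
                    f" --peer-asn {t['BGP Configuration Options/Virtual Private Gateway ASN']}")
    return cmds

if __name__ == "__main__":
    parsed = parse_aws_generic_config(SAMPLE_AWS_CONFIG)
    print("\n".join(cloud_router_commands(parsed, "my-project", "my-region",
                                          "my-gateway", "my-network", "my-router")))
```

Run it against the real download by replacing SAMPLE_AWS_CONFIG with the file contents; the pre-shared key is passed through shlex.quote so that a key containing shell metacharacters survives copy-and-paste into a terminal intact.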

Testing the Site-to-Site VPN

Verify Connectivity

To verify that Cloud Router has successfully initiated BGP peering with AWS, check the Cloud Router status in the Developer Console:

To verify that the IPsec tunnel has been successfully initiated, check the VPN status in the Developer Console:

On the AWS side, verify that the configured Tunnel is up. Note that an unconfigured tunnel will remain Down. This is expected:

Test the Tunnel

With the site-to-site VPN online, the tunnel is now ready for testing. To test, create virtual machines in both AWS EC2 and Google Compute Engine. Instructions for creating EC2 virtual machines can be found here. To learn how to create virtual machines in Google Compute Engine, visit the Getting Started Guide. Once virtual machines have been deployed on both platforms, an ICMP echo test can confirm network connectivity. Note that on AWS, Security Groups provide firewall capabilities for EC2 instances. The default security group for a new instance does not allow ICMP. A security group rule for ICMP must be added in order for this test to work. A demonstration of a functional tunnel is below. EC2 virtual machine pinging the virtual machine in GCE:

GCE virtual machine pinging the virtual machine in EC2:
