IPsec VPN – GCP and AWS

Overview

This article focuses on how to create an IPsec VPN between GCP and AWS this using Terraform. First let’s take a look at the diagram of what we are trying to achieve.

 

GCP Subnets

In GCP, we will create two subnets. One subnet for our bastion instance, subnet_bastion, with the IP address range 172.16.1.0/24. And one subnet, subnet_lb in the IP address range 172.16.10.0/24, for our web server instances that will be deployed behind a load balancer.

The loadbalancer is used to terminate IPv6 HTTP traffic and proxy the traffic to the backend web servers using IPv4 addresses in subnet_lb subnet. This allows, IPv6 clients outside the Google cloud to connect to our cloud instances. The loadbalancer was created using the template provided on Github – Content Based Load Balancing in Google Cloud.

 

GCP Firewall Rules

1) HTTP Proxy to load-balanced instances
When a health check is used with HTTP(S), SSL proxy, TCP proxy, or Internal load balancing, the health check probes come from addresses in the ranges 130.211.0.0/22 and 35.191.0.0/16. So we need to create a firewall rule to allow tcp port 80 connections from the IP address ranges to our VPC.

2) Internal SSH Access
We will create a firewall rule to allow SSH access across the VPC for this demo scenario. In a production environment you will want to lock down the access to only the protocols, source and destination addresses that are strictly required to have access. This enables our bastion subnet subnet_bastion to create SSH connection to all other subnets including subnet_lb.

3) Internal ICMP Access
A firewall rule is created to allow ICMP access across the VPC for this demo scenario. In a production environment you will want to lock down the access to only the protocols, source and destination addresses that are strictly required to have access. This enables our bastion subnet subnet_bastion to create ICMP echo connections to all other subnets including subnet_lb.

4) External SSH Access
A firewall rule is created to allow external SSH access from the Internet to the bastion subnet subnet_lb. This allows us to SSH into the bastion instance from our machine.

 

AWS Subnets

In AWS, we will create one VPC, vpc-demo with CIDR range 10.0.0.0/16. We will also create one private subnet, vpc-private-subnet with IP address range 10.0.1.0/24. The private subnet contains one instance tagged vpc-instance. This represents our Oracle DB in the scenario diagram but is just a linux instance we are testing ICMP reachability to.

 

AWS Firewall Rules

The AWS cloud has one security group configured with an ingress policy that allows ICMP traffic from only the GCP loadbalancer instances in the subnet, subnet_lb.

 

IPsec VPN Connection

The IPsec VPN tunnels has the following features:

●  IKEv1
●  Pre-shared keys for authentication
●  Route-based VPN
●  Static routing
●  Single GCP VPN headend connecting to two AWS VPN headends

GitHub Repository

The Github Repository can be found in the following link – https://github.com/kaysal/terraform-multi-cloud/tree/master/gcp-aws-vpn. Information on how to deploy the scenario is included in the README file in the repository.

Go to next page to view the AWS configuration screenshots

One Reply to “IPsec VPN – GCP and AWS”

Leave a Reply

Your email address will not be published. Required fields are marked *