This project demonstrates a Site-to-Site VPN connection between AWS and an on-premises server (simulated with a VM in Azure), giving a hybrid/multi-cloud architecture in which the two private networks reach each other only through IPsec tunnels, with no host in either network exposed to the other over the public Internet.
The implementation creates an encrypted tunnel between:
- AWS VPC: 200.0.0.0/16 CIDR block
- Azure VM (on-premises simulation): 100.0.0.0/16 CIDR block
Both ranges are public address space and are used here only because this is a lab; in a real deployment pick non-overlapping RFC 1918 ranges so the VPN routes cannot shadow real Internet destinations.
Deploy the VM that will simulate our on-premises server.
Configuration Details:
- VM Name: vm-s2s
- Username: user-s2s
- Virtual Network: vnet-s2s (100.0.0.0/16)
- Subnet: subnet-s2s (100.0.0.0/16)
- OS: any Linux distribution (Amazon Linux in my case); the apt commands further down assume a Debian/Ubuntu image, so substitute the equivalent package manager commands on other distributions
Two things the VM needs that are easy to miss: its public IP must be allocated statically, because that address becomes the customer gateway IP on the AWS side and the tunnels die if it changes on a deallocate/restart; and its network security group must allow inbound UDP 500 and UDP 4500 (IKE and NAT-T) from the two AWS tunnel outside IP addresses, since the VM sits behind Azure's 1:1 NAT and the tunnels therefore run over NAT-T.
Create the AWS VPC and a subnet inside it.
Configuration Details:
- VPC Name: vpc-s2s
- IPv4 CIDR: 200.0.0.0/16
- Subnet Name: subnet-s2s
- VPC: vpc-s2s
- Subnet IPv4 CIDR: 200.0.0.0/16
Rename the automatically created route table.
- Route Table Name: rt-s2s
- Associated VPC: vpc-s2s
Link the route table to our subnet subnet-s2s using the Edit subnet associations option.
Create a Virtual Private Gateway.
- VPGW Name: vpgw-s2s
Attach the Virtual Private Gateway to our VPC vpc-s2s.
Add a route to rt-s2s so that traffic for the on-premises network is sent to the Virtual Private Gateway.
- Destination: 100.0.0.0/16
- Target: Virtual Private Gateway (vpgw-s2s)
Alternatively, enable route propagation from vpgw-s2s on rt-s2s; with static routing AWS then inserts the VPN connection's static prefix into the table for you, which avoids a stale manual route if the prefix changes later.
Create the Customer Gateway that represents the on-premises endpoint.
Configuration Parameters:
- Name: cgw-s2s
- IP Address: [On-Prem/Azure VM Public IP]
Create the Site-to-Site VPN connection.
Configuration Parameters:
- Target Gateway: Virtual Private Gateway (vpgw-s2s)
- Customer Gateway: cgw-s2s (existing)
- Routing Options: Static
- Static IP Prefix: 100.0.0.0/16
Once the VPN connection has been created, download the configuration file, choosing the vendor that matches the on-premises VPN software (Strongswan in my case). The file contains the outside IP address and the pre-shared key of each tunnel, so treat it as secret and do not commit it to the repository.
SSH into the Azure VM and install the StrongSwan client.
ssh user-s2s@[AZURE_VM_PUBLIC_IP]
Install StrongSwan:
sudo apt update
sudo apt install strongswan -y
Configure the system to forward IP packets.
Edit sysctl configuration:
sudo nano /etc/sysctl.conf
Uncomment the following line:
net.ipv4.ip_forward = 1
Save the file and apply the setting (the command echoes the values it loaded, so net.ipv4.ip_forward = 1 should appear):
sudo sysctl -p
Modify the downloaded VPN configuration file with the correct subnet information. In strongSwan's naming, left is the local side (the Azure VM) and right is the remote side (AWS).
Configuration Updates For Both Tunnels:
- leftsubnet: 100.0.0.0/16 (On-Prem/Azure network subnet)
- rightsubnet: 200.0.0.0/16 (AWS VPC subnet)
Edit the IPsec configuration file:
sudo nano /etc/ipsec.conf
Configuration changes:
- Uncomment uniqueids = no in the config setup section.
- Add the updated conn blocks for both tunnels from the downloaded file.
Note: the screenshot mislabels the subnets; leftsubnet is the Azure network and rightsubnet is the AWS network.
Add the pre-shared keys for both tunnels given in the configuration file.
Edit the IPsec secrets file:
sudo nano /etc/ipsec.secrets
Paste the PSK lines from the 4th section of each tunnel in the configuration file. Keep this file readable by root only (mode 600): anyone who can read it can impersonate either end of the tunnel.
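As an added example (this is not the author's configuration nor the file AWS generates), the following script renders the two conn blocks and the matching ipsec.secrets lines from a handful of variables, so the subnet direction and the per-tunnel key cannot be mixed up by hand-editing. All addresses and keys are placeholders (documentation ranges and dummy strings) that you replace with the values from the downloaded AWS file; the cipher suite (IKEv2, AES-256, SHA-256, DH group 14) is a hardening choice for this example that AWS Site-to-Site VPN accepts with its default tunnel options, and left=%defaultroute with leftid set to the public IP is the usual way to run strongSwan behind Azure's 1:1 NAT.

```shell
#!/bin/sh
# Added example: render /etc/ipsec.conf and /etc/ipsec.secrets for the two
# AWS tunnels from variables. Every address and key below is a placeholder
# (an assumption for this example); take the real ones from the
# configuration file downloaded from the AWS VPN connection.
set -eu

CGW_PUBLIC_IP="${CGW_PUBLIC_IP:-203.0.113.10}"      # Azure VM public IP (customer gateway)
AWS_TUNNEL1_IP="${AWS_TUNNEL1_IP:-198.51.100.20}"   # "Outside IP" of tunnel 1 in the AWS file
AWS_TUNNEL2_IP="${AWS_TUNNEL2_IP:-198.51.100.21}"   # "Outside IP" of tunnel 2
TUNNEL1_PSK="${TUNNEL1_PSK:-REPLACE_WITH_TUNNEL1_PSK}"
TUNNEL2_PSK="${TUNNEL2_PSK:-REPLACE_WITH_TUNNEL2_PSK}"
LEFT_SUBNET="100.0.0.0/16"    # on-prem / Azure side (left = local strongSwan host)
RIGHT_SUBNET="200.0.0.0/16"   # AWS VPC side (right = remote peer)

# Emit one conn block. $1 = conn name, $2 = AWS tunnel outside IP.
render_conn() {
  cat <<EOF
conn $1
    auto=start
    keyexchange=ikev2
    type=tunnel
    left=%defaultroute
    leftid=$CGW_PUBLIC_IP
    leftsubnet=$LEFT_SUBNET
    right=$2
    rightsubnet=$RIGHT_SUBNET
    leftauth=psk
    rightauth=psk
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!
    ikelifetime=8h
    lifetime=1h
    keyingtries=%forever
    dpddelay=10
    dpdtimeout=30
    dpdaction=restart
EOF
}

# Full ipsec.conf: the uniqueids setting the page asks for, then both tunnels.
render_ipsec_conf() {
  printf 'config setup\n    uniqueids = no\n\n'
  render_conn Tunnel1 "$AWS_TUNNEL1_IP"
  printf '\n'
  render_conn Tunnel2 "$AWS_TUNNEL2_IP"
}

# ipsec.secrets format: <local id> <remote ip> : PSK "<key>", one line per tunnel.
render_ipsec_secrets() {
  printf '%s %s : PSK "%s"\n' "$CGW_PUBLIC_IP" "$AWS_TUNNEL1_IP" "$TUNNEL1_PSK"
  printf '%s %s : PSK "%s"\n' "$CGW_PUBLIC_IP" "$AWS_TUNNEL2_IP" "$TUNNEL2_PSK"
}

# Write both files (needs root). The secrets file is created with mode 600
# inside a subshell so the restrictive umask does not leak to the rest of the script.
install_config() {
  render_ipsec_conf > /etc/ipsec.conf
  (umask 077; render_ipsec_secrets > /etc/ipsec.secrets)
  chmod 600 /etc/ipsec.secrets
}

# Usage: sh render-ipsec.sh preview        (print both files to stdout)
#        sudo sh render-ipsec.sh install   (write them and restart strongSwan)
case "${1:-}" in
  preview) render_ipsec_conf; echo; render_ipsec_secrets ;;
  install) install_config; ipsec restart ;;
esac
```

Run it with preview first and diff the output against the AWS-generated file: the only intended differences are the subnet lines and the proposal strings, and the tunnel IPs and PSKs must match the file exactly or the IKE exchange will fail with an authentication error on one side only.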
Restart and verify services.
Restart the StrongSwan service:
sudo systemctl restart strongswan-starter
sudo systemctl status strongswan-starter
Restart the IPsec service:
sudo service ipsec restart
sudo service ipsec status
On Ubuntu ipsec.service is typically just an alias of strongswan-starter.service, so one of the two restarts is enough; the second only bounces the same daemon again.
Check the tunnel status on the on-premises side (ipsec statusall additionally shows the negotiated algorithms and the traffic selectors, which is where a swapped leftsubnet/rightsubnet becomes visible):
sudo ipsec status
Both the tunnels show established! 🤩
Check the VPN connection status in AWS VPN tunnel details.
Both the tunnels are up! 🚀
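An added example, not part of the original project: a small check script for the on-premises side that parses ipsec status output and the forwarding flag, and fails unless both IKE SAs are ESTABLISHED, both child SAs carry the 100.0.0.0/16 === 200.0.0.0/16 selector, and ip_forward is 1. The embedded sample status text is constructed for this example with documentation addresses; the function and file names are mine.

```shell
#!/bin/sh
# Added example (not from the original project): checks for the on-prem end
# of the tunnel. The parsing functions read text so they can be run against
# live `ipsec status` output or against the constructed sample below.
set -eu

LEFT_SUBNET="100.0.0.0/16"    # on-prem / Azure side (leftsubnet)
RIGHT_SUBNET="200.0.0.0/16"   # AWS VPC side (rightsubnet)

# Constructed sample of `ipsec status` with both tunnels up. Addresses are
# documentation ranges, not real endpoints.
SAMPLE_STATUS='Security Associations (2 up, 0 connecting):
      Tunnel1[3]: ESTABLISHED 12 minutes ago, 10.0.0.4[203.0.113.10]...198.51.100.20[198.51.100.20]
      Tunnel1{1}:  INSTALLED, TUNNEL, reqid 1, ESP in UDP SPIs: c1b2a3d4_i f5e6d7c8_o
      Tunnel1{1}:   100.0.0.0/16 === 200.0.0.0/16
      Tunnel2[4]: ESTABLISHED 12 minutes ago, 10.0.0.4[203.0.113.10]...198.51.100.21[198.51.100.21]
      Tunnel2{2}:  INSTALLED, TUNNEL, reqid 2, ESP in UDP SPIs: a1b2c3d4_i e5f6a7b8_o
      Tunnel2{2}:   100.0.0.0/16 === 200.0.0.0/16'

# Count IKE SAs in ESTABLISHED state (one line per tunnel) in text on stdin.
# `|| true` keeps the count printed when grep finds nothing and exits 1.
established_count() {
  grep -c ': ESTABLISHED' || true
}

# Count child SAs whose traffic selectors are exactly <on-prem> === <AWS>.
# With leftsubnet/rightsubnet swapped the IKE SA still says ESTABLISHED,
# but this count is 0 and no traffic will flow.
matching_selector_count() {
  grep -cF "$LEFT_SUBNET === $RIGHT_SUBNET" || true
}

# Print 1 if IP forwarding is on, else 0. $1 = file to read: either a
# sysctl.conf-style file or a /proc flag file (default: the live kernel flag).
forwarding_enabled() {
  f="${1:-/proc/sys/net/ipv4/ip_forward}"
  if [ ! -r "$f" ]; then
    echo 0
  elif grep -q '^net.ipv4.ip_forward[[:space:]]*=[[:space:]]*1' "$f" \
       || [ "$(cat "$f")" = "1" ]; then
    echo 1
  else
    echo 0
  fi
}

# Evaluate a block of `ipsec status` text plus the forwarding flag.
# $1 = status text, $2 = optional file holding the ip_forward setting.
# Prints a one-line summary and returns non-zero if any check fails.
evaluate() {
  up=$(printf '%s\n' "$1" | established_count)
  sel=$(printf '%s\n' "$1" | matching_selector_count)
  fwd=$(forwarding_enabled "${2:-}")
  echo "IKE SAs established: $up/2; child SAs $LEFT_SUBNET === $RIGHT_SUBNET: $sel/2; ip_forward: $fwd"
  [ "$up" -eq 2 ] && [ "$sel" -eq 2 ] && [ "$fwd" -eq 1 ]
}

# Usage: sudo sh check-s2s.sh live     (real system)
#        sh check-s2s.sh sample        (constructed sample + live ip_forward flag)
case "${1:-}" in
  live)   evaluate "$(ipsec status)" ;;
  sample) evaluate "$SAMPLE_STATUS" ;;
esac
```

Checking the selector line rather than only the ESTABLISHED state is the point of the script: the AWS console also reports a tunnel as UP as soon as IKE completes, so a wrong subnet pair is invisible there and only shows up as pings that never get an answer.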
Create an EC2 instance in the AWS VPC for connectivity testing.
EC2 Configuration:
- Instance Name: ec2-s2s
- VPC: vpc-s2s
- Subnet: subnet-s2s
- Security Group: default or a new custom one
- Security Group inbound rule:
  - Type: All ICMP - IPv4
  - Source: the CIDR block of the on-prem network (100.0.0.0/16), or a security group
Verify the connection by pinging each side's private IP from the other: from ec2-s2s ping the Azure VM's private address in 100.0.0.0/16, and from the Azure VM ping the EC2 instance's private address in 200.0.0.0/16. If only one direction works, check the guest firewall on the VM and the security group rule above before suspecting the tunnels.
I have successfully implemented a Site-to-Site VPN connection between AWS and on-premises infrastructure (simulated via an Azure VM) with the following achievements:
- Established secure hybrid cloud connectivity
- Implemented a multi-cloud networking architecture
- Demonstrated cross-cloud private communication
- Configured IPsec VPN tunnels
This setup can be further improved by using a Transit Gateway for a multi-VPC setup.