Configure Highly Available VPN with BGP from Azure to GCP

Sep. 10, 2021


As I work more and more with multi-cloud customers, the usual next step after creating a so-called “Landing Zone” is to connect on-premises networks and/or another public cloud provider.

In this post I will guide you through the creation of a Highly Available VPN connection with BGP to dynamically exchange routes between two cloud providers. I will do it with Microsoft Azure and Google Cloud Platform.

Initial Azure VPN configuration

1. Depending on how you want to set it up, you can either create a new Resource Group or re-use an existing one. In my case I created a new one.

2. In the search box type “gateway” and select Virtual Network Gateway. Click Create virtual network gateway.

3. Insert the following information:

4. Virtual Network - if not created before, you can do it in this wizard:

5. Wait ~30 minutes for it to deploy. LOL

Initial GCP VPN configuration

1. Create a GCP project.

2. Navigate in the menu to Hybrid Connectivity and select VPN.

3. If needed, enable missing APIs.

4. Click CREATE VPN CONNECTION.

5. Choose the Highly Available (HA) VPN configuration.

6. Provide the VPN gateway name, network and region.

7. Now that we have public IPs available, we can create tunnels.

8. We need to create a new peer VPN gateway. The peer VPN gateway is simply the Azure VPN public IP/IPs.

9. We need to provide a name for our peer VPN gateway and add the IPs. In our case I’ve selected two interfaces.

10. We didn’t create a Cloud Router in advance, so we will have to do it in this wizard.

11. We need to enter the router name and Google ASN. I stuck to the BGP defaults for the BGP peer keepalive interval.

12. Now we need to configure two tunnels to the Azure VPN gateway. We need to give each one a name and choose or generate an IKEv2 pre-shared key.

13. Same for the second tunnel.

14. Click Create & continue.

15. We are almost at the end of the GCP VPN configuration. The last part is to configure the BGP sessions.

16. Configure the BGP settings. You will find the values in the Configuration section of the Azure VPN gateway. You must use the Azure VPN BGP ASN and the previously configured APIPA IPs.

17. Save the BGP configuration.

18. We also receive a nice overview of the BGP configuration.

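Before typing the values from steps 11, 12 and 16 into both portals, the plan can be checked offline. The script below is an added example, not part of the original post: it generates the IKEv2 pre-shared keys from a CSPRNG and validates each tunnel's BGP settings against the range Azure accepts for custom APIPA addresses (169.254.21.0 to 169.254.22.255), the ASNs Azure reserves, and the rule that both BGP peers sit in the same /30. The ASN 65010, the sample IPs and the 32-character key threshold are assumptions of this example.

```python
import ipaddress
import secrets

# Azure accepts custom APIPA BGP addresses only in 169.254.21.0-169.254.22.255.
AZURE_APIPA = [ipaddress.ip_network(n) for n in ("169.254.21.0/24", "169.254.22.0/24")]
# ASNs reserved by Azure; 65515 is the Azure VPN gateway default.
AZURE_RESERVED_ASNS = {8074, 8075, 12076, 65515, 65517, 65518, 65519, 65520}


def generate_psk(nbytes=24):
    """Random IKEv2 pre-shared key from the OS CSPRNG (24 bytes -> 32 chars)."""
    return secrets.token_urlsafe(nbytes)


def check_tunnel(name, gcp_ip, azure_ip, gcp_asn, azure_asn, psk):
    """Return the problems found in one tunnel's BGP and PSK settings."""
    problems = []
    gcp, az = ipaddress.ip_address(gcp_ip), ipaddress.ip_address(azure_ip)
    if not any(az in net for net in AZURE_APIPA):
        problems.append(f"{name}: Azure BGP IP {az} is outside the Azure APIPA range")
    # Cloud Router and its peer must be the two usable hosts of one /30.
    subnet = ipaddress.ip_network(f"{gcp}/30", strict=False)
    if gcp == az or {gcp, az} - set(subnet.hosts()):
        problems.append(f"{name}: {gcp} and {az} are not the two hosts of one /30")
    if gcp_asn == azure_asn or gcp_asn in AZURE_RESERVED_ASNS:
        problems.append(f"{name}: GCP ASN {gcp_asn} collides with an Azure ASN")
    # 32 characters is this example's own threshold, not a provider limit.
    if len(psk) < 32:
        problems.append(f"{name}: pre-shared key is shorter than 32 characters")
    return problems


def check_plan(tunnels):
    """Check every tunnel, then cross-tunnel reuse of keys and /30 subnets."""
    problems = [p for t in tunnels for p in check_tunnel(**t)]
    if len({t["psk"] for t in tunnels}) != len(tunnels):
        problems.append("plan: the same pre-shared key is used on more than one tunnel")
    nets = {ipaddress.ip_network(t["gcp_ip"] + "/30", strict=False) for t in tunnels}
    if len(nets) != len(tunnels):
        problems.append("plan: two tunnels share one /30 BGP subnet")
    return problems


if __name__ == "__main__":
    # Constructed sample plan: ASN 65010 and the IPs are illustrative values.
    plan = [dict(name=f"tunnel-{i}", gcp_ip=f"169.254.2{i}.1", azure_ip=f"169.254.2{i}.2",
                 gcp_asn=65010, azure_asn=65515, psk=generate_psk()) for i in (1, 2)]
    print(check_plan(plan) or "plan looks consistent")
```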

Final Azure VPN configuration

So we are pretty much at the very end. We have created all the needed resources and configuration in GCP, and now we finalize the Azure part.

1. In the virtual network gateway go to Connections and click Add.

2. We need to add and configure tunnels towards the GCP VPN. We will use the same pre-shared keys we used in the GCP part of the configuration.

3. Similar to the GCP part, we need to add peer network gateways. It is weird wording from Azure to call this a local network gateway. Even from the Azure point of view, “local” refers to the Azure part and not the other side of the tunnel. So we simply add the public IP of VPN interface 1 from the GCP VPN into the local network gateway. Weird but works ;)

4. In my case the deployment of the local network gateway failed, but then it was created. Lol Azure again… It failed because there wasn’t a BGP configuration. If it is needed, please provide this option during the deployment. Again - fix this please Azure.

5. If you go to the local network gateway settings, we can now add the BGP configuration. We added the GCP ASN and configured the GCP Cloud Router IP address.

6. After configuring the local network gateway with BGP, we are now able to configure the tunnel to GCP.

7. Of course, I configured both tunnels towards GCP.

8. After a few seconds we have connectivity between Azure and GCP.

9. To have final confirmation that the tunnels are working in both directions, I created two virtual machines in both clouds.

10. SSH works as well. I only needed to allow it on the GCP firewall side.

Summary

I hope this wizard will be of use to you. In the next post I will create a Terraform setup, which will be much faster, smoother and easier to follow :)