Google Cloud VPN Interop Guide
Using Cloud VPN With Amazon Web Services™ Virtual Private Gateway

Disclaimer: This interoperability guide is intended to be informational in nature and provides examples only. Customers should verify this information via testing. Amazon Web Services, AWS, and the “Powered by Amazon Web Services” logo are trademarks of Amazon.com, Inc. or its affiliates in the United States and/or other countries.

Contents

Introduction
Topology
Preparation
    Overview
    Getting Started
    IPsec Parameters
Policy Based IPsec VPN
    Configuration - AWS
        Creating the VPC
        Configuring the VPN
    Configuration - GCP UI
    Configuration - GCP CLI
        Create the VPN Gateway
        Create the VPN Tunnel
IPsec VPN Using Cloud Router
    Configuration - AWS
        Creating the VPC
        Configuring the VPN
    Configuration - Google Cloud Router UI
        Cloud Router
        VPN Tunnel
    Configuration - Google Cloud Router CLI
        Create the VPN Gateway
        Reserve a Static IP
        Create the Cloud Router
        Create the VPN Tunnel
        Add the BGP Link Local Interface
        Add the BGP Peering Session
Testing the Site-to-Site VPN
    Verify Connectivity
    Test the Tunnel

Introduction

This guide walks you through the process of configuring the AWS Virtual Private Gateway for integration with the Google Cloud VPN service. This information is provided as an example only. If you use this guidance to configure your AWS implementation, be sure to substitute the correct IP information for your environment.

Topology

This guide describes three VPN topologies:

1. A site-to-site policy based IPsec VPN tunnel configuration using static routing
2. A site-to-site route based IPsec VPN tunnel configuration
3. A site-to-site IPsec VPN tunnel configuration using the Google Cloud Router and BGP

Preparation

Overview

The configuration samples which follow include numerous value substitutions provided for the purposes of example only. Any references to IP addresses, device IDs, shared secrets or keys, account information or project names should be replaced with the appropriate values for your environment when following this guide. This guide is intended to assist in the creation of IPsec connectivity to the Google Cloud. The following is a high level overview of the configuration process which will be covered:

● Configuring the Amazon Virtual Private Gateway
● Configuring the Amazon Customer Gateway
● Configuring the Google Cloud Platform VPN
● Setting up the VPN Connection
● Connecting to GCP
● Testing the tunnel

The IPsec connectivity will utilize the pre-shared key generated by AWS for authentication.

Getting Started

The first step is to establish the base networking environment in AWS. The basis of networking in AWS is the Virtual Private Cloud (VPC). Amazon provides documentation for getting started with AWS networking. The basic concepts to understand are:

● Virtual Private Cloud – customer defined private network space in AWS.
● Virtual Private Gateway – the VPN concentrator on the Amazon side of the VPN connection.
● Customer Gateway – AWS reference to the remote IPsec end point. In this case the Google Cloud Platform VPN gateway.

IPsec Parameters

For the AWS IPsec configuration, the following details will be used:

Parameter                      Value
IPsec Mode                     ESP+Auth Tunnel mode (Site-to-Site)
Auth Protocol                  Pre-shared Key
Key Exchange                   IKEv1
Start                          auto
Perfect Forward Secrecy (PFS)  on
Dead Peer Detection (DPD)      aggressive
INITIAL_CONTACT (uniqueids)    on

The IPsec configuration used in this guide is specified below:

Phase     Cipher Role            Cipher
Phase 1   Encryption             aes-256
          Integrity              sha-256
          prf                    sha1-96
          Diffie-Hellman (DH)    Group 14 (modp_2048)
          Phase 1 lifetime       36,000 seconds (10 hours)
Phase 2   Encryption             aes-cbc-256
          Integrity              sha-256

Policy Based IPsec VPN

Configuration - AWS

To get started, log in to the AWS Management Console and select VPC from the main services menu. New AWS accounts will all have a default VPC. For this exercise, create a new VPC to connect to the Google Cloud Platform using the VPC Wizard.

Creating the VPC

The VPC Wizard steps through the creation and configuration of a new VPC. The first step is to select an IP subnet topology. There are options for various combinations of private and public IP addressing, with or without VPN connectivity. Once selected, this cannot be changed. For the test environment, select a Private Subnet Only VPC with Hardware VPN Access.

The next step is to configure the VPC settings. The following settings must be configured:

● IP CIDR Block: this is the CIDR block for the VPC. It cannot be changed once set. For this test, enter 10.0.0.0/16.
● VPC Name: this is the name of the VPC. For this test, enter GCP-Test.
● Private Subnet: this is the first subnet allocated from the private IP CIDR block used for AWS services including EC2. Enter 10.0.1.0/24, which is the network on the AWS side that we want to connect to GCP.
● Availability Zone: this is the AWS Availability Zone into which the VPC will be deployed. We will leave this set to no preference.
● Private Subnet Name: a friendly name for the private subnet. We will set this to AWS-VPC.
● S3 Endpoint: EC2 to S3 connectivity requires a public network link. This option deploys an S3 API gateway endpoint into the selected private subnet. This exercise will not require an S3 endpoint.
● Enable DNS Hostnames: this option enables automatic DNS hostname assignment via DHCP for the private subnet. We will leave DNS hostnames enabled.
● Hardware Tenancy: this option allows you to select a dedicated instance type for the VPN gateway for higher scale. Use the default option.

After completing the form, click Next to proceed to Step 3.

Configuring the VPN

To configure the VPN, enter the Customer Gateway IP, which is the IP address assigned to the Google Cloud Platform VPN gateway created in the Configuration - GCP section.

In addition to the Customer Gateway IP, enter a Customer Gateway name and a VPN Connection name. Next, choose a Routing Type for the VPN connection. This section of the guide covers the static route type VPN, so Static should be selected. Enter the Google Cloud Platform subnet CIDR block under IP Prefix and click Add.

With all required configuration completed, click Create VPC to create the new VPC and finish the Wizard. VPC creation will take a minute or two to complete. Once completed, the management console status will be updated.

The newly created VPC can now be selected from the Dashboard in order to collect the configuration detail required to complete the GCP configuration.

The last step is to collect the IP addresses of the AWS Virtual Gateway and the pre-shared keys used for IKE authentication, which are automatically generated by AWS. This information is stored in the configuration file, which can be downloaded by clicking Download Configuration. Several device specific options are available for the configuration format. For GCP, select Generic.

The configuration file is an ASCII text file. The auto-generated pre-shared key will be listed under Pre-Shared Key. A sample configuration file is provided below for reference:

    Amazon Web Services
    Virtual Private Cloud

    VPN Connection Configuration
    ================================================================================
    AWS utilizes unique identifiers to manipulate the configuration of a VPN Connection.
    Each VPN Connection is assigned a VPN Connection Identifier and is associated with
    two other identifiers, namely the Customer Gateway Identifier and the Virtual
    Private Gateway Identifier.

    Your VPN Connection ID            : vpn-c1c6d9d3
    Your Virtual Private Gateway ID   : vgw-f670afe8
    Your Customer Gateway ID          : cgw-3548972b

    A VPN Connection consists of a pair of IPSec tunnel security associations (SAs).
    It is important that both tunnel security associations be configured.

    IPSec Tunnel #1
    ================================================================================
    #1: Internet Key Exchange Configuration

    Configure the IKE SA as follows
      - Authentication Method    : Pre-Shared Key
      - Pre-Shared Key           : auto-generated-pre-shared-key
      - Authentication Algorithm : sha1
      - Encryption Algorithm     : aes-128-cbc
      - Lifetime                 : 28800 seconds
      - Phase 1 Negotiation Mode : main
      - Perfect Forward Secrecy  : Diffie-Hellman Group 2
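As an added example (not part of this guide), the following Python parser reads a Generic configuration file in the layout shown above and extracts, per tunnel, the values the GCP steps need (peer address, shared secret, and the inside /30 addresses and ASNs used by the Cloud Router variant later in this guide), then reports where the IKE proposal in the AWS file differs from the Phase 1 table in the IPsec Parameters section. The embedded sample is constructed; its Outside IP Addresses block is an assumed layout and every address and secret is a placeholder.

```python
"""Parse the AWS "Generic" configuration file into the values Cloud VPN needs.
Added example, not part of the guide. The sample mirrors the labels the guide
quotes; the Outside IP Addresses block is assumed, all values are placeholders."""
import re

SAMPLE_CONFIG = """\
IPSec Tunnel #1
================================================================================
#1: Internet Key Exchange Configuration
  - Pre-Shared Key           : auto-generated-pre-shared-key-1
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2
Outside IP Addresses:
  - Virtual Private Gateway  : 192.0.2.45
Inside IP Addresses
  - Customer Gateway         : 169.254.12.186/30
  - Virtual Private Gateway  : 169.254.12.185/30
BGP Configuration Options:
  - Customer Gateway ASN     : 65000
  - Virtual Private Gateway ASN : 7224

IPSec Tunnel #2
================================================================================
#1: Internet Key Exchange Configuration
  - Pre-Shared Key           : auto-generated-pre-shared-key-2
Inside IP Addresses
  - Customer Gateway         : 169.254.13.2/30
  - Virtual Private Gateway  : 169.254.13.1/30
"""

# Headings in the file that open a section, mapped to short names.
SECTIONS = {"Internet Key Exchange": "ike", "Outside IP Addresses": "outside",
            "Inside IP Addresses": "inside", "BGP Configuration Options": "bgp"}
TUNNEL_RE = re.compile(r"^IPSec Tunnel #(\d+)\s*$")
KV_RE = re.compile(r"^\s*-\s*(.+?)\s*:\s*(.+?)\s*$")   # "  - Label : value"


def parse_generic_config(text):
    """Return {tunnel_number: {section: {label: value}}}."""
    tunnels, current, section = {}, None, None
    for line in text.splitlines():
        head = TUNNEL_RE.match(line)
        if head:                       # "IPSec Tunnel #N" starts a new tunnel
            current = tunnels.setdefault(int(head.group(1)), {})
            section = None
            continue
        section = next((n for m, n in SECTIONS.items() if m in line), section)
        kv = KV_RE.match(line)
        if kv and current is not None and section:
            current.setdefault(section, {})[kv.group(1)] = kv.group(2)
    return tunnels


def cloud_vpn_values(tunnel):
    """One tunnel's values in the roles the guide enters on the GCP side."""
    def get(sec, key):
        return tunnel.get(sec, {}).get(key)
    peer_inside = get("inside", "Virtual Private Gateway")
    return {
        "peer_address": get("outside", "Virtual Private Gateway"),  # --peer-address
        "shared_secret": get("ike", "Pre-Shared Key"),              # --shared-secret
        "gcp_bgp_ip": get("inside", "Customer Gateway"),            # router interface IP
        "peer_bgp_ip": peer_inside.split("/")[0] if peer_inside else None,  # --peer-ip-address
        "local_asn": get("bgp", "Customer Gateway ASN"),            # router --asn
        "peer_asn": get("bgp", "Virtual Private Gateway ASN"),      # --peer-asn
    }


# Phase 1 values from the guide's IPsec parameter table, normalised for comparison.
GUIDE_PHASE1 = {"encryption_bits": 256, "integrity": "sha256", "dh_group": 14, "lifetime": 36000}


def _first_int(value):
    found = re.search(r"\d+", value or "")
    return int(found.group()) if found else None


def ike_mismatches(tunnel):
    """(parameter, guide_value, aws_value) where AWS's IKE proposal differs."""
    ike = tunnel.get("ike", {})
    integrity = ike.get("Authentication Algorithm")
    aws = {
        "encryption_bits": _first_int(ike.get("Encryption Algorithm")),   # aes-128-cbc -> 128
        "integrity": integrity.replace("-", "").lower() if integrity else None,
        "dh_group": _first_int(ike.get("Perfect Forward Secrecy")),       # "Group 2" -> 2
        "lifetime": _first_int(ike.get("Lifetime")),                      # "28800 seconds"
    }
    return [(k, GUIDE_PHASE1[k], v) for k, v in aws.items()
            if v is not None and v != GUIDE_PHASE1[k]]
```

On the sample above, the report flags all four Phase 1 parameters (sha1, aes-128-cbc, DH group 2 and 28800 seconds versus the table's sha-256, aes-256, group 14 and 36,000 seconds), so check which proposal the two gateways actually negotiate rather than assuming the table.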

Configuration - GCP UI

In the Google Cloud Platform Developers Console, select the project into which the VPN will be deployed, or create a new project. More information on creating and managing projects can be found here. To view the current network configuration for the project, select Networking from the main services menu in the Developer Console.

In GCP all projects start with a single network named default at time of creation. The default network is configured with a private IP space and a set of base firewall rules. The default network provides a sufficient starting point for creating a site-to-site IPsec VPN. More information on networking within the Google Cloud Platform can be found in the Networking section of the Google Compute Engine documentation. To configure the AWS side of the VPN, two values are needed from GCP:

● Customer Gateway IP Address: the public IP address of the VPN gateway in Google Cloud
● Routing Type/IP Prefix: the private IP address space associated with the Google Cloud Platform Network

The address space is shown in the network overview and in this example is 10.240.0.0/16.

To get the Customer Gateway IP address, create a Google Cloud VPN gateway. From the Networking menu, select VPN. Any existing VPN gateways will be listed in the main information panel. If no VPN gateways have been created, an option will be provided to create one.

Click Create a VPN to initiate the VPN creation workflow. The VPN has several user configurable properties:

● Name: a representative name for the VPN connection (must be lowercase)
● Description: free form text describing the gateway (optional)
● Network: the network to which the VPN gateway will be attached
● Region: the region into which the VPN gateway will be deployed
● IP address: the static public IP address which will be assigned to the VPN gateway. A new static IP address can also be allocated at this stage.

Enter the AWS Virtual Private Gateway IP and the pre-shared key collected in the Configuration - AWS section and click Create. The Remote Network IP Ranges should include both the VPC CIDR block as well as any configured subnets. Note that AWS requires IKEv1.

AWS utilizes two tunnels for redundancy. The above steps should be repeated for each tunnel documented in the AWS configuration file.

Configuration - GCP CLI

Cloud VPN can also be configured using the gcloud command line tool. Command line configuration requires two steps. First the VPN Gateway is created, then the tunnels are created referring to the VPN Gateway.

Create the VPN Gateway

    gcloud compute target-vpn-gateways create gcp-to-aws --network to-lab --region us-central1

Create the VPN Tunnel

AWS utilizes two tunnels for redundancy. Repeat this step for each tunnel, using the peer address and pre-shared key from that tunnel's section of the AWS configuration file (AWS requires IKEv1, so --ike-version 1 is passed explicitly):

    gcloud compute vpn-tunnels create my-tunnel --ike-version 1 --shared-secret MySharedSecret --peer-address on-prem-IP --target-vpn-gateway gcp-to-aws --local-traffic-selector gcp-CIDR --remote-traffic-selector on-prem-CIDR

IPsec VPN Using Cloud Router

Configuration - AWS

To get started, log in to the AWS Management Console and select VPC from the main services menu. New AWS accounts will all have a default VPC. For this exercise a new VPC is being created to connect to the Google Cloud Platform using the VPC Wizard.

Creating the VPC

The VPC Wizard steps through the creation and configuration of a new VPC. The first step is to select an IP subnet topology. There are options for various combinations of private and public IP addressing, with or without VPN connectivity. Once selected, this cannot be changed. For the test environment, select a Private Subnet Only VPC with Hardware VPN Access.

The next step is to configure the VPC settings. The following settings must be configured:

● IP CIDR Block: this is the CIDR block for the VPC. It cannot be changed once set. For this test, enter 10.0.0.0/16.
● VPC Name: this is the name of the VPC. For this test, enter GCP-Test.
● Private Subnet: this is the first subnet allocated from the private IP CIDR block used for AWS services including EC2. Enter 10.0.1.0/24, which is the network on the AWS side that we want to connect to GCP.
● Availability Zone: this is the AWS Availability Zone into which the VPC will be deployed. We will leave this set to no preference.
● Private Subnet Name: a friendly name for the private subnet. We will set this to AWS-VPC.
● S3 Endpoint: EC2 to S3 connectivity requires a public network link. This option deploys an S3 API gateway endpoint into the selected private subnet. This exercise will not require an S3 endpoint.
● Enable DNS Hostnames: this option enables automatic DNS hostname assignment via DHCP for the private subnet. We will leave DNS hostnames enabled.
● Hardware Tenancy: this option allows you to select a dedicated instance type for the VPN gateway for higher scale. Use the default option.

After completing the form, click Next to proceed to Step 3.

Configuring the VPN

To configure the VPN, enter the Customer Gateway IP, which is the IP address assigned to the Google Cloud Platform VPN gateway created in the Configuration - GCP section.

In addition to the Customer Gateway IP, enter a Customer Gateway name and a VPN Connection name. Next, choose a Routing Type for the VPN connection. This section of the guide covers VPN with BGP route management, so Dynamic should be selected. Enter the Google Cloud Platform subnet CIDR block under IP Prefix and click Add.

With all required configuration completed, click Create VPC to create the new VPC and finish the Wizard. VPC creation will take a minute or two to complete. Once completed, the management console status will be updated.

The newly created VPC can now be selected from the Dashboard in order to collect the configuration detail required to complete the GCP configuration.

AWS utilizes two tunnels for redundancy. The last step is to collect the IP addresses of the AWS Virtual Gateway and the pre-shared keys used for IKE authentication, which are automatically generated by AWS. These configuration details can be downloaded by clicking Download Configuration. Several device specific options are available for the configuration format. For GCP, select Generic.

The configuration file is an ASCII text file. The auto-generated pre-shared key will be listed under Pre-Shared Key and cannot be user defined. The link local address for BGP peering will be listed under Inside Addresses and also cannot be user defined.

Configuration - Google Cloud Router UI

Google Cloud Router enables dynamic Border Gateway Protocol (BGP) route updates between your Google Cloud Platform network and your on-premises network. For the initial release, Cloud Router supports BGP for Cloud VPN only. Cloud Router works with both legacy networks and Subnetworks.

Cloud Router

The first step in configuring the Google Cloud Platform for site-to-site VPN connectivity utilizing BGP and the Google Cloud Router is to create a new cloud router. From the Developer Console, select Networking and then Cloud Routers. From the workspace, select Create Router.

All parameters needed to create a new cloud router are entered on this page. A detailed description of each parameter is provided below:

● Name: the name of the cloud router.
● Description: a brief description of the cloud router.

● Network: the GCP network the cloud router will attach to. Note: this is the network whose route information will be managed.
● Region: the home region of the cloud router. Note: the cloud router must be in the same region as the subnetworks it is connecting.
● Google ASN: the BGP Autonomous System Number assigned to the cloud router. Use the ASN assigned by the Amazon VPC Creation Wizard to the Customer Gateway configuration, from the configuration file downloaded in the final step of the Configuration - AWS section of this document:

    BGP Configuration Options:
      - Customer Gateway ASN        : 65000
      - Virtual Private Gateway ASN : 7224
      - Neighbor IP Address         : 169.254.12.185
      - Neighbor Hold Time          : 30

The newly created instance will appear in the list of Cloud Routers. Click Configure under VPN Gateway to create the VPN tunnel. AWS utilizes dual redundant IPsec VPN tunnels. Two tunnels will be created, matching the AWS configuration.

VPN Tunnel

All parameters needed to create a new VPN connection are entered on this page. AWS utilizes two tunnels for redundancy. The following step should be repeated for each tunnel documented in the AWS configuration file. A detailed description of each parameter is provided below.

The following parameters are required for the VPN gateway:

● Name: the name of the VPN gateway.
● Description: a brief description of the VPN connection.
● Network: the GCP network the VPN gateway will attach to. Note: this is the network to which VPN connectivity will be made available.
● Region: the home region of the VPN gateway. Note: the VPN gateway must be in the same region as the subnetworks it is connecting.
● IP address: the static public IP address which will be used by the VPN gateway. An existing, unused, static public IP address within the project can be assigned, or a new one can be created.

The following parameters are required for each Tunnel which will be managed by the VPN gateway:

● Remote peer IP address: the public IP address of the on-premises VPN appliance which will be used to connect to Cloud VPN.
● IKE version: the IKE protocol version. AWS requires IKEv1.
● Shared secret: a shared secret used for mutual authentication by the VPN gateways. Provided in the configuration file downloaded in the final step of the Configuration - AWS section of this document.
● Routing options: Cloud VPN supports multiple routing options for the exchange of route information between the VPN gateways. For this example Dynamic (BGP) is being used. Static Routes were covered earlier in this guide.
● Cloud Router: the Cloud Router instance associated with this VPN tunnel, created in the Cloud Router section.
● BGP session: the BGP configuration to be used by the Cloud Router for this VPN tunnel. Click the pencil to create a new configuration.

The following parameters are required to configure the BGP session:

● Name: the name of the BGP session
● Peer ASN: provided in the configuration file downloaded in the final step of the Configuration - AWS section of this document as the “Virtual Private Gateway ASN”:

    BGP Configuration Options:
      - Customer Gateway ASN        : 65000
      - Virtual Private Gateway ASN : 7224
      - Neighbor IP Address         : 169.254.12.185
      - Neighbor Hold Time          : 30

● Google BGP IP address, Peer BGP IP address: provided in the configuration file downloaded in the final step of the Configuration - AWS section of this document:

    Inside IP Addresses
      - Customer Gateway        : 169.254.12.186/30
      - Virtual Private Gateway : 169.254.12.185/30

Once all of the BGP session info has been entered, click Save and continue to complete. When all information for the tunnels has been entered successfully, click Create on the Create a VPN connection form to create the new dual tunnel VPN connection.

Configuration - Google Cloud Router CLI

Cloud VPN can also be configured using the gcloud command line tool. Command line configuration requires multiple steps.

Create the VPN Gateway

Create the VPN gateway. Make note of the chosen name (my-gateway), network and region for use in future steps:

    gcloud compute target-vpn-gateways create my-gateway --project my-project --network my-network --region my-region

Reserve a Static IP

Reserve a static IP address in the Google Cloud Platform network and region where the VPN gateway was created. Make a note of the created address for use in future steps:

    gcloud compute addresses create vpn-static-ip --project my-project --region my-region

Create the Cloud Router

The Amazon VPC Creation Wizard automatically assigns a BGP ASN (65000) to the Customer Gateway. This ASN should be used as the --asn value when creating the router:

    gcloud beta compute --project my-project routers create my-router --region my-region --network my-network --asn my-AWS-provided-customer-gateway-asn

Create the VPN Tunnel

Create the VPN tunnel referencing the VPN gateway and Cloud Router created earlier. Make note of the chosen tunnel name for use in future steps. The peer-address should be set to the AWS Virtual Private Gateway IP and the shared-secret should be set to the AWS assigned pre-shared key, both provided in the configuration file downloaded in the final step of the Configuration - AWS section of this document. AWS utilizes two tunnels for redundancy. The following step should be repeated for each tunnel documented in the AWS configuration file:

    gcloud beta compute --project my-project vpn-tunnels create my-tunnel --region my-region --ike-version 1 --target-vpn-gateway my-gateway --peer-address my-AWS-virtual-private-gateway-IP --shared-secret my-AWS-provided-PSK --router my-router

Add the BGP Link Local Interface

Update the configuration of the Cloud Router created earlier to add a virtual interface (--interface-name) for the BGP peer referencing the VPN tunnel created above. The BGP interface IP address must be the link-local IP address provided by Amazon as the Customer Gateway Inside IP in the configuration file downloaded in the final step of the Configuration - AWS section of this document:

    gcloud beta compute --project my-project routers add-interface my-router --interface-name my-if --ip-address my-AWS-provided-Customer-Gateway-inside-IP --mask-length 30 --vpn-tunnel my-tunnel --region my-region

Add the BGP Peering Session

Update the Cloud Router config to add the BGP peer to the interface. Use the ASN and peer IP address provided by Amazon as the Virtual Private Gateway ASN and the Virtual Private Gateway Inside IP in the configuration file downloaded in the final step of the Configuration - AWS section of this document:

    gcloud beta compute --project my-project routers add-bgp-peer my-router --peer-name bgp-peer1 --interface-name my-if --peer-ip-address my-AWS-provided-virtual-private-gateway-inside-IP --peer-asn my-AWS-provided-virtual-private-gateway-ASN --region my-region
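As an added example that is not part of this guide, the following Python lints a planned Cloud Router configuration against the values copied from the AWS configuration file (IKE version, which inside address and which ASN belong on which side, and that both inside addresses share one link-local /30), and then assembles the router, tunnel, interface and peer commands above as argv lists without running them. All AWS values are constructed placeholders and the GCP names follow the guide's my-* placeholders.

```python
"""Lint the values copied from the AWS configuration file against the roles the
Cloud Router CLI steps above assign them, then assemble those gcloud commands
as a dry run. Added example, not from the guide; all values are placeholders."""
import ipaddress

# One tunnel's values from the AWS file (constructed, in the form the guide quotes).
AWS_TUNNEL = {
    "vpg_ip": "192.0.2.45",                  # Virtual Private Gateway public IP
    "psk": "auto-generated-pre-shared-key",  # AWS assigned pre-shared key
    "cgw_inside": "169.254.12.186/30",       # Inside IP: Customer Gateway
    "vpg_inside": "169.254.12.185/30",       # Inside IP: Virtual Private Gateway
    "cgw_asn": 65000,                        # Customer Gateway ASN
    "vpg_asn": 7224,                         # Virtual Private Gateway ASN
}
# Names in the guide's own placeholder form.
GCP = {"project": "my-project", "region": "my-region", "network": "my-network",
       "gateway": "my-gateway", "router": "my-router", "tunnel": "my-tunnel",
       "interface": "my-if", "peer": "bgp-peer1"}


def plan_from_aws(t):
    """Map the AWS roles onto the Cloud Router roles exactly as the guide prescribes."""
    cgw_ip, cgw_mask = t["cgw_inside"].split("/")
    return {
        "ike_version": 1,                          # AWS requires IKEv1
        "asn": t["cgw_asn"],                       # routers create --asn
        "interface_ip": cgw_ip,                    # add-interface --ip-address
        "mask_length": int(cgw_mask),              # add-interface --mask-length
        "peer_ip": t["vpg_inside"].split("/")[0],  # add-bgp-peer --peer-ip-address
        "peer_asn": t["vpg_asn"],                  # add-bgp-peer --peer-asn
    }


def lint_plan(plan, t):
    """Return findings for a planned tunnel/router config (empty list = OK)."""
    findings = []
    if plan["ike_version"] != 1:
        findings.append("AWS requires IKEv1 (--ike-version 1)")
    local = ipaddress.ip_interface(f'{plan["interface_ip"]}/{plan["mask_length"]}')
    peer = ipaddress.ip_address(plan["peer_ip"])
    link_local = ipaddress.ip_network("169.254.0.0/16")
    if local.ip not in link_local or peer not in link_local:
        findings.append("BGP addresses must be the 169.254.x.x inside addresses from AWS")
    if plan["mask_length"] != 30:
        findings.append("inside addresses carry a /30 mask (--mask-length 30)")
    if peer not in local.network:
        findings.append("peer IP is not in the interface's /30")
    if str(local.ip) == t["vpg_inside"].split("/")[0]:
        findings.append("interface IP is the Virtual Private Gateway inside IP (addresses swapped)")
    if plan["asn"] == t["vpg_asn"] or plan["peer_asn"] == t["cgw_asn"]:
        findings.append("ASN roles swapped: --asn is the Customer Gateway ASN, --peer-asn the VPG ASN")
    if plan["asn"] == plan["peer_asn"]:
        findings.append("local and peer ASN are equal; AWS assigns distinct ASNs (e.g. 65000 and 7224)")
    return findings


def gcloud_commands(plan, t, gcp):
    """The guide's router, tunnel, interface and peer commands as argv lists."""
    problems = lint_plan(plan, t)
    if problems:
        raise ValueError("; ".join(problems))
    base = ["gcloud", "beta", "compute", "--project", gcp["project"]]
    region = ["--region", gcp["region"]]
    return [
        base + ["routers", "create", gcp["router"], "--network", gcp["network"],
                "--asn", str(plan["asn"])] + region,
        # The PSK goes on the command line exactly as in the guide; it will land
        # in shell history and process listings, so clear those afterwards.
        base + ["vpn-tunnels", "create", gcp["tunnel"], "--ike-version", str(plan["ike_version"]),
                "--target-vpn-gateway", gcp["gateway"], "--peer-address", t["vpg_ip"],
                "--shared-secret", t["psk"], "--router", gcp["router"]] + region,
        base + ["routers", "add-interface", gcp["router"], "--interface-name", gcp["interface"],
                "--ip-address", plan["interface_ip"], "--mask-length", str(plan["mask_length"]),
                "--vpn-tunnel", gcp["tunnel"]] + region,
        base + ["routers", "add-bgp-peer", gcp["router"], "--peer-name", gcp["peer"],
                "--interface-name", gcp["interface"], "--peer-ip-address", plan["peer_ip"],
                "--peer-asn", str(plan["peer_asn"])] + region,
    ]


if __name__ == "__main__":
    for argv in gcloud_commands(plan_from_aws(AWS_TUNNEL), AWS_TUNNEL, GCP):
        print(" ".join(argv))
```

Run it once per tunnel in the AWS file with that tunnel's values; a swapped pair of inside addresses still lies in the same /30, which is why the lint compares against the AWS roles rather than only checking subnet membership.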

Testing the Site-to-Site VPN

Verify Connectivity

To verify that Cloud Router has successfully initiated BGP peering with AWS, check the Cloud Router status in the Developer Console.

To verify that the IPsec tunnel has been successfully initiated, check the VPN status in the Developer Console.

On the AWS side, verify that the configured Tunnel is up. Note that the unconfigured tunnel will remain Down. This is expected.

Test the Tunnel

With the site-to-site VPN online, the tunnel is now ready for testing. To test, create virtual machines in both AWS EC2 and Google Compute Engine. Instructions for creating EC2 virtual machines can be found here. To learn how to create virtual machines in Google Compute Engine, visit the Getting Started Guide. Once virtual machines have been deployed on both platforms, an ICMP echo test can confirm network connectivity. Note that on AWS, Security Groups provide firewall capabilities for EC2 instances. The default security group for a new instance does not allow ICMP. A security group rule for ICMP must be added in order for this test to work. A demonstration of a functional tunnel is below: the EC2 virtual machine pinging the virtual machine in GCE, and the GCE virtual machine pinging the virtual machine in EC2.