Secure VPN Tunnelling Between AWS & GCP
Scenario:
Imagine your company has applications running in both AWS and GCP. These applications need to communicate securely and efficiently with each other, sharing sensitive data and resources across the different cloud environments.
Why VPN Tunneling is Needed:
- Secure Data Transmission:
  - Encryption: VPN tunnels encrypt the data traveling between different cloud environments, ensuring that sensitive information remains secure from eavesdropping or interception during transit.
  - Confidentiality: Ensures that only authorized users and systems can access the data, maintaining the confidentiality and integrity of your communications.
- Consistent Network Policies:
  - Unified Security Policies: Implementing VPN tunnels allows you to enforce consistent security policies across different cloud environments, providing a standardized security posture.
  - Compliance: Helps in meeting regulatory and compliance requirements by ensuring secure data transfer and communication between different clouds.
AWS:
After the VPC and EC2 setup we will create the following:
1- VPN gateway, attached to the VPC; in the VPN gateway we will define the BGP ASN.
An AWS VPN Gateway (Virtual Private Gateway) allows you to securely connect your on-premises network or another cloud environment to your Amazon VPC (Virtual Private Cloud) via a VPN connection. It provides an encrypted tunnel over the public internet for secure communication between the two networks.
2- After this we will create the customer gateway, which holds the GCP VPN peering information: the public IP from GCP and the BGP ASN of AWS.
A Customer Gateway (CGW) is the on-premises (or external) VPN device or software that connects to an AWS Virtual Private Gateway (VGW) or Transit Gateway to establish a secure Site-to-Site VPN connection between your on-premises network and your AWS VPC.
While the Virtual Private Gateway (VGW) exists on the AWS side of the VPN connection, the Customer Gateway is the entity that exists on your side (your network or data center).
3- Site-to-Site VPN connection (in effect, putting the VPN gateway and the customer gateway together in one box).
GCP:
1- First we will create a Cloud Router in GCP, which is used to connect your VPC to outside networks.
2- Then we will create the VPN gateway, as we did on AWS.
3- Then we will create the peer VPN gateway, which holds the information of the AWS VPN side.
4- Finally we will create the VPN tunnels, each of which carries the configuration of its BGP session.
Our target is to establish a ping between the AWS EC2 instance and the GCP VM.
Let's start the hands-on!
We will start the hands-on with AWS first; we already have a VPC and subnets in AWS:
Then create the subnets, 2 private and 2 public, in different AZs:
Now we will create one NAT gateway for internet access; the NAT gateway will be created in a public subnet:
Now create the internet gateway so that the public subnets and the NAT gateway can reach the internet; also attach the IGW to the VPC:
Now create two route tables: associate the private subnets with the private RT and the public subnets with the public RT. Add one default route 0.0.0.0/0 in the private RT toward the NAT gateway, and one default route in the public RT toward the IGW.
Note: Enable route propagation on each RT.
Below is an example of the public RT default route:
Our AWS VPC part is complete.
Now we will create one EC2 instance in a public subnet with a public IP:
Now we will move to GCP to create the VPC there:
Create the VPC network there: enter the network name and four subnets, two private (one in us-east-1 and the other in us-east-2) and likewise two public. We will use the subnet ranges below; also enable Private Google Access for the private subnets:
10.10.1.0/24 private-01
10.10.2.0/24 private-02
10.10.3.0/24 public-01
10.10.4.0/24 public-02
Google Cloud Router helps to dynamically exchange routes between your Virtual Private Cloud (VPC) and on-premises networks using Border Gateway Protocol (BGP):
Now we will create NAT gateways for our private subnets inside this Cloud Router:
In our case we will have to create two Cloud Routers and two NAT gateways, as we have two private subnets in different regions:
In GCP, there is no separate component explicitly called an “Internet Gateway” like in AWS. Instead, GCP allows subnets to have direct access to the internet through the default routing and firewall rules. If a VM instance has an external IP address and the appropriate firewall rules are in place, it can access the internet directly.
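The GCP network steps above, collected as gcloud commands in an added example that is not code from the original post. Each function prints one command and gcp_network_plan prints the whole sequence, so it can be reviewed and then piped to sh. The project, network and region names, the GCP ASN and the AWS VPC CIDR are assumptions (GCP region names are used in place of the post's us-east-1/us-east-2); the four subnet ranges are the ones listed above. The plan refuses to run when the AWS range overlaps a GCP subnet, since overlapping ranges are the usual reason a cross-cloud VPN comes up with BGP established while traffic still goes nowhere, and the ICMP rule for the later ping test is scoped to the AWS range rather than 0.0.0.0/0.

```shell
#!/bin/sh
# Added example (not from the original post): gcloud equivalents of the GCP VPC,
# Cloud Router and Cloud NAT steps. Review the printed plan, then: sh gcp-net.sh | sh
# Project, network, regions, ASN and the AWS VPC CIDR below are placeholders.
set -u

PROJECT="${PROJECT:-my-project-PLACEHOLDER}"
NET="${NET:-multicloud-vpc}"
REGION_A="${REGION_A:-us-east1}"   # GCP region names (the post writes us-east-1 / us-east-2)
REGION_B="${REGION_B:-us-east4}"
GCP_ASN="${GCP_ASN:-65000}"        # private ASN announced by the Cloud Routers
AWS_VPC_CIDR="${AWS_VPC_CIDR:-172.16.0.0/16}"   # placeholder for the AWS VPC range

# ip2int 10.10.1.0 -> 168427776; used by the overlap check below.
ip2int() {
  old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_overlaps A/LEN B/LEN: succeeds when the two ranges share addresses,
# i.e. when they agree on the first min(LEN_A, LEN_B) bits.
cidr_overlaps() {
  a_ip=$(ip2int "${1%/*}"); a_len=${1#*/}
  b_ip=$(ip2int "${2%/*}"); b_len=${2#*/}
  len=$a_len; [ "$b_len" -lt "$len" ] && len=$b_len
  mask=$(( (4294967295 << (32 - len)) & 4294967295 ))
  [ $(( a_ip & mask )) -eq $(( b_ip & mask )) ]
}

net_cmd() { echo "gcloud compute networks create $NET --project $PROJECT --subnet-mode custom"; }

# subnet_cmd NAME RANGE REGION [private]: private subnets get Private Google
# Access so VMs without an external IP still reach Google APIs.
subnet_cmd() {
  cmd="gcloud compute networks subnets create $1 --network $NET --region $3 --range $2"
  [ "${4:-}" = "private" ] && cmd="$cmd --enable-private-ip-google-access"
  echo "$cmd"
}

# One Cloud Router per region; its ASN is what the AWS customer gateways peer with.
router_cmd() { echo "gcloud compute routers create router-$1 --network $NET --region $1 --asn $GCP_ASN"; }

# Cloud NAT on that router, scoped to the region's private subnet only.
nat_cmd() {  # nat_cmd REGION PRIVATE_SUBNET
  echo "gcloud compute routers nats create nat-$1 --router router-$1 --region $1" \
       "--nat-custom-subnet-ip-ranges $2 --auto-allocate-nat-external-ips"
}

# GCP has no internet gateway object; reachability is routes plus firewall rules.
# Allow ICMP for the final ping test only from the AWS VPC, not from 0.0.0.0/0.
fw_cmd() {
  echo "gcloud compute firewall-rules create allow-icmp-from-aws --network $NET" \
       "--direction INGRESS --allow icmp --source-ranges $AWS_VPC_CIDR"
}

gcp_network_plan() {
  for range in 10.10.1.0/24 10.10.2.0/24 10.10.3.0/24 10.10.4.0/24; do
    if cidr_overlaps "$AWS_VPC_CIDR" "$range"; then
      echo "AWS range $AWS_VPC_CIDR overlaps GCP subnet $range" >&2; return 1
    fi
  done
  echo "set -e"
  net_cmd
  subnet_cmd private-01 10.10.1.0/24 "$REGION_A" private
  subnet_cmd private-02 10.10.2.0/24 "$REGION_B" private
  subnet_cmd public-01 10.10.3.0/24 "$REGION_A"
  subnet_cmd public-02 10.10.4.0/24 "$REGION_B"
  router_cmd "$REGION_A"; router_cmd "$REGION_B"
  nat_cmd "$REGION_A" private-01; nat_cmd "$REGION_B" private-02
  fw_cmd
}

gcp_network_plan
```

The plan is printed rather than executed so that the generated commands can be diffed against what the console wizard produced; the overlap check runs first because nothing later in the tutorial will surface that mistake until the final ping fails.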
Now we will create the VPN on GCP. We will use HA VPN because it provides two tunnels and also supports BGP dynamic routing, which Classic VPN does not:
First it will ask you to create the Cloud HA VPN gateway, then it will create two VPN tunnels. Stop here, copy the public IPs of the tunnels, and come to AWS:
At AWS, first create the virtual private gateway and attach it to the VPC:
Now we will create two customer gateways, one for each GCP tunnel:
Now we will create the Site-to-Site VPN connections:
Conn1:
Create conn2 with gateway02.
Now download the configuration file of both VPN connections:
We will need these files to check the configuration information and to configure the GCP tunnels. Let's go to GCP and configure the VPN tunnels:
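The AWS-side steps (virtual private gateway, two customer gateways, two Site-to-Site VPN connections, route propagation and the configuration download) as aws CLI commands, in an added example that is not code from the original post. Each function prints one command and aws_plan prints the whole sequence as a script to review before running it. The VPC and route-table ids, both ASNs and the two GCP interface IPs are placeholders. One caveat worth noting: the --bgp-asn given to a customer gateway is the ASN of the remote peer, here the GCP Cloud Router, while the AWS-side ASN is set on the virtual private gateway.

```shell
#!/bin/sh
# Added example (not from the original post): the AWS-side steps as aws CLI
# commands. Review the printed plan, then: sh aws-vpn-side.sh | sh
# VPC and route-table ids, both ASNs and the GCP interface IPs are placeholders.
set -u

VPC_ID="${VPC_ID:-vpc-PLACEHOLDER}"
PRIVATE_RT="${PRIVATE_RT:-rtb-private-PLACEHOLDER}"
PUBLIC_RT="${PUBLIC_RT:-rtb-public-PLACEHOLDER}"
AWS_ASN="${AWS_ASN:-64512}"          # Amazon-side ASN, configured on the VGW
GCP_ASN="${GCP_ASN:-65000}"          # ASN of the GCP Cloud Router, the BGP peer
GCP_IF0="${GCP_IF0:-203.0.113.10}"   # HA VPN gateway interface 0 (TEST-NET-3 placeholder)
GCP_IF1="${GCP_IF1:-203.0.113.11}"   # HA VPN gateway interface 1

# Step 1: Virtual Private Gateway carrying the AWS BGP ASN, attached to the VPC.
vgw_create_cmd() {
  echo "aws ec2 create-vpn-gateway --type ipsec.1 --amazon-side-asn $AWS_ASN" \
       "--query VpnGateway.VpnGatewayId --output text"
}
vgw_attach_cmd() { echo "aws ec2 attach-vpn-gateway --vpn-gateway-id $1 --vpc-id $VPC_ID"; }

# Step 2: one Customer Gateway per GCP HA VPN interface. A CGW's --bgp-asn is
# the ASN of the remote peer (the GCP Cloud Router); the AWS-side ASN lives on
# the VGW created above.
cgw_create_cmd() {
  echo "aws ec2 create-customer-gateway --type ipsec.1 --public-ip $1 --bgp-asn $GCP_ASN" \
       "--query CustomerGateway.CustomerGatewayId --output text"
}

# Step 3: one Site-to-Site VPN connection per CGW. StaticRoutesOnly=false
# selects dynamic (BGP) routing; each connection has two tunnels, so the two
# connections give the four tunnels that the HA VPN pairing uses.
vpn_create_cmd() {
  echo "aws ec2 create-vpn-connection --type ipsec.1 --vpn-gateway-id $1" \
       "--customer-gateway-id $2 --options StaticRoutesOnly=false" \
       "--query VpnConnection.VpnConnectionId --output text"
}

# "Enable the route propagation of each RT": without it the GCP prefixes
# learned over BGP never enter the route tables and the ping test fails.
propagation_cmd() { echo "aws ec2 enable-vgw-route-propagation --route-table-id $1 --gateway-id $2"; }

# The configuration file: tunnel outside IPs, inside /30 addresses, ASNs and
# pre-shared keys that the GCP tunnels are built from. It holds secrets, so keep
# it out of version control and delete it once the tunnels are up.
config_cmd() {
  echo "aws ec2 describe-vpn-connections --vpn-connection-ids $1" \
       "--query 'VpnConnections[0].CustomerGatewayConfiguration' --output text"
}

# Propagation is enabled last so the VGW attachment has finished by then.
aws_plan() {
  echo "set -e"
  echo "VGW_ID=\$($(vgw_create_cmd))"
  vgw_attach_cmd '$VGW_ID'
  echo "CGW1=\$($(cgw_create_cmd "$GCP_IF0"))"
  echo "CGW2=\$($(cgw_create_cmd "$GCP_IF1"))"
  echo "VPN1=\$($(vpn_create_cmd '$VGW_ID' '$CGW1'))"
  echo "VPN2=\$($(vpn_create_cmd '$VGW_ID' '$CGW2'))"
  propagation_cmd "$PRIVATE_RT" '$VGW_ID'
  propagation_cmd "$PUBLIC_RT" '$VGW_ID'
  echo "$(config_cmd '$VPN1') > conn1.xml"
  echo "$(config_cmd '$VPN2') > conn2.xml"
}

aws_plan
```

The downloaded conn1.xml and conn2.xml carry the same values the console's "Download configuration" button gives you, including the pre-shared keys, which is why the plan writes them to local files rather than echoing them.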
First create the new vpn gateway:
Public IPs of the AWS tunnels.
Select the cloud router:
Create four tunnels at GCP, using the same pre-shared key that is in AWS.
The next step is to configure BGP sessions for each tunnel, using the AWS ASN and the private IPs of each tunnel:
All four tunnels are established and BGP is up:
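The GCP side of the VPN as gcloud commands, in an added example that is not code from the original post: the HA VPN gateway (created first, because its two interface IPs are what the AWS customer gateways point at), a peer VPN gateway holding the four AWS tunnel outside IPs, four tunnels, one Cloud Router interface plus BGP peer per tunnel, and the status checks that correspond to "all four tunnels are established and BGP is up". Each function prints one command and gcp_vpn_plan prints the sequence for review. The names, ASNs, outside IPs and 169.254.x.x/30 inside addresses are placeholders standing in for values read from conn1.xml and conn2.xml; the pre-shared keys are taken from PSK_0..PSK_3 in the environment so the plan itself never contains a secret.

```shell
#!/bin/sh
# Added example (not from the original post): gcloud commands for the GCP side
# of the VPN. Review the printed plan, then: export PSK_0..PSK_3; sh gcp-vpn.sh | sh
# Names, ASNs, outside IPs and inside /30 addresses below are placeholders.
set -u

NET="${NET:-multicloud-vpc}"; REGION="${REGION:-us-east1}"
ROUTER="${ROUTER:-router-us-east1}"      # the Cloud Router selected in the wizard
HA_GW="${HA_GW:-gcp-ha-vpn-gw}"; PEER_GW="${PEER_GW:-aws-vgw-peer}"
AWS_ASN="${AWS_ASN:-64512}"              # Amazon-side ASN of the VGW (placeholder)

# Phase 1, done before the AWS side: create the HA VPN gateway and read the
# two interface IPs that become the AWS customer gateways.
ha_gw_cmd() { echo "gcloud compute vpn-gateways create $HA_GW --network $NET --region $REGION"; }
ha_gw_ips_cmd() {
  echo "gcloud compute vpn-gateways describe $HA_GW --region $REGION --format 'value(vpnInterfaces[].ipAddress)'"
}

# Phase 2: peer gateway with the four AWS outside IPs (conn1 tunnels 1,2 ->
# interfaces 0,1; conn2 tunnels 1,2 -> interfaces 2,3).
peer_gw_cmd() {  # peer_gw_cmd IP0 IP1 IP2 IP3
  echo "gcloud compute external-vpn-gateways create $PEER_GW --interfaces 0=$1,1=$2,2=$3,3=$4"
}

# tunnel_cmd INDEX HA_INTERFACE: tunnels 0,1 ride HA interface 0 (the IP used
# for customer gateway 1), tunnels 2,3 ride interface 1. IKEv2 matches the AWS
# default, and the pre-shared key is referenced from the environment, not embedded.
tunnel_cmd() {
  echo "gcloud compute vpn-tunnels create tunnel-$1 --region $REGION --vpn-gateway $HA_GW" \
       "--interface $2 --peer-external-gateway $PEER_GW --peer-external-gateway-interface $1" \
       "--router $ROUTER --ike-version 2 --shared-secret \"\$PSK_$1\""
}

# bgp_cmds INDEX GCP_INSIDE_IP AWS_INSIDE_IP: router interface on the tunnel's
# inside /30 and a BGP peer toward the AWS inside address, with the AWS ASN.
bgp_cmds() {
  echo "gcloud compute routers add-interface $ROUTER --region $REGION --interface-name if-tunnel-$1" \
       "--ip-address $2 --mask-length 30 --vpn-tunnel tunnel-$1"
  echo "gcloud compute routers add-bgp-peer $ROUTER --region $REGION --peer-name bgp-tunnel-$1" \
       "--interface if-tunnel-$1 --peer-ip-address $3 --peer-asn $AWS_ASN"
}

# Verification: tunnel status should read ESTABLISHED and every BGP peer
# should be Established with learned routes before trying the ping.
status_cmds() {
  echo "gcloud compute vpn-tunnels list --filter 'region:$REGION' --format 'table(name,status)'"
  echo "gcloud compute routers get-status $ROUTER --region $REGION --flatten result.bgpPeerStatus" \
       "--format 'table(result.bgpPeerStatus.name,result.bgpPeerStatus.state,result.bgpPeerStatus.numLearnedRoutes)'"
}

gcp_vpn_plan() {
  echo "set -e"
  ha_gw_cmd; ha_gw_ips_cmd
  peer_gw_cmd 198.51.100.1 198.51.100.2 198.51.100.3 198.51.100.4   # TEST-NET-2 placeholders
  tunnel_cmd 0 0; tunnel_cmd 1 0; tunnel_cmd 2 1; tunnel_cmd 3 1
  bgp_cmds 0 169.254.10.2 169.254.10.1   # placeholder /30 from conn1.xml tunnel 1
  bgp_cmds 1 169.254.11.2 169.254.11.1   # conn1.xml tunnel 2
  bgp_cmds 2 169.254.12.2 169.254.12.1   # conn2.xml tunnel 1
  bgp_cmds 3 169.254.13.2 169.254.13.1   # conn2.xml tunnel 2
  status_cmds
}

gcp_vpn_plan
```

In the AWS configuration file each tunnel's inside /30 lists the customer gateway address (the GCP side, used for --ip-address) and the virtual private gateway address (the AWS side, used for --peer-ip-address); the Cloud Router must be in the same region as the HA VPN gateway, which is why both default to us-east1 here.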
Now create the Google Cloud Compute Engine instance and initiate a ping to the AWS EC2 instance:
That's all in this project!