GCP to Azure VPN Tunneling with Multiple Networks

This guide walks through setting up a site-to-site IPsec VPN between Google Cloud Platform (GCP) and Azure, with routes exchanged over BGP. With the tunnel in place you can migrate workloads from Azure to GCP or run multi-cloud workloads across both platforms over private addresses instead of exposing services on the public internet. The same Azure gateway can terminate tunnels from several GCP VPC networks, which is the "multiple networks" case covered below.

Prerequisites:

Ensure you have an active Azure subscription and a project set up on GCP.
Make sure you have the required administrative roles on both platforms (network administration on the GCP project and the Azure resource group). You can create a new VPC network (Virtual Network on Azure) and subnets in both GCP and Azure, or use existing ones; the address ranges on the two sides must not overlap, or BGP will advertise routes that cannot be used.

Key Components and Terminology:

Google Cloud VPC network: A virtual network within a Google Cloud project. Resources attached to the network communicate with each other over its private address space, and the VPN extends that space to the Azure VNet.

External IP address or Google Cloud peer address: An HA VPN gateway has two interfaces, and each is automatically assigned an external IP address when the gateway is created. The peer VPN device (here, the Azure gateway) uses these addresses as the remote endpoint of its tunnels.

Dynamic Routing: Cloud Router runs the Border Gateway Protocol (BGP) with the peer so that subnet routes are learned and withdrawn automatically instead of being typed in as static routes. HA VPN supports dynamic routing only, so a Cloud Router and a BGP session are mandatory.

HA VPN: High Availability (HA) VPN is the Google Cloud product for IPsec VPN connections between a VPC network and a peer network, which can be on-premises or another cloud. Both gateway interfaces must be connected for the 99.99% availability SLA; a single tunnel to one peer address gives 99.9%.

Virtual Network Gateway: In Azure, the Virtual Network Gateway provides cross-premises connectivity between a VNet and a remote network. It terminates the IPsec tunnel that connects to the Google environment and is deployed in the dedicated "GatewaySubnet" of the VNet.

Site-to-Site (IPsec): A VPN connection type composed of a VPN Gateway, a Local Network Gateway (the object that describes the remote side, here GCP), and a Connection that ties the two together. Site-to-Site VPN sends encrypted traffic between an Azure Virtual Network (VNet) and a remote location over the public internet.

Azure Virtual Network Gateway Setup Steps:

1 – Create a virtual network gateway – Choose the resource group and the gateway type (VPN), then pick a SKU according to your needs; for multiple networks the authors recommend a SKU above VpnGw1, and in any case the Basic SKU must be avoided because it does not support BGP. Select the virtual network and a public IP address, enable BGP, set the Azure ASN, and enter two custom Azure APIPA BGP IP addresses. Azure only accepts custom APIPA addresses from 169.254.21.0/24 and 169.254.22.0/24, and each address will later form one /30 with the GCP side of a tunnel.

GCP VPN Gateway Setup Steps:

Go to Hybrid Connectivity, select the VPN Setup Wizard and choose High-availability (HA) VPN under VPN Options.

1- Create Cloud HA VPN gateway- Enter the name, choose the VPC network and the region. Note the external IP address of interface 0 once the gateway exists; Azure will need it.

2- Add VPN tunnels and choose the peer VPN gateway option "on-prem or non-Google Cloud", then enter the public IP address of the Azure virtual network gateway. This creates a peer VPN gateway resource with a single interface.

  • Create a Cloud Router- Enter the name and the ASN.
    Note: The ASN must differ from the Azure gateway's ASN. Use a private ASN (64512 to 65534, or 4200000000 to 4294967294) and avoid the ASNs Azure reserves for itself (65515, 65517 to 65520, and the public 8074, 8075 and 12076).
  • Enter the name of the tunnel, select IKEv2, generate the IKE pre-shared key and click Create. Store the key in a secret manager rather than a chat message or ticket: it is the only thing authenticating the two gateways to each other, and the identical value has to be entered on the Azure connection later.
  • Establish a BGP session – Enter the name, the peer ASN (the ASN configured on the Azure gateway), allocate the BGP IPv4 addresses manually and save the BGP configuration. The Cloud Router address and the Azure address must be the two usable hosts of one link-local /30 drawn from Azure's APIPA range, for example 169.254.21.2 on GCP and 169.254.21.1 on Azure.

3- Repeat the above GCP steps for each additional VPC network you want to connect: every VPC gets its own HA VPN gateway, Cloud Router and tunnel, all terminating on the same Azure virtual network gateway (multiple networks). Give each tunnel its own /30 and matching APIPA address on the Azure side, and do not reuse the pre-shared key across tunnels.

Let’s get back to Azure to finish the VPN configuration

1- Create Local Network Gateway – Choose the region, enter the name, select the resource group, set the endpoint type to IP address and paste the external IP address of the GCP HA VPN gateway interface the tunnel was created on.

2- Click Advanced, set Configure BGP settings to Yes, and enter the ASN of the GCP Cloud Router and its BGP peer IP address (the GCP side of the /30, 169.254.21.2 in the example above). Because routes come from BGP, no address prefixes need to be listed.

3- Create the connection in the Azure Virtual Network Gateway

– Choose the local network gateway and the virtual network gateway, and enable BGP on the connection.

– Enter the IKE pre-shared key generated on the GCP tunnel here (the shared key on Azure and on GCP must be identical, otherwise IKE authentication fails and the connection never leaves the "Connecting" state).

Once the connection is created, its status in Azure changes to "Connected".

On the Google Cloud Platform (GCP) side the tunnel status becomes Established and the BGP session reaches the "BGP established" state. Both must be true before traffic flows: a tunnel that is up without an established BGP session carries no routes. Check that the Azure VNet prefixes appear as dynamic routes in the GCP VPC and that the GCP subnets appear on the Azure gateway.
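The Azure steps and the final status check, as an added example that is not part of the original post, written with the az and gcloud CLIs and parameterised so that several GCP VPC networks attach to the same Azure virtual network gateway (the "multiple networks" case). It assumes the virtual network gateway from step 1 already exists with custom APIPA addresses 169.254.21.1 and 169.254.22.1, one per GCP VPC; the resource group, location, names, ASNs, GCP gateway addresses and keys are all illustrative assumptions. As in the GCP example, commands are printed with the key redacted unless `DRY_RUN=0`.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: Azure half plus end-to-end status check.
# All names, addresses and ASNs are illustrative assumptions.
set -eu

DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands only; DRY_RUN=0 executes them

RG="rg-hybrid"; LOCATION="eastus"; VNG="vng-hub"   # assumed Azure resources

# Print (with the IKE secret redacted) or execute a command.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*" | sed -e 's/--shared-key=[^ ]*/--shared-key=<redacted>/'
  else
    "$@"
  fi
}

# One local network gateway plus one connection per GCP VPC; all of them hang
# off the same virtual network gateway, only the far-end details differ.
# $1 short name, $2 GCP HA VPN gateway interface IP, $3 Cloud Router ASN,
# $4 Cloud Router BGP IP (GCP side of the /30), $5 pre-shared key from the GCP tunnel.
attach_vpc() {
  local name="$1" gcp_gw_ip="$2" gcp_asn="$3" gcp_bgp_ip="$4" psk="$5"
  run az network local-gateway create -g "$RG" -n "lng-$name" -l "$LOCATION" \
    --gateway-ip-address "$gcp_gw_ip" --asn "$gcp_asn" --bgp-peering-address "$gcp_bgp_ip"
  run az network vpn-connection create -g "$RG" -n "conn-$name" -l "$LOCATION" \
    --vnet-gateway1 "$VNG" --local-gateway2 "lng-$name" --enable-bgp --shared-key="$psk"
}

# Azure reports "Connected" once IKE is up. On the GCP side both the tunnel
# ("ESTABLISHED") and the BGP peer ("UP") must be healthy before routes flow.
# $1 short name, $2 GCP region, $3 tunnel name, $4 Cloud Router name.
check_status() {
  local name="$1" region="$2" tunnel="$3" router="$4"
  run az network vpn-connection show -g "$RG" -n "conn-$name" --query connectionStatus -o tsv
  run gcloud compute vpn-tunnels describe "$tunnel" --region="$region" --format='value(status)'
  run gcloud compute routers get-status "$router" --region="$region" \
    --format='value(result.bgpPeerStatus[0].status)'
}

# Assumed GCP side: two VPCs, each with its own HA VPN gateway, Cloud Router,
# tunnel and /30. Keys are exported from a secret store, never pasted here.
PSK_A="${PSK_A:-replace-me}"; PSK_B="${PSK_B:-replace-me}"
attach_vpc vpc-a 198.51.100.11 64514 169.254.21.2 "$PSK_A"   # peers with Azure 169.254.21.1
attach_vpc vpc-b 198.51.100.12 64516 169.254.22.2 "$PSK_B"   # peers with Azure 169.254.22.1
check_status vpc-a us-central1 tun-vpc-a-0 cr-vpc-a
check_status vpc-b us-central1 tun-vpc-b-0 cr-vpc-b
```

The two Cloud Routers use different ASNs (64514 and 64516, both distinct from the Azure gateway's 64515) and different /30s, so each BGP session on Azure is unambiguous. Azure does not forward traffic between the two GCP VPCs through this gateway by default; if that is required it is a separate design decision, not a side effect of attaching both.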

Conclusion:

This guide has walked through establishing an IPsec VPN with BGP between Google Cloud Platform (GCP) and Azure, which enables workload migration and multi-cloud operation over private addresses. The pieces that matter are GCP's dynamic routing via Cloud Router, HA VPN on the GCP side, and Azure's Virtual Network Gateway with a Local Network Gateway and Connection per GCP VPC. Keep the ASNs distinct and private, keep each tunnel on its own link-local /30, generate the pre-shared key randomly and store it in a secret manager, and verify both the tunnel state and the BGP session before declaring the link ready.

Blog Pundits: Rajat Vats and Sandeep Rawat
