In this section, we will create an OpenBSD VM with two NICs as well as the underlying infrastructure needed to support this scenario (e.g. VNet, subnets, routes and others). The following diagram illustrates this architecture:
To send traffic from our Azure VNet back to the AWS VPC, we will set up the following route:
Destination | Target | Notes |
---|---|---|
172.31.0.0/16 | 10.0.1.4 | OpenBSD's private NIC IP address |
- Create a Resource Group
- Create a VNet with a large network (e.g. 10.0.0.0/16)
- Carve 3 subnets (k8sDataTier, Management, VPN)
- Create the OpenBSD VM with two NICs (via Azure CLI)
- Enable IP forwarding on each NIC
- Add the route to Azure (e.g. 172.31.0.0/16) on the UDR
- Allow traffic on the Security Groups (UDP ports 500 and 4500)
- Attach a Public IP to the OpenBSD interface on the VPN subnet
- Configure OpenIKED
NOTE: Bear in mind that you can use existing resources by adjusting your commands below.
```shell
# Define a Resource Group. This variable will be used along the way.
export AZURE_OPENBSD_RG=myOpenBSD_RG
az group create --name ${AZURE_OPENBSD_RG} --location westus2
```
Recall our subnet planning from the Before You Begin section:
Name | CIDR | Number of hosts |
---|---|---|
VPN | 10.0.0.128/25 | 126 |
Private | 10.0.0.0/19 | 8190 |
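Before running the `az` commands it is worth checking the plan on paper: Azure rejects subnets that overlap each other or fall outside the VNet prefix, and a UDR next hop must be an address inside one of the VNet's subnets. The following script is an added example (not part of the original walkthrough) that validates the VNet prefix, the subnet table above and the To-AWS route with Python's standard `ipaddress` module; the plan values are copied from this page, and the check functions are hypothetical helpers written for this example.

```python
import ipaddress

# Plan values copied from this page (constructed input for the check).
VNET = "10.0.0.0/16"
SUBNETS = {
    "VPN": "10.0.0.128/25",
    "Private": "10.0.0.0/19",
}
ROUTE = {"prefix": "172.31.0.0/16", "next_hop": "10.0.1.4"}  # To-AWS via the private NIC

# Azure reserves 5 addresses per subnet (network, default gateway, two DNS, broadcast).
AZURE_RESERVED = 5


def classic_hosts(cidr):
    """Host count as usually tabulated: all addresses minus network and broadcast."""
    return ipaddress.ip_network(cidr, strict=True).num_addresses - 2


def azure_assignable(cidr):
    """Addresses Azure will actually hand out in the subnet (5 are reserved)."""
    return max(ipaddress.ip_network(cidr, strict=True).num_addresses - AZURE_RESERVED, 0)


def check_plan(vnet, subnets, route):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    vnet_net = ipaddress.ip_network(vnet, strict=True)
    nets = {}

    # Every subnet must be a valid prefix (host bits zero) and sit inside the VNet.
    for name, cidr in subnets.items():
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            findings.append(f"{name}: {cidr} is not a valid network prefix ({exc})")
            continue
        nets[name] = net
        if not net.subnet_of(vnet_net):
            findings.append(f"{name}: {cidr} is outside the VNet {vnet}")

    # Subnets must not overlap each other; Azure refuses to create them if they do.
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                findings.append(
                    f"{a} ({nets[a]}) overlaps {b} ({nets[b]}); Azure rejects overlapping subnets"
                )

    # The route prefix must be remote (not the VNet itself) and the next hop
    # (the OpenBSD private NIC) must live inside one of the VNet's subnets.
    route_net = ipaddress.ip_network(route["prefix"], strict=True)
    hop = ipaddress.ip_address(route["next_hop"])
    if route_net.overlaps(vnet_net):
        findings.append(f"route prefix {route_net} overlaps the VNet {vnet}")
    if not any(hop in net for net in nets.values()):
        findings.append(f"next hop {hop} is not inside any VNet subnet")
    return findings


if __name__ == "__main__":
    for name, cidr in SUBNETS.items():
        print(f"{name:8} {cidr:16} hosts={classic_hosts(cidr)} assignable={azure_assignable(cidr)}")
    for finding in check_plan(VNET, SUBNETS, ROUTE) or ["plan is consistent"]:
        print(finding)
```

Run against the table above, the script reports that 10.0.0.128/25 lies inside 10.0.0.0/19, so those two prefixes cannot coexist as subnets of one VNet; adjust the CIDRs (or use the three-subnet split from the checklist) until `check_plan` returns an empty list before creating anything.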
```shell
az network vnet create \
--resource-group ${AZURE_OPENBSD_RG} \
--name ${AZURE_OPENBSD_RG}-VNet \
--address-prefix 10.0.0.0/16 \
--subnet-name ${AZURE_OPENBSD_RG}-VPN-subnet \
--subnet-prefix 10.0.0.128/25

az network vnet subnet create \
--resource-group ${AZURE_OPENBSD_RG} \
--vnet-name ${AZURE_OPENBSD_RG}-VNet \
--name ${AZURE_OPENBSD_RG}-private-subnet \
--address-prefix 10.0.0.0/19
```
Create the VPN NSG:
```shell
az network nsg create \
--resource-group ${AZURE_OPENBSD_RG} \
--name ${AZURE_OPENBSD_RG}-VpnNSG
```
Create the private NSG:
```shell
az network nsg create \
--resource-group ${AZURE_OPENBSD_RG} \
--name ${AZURE_OPENBSD_RG}-privateNSG
```
Allow SSH on the VPN NSG:
```shell
az network nsg rule create \
--name allow-ssh \
--nsg-name ${AZURE_OPENBSD_RG}-VpnNSG \
--resource-group ${AZURE_OPENBSD_RG} \
--priority 100 \
--protocol Tcp \
--destination-port-ranges 22
```
Create the first NIC for the VPN subnet:
```shell
az network nic create \
--resource-group ${AZURE_OPENBSD_RG} \
--name VpnNIC \
--vnet-name ${AZURE_OPENBSD_RG}-VNet \
--subnet ${AZURE_OPENBSD_RG}-VPN-subnet \
--network-security-group ${AZURE_OPENBSD_RG}-VpnNSG \
--ip-forwarding
```
Create the second NIC for the private subnet:
```shell
az network nic create \
--resource-group ${AZURE_OPENBSD_RG} \
--name privateNIC \
--vnet-name ${AZURE_OPENBSD_RG}-VNet \
--subnet ${AZURE_OPENBSD_RG}-private-subnet \
--network-security-group ${AZURE_OPENBSD_RG}-privateNSG \
--ip-forwarding
```
Create the route table and the To-AWS route (next hop is the OpenBSD private NIC):
```shell
az network route-table create \
--name ${AZURE_OPENBSD_RG}-Route-Table \
--resource-group ${AZURE_OPENBSD_RG}

az network route-table route create \
--name To-AWS \
--address-prefix 172.31.0.0/16 \
--next-hop-type VirtualAppliance \
--next-hop-ip-address 10.0.1.4 \
--resource-group ${AZURE_OPENBSD_RG} \
--route-table-name ${AZURE_OPENBSD_RG}-Route-Table
```
To confirm the entries:
```shell
az network route-table show -n ${AZURE_OPENBSD_RG}-Route-Table -g ${AZURE_OPENBSD_RG}
```
Next: Configuring AWS