Overview of the high-level configuration steps to set up HA VPN with Amazon Web Services (AWS):
- Create the HA VPN gateway and a Cloud Router. This creates 2 public IP addresses on the GCP side.
- Create two AWS Virtual Private Gateways. This creates 4 public addresses on the AWS side.
- Create two AWS Site-to-Site VPN connections and customer gateways, one for each AWS Virtual Private Gateway. Specify a non-overlapping link-local Tunnel IP Range for each tunnel, 4 total. For example, 169.254.1.4/30.
- Configure AES-256, SHA-2 and DH group 18 as the single Phase 1 and Phase 2 encryption algorithm, integrity algorithm and DH group number, so that only that one combination is offered.
- Download the AWS configuration files for the generic device type.
- Create four VPN tunnels on the HA VPN gateway.
- Configure BGP sessions on the Cloud Router using the BGP IP addresses from the downloaded AWS configuration files.
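The per-tunnel resources behind steps 4, 5, 7 and 8 of that list, written here as an added example with raw provider resources rather than the module's own code. It covers one of the two AWS connections (`vpn_alpha`) and assumes that `aws_customer_gateway.cgw_alpha`, `google_compute_ha_vpn_gateway.gateway`, `google_compute_router.router`, `google_compute_external_vpn_gateway.external_gateway` (with its interface 0 holding this connection's tunnel 1 public address) and `module.tgw-us-east-1` already exist; resource names are placeholders.

```hcl
# Added example (not the module's code). Assumed to exist elsewhere: aws_customer_gateway.cgw_alpha,
# google_compute_ha_vpn_gateway.gateway, google_compute_router.router, google_compute_external_vpn_gateway.external_gateway, module.tgw-us-east-1.
resource "aws_vpn_connection" "vpn_alpha" {
  customer_gateway_id = aws_customer_gateway.cgw_alpha.id
  transit_gateway_id  = module.tgw-us-east-1.this_ec2_transit_gateway_id
  type                = "ipsec.1"

  # Step 4: a distinct, non-overlapping link-local /30 per tunnel.
  tunnel1_inside_cidr = "169.254.1.4/30"
  tunnel2_inside_cidr = "169.254.1.8/30"

  # Step 5: offer exactly one Phase 1 / Phase 2 proposal so the peer cannot negotiate
  # down to weaker AWS defaults (needs aws provider >= 3.22.0); tunnel2_* takes the same six settings.
  tunnel1_phase1_encryption_algorithms = ["AES256"]
  tunnel1_phase1_integrity_algorithms  = ["SHA2-256"]
  tunnel1_phase1_dh_group_numbers      = [18]
  tunnel1_phase2_encryption_algorithms = ["AES256"]
  tunnel1_phase2_integrity_algorithms  = ["SHA2-256"]
  tunnel1_phase2_dh_group_numbers      = [18]
}

# Step 7: GCP side of tunnel 1 of this connection; the PSK comes straight from the AWS resource.
resource "google_compute_vpn_tunnel" "alpha_1" {
  name                            = "tunnel-alpha-1"
  vpn_gateway                     = google_compute_ha_vpn_gateway.gateway.id
  vpn_gateway_interface           = 0
  peer_external_gateway           = google_compute_external_vpn_gateway.external_gateway.id
  peer_external_gateway_interface = 0
  shared_secret                   = aws_vpn_connection.vpn_alpha.tunnel1_preshared_key
  router                          = google_compute_router.router.id
  ike_version                     = 2
}

# Step 8: BGP session using the inside addresses AWS assigned within the /30 above.
resource "google_compute_router_interface" "alpha_1" {
  name       = "if-alpha-1"
  router     = google_compute_router.router.name
  ip_range   = "${aws_vpn_connection.vpn_alpha.tunnel1_cgw_inside_address}/30"
  vpn_tunnel = google_compute_vpn_tunnel.alpha_1.name
}

resource "google_compute_router_peer" "alpha_1" {
  name            = "peer-alpha-1"
  router          = google_compute_router.router.name
  interface       = google_compute_router_interface.alpha_1.name
  peer_ip_address = aws_vpn_connection.vpn_alpha.tunnel1_vgw_inside_address
  peer_asn        = 64512 # amazon_side_asn
}
```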
## Usage

```hcl
module "tgw-us-east-1" {
  source  = "terraform-aws-modules/transit-gateway/aws"
  version = "1.1.0"

  name            = "tgw-example-us-east-1"
  description     = "TGW example shared with several other AWS accounts"
  amazon_side_asn = "64512"

  enable_auto_accept_shared_attachments = true
  ram_allow_external_principals         = true

  tags = {
    Purpose = "tgw example"
  }
}

module "cb-us-east-1" {
  source = "github.com/spotify/terraform-google-aws-hybrid-cloud-vpn"

  transit_gateway_id = module.tgw-us-east-1.this_ec2_transit_gateway_id
  # Network name or self_link; must be quoted (the bare identifier `default` is not valid HCL here).
  google_network     = "default"
  amazon_side_asn    = 64512
  google_side_asn    = 65534
}
```
References:

- https://cloud.google.com/files/CloudVPNGuide-UsingCloudVPNwithAmazonWebServices.pdf
- https://cloud.google.com/vpn/docs/how-to/creating-ha-vpn
## Requirements

| Name | Version |
|---|---|
| aws | >= 3.22.0 |
| google | >= 3.11.0 |
| google-beta | >= 3.11.0 |

## Providers

| Name | Version |
|---|---|
| aws | >= 3.22.0 |
| google | >= 3.11.0 |
| google-beta | >= 3.11.0 |
| random | n/a |

## Modules

No modules.
## Resources

| Name | Type |
|---|---|
| aws_customer_gateway.cgw-alpha | resource |
| aws_customer_gateway.cgw-beta | resource |
| aws_vpn_connection.vpn-alpha | resource |
| aws_vpn_connection.vpn-beta | resource |
| google-beta_google_compute_external_vpn_gateway.external_gateway | resource |
| google-beta_google_compute_ha_vpn_gateway.gateway | resource |
| google-beta_google_compute_router.router | resource |
| google-beta_google_compute_router_interface.interfaces | resource |
| google-beta_google_compute_router_peer.router_peers | resource |
| google-beta_google_compute_vpn_tunnel.tunnels | resource |
| random_string.suffix | resource |
| aws_region.current | data source |
| google_project.project | data source |
## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| transit_gateway_id | AWS Transit Gateway ID | string | n/a | yes |
| amazon_side_asn | BGP ASN number for the AWS side of the VPN | number | 64512 | no |
| aws_vpn_configs | AWS tunnel configs for aws_vpn_connection. This addresses this known issue. | map(any) | { | no |
| google_network | Google VPN network; can be either a name or a self_link | string | "default" | no |
| google_side_asn | BGP ASN number for the Google side of the VPN | number | 65534 | no |
| router_advertise_config | Router custom advertisement configuration; ip_ranges is a map of address ranges and descriptions. More info can be found at https://www.terraform.io/docs/providers/google/r/compute_router.html#bgp (Default: null) | object({ | null | no |
| suffix | String to identify the group of resources created by this module. This allows the module to be called multiple times in the same GCP project and AWS account; dev/staging/prod are example inputs. If not passed, a 10-character random string is assigned. | string | "null" | no |
## Outputs

| Name | Description |
|---|---|
| cloud_router | Map of Cloud Router attributes. The map matches the exported resources described in the docs: https://www.terraform.io/docs/providers/google/r/compute_router.html |
| ha_vpn_gateway_interfaces | List of objects with interface ID and IP addresses |
| transit_gateway_attachment_ids | Set of AWS Transit Gateway attachment IDs |