Free VPN between Azure and AWS

Request Demo

Create a VPN between Azure and AWS

Configuring Azure:

  1. Create a resource group on Azure to deploy the resources on that.
  2. Choose:
    • the subscription
    • the name
    • the region to be deployed
  3. Set the address space for the virtual network and for the subnet. Here I'm defining the virtual network address space to, changing the 'default' subnet name to 'subnet-01' and defining the subnet address range to

  4. Create the VPN Gateway:

    The Azure VPN Gateway is a resource composed of 2 or more VM's that are deployed to a specific subnet called Gateway Subnet where the recommendation is to use a /27. It contains routing tables and run specific gateway services. Note that you can't access those VM's.

    To create, go to your Resource Group, then click to + Add.

    Then fill the fields like below:

    • Subscription-
    • Name-
    • Region-
    • SKU-
    • Generation-
    • Virtual Network-
    • Gateway Subnet Address Range-
    • Public IP Adress Name-
    • Enable active-active mode- Disabled
    • Configure BGP- Disabled

    After click to Review + create, in a few minutes the Virtual Network Gateway will be ready.

Configuring AWS

  1. Create the Virtual Private Cloud (VPC)

  2. Create a subnet inside the VPC (Virtual Network)

  3. Create a customer gateway pointing to the public ip address of Azure VPN Gateway
  4. The Customer Gateway is an AWS resource with information to AWS about the customer gateway device, which in this case is the Azure VPN Gateway.

  5. Create the Virtual Private Gateway then attach to the VPC:
    • Name Tag-
    • ASN- Amazon Default ASN
    • Click- Create VPC
    • Attach to VPC
    • Select the VPC to attach to the virtual private gateway.
    • Click, Yes Attach.

  6. Create a site-to-site VPN Connection
    • Name tag-
    • Target Gateway Type-
    • Virtual Private Gateway-
    • Customer Gateway- Existing
    • Customer Gateway ID-
    • Routing Options- Static
    • Static IP Prefixes-
    • Tunnel inside IP version- IPv4
    • After fill the options, click to create.

  7. Download the configuration file:
  8. Please note that you need to change the Vendor, Platform and Software to Generic since Azure isn't a valid option:
    • Vendor-
    • Platform-
    • Software-

    In this configuration file you will note that there are the Shared Keys and the Public Ip Address for each of one of the two IPSec tunnels created by AWS:

    IPSec Tunnel 1:

    • IKE Version- IKEv1
    • Authentication Method- Pre-shared key
    • Pre-shared Key-
    • Authentication Algo- sha1
    • Encryption Algo-
    • Lifetime-
    • Phase 1 negotiation Mode- main
    • Diffie Hellman- Group 2

    IPSec Configuration:

    • Protocol-
    • Authentication Algo-
    • Encryption Algo-
    • Lifetime-
    • Mode-
    • Perfect Forward Secrecy

    Outside IP Addresses:

    • Customer Gateway-
    • Virtual Private Gateway-

Adding the AWS information on Azure Configuration:

  1. Now let's create the Local Network Gateway:
  2. The Local Network Gateway is an Azure resource with information to Azure about the customer gateway device, in this case the AWS Virtual Private Gateway.

    Now you need to specify the public ip address from the AWS Virtual Private Gateway and the VPC CIDR prefix.

    Please note that the public address from the AWS Virtual Private Gateway is described at the configuration file you have downloaded.

    As mentioned earlier, AWS creates two IPSec tunnels to high availability purposes.

  3. Then let's create the connection on the Virtual Network Gateway:
  4. You should fill the fields according below. Please note that the Shared key was obtained at the configuration file downloaded earlier.

    Add connection:

    • Name-
    • Connection Type- Site-to-site IPSec
    • Virtual Network Gateway-
    • Local Network Gateway-
    • Shared Key-
    • IKE Protocol- IKEv2

    After a few minutes, you can see the connection established.

    In the same way, we can check on AWS that the 1st tunnel is up.

    Now let's edit the route table associated with our VPC by clicking on route tables on the left-side bar menu.

    And, add the route to Azure subnet through the Virtual Private Gateway, and save.

  5. Adding High Availability
  6. Now we can create a 2nd connection to ensure high availability. To do this let's create another Local Network Gateway which we will point to the public ip address of the IPSec tunnel #2 on the AWS.

    Then we can create the 2nd connection on the Virtual Network Gateway:

    Add Connection:

    • Name-
    • Connection Type-
    • Virtual Network Gateway-
    • Local Network Gateway-
    • Shared Key (PSK)-
    • IKE Protocol- v2

    And in a few moments, we'll have:

    VPN Azure AWS connections-

    • Connection Azure AWS
    • Connection Azure AWS Standby

    Create VPN Connection-

    Tunnel 1:

    • Outside IP Address-
    • Inside IPv4 CIDR-
    • Status-Up

    Tunnel 2:

    • Outside IP Address-
    • Inside IPv4 CIDR-
    • Status-Up

    With this, our VPN connection is established on both sides and the work is done.

About Vast Edge - Simplified Cloud Solutions

Since 2004, Vast Edge has been providing cloud services including ERP implementation, integrations, migrations, data analytics, and application development. Vast Edge has recently been recognized in the Forbes Magazine as the top velocity partner and is also a certified Oracle Azure, Google, AWS cloud partner.
In these tough times, due to COVID-19 Pandemic, Vast Edge is offering Digital Transformation, Free Cloud Assessments, Free Bronze support for CSP customers, and Free access to software tools such as ticketing, finance, CRM (limitations apply) Contact us for cloud provisioning at competitive pricing, backed by a team of 100+ certified and experienced staff with high quality 24 x 7 help desk support.


Get in touch with us

Hello! 👋 How can we help you today?