Establishing secure connectivity in-between Azure/AWS and point-to-site to AWS cloud
Client required site-to-site connectivity between Azure and AWS cloud, along with point-to-site established to AWS. So, a wide area network is established between Azure and AWS over VPN. Also, employees working from home can connect to AWS over a point-to-site VPN tunnel.
- Infrastructure consisted of highly available Azure VM and EC2 instances hosting business critical LOB applications. Azure infrastructure also consisted of Azure SQL databases, WebApps, SQL servers and SAP servers cluster. Services deployed in either cloud should be able to communicate with each other over internal IP addresses.
- Existing active directory (ADDS) and certificate authority (ADCA) infrastructure is to be used to generate certificates for RRAS.
- Contractors working in AWS infrastructure should be able to connect seamlessly with backend services running in azure and vice versa.
- Whitelisting of port, protocol and IP addresses are to be done.
- Deploying Microsoft RRAS and configuring it to act as VPN remote access server in AWS. This VPN server should act as the single endpoint for ingress and egress data.
- In Azure VPN gateway service is to be configured to act as infrastructure endpoint.
- Certificates authored by active directory certificate authority (ADCA) are to be used to configure RRAS
- VPC peering and Vnet peering should be configure
Using Active directory certificate authority client-server certificates are generated for RRAS configuration. These certificates are used by remote clients to establish a P2S connection to AWS EC2 instance AWS VPN server configuration:
An EC2 instance with windows server 2016 is created to act as VPN remote access server. This server will be used to establish VPN tunnel in later part of the configuration. RRAS server role is installed in this instance. Upon installation of RRAS server, it is configured to accept and establish VPN tunnel with Azure Gateway. Here pre-shared key is used for authentication during metadata handshake.
Azure VPN Gateway:
Azure VPN gateway act as endpoint in azure for ingress/egress traffic. It is deployed then configured to accept and establish VPN tunnel from RRAS server in AWS.
Another service in Azure called as local gateway is to be configured. In local gateway configuration IP address range of AWS is entered along with public IP address of RRAS server.
This service in azure is deployed and configured to initiate the VPN tunnel creation. Pre-shared key used during RRAS configuration is entered here to validate the metadata handshake.
Remote VPN client configuration:
In remote user machine VPN client is configured. Using this native client these machines can connect to RRAS server in AWS securely over P2S VPN tunnel.
To allow traffic to pass through gateway network in Azure/AWS cloud peering is configured. After peering of the networks traffic can propagate to core network on both sides.
Whitelisting port, protocol & IP addresses:
Only Public IP address of the adjourning cloud are whitelisted on either side to insure network traffic originated from outside is not accepted by either cloud.
We were able to achieve automatic replication of all the aspects of infrastructure from AWS to Azure. Even if S3, RDS, CloudFront, etc. services were down the system could just substitute the Azure services with AWS ones. Even if entire AWS was down, a Azure ARM template could start the entire system into Azure within a few mins with minimal human intervention. We achieved substantial DR capabilities without increasing the monthly costs much.