2

Having found solutions for building a site-to-site VPN between Azure and AWS using a software VPN server, I'm asking myself if it's possible to connect the VPN gateways (Azure VNET / AWS VPC) directly.

Is there a limitation that forbids it?

Bastien Semene

5 Answers

6

I spent some time working on this today, and as far as I can tell, it is not currently possible. While you can get the gateway IP addresses and pre-shared keys synced up, you don't seem to have any control over the IKE parameters for either cloud provider's gateways. AWS wants to use AES-128-CBC, and Azure wants to use AES-256, and that's all she wrote. (Azure may also not yet support group 2 PFS for the IPSEC parameters, but since I couldn't actually get that far, I don't know if there would be a way to address that problem.)

Unless I'm mistaken, it looks like using a software VPN on one side or the other is required for now.

Falcon Momot
Dave Wyatt
  • Even though this comment is correct in the sense that it is not possible to accomplish this, the reasons are not a mismatch on chosen ciphersuites. The reason is AWS is IKEv1 only and Azure IKEv2 (except on their Basic SKU, which is policy-based, not compatible with AWS' route-based VPN) – Pedro Perez Jan 29 '19 at 09:18
0

I haven't tried it yet, but here is a very detailed walkthrough of how to set that up:

https://blogs.technet.microsoft.com/canitpro/2016/01/11/step-by-step-connect-your-aws-and-azure-environments-with-a-vpn-tunnel/

brendan
-1

Not technically. The only problem I've seen connecting AWS and Azure is that both services prefer to generate the shared key on "their side". I couldn't figure out how to get to the point where the same key was configured on both sides of the tunnel. That was a while ago, so the services/apis might have been updated to allow this by now.

Trondh
-2

Yes, you can do it. But on the Azure side you have to do all the config via XML files and the CLI manually; you can't do it via the web UI.

The cmdlet Set-AzureVNetGatewayKey is your friend :)

Geraint Jones
  • @Geraint Jones, would you mind giving us a more comprehensive version of how it can be done? I've managed to set the shared key. However, when I click connect, it doesn't work. – Sleeper Smith Nov 05 '15 at 09:10
  • @Geraint Jones, I also am looking for more details. I used the Azure CLI to set the PSK, but it fails without any useful error message. – daxlerod Jan 13 '16 at 21:19
  • Just to clarify, it is still not possible without using third-party tools like OpenVPN, RRAS, etc. @Dave Wyatt's answer is correct. Both sides expect different parameters for IPSEC; hence, the connection never closes. At the moment there's no way to change gateway parameters for either of them. – Bruno Faria Feb 03 '16 at 17:01
-3

Yes, you can do it without any problem. Here you have a step-by-step guide. It's in Spanish, but I think that you can understand it without problems using Bing Translator: http://www.microsofttranslator.com/bv.aspx?from=es&to=en&a=http%3A%2F%2Fenterprise.plainconcepts.com%2F2015%2F04%2Fconectando-microsoft-azure-con-amazon-web-services%2F

jangelfdez
  • That relies on having a Windows RAS server in AWS. You can do this using nothing but the VPN gateway devices provided by Azure and AWS. – Geraint Jones Jun 25 '15 at 10:07