AWS to Azure Connectivity Options and Setup Guide


If you're looking to connect your AWS resources to Azure, you have several options to consider.

AWS Direct Connect allows you to establish a dedicated network connection from your premises to an AWS Direct Connect location. This provides a more consistent and reliable connection than the internet, which is essential for mission-critical applications.

To set up AWS Direct Connect, you'll need to purchase a Direct Connect connection, which can be done through the AWS Management Console. This will give you a dedicated connection to the AWS network.

One of the key benefits of using AWS Direct Connect is that it allows you to bypass the public internet, reducing latency and improving overall performance.


AWS to Azure Connectivity Options

Connecting your AWS and Azure clouds gives your business more freedom and flexibility across the two providers. Multicloud networking is still evolving, but it is a worthwhile strategic goal once you have connected your clouds and identified the core applications and SaaS products your business and branches need to run smoothly.


You can connect an AWS environment to a Microsoft Azure one in three ways, each with its pros and cons. A VPN tunnel over the public internet is the most common method, but it is not the best-performing option.

You can take it a step further and connect the cloud providers' dedicated private connections, AWS Direct Connect and Azure ExpressRoute, to each other. This means that a customer's ExpressRoute circuit can communicate directly with their Direct Connect path, rather than just joining their entire AWS and Azure clouds.

Connecting Direct Connect and ExpressRoute has several everyday use cases, including large data migrations, multicloud workloads, and easier IT integration. This enables you to integrate your network without having to fully migrate your cloud workloads, which is especially useful for network mergers.

There are three recommended ways to connect your Direct Connect and ExpressRoute workloads for better performance and compatibility:

  • Using your data center.
  • Virtual Network Function (VNF).
  • Carrier Private IP-VPN Multiprotocol Label Switching (MPLS).

Each of these connection methods can prove beneficial for your enterprise, depending on how you intend to design and take advantage of your multicloud network.

Megaport offers a simplified way to connect your clouds, allowing you to connect at Layer 3 in an instant. With Megaport Cloud Router, you can privately peer between leading cloud providers such as AWS and Azure, without the need to learn the ins and outs of network engineering.


Setting Up a VPN


To establish a secure and private connection between Azure and AWS, you'll need to set up a VPN. This involves creating a virtual private gateway in AWS and connecting it to your Azure virtual network gateway.

You'll need to create a virtual private gateway in AWS, which involves specifying a name, ASN, and VPC. For example, you can use the name "AzureGW" and the Amazon default ASN (64512). You'll also need to attach the gateway to a VPC, such as VPC1.

In Azure, you'll need to create a local network gateway, which involves specifying the IP address of the AWS virtual private gateway. For example, you can use the outside IP address 52.30.50.45.

To create a site-to-site VPN connection, you'll need to specify the tunnel settings, including the pre-shared key. For example, you can use a secure key for tunnel 1 and a different key for tunnel 2.

Here's a summary of the key settings you'll need to configure:

  • AWS virtual private gateway: name AzureGW, Amazon default ASN (64512), attached to VPC1.
  • Azure local network gateway: IP address set to the AWS outside IP address (52.30.50.45 in the example).
  • Site-to-site VPN connection: a distinct pre-shared key for tunnel 1 and for tunnel 2.

By following these steps and configuring the key settings, you'll be able to establish a secure and private connection between Azure and AWS. This will enable you to transfer data securely, create hybrid architectures, and meet regulatory and compliance requirements.

Customer and Network Configuration


To connect your AWS customer gateways to Azure, you'll need to create local network gateways in Azure for each of your four AWS tunnels. This involves navigating to the Local network gateway resource in the Azure portal, selecting Create, and entering a name for your local network gateway.

You'll also need to configure the IP address, which should be the Outside IP Address from AWS for the tunnel you're creating. Leave the Address Space blank and select Advanced to configure the BGP settings. On the AWS side, the Customer Gateway (CGW) should use dynamic routing, with the BGP ASN set to 65413 and the IP address set to the public IP assigned to the Azure VNG.

Add the Azure Local Network Gateway (LNG) to your subscription, ticking the Configure BGP settings box. The LNG describes the AWS end of the tunnel, so the ASN to use is the AWS one, 65412, and the BGP peer IP is the AWS end of the tunnel, 169.254.21.1.

Here's a summary of the required settings:

  • Azure local network gateway: one per AWS tunnel, IP address set to that tunnel's AWS Outside IP Address, Address Space left blank.
  • AWS customer gateway: routing Dynamic, BGP ASN 65413, IP address of the Azure VNG.
  • Azure LNG BGP settings: ASN 65412 (the AWS end), BGP peer IP 169.254.21.1 (the AWS end of the tunnel).

MPLS to Public Cloud


Connecting to the public cloud is a critical factor in deploying a modern network. Enterprises transitioning from MPLS to SD-WAN networks need to consider this.

Accessing hyperscale cloud providers wasn't a top priority when private MPLS networks were deployed. However, today it's a crucial aspect of network deployment.

Organisations are usually locked into their existing topology by the cost of deploying a large-scale MPLS network, so they are stuck with their current network setup.

Adding multiple clouds and managing connectivity to hyperscalers on an existing MPLS platform is typically slow, costly, and complex.

Configuration

To configure your AWS customer gateways, you'll need to create a virtual private gateway in AWS and a local network gateway in Azure. This will allow you to establish a site-to-site VPN connection between the two.

In Azure, you'll need to create a local network gateway for each of your four AWS tunnels, specifying the outside IP address for each tunnel. You'll also need to configure BGP settings, using the ASN from AWS (65412) and the BGP peer IP address from AWS (169.254.21.1).


You can choose to use default APIPA addresses or set up custom APIPA addresses. If you choose to use custom APIPA addresses, you'll need to reserve space for two IP addresses in your AWS /30 inside CIDR. For example, if you set your AWS Inside IPv4 CIDR to be 169.254.21.0/30, AWS will use the BGP IP address 169.254.21.1 and Azure will use the IP address 169.254.21.2.

Here's a summary of the APIPA configuration you'll need to set up:

  • AWS Inside IPv4 CIDR: 169.254.21.0/30 (a /30 with room for both BGP addresses)
  • AWS BGP IP address: 169.254.21.1
  • Azure custom BGP address: 169.254.21.2

In Azure, you'll need to create a connection for each of your four AWS tunnels. You can use the default APIPA configuration or the custom APIPA addresses you reserved earlier; if you choose custom addresses, you'll need to configure the primary and secondary custom BGP addresses for each tunnel's connection.

For example, for AWS Tunnel 1 to Azure Instance 0, you'll need to set up the following custom BGP addresses:

  • Primary custom BGP address: 169.254.21.2
  • Secondary custom BGP address: 169.254.21.6

You'll need to repeat this process for each of your four AWS tunnels, setting up the custom BGP addresses and creating a connection for each tunnel.
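The per-tunnel address derivation described above (AWS takes .1 and Azure .2 of each /30) is easy to get wrong by hand across four tunnels. As an added example that is not part of the original article, this Python script plans all four tunnels from their AWS Inside IPv4 CIDRs, checks that each Azure address falls inside the documented custom APIPA range (169.254.21.0 to 169.254.22.255), and rejects overlapping /30s; the two CIDRs for the second connection are assumed values.

```python
import ipaddress

APIPA_BLOCK = ipaddress.IPv4Network("169.254.0.0/16")
# Azure accepts custom APIPA BGP addresses only from this documented range.
AZURE_APIPA_LO = ipaddress.IPv4Address("169.254.21.0")
AZURE_APIPA_HI = ipaddress.IPv4Address("169.254.22.255")

def plan_tunnel(inside_cidr):
    """Derive both BGP peer addresses from one AWS 'Inside IPv4 CIDR'.

    AWS takes the first usable host (.1) and Azure the second (.2), as the
    text describes for 169.254.21.0/30.  Raises ValueError when the CIDR is
    not a /30 in link-local space or when Azure's address leaves its range.
    """
    net = ipaddress.IPv4Network(inside_cidr, strict=True)
    if net.prefixlen != 30 or not net.subnet_of(APIPA_BLOCK):
        raise ValueError(f"{inside_cidr}: AWS needs a /30 inside 169.254.0.0/16")
    aws_ip, azure_ip = list(net.hosts())  # a /30 has exactly two usable hosts
    if not AZURE_APIPA_LO <= azure_ip <= AZURE_APIPA_HI:
        raise ValueError(f"{inside_cidr}: {azure_ip} is outside Azure's APIPA range")
    return {"inside_cidr": str(net), "aws_bgp_ip": str(aws_ip),
            "azure_bgp_ip": str(azure_ip)}

def plan_tunnels(inside_cidrs):
    """Plan every tunnel, rejecting overlapping /30s so that each tunnel
    gets its own distinct pair of BGP peer addresses."""
    plan, seen = [], []
    for cidr in inside_cidrs:
        entry = plan_tunnel(cidr)
        net = ipaddress.IPv4Network(entry["inside_cidr"])
        clash = next((o for o in seen if net.overlaps(o)), None)
        if clash is not None:
            raise ValueError(f"{cidr} overlaps {clash}")
        seen.append(net)
        plan.append(entry)
    return plan

def plan_error(inside_cidrs):
    """Return the first validation error for a plan as text, or None if sound."""
    try:
        plan_tunnels(inside_cidrs)
        return None
    except ValueError as exc:
        return str(exc)

# Constructed sample: the two CIDRs from the text (connection 1) plus two
# assumed CIDRs for connection 2, giving the four tunnels the text refers to.
FOUR_TUNNELS = ["169.254.21.0/30", "169.254.22.0/30",
                "169.254.21.4/30", "169.254.22.4/30"]
```

Running `plan_tunnels(FOUR_TUNNELS)` yields Azure custom BGP addresses 169.254.21.2, 169.254.22.2, 169.254.21.6 and 169.254.22.6, matching the primary/secondary pair shown above for Instance 0.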


In AWS, you'll need to create a virtual private gateway and a customer gateway. The virtual private gateway will be used to connect to the Azure VPN gateway, while the customer gateway will be used to connect to your on-premises network.

You'll need to specify the following settings for the virtual private gateway:

  • Name: AzureGW
  • ASN: Amazon default ASN (64512)
  • VPC: Attached to VPC1

You'll also need to specify the following settings for the customer gateway and the site-to-site VPN connection that uses it:

  • Name: ToAzureInstance0
  • Target Gateway Type: Virtual Private Gateway
  • Virtual Private Gateway: AzureGW
  • Customer Gateway: Existing
  • Customer Gateway: ToAzureInstance0
  • Routing Options: Dynamic (requires BGP)
  • Local IPv4 Network CIDR: 0.0.0.0/0
  • Tunnel Inside IP Version: IPv4
  • Inside IPv4 CIDR for Tunnel 1: 169.254.21.0/30
  • Pre-Shared Key for Tunnel 1: choose a secure key
  • Inside IPv4 CIDR for Tunnel 2: 169.254.22.0/30
  • Pre-Shared Key for Tunnel 2: choose a secure key
  • Startup Action: Start

VPN Configuration and Requirements

To establish a secure connection between Azure and AWS, you'll need to configure a VPN. A VPN connection between Azure and AWS serves several critical purposes, including data transfer, hybrid architectures, redundancy, and compliance.

The AWS VPN endpoint is configured using the CGW and a Transit Gateway. In the AWS VPC console, create a new site-to-site VPN connection, choose Transit Gateway as the target gateway type, select the already deployed TGW, use the existing AWS CGW, and set the routing option to Dynamic.

The tunnel options are key for the BGP configuration, with the Inside IPv4 CIDR for Tunnel 1 set to 169.254.21.0/30 to match the Azure APIPA address on the VNG. A secure shared secret is also required, and you may need to edit the tunnel options for phase 1 and 2 encryption, integrity algorithms, and Diffie-Hellman group numbers.

Here are the key settings for the AWS VPN endpoint:

  • Target Gateway Type: Transit Gateway
  • Routing Option: Dynamic
  • Inside IPv4 CIDR for Tunnel 1: 169.254.21.0/30
  • Shared Secret: Secure and unique
  • Tunnel Phase 1 and 2 Configuration: Editable

Direct and ExpressRoute Benefits

Connecting your AWS Direct Connect and Azure ExpressRoute can bring numerous benefits to your organization. By doing so, you can enable secure data transfer between your Azure and AWS resources.

Data migration becomes more cost-effective and predictable over private connectivity. This is especially true for large data migrations, which can be faster and more reliable when done over a private connection.

Connecting your Direct Connect and ExpressRoute paths allows your organization to use "best of breed" product and pricing options in each cloud. This is a key advantage of multicloud connectivity, and holding data in both clouds also gives you a backup of your critical data in case of disaster.

Multicloud workloads can be supported by connecting both your AWS and Azure paths. This enables you to integrate your network without having to fully migrate your cloud workloads, which is especially useful for network mergers.

There are three recommended ways to connect your Direct Connect and ExpressRoute workloads: using your data center, Virtual Network Function (VNF), or Carrier Private IP-VPN Multiprotocol Label Switching (MPLS).

Here are the benefits of connecting your Direct Connect and ExpressRoute paths:

  • Secure data transfer between your Azure and AWS resources over private connectivity.
  • More cost-effective, predictable and reliable large data migrations.
  • "Best of breed" product and pricing choices in each cloud.
  • Support for multicloud workloads and network integration without a full migration.

IPSec Configuration

IPSec Configuration is a crucial aspect of establishing a secure connection between Azure and AWS. The protocol is used to encrypt and authenticate data being transmitted between the two cloud providers.

To configure IPSec, you'll need to set the routing option to Dynamic (requires BGP) for both site-to-site VPN connections. This ensures that routes are exchanged over the Border Gateway Protocol rather than configured statically, which the multi-tunnel setup relies on.

The tunnel options are also critical in IPSec configuration. For example, the Inside IPv4 CIDR for Tunnel 1 should be set to 169.254.21.0/30 to match the Azure APIPA address on the VNG. Similarly, the Inside IPv4 CIDR for Tunnel 2 should be set to 169.254.22.0/30.

Here's a summary of the IPSec configuration settings for both site-to-site VPN connections:

  • Routing Options: Dynamic (requires BGP)
  • Inside IPv4 CIDR for Tunnel 1: 169.254.21.0/30
  • Inside IPv4 CIDR for Tunnel 2: 169.254.22.0/30
  • Pre-Shared Key: a secure, unique key per tunnel

By following these IPSec configuration settings, you'll be able to establish a secure and reliable connection between Azure and AWS, enabling seamless data transfer and communication between the two cloud providers.
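The tunnel options discussed in this section and under "VPN Configuration and Requirements" (inside CIDRs, pre-shared keys, phase 1 and 2 algorithms) can be prepared as the `--options` document that `aws ec2 create-vpn-connection` accepts. As an added example that is not part of the original article, this Python script generates a CSPRNG-backed pre-shared key per tunnel that satisfies AWS's documented key rules (8-64 characters, alphanumerics, '.' and '_', not starting with '0') and pins IKEv2 with AES-256, SHA-256 and DH group 14; that algorithm set is an assumed choice supported by both gateways, and the key length of 32 is an assumption.

```python
import json
import secrets
import string

# AWS rules for site-to-site VPN pre-shared keys: 8-64 characters, only
# alphanumerics, '.' and '_', and the key must not start with '0'.
PSK_ALPHABET = string.ascii_letters + string.digits + "._"

def psk_is_valid(psk):
    """Check a key against the AWS constraints before it is sent anywhere."""
    return (8 <= len(psk) <= 64 and psk[0] != "0"
            and all(c in PSK_ALPHABET for c in psk))

def new_psk(length=32):
    """Generate a key from the OS CSPRNG (secrets, not random) that passes psk_is_valid."""
    if not 8 <= length <= 64:
        raise ValueError("AWS pre-shared keys must be 8-64 characters")
    while True:  # retry only when the first character happens to be '0'
        psk = "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))
        if psk_is_valid(psk):
            return psk

def tunnel_options(inside_cidr, psk):
    """One TunnelOptions entry for 'aws ec2 create-vpn-connection --options'.

    IKEv2 with AES-256 / SHA-256 / DH group 14 is pinned on both phases (an
    assumed choice) so the negotiation cannot fall back to the weaker
    proposals that are enabled by default."""
    if not psk_is_valid(psk):
        raise ValueError("pre-shared key violates AWS constraints")
    return {
        "TunnelInsideCidr": inside_cidr,
        "PreSharedKey": psk,
        "IKEVersions": [{"Value": "ikev2"}],
        "Phase1EncryptionAlgorithms": [{"Value": "AES256"}],
        "Phase1IntegrityAlgorithms": [{"Value": "SHA2-256"}],
        "Phase1DHGroupNumbers": [{"Value": 14}],
        "Phase2EncryptionAlgorithms": [{"Value": "AES256"}],
        "Phase2IntegrityAlgorithms": [{"Value": "SHA2-256"}],
        "Phase2DHGroupNumbers": [{"Value": 14}],
        "StartupAction": "start",
    }

def connection_options(cidrs=("169.254.21.0/30", "169.254.22.0/30")):
    """Full --options document; each tunnel gets its own freshly generated key."""
    return {"TunnelOptions": [tunnel_options(c, new_psk()) for c in cidrs]}

if __name__ == "__main__":
    print(json.dumps(connection_options(), indent=2))
```

The printed JSON can be passed as the `--options` value; the same keys must then be entered as the shared key on each Azure connection.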

Frequently Asked Questions

Is AWS transferable to Azure?

Yes, AWS instances can be migrated to Azure, and Azure Migrate is the recommended tool for a smooth migration process.
