Want to connect you services in AWS and OCI? Both clouds offer LAN-to-LAN VPN services, but they are normally used to connect from the Cloud to On-Premise. In this article I will explain how you can connect the OCI and AWS VPN services directly with each other.
Step 1 – Setting up non overlapping Private Networks
So to start off, let’s make sure you have a VPC on AWS and a VCN on OCI with non overlapping CIDR ranges. I am using for OCI 10.0.0.0/16 and for AWS 10.1.0.0/16. This is up to you, as long as the ranges do NOT overlap!
Step 2 – Creating the IPSEC tunnel on AWS
You need to first setup the IPSEC (Site-to-Site VPN Connection) on AWS. As only AWS allows you later to change the Customer Gateway/Customer-Premises Equipment.
You first need to create a “dummy” Customer Gateway, as you do not know the IP address of the OCI IPSEC gateway yet.
You can specify pretty much anything you want, as you will later create a new Customer Gateway with the correct information.
Next, you need to create a Virtual Private Gateway, this will be the routing service on the AWS side (like the DRG on OCI).
After the Virtual Private Gateway is created, attach it to your VPC.
Now you can create on AWS side the IPSEC tunnel (Site-to-Site VPN Connection). Let’s call this AWS-to-OCI-1, #1 because if you want a redundant connection you later need to connect a 2nd one. Make sure you have the Routing Options set to Dynamic (requires BGP)
All the other settings (tunnel settings) can stay as-default empty.
While the VPN is being setup (takes a few minutes), you can download the configuration. You will need the information from that document to setup the IPSEC tunnels on OCI
Download the configuration, select “Generic”for the Vendor/Platform.
IMPORTANT: Check that the Pre-Shared key ONLY contains Letters and Numbers. OCI does not support . and _ !! (while AWS does, but AWS does not support spaces). You can also specify your own Pre-shared keys, so you can make sure you only have Letters and Numers.
Example: The Pre-shared key in the above image is NOT correct, as it contains an underscore and this will not be accepted in OCI.
Step 3 – Creating the IPSEC tunnel on OCI
The first thing in OCI you need to create is a “Customer-Premises Equipment”, in this case not really a “customer-premises” but you will do this for the AWS-Premise 🙂 You will find the “Customer-Premises Equipment” option in the Network menu.
Click on the Create button and specify the AWS IPSEC Public IP address that you can find in the downloaded configuration file (See Image above)
If your VCN does not have a DRG (Dynamic Routing Gateway) yet, make sure you create one. You will find the DRG option again in the networking menu.
After you have created the DRG make sure you attach it to your VCN.
Click on the “Attach Dynamic Routing Gateway” and select the DRG you have created.
Now you can create a new IP SEC connection. You will find the IP SEC Connections also in the network menu.
IMPORTANT: Before you click on “Create IPSec Connection”, click on the “Show Advanced Options”!!!
You need to configure the Tunnel 1 and Tunnel 2 Settings, see the below image.
For tunnel 2, you just need to provide “dummy” information. Do make sure you set routing type to BGP.
You can create the IPSec Connection, this will take a few minutes.
You will now see the Public IP address for the “AWS-Tunnel1” on the OCI side. In my case 22.214.171.124. With this you now need to go back to AWS and create a new Customer Customer Gateway.
Step 3 – Create Correct New Customer Gateway on AWS
In AWS go to the Customer Gateways and click on “Create Customer Gateway””
For this gateway, use the IP Address of the Oracle VPN (not the dummy tunnel) and set the BGP ASN to Oracle = 31898.
After this is created, go to the Site-to-Site VPN Connection and click on “Actions – > Modify VPN Connection”
Change the target type for the Customer Gateway, and select here the newly (correct) configured Custer Gateway (that is using the actual OCI VPN IP).
AWS will update (modify) the VPN connection, this again takes a few minutes.
You are almost there! After AWS is done modifying the VPN Connection you should see on both sides that the tunnel is up.
Step 4 – Configure the Route Tables
The tunnel is UP, now you need to make sure that the route tables enable the actual flow of data. In AWS go to your Route Tables and click on Edit Routes.
Add a route for 10.0.1.0/24 (This is the CIDR range of the Subnet in OCI).
You need to do the same for the route to AWS in OCI. In OCI go to your VCN and click on Route-Tables. Click on the default-route-table and click on Add Route Rules
Add the route to the AWS Subnet, in my case 10.1.1.0/24
Step 5 – Configure your Network Security
Your VPN tunnel between OCI and AWS is now up and you have the correct routing, but both clouds by default do no allow any traffic to flow.
In OCI make sure you configure the Security List or Network Security Group to allow the traffic you want to allow to flow between OCI and AWS.
In AWS configure the Network ACLs and Security Groups to allow the traffic you want to allow to flow between OCI and AWS.
In my case I have allowed ICMP and SSH, so I can SSH and Ping between my instances. Lo and behold, I can ping between my instances using the Private IP Addresses. Both or neither need an Internet Gateway to connect to each other 🙂
Step 6 – Making the VPN Redundant
As both VPN services can only be configured with one On-premise IP address, you need to duplicate all the steps again to create a 2nd VPN connection, again with one active tunnel and one dummy tunnel.
In case one of the Tunnels goes down the BGP routing will automatically route thru the other tunnel (this can take a minute to fail over).
CREDITS: I want to thank Tom Walker, my Oracle Colleague fro Australia who did all the hard work of figuring out the setup with BGP routing. Thanks Tom!!!