Setup IPSec Tunnel between Microsoft Azure and Alibaba Cloud with VPN Gateway
By Lin En Shu, Solutions Architect
A Virtual Private Network (VPN) provides a means of communicating securely among remote hosts and private networks across a public WAN such as the Internet. Two private networks can be securely connected through a site-to-site VPN. To protect the VPN traffic while it crosses the WAN, the two sites establish an IP Security (IPSec) VPN tunnel.
An IPSec VPN tunnel protects the IP packets exchanged between remote networks or hosts and the VPN gateway located at the edge of each private network. IPSec includes protocols (IKE) for mutual authentication of the two gateways at the start of the session and for negotiating the cryptographic keys used during the session.
This solution guide aims to provide a walkthrough on how to establish an IPSec Tunnel between Microsoft Azure and Alibaba Cloud using VPN Gateway.
Solution Architecture
In this guide, the IPSec VPN Tunnel setup between Microsoft Azure and Alibaba Cloud using VPN Gateway will be based upon the following solution architecture.
Pre-Requisites and Preparation
- An Alibaba Cloud Account
- A Microsoft Azure Account
- Required environment setup information (public gateway IPs, private address spaces and IPSec/IKE parameters of both sides)
- Reference: Azure IPSec/IKE parameters for Site to Site VPN Gateway https://docs.microsoft.com/en-gb/azure/vpn-gateway/vpn-gateway-about-vpn-devices
- Create an Alibaba Cloud VPC
- Refer to this guide: https://www.alibabacloud.com/help/doc-detail/53604.htm
Alibaba Cloud — Setup VPN Gateway
1. Create VPN Gateway
Go to Products -> Virtual Private Cloud -> VPN Gateway and click the Create VPN Gateway button
Choose the region, peak bandwidth and VPC (which has been created) and press Buy Now.
Go back to the VPN Gateway console and note the VPN Gateway's public IP address; it is needed later for the Azure Local Network Gateway.
2. Create Customer Gateway
The Customer Gateway object represents the remote peer, i.e. the public IP of the VPN gateway in Microsoft Azure. That IP only exists once the Azure Virtual Network Gateway has been created, so either create it first or come back to this step afterwards.
Go to Virtual Private Cloud -> Customer Gateway and press Create Customer Gateway button
Enter Azure's VPN Gateway public IP into the IP Address field.
Go back to the Customer Gateway console to verify that the Customer Gateway IP has been registered correctly.
3. Create VPN Connection
Once the VPN Gateway in Alibaba Cloud and the Customer Gateway for Azure have been configured, the next step is to set up the VPN connection.
Go to Virtual Private Cloud -> VPN Connection and press Create VPN Connection button
Fill in the advanced configuration based on this table. The values highlighted in green (Azure's IPSec/IKE configuration: IKE version, encryption and integrity algorithms, DH/PFS group and SA lifetimes) must match exactly what the Azure side uses; if either phase is configured differently on the two sides, the IPSec tunnel cannot be established.
4. Add Route Entry in VPC
In order for ECS instances within this Alibaba Cloud VPC to reach the VMs in the Azure Virtual Network, a route entry needs to be added that sends traffic destined for the remote private network (Azure) through this VPN Gateway.
Once the VPN connection has been created, select the VPC and go to VRouters to add a route entry.
Enter the CIDR (Address Space) of Azure Virtual Network to destination CIDR Block, choose VPN Gateway as the next hop type and select the VPN Gateway created.
The IPSec VPN Tunnel setup in Alibaba Cloud side is now completed!
Microsoft Azure — Setup Virtual Network Gateway
1. Create Virtual Network
The steps here are similar, as Azure Virtual Network is the equivalent of Alibaba Cloud's VPC. The first step is to set up the Azure Virtual Network by pressing New -> Networking -> Virtual Network.
Enter all the required information. The most important field here is Address Space, the CIDR of Azure's private network; it must not overlap with the Alibaba Cloud VPC CIDR, otherwise traffic cannot be routed between the two sites.
Go to Virtual Networks to verify that it has been created successfully.
2. Create Virtual Network Gateway
Similarly, Azure Virtual Network Gateway is Alibaba Cloud’s VPN Gateway equivalent.
Create Azure Virtual Network Gateway by pressing New -> Networking -> Virtual Network Gateway.
Enter all the required information. The most important choice here is the Virtual Network created earlier.
3. Create Local Network Gateway
Azure Local Network Gateway is Alibaba Cloud’s Customer Gateway equivalent.
Create Azure Local Network Gateway by pressing New -> Networking -> Local Network Gateway.
Enter all the required information. The most important fields here are:
- IP address: Alibaba Cloud’s VPN Gateway IP
- Address space: Alibaba Cloud’s VPC CIDR
4. Create VPN Connection
Create an Azure VPN Connection by going to Virtual Network Gateway -> Connections -> +Add
Enter all the required information. The most important fields here are:
- Connection type: Site to site (IPSec)
- Shared key (PSK): This pre-shared key must be identical to the one entered in Alibaba Cloud during VPN Connection creation. It is the only thing authenticating the two gateways to each other, so use a long, randomly generated key and pass it between the two consoles out of band.
The IPSec VPN Tunnel setup in Microsoft Azure side is now completed!
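Before moving on to the connectivity test, it is worth checking on paper that what was typed into the two consoles is consistent: the IKE/IPSec parameters from step 3 on the Alibaba Cloud side and the Azure connection must match, the two address spaces must not overlap, and the PSK must be identical. The following script is an added example (not code from this guide, Alibaba Cloud or Microsoft). The parameter names, values and address spaces are constructed samples, not vendor defaults; the CIDRs 172.21.0.0/16 and 10.1.0.0/16 are assumed from the private IPs of the test servers used later, and the 32-character PSK minimum is this example's own policy.

```python
"""Pre-flight consistency check for a site-to-site IPSec tunnel.

Added example, not code from the guide, Alibaba Cloud or Microsoft.
Compares the IKE/IPsec settings and pre-shared key entered in the two
consoles, checks that the two private address spaces are disjoint, and
returns the route entry each side needs.  All values are constructed.
"""
import ipaddress
import secrets

# Parameters that must agree on both sides for phase 1 and phase 2 to succeed.
MATCH_KEYS = (
    "ike_version", "ike_encryption", "ike_integrity", "ike_dh_group",
    "ike_lifetime_s", "ipsec_encryption", "ipsec_integrity",
    "ipsec_pfs_group", "ipsec_lifetime_s",
)

# Constructed sample of what was typed into each console (assumed names/values).
ALIBABA_SIDE = {
    "ike_version": "IKEv2", "ike_encryption": "AES-256", "ike_integrity": "SHA-256",
    "ike_dh_group": "group14", "ike_lifetime_s": 28800,
    "ipsec_encryption": "AES-256", "ipsec_integrity": "SHA-256",
    "ipsec_pfs_group": "group14", "ipsec_lifetime_s": 3600,
    "psk": "correct horse battery staple",   # same on both sides, but short
    "local_cidr": "172.21.0.0/16", "remote_cidr": "10.1.0.0/16",
}
AZURE_SIDE = {
    "ike_version": "ikev2", "ike_encryption": "aes256", "ike_integrity": "sha256",
    "ike_dh_group": "group14", "ike_lifetime_s": 28800,
    "ipsec_encryption": "aes256", "ipsec_integrity": "sha256",
    "ipsec_pfs_group": "group2",             # deliberate phase-2 mismatch
    "ipsec_lifetime_s": 3600,
    "psk": "correct horse battery staple",
    "local_cidr": "10.1.0.0/16", "remote_cidr": "172.21.0.0/16",
}


def _norm(value):
    """Normalise console spellings so 'AES-256' and 'aes256' compare equal."""
    return str(value).lower().replace("-", "").replace("_", "")


def find_mismatches(side_a, side_b, keys=MATCH_KEYS):
    """Return the parameter names whose values differ between the two sides."""
    return [k for k in keys if _norm(side_a.get(k)) != _norm(side_b.get(k))]


def address_spaces_ok(cidr_a, cidr_b):
    """Routing across the tunnel only works if the two address spaces are disjoint."""
    net_a = ipaddress.ip_network(cidr_a, strict=True)
    net_b = ipaddress.ip_network(cidr_b, strict=True)
    return not net_a.overlaps(net_b)


def psk_ok(side_a, side_b, min_len=32):
    """PSK must be identical on both sides; min_len is this example's own policy."""
    a, b = side_a["psk"], side_b["psk"]
    return secrets.compare_digest(a.encode(), b.encode()) and len(a) >= min_len


def new_psk(nbytes=32):
    """Generate a random PSK to paste into both consoles."""
    return secrets.token_urlsafe(nbytes)


def route_entry(side):
    """The VPC/VNet route this side needs: remote CIDR via its own VPN gateway."""
    return {"destination": side["remote_cidr"], "next_hop": "vpn-gateway"}


def preflight(side_a, side_b):
    """Run all checks; an empty 'problems' list means the settings are consistent."""
    problems = []
    mismatches = find_mismatches(side_a, side_b)
    if mismatches:
        problems.append("IKE/IPsec parameter mismatch: " + ", ".join(mismatches))
    if (side_a["local_cidr"] != side_b["remote_cidr"]
            or side_b["local_cidr"] != side_a["remote_cidr"]):
        problems.append("each side's remote CIDR must equal the other side's local CIDR")
    if not address_spaces_ok(side_a["local_cidr"], side_b["local_cidr"]):
        problems.append("address spaces overlap; traffic cannot be routed across the tunnel")
    if not psk_ok(side_a, side_b):
        problems.append("pre-shared key differs or is shorter than 32 characters")
    return {"problems": problems,
            "routes": {"a": route_entry(side_a), "b": route_entry(side_b)}}


if __name__ == "__main__":
    result = preflight(ALIBABA_SIDE, AZURE_SIDE)
    for problem in result["problems"]:
        print("PROBLEM:", problem)
    print("routes:", result["routes"])
    print("suggested PSK:", new_psk())
```

Run as-is, the sample reports the PFS group mismatch and the short PSK; fix both dictionaries to reflect what is actually in the consoles and the script becomes a record of the agreed settings that can be re-checked when either side is edited later.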
Site-to-Site IPSec VPN Tunnel Test
1. VPN Connectivity Verification
Verify both sides' VPN connection status. The Alibaba Cloud side's VPN Connection should have the status "Phase 2 of IKE Tunnel Negotiation Succeeded", meaning both the IKE SA and the IPSec SA have been negotiated.
Microsoft Azure side’s VPN Connection should have the status of “Connected”.
2. Provision servers to test VPN Tunnel
In Alibaba Cloud, set up an ECS server in the same region and the same VPC as the VPN Gateway.
Refer to this guide to set up a Linux ECS server.
In Microsoft Azure, set up a virtual machine in the same region and the same virtual network as the Virtual Network Gateway.
Refer to this guide to set up an Azure Virtual Machine.
3. Test IPSec VPN Tunnel Connectivity Using Telnet
As a summary, here is the information for the test servers provisioned:

Site               Server Private IP
Alibaba Cloud      172.21.223.245
Microsoft Azure    10.1.0.4
Log in to the Alibaba Cloud server and telnet to the Azure server's private IP on SSH port 22. The result should show "Connected to <Azure VM's private IP>".
Log in to the Azure server and telnet to the Alibaba Cloud server's private IP on SSH port 22. The result should show "Connected to <Alibaba Cloud ECS private IP>".
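The telnet check above distinguishes only "connected" from "not connected". The following script is an added example (not part of this guide) that does the same probe from one side and separates the three outcomes a practitioner cares about: TCP connect failed (route, gateway or tunnel problem), port open but no SSH banner (wrong host or service), or an SSH identification line received. The loopback listener and the OpenSSH banner string are constructed so the script can be exercised without a real tunnel; TARGETS holds the private IPs of the guide's test servers and is assumed to still be current.

```python
"""Connectivity test across the tunnel: TCP reachability plus SSH banner read.

Added example, not code from the guide.  Run it on the Alibaba Cloud ECS
to probe the Azure VM, and vice versa.  The loopback listener below only
exists so the script can be exercised offline.
"""
import socket
import threading

# Private IPs of the guide's test servers (assumed still assigned).
TARGETS = {"alibaba_ecs": "172.21.223.245", "azure_vm": "10.1.0.4"}


def probe_ssh(host, port=22, timeout=5.0):
    """Return (tcp_reachable, banner).

    (False, None)          TCP connect failed: route, gateway or tunnel problem.
    (True, None)           port open but nothing SSH-like arrived: wrong host/service.
    (True, "SSH-2.0-...")  the peer's SSH identification line.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            try:
                data = sock.recv(256)
            except socket.timeout:
                return True, None
    except OSError:
        return False, None
    first_line = data.split(b"\n", 1)[0].strip().decode("ascii", "replace")
    return True, (first_line if first_line.startswith("SSH-") else None)


def probe_all(targets, port=22, timeout=5.0):
    """Probe every target; returns {name: (reachable, banner)}."""
    return {name: probe_ssh(ip, port, timeout) for name, ip in targets.items()}


def serve_banner_once(banner=b"SSH-2.0-OpenSSH_9.6\r\n"):
    """Throwaway loopback listener that sends `banner` to the first client.

    Constructed stand-in for the remote SSH server; returns the bound port.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handle():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return port


def closed_loopback_port():
    """Pick a loopback port with no listener (bind, read the number, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Offline demo: one fake SSH peer, one closed port.
    print("fake peer:  ", probe_ssh("127.0.0.1", serve_banner_once()))
    print("closed port:", probe_ssh("127.0.0.1", closed_loopback_port(), timeout=1.0))
    # On a real test server, probe the peer across the tunnel instead:
    # print(probe_all(TARGETS))
```

A (False, None) result for the peer while the gateway consoles both report the tunnel as up usually points at the route entry (Alibaba Cloud VRouter or Azure address space on the Local Network Gateway) or at a security group / NSG rule rather than at IPSec itself.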
Conclusion
This site-to-site IPSec VPN tunnel solution allows customers who consume services in both Alibaba Cloud and Microsoft Azure to have secure connectivity between the two sites over the internet.