Introducing VPNs in AWS
I was once told that you really become a network engineer when you can create a site-to-site VPN. Now, obviously, it's a lot more nuanced and complicated than that, but there IS something magical about bringing up tunnels. This set of videos covers exactly that, with an AWS flair to it. Let's dive in.
Understand VPN Fundamentals
What is it that VPNs really do? This may be a bit of a refresher for some of you, but for others, this may illuminate something that otherwise feels a bit mysterious. Let's talk about how you might implement site-to-site VPNs in your AWS environment.
Knowledge Check
What can your AWS VPN connect to?
- A. Azure Virtual Networks
- B. Colocation data center
- C. Headquarters and branches
- D. All of the above!
Verify your team's readiness — Request a Demo to verify practice assessments, completion reporting, and CSV / SCORM exports on the Team plan.
IPSec Phases
Site-to-site tunnels are greatly nuanced. There are many, many moving parts. If you were in a network security course (like studying for the CCNP Security or similar), you would probably spend a LOT of hours just studying the IPsec protocol, the phases, and the negotiation. I've done my best to condense this down for you into a couple of videos that will get you across the finish line. Start with the phases of IPsec below.
Knowledge Check
What phase is user data transported over the tunnel?
- A. Phase 2
- B. Phase 1
- C. Phase 3
- D. Phase 4
HAGLE
Now we get to the meat and potatoes of IPsec, and that's how data is securely transferred. With IPsec, there is a bit of a negotiation that takes place: a proposal, and a counteroffer, until both sides accept the deal. We call this the HAGLE.
Knowledge Check
What does the G stand for in HAGLE?
- A. Diffie-Hellman Group
- B. Gateway
- C. Guardian
- D. Guaranty
Prepping a Lab
Obviously we want to build a tunnel, so let's start with the prereqs. It will be hard to get the same results for everyone, because everyone's "local" side will be different. "Local" in this case means your non-AWS sites. In AWS terminology, AWS is the "remote" and everywhere else is your "local". For that matter, it's the same in Azure, too.
Knowledge Check
True or False: You must deploy an EC2 instance with a web server installed in order to configure a VPN.
Deploy the Gateways
Now we are going to deploy our "VPN appliances." I put it in quotes, because it's not a virtual appliance like a virtual firewall, but that is effectively what the gateways do. You'll actually deploy two gateways in AWS: the virtual gateway (remote) and the customer gateway (local).
Create the S2S Connection
Now is when the rubber starts to meet the road. This is where you will start to stand up the phases and HAGLE proposals, at least within AWS. Let's get that going and move on to the other side of the tunnel next.
Knowledge Check
What goes in the local IPv4 network CIDR?
- A. On-premises private subnets
- B. AWS private subnets
- C. AWS public IP subnet
- D. On-premises public IP subnet
Wrap Up the Tunnel Connection On Your Side (Azure)
The final step, of course, is to bring the connection up on your side of the tunnel. Since I've been working in Azure, we'll finish it up there. Don't feel too pressed if you don't understand the Azure stuff; just focus on the CONCEPTS.
Knowledge Check
True or False: Azure uses a similar tool to the Customer Gateway to represent the remote network called the Local Network Gateway.
CHALLENGE
You've been given the task of implementing a site-to-site VPN, and you feel certain that you've configured it correctly. However, when you create the final connection, the tunnel doesn't come to life. Your logs say something about a proposal mismatch. Knowing this means you are going to investigate the proposals, can you recall what HAGLE stands for and how each is used?
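As an added illustration (not part of the course material), here is a small Python model of the HAGLE negotiation described in the HAGLE section and of the proposal-mismatch diagnosis the challenge above asks for; the peers, public IPs, pre-shared key and proposal suites are constructed and are not real AWS or Azure defaults.

```python
"""Toy model of the HAGLE proposal negotiation behind an IPsec site-to-site tunnel.

Constructed example: every peer, IP address and proposal suite below is made up.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The five HAGLE parameters; both peers must offer an exactly matching set.
HAGLE_FIELDS = ("hash_alg", "auth", "group", "lifetime", "encryption")


@dataclass(frozen=True)
class Proposal:
    hash_alg: str     # H: hashing/integrity algorithm, e.g. "sha256"
    auth: str         # A: authentication method, "psk" or "cert"
    group: int        # G: Diffie-Hellman group number, e.g. 14
    lifetime: int     # L: SA lifetime in seconds, e.g. 28800 or 3600
    encryption: str   # E: encryption algorithm, e.g. "aes256"

    def mismatches(self, other: "Proposal") -> List[str]:
        """HAGLE fields on which this proposal and `other` disagree."""
        return [f for f in HAGLE_FIELDS if getattr(self, f) != getattr(other, f)]


@dataclass(frozen=True)
class Peer:
    name: str
    public_ip: str
    peer_ip: str                    # public IP this appliance is told to talk to
    psk: str                        # same value on both ends; AWS generates it
    phase1: Tuple[Proposal, ...]    # ordered preference list for the IKE (phase 1) SA
    phase2: Tuple[Proposal, ...]    # ordered preference list for the IPsec (phase 2) SA


def negotiate(initiator, responder) -> Optional[Proposal]:
    """First proposal in the initiator's order that the responder also accepts."""
    for candidate in initiator:
        if candidate in responder:
            return candidate
    return None


def diagnose(initiator, responder) -> List[Tuple[int, int, List[str]]]:
    """For every (initiator, responder) proposal pair, list the HAGLE fields that
    differ. This is the comparison to make when the logs report a proposal mismatch."""
    return [(i, j, a.mismatches(b))
            for i, a in enumerate(initiator)
            for j, b in enumerate(responder)]


def bring_up(local: Peer, remote: Peer) -> dict:
    """Walk the two-phase negotiation and report where it stops."""
    result = {"phase1": None, "phase2": None, "up": False, "errors": []}
    if local.peer_ip != remote.public_ip or remote.peer_ip != local.public_ip:
        result["errors"].append("peers are not pointed at each other's public IPs")
        return result
    p1 = negotiate(local.phase1, remote.phase1)
    if p1 is None:
        result["errors"].append("phase 1 (IKE) proposal mismatch")
        return result
    if local.psk != remote.psk:  # the auth method matched, but the key itself must too
        result["errors"].append("phase 1 authentication failed: pre-shared keys differ")
        return result
    result["phase1"] = p1
    p2 = negotiate(local.phase2, remote.phase2)  # negotiated inside the phase 1 tunnel
    if p2 is None:
        result["errors"].append("phase 2 (IPsec) proposal mismatch")
        return result
    result["phase2"] = p2
    result["up"] = True
    return result


# Constructed proposal suites (not real AWS or Azure defaults).
P1_STRONG = Proposal("sha256", "psk", 14, 28800, "aes256")
P1_LEGACY = Proposal("sha1", "psk", 2, 28800, "aes128")
P2_STRONG = Proposal("sha256", "psk", 14, 3600, "aes256")
P2_LEGACY = Proposal("sha1", "psk", 2, 3600, "aes128")
PSK = "constructed-psk-from-aws"


def aws_side(peer_ip: str) -> Peer:
    """The AWS virtual gateway, offering a strong suite first and a legacy fallback."""
    return Peer("aws-vgw", "203.0.113.10", peer_ip, PSK,
                (P1_STRONG, P1_LEGACY), (P2_STRONG, P2_LEGACY))


AZURE_SIDE = Peer("azure-vng", "198.51.100.20", "203.0.113.10", PSK,
                  (P1_STRONG,), (P2_STRONG,))
# An on-premises box whose only phase 1 suite uses DH group 5: no AWS suite matches it.
ONPREM_SIDE = Peer("onprem-fw", "192.0.2.30", "203.0.113.10", PSK,
                   (Proposal("sha1", "psk", 5, 28800, "aes256"),), (P2_LEGACY,))


if __name__ == "__main__":
    print(bring_up(aws_side(AZURE_SIDE.public_ip), AZURE_SIDE))
    print(bring_up(aws_side(ONPREM_SIDE.public_ip), ONPREM_SIDE))
    for i, j, diff in diagnose(aws_side(ONPREM_SIDE.public_ip).phase1, ONPREM_SIDE.phase1):
        print(f"AWS suite {i} vs on-prem suite {j}: differs on {diff}")
```

Running it brings the AWS-to-Azure pair up on the strong suites, while the on-premises pair stops at phase 1 and `diagnose` shows the H and G letters as the culprits.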
Knowledge Check
Will you use site-to-site VPNs in your environment?
Transcript
Introducing VPNs in AWS
0:00Welcome to the content on implementing a site-to-site VPN in AWS.
0:05The concept is relatively straightforward.
0:08The implementation is a bit more complex.
0:10We want our on-premises or other Cloud resources to reach
0:15our resources privately and securely that are hosted in AWS.
0:21This is the true mark of a hybrid environment,
0:24and it's critical to understand how to
0:26implement this in many environments today.
0:29In this set of demos, we're actually going to build a site-to-site VPN
0:33between AWS and Azure.
0:36But I want to stress this right now.
0:38The exam really only wants you to know the AWS side of things,
0:42because it's hard to assume you know how to implement
0:45a site-to-site VPN on every appliance that exists in the world today.
0:49The other end of a site-to-site tunnel could be connected to
0:52a Cisco appliance, Meraki, Juniper, Barracuda, Palo Alto,
0:56Checkpoint, and so on, and so on, and so on.
0:58So really, you need to focus in on the AWS side of things for the exam,
1:03but of course, in order to successfully implement one,
1:06you have to implement it on both sides.
1:08So to make things nice and easy,
1:10I'm going to implement it between AWS and Azure.
Understand VPN Fundamentals
0:00Now, wait a minute, this is an AWS course.
0:03Why would I have the Azure portal up on the screen?
0:06Well, I've also got AWS logged in here.
0:09That's true.
0:10I've got both because here's the thing,
0:12a really important part of today's
0:15entire technology ecosystem hinges on hybrid environments.
0:20Now, when we talk about hybrid environments,
0:25what are we really talking about?
0:26Let's give myself a little more room
0:28to doodle here for a second.
0:29When we talk about hybrid environments,
0:32we're really talking about something
0:35plus a cloud environment.
0:38I know this kind of goes down a rabbit hole
0:40just a little bit, but one of the real reasons
0:42we like having cloud environments
0:44is for the elasticity of it all.
0:48That's why you see a lot of the E's
0:50scattered throughout AWS, EBS, EC2, yada yada.
0:54That all stands for elasticity.
0:56The ability here is that we can quickly adapt
1:00to changes in demand.
1:02We can scale up, we can scale down,
1:04we can scale out, we can scale in
1:06and deploy resources on demand relatively quickly.
1:11It's a pay per month, kind of pay as you go,
1:15style service where you're focused in
1:18on operational expenditures or topics.
1:23Now, this being an advanced cloud course,
1:26the assumption is that you kind of understood
1:28these concepts already, but we're getting to why
1:32I'm talking about this in just a second.
1:34The other piece of this puzzle is very frequently things
1:38like an on-prem environment or a co-location
1:43slash data center environment.
1:45But here's the other thing that you probably didn't consider.
1:49This could also be another cloud.
1:52Hybrid environments aren't just physical and cloud,
1:56it could be cloud to cloud environments.
1:58You could have hybrid cloud environments.
2:01For very large enterprises, some of your applications
2:04might be built in AWS and some of your applications
2:07might be built in Azure.
2:09Ah, now that's why I had Azure up on the screen.
2:12And ultimately, we need all of these resources
2:16talking to each other.
2:19And yeah, that's what the internet was made for
2:22is to basically transfer traffic from point A
2:26to point B geographically.
2:28But the internet isn't very secure, is it?
2:31Again, advanced networking course, we already know this.
2:35So knowing that I can't have confidential data
2:38that was generated in cloud one,
2:40transferred to cloud two over the internet,
2:43what's a network engineer to do?
2:46Well, this is what VPN tunnels solve.
2:49This is what the problem is and what they solve.
2:52This is a virtual private network.
2:56And the idea, the very fundamental idea with a VPN
2:59is that we have an appliance running on one end here
3:04that is going to attempt to establish
3:07a secure connected encrypted tunnel to an appliance
3:12that exists on the other side.
3:14These are going to be connected via the public IPs
3:19that are part of the internet.
3:21That is how they reach each other
3:23is over the public internet.
3:25But they immediately do start establishing
3:28encrypted tunnels to each other.
3:30So when they want to transfer traffic from cloud A
3:36to cloud B or data center to cloud B
3:39or on-prem HQ to cloud B or vice versa,
3:43they're going to encrypt the data first,
3:45send it to the given public IP
3:48who is configured to receive and decrypt this data
3:51before transferring it inbound to the target location.
3:55Now, there are a bunch of different kinds of VPNs.
3:58The kind of VPN we are focused in on right here
4:01is known as a site to site VPN.
4:05Ultimately, the goal is that our private addresses
4:08right here like 192.168.whatever.whatever
4:13can communicate directly to our private addresses
4:17like 172.16.whatever.whatever
4:20on the cloud side of things.
4:23So a host from 192.168 generates a packet destined
4:30for 172.16.
4:32And without doing NAT or any type of stuff like that,
4:36we actually encrypt and encapsulate the payload,
4:40transfer it to the public IP of this appliance
4:43who then decrypts it
4:44and then is able to make a forwarding decision
4:46moving it on inbound that way.
4:49Now, site to site VPNs work really well
4:51because this stuff isn't changing.
4:55We're not mobile here.
4:56This building, this data center,
4:58this on-premises location is fixed
5:00and the subnets inside of it are for the most part fixed.
5:04Same thing with the cloud.
5:06We have a VPC up and running
5:09and it's going to have the subnet inside of it
5:12which is relatively fixed.
5:13So being that these resources aren't constantly on the move,
5:17we can deploy a tunnel to always be up
5:20and route traffic back and forth to each other.
5:23This stands in contrast to something
5:25like a remote access VPN
5:27where we have our end user who has a laptop
5:32and they're out there in the field.
5:33They can be coming from anywhere.
5:35In this case, this is really an on-demand VPN
5:40which is an entirely separate configuration
5:42and an entirely separate topic
5:45outside of what we're talking about today.
5:47Our core AWS exam objective in domain two
5:50is to establish site to site connectivity.
5:52Now, the last thing I'm going to say
5:55before we move on to the nitty gritty and the how to
5:58is on the AWS side of things.
6:00That's really what we're focused in on
6:02in this set of videos.
6:04Don't dwell too much on the Azure side of things.
6:08The thing is is when you establish a site to site VPN,
6:11you have to have both ends of it to bring it up.
6:15And your results are going to vary depending on what firewall
6:20or appliances you're working with.
6:22In your on-prem environment, you could be working with
6:25Meraki, Cisco, which, you know, owns Meraki, Juniper.
6:30You could work with Barracuda,
6:34you could work with Palo Alto, the list goes on and on and on
6:37and the setup of a site to site VPN is different
6:41from one appliance to the next.
6:43So AWS doesn't really care if you know how to set up
6:48these appliances or if you know how to set up an Azure Cloud VPN.
6:53That's not going to be on the exam.
6:54What's going to be on the exam is how do you do it
6:56on the AWS half of things?
6:59But you're not really going to know if you did it right
7:02unless you can configure the other half of the tunnel, right?
7:06So that's why I'm going to use Azure
7:08because it is, well, elastic.
7:10I can just deploy a virtual network gateway,
7:13which is the resource that you need
7:15to establish the other half of the site to site tunnel.
7:19So now you have an idea of where I'm going with this.
7:22In the next video, we're going to start talking
7:24about the nitty gritty details.
7:26Like what does it take to actually bring
7:28a site to site tunnel up?
7:30I hope this has been informative for you
7:31and I'd like to thank you for viewing.
IPSec Phases
0:00So now we're going to talk about the guts of IPsec.
0:03And the interesting thing about this is when you do
0:06Azure to AWS, you actually don't have to worry about this.
0:11You can really just accept the defaults and it just works.
0:16But of course, if you're working with on-premises
0:19appliances like Cisco, Juniper, Yada, Yada, Yada,
0:22yeah, you're going to have to absolutely know these
0:25and understand the two phase negotiation.
0:29You see, when we've been talking about site-to-site tunnels,
0:32the trick is it's not just a tunnel,
0:35it's actually two tunnels.
0:36Let's first talk about this
0:39because this is a really important thing to understand.
0:41You're going to see this even in the AWS configuration
0:44as well as the Azure configuration.
0:46Let's say this greenish-blueish color here
0:49is going to be my Azure appliance.
0:52And let's pretend it has a public IP of 1.1.1.1.
0:57I know that's Cloudflare's DNS server.
1:00We're just keeping it simple, hypothetical, bear with me.
1:04I promise, this all makes sense.
1:06Over here, we're going to have AWS's appliance.
1:10This is actually called a virtual gateway.
1:14In fact, both of these have really similar names
1:17with virtual gateway and virtual network gateway.
1:19So I'm just going to put VRT GW right here.
1:23It attaches to a VPC and it is able to basically
1:28make routing decisions while also handling the encryption
1:32of the data before it goes over the tunnel.
1:34We'll set this public IP to 2.2.2.2.
1:39When we configure the site-to-site VPN,
1:42we tell it you are going to talk to 1.1.1.1
1:46and you are going to talk directly to 2.2.2.2.
1:50IPsec is a protocol just like everything else
1:53in networking, so it's very rigid.
1:55It's very by the book.
1:56You don't get a whole lot of wiggle room to do here.
1:59So what's going to happen is the first thing they're going to do
2:03is they're going to establish what I'm going to call
2:06the control tunnel.
2:09Basically, we're going to establish a tunnel
2:13where just these two appliances talk back and forth
2:16to each other.
2:18We're basically saying, hey, I've got some data over here
2:22that I want to send to you.
2:23And you're going to say, hey, you've
2:25got some data that you want to send back to me.
2:28So let's use this tunnel right here, this encrypted tunnel,
2:33to determine, to basically negotiate
2:37how we're going to encrypt this data.
2:40So this is known as the phase 1 tunnel, also sometimes known
2:47as the IKE tunnel, as in Internet Key Exchange.
2:51And for a phase 1 tunnel to come up for them
2:54to even begin negotiating how to encrypt the data,
2:58there's a lot of parameters that have to be matched.
3:00We're going to talk about those parameters in just a second.
3:03Once we've established the phase 1 tunnel,
3:07then we can begin negotiating how the phase 2 tunnel, also
3:13frequently known as the IPsec tunnel, comes to life.
3:17So we use the phase 1 tunnel to negotiate
3:21how we're going to encrypt the data.
3:24Then once we've agreed how we're going to encrypt the data,
3:28we then create the tunnel inside the tunnel.
3:32So when data comes along from a server or something
3:36and it needs to be sent over here,
3:38it's going to be routed to the appliance.
3:42The appliance sees, oh, it's destined over here.
3:45Therefore, it must go over this tunnel.
3:48Therefore, it must be encrypted in this exact way.
3:52So that when the data transmits over this tunnel,
3:56this endpoint, because it knows how it was encrypted,
3:59because that's what we just negotiated, decrypts the data
4:03and then forwards it on to the endpoint like so.
4:06And return traffic is treated the exact same way.
4:09IPsec tunnels are two phase tunnels.
4:12And now you've seen how an IPsec tunnel comes to life.
4:17So now that we understand the phases, in the next video,
4:21we're going to talk about what actually gets negotiated
4:24for phase 1 and phase 2.
4:26It's one of my favorite things to talk about.
4:28And truth be told, I learned this from Keith Barker himself.
4:32I used to be a CBT Nuggets learner for a very long time
4:35before I ever worked for CBT Nuggets.
4:38So I want to stress this right now
4:40that Keith Barker taught it this way
4:43before I go into this.
4:45And it's just the best way that I'll ever remember
4:47how an IPsec tunnel comes to life.
4:51And I hope it drills its own for you.
4:52But for now, I hope this has been informative for you
4:55and I'd like to thank you for viewing.
HAGLE
0:00So that negotiation thing is a pretty big deal.
0:03What gets negotiated?
0:05What has to happen in order to bring a tunnel to life?
0:08I remember this because of what Keith said.
0:11Haggle.
0:12Negotiations can be a haggle, and in this case, they're quite literally a haggle.
0:18Phase one and phase two both require every parameter of haggle to exactly match
0:26in order
0:27for it to come to life.
0:28So what is haggle?
0:30The first one is the hashing algorithm.
0:35Hashing is more or less an authenticity check.
0:37Has the data been changed before it's transmitted?
0:41If I have data that I'm trying to send from point A to point B, what I might do
0:47is I
0:48might have my appliance generate a SHA-256 hash before it gets transmitted.
0:58Then it might come up being something like, you know, A, B, C, one, two, three.
1:03The data gets transmitted over the wire where the other appliance picks it up
1:08and it receives
1:09the data.
1:11And before it does anything else, it'll also generate a hash.
1:17Now it could generate if it's using it now, obviously it needs to use SHA-256
1:24so that
1:24it hopefully generates the same exact hash assuming the data hasn't been
1:28changed while
1:29in flight.
1:30If we were using, say, SHA-1, which is not safe at all, it's been proven to be
1:35broken
1:35at this point, you know, it obviously wouldn't come up with the same hash.
1:40So that's why we have to have the hashing algorithms check so that way or
1:44matching so
1:45that way we can ensure that the data hasn't been tampered with on both sides as
1:50it's in
1:51flight.
1:53So what comes next?
1:54We'll move a little bit down the spectrum of colors here and the A is for
2:00authentication.
2:02Do I actually trust the appliance on the other end?
2:06How do I know that it's really them at the end of the day?
2:09We can use traditional authentication methods.
2:13 99% of the time, I'm going to tell you, people use a pre-shared key like, hey, do you know what key you're supposed to be using right now, send the key back to me and I'll double check it.
2:24Now you can also use certificates as long as, of course, everybody trusts the
2:29same CA
2:30that generated the certificates, but that's what the authentication method does.
2:36Pre-shared keys are going to be really important.
2:38And I'm going to tell you right now, we're going to get the pre-shared key from
2:42the AWS
2:43side of things.
2:44AWS is going to generate the pre-shared key and we're going to drop it in the
2:48Azure side
2:49of things when we're done.
2:51Now this part is interesting.
2:53This is the G here.
2:55I didn't go in the, I know I didn't go in the order of the colors.
2:57I'm mixing it up a little bit.
2:59The G here is actually short for the Diffie Hellman group, very frequently
3:08known as just
3:09the group.
3:11The Diffie Hellman group is an algorithm for generating shared secrets, for
3:19generating
3:20secrets.
3:24When we actually go to encrypt the data itself, we can use a seed basically to
3:31help generate
3:32that data.
3:34The Diffie Hellman group is going to give us an algorithm where we can generate
3:38and agree
3:39upon a seed to use an encryption.
3:42If you've not seen Diffie Hellman groups, you usually see them written
3:45something like
3:46DH1, DH2, they get up to like weird numbers, they skip a lot and go to
3:52something like DH12
3:55or 13 or 14.
3:57You'll see when you can start digging into it that the Diffie Hellman groups
4:00are kind
4:00of like, they got just, you know, kind of scattered all over the place.
4:04Now what comes next in our haggle?
4:07I'm going to switch down to pink for this one, lifetime.
4:11How long in seconds should our tunnels be up for?
4:15This can be different for phase one and phase two.
4:19The idea is that we're rotating or generating new seeds for encryption every so
4:25often.
4:26You can even automate changing or rotation of pre-shared keys on the same
4:30schedule if
4:31that's what you want to do.
4:32You would just have to reconfigure the appliances to use the new pre-shared
4:36keys on that same
4:37schedule.
4:38Lots of times you see this as 28,800 seconds.
4:42That's kind of just been the de facto standard.
4:46Sometimes you see it as 3,600 seconds.
4:50And of course, the very last one, you know, the moment you've been waiting for,
4:54the thing
4:55that we all came here for in encryption itself.
5:00What is the encryption algorithm that we're going to be using to transmit the
5:04data?
5:04Lots of times you see this as things like AES-256, but we're even seeing bigger
5:10elliptical
5:11curve algorithms, encryption algorithms coming to market these days.
5:16So be on the lookout for whatever appliance you're using.
5:18You might use something even more secure and more robust than AES-256.
5:24Now phase one and phase two can both have different configurations for each of
5:31these.
5:32You can use one hashing algorithm for phase one and a different one for phase
5:37two.
5:37You can use a different PSK.
5:39Well, actually the pre-shared key, the pre-shared key's going to stay the same.
5:42I take that that part back.
5:44But you can use different Diffie-Hellman groups.
5:46You can have different lifetimes.
5:48And you can have different encryption algorithms between phase one and phase
5:53two.
5:54But it even gets cooler than that.
5:56When we configure our appliances, we actually can create proposal suites,
6:04basically saying,
6:05"Here's one of the haggle configurations I'm willing to accept."
6:11And if you don't have that one configured, let's fall back to the next one.
6:16And if you don't have that one configured, let's fall back to the next one.
6:21And they literally propose back and forth during phase one and phase two.
6:24They just negotiate back and forth until they find a matching proposal suite.
6:31Understand that the tunnel is not going to come up unless both sides have been
6:36configured
6:37to communicate directly to each other in the first place.
6:41So once we've got them pointed at each other's public IPs, we then have to have
6:46matching
6:47proposals for our haggle negotiations for both phase one and phase two.
6:54Now again, the interesting thing when configuring a site to site between Azure
6:58and AWS is you
7:00don't need to know any of this.
7:02You can just accept the defaults and it'll come up on its own.
7:05They have matching proposal suites somewhere in there already.
7:11The other good news is if you're not doing AWS to Azure, you'll configure your
7:16AWS configuration
7:17and then you'll say, well, I'm using Cisco on my side.
7:20I don't know what to do from here.
7:22It will literally download a script for you to run.
7:26It shows you all the commands you need to run on your appliance to bring the
7:29tunnel up.
7:30So in my opinion, they have made it relatively easy and straightforward to
7:35bring a site to
7:35site to AWS to life.
7:38Now, what have I done up until now?
7:41What have I scaffolded in preparation for that?
7:43Let's talk about that in the next video.
7:45Now we have the site to site fundamentals down.
7:47I hope this has been informative for you and I'd like to thank you for viewing.
Prepping a Lab
0:00So what have I done in preparation for this deployment?
0:03Absolutely nothing in AWS.
0:05I got NADA up and running in AWS.
0:08But in Azure, I went ahead and scaffolded a very basic virtual network.
0:13It's this one right here called site to site demo.
0:16Pretty straightforward.
0:17Now I want you to take a careful look at right here, the address space.
0:21 10.1.0.
0:23That's the block that's used inside of this.
0:26Now much like AWS's VPCs, we have subnets inside of it.
0:30Azure requires the VPN gateway to get its own dedicated subnet when you deploy
0:36it.
0:36So I've already gone ahead and provisioned that.
0:38For the most part, you don't really have to worry about this because nothing
0:41else can attach to that subnet, just the VPN gateway.
0:43My servers, though, are going to run in 10.1.0.
0:47So I went ahead and deployed a basic virtual machine right here called site to
0:52site AZ.
0:53It does have a public IP that I can use to SSH in and configure it, but it's got a private IP address 10.0.0.4 right there.
1:01I want to be able to ping from my private IP address to a private IP that's
1:08running in AWS or vice versa, regardless of what my public IP says.
1:12And in order to do that, it'll traverse over a virtual network gateway.
1:17Now I especially went ahead and pre-provisioned this before I started recording
1:22because this thing takes a really long time to deploy, like at least 40 minutes
1:27is what it takes to deploy one of these.
1:29So go ahead and click in here.
1:32You should consider this the equivalent of an on premises firewall.
1:36And this public IP is going to be crucial in figuring out how to connect in.
1:42Obviously, AWS is going to need to know this public IP so that it can start
1:47to establish the tunnels.
1:49Now, this is all that I've done on the Azure side of things.
1:53If this was over your head, don't worry.
1:57We have Azure training here on CBT Nuggets, specifically the advanced virtual
2:01networking course, which you can find in the AZ-700 certification exam.
2:05So if you want to learn more about the Azure side of things, check that out.
2:10If you're working with things like Meraki or Cisco or Palo Alto or Fortinet or
2:16any
2:17of that stuff, hey, hit that search bar in the top right corner of your screen
2:21and go find that content.
2:23Like I said, we're here primarily to talk about the AWS side of things because
2:28that's this is an AWS exam.
2:29And of course, this is where we're beginning.
2:32So I'm in US East 2 right now.
2:35My Azure region is actually south central US.
2:38So for sure, we're, you know, going across the country for this.
2:41So what I'm going to do is I'm going to stand up a fresh new VPC to do my work.
2:46This video is going to be primarily focused on just establishing the
2:50resources that I need.
2:51Let's create a VPC.
2:53I like "VPC and more."
2:55We'll just give this a name like S2S for site to site.
2:58We see it's going to be called site to site VPC.
3:00Now I can't use the same block here, can I?
3:03No, I need to use an entirely separate block.
3:06So I'm going to create this block as 10.10.0.0/16.
3:11I'm not worried about using IPv6 right now or tenancy.
3:15I'm fine with two availability zones.
3:18I really only need one public subnet, but two is going to be fine.
3:21Since I have two availability zones, I don't need any private subnets for this
3:26deployment.
3:26I don't need a NAT gateway.
3:28I don't need an S3 gateway.
3:30I'm good to create this VPC.
3:32Except I've got the maximum number of internet gateways already deployed.
3:36Whoops, let's clean up my mess.
3:38OK, so clean up some mess.
3:40We create this real quick, zero on the private subnets, no to the S3
3:45gateway, create VPC.
3:46And now we're looking a lot better.
3:48Great.
3:49So got the VPC up and running immediately.
3:52What I'm going to do now, so I'm going to attach a workload to it.
3:56Let's jump over to EC2 and spin up just a very quick EC2 instance.
4:02I'm going to hit launch an instance.
4:04We'll call this something like site to site demo.
4:07Very simple.
4:08I'm OK with using Amazon Linux for good measure.
4:11I'll put this on something like free tier eligible Amazon Linux 2 rather than
4:15the 2023 image.
4:16I'll go ahead and just create a new key pair from scratch.
4:20I'm going to be using the PEM file.
4:22You feel free to change what you want.
4:25So I'm going to call this site to site PEM.
4:27If you're using PuTTY, use the PPK. We'll create the key pair.
4:31It immediately downloads the key pair.
4:32Great.
4:33Now let's go ahead and edit the network configurations and make sure I'm setting this to be in the correct VPC.
4:40We're going to put it in the public subnet.
4:42Of course, what I want to do is make sure I get a public IP so that I can SSH
4:46into it.
4:47And of course, I've got SSH open in this case in my security group rules.
4:52I'm going to add a rule to allow ICMP.
4:56Don't go scroll too much.
4:57We're going to allow all ICMP from anywhere just to allow ICMP and ping traffic
5:03in
5:04to confirm that the machine is up and running.
5:07So I'll launch the instance very quickly.
5:09This won't take but just a second.
5:10So I want to jump over to my EC2 instances.
5:14My filter of instance running, obviously, the instance isn't alive just yet.
5:19If I remove the filter, I see that it's open.
5:21Now it's running.
5:22It's coming up actually.
5:23It's an initializing status right now.
5:26So I'm going to let this run for a little bit and let it catch up and, you know, get hydrated and brought to life.
5:31So a little bit of refreshing and the checks have passed.
5:35So that looks good.
5:36Now my SSH management tool is SecureCRT.
5:40So what I'm going to do is I'm going to add a new session for my EC2 instance
5:45here.
5:45We'll jump on over into it right here.
5:47I'll grab it by the instance ID.
5:48I'll grab the public IP address right here and I'm going to paste it in.
5:54The username for an Amazon Linux is ec2-user, of course.
6:00We'll hit continue, continue.
6:02And I'll just call this AWS site to site.
6:06How about that?
6:06And press return.
6:07Now, with that being said, I'm going to change these properties real quick and make sure it uses those SSH keys.
6:13So when I go into SSH to highlight public key, I hit the gear and I point it to a different public key pair.
6:20So the public key pair is selected.
6:23I click OK, I click OK, and now I should be able to SSH in without any issues.
6:28Looks good.
6:29Here I am.
6:30So I'll give it a sudo su, elevate myself into the root user.
6:34I'll make a directory real quick called AWS and then move into AWS.
6:39That way I can quickly tell that I'm on my AWS server prompt.
6:43That's really all there is to it.
6:44I'll get a similar session going here for my Azure server.
6:48So let me jump over here into my Azure virtual machine.
6:52I'll grab the public IP right there.
6:55And I set this one up with password authentication.
6:58So this one should go much easier.
7:00We'll say new session.
7:01Next, there's the user account or excuse me, the IP address and the user
7:08account.
7:09I'm going to edit this to not even bother with key pairs.
7:13I want to go straight into password authentication and I'll set the password
7:17right now.
7:18I'll just go ahead and type it in real quick, confirm my password right now
7:26real quick
7:27and hit enter to SSA gen looks good.
7:31Same drill, give it a pseudo Sue to elevate myself to root, make a directory
7:36called this one Azure change into Azure.
7:38Now I know I'm on my Azure server.
7:41So obviously I should not be able to ping these from the inside to the inside
7:46right now.
7:46If this one is 10, 0, 0, 4 should definitely not be able to ping from
7:55my AWS side of things to the Azure side of things.
7:57There's no encrypted tunnel and you can't ping from private IP to private IP
8:01over the internet.
8:02A quick IP address shows that I'm coming from 10, 10, 27, 168.
8:07So naturally test on both sides.
8:10Nothing's looking good here.
8:11So we'll cancel that.
8:13So with these resources stood up, I've got a little bit of lab environment that
8:17I can start working with.
8:19Now, in the next video, we'll start building out the components we need
8:23to get the AWS side working and ready for a site to site tunnel.
8:27I hope this has been informative for you.
8:28I'd like to thank you for viewing.
Deploy the Gateways
0:00 Cool. So what's next?
0:02 Now we actually start focusing in on the AWS side of things.
0:07 This is what I want you to know about AWS and really Azure in general.
0:12 I'm just going to use this little white space right here.
0:14 When we have our VPC,
0:16 which of course has a block of IP addresses,
0:18 there's two things that we do.
0:20 Again, this is the same fundamental thing that we do in Azure as well.
0:25 The first is the thing that really represents our firewall appliance.
0:29 And like I said, that was a virtual network gateway.
0:34 This is going to get a public IP address.
0:36 And this is where ultimately our external appliances are going to connect to.
0:42 We're also going to have to tell this virtual network gateway
0:46 how to connect to what they consider the local network gateway.
0:52 Again, this is the same between Azure and AWS.
0:55 So I want you to understand this concept.
0:57 They consider the VPC the remote end of it.
1:02 And where you're sitting, pretending maybe you're in an HQ,
1:06 this is considered your local side of things.
1:10 This is the nomenclature of it.
1:12 So when you're in the AWS console or the Azure portal,
1:17 they're going to be referring to the cloud as remote
1:21 and your on-prem environment as local.
1:25 So for the virtual gateway to connect to the local environment,
1:30 we create a logical resource called the customer gateway.
1:36 And this basically contains the public IP of your local firewall
1:42 and the subnets of your local environment that it's going to allow to come over.
1:48 So the virtual network gateway here will be able to see,
1:52 ah, this is the resource that I'm connecting to,
1:55 which really just points it to the on-prem environment.
1:59 This again is identical to what Azure does too.
2:03 So watch this.
2:05 We're going to jump over to the VPC section here.
2:08 Let's go into VPCs.
2:10 And the first thing I'm going to create is the virtual network gateway.
2:14 We scroll down here to virtual private network.
2:18 And here we see the customer gateways.
2:20 We're not there yet.
2:21 We're going to start by creating our virtual private gateway.
2:24 So we'll give this a click and this is just going to establish the appliance itself.
2:29 I don't know why I show you this deleted one.
2:31 We can just feel free to ignore that.
2:33 We're going to create a new virtual private gateway.
2:36 And we'll call this AWS to AZ for Azure.
2:41 I'm going to allow it to use the default ASN or autonomous system number.
2:46 If you want to use BGP to share subnets and learned prefixes back and forth to each other,
2:53 that could greatly simplify your workload rather than having to custom configure static routes.
2:58 For small deployments like this, though,
3:00 where we're really only talking one or two subnets on each side of the tunnel,
3:04 it's perfectly acceptable to use static routes.
3:07 Now, of course, if you were using custom ASNs,
3:10 in this case, you would be typing in private BGP ASNs.
3:15 I'm not worried about tagging this, so I'm just going to create the appliance.
3:19 So it'll take just a moment to create the appliance.
3:21 It's in a detached state by default, which is perfectly fine.
3:25 What do we need to do now?
3:26 Well, we need to attach it.
3:28 We get to pick the VPC that we want this to attach to.
3:32 So we say attach to VPC under the actions.
3:36 We choose our VPC, which in my case was project VPC,
3:40 because I had to recreate the VPC and I forgot to name it site to site VPC.
3:43 You get it. We're going to go attach to VPC, and it's in the attaching state.
3:48 It can take a minute or two to attach, so we'll just refresh it and wait for it to get done attaching.
3:54 Okay, so now it is attached, which is a great sign.
3:59 Got a little bit more work to do, a few more resources to create.
4:03 So what I'll do under my VPC section, I'll scroll back down,
4:07 and now we'll create the customer gateway.
4:10 So as you can tell, I've already been trying to lab this up, you know, in preparation,
4:13 but we'll create a new fresh one real quick.
4:16 We'll call this Azure CGW for customer gateway.
4:20 I'll leave it as the standard BGP right here, ASN of 65000,
4:24 even though we can choose not to use BGP if that's what we want to do.
4:29 What's the public IP address of my Azure appliance?
4:33 Well, if I jump back to Azure here, I'm going to grab.
4:36 This is my virtual machine. That's not it.
4:38 We need to go into the virtual network gateway right here,
4:42 and I'll see the public IP address 20.97.0.242 right there.
4:49 I'll copy it. I'll jump back here and paste it in,
4:52 and I'll create the customer gateway.
4:55 So at this point, I have a customer gateway,
4:59 and I have a virtual private gateway.
5:01 If I select this virtual private gateway,
5:04 you can see a little bit more details about it,
5:06 not a whole lot here that's given away.
5:09 We can go into the virtual gateway ID,
5:12 and you can see it doesn't really give you a lot of information
5:16 aside from the Amazon ASN and the VPC that it's connected to.
5:21 So obviously what I need to do now is I need to create the customer gateway,
5:25 or what Azure calls the local network gateway, representing the AWS side of things.
5:31 So that begs the question, how do I find my virtual private gateway's public IP?
5:36 One of the easiest ways to do that is to actually set up the site-to-site VPN connection
5:42 now on the AWS side of things.
5:45 That's what we'll pick up in the next video.
5:46 For now, we've built out our gateways and got them attached.
5:50 We'll configure the AWS connection next.
5:53 I hope this has been informative for you, and I'd like to thank you for viewing.
Create the S2S Connection
0:00 So what I'm going to jump into immediately is creating a VPN connection
0:04 primarily so that we can get the public IPs to create the local network gateway in Azure.
0:12 We'll create the VPN connection here, and I'll call this VPN to AZ.
0:18 This is going to be a virtual private gateway. This is a two way street, site to site, from public IP to public IP.
0:29 If we were actually building a hub and spoke topology where my spokes could be on prem or colo or VPCs or other clouds,
0:47 any combination of these around here, we would create a transit gateway.
0:54 Basically this is a virtual private gateway that's built to handle many connections and then forward learned prefixes to the remote spokes.
1:07 That's what the transit gateway is built to do.
1:10 So in this case, since I'm just doing a one to one connection, I'm going to use a virtual private gateway. Which gateway appliance? Well, the only one that we've got. Click on that drop down.
1:19 What's the destination? This is why we created the customer gateway.
1:23 Now if we want to use dynamic, we can establish the BGP peer to peer connectivity.
1:28 Since I've got a small network to work with here, I'm just going to set these to be a static IP prefix.
1:35 Now it's important to understand this is not going to update the actual routing of your VPC.
1:42 This is just to help the virtual network gateway understand what are the remote subnets that it's going to transmit traffic to.
1:52 So if I jump over into Azure, back into my virtual network, back into site to site demo, I see my block space right here, 10.1.0.0. I'll copy it.
2:03 Paste it in under static prefixes like this.
2:08 Looks good. I think, wait, right? There we go. I got an extra space in there.
2:13 We'll click it and now we've got it in here.
2:16 Now if I wanted to start filtering out, like only allow traffic from this subnet or destined to the subnet, again, look, local and remote.
2:28 It's that key terminology: local equals customer on premises, remote is the AWS side.
2:36 So these are the subnets that we can define that are allowed to communicate over the tunnel right here.
2:42 We can say the local subnets that are allowed to communicate right here, and the default or the AWS subnets or the remote subnets that are allowed to communicate over the tunnel are right here.
2:52 Now these are optional. We can leave these unchecked and that will allow anything.
2:56 Now remember, HAGLE. That's what tunnel one options and tunnel two options are all about.
3:01 This is the phase one tunnel. This is the phase two tunnel.
3:05 So if you look at your tunnel one options, take a scroll down and you'll start to see things like what's the pre-shared key.
3:14 Do you want to edit the tunnel options? Click this and this is where you start to see phase one encryption, phase two encryption, phase one, phase two, phase one, phase two.
3:24 If you help me in like lifetime, rekeying, like it's a lot. It's a lot of stuff.
3:36 But with all of these checked, that means there's some combination of proposal suite that could be matched by the remote peer. In an ideal scenario,
3:41 you don't have everything checked. You have only what you need checked.
3:45 But for Azure to AWS communications and simplicity's sake, this is what we're going to do. Now I did just say this is phase one and phase two. That's actually not correct.
3:55 What the virtual private gateway does is it actually gets two public IPs and you can establish two IPsec tunnels in a truly redundant hybrid environment.
4:10 You would have a rack with two firewalls, wouldn't you? And you could do active active load balancing or active standby load balancing and failing over to the alternative public/private IPsec tunnel.
4:26 The Azure virtual network gateway is also configured to have two public IPs and set up to establish tunnels, but you only have to have one.
4:35 The interesting thing is, you can adjust the parameters for tunnel one versus tunnel two. So maybe you could even have Cisco on one side and Palo Alto on the other and they might support different encryption algorithms.
4:50 You've got flexibility in controlling how that works. So what I'm going to do is I'm going to create the VPN connection and it's going to be in a pending state for a little bit.
5:01 If I actually click on the VPN ID, we can scroll down and now I can see my public IPs for each of the tunnels. Both are in the down state. And here's the thing that I want you to understand, because this can be very stressful the first time you do it in both AWS and Azure.
5:19 The tunnels come up and don't reflect it in the console or the portal for several minutes and you'll be sweating bullets like, oh, the tunnels are down because it says down on the screen.
5:31 But if you actually try like a ping test, it might actually work.
5:35 So now that the tunnel has been configured on the AWS side of things and I have outside public IPs, I can now configure the Azure side of things.
5:45 So what we're going to do is we're going to wrap it up in the next video, put a little bow on it and stand up that site to site tunnel on the Azure side of things.
5:53 I hope this has been informative for you and I'd like to thank you for viewing.
Wrap Up the Tunnel Connection On Your Side (Azure)
0:00 Okay, so in Azure, I've got a virtual network,
0:02 I've got a virtual machine and a virtual network gateway,
0:05 but I need the customer gateway equivalent in Azure.
0:09 In Azure, they call it the local network gateway.
0:12 Again, that key terminology there,
0:14 remember local equals on-prem.
0:18 So in this case, Azure is saying,
0:21 I don't know where you want me to go to,
0:24 so you need to create the local network gateway to stand that up.
0:29 Now, where the virtual network gateways take like an hour to deploy,
0:32 local network gateways take like five seconds,
0:35 because all they really are is just logical configurations.
0:38 They're not actually provisioning any resources here.
0:41 So I'll put this in my app to have resource group,
0:43 we'll call this AWS GW for AWS gateway,
0:48 and where am I going?
0:49 Right here is my tunnel one endpoint.
0:52 What are the address spaces or subnets on the other end?
0:57 What does AWS currently have?
0:59 Well, if I look back in my VPC,
1:02 we'll go back in here to my VPC,
1:05 I've got this VPC and I see my CIDR notation right here,
1:09 10.10.0.0/16.
1:12 So here, I'll put my address spaces 10.10.0.0/16
1:16 without the superfluous period right there.
1:21 And that's really it.
1:24 There's an advanced tab where you can configure BGP settings.
1:27 It's the same time.
1:28 So if you wanted to configure BGP,
1:31 we would have set things like 65000 to be our ASN,
1:34 and what is the remote BGP peer IP address?
1:38 In this case, AWS actually uses an APIPA address,
1:42 a 169.254 address, to configure that.
1:47 So make sure if you are using BGP,
1:49 you look that up and figure out
1:51 which one of those APIPA addresses it has configured.
1:53 We'll review and create this customer local network gateway
1:58 right here, customer gateway at AWS side of things.
2:01 And you'll see in Azure,
2:02 it's just going to deploy super duper quick.
2:04 So go to the resource, everything looks great here.
2:09 Now it's time to stand up the connection
2:12 much like I did on the AWS side of things.
2:15 To do this, we go back into our virtual network gateway
2:19 and we come down here into connections.
2:21 Now I know I said you download a configuration from AWS
2:26 and it'll show you like how to do things in Cisco.
2:28 I'm going to show you that in just a second
2:30 because that's how we actually get the pre-shared key,
2:32 no matter what.
2:33 So just bear with me, one second, you're going to see it.
2:36 We're going to add a connection on the AWS side of things.
2:39 It's not VNet to VNet, that's really Azure to Azure.
2:42 In this case, we're doing a true site to site tunnel.
2:45 I'll call this AZ to AWS.
2:49 And the region is South Central US.
2:52 That's where my resources currently are.
2:55 We'll go into the actual tunnel configuration
2:57 by going into the settings tab.
2:59 We choose our virtual network gateway.
3:01 That's the Azure side of things.
3:03 We choose the local network gateway, that's AWS.
3:05 And now it wants the pre-shared key.
3:08 So where do I go to get the pre-shared key?
3:10 I'll go back here into AWS.
3:13 We'll jump down here to the site to site connections.
3:16 We'll click on the site to site connection.
3:18 And right here, you see download configuration.
3:21 Give it a click.
3:22 And this, pretty cool, right?
3:24 This is where you get to choose your manufacturer.
3:28 So you got a lot of options here.
3:30 SonicWall, pfSense, Palo Alto, MikroTik,
3:34 Yadi Ade Ade, Juniper, Cisco,
3:37 Meraki, Check Point, all the usual suspects,
3:41 if you will, are there.
3:43 We'll download Openswan because it's really easy
3:46 to see and understand.
3:48 We're gonna leave this on IKEv1.
3:50 We'll click download and it downloads a text file,
3:53 which comes up way on the third screen
3:57 that's farthest away from me.
3:58 Hang on.
3:58 So let's drag it onto this screen.
4:02 So, oh, I can't because I'm full screen right now.
4:03 Hang on.
4:04 Okay, now it'll let me bring it onto this full screen.
4:07 Let me go big, let me zoom way in so you can see.
4:12 Okay, look, see, IPsec tunnel number one.
4:15 It tells you step-by-step what you should do
4:18 if you were configuring this for Openswan.
4:20 The same thing would be true if this were like
4:22 a Cisco appliance.
4:23 It would show you all of the CLI commands to create.
4:27 What I want you to do is look right here on step five.
4:30 This is the pre-shared key for tunnel number one.
4:34 So it's important to keep in mind
4:36 that this pre-shared key is directly associated
4:40 with this public IP address in AWS, okay?
4:44 Tunnel one is for this public IP in AWS
4:48 and gets this pre-shared key.
4:50 Tunnel two is for a different public IP in AWS
4:54 and gets a different pre-shared key.
4:57 So keep those straight.
4:58 Tunnel one and tunnel two are different
5:01 and they're for different public IP addresses.
5:04 So back in Azure, I will paste in the pre-shared key.
5:08 Looks good.
5:09 This was for IKEv1.
5:11 And we can really leave everything else the same.
5:15 So in this case, I'll do a review and create
5:20 and I'll do create.
5:22 Now we're not done.
5:24 This might bring the tunnel up, but we still have a big problem.
5:27 The AWS VPC is still not routing traffic
5:31 through the tunnel.
5:33 What we need to do really quickly is adjust this route table
5:36 that's associated with my VPC.
5:38 So I'll go to my VPCs, I'll go into this VPC right here
5:43 and I see its main route table right here,
5:45 this rtb-063 blah, blah, blah.
5:48 So what I'll do is I'll bring up this route table real quick
5:52 and I'll edit the routes.
5:54 First thing I'll do is I'll add a route to 10.1.0.0/16,
6:00 which is my Azure subnet,
6:03 and that's gonna go towards a virtual private gateway.
6:07 The virtual private gateway is the one
6:09 that I've labeled AWS to Azure.
6:11 I'm also gonna add a default route in here.
6:13 That's gonna go towards my internet gateway,
6:15 which is attached to that VPC,
6:17 and we'll save the changes.
6:19 For good measure, I also recommend taking a careful look
6:24 at how traffic is actually gonna flow
6:26 throughout your environment too.
6:28 Look, most of my traffic actually is pointed
6:30 towards this project route table
6:33 instead of the main route table here.
6:35 So you probably wanna adjust the project route table as well,
6:38 depending on what your VPC configuration is.
6:41 You can jump right into it and as you can see,
6:43 I went ahead and added the virtual gateway route
6:47 towards the Azure subnet at the same time.
6:50 So with my route table adjustments in place
6:53 and my connection being deployed in Azure,
6:56 what does my virtual network
6:58 or my virtual private gateway think of it now?
7:01 When I jump over to virtual private gateways
7:03 into, wait, wait, wait, I was, sorry.
7:05 When I jump into my site to site VPN connections
7:08 into my VPN ID, ah, green means go, right?
7:13 Tunnel one is up, which is great.
7:15 And it makes sense because I didn't configure tunnel two,
7:17 did I?
7:18 What does the Azure side of things think about it?
7:20 Is it already up to snuff?
7:22 Let's jump back here into the virtual network gateway,
7:25 down into connections.
7:29 It might say, yeah, now it shows connected too.
7:31 So my tunnel, my main tunnel is for sure up.
7:34 Let's bring up the backup tunnel too.
7:37 I'll add a second connection into the mix.
7:39 Site to site, we'll call this AZ to AWS two.
7:44 This was from my South Central US location in Azure.
7:48 Jump into the settings, choose site to site.
7:51 I just went ahead and created the local network gateway
7:54 representing my backup public IP
7:56 with its backup pre-shared key.
7:58 Well, this backup public IP.
8:01 So let's now grab that backup pre-shared key.
8:04 So we'll jump here, scroll down to tunnel two,
8:09 grab this pre-shared key, paste it back into Azure
8:14 and accept the defaults for everything,
8:18 review and create, and create.
8:22 So it'll take just a moment to deploy this new connection
8:25 when it finds its sea legs.
8:27 So to speak, it'll take a few minutes to refresh
8:30 and find its footing.
8:31 We should see two connections in place.
8:33 Okay, that deployment succeeds,
8:35 but like I say, it can take several minutes
8:37 for these connections to actually refresh.
8:39 You can't even see it, there's a second connection.
8:41 See, now it just popped up right now
8:43 and it's currently in the unknown status.
8:45 It will take a little bit for both sides
8:47 to see these tunnels come up.
8:49 Okay, I've let it sit for a little bit.
8:51 Let's jump back here.
8:52 I'm gonna refresh the AWS console.
8:55 Hey, two greens, the tunnels are alive.
9:00 Back in Azure, it's still trying to find its sea legs
9:02 on that second tunnel.
9:03 But like I say, it can really take several minutes
9:06 for this to really come up
9:08 and show connected on both sides.
9:10 For sure, AWS sees them both as up, which is a great sign.
9:14 Sometimes the cache on, hey, there it goes,
9:16 it just switched to connected right now.
9:18 You just saw it with your own eyes.
9:20 So now both sides of my tunnel see the tunnel as up.
9:24 So we've done it, we've configured an end-to-end
9:27 site-to-site VPN tunnel between Azure
9:30 and AWS.
9:31 Like I said, I can't stress this enough
9:33 that your results are definitely going to vary
9:36 depending on your on-premises implementation
9:39 or whatever appliances you're using
9:41 for what's considered the local side of the tunnels.
9:45 For now, I hope this has been informative for you
9:47 and I'd like to thank you for viewing.
CHALLENGE
0:00 So my challenge to you was, can you recall your
0:03 HAGLE? Really, really important for troubleshooting VPNs.
0:09 H is for hashing: data integrity, making sure it hasn't been transformed when it arrives at its destination.
0:19 Authentication: do we trust the appliance that we're actually connecting to? A lot of hackers can spoof a source IP address,
0:28 but if they don't know the pre-shared key or have the right certificate,
0:32 they're not getting in. The Diffie-Hellman group: this is really an
0:37 algorithm, a cipher if you will, that's designed to
0:42 generate seed keys in order to be exchanged back and forth, used as part of the actual encryption itself.
0:50 Encryption uses keys to encrypt or decrypt data. Where do those keys come from? The Diffie-Hellman group.
0:57 The lifetime: how long is this tunnel good for before we have to re-authenticate and repropose
1:04 new HAGLE, new proposal suites. This is usually measured in seconds and it's usually
1:11 28,800. And lastly, the encryption algorithm itself.
1:17 What is actually being used to encrypt or decrypt the data so that we correctly encrypt it or decrypt it
1:24 so that we can forward it on to the next destination. This has been my challenge to you.
1:30 I think this is the most important part in working with all IPsec tunnels is understanding phase one and phase two
1:38 proposals and negotiations. I hope this has been informative for you and I'd like to thank you for viewing.