Development Notes

Site-to-Site VPN Between AWS and Huawei Cloud

Setting Up a Site-to-Site VPN Connection Between AWS and Huawei Cloud

A Site-to-Site VPN connection is a type of virtual private network that securely connects two separate networks, often over the public internet. In cloud environments, it enables organizations to establish a secure tunnel between two cloud providers — such as AWS and Huawei Cloud — or between an on-premises data center and a cloud provider. This tunnel uses encryption to ensure the privacy and integrity of data during transmission, facilitating secure communication between resources in different environments. It is particularly beneficial for organizations that need to securely exchange data across multiple locations or cloud infrastructures.

This guide provides a step-by-step walkthrough for setting up a Site-to-Site VPN connection between AWS and Huawei Cloud, detailing the configurations on both platforms to achieve secure and reliable connectivity.

Overview of the Setup

To establish the VPN connection, we will configure components in both AWS and Huawei Cloud:

Huawei Cloud

  • VPN Gateway
  • Customer Gateway
  • VPN Connection

AWS

  • Customer Gateway
  • Virtual Private Gateway
  • VPN Connection

Before beginning, ensure that VPCs and subnets are already set up in both environments. Additionally, configure an interconnection subnet on Huawei Cloud (e.g., 192.32.2.0/24) to handle routing traffic between AWS and Huawei Cloud.

The interconnection subnet in Huawei Cloud serves as a dedicated network space for managing traffic between the two environments. Defining a clear network range for communication helps prevent conflicts or routing issues within the VPC and ensures seamless connectivity.

Resource Map

Huawei Cloud

  1. VPN Gateway
  2. Customer Gateway
  3. VPN Connections

AWS

  1. Customer Gateway
  2. VPN Gateway
  3. Site-to-Site VPN Connection
  4. Route Table Modifications

Key Considerations

  1. VPN Gateway IPs are required by both sides:

    • Each cloud provider’s VPN Gateway acts as the gateway device for the connection.
    • AWS requires the active IP address of Huawei Cloud’s VPN Gateway to create the Customer Gateway.
    • Similarly, Huawei Cloud needs the corresponding information from AWS.

  2. AWS Tunnel IPs are needed for Huawei Customer Gateway setup:

    • After creating the Site-to-Site VPN Connection in AWS, AWS generates tunnel IPs.
    • These IPs are crucial for configuring Huawei Cloud.

  3. Sequential Setup:

    • Huawei Cloud’s VPN Connections depend on information obtained from AWS VPN Tunnels.
    • Follow the VPN connection setup in the outlined order to avoid issues.

Installation Steps

1. Huawei Cloud — VPN Gateway

  1. Go to the Virtual Private Network interface on Huawei Cloud.
  2. Click VPN Gateways, then select Buy S2C VPN Gateway.
  3. Billing Mode: Choose Pay-Per-Use or Yearly/Monthly.
  4. Network Settings: Associate the VPN Gateway with your VPC.
  5. Interconnection Subnet: Specify details (e.g., 192.32.2.0/24).
  6. BGP ASN: Leave as default unless a specific ASN is required.
  7. Elastic IP: Create two Elastic IPs with appropriate bandwidth.

2. AWS — Customer Gateway

  1. In AWS, navigate to the VPC service.
  2. Under Virtual Private Network, select Customer Gateways.
  3. Configure the following:
    • Name: e.g., “aws-to-huaweicloud-cgw”.
    • BGP ASN: Match the Huawei Cloud BGP ASN.
    • IP Address: Provide the Active EIP Address of Huawei Cloud’s VPN Gateway.

3. AWS — VPN Gateway

  1. In AWS, navigate to the VPC service.
  2. Under Virtual Private Network, select Virtual Private Gateways.
  3. Configure the following:
    • Custom ASN: Assign a different ASN from Huawei Cloud.

4. AWS — Site-to-Site VPN Connection

  1. Navigate to the VPC service.
  2. Under Virtual Private Network, select Site-to-Site VPN Connections.
  3. Configure the following:
    • Target Gateway Type: Select the VPN Gateway from Step 3.
    • Customer Gateway ID: Select the Customer Gateway created in Step 2.
    • Routing Option: Choose Dynamic (BGP) or Static Routing.

5. Huawei Cloud — Customer Gateways

  1. Use the Tunnel IP addresses from AWS to create two Customer Gateways.
    • Tunnel 1: Configure with AWS Tunnel 1 IP and matching BGP ASN.
    • Tunnel 2: Configure with AWS Tunnel 2 IP and matching BGP ASN.

6. Huawei Cloud — VPN Connections

  1. For each Customer Gateway, create a separate VPN Connection:
    • Routing: Choose Static or Dynamic (BGP).
    • PSK: Use the pre-shared keys from AWS.

7. AWS — Route Table Modifications

  1. Navigate to the Route Tables section in AWS.
  2. Add a route for the Huawei Cloud subnets:
    • Destination: Huawei Cloud CIDR.
    • Target: AWS Virtual Private Gateway.

8. Huawei Cloud — Route Table Modifications

  1. Verify and modify route tables to ensure proper traffic flow.

9. AWS — VPN Connection Static Route Addition (For Static Routes)

  1. Navigate to the Static Routes section of the VPN Connection.
  2. Add Huawei Cloud subnet CIDRs.

Conclusion

By following these steps, you can successfully establish a secure Site-to-Site VPN connection between AWS and Huawei Cloud.

Final Steps

  1. Verify Connection Status: Ensure both AWS and Huawei Cloud VPN connections show a “Connected” status.
  2. Test Network Traffic: Exchange data between the subnets to confirm functionality.

This secure connection facilitates seamless data exchange between two distinct cloud environments, providing a reliable solution for organizations requiring inter-cloud or hybrid cloud communication.