Site to Site VPN Connection Between AWS and Huawei Cloud

Asrın Andırın
7 min read · Dec 5, 2024


A Site-to-Site VPN connection is a type of virtual private network that securely connects two separate networks, often over the public internet. In cloud environments, it enables organizations to establish a secure tunnel between two cloud providers — such as AWS and Huawei Cloud — or between an on-premises data center and a cloud provider. This tunnel uses encryption to ensure the privacy and integrity of data during transmission, facilitating secure communication between resources in different environments. It is particularly beneficial for organizations that need to securely exchange data across multiple locations or cloud infrastructures.

This guide provides a step-by-step walkthrough for setting up a Site-to-Site VPN connection between AWS and Huawei Cloud, detailing the configurations on both platforms to achieve secure and reliable connectivity.

Overview of the Setup

To establish the VPN connection, we will configure components in both AWS and Huawei Cloud.

  • Huawei Cloud: We will set up a VPN Gateway, a Customer Gateway, and create a VPN Connection.
  • AWS: We will configure a Customer Gateway, a Virtual Private Gateway, and a VPN Connection.

Before beginning, ensure that VPCs and subnets are already set up in both environments. Additionally, configure an interconnection subnet on Huawei Cloud (e.g., 192.32.2.0/24) to handle routing traffic between AWS and Huawei Cloud.

The interconnection subnet in Huawei Cloud serves as a dedicated network space for managing traffic between the two environments. This subnet is utilized by the VPN Gateway to process incoming and outgoing traffic specifically designated for the VPN connection. Defining a clear network range for communication helps prevent conflicts or routing issues within the VPC and ensures seamless connectivity.

Resource Map

To establish the VPN connection, the following resource map will be followed:

  1. Huawei Cloud:
     • VPN Gateway
     • Customer Gateway
     • VPN Connections

  2. AWS:
     • Customer Gateway
     • VPN Gateway
     • Site-to-Site VPN Connection
     • Route Table Modifications

  3. Additional Steps:
     • AWS: VPN Connection Static Route Addition
     • Huawei Cloud: Route Table Modifications

Key Considerations:

  1. VPN Gateway IPs are required by both sides:
     • Each cloud provider’s VPN Gateway acts as the gateway device for the connection.
     • AWS requires the active IP address of Huawei Cloud’s VPN Gateway to create the Customer Gateway.
     • Similarly, Huawei Cloud needs the corresponding information from the AWS side.

  2. AWS Tunnel IPs are needed for the Huawei Customer Gateway setup:
     • After creating the Site-to-Site VPN Connection in AWS (Step 4), AWS generates tunnel IPs.
     • These IPs are crucial for configuring Huawei Cloud. Two Customer Gateways need to be created in Huawei Cloud based on these IP addresses.

  3. Sequential Setup:
     • Huawei Cloud’s VPN Connections (Step 6) depend on information obtained from the AWS VPN tunnels.
     • Therefore, follow the VPN connection setup in the order outlined below to avoid any issues during the installation process. These steps are critical to successfully finalizing the VPN setup on Huawei Cloud.

Installation Steps

Huawei Cloud — VPN Gateway 1️⃣

Go to the Virtual Private Network interface on Huawei Cloud. Click VPN Gateways, then select Buy S2C VPN Gateway.

Billing Mode:

  • Select Pay-Per-Use or Yearly/Monthly, depending on your requirements.

Network Settings:

  • Choose Public Network.
  • Associate the VPN Gateway with your VPC.

Interconnection Subnet:

  • Specify the subnet details (e.g., 192.32.2.0/24) to enable interconnection between Huawei Cloud and AWS.

BGP ASN (Autonomous System Number):

  • Leave the default value unless a specific ASN is required for your setup.

The BGP ASN (Autonomous System Number) is a unique identifier used in Border Gateway Protocol (BGP) to distinguish different networks (or autonomous systems) participating in routing. It is critical in scenarios involving dynamic routing between networks.

Active/Standby Setup:

  • Choose the Active/Standby or Active/Active configuration based on your needs.
  • Select Professional 1 / Professional 2 specification.
  • Set the availability zones to AZ-1 and AZ-2 to set up a highly available connection.

Choose Active/Standby if you prioritize simplicity and cost savings and your workload doesn’t require load balancing or high throughput.

Choose Active/Active if you need maximum performance, load balancing, or increased bandwidth. Your workload demands the use of both tunnels simultaneously.

Elastic IP:

  • Create two Elastic IPs (EIPs).
  • Choose bandwidth appropriate to your architecture.

The VPN Gateway will generate two public IP addresses: one active and one standby.
Take note of both IP addresses, as they will be required in the following configuration steps.

AWS — Customer Gateway 2️⃣

In AWS, navigate to the VPC service. Under Virtual Private Network, select Customer Gateways and configure the following:

Name:

  • Enter a descriptive name, such as "aws-to-huaweicloud-cgw".

BGP ASN:

  • Ensure this matches the BGP ASN configured in Huawei Cloud.

IP Address:

  • Provide the Active EIP Address of the Huawei VPN Gateway.

Certificate ARN and Device:

  • Leave these fields empty unless specific requirements dictate otherwise.

AWS — VPN Gateway 3️⃣

In AWS, navigate to the VPC service. Under Virtual Private Network, select Virtual Private Gateways and configure the following:

Custom ASN:

  • Assign an ASN different from the one used in Huawei Cloud (e.g., 65000).

AWS — Site-to-Site VPN Connection 4️⃣

In AWS, navigate to the VPC service. Under Virtual Private Network, select Site-to-Site VPN Connections and configure the following:

Name:

  • Assign a descriptive name for the connection.

Target Gateway Type:

  • Select Virtual Private Gateway, then choose the VPN Gateway created in Step 3.

Customer Gateway ID:

  • Select the Customer Gateway created in Step 2.

Local IPv4 and Remote IPv4:

  • Leave these fields as default.

Routing Option:

  • For Dynamic Routing (BGP), no additional configuration is required.
  • For Static Routing, specify one or more IP prefixes in CIDR notation (e.g., 192.168.1.0/24, 192.168.2.0/24) to advertise to your VPC.
  • Static IP Prefix (if applicable):
    Enter the prefixes separated by commas to define the routes.

Tunnel Options:

  • You can use the default tunnel settings.
  • If you prefer to use pre-shared keys for tunnel authentication:
    Tunnel 1: Enter a pre-shared key.
    Tunnel 2: Enter a pre-shared key.

Note: Keep these pre-shared keys handy, as they will be required for the Huawei Cloud VPN Connection setup.

  • Tunnel Activity Logs:
    It is recommended to leave this option turned off to minimize costs.

Post-Creation Notes:

  • After creating the connection, it is expected to show a Down state initially because the Huawei Cloud side has not yet been configured.
  • When you view this VPN connection in AWS, you will see two Tunnel Outside IP Addresses. Note these IP addresses for later use.
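The two outside IPs and the pre-shared keys (AWS generates a PSK for each tunnel when none was entered above) can be read from the connection's configuration document instead of being copied from the console. The following is an added example, not code from the original post: it parses a constructed, reduced sample of the XML that `aws ec2 describe-vpn-connections` returns in `CustomerGatewayConfiguration` and extracts the per-tunnel values needed in Steps 5 and 6; all IPs, ASNs and keys in the sample are placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the configuration document AWS returns for a VPN
# connection. Real output: aws ec2 describe-vpn-connections --vpn-connection-ids <id>
#   --query 'VpnConnections[0].CustomerGatewayConfiguration' --output text
SAMPLE_CONFIG_XML = """<vpn_connection id="vpn-EXAMPLE">
  <ipsec_tunnel>
    <customer_gateway>
      <tunnel_outside_address><ip_address>203.0.113.10</ip_address></tunnel_outside_address>
      <bgp><asn>64512</asn></bgp>
    </customer_gateway>
    <vpn_gateway>
      <tunnel_outside_address><ip_address>198.51.100.1</ip_address></tunnel_outside_address>
      <bgp><asn>65000</asn></bgp>
    </vpn_gateway>
    <ike><pre_shared_key>EXAMPLE_PSK_1</pre_shared_key></ike>
  </ipsec_tunnel>
  <ipsec_tunnel>
    <customer_gateway>
      <tunnel_outside_address><ip_address>203.0.113.10</ip_address></tunnel_outside_address>
      <bgp><asn>64512</asn></bgp>
    </customer_gateway>
    <vpn_gateway>
      <tunnel_outside_address><ip_address>198.51.100.2</ip_address></tunnel_outside_address>
      <bgp><asn>65000</asn></bgp>
    </vpn_gateway>
    <ike><pre_shared_key>EXAMPLE_PSK_2</pre_shared_key></ike>
  </ipsec_tunnel>
</vpn_connection>"""

def huawei_tunnel_settings(config_xml: str, huawei_active_eip: str) -> list[dict]:
    """Per AWS tunnel, the values typed into Huawei Cloud in Steps 5 and 6."""
    root = ET.fromstring(config_xml)
    tunnels = []
    for i, t in enumerate(root.findall("ipsec_tunnel"), start=1):
        # Sanity check: AWS must have been given the Huawei active EIP in Step 2
        if t.findtext("customer_gateway/tunnel_outside_address/ip_address") != huawei_active_eip:
            raise ValueError(f"tunnel {i} customer gateway IP is not the Huawei active EIP")
        tunnels.append({
            "tunnel": i,
            # Step 5: Huawei Customer Gateway IP = AWS tunnel outside IP; its BGP ASN
            # must equal the ASN set on the AWS Virtual Private Gateway in Step 3
            "customer_gateway_ip": t.findtext("vpn_gateway/tunnel_outside_address/ip_address"),
            "customer_gateway_asn": t.findtext("vpn_gateway/bgp/asn"),
            # Step 6: PSK for this VPN connection (AWS generates one if none was entered)
            "psk": t.findtext("ike/pre_shared_key"),
        })
    if len(tunnels) != 2:  # one Huawei Customer Gateway + VPN Connection per tunnel
        raise ValueError(f"expected 2 ipsec_tunnel entries, found {len(tunnels)}")
    return tunnels
```

The returned PSKs are secrets: keep the configuration document out of shell history and ticketing systems once the Huawei connections are created.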

Huawei Cloud — Customer Gateways 5️⃣

Note the Outside IP addresses for Tunnel 1 and Tunnel 2 from the AWS Site-to-Site VPN Connection created in Step 4. You will create two separate Customer Gateways, one for each IP address.

For Tunnel 1:

  • Use the Outside IP address of Tunnel 1.
  • Ensure the BGP ASN matches the value configured in AWS.

For Tunnel 2:

  • Use the Outside IP address of Tunnel 2.
  • Ensure the BGP ASN matches the value configured in AWS.

Huawei Cloud — VPN Connections 6️⃣

For each Customer Gateway created in Step 5, create a separate VPN Connection. Follow these steps to create two VPN Connections:

Name:

  • Assign a unique and descriptive name for each connection.

VPN Gateway:

  • Choose the VPN Gateway created earlier.

Gateway IP Address:

  • Specify the corresponding Gateway IP Address.

Customer Gateway:

  • Select the appropriate Customer Gateway (created in Step 5).

Routing:

  • Choose Static Routing or Dynamic Routing (BGP) based on your setup.

Customer Subnet:

  • Enter the AWS subnet CIDRs that will be accessible through this connection.

Interface IP Address Assignment:

  • Assign interface IPs manually, or use the default values.

PSK (Pre-Shared Key):

  • Enter the pre-shared keys created in Step 4 for each connection. Ensure each connection uses the correct PSK.

Policy Settings:

  • Leave the policy settings as default.

AWS — Route Table Modifications 7️⃣

To enable AWS subnets to communicate with Huawei Cloud subnets over the VPN connection, update the route tables associated with the relevant AWS subnets:

  1. Navigate to AWS VPC Service: Go to the Route Tables section under the VPC service.
  2. Identify the Relevant Route Table: Select the route table associated with the AWS subnets that require VPN access to Huawei Cloud.
  3. Add a Route:
     • Destination: Enter the CIDR block(s) of the Huawei Cloud subnets that need to be accessed.
     • Target: Select the AWS Virtual Private Gateway connected to the Huawei Cloud VPN.

Huawei Cloud — Route Table Modifications 8️⃣

Huawei Cloud typically handles route tables automatically, but it’s recommended to verify the route tables for accuracy.

AWS — VPN Connection Static Route Addition 9️⃣ (For Static Routes)

If you selected Static Routing as the routing mode, you need to add Huawei Cloud subnets as static routes in the AWS VPN Connection. Follow these steps:

  1. Navigate to VPN Connection: In the AWS Management Console, go to the VPC service and select the Virtual Private Network section.
  2. Select the VPN Connection: Locate and click on the VPN Connection you created earlier.
  3. Add Static Routes:
     • Go to the Static Routes section.
     • Add the CIDR blocks of the Huawei Cloud subnets that need to be accessed through the VPN.
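The CIDRs entered in Steps 6, 7 and 9 are the same address plan seen from two sides, and a typo or an overlap between the AWS and Huawei ranges only shows up later as traffic that never arrives. The following is an added example, not code from the original post: a Python check that validates the plan before any route is entered and derives the prefixes each step needs. The interconnection subnet is the value used in this guide; the other CIDRs in the test are constructed, and "vgw" stands for the Virtual Private Gateway target.

```python
import ipaddress

def plan_vpn_routes(aws_subnets, huawei_subnets, interconnection_subnet):
    """Validate the address plan and derive the routes for Steps 6, 7 and 9.

    aws_subnets: AWS subnet CIDRs that must reach Huawei Cloud.
    huawei_subnets: Huawei Cloud subnet CIDRs that must reach AWS.
    interconnection_subnet: the Huawei interconnection subnet from Step 1.
    """
    # strict=True rejects CIDRs with host bits set (e.g. 10.0.1.5/24), a common typo
    aws = [ipaddress.ip_network(c, strict=True) for c in aws_subnets]
    hw = [ipaddress.ip_network(c, strict=True) for c in huawei_subnets]
    ic = ipaddress.ip_network(interconnection_subnet, strict=True)

    # Overlapping prefixes on the two sides make the VPN routes ambiguous,
    # so reject the plan before anything is configured in either console.
    for a in aws:
        for h in hw + [ic]:
            if a.overlaps(h):
                raise ValueError(f"AWS {a} overlaps Huawei Cloud {h}")
    for h in hw:
        if h.overlaps(ic):
            raise ValueError(f"Huawei subnet {h} overlaps interconnection subnet {ic}")

    # Adjacent prefixes are summarised so the static route lists stay minimal
    hw_routes = [str(n) for n in ipaddress.collapse_addresses(hw)]
    aws_routes = [str(n) for n in ipaddress.collapse_addresses(aws)]
    return {
        # Step 9 (static routing): Huawei prefixes on the AWS VPN connection
        "aws_vpn_static_routes": hw_routes,
        # Step 7: AWS route table entries, target = the Virtual Private Gateway
        "aws_route_table": [{"destination": r, "target": "vgw"} for r in hw_routes],
        # Step 6: Customer Subnet on each Huawei VPN connection
        "huawei_customer_subnets": aws_routes,
    }
```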

Conclusion ⛅️

By following these steps, you can successfully establish a secure Site-to-Site VPN connection between AWS and Huawei Cloud. Once all configurations are complete:

  1. Verify Connection Status:
    Ensure that the VPN connection statuses on both AWS and Huawei Cloud are shown as normal or connected.
  2. Test Network Traffic:
    Perform connectivity tests by exchanging traffic between the AWS and Huawei Cloud subnets to confirm that the setup is functioning correctly.

This type of secure connection enables seamless and efficient data exchange between two distinct cloud environments, providing a reliable solution for organizations requiring inter-cloud or hybrid cloud communication.
