IPSec VPN between OCI and AWS
I’ve been using the Oracle Cloud Infrastructure (OCI) and Amazon Web Services (AWS) clouds for a number of years, but primarily it was either one or another. Only in a few cases was it required to connect each other and mainly get data from an AWS S3 bucket. But with the new OCI services, the idea of using both clouds is getting more attractive, and multi-cloud environments become more common. One of the main challenges for such a layout is the network. We have several options using dedicated connections or 3d party tools deployed on both sides, and all of them have their pros and cons. Today, I would like to talk about the most simplistic case when we use only native services on both sides and establish IPSec VPN connections between two clouds.
The first step is to make sure your Oracle OCI VCN doesn’t overlap the AWS VPC range. In my OCI for the Toronto region, I have the CIDR block as 10.11.0.0/22
and in the AWS Canada Central region, my CIDR is 220.127.116.11/20.
They are in totally different address spaces and I can safely connect them to each other.
We cannot change the Oracle side CPE VPN virtual device after creation for a VPN connection. We can only modify it’s IP address and some IP and secrets parameters for the tunnels. So, a better approach is to start from the AWS side and create a dummy Customer Gateway with dynamic routing.
The next step is to create a Virtual Private Gateway (VPG) on the AWS site. It plays the same role as the Oracle OCI Dynamic Routing Gateway.
We can see the gateway is still detached from the VPC. We need to attach it.
As soon as the VPG is attached, we can go forward and create a VPN connection on the AWS side.
After creating the connection, it will be in the “pending state,” but we can download the configuration in the form of a text file. We need to choose “Generic” for the configuration type. It will give us the required information to set up all the elements on the OCI site successfully. The configuration is a text file with all the properties of the VPN connection.
The first thing you need to verify is the “Pre-Shared Key” in the downloaded file. It can contain only numbers, letters, and spaces. If it has any other characters, then delete the VPN connection and create it again.
Now we are ready to work on the OCI site, and we start from the Customer-Premises Equipment (CPE). We copy the public IP for the AWS VPG from the downloaded configuration file.
And paste it to the public IP address for the new CPE.
The next step is to create a Dynamic Routing Gateway
and attach it to your VCN in the OCI. If you already have a DRG attached to your VCN, as I have, you don’t need to create another one.
The next step in the OCI is to create a VPN connection using our created CPE and DRG.
Click on “Show Advanced Options” and paste your pre-shared key and required IP addresses from the same configuration file you downloaded for the AWS VPN connection.
And put the values to the tunnel parameters.
Don’t miss the order – in the AWS file, the CPE inside interface is after the value for the Oracle interface.
The second tunnel is just a dummy tunnel, and you can put any values there. The reason is that our virtual interfaces cannot have more than one IP address.
On that, all our steps on the OCI part of the VPN connection are done. We need to wait when the VPN is provisioned and take a couple of parameters for configuration on the AWS side. You will need the public IP address for the tunnel.
And if you click on the tunnel, you can get the BGP ASN for Oracle.
Now we can go back and create a new Customer Gateway on AWS using those values.
And change our AWS VPN connection replacing the previously created dummy Customer Gateway with the new one.
After some time, one tunnel on both VPN connections should show the “up” status.
The last steps are to set up routing on AWS using our VPG as a destination for CIDR associated with the Oracle VCN.
And do the same on the OCI VCN route table, adding the route to the AWS VPC.
Don’t forget to open ports using security lists and groups for traffic on both sides. I prefer to use network security groups on OCI. They provide more granular access in comparison with security lists.
After opening ports we can ping and connect the hosts using private network addresses.
That will work for POC or some tests but if you decide to implement it on production you need to repeat all the steps creating an additional VPN connection using the same dynamic BGP. This will provide a proper redundant connection and if one of the links is negatively impacted, then the other one will be able to pick up the load.
You can see that in my case the ping is about 32 ms which is not terribly bad but might not be sufficient for a load that requires lower latency… In such a case, you probably need to look to Oracle FastConnect and AWS Direct connect.
I hope this small how-to can help to save some time. Happy testing.