How to build a Google Cloud HA VPN Connection Between GCP and AWS with Terraform?

Biswanath Giri
7 min read · Oct 26, 2022


Architecture Diagram:

Objective

  • Build custom VPC networks with user-specified CIDR blocks in Google Cloud and AWS
  • Deploy a VM instance in each VPC network
  • Create VPN gateways in each VPC network, plus the related resources for the IPsec tunnels: an HA VPN gateway on the Google Cloud side and two AWS VPN connections on the AWS side, which gives four tunnels in total

Preparing your Google Cloud working environment

Clone the code:

  1. In the Google Cloud Console, open a new Cloud Shell window and clone the code:
gsutil cp gs://spls/gsp854/autonetdeploy-multicloudvpn2.tar .
tar -xvf autonetdeploy-multicloudvpn2.tar
or
git clone https://github.com/bgirigcloud/GCP-AWS-VPN.git
  2. Navigate to the directory:
cd autonetdeploy-multicloudvpn

If you used git clone rather than the tarball, change into the directory that git created (GCP-AWS-VPN by default) and adjust the paths used in the rest of this post accordingly.

The folder and file structure should look like this:

Verify the Google Cloud and AWS region and zone

Open terraform/gcp_variables.tf and terraform/aws_variables.tf and confirm that the region and zone values are the ones you intend to deploy into. The AWS region set there must be the same region you select in the AWS console later when importing the SSH key pair, because EC2 key pairs are regional.

Creating access credentials

  1. In the Google Cloud Console, open the Navigation Menu and click IAM & Admin > Service Accounts.
  2. Click the Compute Engine default service account, click the three vertical dots under Actions, select Manage keys, and click ADD KEY > Create new key.
  3. Verify JSON is selected as the key type and click Create, which downloads your credentials as a file named [PROJECT_ID]-[UNIQUE_ID].json.
  4. In your Cloud Shell terminal, verify you are still in the autonetdeploy-multicloudvpn folder.
  5. To upload the downloaded JSON file from your local machine into the Cloud Shell environment, click More (the three-dot menu in the Cloud Shell toolbar), click Upload, choose the downloaded file, and click Open. The file is placed in your home (~) directory.
  6. Use the ./gcp_set_credentials.sh script provided to create the ~/.config/gcloud/credentials_autonetdeploy.json file. This script also creates terraform/terraform.tfvars with a reference to the new credentials.
./gcp_set_credentials.sh ~/[PROJECT_ID]-[UNIQUE_ID].json

Note: Replace [PROJECT_ID]-[UNIQUE_ID] with the actual file name of your downloaded JSON key.

Note: The Compute Engine default service account is used here because it already exists in every project, but it is broadly privileged. Outside a lab, create a dedicated service account that holds only the Compute Engine roles this deployment needs, and treat the downloaded JSON key like a password: keep it out of version control and delete the key from the service account once you are done.

Create AWS access credentials

Open Google Cloud Shell and run the following commands to create your credentials directory and file, readable only by your own user:

export username=$(whoami)
mkdir -p /home/$username/.aws/
chmod 700 /home/$username/.aws/
touch /home/$username/.aws/credentials_autonetdeploy
chmod 600 /home/$username/.aws/credentials_autonetdeploy

Run the following command to edit the credentials file. This is where you put the Access key ID and Secret access key generated for your IAM user:

nano /home/$username/.aws/credentials_autonetdeploy
[default]
aws_access_key_id=[AWS_ACCESS_KEY_ID]
aws_secret_access_key=[AWS_SECRET_ACCESS_KEY]

Replace the two placeholders with your own values. Use a key issued to an IAM user that has only the EC2 and VPN permissions this deployment needs, and never paste a live key pair into a document, screenshot or repository: a key that has been published has to be treated as compromised and rotated.

To save the file, use CTRL+X to exit, then type Y to save the changes, and hit Enter.

Run the following to inspect your security credentials file:

cat /home/$username/.aws/credentials_autonetdeploy

Once your file is correctly formatted, use the following command to set a Terraform environment variable to the correct AWS credentials file path:

export TF_VAR_aws_credentials_file_path=/home/$username/.aws/credentials_autonetdeploy

Note: A different way to do this would be to update the terraform/terraform.tfvars file to reference the AWS credentials file path.
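The following helper is an added example for the credentials step above; it is not part of the original post or of the autonetdeploy scripts. It writes the credentials file with the directory and file modes restricted to your user from the moment they are created, then validates the file's format and permissions before the path is exported to Terraform, so a mis-pasted or world-readable key is caught before `terraform plan` sends it to AWS. It assumes a POSIX shell with ls, grep and mktemp (Cloud Shell qualifies). The key pair it demonstrates with is the non-functional example pair from the AWS documentation, and the demo writes to a temporary directory instead of ~/.aws.

```shell
#!/bin/sh
# Added example: not from the original post or the autonetdeploy scripts.
# Assumes a POSIX shell with ls, grep and mktemp (Cloud Shell qualifies).

# Write an AWS shared-credentials file holding one [default] profile.
# The subshell umask makes the directory 0700 and the file 0600 at creation
# time, so there is never a window where another local user can read the key;
# the chmod afterwards covers the case where the file already existed.
write_aws_credentials() {
    file="$1"; key_id="$2"; secret="$3"
    (
        umask 077
        mkdir -p "$(dirname "$file")"
        printf '[default]\naws_access_key_id=%s\naws_secret_access_key=%s\n' \
            "$key_id" "$secret" > "$file"
    )
    chmod 600 "$file"
}

# Check a credentials file before handing its path to Terraform:
#   - mode must be exactly 0600 (owner read/write, nothing for group/other)
#   - the [default] profile header must be present
#   - the key ID must look like a long-term IAM access key (AKIA + 16 chars)
#   - the secret must be the 40-character string AWS issues
# Temporary (ASIA...) credentials also need a session token and are
# deliberately not accepted here.
validate_aws_credentials() {
    file="$1"
    [ -f "$file" ] || { echo "missing file: $file" >&2; return 1; }
    perms=$(ls -ld "$file" | cut -c1-10)
    [ "$perms" = "-rw-------" ] \
        || { echo "$file has permissions $perms, expected -rw-------" >&2; return 1; }
    grep -q '^\[default\]$' "$file" \
        || { echo "$file: no [default] profile" >&2; return 1; }
    grep -Eq '^aws_access_key_id=AKIA[0-9A-Z]{16}$' "$file" \
        || { echo "$file: access key id is not a 20-character AKIA key" >&2; return 1; }
    grep -Eq '^aws_secret_access_key=[A-Za-z0-9/+]{40}$' "$file" \
        || { echo "$file: secret access key is not 40 characters" >&2; return 1; }
    return 0
}

# Demonstration with the documented, non-functional AWS example key pair
# (constructed input) written to a temporary directory. For the real run,
# point the file at ~/.aws/credentials_autonetdeploy and pass your own key.
demo_dir=$(mktemp -d)
demo_file="$demo_dir/credentials_autonetdeploy"
write_aws_credentials "$demo_file" AKIAIOSFODNN7EXAMPLE wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
if validate_aws_credentials "$demo_file"; then
    export TF_VAR_aws_credentials_file_path="$demo_file"
    echo "credentials file OK: TF_VAR_aws_credentials_file_path=$TF_VAR_aws_credentials_file_path"
fi
```

Source the script (or paste the two functions into your shell) and call `write_aws_credentials ~/.aws/credentials_autonetdeploy "$AWS_ACCESS_KEY_ID" "$AWS_SECRET_ACCESS_KEY"` with the key exported in your environment rather than typed into an editor; `validate_aws_credentials` is cheap enough to run every time before `terraform plan`.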

Setting your project

Set your Google Cloud Project ID by using the following commands:

export PROJECT_ID=$(gcloud config get-value project)
gcloud config set project $PROJECT_ID

Use the provided script to update the project value in your configuration files for Terraform:

./gcp_set_project.sh
  1. Review the updated file to verify that your project-id value has been inserted into terraform/terraform.tfvars. You can either use the cat command or the Cloud Shell Editor to verify the file.
  2. Run the one-time terraform init command to install the Terraform providers for this deployment:
cd terraform
terraform init
  3. Run the Terraform plan command to verify your credentials:
terraform plan

Using SSH keys for connecting to VM instances

Generate a key pair

  1. In Cloud Shell, use ssh-keygen to generate a new key pair:
ssh-keygen -t rsa -f ~/.ssh/vm-ssh-key -C $username

When asked for a passphrase, press Enter twice to leave it blank. That is acceptable for a short-lived lab key that never leaves Cloud Shell; for a key you intend to keep, set a passphrase and load the key into ssh-agent instead.

  2. Restrict access to your private key. This is a best practice.
chmod 400 ~/.ssh/vm-ssh-key

Import the public key to Google Cloud

In this section, you will import and register your key.

  1. In Cloud Shell, register your public key with Google Cloud:
gcloud compute config-ssh --ssh-key-file=~/.ssh/vm-ssh-key
  2. In the Cloud Console, navigate to the Compute Engine > Metadata page.
  3. Click SSH Keys. Verify your SSH key exists.
  4. Under the Key section, copy the SSH key value. You will use this in the next section.

Import the public key to AWS

You can reuse the public key file generated with Google Cloud.

  1. In the AWS Management Console, navigate to Services > Compute > EC2.

Note: Verify that you are in the US East (N. Virginia) us-east-1 region. EC2 key pairs are regional, so the key must be imported into the same region that terraform/aws_variables.tf deploys the instance into.

  2. In the EC2 Dashboard, under Network & Security on the left, click Key Pairs.
  3. Click Actions > Import Key Pair.
  4. For the name, enter: vm-ssh-key.
  5. Paste the contents of your Google Cloud public key (Compute Engine > Metadata > SSH Keys) into the Public key contents box.
  6. Verify that the contents are of the expected form: ssh-rsa [KEY_DATA] [USERNAME].
  7. Click Import Key Pair.

Examining Terraform configuration files

Deploying VPC networks, VM instances, VPN gateways, and IPsec tunnels

Resources Terraform creates in GCP:

  • data.google_compute_zones.available
  • google_compute_address.gcp-ip
  • google_compute_external_vpn_gateway.external_gateway
  • google_compute_ha_vpn_gateway.gcp-vpn-gw
  • google_compute_firewall.gcp-allow-all
  • google_compute_firewall.gcp-allow-icmp
  • google_compute_firewall.gcp-allow-internet
  • google_compute_firewall.gcp-allow-ssh
  • google_compute_firewall.gcp-allow-vpn
  • google_compute_firewall.https
  • google_compute_instance.gcp-vm
  • google_compute_network.gcp-network
  • google_compute_router.gcp-router1
  • google_compute_router.gcp-router2
  • google_compute_router.gcp-router3
  • google_compute_router.gcp-router4
  • google_compute_router_interface.router_interface1
  • google_compute_router_interface.router_interface2
  • google_compute_router_interface.router_interface3
  • google_compute_router_interface.router_interface4
  • google_compute_router_peer.gcp-router1-peer
  • google_compute_router_peer.gcp-router2-peer
  • google_compute_router_peer.gcp-router3-peer
  • google_compute_router_peer.gcp-router4-peer
  • google_compute_subnetwork.gcp-subnet1
  • google_compute_vpn_tunnel.gcp-tunnel1
  • google_compute_vpn_tunnel.gcp-tunnel2
  • google_compute_vpn_tunnel.gcp-tunnel3
  • google_compute_vpn_tunnel.gcp-tunnel4

Before reusing this configuration outside a lab, read the firewall rules named gcp-allow-all and gcp-allow-internet in the .tf files and confirm which source ranges and ports they open; the names suggest broad ingress, and the only traffic this design needs from outside is SSH to the test VM, IPsec to the HA VPN gateway, and the VPN rule for the AWS subnet.

Resources Terraform creates in AWS:

  • data.aws_ami.ubuntu
  • aws_customer_gateway.aws-cgw-1
  • aws_customer_gateway.aws-cgw-2
  • aws_default_route_table.aws-vpc
  • aws_eip.aws-ip
  • aws_instance.aws-vm
  • aws_internet_gateway.aws-vpc-igw
  • aws_security_group.aws-allow-icmp
  • aws_security_group.aws-allow-internet
  • aws_security_group.aws-allow-ssh
  • aws_security_group.aws-allow-vpn
  • aws_default_security_group.default
  • aws_subnet.aws-subnet1
  • aws_vpc.aws-vpc
  • aws_vpn_connection.aws-vpn-connection1
  • aws_vpn_connection.aws-vpn-connection2
  • aws_vpn_gateway.aws-vpn-gw

The HA topology can be read off these two lists. A Google Cloud HA VPN gateway has two interfaces, and each of its interfaces is registered as a separate customer gateway on AWS (aws-cgw-1 and aws-cgw-2). Every AWS site-to-site VPN connection comes with two tunnels, so the two aws_vpn_connection resources supply four tunnel endpoints; on the Google side those four endpoints are the four interfaces of the external VPN gateway, terminated by the four google_compute_vpn_tunnel resources, each with its own Cloud Router interface and BGP peer. Routes are exchanged over BGP rather than configured statically, which is what lets traffic fail over when one tunnel drops.

Deploy with Terraform

  1. In Cloud Shell, navigate to the terraform directory:
cd ~/autonetdeploy-multicloudvpn/terraform
  2. Use the Terraform validate command to validate the syntax of your configuration files. This validation check is simpler than those performed as part of the plan and apply commands in subsequent steps. The validate command does not authenticate with any providers.
terraform validate
  3. Use the Terraform plan command to review the deployment without instantiating resources in the cloud. The plan command requires successful authentication with all providers specified in the configuration.
terraform plan
  4. Use the Terraform apply command to create a deployment:
terraform apply

The apply command creates a deployment with backing resources in the cloud. In around four minutes, apply creates 30+ resources for you, including GCP and AWS VPC networks, VM instances, VPN gateways, and IPsec tunnels. The output of the apply command includes details of the resources deployed and the output variables defined by the configuration.

Type yes and press Enter to approve. When apply finishes, print the output variables:

terraform output
aws_instance_external_ip = "3.234.111.104"
aws_instance_internal_ip = "172.16.0.100"
gcp_instance_external_ip = <<EOT
35.225.65.100
EOT
gcp_instance_internal_ip = "10.240.0.100"
  5. Use the Terraform show command to inspect the deployed resources and verify the current state:
terraform show

Verify that your Google Cloud VM instance is functioning by using the ssh command to connect to it. No username is given because ssh uses your current Cloud Shell username, which is the name the key was registered under:

ssh -i ~/.ssh/vm-ssh-key [GCP_EXTERNAL_IP]

Run the ping and curl commands in your ssh session:
ping -c 5 google.com
curl ifconfig.co/ip

Run simple network performance checks from the Google Cloud VM instance. Use pre-installed scripts to run a test on each network interface, both external and internal.

  • Over external IPs:
/tmp/run_iperf_to_ext.sh
  • Over VPN (internal IPs):
/tmp/run_iperf_to_int.sh

To verify that your AWS VM instance is functioning, use the ssh command to connect to it:

ssh -i ~/.ssh/vm-ssh-key ubuntu@[AWS_EXTERNAL_IP]

You will get a message asking to confirm the authenticity of the host. Type yes.

Run the ping and curl commands in your ssh session:
ping -c 5 google.com
curl ifconfig.co/ip

Run simple network performance checks from the AWS VM instance. Use pre-installed scripts to run a test on each network interface, both external and internal.

  • Over external IPs:
/tmp/run_iperf_to_ext.sh
  • Over VPN (internal IPs):
/tmp/run_iperf_to_int.sh
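The iperf numbers only mean something if the VPN is actually in the redundant state the design intends: all four tunnels established and all four BGP sessions up. The following check is an added example, not code from the original post or the autonetdeploy repository. The two parsing functions are exercised on constructed sample output in the shape the CLIs print; the check_live_vpn function runs the real gcloud and aws commands and assumes the region from terraform/gcp_variables.tf is passed as its argument and that the four Cloud Routers carry the names shown in the resource list (gcp-router1 to gcp-router4), which are assumptions to replace with what `terraform show` reports.

```shell
#!/bin/sh
# Added example: not from the original post or the autonetdeploy repository.
# Assumes a POSIX shell with awk; the live check additionally assumes the
# gcloud and aws CLIs are authenticated as set up earlier in the post.

# $1: "name status" lines as printed by
#     gcloud compute vpn-tunnels list --format="value(name,status)"
#     (gcloud separates the columns with a tab; awk accepts tab or space)
# $2: number of tunnels the topology is supposed to have (4 for this HA VPN)
# Succeeds only when exactly $2 tunnels exist and every one is ESTABLISHED.
# A missing tunnel, or one stuck in FIRST_HANDSHAKE, NO_INCOMING_PACKETS,
# NEGOTIATION_FAILURE and so on, is reported on stderr and fails the check.
tunnels_healthy() {
    printf '%s\n' "$1" | awk -v want="$2" '
        NF >= 2 {
            total++
            if ($2 == "ESTABLISHED") up++
            else printf "tunnel %s is %s\n", $1, $2 > "/dev/stderr"
        }
        END {
            if (total != want) printf "expected %d tunnels, found %d\n", want, total > "/dev/stderr"
            exit !(total == want && up == want)
        }'
}

# $1: whitespace-separated UP/DOWN states, $2: how many are expected,
# $3: label for messages. Succeeds only if all $2 states are UP.
# Serves both the AWS tunnel telemetry (VgwTelemetry[].Status) and the
# Cloud Router BGP peer states, which both report UP or DOWN.
all_up() {
    printf '%s\n' "$1" | awk -v want="$2" -v label="$3" '
        {
            for (i = 1; i <= NF; i++) {
                total++
                if ($i == "UP") up++
                else printf "%s %d is %s\n", label, i, $i > "/dev/stderr"
            }
        }
        END {
            if (total != want) printf "expected %d %s states, found %d\n", want, label, total > "/dev/stderr"
            exit !(total == want && up == want)
        }'
}

# Live check against the deployment. Pass the GCP region from
# terraform/gcp_variables.tf; the router names are assumptions taken from the
# resource list, substitute the names `terraform show` reports.
check_live_vpn() {
    region="${1:?pass the GCP region from terraform/gcp_variables.tf}"
    tunnels=$(gcloud compute vpn-tunnels list --regions="$region" --format="value(name,status)")
    tunnels_healthy "$tunnels" 4 || return 1
    bgp=""
    for router in gcp-router1 gcp-router2 gcp-router3 gcp-router4; do
        # value() joins list items with ';'; turn them into separate words
        state=$(gcloud compute routers get-status "$router" --region="$region" \
                    --format="value(result.bgpPeerStatus[].status)" | tr ';' ' ')
        bgp="$bgp $state"
    done
    all_up "$bgp" 4 "BGP session" || return 1
    aws_states=$(aws ec2 describe-vpn-connections \
                    --query 'VpnConnections[].VgwTelemetry[].Status' --output text)
    all_up "$aws_states" 4 "AWS tunnel"
}

# Constructed sample output (not captured from a real deployment) in the
# shape the gcloud command prints: a healthy topology and a degraded one.
SAMPLE_TUNNELS_OK='gcp-tunnel1 ESTABLISHED
gcp-tunnel2 ESTABLISHED
gcp-tunnel3 ESTABLISHED
gcp-tunnel4 ESTABLISHED'
SAMPLE_TUNNELS_DEGRADED='gcp-tunnel1 ESTABLISHED
gcp-tunnel2 ESTABLISHED
gcp-tunnel3 NO_INCOMING_PACKETS
gcp-tunnel4 ESTABLISHED'

tunnels_healthy "$SAMPLE_TUNNELS_OK" 4 && echo "sample: all 4 tunnels ESTABLISHED"
tunnels_healthy "$SAMPLE_TUNNELS_DEGRADED" 4 || echo "sample: degraded topology detected"
all_up "UP UP UP UP" 4 "AWS tunnel" && echo "sample: AWS telemetry all UP"
```

A degraded topology still passes the ping and iperf tests in the post because traffic simply follows the surviving tunnel, so this is the check to run (for example from cron, or as a post-apply step) before treating the link as highly available. Note that after `terraform apply` the tunnels take a few minutes to negotiate IKE and bring up BGP, so an early failure is expected; a failure that persists points at mismatched pre-shared keys, BGP ASNs, or a firewall rule blocking IPsec.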

Reference docs: Link

Written by Biswanath Giri

Cloud & AI Architect | Empowering People in Cloud Computing, Google Cloud AI/ML, and Google Workspace | Enabling Businesses on Their Cloud Journey
