Setting Up Site-to-Site VPN Connectivity from OCI to Azure Virtual WAN

April 25, 2024 | 13 minute read
Arvind Bassan
Senior Cloud Engineer

Introduction

We often come across a requirement to build a site-to-site VPN between OCI and Azure for multi-cloud architectures, and for this OCI has a simplified official document.

However, there are situations where the customer needs to implement the OCI-Azure interconnect using Azure Virtual WAN.

The Azure Virtual WAN is a networking service that brings together many networking, security, and routing functionalities. These functionalities include branch connectivity (via connectivity automation from Virtual WAN Partner devices such as SD-WAN or VPN CPE), Site-to-site VPN, remote user VPN, Private connectivity (ExpressRoute), and Intra-cloud connectivity (transit connectivity for VNETs).

Azure Virtual WAN

Please refer to the official documentation to learn more about Azure Virtual WAN or other Microsoft products.

In this blog post, I will walk you through the process to implement a site-to-site VPN between OCI and Azure Virtual WAN.

Prerequisites

  • Basic understanding of Cloud Networking concepts and components of both clouds, e.g., VPN, VCN, DRG, VNET, Subnet, Routing, etc.
  • Provision VNET, VCN, subnets, compute instances, and required routing and security rules as it suits your business needs.

VPN

Let’s start with the step-by-step process:

Step 1: Log in to the Azure console

Step 2: Create Virtual WAN

Search for Virtual WAN and click on “Create Virtual WAN”.

Select the Resource Group and Region, and choose a name for the Virtual WAN. Please note that the Virtual WAN Type should be left as “Standard”. Click on “Review + Create”.

Note: A WAN is a global resource and doesn't live in a particular region. However, you must select a region in order to manage and locate the WAN resource that you create.

Validation passed! Click ‘Create’.

Step 3: Create Virtual WAN Hub

Open the Virtual WAN, click on “Hubs” under Connectivity in the left menu, then select “New Hub” from the top menu.

Specify the Region, Name, Private Address Space, Hub Capacity, and Routing Preference for the Hub, then click on “Next: Site to Site >”.

On the next tab, click on “Yes” to create the Site-to-Site VPN. Azure’s AS Number is 65515. Select the Gateway Scale Unit as per your requirement; I’ve chosen the minimum value for this lab. Then select “Internet” as the Routing Preference.

Skip the remaining options and click directly on “Review + Create”.

Validation passed! Click “Create”.

Step 4: Create Virtual Network Connections on the vWAN page

Open the Virtual WAN, click on “Virtual network connections” under Connectivity in the left menu, then select “Add connection” from the top menu.

Enter a name for this VNET connection, select the correct VNET and Hub for the connection, and click on “Create”.

The Virtual network connections page now shows the Hub and VNET as peered.

Step 5: Edit VPN Gateway

Click on the Hub you created in the previous step.

Click on Gateway Configuration.

Take note of the AS Number and Public IP Address; these will be required when setting up BGP over the VPN. Enter the BGP peer IP address under “Customer BGP IP Address”.

Note: In Azure, you must select an address from the Azure-reserved APIPA address range for VPN, which is 169.254.21.0 to 169.254.22.255. In this lab, I have selected 169.254.21.10/31. With this /31, the Azure end of the tunnel uses 169.254.21.10 and the OCI end uses 169.254.21.11.

Click Edit -> Confirm.

Step 6: Log in to the OCI console

Step 7: Create CPE (Customer-premises equipment)

Click on the OCI Console menu and navigate to Networking -> Customer-premises equipment.

Click on ‘Create CPE’.

Enter Azure’s VPN Public IP Address, noted in Step 5.

Step 8: Create OCI Site-to-Site VPN

Click on the OCI Console menu and navigate to Networking -> “Site-to-Site VPN”.

Click on “Create IPsec connection”.

Select the CPE created in the previous step and fill in the remaining details such as Name, Compartment, and DRG.

Scroll down, enter the shared secret, and set the routing type to BGP. Enter the BGP ASN and the inside tunnel interface IP as noted in Step 5.

Scroll down and expand the Phase one and Phase two configuration options.

Check “Set custom configuration” for both Phase one and Phase two. Select the respective parameters and take note of them; they must match the Azure VPN configuration exactly.

Click on “Create IPsec connection”.

The IPsec configuration on the OCI side is complete, but the IPsec status shows “Down” because the configuration on the Azure side is still pending.

Take note of the OCI VPN Public IP, then switch to the Azure portal.

Step 9: Create Azure Virtual WAN VPN Site

Click on the Azure Virtual WAN Hub, navigate to VPN (Site to site), and click on “Create new VPN site”.

Select the region, enter the name, and specify the device vendor. Skip the private address space, as we are using BGP for this VPN configuration.

Click on “Next: Links >”.

On this “Links” tab, enter the OCI VPN link details:

  • Link Name – OCI-Azure. A name for this link.
  • Link Speed – The speed of the VPN device at the branch location. Example: 100, which means 100 Mbps.
  • Link Provider Name – OCI.
  • Link IP address – 129.146.18.218 (the OCI VPN Public IP, noted in Step 8).
  • Link BGP address – 169.254.21.11 (the BGP peer address, noted in Step 5).
  • Link ASN – 31898 (OCI BGP ASN).

Click on “Next: Review + Create >”.

Validation passed! Click on “Create”.

Step 10: Connect VPN Site

Click on the Azure Virtual WAN Hub, navigate to VPN (Site to site), and clear the filter.

Select the site “OCI”, created in Step 9, then click on “Connect VPN sites”.

Enter the Phase 1 and Phase 2 parameters, as well as the Pre-shared key (PSK) entered on OCI in Step 8.

Click on “Connect”.
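Before connecting, it helps to cross-check the values typed into the two consoles once, since a single transposed address or a differing Phase 1/Phase 2 parameter leaves the tunnel down with little to go on. The following Python script is an added example (not part of the original post): it holds the values the walkthrough tells you to note in Steps 5, 7, 8, 9 and 10 and reports any that disagree between the Azure and OCI sides. The Azure VPN public IP, the shared secret and the phase parameters are placeholders, since the post does not print them.

```python
import ipaddress

# Azure-reserved APIPA range for VPN BGP peering (see the note in Step 5).
APIPA_LO = ipaddress.ip_address("169.254.21.0")
APIPA_HI = ipaddress.ip_address("169.254.22.255")


def check_plan(az: dict, oci: dict) -> list:
    """Cross-check the values entered in the Azure and OCI consoles; returns the mismatches.

    az keys:  asn, public_ip, custom_bgp_ip with /31 (Step 5),
              link_ip, link_bgp_ip, link_asn (Step 9), psk and phases (Step 10)
    oci keys: asn, peer_asn, public_ip, inside_cpe and inside_oracle with /31,
              psk and phases (Step 8), cpe_ip (Step 7)
    """
    az_if = ipaddress.ip_interface(az["custom_bgp_ip"])
    cpe_if = ipaddress.ip_interface(oci["inside_cpe"])
    orc_if = ipaddress.ip_interface(oci["inside_oracle"])
    checks = [
        (az_if.network.prefixlen == 31 and az_if.network == cpe_if.network == orc_if.network,
         "inside tunnel addresses are not the two ends of a single /31"),
        (all(APIPA_LO <= ip <= APIPA_HI for ip in (az_if.ip, orc_if.ip)),
         "a BGP peer address is outside Azure's reserved VPN APIPA range"),
        (az_if.ip == cpe_if.ip,
         "Azure Customer BGP IP != OCI inside tunnel interface (CPE)"),
        (orc_if.ip == ipaddress.ip_address(az["link_bgp_ip"]),
         "OCI inside tunnel interface (Oracle) != Azure link BGP address"),
        (oci["cpe_ip"] == az["public_ip"], "OCI CPE IP != Azure VPN gateway public IP"),
        (az["link_ip"] == oci["public_ip"], "Azure link IP != OCI VPN public IP"),
        (az["link_asn"] == oci["asn"] and oci["peer_asn"] == az["asn"],
         "ASNs are not mirrored between the two sides"),
        (az["psk"] == oci["psk"], "pre-shared keys differ"),
        (az["phases"] == oci["phases"], "Phase 1/Phase 2 parameters differ"),
    ]
    return [msg for ok, msg in checks if not ok]


def lab_plan():
    """Values from this walkthrough; the PSK, phase parameters and Azure public IP are placeholders."""
    phases = {"phase1": "<Phase one options chosen in Step 8>", "phase2": "<Phase two options chosen in Step 8>"}
    az = {"asn": 65515, "public_ip": "<Azure VPN public IP>", "custom_bgp_ip": "169.254.21.10/31",
          "link_ip": "129.146.18.218", "link_bgp_ip": "169.254.21.11", "link_asn": 31898,
          "psk": "<shared secret>", "phases": phases}
    oci = {"asn": 31898, "peer_asn": 65515, "public_ip": "129.146.18.218", "cpe_ip": "<Azure VPN public IP>",
           "inside_cpe": "169.254.21.10/31", "inside_oracle": "169.254.21.11/31",
           "psk": "<shared secret>", "phases": phases}
    return az, oci
```

Running `check_plan(*lab_plan())` on the lab values returns an empty list; any message it returns names the field to fix before clicking “Connect”.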

Step 11: VPN and BGP status verification

In a few minutes, you will see the connection status as “Connected”.

Click on the VPN site name “OCI” to verify further information.

On this page, you can verify the connectivity status for the peered site (OCI VPN), including details such as VPN Public IP, BGP Peer IP, and ASN.

Check the “Effective routes” on the Azure VM’s network interface.

Switch to the OCI console to verify the status of the VPN connectivity on the other side.

Click on the OCI Console menu, navigate to Networking -> “Site-to-Site VPN” -> select the VPN “OCI-Azure_VPN” -> select the first tunnel, “Tunnel-1”.

Notice that the VPN and BGP status are UP. Also, verify the BGP peer IP and ASN.

Note: On the OCI side, only the first tunnel has been configured. For redundancy, repeat the same steps to add the second tunnel to the existing vWAN VPN site.

Let's verify the dynamic route advertisement on the OCI side.

Click on the OCI Console menu, navigate to Networking -> “Dynamic Routing Gateway” -> select the DRG, then click on “VCN Attachments” under “Resources” -> click on “Autogenerated DRG Route Table for VCN Attachments” under “DRG Route Table”.

Click on “Get all route rules”.

Notice that the DRG is dynamically learning the Azure VNET and Virtual WAN CIDR blocks through BGP over the VPN.

Step 12: Connectivity Test

Log in to the Compute Instance running on OCI and ping the private IP of the Azure Virtual Machine.

From OCI: 10.0.20.122

Log in to the Virtual Machine running on Azure and ping the private IP of the OCI Compute Instance.

From Azure: 10.0.0.4

The connectivity test has been successfully completed!

Thank you for reading this blog. Hope you enjoyed it!