The diagram below depicts a high-level logical view of the IPsec tunnel deployment.
Key Use-Cases:
- Deploy and securely integrate IBM Cloud Paks in a hybrid cloud deployment model
- Exploit unique capabilities of each cloud service provider in a secure fashion while adopting a hybrid cloud deployment model
- Hybrid cloud unified management solutions that can be securely integrated over an IPsec VPN tunnel
Prerequisites -
IBM Cloud:
- Active IBM Cloud account of type Pay-As-You-Go or Subscription
- IBM Cloud login ID with IAM privileges to create/manage VPN Gateway and VPN Connection resources
- IBM Cloud Gen 2 VPC, subnet and resource group
- A VSI instance on the above subnet
AWS Cloud:
- AWS Cloud login credentials
- AWS Cloud login ID with privileges to create/manage Customer Gateway, Virtual Private Gateway and VPN Connection resources
- An AWS VPC with a subnet
- An EC2 instance on that subnet
Step – 1 : VPN Gateway Setup on IBM Cloud
1.1 Login to IBM Cloud: https://cloud.ibm.com/login
1.2 Navigate to the VPN menu by selecting Navigation Menu --> VPC Infrastructure --> VPNs


1.3 From the VPN menu, select the “Create” button

1.4 Select “Site-to-site gateway” as the VPN connectivity type, then select the geographical location and IBM Cloud region in which the VPN gateway will be created.

1.5 Type in the values for the VPN gateway name and resource group, and select the subnet to which the VPN gateway will be attached.

Note: The VPC and its subnets must exist before the VPN gateway is created.
1.6 Select “Policy-based” as the IPsec VPN connectivity mode.
Note: At the time of writing (11 April 2022), IBM Cloud supports only policy-based mode for connectivity to AWS.

1.7 Leave “VPN connection for VPC” disabled during VPN gateway creation (the connections are added in Step 3) and click the “Create VPN gateway” button.

Note: VPN gateway creation takes about 5 minutes to complete.
1.8. Once the VPN gateway is ready, a green tick appears under the “Status” column, as shown below.

1.9. While the VPN gateway is being provisioned, create the IKE policy for the tunnel: select the “IKE Policies” tab, then click the “Create” button.

1.10. Set the IKE policy location and region; they must match the location/region chosen for the VPN gateway.

1.11. Fill in the IKE policy details as below and press the “Create” button.
Type in the IKE policy name, select the resource group and leave the other fields at their default values. This policy is selected when the VPN connections are created in Step 3.

1.12. The new IKE policy appears in the IKE policies panel within a few minutes, as below.

1.13. Now create the IPsec policy for the VPN tunnel. Go to the “IPsec Policies” panel and select the “Create” button.

1.14. Set the IPsec policy location and region; they must match the location/region chosen for the VPN gateway.

1.15. Configure the IPsec policy details as below and press the “Create” button.
Type in the IPsec policy name, select the resource group, enable “Perfect Forward Secrecy”, set the Diffie-Hellman group to 2 and leave the other fields at their default values. This policy is selected when the VPN connections are created in Step 3.
Note: Diffie-Hellman group 2 is a 1024-bit MODP group and is the weakest choice on offer. It is used here because it matches the AWS tunnel proposal in this walkthrough; where both sides support a stronger group (such as 14), prefer it and set the same group in the AWS tunnel options so the two ends agree.

1.16. The new IPsec policy appears in the IPsec policies panel.
Step – 2 : Set up IPsec VPN Infrastructure on AWS Cloud.
2.1. Login to AWS Cloud (https://aws.amazon.com/) and navigate to the VPC panel

2.2. Navigate to the “VIRTUAL PRIVATE NETWORK (VPN)” section, then select “Customer Gateways”

2.3 Create Customer Gateway
Note: Before creating the customer gateway in AWS, have the IBM Cloud VPN gateway's public IP address ready; it can be read from the following screen.

Select the “Create Customer Gateway” button. In the “IP Address” field, enter the IBM Cloud VPN gateway IP address and leave the other fields at their default values.


Leave the other optional fields at their default values and select the “Create customer gateway” button.

The customer gateway should be ready within a few seconds with status “Available”.

2.4. Create the Virtual Private Gateway and attach it to the VPC
Select “Create virtual private gateway” under the VPC menu. Type a “Name tag” value for easy reference and select the “Create virtual private gateway” button.

The virtual private gateway should be ready within a few seconds with status “Detached”.

Now attach the virtual private gateway to the VPC by selecting the “Actions” menu, followed by the “Attach to VPC” option.

Select the VPC from the dropdown, then select “Attach VPC”.

The virtual private gateway status shows “Attaching” for about a minute, then changes to “Attached”.

2.5 Create the VPN connection by selecting “Site-to-Site VPN Connections” under “VIRTUAL PRIVATE NETWORK (VPN)”

Type a name tag for the VPN connection and associate the virtual private gateway created above with it:

Change the routing option to “Static” and enter the AWS Cloud and IBM Cloud network CIDRs.
Note: Although this configuration is performed in AWS, the fields are named from the customer gateway's point of view: “Local IPv4 Network CIDR” is the customer-side network (here, the IBM Cloud subnet) and “Remote IPv4 Network CIDR” is the AWS-side network. Do not get confused by this terminology; a policy-based tunnel only carries traffic that matches these CIDRs.

2.5. Expand “Tunnel 1 Options” and enable “Edit tunnel 1 options”

Modify the Tunnel 1 settings as follows:

Leave the other connection values at their defaults, as below.

2.6. Set up Tunnel 2 with the same settings as above:


Select the “Create VPN Connection” button

The VPN connection is now being created in AWS; this takes about 5 minutes. Wait for the VPN connection status to change from “Pending” to “Available”.

2.7 Now select “Download Configuration” on the VPN connection page to obtain the tunnel configuration details. This information is used in IBM Cloud to configure the VPN tunnel between IBM Cloud and AWS Cloud. The downloaded file contains the pre-shared keys for both tunnels in clear text, so store it as a secret and delete it once the IBM side is configured.

When downloading the configuration, select the following values.

2.8 Now update the route table of the VPC attached to the virtual private gateway:
Note: If route propagation from the virtual private gateway is enabled on the route table, the static route is added automatically. If the route table is not updated automatically, follow the steps below.
Select the route table of the VPC attached to the virtual private gateway.

Navigate to the “Routes” tab of the route table and select “Edit routes”:

Add a route for the IBM Cloud subnet CIDR with the virtual private gateway ID as its target

Select your gateway and save the changes:

The route table of the VPC attached to the virtual private gateway should look like the following.

Step – 3 : Establishing Connectivity between IBM Cloud and AWS Cloud
3.1. Login to IBM Cloud to establish the VPN tunnel from IBM Cloud to AWS Cloud. After logging in, navigate to the “VPNs” tab under the Virtual Private Cloud menu, then select the VPN gateway created in Step 1.
Now select the three dots next to the VPN gateway and select “Create connection”.

3.2 We need to set up TWO connections on the IBM side, one per AWS tunnel. The AWS VPN connection details are in the configuration file downloaded in Step 2.7, which contains the configuration for both Tunnel 1 and Tunnel 2. For each tunnel, look for two values: a) the virtual private gateway (outside) IP address, which becomes the IBM “Peer gateway address”, and b) the pre-shared key.
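Reading the downloaded file by hand is error-prone, and a mismatch between what AWS proposes and the IBM IKE/IPsec policies from Step 1 shows up only as a connection stuck in “Down”. The script below is an added example, not part of the original walkthrough: it parses the AWS configuration, pulls out each tunnel's peer address and pre-shared key (the two values Step 3.2 asks for), and reports where the AWS proposal disagrees with the IBM policy values. The XML layout mirrors the CustomerGatewayConfiguration document returned by `aws ec2 describe-vpn-connections`, which is the same data behind the console's “Download configuration” button; the sample document, all identifiers, addresses and keys, and the IBM policy values are constructed placeholders and assumptions.

```python
"""Extract per-tunnel values from an AWS Site-to-Site VPN configuration and
cross-check the AWS proposals against the IBM Cloud IKE/IPsec policies.

Added example; not from the original walkthrough. The XML layout follows
the CustomerGatewayConfiguration document returned by
`aws ec2 describe-vpn-connections`. Every identifier, address and key
below is a constructed placeholder.
"""
import xml.etree.ElementTree as ET


def _tunnel_xml(peer_ip, psk, ipsec_pfs):
    """Build one <ipsec_tunnel> element of the constructed sample."""
    return f"""
  <ipsec_tunnel>
    <customer_gateway>
      <tunnel_outside_address><ip_address>203.0.113.10</ip_address></tunnel_outside_address>
    </customer_gateway>
    <vpn_gateway>
      <tunnel_outside_address><ip_address>{peer_ip}</ip_address></tunnel_outside_address>
    </vpn_gateway>
    <ike>
      <authentication_protocol>sha1</authentication_protocol>
      <encryption_protocol>aes-128-cbc</encryption_protocol>
      <lifetime>28800</lifetime>
      <perfect_forward_secrecy>group2</perfect_forward_secrecy>
      <mode>main</mode>
      <pre_shared_key>{psk}</pre_shared_key>
    </ike>
    <ipsec>
      <protocol>esp</protocol>
      <authentication_protocol>hmac-sha1-96</authentication_protocol>
      <encryption_protocol>aes-128-cbc</encryption_protocol>
      <lifetime>3600</lifetime>
      <perfect_forward_secrecy>{ipsec_pfs}</perfect_forward_secrecy>
      <mode>tunnel</mode>
    </ipsec>
  </ipsec_tunnel>"""


# Constructed sample: AWS always provisions two tunnels per VPN connection.
# Tunnel 2 deliberately proposes group14 for IPsec PFS to show a mismatch.
SAMPLE_CONFIG = f"""<vpn_connection id="vpn-0123456789abcdef0">
  <customer_gateway_id>cgw-0123456789abcdef0</customer_gateway_id>
  <vpn_gateway_id>vgw-0123456789abcdef0</vpn_gateway_id>
  <vpn_connection_type>ipsec.1</vpn_connection_type>{_tunnel_xml("198.51.100.21", "EXAMPLEpsk1ReplaceMe", "group2")}{_tunnel_xml("198.51.100.22", "EXAMPLEpsk2ReplaceMe", "group14")}
</vpn_connection>
"""

# IBM Cloud side as configured in Step 1 (assumed: defaults left in place
# except PFS enabled with DH group 2, as the walkthrough instructs).
IBM_IKE_POLICY = {"dh_group": 2, "key_lifetime": 28800}
IBM_IPSEC_POLICY = {"pfs": True, "dh_group": 2, "key_lifetime": 3600}


def _group_number(text):
    """'group14' -> 14; AWS spells DH groups this way in the config file."""
    return int(text[len("group"):]) if text.startswith("group") else int(text)


def parse_tunnels(xml_text):
    """Return one dict per <ipsec_tunnel>. The IBM 'Peer gateway address' is
    the AWS vpn_gateway outside address; the pre-shared key sits under <ike>."""
    root = ET.fromstring(xml_text)
    tunnels = []
    for t in root.findall("ipsec_tunnel"):
        tunnels.append({
            "peer_address": t.findtext("vpn_gateway/tunnel_outside_address/ip_address"),
            "local_address": t.findtext("customer_gateway/tunnel_outside_address/ip_address"),
            "psk": t.findtext("ike/pre_shared_key"),
            "ike_dh_group": _group_number(t.findtext("ike/perfect_forward_secrecy")),
            "ike_lifetime": int(t.findtext("ike/lifetime")),
            "ipsec_pfs_group": _group_number(t.findtext("ipsec/perfect_forward_secrecy")),
            "ipsec_lifetime": int(t.findtext("ipsec/lifetime")),
        })
    return tunnels


def check_tunnel(tunnel, ike_policy, ipsec_policy):
    """List every disagreement between the AWS proposal and the IBM policy.
    A DH group mismatch makes negotiation fail; lifetimes are reported so
    both ends rekey on the same schedule. Empty list == safe to create."""
    problems = []
    if tunnel["ike_dh_group"] != ike_policy["dh_group"]:
        problems.append(f"IKE DH group: AWS group{tunnel['ike_dh_group']} vs IBM group{ike_policy['dh_group']}")
    if tunnel["ike_lifetime"] != ike_policy["key_lifetime"]:
        problems.append(f"IKE lifetime: AWS {tunnel['ike_lifetime']}s vs IBM {ike_policy['key_lifetime']}s")
    if ipsec_policy["pfs"] and tunnel["ipsec_pfs_group"] != ipsec_policy["dh_group"]:
        problems.append(f"IPsec PFS group: AWS group{tunnel['ipsec_pfs_group']} vs IBM group{ipsec_policy['dh_group']}")
    if tunnel["ipsec_lifetime"] != ipsec_policy["key_lifetime"]:
        problems.append(f"IPsec lifetime: AWS {tunnel['ipsec_lifetime']}s vs IBM {ipsec_policy['key_lifetime']}s")
    if not tunnel["psk"]:
        problems.append("missing pre-shared key")
    return problems


def uses_weak_dh(tunnel):
    """True when either phase negotiates a DH group below 14 (1024/1536-bit MODP)."""
    return min(tunnel["ike_dh_group"], tunnel["ipsec_pfs_group"]) < 14


if __name__ == "__main__":
    for n, tun in enumerate(parse_tunnels(SAMPLE_CONFIG), start=1):
        # Never print the full PSK; it is the only secret protecting the tunnel.
        print(f"Tunnel {n}: peer {tun['peer_address']}, PSK {tun['psk'][:4]}... (redacted)")
        for p in check_tunnel(tun, IBM_IKE_POLICY, IBM_IPSEC_POLICY):
            print("  mismatch:", p)
        if uses_weak_dh(tun):
            print("  note: DH group below 14; prefer a stronger group if both sides allow it")
```

To use it against a real connection, replace SAMPLE_CONFIG with the output of `aws ec2 describe-vpn-connections --vpn-connection-ids <id> --query 'VpnConnections[0].CustomerGatewayConfiguration' --output text` and set the two IBM policy dicts to the values actually chosen in Step 1.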


3.3 Enter the peer gateway address and pre-shared key in IBM Cloud; both are found in the AWS configuration file under the Tunnel 1 configuration. Also enter the IBM Cloud network CIDR (local) and the AWS network CIDR (peer), and select the IKE policy and IPsec policy for the connection.
Note: The IKE policy and IPsec policy were created in Step 1 of this exercise.

Once the connection configuration is saved, connection validation between IBM Cloud and AWS takes about 2 minutes; during this time the connection status shows “Down”.

Once validation succeeds, the tunnel status changes to “Active”.

3.4 Set up the second VPN connection by selecting “Create connection” again, as below.



3.5 Enter the peer gateway address and pre-shared key in IBM Cloud; this time take both from the Tunnel 2 configuration in the AWS configuration file. Also enter the IBM Cloud network CIDR (local) and the AWS network CIDR (peer), and select the same IKE policy and IPsec policy.
Note: The IKE policy and IPsec policy were created in Step 1 of this exercise.

Once the connection configuration is saved, connection validation between IBM Cloud and AWS takes about 2 minutes; during this time the connection status shows “Down”.

Once validation succeeds, the tunnel status changes to “Active”.

Step – 4 : VPN Connectivity Validation
4.1. Validate connectivity from IBM Cloud to AWS Cloud:
To test connectivity, a test VSI was created in IBM Cloud. The test VSI runs CentOS with 1 vCPU and 2 GB RAM.

4.2 Login to this test VSI (10.244.0.4) over SSH:

4.3 From the test VSI (10.244.0.4), login to the test EC2 instance's private IP 10.0.7.97 over SSH:

The SSH connection from the IBM Cloud VSI to the AWS EC2 instance over its private IP succeeds.
4.4. Validate connectivity from AWS Cloud to IBM Cloud:
To test connectivity, a test EC2 instance was created in AWS Cloud. Login to this test EC2 instance (10.0.7.97) over SSH:

4.5. From the test EC2 instance (private IP 10.0.7.97), login to the test VSI's private IP 10.244.0.4 on IBM Cloud:

The SSH connection from the AWS EC2 instance to the IBM Cloud VSI over its private IP succeeds.
Congratulations! You have successfully set up a site-to-site IPsec tunnel between IBM Cloud and AWS Cloud!
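The manual SSH tests above prove the path once; the script below is an added example (not part of the original walkthrough) that turns Step 4 into a repeatable check in both directions. Because the tunnel is policy-based, only traffic matching the local/peer CIDRs from Step 2.5 and Step 3 is carried, so each probe first confirms the target address falls inside the CIDR configured for that side and only then attempts a TCP connection to port 22. The 10.0.0.0/16 and 10.244.0.0/24 CIDRs are assumptions standing in for the real subnet CIDRs; only the two instance IPs come from the walkthrough. start_local_listener() exists purely so the probe can be exercised offline.

```python
"""Repeatable Step 4 connectivity check for a policy-based IPsec tunnel.

Added example, not from the original walkthrough. Verifies that a target
lies inside the CIDRs the tunnel carries before probing it, so an address
outside the negotiated selectors is reported as a configuration gap rather
than a 'network down' failure.
"""
import ipaddress
import socket

# Instance IPs are the ones used in the walkthrough; the CIDRs are assumed
# stand-ins for the local/peer CIDRs entered in Step 2.5 and Step 3.
PATHS = [
    # (description, target private IP, CIDRs the tunnel carries towards it)
    ("IBM VSI -> AWS EC2", "10.0.7.97", ["10.0.0.0/16"]),
    ("AWS EC2 -> IBM VSI", "10.244.0.4", ["10.244.0.0/24"]),
]


def in_tunnel_cidr(target_ip, cidrs):
    """True if target_ip falls inside any of the tunnel's configured CIDRs."""
    ip = ipaddress.ip_address(target_ip)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)


def tcp_probe(host, port, timeout=3.0):
    """Complete a TCP handshake to host:port; True on success."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def validate_path(target_ip, port, cidrs, timeout=3.0):
    """Return {'in_tunnel_cidr': bool, 'reachable': bool}.

    The probe is skipped when the target is outside the tunnel CIDRs: a
    policy-based tunnel will never carry that traffic, so the fix is in the
    connection's CIDR list, not in the instance or security group."""
    in_cidr = in_tunnel_cidr(target_ip, cidrs)
    reachable = tcp_probe(target_ip, port, timeout) if in_cidr else False
    return {"in_tunnel_cidr": in_cidr, "reachable": reachable}


def start_local_listener():
    """Loopback listener so tcp_probe() can be exercised without a tunnel.
    Returns (server_socket, port); the caller closes the socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Run this on the instance named first in each description.
    for label, target, cidrs in PATHS:
        result = validate_path(target, 22, cidrs)
        print(f"{label}: {result}")
```

Run the script from the IBM VSI for the first path and from the EC2 instance for the second; a result of `in_tunnel_cidr: False` means the target subnet is missing from the connection's peer CIDRs rather than the tunnel being down.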