Reading Time: 3 minutes
Follow by Email

In this article I am going to walk you through setting up a site-to-site VPN between Azure and AWS. Provisionally this has always been a pain as AWS never supported IKEv2. In February of 2019 AWS changed this. Before you had to use a 3rd party network virtual appliance (NVA) either on Azure or AWS to establish the VPN.


At the time of writing this article BGP is not supported

Lets get to it

I am going to assume you already have an Azure VPN created and also an AWS VPN created.

In AWS navigate to the VPC you want to connect to Azure and create a new Customer Gateways. Enter a Name and the Public IP Address of you Azure Virtual Network Gateway. Then click Create Customer Gateway.

Now in AWS create a Virtual Private Gateway. Here enter the same Name you used when creating the Customer Gateway. Then click Create Virtual Private Gateway.

Still in AWS Create VPN Connection. Enter the Name we used above, select the Virtual Private Gateway you just created. Pick the Customer Gateway ID you just created also. For the Routing Options click Static and then enter Azure vNet range. Enter the existing PSK you have also. Then Click Create VPN Connection at the bottom of the form.

Download the configuration and select Generic.

In the downloaded file look for the following:

IPSec Tunnel # 1

Pre-Shared Key:

Outside IP Addresses:

Virtual Private Gateway

Now go to Azure and create a Local network gateway.

Here enter a name. Under the IP address enter the Virtual Private Gateway address from the text file. In the Address Space box enter VPC IP range from AWS. Select your subscription, resource group and location as normal.

Next we need to create the connection. Find your Virtual Network Gateway, locate Connections on the left and click Add.

In here, enter a Name, Select Site-to-Site for Connection Type, The Virtual network gateway should be picked already. Select your new Local network gateway, enter your PSK. Then pick the Resource group and Location.

After a short while the VPN will be up.

Its now time to add some routes.

Back in AWS go to Route Table under your VPC. You may need to create a route table if you do not have one. Under the Route Propagation click Edit route propagation

Tick the box to propagate. And then click Save.

Setting up the second tunnel

Create another local network gateway and use the settings under IPSec Tunnel # 2 from the downloaded text file.

To test

The best way to test is to create a VM on both sides, allow ping through the firewall and ping each other.

I hope you found this article helpful, I am no AWS expert and managed to do this so hopefully you are too. If you do have any questions please reach out.

Follow by Email
Categories: AWSAzure

Pixel Robots.

I’m Richard Hooper aka Pixel Robots. I started this blog in 2016 for a couple reasons. The first reason was basically just a place for me to store my step by step guides, troubleshooting guides and just plain ideas about being a sysadmin. The second reason was to share what I have learned and found out with other people like me. Hopefully, you can find something useful on the site.


Yhonattan · April 23, 2019 at 3:45 pm

I have a question
How does the VPN perform on AWS with IKEv2?
When I download the Generic configuration it all refers to IKEv1.

    Pixel Robots. · April 24, 2019 at 9:09 am

    My config file said the same, but it still works. I believe AWS have just not updated their process of creating the file yet to state IKEv2.

Wolffart Tamás · August 17, 2020 at 11:21 am

This sounds promising, but even tough VPN tunnel is up, routing still does not work – and AWS side does not let setting static routing – only at that option – but in fact it says for the tunnel that there is dynamic routing and pinging back and forth does not work

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *