Setting Up a Site-to-Site VPN Connection Between Oracle Cloud Infrastructure (OCI) and Amazon Web Services (AWS)
Table of contents
- Prerequisites
- Configuration Steps
- Step 1: Login to AWS Console
- Step 2: Create a Customer Gateway
- Step 3: Create AWS Transit Gateway
- Step 4: Create Transit Gateway Attachment
- Step 5: Create Site-to-Site VPN Connection
- Step 6: Download VPN Configuration
- Step 7: Login to Oracle Cloud and Add CPE in Oracle Cloud
- Step 8: Create a Dynamic Routing Gateway (DRG)
- Step 9: Create DRG Attachment to VCN
- Step 10: Create Site-to-Site Connection
- Step 11: Create Customer Gateway with OCI Tunnel1 Public IP Address
- Step 12: Modify VPN Connection
- Step 13: Modify VPN Tunnel Options
- Step 14: Check the Tunnel and BGP Status
- Conclusion
This document walks through establishing an encrypted IPsec Site-to-Site VPN between Oracle Cloud Infrastructure (OCI) and Amazon Web Services (AWS), using IKEv2 and BGP dynamic routing so that each side learns the other's prefixes automatically. The result is a single tunnel between an AWS Transit Gateway and an OCI Dynamic Routing Gateway.
Prerequisites
Before proceeding with the setup, ensure the following prerequisites are met:
OCI Prerequisites:
An OCI account with necessary permissions.
A Virtual Cloud Network (VCN) with subnets.
AWS Prerequisites:
An AWS account with necessary permissions.
A Virtual Private Cloud (VPC) with subnets.
Additionally, you should be familiar with OCI and AWS networking concepts, as well as general networking principles such as CIDR subnetting and IP ranges.
Configuration Steps
The order of operations matters because each side needs the other's public tunnel address, and some fields cannot be changed once set: AWS does not let you edit a customer gateway's IP address after creation, OCI does not let you change a CPE's IP address after creation, and OCI only assigns a tunnel's public IP when the IPSec connection is created. We therefore create the AWS VPN connection first against a placeholder customer gateway (which gives us the AWS outside IP addresses), build the OCI side against that address (which gives us the OCI tunnel public IP and shared secret), and finally point AWS at the real OCI address by swapping in a new customer gateway and modifying the VPN connection.
Step 1: Login to AWS Console
Log in to the AWS Management Console.
In the AWS Console search bar, type VPC and select VPC Console.
In the VPC Console, search for Customer Gateway or directly search for it in the search bar.
Step 2: Create a Customer Gateway
Navigate to the Customer Gateway section.
Click on Create Customer Gateway.
Use the following details:
Name: rushabh-cgw
ASN: 31898 (the BGP ASN of Oracle's commercial cloud; OCI presents this ASN on every IPSec tunnel).
IP Address: a placeholder such as 1.1.1.1. AWS requires a customer gateway address at creation time and does not let you change it afterwards, but the OCI tunnel's public IP is not known until Step 10. This placeholder gateway exists only so the VPN connection can be created; it is replaced with the real OCI tunnel address in Steps 11 and 12.
Click Create.
What is an ASN? (Explained Simply)
An Autonomous System Number (ASN) identifies one independently administered network (an autonomous system) to the rest of the internet. BGP routers identify their peers by ASN, so the customer gateway must carry Oracle's ASN (31898) for the BGP session over the tunnel to form; an ASN mismatch is a common reason a tunnel comes up but exchanges no routes.
Step 3: Create AWS Transit Gateway
Navigate to the Transit Gateway section in the AWS Console.
Click on Create Transit Gateway.
Use the following details:
Name: rushabh-aws-to-qa-trans-gateway
Keep all other values as default.
Click Create.
Step 4: Create Transit Gateway Attachment
Go to the Transit Gateway Attachments section.
Click Create Transit Gateway Attachment.
Use the following details:
Name: rushabh-tgw-attachment
Transit Gateway: Select the one created earlier.
Attachment Type: VPC.
VPC ID: Select the required VPC.
Subnet ID: Select the required subnets or all subnets in the VPC.
Click Create Attachment.
Note: Ensure you attach the proper VPC (Normally Hub VPC) and select all required subnets that you want to advertise to OCI through BGP routing
Step 5: Create Site-to-Site VPN Connection
Navigate to Site-to-Site VPN Connections.
Click Create VPN Connection.
Use the following details:
Name: aws-to-oci-vpn-conn
Target Type: Select Transit Gateway.
Transit Gateway: Select the one created earlier.
Customer Gateway: Select the one created in Step 2.
Routing Options: BGP (Dynamic).
Tunnel Inside IP Version: IPv4.
In Tunnel 1 Options, configure the following:
Tunnel Inside IPv4 CIDR: 169.254.80.0/30
If you leave this blank, AWS picks a /30 at random; setting it explicitly makes the OCI side (Step 10) easier to fill in and lets you avoid the ranges OCI rejects.
Click Create VPN Connection.
Note: For the Tunnel 1 Inside IPv4 CIDR, choose a /30 from the link-local 169.254.0.0/16 range. OCI does not accept inside tunnel addresses from the following ranges:
169.254.10.0 - 169.254.19.255
169.254.100.0 - 169.254.109.255
169.254.192.0 - 169.254.201.255
AWS in turn reserves 169.254.0.0/30 through 169.254.5.0/30 and 169.254.169.252/30, so pick a /30 that avoids both lists; 169.254.80.0/30 does.
Step 6: Download VPN Configuration
Once the VPN connection is created, go to the VPN Connections page.
Select the VPN connection and click on Download Configuration.
In the download configuration page:
Vendor: Generic
IKE Version: IKEv2
Click Download and save the configuration for later use.
You can read the tunnel addresses (the Outside IP address of each tunnel and the inside /30) from the downloaded file, or from the Tunnel details tab on the VPN connection page.
Step 7: Login to Oracle Cloud and Add CPE in Oracle Cloud
Log in to the Oracle Cloud Console.
Navigate to Networking > Customer Connectivity > Customer-Premises Equipment.
Click Create CPE.
Use the following details:
Name: oci-cpe
Compartment: Choose your compartment based on your need.
IP Address: Enter the Outside IP address of Tunnel 1 on the AWS VPN connection created in Step 5 (shown on the Tunnel details tab and in the downloaded configuration as the AWS-side outside address). This is the AWS endpoint OCI will peer with; it is not the placeholder customer gateway address from Step 2.
Click Create CPE.
Step 8: Create a Dynamic Routing Gateway (DRG)
Navigate to Dynamic Routing Gateways (DRG).
Click Create DRG.
Use the following details:
- Name: aws-demo-drg
Click Create DRG.
Step 9: Create DRG Attachment to VCN
Select the DRG created earlier.
Click on Create VCN Attachments.
Use the following details:
Name: demo-oracle-qa-vcn-attach
VCN: Select the Virtual Cloud Network (VCN) to attach.
Click Create Attachment.
Step 10: Create Site-to-Site Connection
Go to IPSec Connections.
Click Create IPSec Connection.
Use the following details:
Name: oci-vpn-conn
Compartment: Use default value or one you need.
DRG: Select the one created earlier.
Customer-Premises Equipment (CPE): Select the CPE created in previous steps.
Route to your on-prem Network: Enter the CIDR of the AWS VPC attached to the Transit Gateway in Step 4 (AWS is the "on-premises" side from OCI's point of view). The field is required, but with BGP routing the prefixes actually used are the ones learned from AWS.
In Tunnel 1:
IKE Version: IKEv2
Routing Type: BGP
BGP ASN: 64512 (the Amazon-side ASN of the Transit Gateway; 64512 is the default you kept in Step 3. If you changed it there, use that value.)
IPv4 Inside Tunnel Interface - CPE: the AWS end of the /30 you set in Step 5. AWS gives the first usable host of the Inside IPv4 CIDR to its own endpoint and the second to the customer gateway (the downloaded configuration lists both). The CPE in OCI is the AWS endpoint, so enter the first host: for 169.254.80.0/30 that is 169.254.80.1/30.
IPv4 Inside Tunnel Interface - Oracle: the second usable host, 169.254.80.2/30. A /30 has only these two hosts (.0 is the network address and .3 the broadcast), so no other values are valid.
Click Create IPSec Connection.
The IPSec connection is now created with two tunnels; this guide uses only Tunnel 1. Open it and note its Oracle-side public IP address (shown as the VPN IP address): it becomes the AWS customer gateway address in Step 11.
Also copy Tunnel 1's shared secret from OCI. The pre-shared key AWS generated (visible in the downloaded configuration) contains characters OCI does not accept, so instead of pushing the AWS key to OCI we push the OCI key to AWS in Step 13. Keep the secret somewhere safe; it is what authenticates the two endpoints to each other.
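As an added, runnable check (not part of the original guide), the following Python helper validates the Tunnel 1 inside /30 chosen in Step 5 against both clouds' reserved ranges, derives the two inside-interface values the OCI form above asks for, and tests a shared secret against AWS's pre-shared-key rules before it is pasted into AWS in Step 13. The OCI reserved ranges are the ones listed in Step 5; the AWS reserved blocks and PSK rules (8 to 64 characters, letters, digits, period and underscore, no leading zero) come from the AWS Site-to-Site VPN documentation. The inputs at the bottom are constructed examples.

```python
import ipaddress
import string

# Both clouds take tunnel inside addresses from the link-local block.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# Ranges OCI rejects for inside tunnel interfaces (listed in Step 5).
OCI_RESERVED = [
    ("169.254.10.0", "169.254.19.255"),
    ("169.254.100.0", "169.254.109.255"),
    ("169.254.192.0", "169.254.201.255"),
]

# Blocks AWS refuses as a TunnelInsideCidr (AWS Site-to-Site VPN documentation).
AWS_RESERVED = [ipaddress.ip_network(b) for b in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30",
)]


def check_inside_cidr(cidr: str) -> list[str]:
    """Return the reasons a candidate inside CIDR would be rejected; [] means usable on both sides."""
    try:
        # strict=True rejects host bits, e.g. "169.254.80.1/30" typed where the network belongs.
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return [f"not a valid network: {exc}"]
    if net.version != 4 or net.prefixlen != 30:
        return ["must be an IPv4 /30"]
    if not net.subnet_of(LINK_LOCAL):
        return ["must be inside 169.254.0.0/16"]
    problems = []
    for start, end in OCI_RESERVED:
        blocks = ipaddress.summarize_address_range(
            ipaddress.ip_address(start), ipaddress.ip_address(end))
        if any(net.overlaps(b) for b in blocks):
            problems.append(f"overlaps OCI-reserved range {start}-{end}")
    for block in AWS_RESERVED:
        if net.overlaps(block):
            problems.append(f"overlaps AWS-reserved block {block}")
    return problems


def inside_interfaces(cidr: str) -> dict[str, str]:
    """Map one /30 onto the fields each console asks for.

    AWS gives the first usable host to its own endpoint and the second to the
    customer gateway. In OCI the "CPE" is the AWS endpoint, so the AWS address
    goes into OCI's CPE field and the customer address into the Oracle field.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.prefixlen != 30:
        raise ValueError("inside CIDR must be a /30")
    aws_side, oracle_side = net.hosts()  # .1 and .2 of the /30
    return {
        "aws_tunnel_inside_cidr": str(net),
        "aws_endpoint_inside_ip": f"{aws_side}/30",
        "oci_inside_interface_cpe": f"{aws_side}/30",
        "oci_inside_interface_oracle": f"{oracle_side}/30",
    }


AWS_PSK_CHARS = set(string.ascii_letters + string.digits + "._")


def aws_psk_problems(psk: str) -> list[str]:
    """Check a shared secret against AWS's rules: 8-64 chars, [A-Za-z0-9._], no leading '0'."""
    problems = []
    if not 8 <= len(psk) <= 64:
        problems.append(f"length {len(psk)} is outside 8..64")
    if psk.startswith("0"):
        problems.append("must not start with '0'")
    bad = sorted(set(psk) - AWS_PSK_CHARS)
    if bad:
        problems.append("disallowed characters: " + " ".join(repr(c) for c in bad))
    return problems


if __name__ == "__main__":
    for candidate in ("169.254.80.0/30", "169.254.12.0/30", "169.254.80.1/30"):
        print(candidate, check_inside_cidr(candidate) or "ok")
    print(inside_interfaces("169.254.80.0/30"))
    # Constructed secret; a real one is copied from the OCI tunnel, never hard-coded.
    print(aws_psk_problems("example.shared_secret42") or "ok")
```

Run it before filling in the OCI form: a non-empty list from check_inside_cidr means one of the two consoles will refuse the value, and a non-empty list from aws_psk_problems means the OCI-generated secret cannot be pasted into AWS as-is.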
Step 11: Create Customer Gateway with OCI Tunnel1 Public IP Address
Go to the Customer Gateway section.
Click on Create Customer Gateway.
Use the following details:
Name: rushabh-cgw-public
ASN: 31898 (This is the BGP ASN of Oracle's commercial cloud).
IP Address: the public IP address of OCI Tunnel 1 noted at the end of Step 10 (e.g., 152.67.250.8).
Click Create. The procedure is the same as in Step 2; only the IP address differs.
Step 12: Modify VPN Connection
Go to Site-to-Site VPN, select the VPN, and choose Modify VPN Connection.
Select the customer gateway created in Step 11 (rushabh-cgw-public) as the new target and save.
Wait until the VPN connection's state returns to available; the modification takes a few minutes. Then proceed to the next step.
Step 13: Modify VPN Tunnel Options
On the VPN connection's Tunnel details tab select Tunnel 1 (the tunnel whose outside IP address you entered as the OCI CPE in Step 7), choose Modify VPN Tunnel Options, and set Pre-Shared Key to the shared secret copied from the OCI tunnel in Step 10. Leave the Inside IPv4 CIDR as it is.
Save the settings; AWS re-establishes the tunnel with the new key. That key is the only credential authenticating the two endpoints to each other, so store it as you would any other secret.
Step 14: Check the Tunnel and BGP Status
On the AWS VPN connection's Tunnel details tab, watch the tunnel status. Tunnel 2 stays DOWN because only Tunnel 1 was configured end to end; Tunnel 1 comes UP after a few minutes once IKEv2 negotiates with the key and outside addresses set above.
Then check BGP: in AWS the tunnel's details show the number of accepted routes, and in OCI the tunnel's BGP state (Networking > Customer Connectivity > Site-to-Site VPN, select the connection and then the tunnel) should be UP.
One tunnel up on each side is the expected end state of this guide. It also means there is no tunnel-level redundancy, so a second tunnel or connection is needed before this link carries production traffic.
Finally confirm in OCI that the AWS VPC CIDR is learned via BGP (the DRG route table for the VCN attachment lists it), and in AWS that the OCI VCN CIDR appears in the Transit Gateway route table.
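As an added example (not from the original guide), the following Python applies the checks of this step to the JSON that `aws ec2 describe-vpn-connections` and `oci network ip-sec-tunnel list` return. The two samples are constructed to show the expected end state of this guide (one tunnel up per side, the other down); the IDs and 203.0.113.x addresses are made up, and the field names are those of the two CLIs' JSON output.

```python
import json

# Constructed sample shaped like the output of
#   aws ec2 describe-vpn-connections --vpn-connection-ids vpn-...
AWS_SAMPLE = json.dumps({
    "VpnConnections": [{
        "VpnConnectionId": "vpn-0123456789abcdef0",
        "State": "available",
        "VgwTelemetry": [
            {"OutsideIpAddress": "203.0.113.10", "Status": "UP",
             "AcceptedRouteCount": 1, "StatusMessage": ""},
            {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN",
             "AcceptedRouteCount": 0, "StatusMessage": "IPSEC IS DOWN"},
        ],
    }]
})

# Constructed sample shaped like the output of
#   oci network ip-sec-tunnel list --ipsc-id ocid1.ipsecconnection...
OCI_SAMPLE = json.dumps({
    "data": [
        {"display-name": "tunnel1", "vpn-ip": "203.0.113.20", "status": "UP",
         "routing": "BGP", "bgp-session-info": {"bgp-state": "UP"}},
        {"display-name": "tunnel2", "vpn-ip": "203.0.113.21", "status": "DOWN",
         "routing": "BGP", "bgp-session-info": {"bgp-state": "DOWN"}},
    ]
})


def aws_tunnel_state(describe_json: str) -> list[dict]:
    """One record per AWS tunnel: outside IP, IPsec status and BGP-accepted route count."""
    conn = json.loads(describe_json)["VpnConnections"][0]
    return [
        {"peer": t["OutsideIpAddress"], "ipsec_up": t["Status"] == "UP",
         "routes": t.get("AcceptedRouteCount", 0), "msg": t.get("StatusMessage", "")}
        for t in conn["VgwTelemetry"]
    ]


def oci_tunnel_state(list_json: str) -> list[dict]:
    """One record per OCI tunnel: Oracle public IP, IPsec status and BGP state."""
    return [
        {"peer": t["vpn-ip"], "ipsec_up": t["status"] == "UP",
         "bgp_up": (t.get("bgp-session-info") or {}).get("bgp-state") == "UP"}
        for t in json.loads(list_json)["data"]
    ]


def verdict(aws: list[dict], oci: list[dict]) -> dict:
    """Decide whether the single-tunnel design of this guide is healthy.

    Expected end state: one tunnel UP on each side with BGP exchanging routes.
    No tunnel up, or a tunnel up that exchanges no routes, is a fault.
    """
    aws_up = [t for t in aws if t["ipsec_up"]]
    oci_up = [t for t in oci if t["ipsec_up"]]
    faults, notes = [], []
    if not aws_up or not oci_up:
        faults.append("no tunnel is UP on at least one side; re-check outside IPs and the pre-shared key")
    for t in aws_up:
        if t["routes"] == 0:
            faults.append(f"AWS tunnel {t['peer']} is UP but accepted 0 routes; check BGP ASN and inside /30")
    for t in oci_up:
        if not t["bgp_up"]:
            faults.append(f"OCI tunnel {t['peer']} is UP but its BGP session is DOWN")
    if len(aws_up) == 1 and len(oci_up) == 1:
        notes.append("single tunnel only (as in this guide): the second tunnel is expected to be DOWN "
                     "and there is no redundancy")
    return {"aws_up": len(aws_up), "oci_up": len(oci_up),
            "healthy": not faults, "faults": faults, "notes": notes}


if __name__ == "__main__":
    print(json.dumps(verdict(aws_tunnel_state(AWS_SAMPLE), oci_tunnel_state(OCI_SAMPLE)), indent=2))
```

With real output, pipe each CLI's JSON into the matching function; a tunnel that is UP with zero accepted routes points at a BGP-level mismatch (ASN or inside addresses), while no tunnel up on either side points at the outside IPs or the pre-shared key from Steps 7, 11 and 13.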
Conclusion
Congratulations! You have set up a Site-to-Site VPN connection between Oracle Cloud Infrastructure (OCI) and Amazon Web Services (AWS). The tunnel is up and BGP exchanges prefixes, but traffic only flows once routing on each side is completed: AWS VPC route tables need a route for the OCI VCN CIDR pointing at the Transit Gateway (and the Transit Gateway route table must carry the VPN-learned routes), OCI VCN route tables need a route for the AWS VPC CIDR pointing at the DRG, and security groups, network ACLs and OCI security lists must permit the traffic. Only one tunnel is configured, so add a second tunnel before relying on this link in production.