Connecting AWS and Alibaba Cloud networks using managed VPN solutions

Dmitriy Pavlov
Published in Universal Language
8 min read · Dec 12, 2018

These days it is not uncommon for a client's production infrastructure to be split between two or more cloud providers. In this post I'd like to share our experience of connecting AWS and Alibaba Cloud securely, using only the managed VPN services of the two providers, and to show step by step how to link virtual private clouds (VPCs) across them.


Smartling's Global Delivery Network (GDN) is designed for and hosted in several AWS regions. We determined that, for the best performance, GDN proxies need to be placed as close as possible to the client's origin servers. This worked well for most of our clients, whose servers are in the U.S. and Europe, but one client with a server in China offered to host our service internally to reduce the risk of performance problems.

A while back we experimented with AWS in China, but we ran into the following challenges:

  • Our test system worked, but the inconsistent internet performance in China between different providers made it a no-go for us.
  • Our system was designed to run on Amazon Linux instances, while our client used Alibaba Cloud. Rather than support a second environment (another Linux distribution), we made the GDN run on Kubernetes. Once that was done, we had to figure out how to connect the AWS and Alibaba networks, because the GDN communicates heavily with other Smartling services.

The cluster itself had to live inside Alibaba Cloud while keeping access to resources in our AWS account: databases, brokers, and other internal services. At the same time we wanted to keep the number of custom components to a minimum, so all networking had to be done with provider-managed services, without self-hosted VPN software, proxies, and the like. In the end we satisfied all of these requirements.

Prerequisites

  • An AWS account with a VPC. In our case its IP range is 172.80.64.0/19. Note that 172.80.0.0/16 lies outside the RFC 1918 private ranges (the private block is 172.16.0.0/12). A VPC on a public range works, but hosts inside it can never reach the legitimate owners of those addresses, so prefer private space for new VPCs. Whatever you choose, the two VPC ranges must not overlap, because neither side can route a destination that is also local.
  • An Alibaba Cloud account with a VPC. In our case its IP range is 192.168.0.0/16.
  • General knowledge of networking and VPCs.

Procedures

Note: The following steps will go back and forth between AWS and Alibaba. This is because the creation of one resource in the AWS account provides data to create a related resource on the Alibaba account and vice versa.

  1. Log in to your Alibaba Cloud account and go to VPC > VPN Gateways. Click Create VPN Gateway. You will be asked for the region, the VPC, and a name; the IPsec-VPN feature must be enabled on the gateway. For example:

As soon as the VPN Gateway has been created, write down its public IP address; you will need it later. The screenshot below marks the address to capture.

2. Now go to AWS and create a Virtual Private Gateway: VPC > Virtual Private Gateways > Create Virtual Private Gateway. Give it a name. The ASN can be left at the default, because we will use static routing and BGP is not involved.

3. After the Virtual Private Gateway has been created, attach it to the VPC that you want to link with Alibaba Cloud.

4. Next comes the AWS Customer Gateway, but first some background. Both providers have an object called a Customer Gateway. It is the provider's description of the remote IPsec peer: its public IP address (and, for dynamic routing, its BGP ASN). So the AWS Customer Gateway carries the public IP of the Alibaba VPN Gateway, and the Alibaba Customer Gateway carries the public IP of an AWS VPN tunnel endpoint. With that in mind, let's create the AWS Customer Gateway.
Go to VPC > Customer Gateways and click Create. AWS will ask for the following details:

a. Name: the name of your Customer Gateway

b. Routing: Static

c. IP Address: the public IP address of the Alibaba VPN Gateway created in step 1. In our case it is 47.254.72.128

Click Create Customer Gateway to finish the creation of it.

5. We are almost finished with the AWS side. We now create the AWS half of the VPN connection; its counterpart is configured on the Alibaba side afterwards. Go to VPC > VPN Connections > Create VPN Connection and use the following parameters:

a. Name: a name of your VPN connection

b. Virtual Private Gateway: AWS Virtual Private Gateway that you have created in step 2

c. Customer Gateway: choose Existing and select the Customer Gateway created in step 4

d. Routing Options: choose Static and enter the Alibaba VPC CIDR as the Static IP Prefix. In our case it is 192.168.0.0/16

After AWS has created the VPN connection, you need the public IP addresses of its tunnels. Go to VPC > VPN Connections, click the name of the new connection, open the Tunnel Details tab, and write down both Outside IP Address values. For example:

You also need the Pre-Shared Key of each tunnel to configure the Alibaba IPsec connection; this is the IPsec authentication secret that both peers must share. Go to VPC > VPN Connections, select the connection, and click Download Configuration at the top of the console. In the dialog that appears choose Vendor: Generic and click OK; a .txt file with the VPN configuration is downloaded. That file contains the pre-shared keys of both tunnels in clear text, so treat it as a secret: do not commit it to a repository or paste it into a ticket. That is all from the AWS side for now; we will return to the AWS console to check the tunnel status once the Alibaba steps are done.

6. Go back to the Alibaba console and create a Customer Gateway. Remember, the Alibaba Customer Gateway's IP address is the outside IP address of an AWS VPN tunnel; use the address of Tunnel 1 here. In our case it is 34.194.44.159. If you don't remember it, see step 5. AWS gives you two addresses because every Site-to-Site VPN connection gets two tunnels terminating on different AWS endpoints: if one tunnel goes down, traffic is routed over the other.

7. We are now one step away from a connection between the two cloud giants. This step has a few more parameters than the previous ones: here we finish the VPN connection from the Alibaba side. In the Alibaba console go to VPC > VPN > IPsec Connections and click Create IPsec Connection. Use the following parameters:

a. Name — A name for your connection

b. VPN Gateway — Alibaba VPN gateway created in step 1

c. Customer Gateway — Recently created Alibaba Customer Gateway

d. Local Network — IP range of Alibaba VPC. In our case, it is 192.168.0.0/16

e. Remote Network — IP range of AWS VPC. In our case, it is 172.80.64.0/19

f. Effective Immediately — Yes

g. Click on switch for Advanced Configuration

h. Pre-Shared Key — the key listed under IPSec Tunnel #1 in the AWS configuration file you downloaded in step 5.

i. Version — ikev1

j. Negotiation Mode — main

k. Encryption Algorithm — aes

l. Authentication Algorithm — sha1

m. DH Group — group2

These values match the proposal in the AWS generic configuration file (IKEv1, main mode, AES-128-CBC, SHA-1, DH group 2), which is the lowest common denominator AWS offers; the Alibaba side must use the same ones or phase 1 will never complete. Both providers also support IKEv2, AES-256, SHA-256 and DH group 14, so if you can, tighten the proposal on both ends (on AWS through the tunnel options of the VPN connection), keeping the two sides identical.

The following screenshot of the Alibaba console should help you fill in all the values in the proper places:

8. That's it! You have now created a bridge between the two cloud providers. A few minutes after completing the last step you should see the following statuses:

a. For the Alibaba IPsec connection: Phase 2 of IKE Tunnel Negotiation Succeeded

b. For the AWS VPN connection: Tunnel 1 should be UP.

Remember, AWS creates two tunnels so that the connection survives the loss of one endpoint. The VPCs can already talk to each other over Tunnel 1, but you should bring up the backup tunnel now rather than after the first one fails, so this is the best moment to configure it. Repeat part of the previous steps:

  1. On the Alibaba side, create a second Customer Gateway pointing at the outside IP address of the second AWS tunnel. See step 5 if you are not sure which IP to use. In our case it is 34.198.177.52.
  2. Still on the Alibaba side, create a second IPsec connection that uses the same VPN Gateway and the newly created Customer Gateway. Its settings, including the pre-shared key for the second AWS tunnel (listed under IPSec Tunnel #2), are in the .txt file downloaded in step 5.

Once the second IPsec connection is created, the AWS status page for the VPN connection should report both tunnels as UP. Routing still needs to be configured, so that each VPC knows to send traffic for the remote IP range to the VPN device as its next hop; this only takes a minute on each side.
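Steps 5 to 7 and the backup-tunnel steps above have you copy tunnel addresses and pre-shared keys out of the downloaded AWS configuration file by hand. The following Python script, an added example that is not part of the original post or of Smartling's code, parses the Generic vendor file and produces, per AWS tunnel, the values the Alibaba IPsec connection form asks for. The embedded sample file is constructed to follow the layout of that file (trimmed to the fields used here) with the addresses quoted in this post; the pre-shared keys and the 169.254.x.x inside addresses are made up. The field labels and the IKEv1 assumption reflect the generic file format as I know it, so verify them against your own download.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample in the layout of the AWS "Generic" configuration file,
# trimmed to the fields used below. Outside IPs are the ones in this post;
# the pre-shared keys and the 169.254.x.x inside addresses are made up.
SAMPLE_CONFIG = """\
! Amazon Web Services

IPSec Tunnel #1
================================================================================
#1: Internet Key Exchange Configuration
  - Pre-Shared Key           : tunnel1.example.psk.REPLACE
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Phase 1 Negotiation Mode : main
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

#2: IPSec Configuration
  - Authentication Algorithm : hmac-sha1-96
  - Encryption Algorithm     : aes-128-cbc

#3: Tunnel Interface Configuration
Outside IP Addresses:
  - Customer Gateway         : 47.254.72.128
  - Virtual Private Gateway  : 34.194.44.159

Inside IP Addresses
  - Customer Gateway         : 169.254.10.2/30
  - Virtual Private Gateway  : 169.254.10.1/30

IPSec Tunnel #2
================================================================================
#1: Internet Key Exchange Configuration
  - Pre-Shared Key           : tunnel2.example.psk.REPLACE
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Phase 1 Negotiation Mode : main
  - Perfect Forward Secrecy  : Diffie-Hellman Group 2

#2: IPSec Configuration
  - Authentication Algorithm : hmac-sha1-96
  - Encryption Algorithm     : aes-128-cbc

#3: Tunnel Interface Configuration
Outside IP Addresses:
  - Customer Gateway         : 47.254.72.128
  - Virtual Private Gateway  : 34.198.177.52

Inside IP Addresses
  - Customer Gateway         : 169.254.11.2/30
  - Virtual Private Gateway  : 169.254.11.1/30
"""

# AWS and the Alibaba IPsec connection form spell the algorithms differently.
_ENC = {"aes-128-cbc": "aes", "aes-192-cbc": "aes192", "aes-256-cbc": "aes256"}
_AUTH = {"sha1": "sha1", "sha2-256": "sha256"}


@dataclass
class Tunnel:
    number: int
    aws_outside_ip: str      # the Alibaba Customer Gateway address for this tunnel
    alibaba_gateway_ip: str  # what AWS calls the Customer Gateway
    psk: str
    encryption: str
    authentication: str
    dh_group: str
    negotiation_mode: str

    def alibaba_ipsec_settings(self) -> dict:
        """Field values for Alibaba's Create IPsec Connection form."""
        return {
            "customer_gateway_ip": self.aws_outside_ip,
            "pre_shared_key": self.psk,
            "version": "ikev1",  # assumed: the generic file carries no version line
            "negotiation_mode": self.negotiation_mode,
            "encryption_algorithm": _ENC.get(self.encryption, self.encryption),
            "authentication_algorithm": _AUTH.get(self.authentication, self.authentication),
            "dh_group": "group" + self.dh_group.rsplit(" ", 1)[-1],  # "Diffie-Hellman Group 2" -> group2
        }


def _field(section: str, label: str) -> str:
    m = re.search(r"^\s*-\s*" + re.escape(label) + r"\s*:\s*(.+?)\s*$", section, re.M)
    if not m:
        raise ValueError(f"field {label!r} not found")
    return m.group(1)


def parse_aws_generic_config(text: str) -> list[Tunnel]:
    parts = re.split(r"^IPSec Tunnel #(\d+)\s*$", text, flags=re.M)
    tunnels = []
    for num, chunk in zip(parts[1::2], parts[2::2]):
        ike = re.search(r"#1: Internet Key Exchange Configuration(.*?)#2: IPSec Configuration",
                        chunk, re.S)
        # Only the Outside block: the Inside addresses are the 169.254.x.x
        # link-local pair and must never be used as a Customer Gateway address.
        outside = re.search(r"Outside IP Addresses:(.*?)(?=Inside IP Addresses|\Z)", chunk, re.S)
        if not ike or not outside:
            raise ValueError(f"tunnel {num}: unexpected layout")
        tunnels.append(Tunnel(
            number=int(num),
            aws_outside_ip=_field(outside.group(1), "Virtual Private Gateway"),
            alibaba_gateway_ip=_field(outside.group(1), "Customer Gateway"),
            psk=_field(ike.group(1), "Pre-Shared Key"),
            encryption=_field(ike.group(1), "Encryption Algorithm"),
            authentication=_field(ike.group(1), "Authentication Algorithm"),
            dh_group=_field(ike.group(1), "Perfect Forward Secrecy"),
            negotiation_mode=_field(ike.group(1), "Phase 1 Negotiation Mode"),
        ))
    return tunnels


if __name__ == "__main__":
    for t in parse_aws_generic_config(SAMPLE_CONFIG):
        s = t.alibaba_ipsec_settings()
        s["pre_shared_key"] = "<redacted>"  # the file holds live secrets; never log them
        print(f"AWS tunnel #{t.number} -> Alibaba IPsec connection: {s}")
```

Replace SAMPLE_CONFIG with the contents of your real download (read it from disk rather than pasting it into the script) and feed each tunnel's settings into one Alibaba IPsec connection, so the script yields exactly the two connections described above. Note that the only value the script deliberately hides in its output is the pre-shared key; if you automate the Alibaba side, pass the key to the API call directly instead of through logs or shell history.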

Routing configuration

Alibaba side

  1. Go to VPC > Route Tables and click on the route table name related to the VPC in question.
  2. Click Add Route Entry and, as Destination CIDR Block, enter the IP range of the AWS VPC. In our case it is 172.80.64.0/19.
  3. As Next Hop Type choose VPN Gateway, and as VPN Gateway select the Alibaba VPN Gateway created in step 1.

AWS side

  1. In the AWS web console, go to VPC > Route Tables.
  2. Find the route table associated with your VPC (the one used by the subnets that need the link) and click Edit.
  3. As Destination for the new route, enter the Alibaba VPC IP range. In our case 192.168.0.0/16.
  4. As Target, choose the Virtual Private Gateway created in step 2. Alternatively, enable Route Propagation for that gateway on the route table and the static prefix from the VPN connection is added to the table automatically.

Now we are done. Really done :) No more steps or small configuration changes. Just log in to an instance inside AWS or Alibaba and ping your favourite IP address in the other network. If the ping fails while both tunnels are UP, the problem is almost always a filter rather than the VPN: the AWS security groups and network ACLs and the Alibaba security groups must allow traffic from the remote VPC range (ICMP included, if you test with ping), and the instance must be in a subnet whose route table carries the route you just added. A tunnel being UP only means IKE and IPsec negotiated; it says nothing about what the two sides allow through.
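As an added pre-flight check, not from the original post, here is a Python script that verifies the addressing and routing configured above before you start pinging. The route tables, static prefixes and gateway IDs are constructed samples that mirror this post's values (the IDs are placeholders). It flags overlapping VPC ranges, Alibaba Local/Remote Network and AWS static prefix values that do not match the VPCs, a remote CIDR that does not resolve to the VPN device on either side, and more specific routes that would pull part of the remote range away from the tunnel; it also warns when a VPC range is outside RFC 1918 space, which is the case for 172.80.64.0/19.

```python
from __future__ import annotations
from ipaddress import IPv4Network

# The two VPC ranges used in this post.
AWS_VPC = IPv4Network("172.80.64.0/19")
ALI_VPC = IPv4Network("192.168.0.0/16")

# Constructed route tables as (destination, target), the way you read them off
# the two consoles after the routing steps. Gateway IDs are placeholders.
AWS_ROUTES = [
    ("172.80.64.0/19", "local"),
    ("0.0.0.0/0", "igw-0123456789abcdef0"),
    ("192.168.0.0/16", "vgw-0123456789abcdef0"),
]
ALI_ROUTES = [
    ("192.168.0.0/16", "System"),
    ("172.80.64.0/19", "VPN Gateway"),
]


def lookup(routes, dest: IPv4Network):
    """Longest-prefix match covering the whole block `dest`, plus the entries
    that are more specific than `dest` and would carry part of it elsewhere."""
    best, stealers = None, []
    for cidr, target in routes:
        net = IPv4Network(cidr)
        if net.supernet_of(dest):
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, target)
        elif net.overlaps(dest):
            stealers.append((net, target))
    return best, stealers


def _route_check(side, routes, dest, is_vpn_target):
    errors, warnings = [], []
    best, stealers = lookup(routes, dest)
    if best is None or not is_vpn_target(best[1]):
        errors.append(f"{side} route table: {dest} does not resolve to the VPN device")
    for net, target in stealers:
        if not is_vpn_target(target):
            warnings.append(f"{side} route table: {net} -> {target} bypasses the VPN for part of {dest}")
    return errors, warnings


def check_link(aws_vpc, ali_vpc, aws_routes, ali_routes,
               aws_static_prefixes, ali_local, ali_remote):
    """Return (errors, warnings). Empty errors means both sides agree."""
    errors, warnings = [], []

    if aws_vpc.overlaps(ali_vpc):
        errors.append(f"VPC CIDRs overlap ({aws_vpc} and {ali_vpc}); renumber one side")
    for side, net in (("AWS", aws_vpc), ("Alibaba", ali_vpc)):
        if not net.is_private:
            warnings.append(f"{side} VPC {net} is outside RFC 1918 space; hosts in it "
                            "can never reach the real owners of those public addresses")

    # Traffic selectors: the AWS static prefixes must cover the Alibaba VPC, and
    # the Alibaba Local/Remote Network fields must be exactly the two VPC CIDRs.
    if not any(IPv4Network(p).supernet_of(ali_vpc) for p in aws_static_prefixes):
        errors.append("AWS VPN connection: no static IP prefix covers the Alibaba VPC")
    if IPv4Network(ali_local) != ali_vpc or IPv4Network(ali_remote) != aws_vpc:
        errors.append("Alibaba IPsec connection: Local/Remote Network do not match the VPC CIDRs")

    # Route tables: the remote CIDR must resolve to the VPN device on each side.
    for e, w in (_route_check("AWS", aws_routes, ali_vpc, lambda t: t.startswith("vgw-")),
                 _route_check("Alibaba", ali_routes, aws_vpc, lambda t: t == "VPN Gateway")):
        errors += e
        warnings += w
    return errors, warnings


if __name__ == "__main__":
    errs, warns = check_link(AWS_VPC, ALI_VPC, AWS_ROUTES, ALI_ROUTES,
                             aws_static_prefixes=["192.168.0.0/16"],
                             ali_local="192.168.0.0/16", ali_remote="172.80.64.0/19")
    for line in errs:
        print("ERROR:", line)
    for line in warns:
        print("WARNING:", line)
    print("routing consistent" if not errs else "fix the errors above")
```

Run it once with the values from your own consoles; the longest-prefix logic in `lookup` is there because a stray more specific route (a peering or NAT entry for a /24 inside the remote range, for instance) will silently win over the VPN route for that slice of addresses even though every tunnel shows UP.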

Summary

As you can see, common cloud services can give you fully managed links between different cloud providers on different continents, without running a VPN instance of your own. All of these steps can be done in a web browser, without any terminal magic. We hope our experience saves you time if you need to move part of your infrastructure to Alibaba Cloud.
