
Connect Amazon VPC to Azure

By: NetreoNoaa
April 12, 2021

In this post, we will see how an AWS Virtual Private Cloud (VPC) connects to Azure infrastructure using the dedicated VPN connection. For a guide on how to connect Azure using VPN Gateway to AWS VPC see this post.


Insight into the VPC environment

This is how the various AWS and Azure services mentioned throughout the post interact with each other:

VPC Environment

The goal is that the VM from AWS VPC is able to reach the VM on Azure by configuring a VPN connection in AWS VPC.

An AWS VPC is a virtual network isolated from the other virtual networks in AWS. This allows a high level of customization by letting the administrator choose the subnets and IP addresses, configure the route tables, and specify which subnets are public and which are private.

A subnet is public if it has a default route pointing to an Internet Gateway. In this way, any EC2 instances from the public subnet can access the Internet.

Sometimes the VPC has to be reachable from other places in a secured way. This remote location can be the on-premise data center or other cloud vendors, like Azure.

AWS VPC allows customers to securely connect to these remote locations using VPN connections. This frees administrators from handling all the VPN configuration, operation and troubleshooting overhead.

To use this service, an administrator has to provide some critical information:

  • The remote IP address with which the VPN connection will be established. This is called the Customer Gateway.
  • The type of routing used to exchange routes: static or dynamic. In the case of the latter, the BGP Autonomous System Number is required.

The VPN connection is established through two IPsec tunnels over which routes are exchanged. AWS provides the parameters that will bring up the two tunnels and it is the responsibility of the remote side to configure its device accordingly.

If there is any mismatch between the two sides, the IPsec tunnels will not come up and there will be no connectivity between the two locations.

The Virtual Private Gateway (VPG) service from AWS is similar to the Virtual Network Gateway (VNG) from Azure. Both make it possible to connect remote locations (inside the same cloud vendor, on-premises, or in another cloud vendor) to a VPC/virtual network. However, whenever one of these two services is used, the peer has to fulfil the AWS/Azure requirements in order to bring up the IPsec tunnels, and the two have different sets of requirements. This makes it impossible to connect an AWS VPC to an Azure virtual network using a VPG on the AWS side and a VNG on the Azure side.

One of these two sides will need to take a step back and accept the configuration requirements from its peer.

In this specific case, the Azure VM will be configured as an IPsec endpoint by installing several packages and configuring IPsec using the parameters given by AWS. On top of this, BGP on Quagga will exchange routes with the AWS Virtual Private Gateway.
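Because the IPsec tunnels stay down on any parameter mismatch (the post later mentions a typo on the Azure side that delayed bring-up), it pays to compare the local strongSwan stanza against the AWS-provided parameters before expecting the tunnel to come up. The check below is an added example, not Netreo's or AWS's code: `AWS_TUNNEL` is a constructed sample shaped like the tunnel section of AWS's generic configuration file (AES-128, SHA1, DH group 2, 28800 s / 3600 s lifetimes), and the IP addresses, `conn` name and pre-shared key are placeholders.

```python
"""Check a strongSwan 'conn' stanza against the IPsec parameters AWS hands out
for one VPN tunnel.  Added example, not Netreo's or AWS's code; all addresses
and the PSK are placeholders, and AWS_TUNNEL is a constructed sample."""

import re
from typing import Dict, List, Tuple

# Tunnel 1 parameters as the AWS configuration file lists them (constructed).
AWS_TUNNEL: Dict[str, str] = {
    "outside_ip": "203.0.113.10",            # placeholder: AWS VGW outside address
    "customer_outside_ip": "198.51.100.20",  # placeholder: Azure VM public address
    "psk": "EXAMPLE-PSK-NOT-REAL",           # placeholder pre-shared key
    "ike_version": "ikev1",
    "ike": "aes128-sha1-modp1024",           # AES-128 / SHA1 / DH group 2
    "ike_lifetime": "28800s",
    "esp": "aes128-sha1-modp1024",           # AES-128 / SHA1 / PFS group 2
    "esp_lifetime": "3600s",
}

# The matching stanza an administrator would put in /etc/ipsec.conf (constructed).
IPSEC_CONF = """\
conn aws-tunnel1
    keyexchange=ikev1
    authby=secret
    left=%defaultroute
    leftid=198.51.100.20
    right=203.0.113.10
    ike=aes128-sha1-modp1024!
    ikelifetime=28800s
    esp=aes128-sha1-modp1024!
    lifetime=3600s
    type=tunnel
    auto=start
"""

# Corresponding /etc/ipsec.secrets line (constructed).
IPSEC_SECRETS = '198.51.100.20 203.0.113.10 : PSK "EXAMPLE-PSK-NOT-REAL"\n'


def parse_ipsec_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Return {conn_name: {key: value}} for every 'conn' section in ipsec.conf syntax."""
    conns: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                 # section header, e.g. 'conn NAME'
            m = re.match(r"conn\s+(\S+)", line)
            current = conns.setdefault(m.group(1), {}) if m else None
            continue
        if current is not None and "=" in line:   # indented key=value inside a section
            key, value = line.strip().split("=", 1)
            current[key.strip()] = value.strip()
    return conns


def parse_secrets(text: str) -> List[Tuple[List[str], str]]:
    """Return [(selector_ids, psk)] for every PSK line in ipsec.secrets syntax."""
    entries = []
    for raw in text.splitlines():
        m = re.match(r'\s*(.*?)\s*:\s*PSK\s+"([^"]*)"', raw)
        if m:
            entries.append((m.group(1).split(), m.group(2)))
    return entries


def check_tunnel(aws: Dict[str, str], conn: Dict[str, str], secrets) -> List[str]:
    """List every mismatch between the AWS parameters and the local stanza; empty means consistent."""
    expected = {
        "keyexchange": aws["ike_version"], "right": aws["outside_ip"],
        "leftid": aws["customer_outside_ip"], "ike": aws["ike"], "esp": aws["esp"],
        "ikelifetime": aws["ike_lifetime"], "lifetime": aws["esp_lifetime"],
    }
    problems = []
    for key, want in expected.items():
        got = conn.get(key)
        if got is None:
            problems.append(f"{key}: missing, AWS expects {want!r}")
            continue
        if key in ("ike", "esp"):
            got = got.rstrip("!")   # strongSwan's trailing '!' only makes the proposal strict
        if got != want:
            problems.append(f"{key}: have {got!r}, AWS expects {want!r}")
    if not any(aws["outside_ip"] in ids and psk == aws["psk"] for ids, psk in secrets):
        problems.append("ipsec.secrets: no PSK entry for the AWS outside address matches the AWS key")
    return problems


def check_config(aws: Dict[str, str], conf_text: str, secrets_text: str, conn_name: str) -> List[str]:
    conns = parse_ipsec_conf(conf_text)
    if conn_name not in conns:
        return [f"conn {conn_name}: not defined in ipsec.conf"]
    return check_tunnel(aws, conns[conn_name], parse_secrets(secrets_text))


if __name__ == "__main__":
    typo = IPSEC_CONF.replace("ikelifetime=28800s", "ikelifetime=2880s")
    for label, conf in (("as written", IPSEC_CONF), ("with a lifetime typo", typo)):
        problems = check_config(AWS_TUNNEL, conf, IPSEC_SECRETS, "aws-tunnel1")
        print(label, "->", "OK" if not problems else "; ".join(problems))
```

Run it against the real `/etc/ipsec.conf` and `/etc/ipsec.secrets` by reading those files into `check_config`; an empty list means every parameter AWS specified is mirrored locally, and each reported line names the key to fix. The second tunnel is checked the same way with its own parameter set.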

Azure connection setup

1. The VM in Azure:

VM Azure

2. The IP addresses from this VM:

As mentioned before, the focus in this post is not to show how to configure a VPC, but how to connect it to an on-premise network or, in this case, to Azure.

AWS connection setup

The VPC in AWS was created and the CIDR allocated is

1. Define the Customer Gateway:

Customer Gateway

2. Create a new Customer Gateway and provide the public IP address from Azure VM. To advertise routes between VPC and Azure VM, dynamic routing will be used, in this case, BGP. The BGP Autonomous System Number will be 65001, but this is just a preference.

Customer Gateway VPC

3. The Customer Gateway is available:

Available VPC Gateway

4. Create a Virtual Private Gateway:

Private Gateway

5. The Virtual Private Gateway is detached by default:

Virtual Private Gateway VPN

6. We will attach it to the VPC:

Attach VPC

7. Configure the VPN connections:

VPN Connection

8. The VPN connection requires resources like Customer Gateway and Virtual Private Gateway and the type of routing:

VPN Connection Azure

9. This is the VPN connection that will connect the VPC to Azure VM:

Create VPN Connection

10. At this moment, the Virtual Private Gateway waits for the remote side to initiate the IPsec connection. Because the Azure VM is not yet configured properly for IPsec, the two tunnels will be down:

Virtual Private Gateway

11. AWS provides specific parameters for IPsec tunnels and BGP configuration that the remote side has to use.

If the remote side uses an appliance tested by AWS (for instance a Cisco device), AWS can provide the device configuration straight away. If the remote side uses a device for which AWS cannot provide a configuration (like in this case, a Linux box), the generic configuration file will contain all the parameters needed to bring up the VPN connection between the VPC and any given device:

AWS Download Configuration

12. Once the Azure VM is configured properly, the two IPsec tunnels come up and 3 BGP routes (due to dynamic routing) are received from the Azure VM.

Bringing up the tunnels does not take long, but there were issues with the IPsec configuration on the Azure VM side caused by a typo. If everything is correct, the IPsec tunnels should come up in seconds.

VPN To Azure

13. The VPN routes will not appear in the VPC routing table unless one of these happens:

  • the BGP routes are manually put in the routing table
  • route propagation is enabled.

Route propagation allows automatic VPN routes to be added in the routing table:

VPN routes

14. The routes are present in the VPC routing table. You can tell which routes come from the remote side because their target (next hop) is the Virtual Private Gateway. In this case, the route in question is the one, that is the internal range of the Azure VM:

VPN routes Azure

Testing the connection

Just to check this from both sides, on the Azure VM, the VPC subnet ( is tested via BGP:

Azure VM VPC

If everything is correct, there should be connectivity between a VM in AWS VPC ( subnet) and the Azure VM ( subnet). For this, a VM was spawned in the AWS VPC with address

connectivity between a VM in AWS VPC

And there is connectivity between the two VMs:

This means that the VPN connection between the AWS VPC and Azure VM is working correctly and traffic can pass through it.

Virtual network gateway monitoring

Azure Portal provides basic monitoring for Azure Virtual Network Gateway. Users that require advanced monitoring, auto-scaling or self-healing features, should learn more about Netreo. Along with advanced features designed to keep Azure Virtual Network Gateway stable, Netreo also provides powerful dashboards, historical reporting, various integrations to popular ITSM and other IT tools and much more.

Bonus Tip: see the detailed comparison of Netreo vs the native Azure monitoring features.

How to configure Azure Virtual Network Gateway monitoring with Netreo

In the following example, we will see how to configure Azure Virtual Network Gateway monitoring in a few easy steps. Netreo comes with preconfigured metrics and alerts as seen below:

Default Azure Virtual Network Gateway monitoring metrics:

Azure virtual network monitoring metrics

Default preconfigured alerts for the virtual network gateway monitoring:

Default preconfigured alerts for the virtual network gateway monitoring

Alerts on the connection outage

This alert fires if there is no connection for the defined period of time. Below is the alert configuration pane in the Netreo dashboard:

Alerts on the connection outage

Sample alert case when the IPsec tunnel on AWS side was brought down:

Active alerts azure

Once the IPsec tunnel on AWS side is brought up, the alert is cleared off:

IPsec tunnel

Alerts on the high bandwidth utilization

This alert monitors the traffic rate on either the egress or the ingress side of the VPN connection. Below is a sample configuration in the Netreo dashboard. By default, it monitors the 80% level on a 100Mbps connection. If the threshold is reached and sustained for more than two minutes, the alert fires.

Alerts on the high bandwidth utilization

In the example above the default threshold was set to 80% of a 10Mbps connection to trigger the alert quicker. Although the screenshot below monitors the entire throughput of the connection (ingress and egress), for this sample case only the Azure VM was sending traffic to the AWS VM and therefore the egress direction of the connection had around 19Mbps. The sustained rate for more than two minutes triggered the alert:

default threshold azure

The alert clears off after the throughput on egress direction falls below 8Mbps.
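Both alerts described above (connection outage lasting longer than a defined period, and throughput above a percentage of the link for more than two minutes) share one shape: a condition that must hold for a sustained window before firing, and that clears as soon as it stops holding. The code below is an added example of that evaluation logic and is not Netreo's alerting engine. The telemetry samples are constructed (one sample every 30 s); the 10Mbps link, the 80% level and the two-minute hold follow the text, while treating "no connection" as both IPsec tunnels being down and using a 60 s hold for the outage alert are assumptions made here.

```python
"""Sustained-condition alerting for a VPN gateway.  Added example, not
Netreo's alerting engine; all telemetry below is constructed."""

from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

Event = Tuple[str, str, int]   # (alert name, "FIRE" | "CLEAR", timestamp in seconds)


@dataclass
class SustainedAlert:
    """Fires once a breach has held for hold_seconds; clears on the first non-breaching sample."""
    name: str
    hold_seconds: int
    active: bool = False
    breach_since: Optional[int] = None

    def update(self, ts: int, breached: bool) -> Optional[Event]:
        if self.active:
            if not breached:                   # condition gone: clear immediately
                self.active, self.breach_since = False, None
                return (self.name, "CLEAR", ts)
            return None
        if not breached:                       # breach did not last: reset the timer
            self.breach_since = None
            return None
        if self.breach_since is None:
            self.breach_since = ts
        if ts - self.breach_since >= self.hold_seconds:
            self.active = True
            return (self.name, "FIRE", ts)
        return None


def evaluate_bandwidth(samples: Sequence[Tuple[int, float, float]],
                       link_mbps: float = 10.0, fire_fraction: float = 0.80,
                       hold_seconds: int = 120) -> List[Event]:
    """samples: (ts, ingress_mbps, egress_mbps). Either direction at or above the level is a breach."""
    alert = SustainedAlert("vng-high-bandwidth", hold_seconds)
    threshold = link_mbps * fire_fraction      # 8 Mbps for the 10 Mbps link used on the page
    events: List[Event] = []
    for ts, ingress, egress in samples:
        ev = alert.update(ts, max(ingress, egress) >= threshold)
        if ev:
            events.append(ev)
    return events


def evaluate_connection(samples: Sequence[Tuple[int, bool, bool]],
                        hold_seconds: int = 60) -> List[Event]:
    """samples: (ts, tunnel1_up, tunnel2_up). Assumption: no connection only when both tunnels are down."""
    alert = SustainedAlert("vng-connection-down", hold_seconds)
    events: List[Event] = []
    for ts, t1_up, t2_up in samples:
        ev = alert.update(ts, not (t1_up or t2_up))
        if ev:
            events.append(ev)
    return events


# Constructed telemetry: the Azure VM pushes ~19 Mbps towards AWS from t=60 to t=180, then stops.
BANDWIDTH_SAMPLES = [(0, 0.4, 1.0), (30, 0.3, 1.2), (60, 0.5, 19.0), (90, 0.5, 19.2),
                     (120, 0.4, 18.9), (150, 0.5, 19.1), (180, 0.4, 19.0), (210, 0.3, 0.9),
                     (240, 0.3, 1.1)]

# Constructed tunnel states: tunnel 2 drops first, tunnel 1 follows at t=60 and recovers at t=150.
CONNECTION_SAMPLES = [(0, True, True), (30, True, False), (60, False, False), (90, False, False),
                      (120, False, False), (150, True, False)]

if __name__ == "__main__":
    for ev in evaluate_bandwidth(BANDWIDTH_SAMPLES) + evaluate_connection(CONNECTION_SAMPLES):
        print(ev)
```

With these samples the bandwidth alert fires at t=180, two minutes after the egress rate first crossed 8Mbps, and clears at t=210 when the rate drops back under it; the outage alert fires one minute after both tunnels are down and clears as soon as one tunnel recovers. A short spike that does not last the full hold window produces no event at all.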

Further metrics and alerts can be configured for a virtual network gateway depending on the specific requirements for each particular case. However, one would always want to know whether the VPN connections are up.

Pro Tip: 5 Azure performance metrics every administrator should keep in mind

Suggested Reading:
  1. An in-depth introduction to Azure Virtual Network monitoring
  2. Connect Azure using VPN Gateway to AWS VPC
  3. How to monitor Azure Virtual Network Gateways using Netreo
  4. Improved performance in Azure VPN Gateways
