Multi Cloud: Connecting Azure to AWS and GCP

Overview

Companies are relying more and more on multiple cloud (multi cloud) providers. However, setting up the connectivity between those providers is difficult. And, maintaining and monitoring the tunnels is time-consuming and cumbersome to troubleshoot.

Aviatrix simplifies this by providing simple, point-and-click tunnel creation between cloud providers. Additionally, Aviatrix gives you a single, centralized location from which to troubleshoot and monitor your connections.

Getting Started

The Aviatrix Controller automates, monitors, and reacts to events in each cloud environment on your behalf. In order to do this, we’ll need to configure a few things in each cloud to support this.

We’ll walk through these steps in the following sections. Once complete, you can connect to one or both cloud providers.

Start by logging into the Azure Portal.

Step 1. Install Aviatrix Controller from the Azure Marketplace

The first step is to install the Aviatrix Controller from the Azure Marketplace. Select the Aviatrix Cloud Gateway to AWS and GCP from the Marketplace. Configure the new VM to meet your preferences and requirements. Be sure to allow inbound connections on port 443. Once ready, launch the new VM and continue to the next step.

Step 2. Prepare your Azure Account

While the VM is being deployed in the selected region, configure the following items:

Register Aviatrix with Active Directory

1. Go to the Azure Active Directory (available from the left navigation panel or More Services)

2. Click on Properties (available under Manage on the left inner navigation bar)

   Important

   Copy and save the Directory ID for later use. It will be referred to again as the Application Endpoint.

3. Click on App registrations (available under Manage on the left inner navigation bar)

4. Click on the + New application registration along the top

   

5. Populate the fields as follows:

Field	Value
Name	Aviatrix Controller
Application type	Web app / API
Sign-on URL	http://aviatrix

6. Click the Create button at the bottom of the page.

Add a Key

1. Find and select the application you just registered in the list displayed

   

   Important

   Copy and save the Application ID for later. It will be referred to again later in this document as Application Client ID

2. Click on the Keys in the Settings pane on the right

   

3. Enter a new row:

Field	Value
Key description	Aviatrix
Expires	Never expires

4. Click Save

   

5. Copy the displayed key value and save it for later

   

Important

Save this value. It will be referred to again later in this document as Application Client Secret

6. Close the Keys window using the X in the upper right corner.

Add Required Permissions

1. Select the Aviatrix Controller application registration again (you may already be on it)

2. Click on the Required permissions just above Keys

   

3. Click + Add button

4. Click Select an API (on the right)

5. Find and select Windows Azure Service Management API

   

6. Click Select

7. In the Enable Access panel, click on Access Azure Service Management as organization users (preview) (checkbox next to it will become checked)

   

8. Click Select

9. Click Done

10. Close the Required Permissions panel by clicking on the X in the upper right corner.

Grant Permissions to Aviatrix Controller

1. Go to the Subscriptions service (available from the left navigation panel or from More Services)
2. Click on the subscription where Aviatrix Controller is installed

Important

Copy and save the Subscription ID for later

3. Click on Access Control (IAM)

   

4. Click + Add

5. Populate the fields as follows:

Field	Value
Role	Contributor
Assign access to	Azure AD user, group, or application
Select	Aviatrix Controller

6. Click Save
7. Close the Access control (IAM) panel by clicking on the X in the upper right corner

Step 3. Configure Aviatrix

Your Aviatrix Controller should be up and running by now. Go back to the Microsoft Azure portal and find the newly created instance. Open it and copy the Public IP address.

Open a browser and navigate to https://<public ip address>/ .

Tip

You may receive a warning about the certificate not matching. You can safely ignore this and continue to the page.

When you arrive at the login prompt, log in with the Username admin. The password is the private IP address of the Azure instance.

Tip

The Private IP address can be found on the instance page by clicking on the Networking navigation link.

After logging in, you will be prompted to provide your email address. This is used for alert notifications as well as for password recovery. Enter your email address and click OK.

Set the admin password to something you will remember and click Save.

If you require a proxy for this instance to get to the internet, enter that now. Otherwise, click Skip.

Finally, the software will be upgraded. Click the Run button and the latest version of the Controller will be downloaded and installed. This will take a few minutes. Once complete, the login prompt will appear.

Login with the username admin and the new password.

Azure

After logging in, click on the Azure ARM button to connect Aviatrix to your Azure account.

Create Account

Fill out the fields as follows:

Field	Expected Value
Account Name	The login/username for users who will have admin access to Azure resources. For example, AzureOpsTeam.
E-mail	The e-mail address for this team.
Password	Password for login to the controller
Confirm Password
ARM Subscription ID	The Subscription ID you saved in a previous step.
Application Endpoint	The Application Endpoint (i.e., the Directory ID) retrieved earlier.
Application Client ID	The Client ID (i.e., the Application ID ) saved earlier.
Application Client Secret	The Client Secret (i.e., the key value) displayed earlier.

Once complete, click the Create button at the bottom of the form.

Accept License Agreement

Before you can automate launching an Aviatrix Gateway, you must first subscribe to the Aviatrix Companion Gateway in the Azure Marketplace.

1. Search for aviatrix companion gateway
2. Select the result
3. Click on the link at the very bottom titled Want to deploy programmatically? Get started ➔
4. Click on the Enable status button.
5. Click Save

Create Gateway

The controller can now automate creating a Gateway within Azure. Switch back to the browser tab or window with the Aviatrix Controller.

Click on the Gateway in the left navigation bar:

Next, click on the + New Gateway button. Populate the Gateway Name and select the appropriate Region, VNet, and Public Subnet. The Gateway Size can be left at the smallest size. It can be scaled up (and out) later if needed.

Click OK to create the Gateway automatically. This will take a few minutes as it creates the instance in the selected region and sets up the appropriate route table entries, etc.

Once complete, click X Close.

Now you have a Gateway in Azure that can connect to either (or both) AWS or GCP.

AWS

Create Account

1. Go to the Onboarding section on your Controller.

   

2. Click on AWS

   Fill out the fields as follows:

Field	Expected Value
Account Name	The login/username for users who will have admin access to AWS resources. For example, AWSOpsTeam.
E-mail	The e-mail address for this team.
Password	Password for login to the controller
Confirm Password
AWS Account Number	You can find your account number on the AWS billing page
IAM role-based	Leave this unchecked for now. For production use, you’ll want to use IAM roles with specific permissions.
AWS Access Key ID	An admin user’s AWS access key ID
AWS Secret Key	An admin user’s AWS secret key

Once complete, click the Create button at the bottom of the form.

Deploy a Gateway in AWS

Head back over to the Gateways section in the Aviatrix Controller and click on + New Gateway button.

1. Select AWS for Cloud Type

2. Enter a Gateway name

3. Select the appropriate values for Region, VPC ID, and Public Subnet.

4. Keep the default Gateway Size at t2.micro.

5. Check Allocate New EIP so a new Elastic IP will be allocated on creation.

6. Click OK when ready.

   Tip

   Create a new VPC for testing.

Peer the Gateways

1. Click on the Peering navigation link on the Controller.

2. Click on + New Peering

   

3. Select the AWS Gateway and the Azure Gateway

   

4. Click OK

   

Complete

That’s it. Your Azure VNet instances can now talk to your AWS instances over a secure tunnel. You will soon receive an email notification that the tunnel is up. You’ll receive additional notifications if the tunnel goes down.

GCP

Prepare your Google Cloud Account

The Aviatrix Controller requires a few settings to be enabled in order for it to be able to interact with your Google Cloud account.

1. Find the Project ID From the Google Cloud Console Dashboard, copy and save the Project ID.

2. Enable GCloud Messaging Service The Controller relies on Google Cloud Pub/Sub APIs to communicate with the Gateways in GCP. Enable these APIs by going to the APIs & services Dashboard for the selected project. Click the Enable APIs and Services link at the top of the page.

Select Google Cloud Pub/Sub API from the list. Then, click Enable.

3. Create Credentials File Navigate back to the APIs & services Dashboard and select Credentials (or click here).

Click Create credentials drop down and select Service account key.

Select the Compute Engine default service account for the Service account and select JSON for Key type.

Then, click Create. A file will be downloaded to your computer. Find it and store it in a safe location. Then, click Close.

You are now ready to connect the Aviatrix Controller to your Google Cloud Platform account.

Create Account

1. Go to the Onboarding section on the Aviatrix Controller UI.

   

2. Click on Gcloud

   Fill out the fields as follows:

Field	Expected Value
Account Name	The login/username for users who will have admin access to Google Cloud resources. For example, GCPOpsTeam.
E-mail	The e-mail address for this team.
Password	Password for login to the controller
Confirm Password
GCloud Project ID	The Project ID saved earlier
GCloud Project Credentials	Select the credentials file created in an earlier step.

Once complete, click the Create button at the bottom of the form.

Deploy a Gateway in GCP

Head back over to the Gateways section in the Aviatrix Controller and click on + New Gateway button.

1. Select the Cloud Type to be GCloud.
2. Enter a Gateway name.
3. Select a VPC ID, and Public Subnet.
4. Keep the default Gateway Size of f1-micro.
5. Click OK when ready.

Peer the Gateways

1. Click on the Peering navigation link on the Controller.

2. Click on + New Peering

   

3. Select the AWS Gateway and the Azure Gateway

   

4. Click OK

   

Complete

That’s it. Your Azure VNet instances can now talk to your GCP instances over a secure tunnel. You will soon receive an email notification that the tunnel is up. You’ll receive additional notifications if the tunnel goes down.

Summary

If you peered your Azure account with both AWS and GCP, then you should see something like this on your Aviatrix Controller Dashboard:

Now that you have the accounts established, you can easily add connectivity to other VPCs in either AWS or GCP. And, of course, you can also connect AWS to GCP.