Create full mesh VPN to Azure and AWS with Unifi USG

Hi folks,

In this blog post, I will explain how to create a full mesh VPN between

  • On-Prem
  • Azure
  • AWS

A great solution, but why do I spend my time blogging about it, and WHY do I post something about AWS? It’s quite simple: I have the environment to test the solution, because I have an Azure test subscription, an AWS test account and a really nice UniFi environment.

But why AWS? That is also simple: I love new challenges, and for me it’s important to have a broad knowledge of different cloud providers. Maybe in the near future I will expand the solution with GCP too, but at the moment I don’t have a test account.

Okay, let’s stop the marketing about myself. Here is a short overview of my on-prem environment, which is based on UniFi: a graphical overview first, with details below.

Not really the cheapest, but a really cool, stable and fast environment.

This blog post is split into 6 sections:

  1. Azure deployment
  2. AWS deployment
  3. Connect AWS to Azure
  4. Connect AWS to Unifi USG
  5. Connect Azure to Unifi USG
  6. Environment cleanup

The deployment scenarios are fully automated; I share the source code in my GitHub account, so feel free to download the ARM template or the AWS CloudFormation stack template. Great, let’s start with the first deployment.

1.) Azure deployment

To complete this section, I have to deploy the following components:

  • Azure Virtual Network
  • Azure Public IP
  • Azure VPN Gateway
  • Azure Local Network Gateways
  • Azure VPN Connections
  • Azure VM

The graphical view looks like the following:

From my point of view, some components are “CORE” components, so we may need an extra security layer, for example “Azure Blueprints”. To deploy those resources via Azure Blueprints we have to create an Azure ARM template. I’ve created a template for this solution; you can find it in my GitHub account.

To test the solution without an Azure Blueprint, I’ve added a deployment link to my GitHub account. In that file you find the following button:

Click it to deploy the Azure resources. The only screen to fill out is the following:

IMPORTANT! Fill out the VPN public IP from on-prem and the VPN public IP of the AWS gateway.

WAIT, I don’t have any public IP for the AWS VPN gateway because it doesn’t exist yet! No worries, add a temporary IP and change it once everything is in place!

Click on “Next”, review the screen and click on “Deploy”! You should get the following screen:

The deployment can take up to 30 minutes. When everything is done, you can see the following Azure resources:

Awesome, I love that easy setup in Azure!

2.) AWS deployment

Now we can deploy the AWS resources. Here the situation is the same, but in this case I’ve created an AWS CloudFormation stack template. To deploy that template, we have to create an AWS S3 bucket first.

At the AWS console click on “Services” and select Storage/S3:

Next select “Create bucket” to deploy a new AWS S3 bucket:

Upload the template to the AWS S3 bucket. I’ve created an AWS CloudFormation stack template; you can download that file from my GitHub account.

Upload the file “deploy.json” to the S3 bucket.

Copy the “Object URL”: select the uploaded file and copy the URL shown below; we need that URL in the next steps.

But first we have to create an AWS EC2 key pair. Open the Compute/EC2 section:

On the left side click on “Key Pairs”:

Click on “Create key pair” and create a new key. Define a name, select the file format (in my case .pem) and click on “Create key pair”.

Next open AWS CloudFormation and select “Create Stack” on the right side:

Now, we need the S3 object URL:

If you want to see the resources which will be created, click on “View in Designer”. I’ve added that possibility during the template development. Here is an overview:

Strange CloudFormation template, right? The following components will be deployed:

  • AWS::EC2::VPC
  • AWS::EC2::Subnet
  • AWS::EC2::SecurityGroup
  • Two AWS::EC2::Route
  • AWS::EC2::VPNGateway
  • Two AWS::EC2::CustomerGateway(s)
  • Two AWS::EC2::VPNConnectionRoute(s)
  • AWS::EC2::Instance
  • AWS::EC2::NetworkInterface

and much more. As you can see, AWS requires a much more fine-grained deployment.

Now we can validate and deploy the template. At the top of the designer you can find the validate button:

And when everything is fine, click the deploy button:

Next, we have to define the following parameters:

  • Stack name: Demo-FullMesh-VPN
  • AzureCDIR: leave as it is
  • AzureGatewayIP: enter the public IP from your Azure gateway deployment
  • EC2KeyPair: enter the key pair name defined before
  • OnPremCIDR: enter the on-premises subnet
  • OnPremGWIP: enter your on-prem gateway IP

An important part: define a tag for the solution. Do not change anything else and click on “Next”.

At the end you can see an overview of your configuration. If everything is in place, click on “Create Stack”. The deployment will start; wait until it has finished, it can take some minutes.

In the “Output” section of your CloudFormation stack, you can find the required information. Keep this in mind; you need that information later.

Great, everything was deployed successfully! From my point of view, AWS CloudFormation is also a really cool solution to implement IaC scenarios. The only difference between AWS and Azure: in AWS you have to use AWS CloudFormation, and it’s possible to write the code in JSON or YAML.

3.) Connect AWS to Azure

Now it’s time to connect the two cloud providers, AWS and Azure. During the installation, I defined a temporary shared secret in Azure; now it’s time to replace this secret with the pre-defined key from AWS. Open the AWS console and select the VPC service:

Inside the VPC section, go to the “Site-to-Site VPN Connections” section on the lower left side:

On the right side, you can find two new VPN Connections named:

  • Demo-Prod-Con-Azure
  • Demo-Prod-Con-Home

Please select the VPN connection “Demo-Prod-Con-Azure” and click on “Download Configuration” at the top.

Change the input to the following and click on “Download”:

Open the configuration file and scroll down to the section “Internet Key Exchange Configuration”.

Here you can find the pre-defined “Pre-Shared Key”. Copy the secret and open the Azure portal. In the search bar at the top enter the name “Demo-Prod-GW-Con-AWS” and select the connection object.

Select the “Shared key” section on the left side, add the secret which you copied before and click on “Save”. Next, we have to update the local network gateway in Azure. Search for the object “Demo-Prod-GW-LNGW-AWS”:

Click on the “Configuration” tab on the left side.

In the configuration document you can find the public IP of the gateway in the section “Outside IP Addresses”:

Please copy the IP from that section, paste it into the configuration section / IP address field and click on “Save”.

When everything was saved successfully, the connection should come up. To verify, search for the Azure VPN gateway “Demo-Prod-GW” and select “Connections” on the left side. No worries, it can take some minutes to update.

In AWS you can find the state when you open the VPC service, scroll down to the option “Site-to-Site VPN Connections” and select the connection “Demo-Prod-Con-AWS”. Then open the “Tunnel Details” and you can see the following:

Tunnel1 should be “UP”.

We don’t deploy an “Active-Active” connection in this solution, but for a production environment it is the better choice!

Cool, the connection between AWS and Azure is up and running. Now we can start with the on-prem connection to AWS and Azure.

4.) Connect AWS to Unifi USG

First we will start with the on-prem to AWS connection. Open your UniFi controller portal and switch to the settings menu. There select the VPN option and inside it the “VPN Connections” section:

Now we have to download the configuration for the on-prem connection in AWS. Follow the steps below:

Change the input and click on “Download”:

Open the configuration file and scroll down to the section “Internet Key Exchange Configuration”.

Here you can find the pre-defined “Pre-Shared Key”. Copy the secret and add it to the UniFi configuration page. Next copy the “Outside IP Addresses” and paste it into the “Peering IP” section:
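The two values copied by hand here and in section 3 (the pre-shared key under “Internet Key Exchange Configuration” and the AWS gateway address under “Outside IP Addresses”) can be pulled out of the downloaded file by a small script, so nothing is mistyped and the key never sits in a clipboard longer than needed. The following Python is an added example, not part of the original post or of AWS’s tooling; the embedded configuration text is a constructed sample that follows the layout of AWS’s “Generic” vendor download, with placeholder keys and RFC 5737 addresses, and the regular expressions assume that layout.

```python
"""Extract, per tunnel, the pre-shared key and the AWS-side outside IP from
an AWS Site-to-Site VPN configuration download ("Generic" vendor format)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample modelled on the layout of the generic download. The keys
# and addresses are placeholders (RFC 5737 ranges), not a real configuration.
SAMPLE_CONFIG = """\
Amazon Web Services
Virtual Private Cloud

VPN Connection Configuration
================================================================================
IPSec Tunnel #1
================================================================================
#1: Internet Key Exchange Configuration

Configure the IKE SA as follows:
  - Authentication Method    : Pre-Shared Key 
  - Pre-Shared Key           : EXAMPLEkey_tunnel1.abc
  - Authentication Algorithm : sha1
  - Encryption Algorithm     : aes-128-cbc
  - Lifetime                 : 28800 seconds

#3: Tunnel Interface Configuration

Outside IP Addresses:
  - Customer Gateway        : 203.0.113.10
  - Virtual Private Gateway : 198.51.100.21

Inside IP Addresses
  - Customer Gateway        : 169.254.10.2/30
  - Virtual Private Gateway : 169.254.10.1/30

================================================================================
IPSec Tunnel #2
================================================================================
#1: Internet Key Exchange Configuration
  - Authentication Method    : Pre-Shared Key 
  - Pre-Shared Key           : EXAMPLEkey_tunnel2.xyz

#3: Tunnel Interface Configuration

Outside IP Addresses:
  - Customer Gateway        : 203.0.113.10
  - Virtual Private Gateway : 198.51.100.22
"""

TUNNEL_SPLIT = re.compile(r"IPSec Tunnel #(\d+)")
# Anchored to the "- Pre-Shared Key :" line so the "Authentication Method"
# line, which also contains the words "Pre-Shared Key", is not matched.
PSK_LINE = re.compile(r"^\s*-\s*Pre-Shared Key\s*:\s*(\S+)", re.M)
# Scoped to the "Outside" block; the "Inside" block repeats the same labels.
OUTSIDE_BLOCK = re.compile(
    r"Outside IP Addresses:\s*"
    r"-\s*Customer Gateway\s*:\s*(\S+)\s*"
    r"-\s*Virtual Private Gateway\s*:\s*(\S+)"
)


@dataclass(frozen=True)
class Tunnel:
    number: int
    pre_shared_key: str
    customer_gateway_ip: str  # your side's public IP, as AWS knows it
    aws_gateway_ip: str       # value for the Azure LNGW / UniFi "Peering IP"

    def masked_key(self) -> str:
        """Enough of the key to recognise it; never print or log the full PSK."""
        return self.pre_shared_key[:2] + "*" * (len(self.pre_shared_key) - 2)


def parse_tunnels(text: str) -> list[Tunnel]:
    parts = TUNNEL_SPLIT.split(text)  # [preamble, "1", body1, "2", body2, ...]
    tunnels: list[Tunnel] = []
    for i in range(1, len(parts), 2):
        number, body = int(parts[i]), parts[i + 1]
        psk = PSK_LINE.search(body)
        outside = OUTSIDE_BLOCK.search(body)
        if psk is None or outside is None:
            raise ValueError(f"tunnel #{number}: missing PSK or outside addresses")
        tunnels.append(Tunnel(number, psk.group(1), outside.group(1), outside.group(2)))
    if not tunnels:
        raise ValueError("no 'IPSec Tunnel #n' sections found")
    return tunnels


def peer_settings(text: str, tunnel_number: int = 1) -> dict[str, str]:
    """The two values to enter on the other side for the chosen tunnel."""
    for t in parse_tunnels(text):
        if t.number == tunnel_number:
            return {"peer_ip": t.aws_gateway_ip, "pre_shared_key": t.pre_shared_key}
    raise KeyError(f"tunnel #{tunnel_number} not in configuration")


if __name__ == "__main__":
    for t in parse_tunnels(SAMPLE_CONFIG):
        print(f"Tunnel {t.number}: peer {t.aws_gateway_ip}, key {t.masked_key()}")
```

Run it against the real download by reading the file into `parse_tunnels`; the post uses tunnel 1 only, so `peer_settings(text, 1)` gives exactly the pair of values to enter in Azure (section 3) or in the UniFi controller (this section).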

Click on “Next” and change the input to the following:

Click “Done”.

Now we have to add a “Static Route” for your AWS VPN connection. Select the Gateway menu on the left side, then the “Static Routes” section, and create a new “Static Route” with the following variables:

Great, it’s time to test the connection between on-prem and AWS. During the AWS CloudFormation stack deployment, the stack also deployed an AWS EC2 instance. Now you need the output information from above.

Switch to the directory where you downloaded the EC2 key pair and execute the following command:

ssh -i "%KeyPair%.pem" ec2-user@%OutputIPfromCFStack%

5.) Connect Azure to Unifi USG

Great, my last step is the connection between on-prem and Azure. Open the VPN Connections section in your UniFi controller again and select “Create Unifi to Unifi VPN”:

Next fill out the configuration like the following:

Copy the Azure VPN gateway public IP and add it to the “Peer IP” section. The default pre-shared key (defined in my ARM template) is “VPNDemoSharedKey01”. Finally add your on-prem public IP to the “Local WAN IP” section.
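A pre-shared key that ships as a template default is public knowledge, so it should be replaced before the tunnel carries anything real. The following Python is an added example, not part of the post’s templates; it generates a key from the OS CSPRNG and checks it against the AWS pre-shared key format (8 to 64 characters, letters, digits, period and underscore, not starting with 0), plus a local minimum length that is my own assumption.

```python
"""Generate and check a tunnel pre-shared key instead of keeping the
template's published default."""
import math
import re
import secrets
import string

# AWS Site-to-Site VPN rule for customer-supplied pre-shared keys: 8 to 64
# characters, letters, digits, "." and "_" only, and it must not start with "0".
ALPHABET = string.ascii_letters + string.digits + "._"   # 64 symbols
AWS_PSK_RE = re.compile(r"^(?!0)[A-Za-z0-9._]{8,64}$")

# Defaults that are public knowledge and must never stay in use; the value
# below is the one the ARM template in this post ships with.
PUBLISHED_DEFAULTS = {"VPNDemoSharedKey01"}

# Assumed local policy (not an AWS or Azure rule): at least 20 characters.
MIN_LENGTH = 20


def psk_problems(key: str) -> list[str]:
    """Reasons a key should not be used; an empty list means it is acceptable."""
    problems: list[str] = []
    if not AWS_PSK_RE.fullmatch(key):
        problems.append("does not satisfy the AWS pre-shared key format")
    if key in PUBLISHED_DEFAULTS:
        problems.append("is a published template default")
    if len(key) < MIN_LENGTH:
        problems.append(f"shorter than the local minimum of {MIN_LENGTH} characters")
    return problems


def generate_psk(length: int = 32) -> str:
    """Random key from the CSPRNG that passes psk_problems()."""
    if not MIN_LENGTH <= length <= 64:
        raise ValueError(f"length must be between {MIN_LENGTH} and 64")
    while True:
        key = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not psk_problems(key):  # rejects the ~1/64 draws that start with "0"
            return key


def generated_entropy_bits(length: int) -> float:
    """Nominal entropy of a generated key: length * log2(alphabet size).
    The leading-zero rejection above costs a negligible fraction of a bit."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    key = generate_psk()
    print(f"generated a {len(key)}-character key "
          f"(~{generated_entropy_bits(len(key)):.0f} bits); paste it on both sides")
```

The same key has to be entered identically on both peers (AWS accepts it as the tunnel option, Azure as the connection’s shared key, the USG in the VPN connection form), so generate it once and store it in a secrets manager rather than in the template.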

Click on “Next”.

Change the advanced settings to:

Finally we have to define a separate “Static Route” for the Azure VPN connection. Open the Gateway settings and below that section the “Static Routes” option. Create a new “Static Route” with the following variables:
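Both static routes (this one for Azure and the one in section 4 for AWS) follow the same rule: each site needs one route per remote site, pointing the remote prefix at the tunnel to that site, and that only works if the three address spaces do not overlap. The following Python is an added example, not part of the post or of its templates; the three CIDRs are constructed assumptions, since the post does not list its address plan.

```python
"""Static-route plan for the full mesh and the overlap check it depends on."""
from __future__ import annotations

import ipaddress
from itertools import combinations

# Constructed address plan (assumption: the post does not list its CIDRs).
SITES = {
    "onprem": "192.168.10.0/24",
    "azure": "10.1.0.0/16",
    "aws": "10.2.0.0/16",
}


def validate_plan(sites: dict[str, str]) -> list[str]:
    """Return a list of problems; an empty list means the plan is usable."""
    problems: list[str] = []
    nets: dict[str, ipaddress.IPv4Network | ipaddress.IPv6Network] = {}
    for name, cidr in sites.items():
        try:
            # strict=True rejects "10.1.0.5/16"-style typos (host bits set)
            nets[name] = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            problems.append(f"{name}: {cidr} is not a valid network prefix")
    for a, b in combinations(sorted(nets), 2):
        if nets[a].overlaps(nets[b]):
            problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems


def full_mesh_routes(sites: dict[str, str]) -> dict[str, dict[str, str]]:
    """site -> {remote site: remote prefix}. Each entry is one static route on
    that site, sent through the tunnel that terminates at the remote site."""
    problems = validate_plan(sites)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        site: {other: sites[other] for other in sites if other != site}
        for site in sites
    }


def tunnel_count(sites: dict[str, str]) -> int:
    """A full mesh needs one tunnel per pair of sites: n*(n-1)/2."""
    n = len(sites)
    return n * (n - 1) // 2


if __name__ == "__main__":
    print(f"{tunnel_count(SITES)} tunnels needed")
    for site, routes in full_mesh_routes(SITES).items():
        for remote, prefix in routes.items():
            print(f"{site:7} route {prefix:18} -> tunnel to {remote}")
```

For the USG the entries under `onprem` are the two static routes created in section 4 and here; the `azure` and `aws` entries are what the ARM template’s local network gateways and the CloudFormation stack’s VPN connection routes carry for their sides.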

Now we can test the connection from on-prem to Azure. During the deployment, the template also deploys an Azure VM; now we can use the template output to get the private IP address of that machine. Open the template deployment settings and take a look at the “Output” section (otherwise, select the Azure VM object, click on “Connect” and select SSH).

Next, open PowerShell once more and type the command:

ssh adminuser@%VMIPAdress%

Enter the password for the adminuser. I’ve defined a default password (please change it after you have successfully logged in):


Great, we are now connected to the Azure VM.

Awesome, we now have a full mesh VPN connection between AWS, Azure and on-prem in place. It looks like the following:

6.) Environment cleanup

If you want to clean up all provisioned resources in Azure and AWS, it’s quite simple.

Start with the Azure environment first. We’ve created an Azure resource group named “Demo-FullMesh-VPN”. Click on that resource group and select “Delete”. Important! Sometimes the delete process cannot delete all the resources in one step, and you have to delete the resource group a second time.

Next clean up the AWS environment. Select the deployed AWS CloudFormation stack and click on “Delete”. It’s also really simple, but sometimes the delete process doesn’t finish successfully (same as Azure ?!? 😉). Please check after a few minutes whether the AWS CloudFormation stack was deleted successfully.