Set up the AWS-Google Cloud VPN and network attachment

This document provides detailed steps for setting up a VPN connection between Amazon Web Services (AWS) and Google Cloud. The goal is to establish a reliable and security-enhanced connection between the two cloud environments.

Before you begin

Ensure that you have the following:

  • Access to AWS and Google Cloud accounts with appropriate permissions.
  • Existing Virtual Private Clouds in both AWS and Google Cloud.

Set up networking on AWS

  1. Create a virtual private gateway that is attached to the VPC where your database is deployed. For detailed instructions, see Create an AWS Direct Connect virtual private gateway in the AWS documentation.
  2. Create a customer gateway using the public IP address of your Google Cloud VPN gateway. For detailed instructions, see Create a customer gateway in the AWS documentation.
  3. Create the VPN connection using the virtual private gateway and customer gateway that you created earlier. For detailed instructions, see Get started with AWS Client VPN and How do I establish an encrypted connection over an AWS Direct Connect connection? in the AWS documentation.
  4. Add routes to direct traffic to the Google Cloud IP ranges using the VPN connection. For detailed instructions, see Configure route tables and Configure routing in the AWS documentation.

Set up networking on Google Cloud

The setup on Google Cloud requires creating the VPN gateway and VPN tunnels, configuring the routes, and creating the Google Cloud network attachment.

Create the VPN gateway

Note: The following steps describe how to create a Classic VPN. You can create a high-availability (HA) VPN instead if it fits your use case. For more information, see Create an HA VPN gateway to a peer VPN gateway.

  1. In the Google Cloud console, go to the Cloud VPN gateways page.

  2. Click Create VPN gateway.

  3. Select the Classic VPN option button.

  4. Provide a VPN gateway name.

  5. Select an existing VPC network in which to create the VPN gateway and tunnel.

  6. Select the region.

  7. For IP address, create or choose an existing regional external IP address.

  8. Provide a tunnel name.

  9. For Remote peer IP address, enter the AWS VPN gateway public IP address.

  10. Specify options for IKE version and IKE pre-shared key.

  11. Specify the routing options as required to direct traffic to the AWS IP ranges.

  12. Click Create.

For more information, see Create a gateway and tunnel.

Create the network attachment

  1. In the Google Cloud console, go to the Network attachments page.

  2. Click Create network attachment.

  3. Provide a name for the network attachment.

  4. For Network, select the appropriate VPC network.

  5. For Region, choose where your VPN gateway is located.

  6. For Subnetwork, select the VPN tunnel that you created earlier.

  7. Click Create network attachment.

For more information, see Create network attachments.

Test the VPN connection

  1. Deploy the instances in both the AWS and Google Cloud VPC environments.
  2. To verify connectivity, attempt to ping or connect to instances across the VPN.
  3. Ensure the security groups and firewall rules allow for traffic through the VPN.

Troubleshoot

If you are having issues setting up your network attachment, do the following:

  • Ensure the VPN connections are up and running in both the AWS and Google Cloud consoles.
  • Check the VPN logs for errors or dropped packets.
  • Verify that the routing tables in both AWS and Google Cloud are correctly configured.
  • Ensure that the necessary ports are open in both the AWS security groups and the Google Cloud firewall rules.
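
The routing check in the list above can be run offline against a copy of either side's route table. The following is an added example, not code from this page or from AWS or Google Cloud: it flags overlapping address space, peer ranges that no route sends to the VPN, and more-specific routes that bypass it. The function name, the CIDR ranges, and the next-hop labels (`vgw-EXAMPLE`, `igw-EXAMPLE`, `pcx-EXAMPLE`) are constructed placeholders.

```python
import ipaddress

def check_vpn_routes(local_cidrs, peer_cidrs, routes, vpn_next_hop):
    """Return findings for one side's route table (AWS or Google Cloud).

    routes is a list of (destination CIDR, next hop) pairs copied from the
    route table; vpn_next_hop is the next-hop label of the VPN on that side.
    """
    local = [ipaddress.ip_network(c) for c in local_cidrs]
    peer = [ipaddress.ip_network(c) for c in peer_cidrs]
    table = [(ipaddress.ip_network(d), hop) for d, hop in routes]
    findings = []

    # Overlapping ranges cannot be routed unambiguously across the tunnel.
    for l_net in local:
        for p_net in peer:
            if l_net.overlaps(p_net):
                findings.append(f"overlap: local {l_net} and peer {p_net}")

    for p_net in peer:
        same_family = [(d, h) for d, h in table if d.version == p_net.version]
        # Longest-prefix match among routes that contain the whole peer range.
        covering = sorted((r for r in same_family if p_net.subnet_of(r[0])),
                          key=lambda r: r[0].prefixlen, reverse=True)
        if not covering:
            findings.append(f"missing: no route covers {p_net}")
        elif covering[0][1] != vpn_next_hop:
            findings.append(f"misrouted: {p_net} leaves via {covering[0][1]}")
        # More-specific routes inside the peer range that bypass the VPN.
        for dest, hop in same_family:
            if dest != p_net and dest.subnet_of(p_net) and hop != vpn_next_hop:
                findings.append(f"shadowed: {dest} inside {p_net} leaves via {hop}")
    return findings

# Constructed sample: AWS-side route table; all identifiers are placeholders.
AWS_LOCAL = ["10.0.0.0/16"]
GCP_RANGES = ["10.128.0.0/20", "10.132.0.0/20"]
AWS_ROUTES = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "igw-EXAMPLE"),
    ("10.128.0.0/20", "vgw-EXAMPLE"),
    ("10.128.4.0/24", "pcx-EXAMPLE"),
]

if __name__ == "__main__":
    for finding in check_vpn_routes(AWS_LOCAL, GCP_RANGES, AWS_ROUTES, "vgw-EXAMPLE"):
        print(finding)
```

An empty result means every peer range resolves to the VPN next hop by longest-prefix match; run the same check on the Google Cloud side with the AWS ranges as the peer list.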

Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-15 UTC.