Nowadays, more companies are moving their applications to the cloud, mostly to AWS, GCP or Azure. Using cloud infrastructure reduces their investment in buying hardware and managing server infrastructure. Despite the many benefits of running workloads in the cloud, some companies opt for a multi-cloud and/or hybrid cloud approach. There are several reasons for this: government regulations, previous investment in data centers and servers, or other reasons.
At Paragon, we use a hybrid cloud. Some workloads run on our private cloud, and some on Google Cloud Platform.
To connect our resources to Google Cloud Platform, we need a secure connection. Google offers several hybrid connectivity options, from Cloud VPN to Dedicated Interconnect and Partner Interconnect. For further information, please refer to the GCP connectivity options documentation.
In this article we share how to configure hybrid connectivity between Google Cloud Platform and on-premises using a Mikrotik router. We use a simple topology where one peer VPN gateway (one public IP address) is connected to one device. For production use, we recommend scaling to HA connectivity with more than one IP address and more than one device; a single tunnel also does not qualify for the HA VPN availability SLA.
Deploying a secure connection between Google Cloud Platform and on-premises is fairly simple. Start by setting up the Cloud VPN gateway, the peer VPN gateway, the VPN tunnel and a Cloud Router on the Google Cloud Platform side. Then configure the Mikrotik for the IPsec tunnel and BGP peering.
Setup on Google Site
Open the GCP console in your web browser and select a project. Here we use Hybrid VPN Project.
1. Select VPN from the Hybrid Connectivity submenu and click Create VPN connection.
2. Pick HA VPN as the VPN option.
3. Choose your region and VPC network.
4. Create a new peer VPN gateway.
5. Give it a unique name and enter the Mikrotik's public IP address.
6. Assign a Cloud VPN gateway interface to your peer VPN gateway interface. Enter an IKE pre-shared key or let Google generate one for you; treat it as a secret, since it is the only thing authenticating the tunnel. We also need to create a new Cloud Router in this step.
7. To create a new BGP session, fill in the peer ASN (the Mikrotik's AS, 64901 below), the Cloud Router BGP IP and the BGP peer IP. Google requires a /30 from the link-local range 169.254.0.0/16 for the BGP peering. We use 169.254.10.1 (Cloud Router) and 169.254.10.2 (Mikrotik).
This finishes the configuration on the Google side.
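The seven console steps above, as an added example that is not from the original article: the same objects created with the gcloud CLI, followed by the checks that confirm the tunnel state and the BGP routes, and the VPC firewall rule the test instance needs (GCP denies ingress by default). The project, region and network names, the resource names, the peer address 203.0.113.10 and the on-premises range are assumptions; the ASNs and link-local addresses are the article's own. With DRY_RUN=1 the script prints the commands instead of running them, so it can be reviewed without credentials.

```shell
#!/bin/sh
# Added example, not the article's own configuration: GCP side of the
# HA VPN + Cloud Router setup via gcloud. Names and addresses below that
# are not in the article (project, region, network, resource names,
# 203.0.113.10, 192.168.0.0/16) are assumptions; replace them.
set -eu

PROJECT="${PROJECT:-hybrid-vpn-project}"      # assumed project id
REGION="${REGION:-asia-southeast1}"           # assumed region
NETWORK="${NETWORK:-default}"                 # assumed VPC network name
PEER_IP="${PEER_IP:-203.0.113.10}"            # assumed Mikrotik public IP
ONPREM_CIDR="${ONPREM_CIDR:-192.168.0.0/16}"  # assumed on-prem range learned via BGP
CLOUD_ASN=64900                               # Cloud Router ASN (article)
PEER_ASN=64901                                # Mikrotik ASN (article)
CLOUD_BGP_IP=169.254.10.1                     # Cloud Router side of the /30
PEER_BGP_IP=169.254.10.2                      # Mikrotik side of the /30

# DRY_RUN=1 prints each command instead of executing it.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

create_hybrid_vpn() {
  # Steps 1-3: HA VPN gateway (Google allocates two interfaces automatically)
  run gcloud compute vpn-gateways create hybrid-vpn-gw \
    --project="$PROJECT" --region="$REGION" --network="$NETWORK"

  # Steps 4-5: peer (external) VPN gateway with one interface, the Mikrotik IP
  run gcloud compute external-vpn-gateways create onprem-mikrotik \
    --project="$PROJECT" --interfaces="0=$PEER_IP"

  # Step 6: Cloud Router with the Google-side ASN
  run gcloud compute routers create hybrid-router \
    --project="$PROJECT" --region="$REGION" --network="$NETWORK" --asn="$CLOUD_ASN"

  # Step 6: tunnel from HA VPN interface 0 to peer interface 0, IKEv2.
  # The PSK is taken from the environment (assumed variable IKE_PSK), never
  # hard-coded in the script.
  run gcloud compute vpn-tunnels create tunnel-1 \
    --project="$PROJECT" --region="$REGION" \
    --vpn-gateway=hybrid-vpn-gw --interface=0 \
    --peer-external-gateway=onprem-mikrotik --peer-external-gateway-interface=0 \
    --router=hybrid-router --ike-version=2 --shared-secret="${IKE_PSK:?set IKE_PSK}"

  # Step 7: Cloud Router interface on the link-local /30, then the BGP peer
  run gcloud compute routers add-interface hybrid-router \
    --project="$PROJECT" --region="$REGION" --interface-name=if-tunnel-1 \
    --vpn-tunnel=tunnel-1 --ip-address="$CLOUD_BGP_IP" --mask-length=30
  run gcloud compute routers add-bgp-peer hybrid-router \
    --project="$PROJECT" --region="$REGION" --interface=if-tunnel-1 \
    --peer-name=mikrotik --peer-ip-address="$PEER_BGP_IP" --peer-asn="$PEER_ASN"

  # VPC ingress is denied by default: allow only what the test needs
  # (HTTP and ICMP) from the on-prem range, not "allow all".
  run gcloud compute firewall-rules create allow-onprem-web \
    --project="$PROJECT" --network="$NETWORK" --direction=INGRESS \
    --source-ranges="$ONPREM_CIDR" --allow=tcp:80,icmp
}

check_hybrid_vpn() {
  # Tunnel status should read ESTABLISHED; the router status shows the
  # BGP peer state and the routes learned from the Mikrotik.
  run gcloud compute vpn-tunnels describe tunnel-1 \
    --project="$PROJECT" --region="$REGION" --format='value(status,detailedStatus)'
  run gcloud compute routers get-status hybrid-router \
    --project="$PROJECT" --region="$REGION" \
    --format='yaml(result.bgpPeerStatus,result.bestRoutes)'
}

# Usage: IKE_PSK=... ./gcp-hybrid-vpn.sh apply   (add DRY_RUN=1 to preview)
if [ "${1:-}" = "apply" ]; then
  create_hybrid_vpn
  check_hybrid_vpn
fi
```

The gateway, router and peer are created in the same order as the console wizard, which matters because the tunnel references the gateway and router, and the BGP peer references the Cloud Router interface bound to the tunnel. Run check_hybrid_vpn again after the Mikrotik side is configured; until then the tunnel will not be ESTABLISHED and no routes will be listed.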
Setup on Mikrotik
Our Mikrotik runs RouterOS version 6.46.4. This configuration might not work on other versions (the IPsec identity and BGP syntax below is RouterOS v6; v7 moved BGP configuration under /routing bgp connection).
1. Create a loopback address for our BGP peering. A bridge with no ports acts as a loopback interface in RouterOS.
/interface bridge add name=loopback-gvpn
/ip address add address=169.254.10.2/30 interface=loopback-gvpn
2. Create the IPsec tunnel. We only need to define a peer, an identity and policies. Use the pre-shared key from the Google configuration as the identity secret. Set two policies: one for the link-local BGP pair inside the tunnel, and one for the GCP VM subnet. The sa-dst-address of both policies must be the Cloud VPN gateway interface address, the same address used for the peer.
/ip ipsec peer add address=126.96.36.199/32 exchange-mode=ike2 name=gcp-tun1 comment="GCP HA VPN interface 0"
/ip ipsec identity add peer=gcp-tun1 secret=xxxxxxxxxxxx
/ip ipsec policy add dst-address=169.254.10.1/32 peer=gcp-tun1 src-address=169.254.10.2/32 sa-dst-address=126.96.36.199 sa-src-address=xx.xx.xx.xx tunnel=yes comment="BGP link-local pair"
/ip ipsec policy add dst-address=10.184.0.0/20 peer=gcp-tun1 sa-dst-address=126.96.36.199 sa-src-address=xx.xx.xx.xx tunnel=yes comment="GCP VM subnet"
3. Check on the Google console that the VPN tunnel shows Established. On the Mikrotik, the peer should appear under the active IPsec peers with a pair of installed SAs.
4. Configure the BGP peer. Since we use OSPF in our network, set redistribute-ospf to yes so our internal routes are advertised to Google. Everything redistributed here ends up as routes in the VPC, so in production limit what is announced with an out filter.
/routing bgp instance set default as=64901 router-id=169.254.10.2 redistribute-ospf=yes
/routing bgp peer add remote-address=169.254.10.1 remote-as=64900
5. Once the Mikrotik establishes BGP peering, our internal routes are added to the Google Cloud Platform VPC as dynamic routes, and the VPC subnet routes are advertised to the Mikrotik.
Let's see whether our tunnel is connected.
Now, let's test whether our internal server can communicate with a VM instance on GCP. We set up a test instance on GCP with internal IP 10.184.0.2.
See if we can browse our VM instance using the internal IP from Paragon's internal network.
The same website can be accessed through the public address too.
From here we have many options for using this approach. We can put a reverse proxy in Google Cloud Platform to expose our web application to the public; this way, the on-premises network is never exposed directly to the internet, which minimizes its attack surface. Or we can simply use VM instances for private use.
Most problems when configuring a VPN to GCP come from firewall rules and IPsec policies. Check that your firewall is not blocking the IPsec tunnel: on the Mikrotik input chain, UDP 500 (IKE), UDP 4500 (NAT-T) and IP protocol 50 (ESP) from the Cloud VPN gateway address must be accepted, and on the GCP side a VPC firewall rule must allow ingress from the on-premises ranges, since the default is deny. Also check that the matching IPsec policy is present; traffic that matches no policy is routed in the clear instead of into the tunnel.
The Mikrotik Wiki pages on IPsec and BGP have a lot of information to guide you, and Google Cloud Platform's Cloud VPN documentation is also thorough.