This article presents a case study on creating a private connection between two different cloud platforms, GCP and AWS.

Company ABC had developed a messaging tool for the finance sector, similar to Slack or Skype but without multi-layer message encryption. The application is used by many large banks, such as HSBC and Citibank, especially during the Covid-19 outbreak, when people had to work from home.

Initially the application was deployed on VMs in Google Cloud, and the CI/CD system, built around Jenkins, ran on Google's Kubernetes (K8S). However, as the company's use of AWS grew, AWS EC2 instances came to be used alongside the older VM platform on GCP.

This raised a problem: how can resources on the existing GCP side (VMs, the K8S cluster) establish private, secure connections to resources on AWS (EC2 instances and so on)?

For example, a Jenkins agent launched on GCP's K8S cluster should be able to reach (ping, curl, etc.) an EC2 instance inside an AWS VPC.

Using Cloud NAT gateway

The K8S cluster's worker nodes all sit in a private subnet without external IP addresses, so Cloud NAT is needed before they can reach anything outside GCP's network.

NAT, or Network Address Translation, lets hosts with private addresses reach external networks through a shared public address, with return traffic mapped back to the originating host. More details on Cloud NAT are in the Google documentation linked below.

The Jenkins K8S cluster can therefore be given a NAT gateway to allow access outside GCP. The reference setup is at https://cloud.google.com/nat/docs/using-nat#gcloud

You can let GCP allocate the NAT IP automatically or reserve a static external IP manually. A manually reserved static IP is the better choice here, because the AWS side will filter on that address and automatically allocated NAT IPs are not guaranteed to stay the same.

On the AWS EC2 instance, configure the security group with an inbound rule that allows the connection; for example, open HTTPS port 443 to the NAT gateway's external IP only (a /32 source), never to 0.0.0.0/0.

The Jenkins agent on GCP's K8S can then reach the EC2 instance on AWS over HTTPS port 443. Note that the EC2 instance must expose a publicly reachable endpoint for this, and the traffic crosses the public internet protected only by TLS.
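As an added example (not code from the original post), the following script wires up the Cloud NAT side and the matching AWS security-group rule, and then checks from inside the cluster that egress really leaves through the NAT address. Region, network, router and NAT names, the security group ID and the documentation IP used in dry-run mode are all assumed placeholders; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: Cloud NAT for the private GKE
# worker subnet plus an AWS security-group rule that admits HTTPS only from the
# NAT address. All names, regions and IDs below are assumed placeholders.
set -eu

: "${REGION:=asia-southeast1}"          # assumed GCP region of the GKE workers
: "${NETWORK:=jenkins-vpc}"             # assumed VPC network holding the GKE workers
: "${ROUTER:=jenkins-router}"           # Cloud Router that hosts the NAT configuration
: "${NAT_NAME:=jenkins-nat}"
: "${NAT_ADDR:=jenkins-nat-ip}"         # name of the reserved static external IP
: "${AWS_SG_ID:=sg-0123456789abcdef0}"  # assumed security group of the target EC2
: "${DRY_RUN:=0}"                       # DRY_RUN=1 prints the commands instead of running them

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; return 0; fi; "$@"; }

# Reserve a static external IP instead of letting GCP auto-allocate one: the AWS
# rule below pins this exact address, so it must not change underneath us.
reserve_nat_ip() {
  run gcloud compute addresses create "$NAT_ADDR" --region="$REGION"
}

# Cloud NAT hangs off a Cloud Router. Translating all subnet ranges in the region
# covers the private worker nodes; logging records which translations were used.
create_cloud_nat() {
  run gcloud compute routers create "$ROUTER" --network="$NETWORK" --region="$REGION"
  run gcloud compute routers nats create "$NAT_NAME" \
    --router="$ROUTER" --region="$REGION" \
    --nat-external-ip-pool="$NAT_ADDR" \
    --nat-all-subnet-ip-ranges \
    --enable-logging
}

# Resolve the reserved address so the AWS rule can be scoped to exactly /32.
# In dry-run mode a documentation address (RFC 5737) stands in for the real one.
nat_ip() {
  if [ "$DRY_RUN" = 1 ]; then echo "203.0.113.10"; return 0; fi
  gcloud compute addresses describe "$NAT_ADDR" --region="$REGION" --format='value(address)'
}

# Security group: TCP/443 from the NAT address only, never from 0.0.0.0/0.
allow_https_from_nat() {
  run aws ec2 authorize-security-group-ingress \
    --group-id "$AWS_SG_ID" --protocol tcp --port 443 --cidr "$1/32"
}

# Verification from inside the cluster: the source address an internet-facing
# service sees for a pod must be the NAT IP, otherwise the AWS rule will not match.
verify_egress_ip() {
  run kubectl run nat-check --rm -i --restart=Never --image=curlimages/curl \
    --command -- curl -s https://checkip.amazonaws.com
}

main() {
  reserve_nat_ip
  create_cloud_nat
  allow_https_from_nat "$(nat_ip)"
  verify_egress_ip
}
if [ "${RUN_MAIN:-0}" = 1 ]; then main; fi
```

Run it with RUN_MAIN=1 against a project where gcloud, aws and kubectl are already authenticated; with DRY_RUN=1 as well it only prints the command sequence for review. The /32 rule is the part that turns Cloud NAT from "any internet host" into "only our cluster", which is why the static reservation comes first.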

Site-to-site VPN between GCP and AWS with dynamic BGP routing

Because the NAT address is still a public IP and the EC2 endpoint has to be exposed on the internet, Company ABC wanted a secured connection between GCP and AWS in which the instances themselves never need to be reachable from the public internet. With a site-to-site VPN, a VM on GCP can reach (ping, curl, etc.) an AWS EC2 instance by its private IP on the internal network. The encrypted IPsec tunnel still runs between the two gateways' public IPs, but everything behind the gateways stays private.

The site-to-site VPN solution used is as follows:

GCP's VM and AWS's EC2 instance each sit in their own VPC, and the requirement is that the VM and the EC2 instance can ping or curl each other by private IP.

In general, this is done in two steps:

  1. On GCP, create a Cloud VPN gateway and a VPN tunnel.
  2. On AWS, create a Virtual Private Gateway, a Customer Gateway (pointing at the GCP gateway's public IP), and a Site-to-Site VPN connection.

The two sides depend on each other: the AWS customer gateway needs the GCP gateway's public IP, and the GCP tunnel needs the peer address and pre-shared key that AWS generates for the connection. In practice, therefore, the GCP gateway is created first, the AWS side next, and the GCP tunnel last.

Step 1: Create a Classic VPN gateway and VPN tunnel

A VPN tunnel is a secured tunnel between two networks. Packets passing between them are encrypted and encapsulated with IPsec and sent through this tunnel.

More information can be found at https://cloud.google.com/vpn/docs/how-to/creating-static-vpns (this guide covers Classic VPN with static routing; dynamic BGP routing additionally requires a Cloud Router, and Google recommends HA VPN with BGP for new deployments).

Successful creation will show the following result:

Step 2: On AWS, create a Virtual Private Gateway, a Customer Gateway, and a Site-to-Site VPN connection


Create a virtual private gateway and attach it to the VPC

The result will be as below:

Create the site-to-site VPN connection

You can create it through the CLI or the console, referencing the newly created customer-gateway-id and vpn-gateway-id. Once it exists, download the connection's configuration: it contains the AWS tunnel endpoint addresses and pre-shared keys needed to finish the GCP tunnel from Step 1.

When the VPN connection reports status UP, the tunnel between the two clouds is established. An UP tunnel alone does not carry traffic, though: each side also needs a route to the other side's private range (a GCP route via the tunnel, and static routes or route propagation from the virtual private gateway on the AWS route table), and the GCP firewall rules and AWS security groups must allow the traffic from the peer network's private CIDR.

Resources on GCP can then reach those on AWS by internal IP addresses that are not exposed on the internet, giving a secured connection.
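As an added example (not code from the original post), the following script carries the two-step procedure above through with gcloud and the AWS CLI, in the order the dependencies force: GCP gateway first, AWS gateways and connection next, GCP tunnel last, then the routes, firewall rule and security-group entries without which an UP tunnel still passes nothing. It follows the route-based Classic VPN with static routes from the linked Google guide. Region, network, CIDRs, resource names and every AWS ID are assumed placeholders, and the ID arguments are meant to be filled in from the output of the preceding commands; DRY_RUN=1 prints the commands instead of running them.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post: route-based Classic VPN (static
# routes) on GCP to an AWS Site-to-Site VPN connection, plus the routes and firewall
# rules the tunnel needs before a GCP VM can ping or curl an EC2 by private IP.
# Every name, region, CIDR and ID below is an assumed placeholder.
set -eu

: "${REGION:=asia-southeast1}"            # assumed GCP region of the VM subnet
: "${NETWORK:=prod-vpc}"                  # assumed GCP VPC network
: "${GCP_CIDR:=10.10.0.0/16}"             # assumed GCP subnet range reachable from AWS
: "${AWS_CIDR:=172.31.0.0/16}"            # assumed AWS VPC CIDR
: "${AWS_VPC_ID:=vpc-0123456789abcdef0}"  # assumed AWS VPC
: "${AWS_RTB_ID:=rtb-0123456789abcdef0}"  # assumed route table of the EC2 subnet
: "${AWS_SG_ID:=sg-0123456789abcdef0}"    # assumed security group of the EC2
: "${DRY_RUN:=0}"                         # DRY_RUN=1 prints the commands instead of running them

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; return 0; fi; "$@"; }

# Step 1a (GCP): reserve the gateway's public IP; AWS needs it for the customer gateway.
gcp_reserve_ip() { run gcloud compute addresses create gcp-vpn-ip --region="$REGION"; }

# Step 1b (GCP): Classic VPN gateway plus the three forwarding rules that deliver
# ESP, IKE (UDP/500) and NAT-T (UDP/4500) to it.  $1 = the reserved IP address.
gcp_vpn_gateway() {
  run gcloud compute target-vpn-gateways create gcp-vpn-gw --network="$NETWORK" --region="$REGION"
  run gcloud compute forwarding-rules create fr-esp --region="$REGION" --ip-protocol=ESP \
    --address="$1" --target-vpn-gateway=gcp-vpn-gw
  run gcloud compute forwarding-rules create fr-udp500 --region="$REGION" --ip-protocol=UDP \
    --ports=500 --address="$1" --target-vpn-gateway=gcp-vpn-gw
  run gcloud compute forwarding-rules create fr-udp4500 --region="$REGION" --ip-protocol=UDP \
    --ports=4500 --address="$1" --target-vpn-gateway=gcp-vpn-gw
}

# Step 2a (AWS): virtual private gateway, and a customer gateway that points at the
# GCP gateway IP ($1). Both calls return IDs that the next step takes as arguments.
aws_gateways() {
  run aws ec2 create-vpn-gateway --type ipsec.1
  run aws ec2 create-customer-gateway --type ipsec.1 --public-ip "$1" --bgp-asn 65000
}

# Step 2b (AWS): attach the VGW, create a static-routes VPN connection, and let the
# EC2 subnet's route table learn the GCP range from the VGW.  $1 = vgw id, $2 = cgw id.
aws_vpn_connection() {
  run aws ec2 attach-vpn-gateway --vpn-gateway-id "$1" --vpc-id "$AWS_VPC_ID"
  run aws ec2 create-vpn-connection --type ipsec.1 --customer-gateway-id "$2" \
    --vpn-gateway-id "$1" --options '{"StaticRoutesOnly":true}'
  run aws ec2 enable-vgw-route-propagation --route-table-id "$AWS_RTB_ID" --gateway-id "$1"
}

# Step 2c (AWS): static route for the GCP range on the connection ($1 = vpn id), and
# security-group entries that admit ping and HTTPS only from the GCP private range.
aws_routes_and_sg() {
  run aws ec2 create-vpn-connection-route --vpn-connection-id "$1" --destination-cidr-block "$GCP_CIDR"
  run aws ec2 authorize-security-group-ingress --group-id "$AWS_SG_ID" \
    --ip-permissions "IpProtocol=icmp,FromPort=-1,ToPort=-1,IpRanges=[{CidrIp=$GCP_CIDR}]"
  run aws ec2 authorize-security-group-ingress --group-id "$AWS_SG_ID" \
    --protocol tcp --port 443 --cidr "$GCP_CIDR"
}

# Step 1c (GCP): the tunnel comes last because the peer address ($1) and pre-shared
# key ($2) are taken from the AWS connection's downloaded configuration. Route-based
# Classic VPN uses 0.0.0.0/0 traffic selectors, so an explicit route steers the AWS
# range into the tunnel; the firewall rule admits traffic that arrives from AWS.
gcp_tunnel_route_firewall() {
  run gcloud compute vpn-tunnels create aws-tunnel-1 --region="$REGION" --peer-address="$1" \
    --shared-secret="$2" --ike-version=2 --target-vpn-gateway=gcp-vpn-gw \
    --local-traffic-selector=0.0.0.0/0 --remote-traffic-selector=0.0.0.0/0
  run gcloud compute routes create route-to-aws --network="$NETWORK" --destination-range="$AWS_CIDR" \
    --next-hop-vpn-tunnel=aws-tunnel-1 --next-hop-vpn-tunnel-region="$REGION"
  run gcloud compute firewall-rules create allow-from-aws --network="$NETWORK" --direction=INGRESS \
    --source-ranges="$AWS_CIDR" --allow=icmp,tcp:443
}

# Status checks: AWS reports UP per tunnel, GCP reports ESTABLISHED.  $1 = vpn id.
check_status() {
  run aws ec2 describe-vpn-connections --vpn-connection-ids "$1" \
    --query 'VpnConnections[0].VgwTelemetry[].Status' --output text
  run gcloud compute vpn-tunnels describe aws-tunnel-1 --region="$REGION" --format='value(status)'
}
```

Call the functions in the numbered order, pasting in the IDs each step returns (vgw-, cgw- and vpn-). AWS always provisions two tunnel endpoints per connection; the script configures one, and the second is added by repeating gcp_tunnel_route_firewall with the other endpoint address and key for redundancy. Passing the pre-shared key as a command-line argument exposes it to process listings and shell history on the operator's machine, so run the tunnel step from a throwaway session or with history disabled.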

Conclusion

The two methods above each have advantages and disadvantages. Cloud NAT is simple to set up, but the EC2 side must be reachable from a public address and the traffic crosses the public internet, protected only by application-layer TLS and a security group pinned to the NAT IP. A VPN, on the other hand, gives the two private networks a separate encrypted connection in which neither side's instances are exposed; it is more complex to set up but more secure. Administrators should choose the method appropriate to their level of demand.

Do Trong Nguyen – FPT Software
