https://www.softbank.jp/biz/blog/cloud-technology/articles/202301/alibaba-azure-vpn/
https://learn.microsoft.com/ja-jp/azure/vpn-gateway/vpn-gateway-howto-aws-bgp
独自のカスタム APIPA アドレスを設定することもできます。
AWS では、トンネルごとに APIPA 範囲 169.254.0.0/16 の /30 Inside IPv4 CIDR が必要です。
また、この CIDR は、AZURE で予約されている VPN 用の APIPA 範囲 (169.254.21.0 から 169.254.22.255) 内にある必要があります。
AWS は CIDR 内の /30 の最初の IP アドレスを使用し、Azure は 2 番目の IP アドレスを使用します。
つまり、AWS /30 CIDR 内に 2 つの IP アドレス用の領域を予約する必要があります。
たとえば、AWS Inside IPv4 CIDR を 169.254.21.0/30 に設定した場合、
AWS は BGP IP アドレス 169.254.21.1 を使用し、Azure は IP アドレス 169.254.21.2 を使用します。
前提:
基礎ネットワークとVMインスタンスはTerraformで作成
その他はCLIで作成
Alibaba VPN Gateway作成画面でService-linked Role作成済み
IPSec tunnel使用本数: 1本
macから実施
設定の流れ:
1. Alibaba Cloud側での設定
VPN Gateway作成
2. Azure側での設定
仮想ネットワークゲートウェイ作成
ローカルネットワーク ゲートウェイ作成
接続作成
3. Alibaba Cloud側での設定
Customer Gateways作成
IPsec Connection作成
4. 動作確認
Azure:
東日本リージョン
vnet : 10.0.0.0/16
サブネット : 10.0.1.0/24
ゲートウェイサブネット: 10.0.1.0/24
Security Group : ICMP,SSH
ASN: 64512
Alibaba:
北京リージョン
VPC : 172.16.0.0/16
vSwitch : 172.16.1.0/24
Security Group : ICMP,SSH
ASN: 65000
-- 1. VPC、サブネット、VMインスタンス作成【Azure】
mkdir azure
cd azure
cat <<-'EOF' > main.tf
terraform{
required_providers{
azurerm={
source = "hashicorp/azurerm"
version = "=3.6.0"
}
}
}
# Configure the Microsoft Azure Provider
provider "azurerm" {
features {}
}
resource "azurerm_resource_group" "rg9999999" {
name = "rg9999999"
location = "Japan East"
}
resource "azurerm_virtual_network" "vnet01" {
name = "vnet01"
address_space = ["10.0.0.0/16"]
location = azurerm_resource_group.rg9999999.location
resource_group_name = azurerm_resource_group.rg9999999.name
}
resource "azurerm_subnet" "subnet01" {
name = "subnet01"
resource_group_name = azurerm_resource_group.rg9999999.name
virtual_network_name = azurerm_virtual_network.vnet01.name
address_prefixes = ["10.0.1.0/24"]
}
resource "azurerm_subnet" "GatewaySubnet" {
name = "GatewaySubnet"
resource_group_name = azurerm_resource_group.rg9999999.name
virtual_network_name = azurerm_virtual_network.vnet01.name
address_prefixes = ["10.0.2.0/24"]
}
resource "azurerm_public_ip" "pip01" {
name = "pip01"
location = azurerm_resource_group.rg9999999.location
resource_group_name = azurerm_resource_group.rg9999999.name
allocation_method = "Dynamic"
}
resource "azurerm_network_security_group" "nsg01" {
name = "nsg01"
location = azurerm_resource_group.rg9999999.location
resource_group_name = azurerm_resource_group.rg9999999.name
security_rule {
name = "SSH"
priority = 100
direction = "Inbound"
access = "Allow"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "22"
source_address_prefix = "*"
destination_address_prefix = "*"
}
security_rule {
name = "Alibaba"
priority = 110
direction = "Inbound"
access = "Allow"
protocol = "*"
source_port_range = "*"
destination_port_range = "*"
source_address_prefix = "172.16.1.0/24"
destination_address_prefix = "*"
}
}
resource "azurerm_network_interface" "nic01" {
name = "nic01"
location = azurerm_resource_group.rg9999999.location
resource_group_name = azurerm_resource_group.rg9999999.name
ip_configuration {
name = "internal"
subnet_id = azurerm_subnet.subnet01.id
private_ip_address_allocation = "Dynamic"
public_ip_address_id = azurerm_public_ip.pip01.id
}
}
resource "azurerm_network_interface_security_group_association" "nsg01_nic01" {
network_interface_id = azurerm_network_interface.nic01.id
network_security_group_id = azurerm_network_security_group.nsg01.id
}
resource "azurerm_linux_virtual_machine" "vm01"{
name = "vm01"
resource_group_name = azurerm_resource_group.rg9999999.name
location = azurerm_resource_group.rg9999999.location
size = "Standard_B1ls"
admin_username = "azureuser"
network_interface_ids = [
azurerm_network_interface.nic01.id,
]
admin_ssh_key {
username = "azureuser"
public_key = file("~/.ssh/id_rsa.pub")
}
os_disk{
caching = "ReadWrite"
storage_account_type = "Standard_LRS"
}
source_image_reference{
publisher = "Canonical"
offer = "0001-com-ubuntu-server-focal"
sku = "20_04-lts"
version = "latest"
}
}
output "public_ip_address" {
value = azurerm_linux_virtual_machine.vm01.public_ip_address
}
EOF
terraform init
terraform fmt
terraform -version
terraform plan
terraform apply -auto-approve
# terraform destroy -auto-approve
cd ..
-- 2. VPC、VSwitch、ECS作成【Alibaba】
mkdir alibaba
cd alibaba
cat <<-'EOF' > variables.tf
locals {
availability_zone1 = "cn-beijing-k"
availability_zone2 = "cn-beijing-l"
}
variable "instance_type" {
description = "instance_type"
type = string
default = "ecs.t6-c4m1.large"
}
variable "image_id" {
description = "image_id"
type = string
default = "aliyun_2_1903_x64_20G_alibase_20231221.vhd"
}
EOF
cat <<-'EOF' > main.tf
terraform {
required_version = ">= 1.0.0, < 2.0.0"
required_providers {
alicloud = {
source = "aliyun/alicloud"
version = "= 1.217.0"
}
}
}
provider "alicloud" {
region = "cn-beijing"
}
resource "alicloud_vpc" "vpc01" {
vpc_name = "vpc01"
description = "vpc01"
cidr_block = "172.16.0.0/16"
}
resource "alicloud_vswitch" "sw01" {
vswitch_name = "sw01"
description = "sw01"
vpc_id = alicloud_vpc.vpc01.id
cidr_block = "172.16.1.0/24"
zone_id = local.availability_zone1
}
resource "alicloud_vswitch" "sw02" {
vswitch_name = "sw02"
description = "sw02"
vpc_id = alicloud_vpc.vpc01.id
cidr_block = "172.16.2.0/24"
zone_id = local.availability_zone2
}
resource "alicloud_security_group" "sg01" {
name = "sg01"
description = "sg01"
vpc_id = alicloud_vpc.vpc01.id
security_group_type = "normal"
}
resource "alicloud_security_group_rule" "sg0101" {
type = "ingress"
ip_protocol = "tcp"
port_range = "22/22"
security_group_id = alicloud_security_group.sg01.id
nic_type = "intranet"
policy = "accept"
priority = 10
cidr_ip = "0.0.0.0/0"
description = "sg0101"
}
resource "alicloud_security_group_rule" "sg0102" {
type = "ingress"
ip_protocol = "icmp"
port_range = "-1/-1"
security_group_id = alicloud_security_group.sg01.id
nic_type = "intranet"
policy = "accept"
priority = 10
cidr_ip = "10.0.1.0/24"
description = "sg0102"
}
resource "alicloud_vpc_ipv4_gateway" "gw01" {
ipv4_gateway_name = "gw01"
ipv4_gateway_description = "gw01"
vpc_id = alicloud_vpc.vpc01.id
enabled = true
}
# ルートテーブルへvSwitchの関連付け
resource "alicloud_route_table_attachment" "sw01_rt01" {
vswitch_id = alicloud_vswitch.sw01.id
route_table_id = alicloud_vpc.vpc01.route_table_id
}
# ルートテーブルへカスタムルート追加
resource "alicloud_route_entry" "rt0101" {
name = "rt0101"
route_table_id = alicloud_vpc.vpc01.route_table_id
destination_cidrblock = "0.0.0.0/0"
nexthop_type = "Ipv4Gateway"
nexthop_id = alicloud_vpc_ipv4_gateway.gw01.id
}
resource "alicloud_instance" "instance01" {
image_id = var.image_id
instance_type = var.instance_type
security_groups = [alicloud_security_group.sg01.id]
instance_name = "instance01"
system_disk_category = "cloud_essd"
system_disk_name = "instance01"
system_disk_size = 20
description = "instance01"
internet_charge_type = "PayByBandwidth"
internet_max_bandwidth_out = 0
host_name = "instance01"
vswitch_id = alicloud_vswitch.sw01.id
instance_charge_type = "PostPaid"
key_name = "alibabakey04"
deletion_protection = false
credit_specification = "Standard"
}
resource "alicloud_eip_address" "eip01" {
address_name = "eip01"
bandwidth = 1
deletion_protection = false
description = "eip01"
internet_charge_type = "PayByTraffic"
isp = "BGP"
payment_type = "PayAsYouGo"
netmode = "public"
}
# インスタンスとEIPの関連付け
resource "alicloud_eip_association" "instance01_eip01" {
instance_id = alicloud_instance.instance01.id
allocation_id = alicloud_eip_address.eip01.id
}
EOF
cat <<-'EOF' > outputs.tf
output "vpc01_id" {
value = alicloud_vpc.vpc01.id
description = "vpc01.id"
}
output "vpc01_route_table_id" {
value = alicloud_vpc.vpc01.route_table_id
description = "vpc01.route_table_id"
}
output "sw01_id" {
value = alicloud_vswitch.sw01.id
description = "sw01.id"
}
output "sw02_id" {
value = alicloud_vswitch.sw02.id
description = "sw02.id"
}
output "sg01_id" {
value = alicloud_security_group.sg01.id
description = "sg01.id"
}
output "gw01_id" {
value = alicloud_vpc_ipv4_gateway.gw01.id
description = "gw01.id"
}
output "instance01_id" {
value = alicloud_instance.instance01.id
description = "instance01.id"
}
output "eip01_id" {
value = alicloud_eip_address.eip01.id
description = "eip01.id"
}
EOF
terraform init
terraform fmt
terraform -version
terraform plan
terraform apply -auto-approve
# terraform destroy -auto-approve
cd ..
aliyun vpc CreateVpnGateway \
--Name vgw01 \
--VpcId vpc-111111111111111111111 \
--InstanceChargeType POSTPAY \
--AutoPay false \
--Bandwidth 10 \
--EnableIpsec true \
--EnableSsl false \
--VSwitchId vsw-111111111111111111111 \
--VpnType Normal \
--NetworkType public \
--DisasterRecoveryVSwitchId vsw-111111111111111111111 \
--force
コマンドは正常終了するが、DescribeVpnGatewaysしてもリソースは確認できない
→ GUIから実施
作成後、画面から「Enable Automatic Route」有効化も必要
aliyun vpc DescribeVpnGateways
aliyun vpc DescribeVpnGateway \
--VpnGatewayId vpn-111111111111111111111
-- 4. パブリックIPアドレスを作成する【Azure】
az network public-ip create \
--name pip21 \
--resource-group rg9999999 \
--allocation-method Static \
--location japaneast \
--sku Standard \
--tier Regional \
--version IPv4
az network public-ip list
az network public-ip show --resource-group rg9999999 --name pip21
-- 5. 仮想ネットワークゲートウェイを作成する【Azure】
az network vnet-gateway create \
--name vng21 \
--resource-group rg9999999 \
--vnet vnet01 \
--asn 64512 \
--bgp-peering-address 169.254.21.2,169.254.22.2 \
--client-protocol IkeV2 \
--gateway-type Vpn \
--location japaneast \
--public-ip-address pip21 \
--sku VpnGw1 \
--vpn-gateway-generation Generation1 \
--vpn-type RouteBased
約30分かかった
カスタムの Azure APIPA BGP IP アドレス がセットされていないため
下記を画面から更新
169.254.21.2
169.254.22.2
az network vnet-gateway list --resource-group rg9999999
az network vnet-gateway show --resource-group rg9999999 --name vng21
-- 6. ローカル ネットワーク ゲートウェイを作成する【Azure】
az network local-gateway create \
--gateway-ip-address 192.0.2.1 \
--name lng21 \
--resource-group rg9999999 \
--asn 65000 \
--bgp-peering-address 169.254.21.1 \
--location japaneast
※gateway-ip-addressはAlibaba側Tunnel #1の外部IPアドレス
az network local-gateway list --resource-group rg9999999
az network local-gateway show --resource-group rg9999999 --name lng21
-- 7. 接続を作成する【Azure】
az network vpn-connection create \
--name vpn21 \
--resource-group rg9999999 \
--vnet-gateway1 vng21 \
--enable-bgp \
--local-gateway2 lng21 \
--location japaneast \
--shared-key PreSharedKey1
画面から「カスタムBGPアドレスを有効にする」を有効化
az network vpn-connection list --resource-group rg9999999
az network vpn-connection show --resource-group rg9999999 --name vpn21
-- 8. カスタマーゲートウェイ作成【Alibaba】
aliyun vpc CreateCustomerGateway \
--IpAddress 192.0.2.2 \
--Name cgw01 \
--Asn 64512
※ IpAddressはAzure Tunnel #1 のパブリックIPアドレス
aliyun vpc DescribeCustomerGateways
aliyun vpc DescribeCustomerGateway \
--CustomerGatewayId cgw-111111111111111111111
-- 9. IPsec Connection作成【Alibaba】
aliyun vpc CreateVpnConnection \
--region cn-beijing \
--RegionId 'cn-beijing' \
--CustomerGatewayId 'cgw-111111111111111111111' \
--VpnGatewayId 'vpn-111111111111111111111' \
--Name vpn01 \
--LocalSubnet '0.0.0.0/0' \
--RemoteSubnet '0.0.0.0/0' \
--EffectImmediately true \
--TunnelOptionsSpecification.1.TunnelBgpConfig.LocalAsn 65000 \
--TunnelOptionsSpecification.1.TunnelBgpConfig.LocalBgpIp '169.254.21.1' \
--TunnelOptionsSpecification.1.TunnelBgpConfig.TunnelCidr '169.254.21.0/30' \
--TunnelOptionsSpecification.1.CustomerGatewayId 'cgw-111111111111111111111' \
--TunnelOptionsSpecification.1.EnableDpd true \
--TunnelOptionsSpecification.1.EnableNatTraversal true \
--TunnelOptionsSpecification.1.Role master \
--TunnelOptionsSpecification.1.TunnelIkeConfig.IkeAuthAlg sha1 \
--TunnelOptionsSpecification.1.TunnelIkeConfig.IkeEncAlg aes \
--TunnelOptionsSpecification.1.TunnelIkeConfig.IkeLifetime 86400 \
--TunnelOptionsSpecification.1.TunnelIkeConfig.IkeMode main \
--TunnelOptionsSpecification.1.TunnelIkeConfig.IkePfs group2 \
--TunnelOptionsSpecification.1.TunnelIkeConfig.IkeVersion ikev2 \
--TunnelOptionsSpecification.1.TunnelIkeConfig.LocalId '192.0.2.1' \
--TunnelOptionsSpecification.1.TunnelIkeConfig.Psk PreSharedKey1 \
--TunnelOptionsSpecification.1.TunnelIkeConfig.RemoteId '192.0.2.2' \
--TunnelOptionsSpecification.1.TunnelIpsecConfig.IpsecAuthAlg sha1 \
--TunnelOptionsSpecification.1.TunnelIpsecConfig.IpsecEncAlg aes \
--TunnelOptionsSpecification.1.TunnelIpsecConfig.IpsecLifetime 86400 \
--TunnelOptionsSpecification.1.TunnelIpsecConfig.IpsecPfs group2 \
--TunnelOptionsSpecification.2.TunnelBgpConfig.LocalAsn 65000 \
--TunnelOptionsSpecification.2.TunnelBgpConfig.LocalBgpIp '169.254.22.1' \
--TunnelOptionsSpecification.2.TunnelBgpConfig.TunnelCidr '169.254.22.0/30' \
--TunnelOptionsSpecification.2.CustomerGatewayId 'cgw-111111111111111111111' \
--TunnelOptionsSpecification.2.EnableDpd true \
--TunnelOptionsSpecification.2.EnableNatTraversal true \
--TunnelOptionsSpecification.2.Role slave \
--TunnelOptionsSpecification.2.TunnelIkeConfig.IkeAuthAlg sha1 \
--TunnelOptionsSpecification.2.TunnelIkeConfig.IkeEncAlg aes \
--TunnelOptionsSpecification.2.TunnelIkeConfig.IkeLifetime 86400 \
--TunnelOptionsSpecification.2.TunnelIkeConfig.IkeMode main \
--TunnelOptionsSpecification.2.TunnelIkeConfig.IkePfs group2 \
--TunnelOptionsSpecification.2.TunnelIkeConfig.IkeVersion ikev2 \
--TunnelOptionsSpecification.2.TunnelIkeConfig.LocalId '192.0.2.3' \
--TunnelOptionsSpecification.2.TunnelIkeConfig.Psk PreSharedKey1 \
--TunnelOptionsSpecification.2.TunnelIkeConfig.RemoteId '192.0.2.2' \
--TunnelOptionsSpecification.2.TunnelIpsecConfig.IpsecAuthAlg sha1 \
--TunnelOptionsSpecification.2.TunnelIpsecConfig.IpsecEncAlg aes \
--TunnelOptionsSpecification.2.TunnelIpsecConfig.IpsecLifetime 86400 \
--TunnelOptionsSpecification.2.TunnelIpsecConfig.IpsecPfs group2 \
--force \
--EnableTunnelsBgp true
aliyun vpc DescribeVpnConnections
aliyun vpc DescribeVpnConnection \
--VpnConnectionId vco-111111111111111111
-- 10. VPN GatewayのPolicy-based Routing設定【Alibaba】
aliyun vpc CreateVpnPbrRouteEntry \
--VpnGatewayId vpn-111111111111111111111 \
--RouteSource "172.16.1.0/24" \
--RouteDest "10.0.1.0/24" \
--NextHop vco-111111111111111111 \
--Weight 100 \
--PublishVpc true \
--Priority 10
aliyun vpc DescribeVpnPbrRouteEntries \
--VpnGatewayId vpn-111111111111111111111
-- 11. BGPステータス確認 【Azure】
az network vpn-connection show \
--name vpn21 \
--resource-group rg9999999
"connectionStatus": "Connected"
になるまで時間がかかる
-- 12. ルートテーブル修正
-- 12.1 Alibaba(172.16.1.0/24)への経路(ターゲットは仮想ネットワーク・ゲートウェイ)をサブネットのルートテーブルに追加【Azure】
自動で追加されるため、不要
-- 12.2 Azure側(10.0.1.0/24)への経路(ターゲットはVPN Gateway)をサブネットのルートテーブルに追加【Alibaba】
自動で追加されるため、不要
-- 13. pingで疎通確認【Azure】
ping 172.16.1.80
-- 14. pingで疎通確認【Alibaba】
ping 10.0.1.4
-- 15. クリーンアップ【Azure】
-- VPN接続削除
az network vpn-connection list \
--resource-group rg9999999
az network vpn-connection delete \
--name vpn21 \
--resource-group rg9999999
-- ローカル ネットワーク ゲートウェイ削除
az network local-gateway list \
--resource-group rg9999999
az network local-gateway delete \
--name lng21 \
--resource-group rg9999999
-- 仮想ネットワークゲートウェイ削除
az network vnet-gateway list \
--resource-group rg9999999
az network vnet-gateway delete \
--name vng21 \
--resource-group rg9999999
-- パブリックIPアドレス削除
az network public-ip list \
--resource-group rg9999999
az network public-ip delete \
--name pip21 \
--resource-group rg9999999
cd azure
terraform destroy -auto-approve
cd ..
az group list
az group delete \
--name NetworkWatcherRG \
--yes
-- 16. クリーンアップ【Alibaba】
-- Policy-based Routing削除
aliyun vpc DescribeVpnPbrRouteEntries \
--VpnGatewayId vpn-111111111111111111111
aliyun vpc DeleteVpnPbrRouteEntry \
--VpnGatewayId vpn-111111111111111111111 \
--RouteSource "172.16.1.0/24" \
--RouteDest "10.0.1.0/24" \
--NextHop vco-111111111111111111 \
--Weight 100 \
--Priority 10
-- IPsec Connection削除
aliyun vpc DescribeVpnConnections
aliyun vpc DeleteVpnConnection \
--VpnConnectionId vco-111111111111111111
-- Customer Gateways削除
aliyun vpc DescribeCustomerGateways
aliyun vpc DeleteCustomerGateway \
--CustomerGatewayId cgw-111111111111111111111
aliyun vpc DescribeVpnGateways
aliyun vpc DeleteVpnGateway \
--VpnGatewayId vpn-111111111111111111111
cd alibaba
terraform destroy -auto-approve
cd ..
