Multi-Cloud VPN: AWS to Azure

February 13, 2026 | AWS Azure VPN Multi-Cloud

IPsec between AWS VPC and Azure VNet.

Multi-Cloud VPN: Connecting AWS and Azure

Multi-cloud architectures are increasingly common — whether for redundancy, best-of-breed services, or M&A integration. Establishing a secure IPsec VPN between AWS VPC and Azure VNet enables workloads in both clouds to communicate privately.

Architecture Overview

AWS VPC (10.0.0.0/16) ←IPsec→ Azure VNet (172.16.0.0/16)

AWS Side:                    Azure Side:
Virtual Private Gateway      VPN Gateway (VpnGw1)
Customer Gateway             Local Network Gateway
  (Azure VPN GW public IP)     (AWS VGW public IP)

Azure Side Configuration

1. Create VPN Gateway

# Requires an existing public IP resource (placeholder name: azure-vpn-gw-pip)
az network vnet-gateway create \
  --name azure-vpn-gw \
  --resource-group mygroup \
  --vnet my-vnet \
  --gateway-type Vpn \
  --vpn-type RouteBased \
  --sku VpnGw1 \
  --generation Generation1 \
  --public-ip-address azure-vpn-gw-pip \
  --asn 65515   # gateway BGP ASN (Azure default); needed for --enable-bgp on the connection

2. Create Local Network Gateway (AWS endpoint)

# 52.10.20.30 is the AWS tunnel outside IP. AWS assigns it when the VPN connection
# is created (AWS side below), so create this gateway after that step.
az network local-gateway create \
  --name aws-local-gw \
  --resource-group mygroup \
  --gateway-ip-address 52.10.20.30 \
  --local-address-prefixes 10.0.0.0/16 \
  --asn 64512 \
  --bgp-peering-address <aws-tunnel-inside-ip>   # 169.254.x.x, also from the AWS connection

3. Create Connection

# --shared-key must equal the pre-shared key of the AWS tunnel this connection
# terminates on (AWS generates one per tunnel unless you supply it)
az network vpn-connection create \
  --name aws-to-azure \
  --resource-group mygroup \
  --vnet-gateway1 azure-vpn-gw \
  --local-gateway2 aws-local-gw \
  --shared-key "YourSharedKeyHere" \
  --enable-bgp

AWS Side Configuration

# Create Customer Gateway (Azure VPN GW public IP)
aws ec2 create-customer-gateway \
  --type ipsec.1 \
  --public-ip 40.80.90.100 \
  --bgp-asn 65515

# Create VPN Connection (dynamic routing; two tunnels are created automatically).
# The CustomerGatewayConfiguration in the response lists each tunnel's outside IP,
# inside IPs and pre-shared key; the Azure local gateway and connection need them.
aws ec2 create-vpn-connection \
  --type ipsec.1 \
  --customer-gateway-id cgw-xxx \
  --vpn-gateway-id vgw-xxx \
  --options '{"StaticRoutesOnly":false}'
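To bridge the two sections, here is an added Python example (not from the original post) that reads the values AWS assigns to each tunnel out of the CustomerGatewayConfiguration XML returned by `aws ec2 describe-vpn-connections` and turns them into the Azure local-gateway and connection commands from the previous section, one pair per AWS tunnel. The XML is a constructed, abbreviated sample with placeholder addresses and keys; the az flags are real and the resource names are the page's.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the CustomerGatewayConfiguration XML, reduced to the elements
# used here. Addresses and pre-shared keys are placeholders, not real values.
_TUNNEL = """<ipsec_tunnel>
  <customer_gateway><tunnel_inside_address><ip_address>{cgw_in}</ip_address></tunnel_inside_address>
    <bgp><asn>65515</asn></bgp></customer_gateway>
  <vpn_gateway><tunnel_outside_address><ip_address>{vgw_out}</ip_address></tunnel_outside_address>
    <tunnel_inside_address><ip_address>{vgw_in}</ip_address></tunnel_inside_address>
    <bgp><asn>64512</asn></bgp></vpn_gateway>
  <ike><pre_shared_key>{psk}</pre_shared_key></ike>
</ipsec_tunnel>"""
SAMPLE_CGW_CONFIG = (
    '<vpn_connection id="vpn-0EXAMPLE">'
    + _TUNNEL.format(vgw_out="52.10.20.30", vgw_in="169.254.21.1", cgw_in="169.254.21.2", psk="PSK-PLACEHOLDER-1")
    + _TUNNEL.format(vgw_out="52.10.20.31", vgw_in="169.254.21.5", cgw_in="169.254.21.6", psk="PSK-PLACEHOLDER-2")
    + "</vpn_connection>"
)

def parse_tunnels(xml_text):
    """One dict per AWS tunnel, holding what the Azure side must be told about it."""
    tunnels = []
    for t in ET.fromstring(xml_text).findall("ipsec_tunnel"):
        vgw = t.find("vpn_gateway")
        tunnels.append({
            "aws_outside_ip": vgw.findtext("tunnel_outside_address/ip_address"),  # Azure --gateway-ip-address
            "aws_inside_ip": vgw.findtext("tunnel_inside_address/ip_address"),    # Azure --bgp-peering-address
            "aws_asn": int(vgw.findtext("bgp/asn")),                              # Azure --asn on the local gateway
            "azure_inside_ip": t.findtext("customer_gateway/tunnel_inside_address/ip_address"),  # Azure's own APIPA BGP IP
            "psk": t.findtext("ike/pre_shared_key"),                              # Azure --shared-key
        })
    return tunnels

def azure_commands(tunnels, resource_group="mygroup", vnet_gateway="azure-vpn-gw"):
    """az CLI argv lists: one local network gateway and one connection per AWS tunnel."""
    cmds = []
    for i, t in enumerate(tunnels, start=1):
        lgw = f"aws-local-gw-{i}"
        cmds.append(["az", "network", "local-gateway", "create", "--name", lgw,
                     "--resource-group", resource_group,
                     "--gateway-ip-address", t["aws_outside_ip"],
                     "--asn", str(t["aws_asn"]),
                     "--bgp-peering-address", t["aws_inside_ip"]])
        cmds.append(["az", "network", "vpn-connection", "create", "--name", f"aws-to-azure-{i}",
                     "--resource-group", resource_group, "--vnet-gateway1", vnet_gateway,
                     "--local-gateway2", lgw, "--shared-key", t["psk"], "--enable-bgp"])
    return cmds
```

Run `azure_commands(parse_tunnels(xml))` on the real XML and execute the returned argv lists in order; each AWS tunnel ends up with its own Azure local network gateway and connection.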

IPsec Parameters Alignment

Both sides must agree on encryption parameters. Use these compatible settings; note that the two CLIs label them differently (AWS tunnel options take SHA2-256 and the DH group as a number, Azure's connection ipsec-policy takes SHA256 and DHGroup14), so confirm the negotiated proposal on both gateways rather than trusting the labels:

Parameter      Value
IKE Version    IKEv2
Encryption     AES-256
Integrity      SHA-256
DH Group       Group 14 (2048-bit)
SA Lifetime    28800 seconds (Phase 1), 3600 seconds (Phase 2)

BGP Configuration

Use BGP for dynamic route exchange between clouds:

  • AWS ASN: 64512 (default) or custom
  • Azure ASN: 65515 (default)
  • BGP enables automatic route learning and failover

Each side is configured with the other side's ASN: the AWS customer gateway above carries Azure's 65515, and the Azure local network gateway must carry AWS's 64512 together with the AWS tunnel inside IP as its BGP peer address. AWS tunnel inside IPs are link-local (169.254.x.x); Azure only peers with such addresses when the VPN gateway is given a custom BGP address from Azure's reserved APIPA range (169.254.21.0 to 169.254.22.255), so pick the AWS TunnelInsideCidr values accordingly.

High Availability

For production, deploy redundant tunnels:

  • AWS: Each VPN connection provides 2 tunnels automatically
  • Azure: Deploy VPN Gateway in active-active mode for 2 public IPs
  • Result: 4 tunnels total with automatic failover

To reach 4 tunnels, create one AWS customer gateway and one VPN connection per Azure public IP; a single VPN connection terminates on only one customer gateway IP and therefore gives 2 tunnels.

Monitoring

  • AWS: CloudWatch metrics on VPN connection (TunnelState, TunnelDataIn/Out)
  • Azure: Azure Monitor metrics on VPN Gateway (TunnelIngressBytes, TunnelEgressBytes)
  • Set alerts on tunnel state changes in both clouds

Eazy SaaS Tip: We deploy multi-cloud VPNs with active-active gateways on both sides and automated monitoring. Our standard template includes Terraform modules for both AWS and Azure, making the setup repeatable and version-controlled.