Configure your AWS resources

After you configure your Google Cloud resources, configure your Amazon Web Services (AWS) resources.

Before you begin

Before starting, you must already have an AWS VPC. For more information, see Create a VPC.

Create a Direct Connect gateway

A Direct Connect gateway connects your AWS port to your AWS VPC.

AWS console

To create a Direct Connect gateway, complete the following steps:

  1. Go to the Direct Connect gateway page.

  2. Click Create Direct Connect gateway.

  3. On the Create Direct Connect gateway page, enter the required information:

    1. Enter a Name for the gateway.

    2. Enter an Amazon-side ASN. This value must match the Peer ASN value that you used when you configured a Border Gateway Protocol (BGP) session in Google Cloud.

  4. Click Create Direct Connect gateway.

AWS CLI

To create a Direct Connect gateway, use the create-direct-connect-gateway command. For example:

aws directconnect create-direct-connect-gateway \
  --direct-connect-gateway-name GATEWAY_NAME \
  --amazon-side-asn AMAZON_ASN

Replace the following:

  • GATEWAY_NAME: a name for the gateway
  • AMAZON_ASN: the Amazon-side ASN; this value must match the Peer ASN value that you used when you configured a BGP session in Google Cloud

Create a virtual private interface

Before you can begin using your Direct Connect gateway, you must create a private virtual interface for each of your LAGs. A private virtual interface lets you access an Amazon VPC by using private IP addresses.

The function of a private virtual interface is similar to the function of a Google Cloud VLAN attachment. However, one difference is that you configure a BGP peering session as part of the process of creating the interface, rather than doing it later.

AWS console

To create a private virtual interface, complete the following steps:

  1. Go to the Virtual interfaces page.

  2. Click Create virtual interface.

  3. On the Create virtual interface page, enter the required information:

    • Leave Type set to Private.

    • Enter a Virtual interface name.

    • Select the appropriate Connection.

    • Set Virtual interface owner to the appropriate value.

    • Leave Gateway type set to Direct Connect Gateway -- Recommended.

    • Set Direct Connect gateway to the gateway that you just created.

    • In the Virtual Local Area Network (VLAN) field, enter the value that you used for VLAN ID when you created your VLAN attachments in Google Cloud.

    • Set BGP ASN to the value of the ASN used by your Google Cloud Router.

    • Expand Additional settings. In the form that is displayed, some values are labeled as optional, but they are required by Cross-Cloud Interconnect. Do the following:

      • Leave Address family - optional set to IPv4.

      • In the Your router peer ip - optional field, enter the address on your VLAN attachment that represents Google Cloud; that is, the Cloud Router BGP IP value.

      • In the Amazon router peer IP - optional field, enter the address on your VLAN attachment that represents AWS; that is, the BGP peer IP value.

      • In the BGP authentication key - optional field, enter the same MD5 authentication key that you used when you configured a BGP peering session in Google Cloud.

  4. Click Create virtual interface.

  5. Repeat steps 1 through 4 for your second LAG.

AWS CLI

To create virtual interfaces, use the aws directconnect create-private-virtual-interface command. Complete the following steps:

  1. Create the virtual interface for your first LAG:

       aws directconnect create-private-virtual-interface \
       --connection-id DXLAG_ID \
       --region REGION \
       --new-private-virtual-interface "$(echo '{
           "virtualInterfaceName": "INTERFACE_NAME",
           "vlan": VLAN_ID,
           "asn": GOOGLE_SIDE_ASN,
           "authKey": "YOUR_KEY",
           "amazonAddress": "AMAZON_ADDRESS",
           "customerAddress": "GOOGLE_ADDRESS",
           "directConnectGatewayId": "GATEWAY_ID"
       }' | jq -r tostring)"

    Replace the following:

    • DXLAG_ID: the ID of the LAG; if you don't have this value, retrieve it by using the aws directconnect describe-lags command
    • REGION: the region where the LAG is located
    • INTERFACE_NAME: a name for the new private virtual interface
    • VLAN_ID: the same ID that you used when creating your VLAN attachments in Google Cloud
    • GOOGLE_SIDE_ASN: the Google Cloud Router ASN
    • YOUR_KEY: the same MD5 authentication key you used when you configured a BGP peering session in Google Cloud
    • AMAZON_ADDRESS: the address that represents AWS on your VLAN attachment; that is, the customerRouterIpAddress value
    • GOOGLE_ADDRESS: the address that represents Google Cloud on your VLAN attachment; that is, the cloudRouterIpAddress value
    • GATEWAY_ID: the ID of your Direct Connect gateway
  2. Create the virtual interface for your second LAG:

       aws directconnect create-private-virtual-interface \
       --connection-id DXLAG_ID_2 \
       --region REGION_2 \
       --new-private-virtual-interface "$(echo '{
           "virtualInterfaceName": "INTERFACE_NAME_2",
           "vlan": VLAN_ID_2,
           "asn": GOOGLE_SIDE_ASN,
           "authKey": "YOUR_KEY",
           "amazonAddress": "AMAZON_ADDRESS_2",
           "customerAddress": "GOOGLE_ADDRESS_2",
           "directConnectGatewayId": "GATEWAY_ID"
       }' | jq -r tostring)"

    Replace the following:

    • DXLAG_ID_2: the connection ID of your second LAG; if you don't have this value, retrieve it by using the aws directconnect describe-lags command
    • REGION_2: the region where the LAG is located
    • INTERFACE_NAME_2: a name for the new private virtual interface
    • VLAN_ID_2: the same ID that you used when creating your VLAN attachments in Google Cloud
    • GOOGLE_SIDE_ASN: the Google Cloud Router ASN
    • YOUR_KEY: the same MD5 authentication key you used when you configured a BGP peering session in Google Cloud
    • AMAZON_ADDRESS_2: the address that represents AWS on your VLAN attachment; that is, the customerRouterIpAddress value
    • GOOGLE_ADDRESS_2: the address that represents Google Cloud on your VLAN attachment; that is, the cloudRouterIpAddress value
    • GATEWAY_ID: the ID of your Direct Connect gateway
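The values in the two commands above must agree with what was entered on the Google Cloud side (VLAN ID, Cloud Router ASN, Peer ASN, the two BGP addresses and the MD5 key), and a mismatch only shows up later as a BGP session that never comes up. The following preflight check is an added example, not Google Cloud or AWS code: it takes a constructed record of the Google Cloud side, reports the mismatches before anything is created, and builds the document that the --new-private-virtual-interface parameter expects; the record keys and the Amazon-side ASN ranges are assumptions documented in the comments.

```python
import ipaddress

# Constructed values as recorded on the Google Cloud side (not from any real deployment); keys mirror the VLAN attachment and BGP session fields.
GOOGLE_SIDE = {
    "vlanId": 100,
    "cloudRouterAsn": 65001,                       # ASN of the Cloud Router
    "peerAsn": 64512,                              # Peer ASN in the Cloud Router BGP session
    "cloudRouterIpAddress": "169.254.10.1/29",     # Google Cloud end of the VLAN attachment
    "customerRouterIpAddress": "169.254.10.2/29",  # AWS end of the VLAN attachment
    "md5AuthenticationKey": "example-md5-key",     # constructed placeholder, never a real key
}

# Private ASN ranges AWS documents for the Amazon side of a Direct Connect gateway.
AWS_PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))

def preflight(g, amazon_side_asn):
    """Return the mismatches that would leave the cross-cloud BGP session down."""
    problems = []
    if amazon_side_asn != g["peerAsn"]:
        problems.append("Amazon-side ASN must equal the Peer ASN set in Google Cloud")
    if not any(lo <= amazon_side_asn <= hi for lo, hi in AWS_PRIVATE_ASN_RANGES):
        problems.append("Amazon-side ASN is outside the private ranges AWS accepts")
    if g["cloudRouterAsn"] == amazon_side_asn:
        problems.append("Cloud Router ASN and Amazon-side ASN must differ (eBGP)")
    if not 1 <= g["vlanId"] <= 4094:
        problems.append("VLAN ID must be between 1 and 4094")
    google_if = ipaddress.ip_interface(g["cloudRouterIpAddress"])
    aws_if = ipaddress.ip_interface(g["customerRouterIpAddress"])
    if google_if.network != aws_if.network:
        problems.append("BGP peer addresses are not in the same subnet")
    elif google_if.ip == aws_if.ip:
        problems.append("BGP peer addresses are identical")
    if not g["md5AuthenticationKey"]:
        problems.append("BGP MD5 key is empty but required for Cross-Cloud Interconnect")
    return problems

def build_private_vif(g, name, gateway_id):
    """Document for --new-private-virtual-interface, using the page's mapping:
    amazonAddress is the AWS end, customerAddress is the Google Cloud end."""
    return {
        "virtualInterfaceName": name,
        "vlan": g["vlanId"],
        "asn": g["cloudRouterAsn"],
        "authKey": g["md5AuthenticationKey"],
        "amazonAddress": g["customerRouterIpAddress"],
        "customerAddress": g["cloudRouterIpAddress"],
        "directConnectGatewayId": gateway_id,
    }
```

The same Amazon-side ASN is passed to the Direct Connect gateway and the virtual private gateway, so one preflight covers both. Writing the returned document to a file and passing it as --new-private-virtual-interface file://vif.json keeps the MD5 key out of shell history.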

Create a virtual private gateway

A virtual private gateway provides access to an AWS VPC.

AWS console

To create a virtual private gateway, do the following:

  1. Go to the Virtual private gateways page.

  2. Click Create virtual private gateway.

  3. On the Create virtual private gateway page, enter the required information:

    • Optional: enter a Name tag for the gateway.

    • For Autonomous System Number (ASN), select an ASN to represent AWS. Make sure you match the value that you entered for Peer ASN when you configured a BGP peering session in Google Cloud. Do one of the following:

      • If you used 64512, select Amazon default ASN.
      • If you used something else, select Custom ASN and enter the appropriate value.
  4. Click Create virtual private gateway.

AWS CLI

To create a virtual private gateway, use the create-vpn-gateway command. For example:

aws ec2 create-vpn-gateway \
--type ipsec.1 \
--region REGION \
--amazon-side-asn ASN

Replace the following:

  • REGION: the region where the virtual private gateway is created
  • ASN: the ASN that represents AWS; this value must match the Peer ASN value that you used when you configured a BGP peering session in Google Cloud

Attach the virtual private gateway to your AWS VPC

For the virtual private gateway to work, you must attach it to your AWS VPC.

AWS console

To attach the virtual private gateway to your AWS VPC, complete the following steps:

  1. Go to the Virtual private gateways page.

  2. Click the name of the virtual private gateway that you just created.

  3. Click on the Actions menu, and select Attach to VPC.

  4. On the Attach to VPC page, select the appropriate VPC.

  5. Click Attach to VPC.

AWS CLI

To attach the gateway to your VPC, use the aws ec2 attach-vpn-gateway command. For example:

  aws ec2 attach-vpn-gateway \
    --vpn-gateway-id VIRTUAL_PRIVATE_GATEWAY_ID \
    --vpc-id VPC_ID \
    --region REGION

Replace the following:

  • VIRTUAL_PRIVATE_GATEWAY_ID: the ID of your virtual private gateway
  • VPC_ID: the ID of your AWS VPC
  • REGION: the region where your virtual private gateway is located

Associate the virtual private gateway with the Direct Connect gateway

To connect your Direct Connect gateway to your AWS VPC, associate the virtual private gateway with the Direct Connect gateway.

AWS console

To associate the virtual private gateway with the Direct Connect gateway, complete the following steps:

  1. Go to the Direct Connect gateway page.

  2. Click the name of your gateway.

  3. Click Gateway associations.

  4. Click Associate gateway.

  5. On the Associate gateway page, set Gateways to the name of your virtual private gateway.

  6. Click Associate gateways.

AWS CLI

To associate your virtual private gateway with your Direct Connect gateway, use the aws directconnect create-direct-connect-gateway-association command. For example:

 aws directconnect create-direct-connect-gateway-association \
   --direct-connect-gateway-id GATEWAY_ID \
   --virtual-gateway-id VIRTUAL_PRIVATE_GATEWAY_ID \
   --region REGION

Replace the following:

  • GATEWAY_ID: the ID of your Direct Connect gateway
  • VIRTUAL_PRIVATE_GATEWAY_ID: the ID of your virtual private gateway
  • REGION: the region where your Direct Connect gateway is located