Multicloud with AWS and Hetzner
Feb 6, 2023
I wanted to reproduce an architecture a colleague showed me at work. To reduce costs, he proposed moving some computation out of Azure or AWS into Hetzner, whose prices are very low.
Here is what I did to test how to make AWS and Hetzner communicate:
- Have 1 single network of 10.0.0.0/23
- Split it into 2 subnets: 10.0.0.0/24 (AWS), 10.0.1.0/24 (Hetzner)
- Spin up an EC2 instance with private IP 10.0.0.44
- Spin up 2 Hetzner Cloud instances with private IPs 10.0.1.2 and 10.0.1.3 respectively
- Assign a public IP to 10.0.1.2: 65.109.174.200
- On AWS, create a Customer Gateway representing 65.109.174.200
- On AWS, create a Site-to-Site VPN using the Customer Gateway
- On AWS, create a Transit Gateway with 2 attachments: one for the VPC containing the EC2 instance, one for the Site-to-Site VPN
- On AWS, add a static route to the Transit Gateway such that 10.0.1.0/24 is forwarded to the VPN
- On Hetzner, ssh into 10.0.1.2, configure IPsec to use the 2 tunnels of the Site-to-Site VPN
- On Hetzner, add a route to the network 10.0.1.0/24 such that packets for 10.0.0.0/24 are routed through 10.0.1.2 (i.e. configure the network's hidden gateway, 10.0.1.1, to forward them there)
- On Hetzner, ssh into 10.0.1.2 and enable IP forwarding
- Check that ping works for the pairs: (10.0.1.2, 10.0.1.3), (10.0.1.2, 10.0.0.44), (10.0.1.3, 10.0.0.44)
- Remember to delete everything to avoid unwanted bills!
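To sanity-check the routing plan before touching real infrastructure, here is an added Python model (not from the original post) of the routes the steps above create: longest-prefix-match forwarding over the post's addresses, with switches for the two Hetzner-side steps that are easiest to forget, the network route via 10.0.1.1 and IP forwarding on 10.0.1.2. Node names such as `tgw`, `hgw` and `worker` are constructed labels for the Transit Gateway, the Hetzner network gateway and the 10.0.1.3 instance; the model only covers the private addresses, not the IPsec tunnels themselves.

```python
import ipaddress

AWS_NET = ipaddress.ip_network("10.0.0.0/24")      # AWS subnet from the post
HETZNER_NET = ipaddress.ip_network("10.0.1.0/24")  # Hetzner subnet from the post
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

# Which node owns which private IP (node names are constructed labels).
OWNER = {"10.0.0.44": "ec2", "10.0.1.2": "vpn", "10.0.1.3": "worker"}

def build_routes(ip_forward_on_vpn=True, hetzner_net_route=True):
    """Routing tables as (prefix, next_hop) lists; next_hop None means on-link."""
    routes = {
        "ec2":    [(AWS_NET, None), (DEFAULT, "tgw")],             # VPC route table -> TGW
        "tgw":    [(AWS_NET, "ec2"), (HETZNER_NET, "vpn")],         # TGW static route -> VPN
        "vpn":    [(HETZNER_NET, None), (AWS_NET, "tgw")],          # 10.0.1.2, tunnels to AWS
        "worker": [(HETZNER_NET, None), (DEFAULT, "hgw")],          # 10.0.1.3 -> gateway 10.0.1.1
        "hgw":    [(AWS_NET, "vpn")] if hetzner_net_route else [],  # Hetzner network route
    }
    # Only these nodes forward packets that are not addressed to them.
    forwarders = {"tgw", "hgw"} | ({"vpn"} if ip_forward_on_vpn else set())
    return routes, forwarders

def trace(src_ip, dst_ip, routes, forwarders, max_hops=8):
    """Follow a packet hop by hop; returns the node path, or None if it is dropped."""
    dst = ipaddress.ip_address(dst_ip)
    node, path = OWNER[src_ip], [OWNER[src_ip]]
    for _ in range(max_hops):
        if OWNER.get(dst_ip) == node:
            return path                      # delivered to the owner of dst_ip
        if len(path) > 1 and node not in forwarders:
            return None                      # transit host without IP forwarding
        best = max((r for r in routes[node] if dst in r[0]),
                   key=lambda r: r[0].prefixlen, default=None)
        if best is None:
            return None                      # no matching route
        node = OWNER[dst_ip] if best[1] is None else best[1]
        path.append(node)
    return None

def reachable(a, b, **opts):
    """True when both directions deliver, i.e. a ping would get a reply."""
    routes, fwd = build_routes(**opts)
    return trace(a, b, routes, fwd) is not None and trace(b, a, routes, fwd) is not None

if __name__ == "__main__":
    for pair in [("10.0.1.2", "10.0.1.3"), ("10.0.1.2", "10.0.0.44"), ("10.0.1.3", "10.0.0.44")]:
        print(pair, reachable(*pair), reachable(*pair, ip_forward_on_vpn=False))
```

Running it shows that the three ping pairs from the checklist succeed only when both the 10.0.1.1 route and IP forwarding on 10.0.1.2 are in place; dropping either one breaks 10.0.1.3 to 10.0.0.44 while leaving 10.0.1.2 to 10.0.0.44 working.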