meshr / Blog / Connecting Servers Across AWS, GCP, and Azure Without VPN Gateways
· multi-cloudtutorialnetworking

Connecting Servers Across AWS, GCP, and Azure Without VPN Gateways

How to build a single flat network across multi-cloud infrastructure using meshr. No VPC peering, no NAT gateways, no BGP. Just one command per server.

By meshr team

The Multi-Cloud Networking Problem

Most companies don’t run in a single cloud. You have production workloads on AWS because that’s where you started. Some data analytics pipeline on GCP because BigQuery is irresistible. An Azure instance because a customer required it. And somewhere, a few bare-metal servers in a colocation facility running the database that nobody wants to migrate.

Getting all of these to talk to each other used to be a full-time job:

  • VPC peering — only works within a single cloud, and transitive peering is a headache
  • Cloud VPN gateways — expensive, slow, and each direction is configured separately
  • Direct Connect / ExpressRoute — $$$$ and months of lead time
  • Building your own VPN on EC2 — OpenVPN tuning, BGP, routing tables, a fragile yak to shave forever

None of these scale gracefully when you add the fifth region, the third cloud, or the sixteenth new engineer who needs SSH access to everything.

The Mesh VPN Approach

Instead of treating each cloud as an island connected by bridges, a mesh VPN treats every server as a peer in a single flat network. You get one encrypted interface (say meshr0) on every host, and every host can reach every other host by name or IP, regardless of which cloud, region, or datacenter they’re physically in.

The setup is the same whether the host is in AWS, GCP, Azure, or your basement:

curl -fsSL https://get.meshr.to/install.sh | sudo bash
meshr login -t <your-setup-key>
meshr up

That’s it. Three commands. No routing tables to edit, no security groups to open, no BGP sessions to negotiate.

What You Get

Once your hosts join the mesh, you have:

  • Direct peer-to-peer connectivity whenever possible (when firewalls allow)
  • Automatic fallback to a relay when direct P2P isn’t possible
  • Unified IP space — every server gets a stable IP in the mesh (e.g., 10.0.0.5), independent of its cloud IP
  • Split DNS — access any peer by name (server1.meshr, db-primary.meshr)
  • End-to-end encryption — traffic is encrypted at the source and decrypted at the destination, never visible to the cloud provider

And because it’s peer-to-peer, there’s no single gateway bottleneck. Your AWS us-east-1 instance talks directly to your GCP europe-west4 instance. No traffic flows through a central hub unless you explicitly want it to.

A Concrete Example

Let’s say you have:

  • api-prod running on AWS EC2 in us-east-1
  • worker-1, worker-2 running on GCP Compute Engine in europe-west4
  • postgres-primary running on DigitalOcean in fra1
  • metrics running on your home server behind a NAT

Without a mesh VPN, connecting these is multi-week infrastructure project. With meshr:

  1. Install the agent on each host (same command)
  2. Each host gets a mesh IP: 10.0.0.2, 10.0.0.3, 10.0.0.4, 10.0.0.5
  3. api-prod can connect to postgres-primary.meshr:5432 directly
  4. metrics can scrape all four workers via their mesh IPs
  5. You can SSH into any of them from your laptop by adding yourself to the mesh

Total setup time: about 10 minutes for four hosts.

Access Control

Flat networks are convenient, but you don’t want every server to reach every other server unconditionally. A proper mesh VPN enforces policies at the tunnel level.

In meshr, you’d define:

  • Group: production — contains the API and workers
  • Group: databases — contains postgres-primary
  • Policy: Allow productiondatabases on TCP port 5432
  • Policy: Deny everything else

Now the workers can talk to the database, but if someone compromises a worker, they can’t pivot to the metrics server or to your laptop. The blast radius is bounded by the explicit policies you set.

Why This Matters

Multi-cloud used to be a luxury — “we’re in one cloud because networking across multiple is too hard.” That’s no longer true. With a mesh VPN, you can deploy services wherever makes the most sense (compute here, data there, a GPU in a third place) without worrying about how they’ll connect.

The cloud becomes a commodity. Your network becomes portable. And you stop paying per-GB egress fees for traffic between your own servers.

Get Started

Try it with a free meshr account. Install the agent on any server you have access to:

curl -fsSL https://get.meshr.to/install.sh | sudo bash
meshr login
meshr up

Repeat on a second server, and within 30 seconds they can ping each other by name — even if one is in AWS and the other is a Raspberry Pi under your desk.

Start free · Multi-cloud feature page · See how meshr compares

Build your mesh, free.

Every meshr feature is free while we're in beta. Spin up a secure mesh network in minutes.

Build your mesh free See how meshr compares →