VPN between on-Prem and AWS

Sometimes it is necessary to have a secure connection between AWS services and on-premise devices, or between two AWS accounts, or between two VPCs in separate regions (VPC peering was originally suitable only for VPCs within the same region -> update: cross-region peering is now possible between certain regions. Yet Security Groups are not visible across regions). For these occasions, the solution can be based on the AWS VPN Connections service, which is found in the VPC console. A VPN connection is made up of three parts: a Virtual Private Gateway (VGW), a Customer Gateway (CGW) and the VPN tunnel between them (i.e. the VPN Connection itself). The VPN solution is based on two IPsec tunnels in active-passive mode for redundancy.

The first step is to create a CGW or, to be more precise, to tell AWS the public IP address of the on-prem VPN gateway. Therefore, the key to configuring the CGW is to know the IP address of the on-prem gateway. In addition, there is the decision between static and dynamic routing. The second step is creating the VGW. That is a straightforward task: just give it a proper name and remember to attach it to the VPC.

Configuring the VPN tunnel between these is the next step. Select the previously created VGW and CGW. Static or dynamic routing? Naturally the decision should be consistent with the previous decision. Static is somewhat quicker to set up as there is no need to advertise routes. The setup of static and dynamic routing is very similar. For dynamic routing, the ASN should be between 64512 and 65534, and routes to the AWS private CIDR block should be advertised at the CGW.

After the VPN connection is created, select the connection and download the configuration file for the on-prem setup. There are numerous configuration files available (one per vendor/platform) and I am confident that even if the right one is absent, the available ones can be used to help find the right steps and values. The file contains step-by-step instructions on how to configure the CGW. (The majority of the lines can be copy-pasted and only a few lines require some tuning. Double check the IP values and CIDR blocks, and keep in mind that on-prem is the <left> side and AWS is the <right> side.)

Finally, update the VPC route tables. Route all traffic with “destination: <on-prem CIDR block>” to the VGW in those route tables where it is wanted (most likely the private route table(s)). Don’t forget to update security groups to allow traffic from the on-prem CIDR block, and only from that block rather than from anywhere.
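The whole AWS-side procedure above (CGW, VGW, VPN connection, route table update, security group rule) as a Terraform configuration. This is an added example, not code from the original post; the variable names, the documentation-range IP 203.0.113.10, the on-prem CIDR 192.168.0.0/16, the ASN 65001 and the VPC/route table/security group IDs are placeholders you must replace.

```hcl
# Added example for the AWS side of the VPN setup. All values below are placeholders.
variable "vpc_id"                 { type = string }
variable "private_route_table_id" { type = string }
variable "app_sg_id"              { type = string }
variable "onprem_public_ip"       { default = "203.0.113.10" }    # on-prem VPN device
variable "onprem_cidr"            { default = "192.168.0.0/16" }  # on-prem network
variable "onprem_asn"             { default = 65001 }             # 64512-65534

# Step 1: Customer Gateway = tell AWS the public IP (and ASN) of the on-prem device.
resource "aws_customer_gateway" "onprem" {
  bgp_asn    = var.onprem_asn
  ip_address = var.onprem_public_ip
  type       = "ipsec.1"
  tags       = { Name = "onprem-cgw" }
}

# Step 2: Virtual Private Gateway, attached to the VPC.
resource "aws_vpn_gateway" "vgw" {
  vpc_id = var.vpc_id
  tags   = { Name = "aws-vgw" }
}

# Step 3: the VPN connection (AWS creates the two IPsec tunnels). Dynamic (BGP)
# routing is used here; for static routing set static_routes_only = true and add
# an aws_vpn_connection_route with destination_cidr_block = var.onprem_cidr.
resource "aws_vpn_connection" "onprem" {
  customer_gateway_id = aws_customer_gateway.onprem.id
  vpn_gateway_id      = aws_vpn_gateway.vgw.id
  type                = "ipsec.1"
  static_routes_only  = false
  tags                = { Name = "onprem-vpn" }
}

# Step 5: the private route table learns the on-prem CIDR via the VGW
# (propagation covers both BGP-learned and static VPN routes).
resource "aws_vpn_gateway_route_propagation" "private" {
  vpn_gateway_id = aws_vpn_gateway.vgw.id
  route_table_id = var.private_route_table_id
}

# Security group: allow traffic from the on-prem CIDR only, never 0.0.0.0/0.
resource "aws_security_group_rule" "from_onprem" {
  type              = "ingress"
  security_group_id = var.app_sg_id
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
  cidr_blocks       = [var.onprem_cidr]
}

# Step 4: the tunnel endpoints needed for the on-prem config are attributes of
# the connection; the pre-shared keys are sensitive and belong in state only.
output "tunnel1_outside_ip" { value = aws_vpn_connection.onprem.tunnel1_address }
```

Step 4 (the downloaded vendor configuration) still happens in the console or via the `customer_gateway_configuration` attribute, which is marked sensitive and should not be printed into plain-text outputs.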

The AWS side of the task is done.


-Tero
