VPN Site to Site Configuration
We can connect an on-premises data center to an Amazon VPC using a hardware or software VPN device, depending on the purpose and actual usage needs.
To establish a Site-to-Site VPN connection, we need to create and configure a Virtual Private Gateway (VPG) and a Customer Gateway (CGW).
- The Virtual Private Gateway (VPG) is the VPN endpoint on the AWS side of the connection; it is attached to the VPC and terminates the tunnels there.
- The Customer Gateway (CGW) is the AWS object that represents the hardware or software VPN device installed at the customer end.
The VPN tunnel is established as soon as traffic starts flowing between AWS and the customer's network. For that connection we must specify the type of routing that will be used, since this determines how each side learns which prefixes are reachable through the tunnel.
If the CGW on the customer side supports Border Gateway Protocol (BGP), the VPN connection must be configured for dynamic routing.
Otherwise, the connection must be configured for static routing. With static routing, we must enter the exact routes for the on-premises prefixes reachable from the customer side into the VPN connection on the VPG at the AWS end. At the same time, route propagation must be enabled on the VPC route table so that resources can exchange data in and out of the VPN tunnel between AWS and the customer's network.
Amazon VPC supports multiple CGWs. Each CGW is assigned to one VPG, but a VPG can be associated with multiple CGWs (a many-to-one design). To support this model, a CGW's public IP address must be unique within a region.
Amazon VPC also provides the information network administrators need to configure the CGW device and establish the VPN connection to the VPG on AWS. A VPN connection always includes two Internet Protocol Security (IPsec) tunnels to ensure high availability of the connection.
Below are the important features we need to know about the VPG, the CGW, and the VPN connection:
- The VPG is the AWS-side endpoint of the VPN tunnel.
- The CGW can be a hardware device or a software application located at the customer end of the VPN tunnel.
- The VPN tunnel must be initiated from the CGW to the VPG.
- The VPG supports both dynamic routing (BGP) and static routing.
- A VPN connection always has two tunnels to ensure high availability for connecting from the customer site to the VPC.
This lab shows how to establish a Site-to-Site VPN connection in AWS. In practice, this solution is popular because of its low cost and easy configuration: AWS provides configuration instructions for each type of device on the customer end. The only thing the customer needs to prepare is an internet connection from which to build the encrypted IPsec tunnel to the AWS VPN endpoint.
Within the scope of the lab, assume that we have a Main office (VPC Consumer) and a Branch office (VPC Customer), implemented as two VPCs. In each VPC, create an EC2 instance that allows SSH from the outside but cannot reach or ping the other instance by its private IP address. What we need to do is configure a Site-to-Site VPN so that the private IP addresses can ping each other.
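The AWS-side half of the procedure above (VPG, CGW, VPN connection, static route and route propagation) as an added AWS CLI example, not part of the lab. It assumes a configured AWS CLI with rights on EC2/VPC; every VPC id, route table id, IP, ASN and CIDR passed to it is a placeholder you replace with your own values.

```shell
#!/bin/sh
# Added example (not from the lab): build the AWS side of a Site-to-Site VPN.
# All ids, IPs and CIDRs are placeholders supplied by the caller.
set -eu

# A BGP-capable CGW gets dynamic routing, any other device gets static routing.
routing_mode() {          # $1: "bgp" or "none"
  case "$1" in
    bgp)  echo dynamic ;;
    none) echo static ;;
    *)    echo "unknown CGW routing capability: $1" >&2; return 1 ;;
  esac
}

# Value of the StaticRoutesOnly option for create-vpn-connection.
static_routes_only() {    # $1: output of routing_mode
  if [ "$1" = static ]; then echo true; else echo false; fi
}

# $1 VPC id, $2 VPC route table id, $3 CGW public IP, $4 CGW ASN,
# $5 "bgp"|"none", $6 on-premises CIDR (used only for static routing).
create_site_to_site_vpn() {
  vpc_id=$1; rtb_id=$2; cgw_ip=$3; cgw_asn=$4; onprem=$6
  mode=$(routing_mode "$5")

  # Virtual Private Gateway on the AWS side, attached to the VPC.
  vgw=$(aws ec2 create-vpn-gateway --type ipsec.1 \
        --query VpnGateway.VpnGatewayId --output text)
  aws ec2 attach-vpn-gateway --vpn-gateway-id "$vgw" --vpc-id "$vpc_id"

  # A CGW public IP must be unique per region, so reuse an existing CGW if any.
  cgw=$(aws ec2 describe-customer-gateways \
        --filters Name=ip-address,Values="$cgw_ip" Name=state,Values=available \
        --query 'CustomerGateways[0].CustomerGatewayId' --output text)
  if [ "$cgw" = None ]; then
    cgw=$(aws ec2 create-customer-gateway --type ipsec.1 --public-ip "$cgw_ip" \
          --bgp-asn "$cgw_asn" --query CustomerGateway.CustomerGatewayId --output text)
  fi

  # The VPN connection itself; AWS always provisions two IPsec tunnels for it.
  vpn=$(aws ec2 create-vpn-connection --type ipsec.1 --vpn-gateway-id "$vgw" \
        --customer-gateway-id "$cgw" \
        --options StaticRoutesOnly="$(static_routes_only "$mode")" \
        --query VpnConnection.VpnConnectionId --output text)
  if [ "$mode" = static ]; then   # static: tell AWS which prefix sits behind the CGW
    aws ec2 create-vpn-connection-route --vpn-connection-id "$vpn" \
        --destination-cidr-block "$onprem"
  fi
  # Let the VPC route table learn the VPN routes from the VPG.
  aws ec2 enable-vgw-route-propagation --route-table-id "$rtb_id" --gateway-id "$vgw"
  echo "$vpn"
}
```

The device-side configuration that AWS generates for the CGW is then read from `describe-vpn-connections` (field `CustomerGatewayConfiguration`) and applied on the customer device, which must bring the tunnels up.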

Content
- Create Virtual Private Gateway
- Create Customer Gateway
- Create VPN Connection
- Customer Gateway Configuration