Amazon Virtual Private Cloud
User Guide

Scenario 4: VPC with a Private Subnet Only and Hardware VPN Access

The configuration for this scenario includes a virtual private cloud (VPC) with a single private subnet, and a virtual private gateway to enable communication with your own network over an IPsec VPN tunnel. There is no Internet gateway to enable communication over the Internet. We recommend this scenario if you want to extend your network into the cloud using Amazon's infrastructure without exposing your network to the Internet.

Configuration for Scenario 4

The following diagram shows the key components of the configuration for this scenario.

Diagram for scenario 4: VPC with only a virtual private gateway

Important

For this scenario, the Amazon VPC Network Administrator Guide describes what your network administrator needs to do to configure the Amazon VPC customer gateway on your side of the VPN connection.

Basic Components for Scenario 4

The following list describes the basic components presented in the configuration diagram for this scenario:

  • A virtual private cloud (VPC) of size /16 (example CIDR: 10.0.0.0/16). This provides 65,536 private IP addresses.

  • A VPN-only subnet of size /24 (example CIDR: 10.0.0.0/24). This provides 256 private IP addresses.

  • A VPN connection between your VPC and your network. The VPN connection consists of a virtual private gateway located on the Amazon side of the VPN connection and a customer gateway located on your side of the VPN connection.

  • Instances with private IP addresses in the subnet range (examples: 10.0.0.5, 10.0.0.6, and 10.0.0.7), which enables the instances to communicate with each other and other instances in the VPC.

  • A route table entry that enables instances in the subnet to communicate with other instances in the VPC, and a route table entry that enables instances in the subnet to communicate directly with your network.

For more information about subnets, see Your VPC and Subnets and IP Addressing in Your VPC. For more information about your VPN connection, see Adding a Hardware Virtual Private Gateway to Your VPC. For more information about configuring a customer gateway, see the Amazon VPC Network Administrator Guide.

Routing for Scenario 4

Your VPC has an implied router (shown in the configuration diagram for this scenario). For this scenario, the VPC wizard creates a route table that routes all traffic destined for an address outside the VPC to the VPN connection, and associates the route table with the subnet. Otherwise, you'd need to create and associate the route table yourself.

The following table shows what the route table looks like for the example addresses used in the configuration diagram for this scenario. The first row describes the entry for local routing in the VPC; this entry enables the instances in this VPC to communicate with each other. The second row describes the entry for routing all other subnet traffic to the virtual private gateway, which is specified using its AWS-assigned identifier (for example, vgw-1a2b3c4d).

Destination     Target
10.0.0.0/16     local
0.0.0.0/0       vgw-xxxxxxxx

The VPN connection is configured either as a statically routed VPN connection or as a dynamically routed VPN connection (using BGP). If you select static routing, you'll be prompted to manually enter the IP prefix for your network when you create the VPN connection. If you select dynamic routing, the IP prefix is advertised automatically to your VPC through BGP.

The instances in your VPC can't reach the Internet directly; any Internet-bound traffic must first traverse the virtual private gateway to your network, where the traffic is then subject to your firewall and corporate security policies. If the instances send any AWS-bound traffic (for example, requests to Amazon S3 or Amazon EC2), the requests must go over the virtual private gateway to your network and then to the Internet before reaching AWS.
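The following added example, which is not part of the user guide, models how the implied router resolves a destination against the scenario 4 route table above. VPC route tables select the most specific matching entry (longest-prefix match), so an in-VPC address hits the local entry while a corporate or Internet address falls through to the 0.0.0.0/0 entry and leaves over the virtual private gateway. The sample destinations and the vgw-xxxxxxxx identifier are constructed placeholders.

```python
import ipaddress

# Route table for scenario 4 as shown in the guide (constructed copy).
# "vgw-xxxxxxxx" is a placeholder, not a real virtual private gateway id.
ROUTE_TABLE = [
    ("10.0.0.0/16", "local"),
    ("0.0.0.0/0", "vgw-xxxxxxxx"),
]


def lookup(destination, routes=ROUTE_TABLE):
    """Return the target for a destination IP using longest-prefix match.

    Entry order does not matter: the entry with the longest matching
    prefix wins, which is how VPC route tables behave in general.
    """
    dst = ipaddress.ip_address(destination)
    best_net, best_target = None, None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    if best_target is None:
        raise LookupError(f"no route for {destination}")
    return best_target


def classify(destination, routes=ROUTE_TABLE):
    """Describe, in scenario 4 terms, where traffic to a destination goes."""
    target = lookup(destination, routes)
    if target == "local":
        return "stays inside the VPC"
    if target.startswith("vgw-"):
        return "leaves over the VPN to your network"
    return f"forwarded to {target}"


if __name__ == "__main__":
    # Constructed sample destinations: another instance in the VPC, a host on
    # your corporate network, and an Internet host (documentation range).
    for dst in ("10.0.0.6", "192.168.50.10", "203.0.113.7"):
        print(f"{dst:>15} -> {lookup(dst):<13} {classify(dst)}")
```

The third sample shows the point made above: with no Internet gateway, even AWS-bound traffic is routed to your network, where your own firewall policy applies before it can reach the Internet.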

Security for Scenario 4

AWS provides two features that you can use to increase security in your VPC: security groups and network ACLs. Both features enable you to control the inbound and outbound traffic for your instances, but security groups work at the instance level, while network ACLs work at the subnet level. Security groups alone can meet the needs of many VPC users. However, some VPC users decide to use both security groups and network ACLs to take advantage of the additional layer of security that network ACLs provide. For more information about security groups and network ACLs and how they differ, see Security in Your VPC.

For scenario 4, you'll use the default security group for your VPC but not network ACLs. If you'd like to use a network ACL, see Recommended Rules for Scenario 4.

Recommended Security Group Rules

Your VPC comes with a default security group whose initial settings deny all inbound traffic, allow all outbound traffic, and allow all traffic between the instances assigned to the security group. We recommend that you add inbound rules to the default security group to allow SSH traffic (Linux) and Remote Desktop traffic (Windows) from your network.

Important

The default security group automatically allows assigned instances to communicate with each other, so you don't have to add a rule to allow this. If you use a different security group, you must add a rule to allow this.

The following table describes the inbound rules that you should add to the default security group for your VPC.

Default Security Group: Recommended Rules

Inbound

Source                                     Protocol   Port Range   Comments
Private IP address range of your network   TCP        22           (Linux instances) Allow inbound SSH traffic from your network
Private IP address range of your network   TCP        3389         (Windows instances) Allow inbound RDP traffic from your network


Implementing Scenario 4

Use the following process to implement scenario 4 using the VPC wizard.

To prepare your customer gateway

  1. Determine the appliance you'll use as your customer gateway. For information about the devices that we've tested, see Amazon Virtual Private Cloud FAQs. For more information about the requirements for your customer gateway, see the Amazon VPC Network Administrator Guide.

  2. Obtain the Internet-routable IP address for the customer gateway's external interface. The address must be static and may be behind a device performing network address translation (NAT).

  3. Gather the list of internal IP ranges (in CIDR notation) that should be advertised across the VPN connection to the virtual private gateway (if you are using a statically routed VPN connection). For more information, see VPN Routing Options.

Next, use the VPC wizard as described in the following procedure to create your VPC and a VPN connection.

To implement scenario 4 using the VPC wizard

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. If you have no VPC resources, locate the Your Virtual Private Cloud area of the dashboard and choose Get started creating a VPC, or choose Start VPC Wizard.

  3. Select the fourth option, VPC with a Private Subnet Only and Hardware VPN Access, and then choose Select.

  4. On the first page of the wizard, confirm the details for your VPC and private subnet, and then choose Next.

  5. On the Configure your VPN page, do the following, and then choose Create VPC:

    • In Customer Gateway IP, specify the public IP address of your VPN router.

    • Optionally specify a name for your customer gateway and VPN connection.

    • In Routing Type, select one of the routing options as follows:

      • If your VPN router supports Border Gateway Protocol (BGP), select Dynamic (requires BGP).

      • If your VPN router does not support BGP, choose Static. In IP Prefix, add each IP prefix for your network.

      For more information about which option to choose, see Amazon Virtual Private Cloud FAQs. For more information about dynamic versus static routing, see VPN Routing Options.

  6. When the wizard is done, choose VPN Connections in the navigation pane. Select the VPN connection that the wizard created, and choose Download Configuration. In the dialog box, select the vendor for the customer gateway, the platform, and the software version, and then choose Yes, Download.

  7. Save the text file containing the VPN configuration and give it to the network administrator along with this guide: Amazon VPC Network Administrator Guide. The VPN won't work until the network administrator configures the customer gateway.

For this scenario, you need to update the default security group with new inbound rules that allow SSH and Remote Desktop (RDP) access from your network. If the instances won't initiate outbound communication, you can also remove the default outbound rule. Reminder: the initial settings of the default security group block all inbound traffic, allow all outbound traffic, and allow instances assigned to the group to communicate with each other.

To update the rules for the default security group

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. Choose Security Groups in the navigation pane, and then select the default security group for the VPC. The details pane displays the details for the security group, plus tabs for working with its inbound and outbound rules.

  3. On the Inbound Rules tab, choose Edit and add rules for inbound traffic as follows:

    1. Select SSH from the Type list, and enter your network's private IP address range in the Source field.

    2. Choose Add another rule, then select RDP from the Type list, and enter your network's private IP address range in the Source field.

    3. Choose Save.

      Security group: Add inbound SSH access

  4. On the Outbound Rules tab, choose Edit, locate the default rule that enables all outbound traffic, choose Remove, and then choose Save.
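The following added example, which is not AWS code, models the default security group after the procedure above and after the recommended rules table: inbound SSH and RDP from your network's private range, the implicit rule that lets members of the group talk to each other, and no outbound rule at all. It evaluates constructed sample flows to show what the allow-list permits and drops. The corporate range 192.168.0.0/16 and the group id sg-default are assumptions standing in for your own values.

```python
import ipaddress
from dataclasses import dataclass

# Assumed values: replace with your network's private range and your group's id.
CORPORATE_RANGE = "192.168.0.0/16"
SECURITY_GROUP_ID = "sg-default"   # placeholder, not a real group id


@dataclass(frozen=True)
class Rule:
    protocol: str      # "tcp", "udp", "icmp", or "-1" for all protocols
    from_port: int
    to_port: int
    source: str        # a CIDR block or a security group id


# Inbound rules after following the guide: the two recommended rules plus the
# self-referencing rule the default security group already carries.
INBOUND = [
    Rule("tcp", 22, 22, CORPORATE_RANGE),       # (Linux) SSH from your network
    Rule("tcp", 3389, 3389, CORPORATE_RANGE),   # (Windows) RDP from your network
    Rule("-1", 0, 65535, SECURITY_GROUP_ID),    # members of the group reach each other
]

# Step 4 removed the default "allow all" outbound rule, so nothing is left.
OUTBOUND = []


def _matches(rule, protocol, port, peer_ip, peer_groups):
    """Does a single rule cover this flow? Security group rules only allow."""
    if rule.protocol not in ("-1", protocol):
        return False
    if rule.protocol != "-1" and not (rule.from_port <= port <= rule.to_port):
        return False
    if rule.source.startswith("sg-"):
        # A group-id source matches any peer that is a member of that group.
        return rule.source in peer_groups
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.source)


def allowed_inbound(protocol, port, src_ip, src_groups=()):
    """A new inbound connection is allowed only if some inbound rule matches."""
    return any(_matches(r, protocol, port, src_ip, src_groups) for r in INBOUND)


def allowed_outbound(protocol, port, dst_ip, dst_groups=()):
    """Whether the instance may *initiate* a connection. Security groups are
    stateful, so replies to an allowed inbound connection never need a rule."""
    return any(_matches(r, protocol, port, dst_ip, dst_groups) for r in OUTBOUND)


if __name__ == "__main__":
    # Constructed sample flows.
    checks = [
        ("SSH from a corporate host", allowed_inbound("tcp", 22, "192.168.10.5")),
        ("SSH from outside the corporate range", allowed_inbound("tcp", 22, "203.0.113.9")),
        ("RDP from a corporate host", allowed_inbound("tcp", 3389, "192.168.10.5")),
        ("HTTP from a corporate host", allowed_inbound("tcp", 80, "192.168.10.5")),
        ("Any port from another group member", allowed_inbound("tcp", 8080, "10.0.0.6", ("sg-default",))),
        ("Instance-initiated HTTPS to the Internet", allowed_outbound("tcp", 443, "203.0.113.50")),
    ]
    for label, ok in checks:
        print(f"{'ALLOW' if ok else 'DROP ':5}  {label}")
```

Because security group evaluation is stateful, removing the outbound rule does not break the SSH and RDP sessions that administrators open from your network; it only stops the instances from opening connections of their own.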

After your network administrator configures your customer gateway, you can launch instances into your VPC. If you're already familiar with launching instances outside a VPC, then you already know most of what you need to know to launch an instance into a VPC.

To launch an instance

  1. Start the launch wizard:

    1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

    2. Choose Launch Instance on the dashboard.

  2. Follow the directions in the wizard. Choose an AMI, choose an instance type, and then choose Next: Configure Instance Details.

  3. On the Configure Instance Details page, select the VPC that you created earlier from the Network list, and then select a subnet. Choose Next: Add Storage.

  4. On the next two pages of the wizard, you can configure storage for your instance, and add tags. On the Configure Security Group page, select the Select an existing security group option, and select the default security group. Choose Review and Launch.

  5. Review the settings that you've chosen. Make any changes that you need, and then choose Launch to choose a keypair and launch your instance.

In scenario 4, you need a DNS server that enables your VPN-only subnet to communicate with servers in your network. You must create a new set of DHCP options that includes your DNS server and then configure the VPC to use that set of options.

Note

Your VPC automatically has a set of DHCP options with domain-name-servers=AmazonProvidedDNS. This is a DNS server that Amazon provides to enable any public subnets in your VPC to communicate with the Internet over an Internet gateway. Scenario 4 doesn't have any public subnets, so you don't need this set of DHCP options.

To update the DHCP options

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose DHCP Options Sets.

  3. Choose Create DHCP Options Set.

  4. In the Create DHCP Options Set dialog box, in the Domain name servers box, enter the address of your DNS server, and then choose Yes, Create. In this example, your DNS server is 192.0.2.1.

  5. In the navigation pane, choose Your VPCs.

  6. Select the VPC, and then choose Edit in the Summary tab.

  7. Select the ID of the new set of options from the DHCP options set list and then choose Save.

  8. (Optional) The VPC now uses this new set of DHCP options and therefore uses your DNS server. If you want, you can delete the original set of options that the VPC used.

You can now use SSH or RDP to connect to your instance in the VPC. For information about how to connect to a Linux instance, see Connect to Your Linux Instance in the Amazon EC2 User Guide for Linux Instances. For information about how to connect to a Windows instance, see Connect to Your Windows Instance in the Amazon EC2 User Guide for Microsoft Windows Instances.