Adding a Hardware Virtual Private Gateway to Your VPC
By default, instances that you launch into a virtual private cloud (VPC) can't communicate with your own network. You can enable access to your network from your VPC by attaching a virtual private gateway to the VPC, creating a custom route table, and updating your security group rules.
You can complete this process manually, as described on this page, or let the VPC creation wizard take care of many of these steps for you. For more information about using the VPC creation wizard to set up the virtual private gateway, see Scenario 3: VPC with Public and Private Subnets and Hardware VPN Access or Scenario 4: VPC with a Private Subnet Only and Hardware VPN Access.
Although the term VPN connection is a general term, in the Amazon VPC documentation, a VPN connection refers to the connection between your VPC and your own network.
- Components of Your VPN
- VPN Configuration Examples
- VPN Routing Options
- What You Need for a VPN Connection
- Configuring Two VPN Tunnels for Your VPN Connection
- Using Redundant VPN Connections to Provide Failover
- Setting Up the VPN Connection
- Testing the End-to-End Connectivity of Your Instance
- Replacing Compromised Credentials
- Editing Static Routes for a VPN Connection
- Deleting a VPN Connection
- API and CLI Overview
For information about how you're charged for using a VPN connection with your VPC, see the Amazon VPC product page.
Components of Your VPN
A VPN connection consists of the following components.
Virtual Private Gateway
A virtual private gateway is the VPN concentrator on the Amazon side of the VPN connection.
For information about how many virtual private gateways you can have per region, as well as the limits for other components within your VPC, see Amazon VPC Limits.
A customer gateway is a physical device or software application on your side of the VPN connection. When you create a VPN connection, the VPN tunnel comes up when traffic is generated from your side of the VPN connection. The virtual private gateway is not the initiator; your customer gateway must initiate the tunnels. If your VPN connection experiences a period of idle time (usually 10 seconds, depending on your configuration), the tunnel may go down. To prevent this, you can use a network monitoring tool to generate keepalive pings; for example, by using IP SLA.
For more information about customer gateways, see Your Customer Gateway in the Amazon VPC Network Administrator Guide.
For a list of customer gateways that we have tested with Amazon VPC, see Amazon Virtual Private Cloud FAQs.
VPN Configuration Examples
The following diagrams illustrate single and multiple VPN connections. The VPC has an attached virtual private gateway, and your network includes a customer gateway, which you must configure to enable the VPN connection. You set up the routing so that any traffic from the VPC bound for your network is routed to the virtual private gateway.
When you create multiple VPN connections to a single VPC, you can configure a second customer gateway to create a redundant connection to the same external location. You can also use it to create VPN connections to multiple geographic locations.
Single VPN Connection
Multiple VPN connections
VPN Routing Options
When you create a VPN connection, you must specify the type of routing that you plan to use. The type of routing that you select can depend on the make and model of your VPN devices. If your VPN device supports Border Gateway Protocol (BGP), specify dynamic routing when you configure your VPN connection. If your device does not support BGP, specify static routing. For a list of static and dynamic routing devices that have been tested with Amazon VPC, see the Amazon Virtual Private Cloud FAQs.
When you use a BGP device, you don't need to specify static routes to the VPN connection because the device uses BGP to advertise its routes to the virtual private gateway. If you use a device that doesn't support BGP, you must select static routing and enter the routes (IP prefixes) for your network that should be communicated to the virtual private gateway. Only IP prefixes that are known to the virtual private gateway, whether through BGP advertisement or static route entry, can receive traffic from your VPC.
We recommend that you use BGP-capable devices, when available, because the BGP protocol offers robust liveness detection checks that can assist failover to the second VPN tunnel if the first tunnel goes down. Devices that don't support BGP may also perform health checks to assist failover to the second tunnel when needed.
What You Need for a VPN Connection
To use Amazon VPC with a VPN connection, you or your network administrator must designate a physical appliance as your customer gateway and configure it. We provide you with the required configuration information, including the VPN preshared key and other parameters related to setting up the VPN connection. Your network administrator typically performs this configuration. For information about the customer gateway requirements and configuration, see the Amazon VPC Network Administrator Guide.
The following table lists the information that you need to have so that we can establish your VPN connection.
The type of customer gateway (for example, Cisco ASA, Juniper J-Series, Juniper SSG, Yamaha)
Specifies how to format the returned information that you use to configure the customer gateway.
For information about the specific devices that we've tested, see What customer gateway devices are known to work with Amazon VPC? in the Amazon VPC FAQ.
Internet-routable IP address (static) of the customer gateway's external interface.
Used to create and configure your customer gateway (it's referred to as YOUR_UPLINK_ADDRESS)
The IP address value must be static and may be behind a device performing network address translation (NAT); however, NAT traversal (NAT-T) is not supported.
The IP address value must be unique within the region. If the IP address is
already in use by another VPN connection in any AWS account in the same region, you
will get an
(Optional) Border Gateway Protocol (BGP) Autonomous System Number (ASN) of the customer gateway, if you are creating a dynamically routed VPN connection.
Used to create and configure your customer gateway (referred to as YOUR_BGP_ASN).
If you use the wizard in the console to set up your VPC, we automatically use 65000 as the ASN.
You can use an existing ASN assigned to your network. If you don't have one, you can use a private ASN (in the 64512–65534 range). For more information about ASNs, see the Wikipedia article.
Amazon VPC supports 2-byte ASN numbers.
Internal network IP ranges that you want advertised over the VPN connection to the VPC.
Used to specify static routes.
Configuring Two VPN Tunnels for Your VPN Connection
You use a VPN connection to connect your network to a VPC. Each VPN connection has two tunnels, with each tunnel using a unique virtual private gateway public IP address. It is important to configure both tunnels for redundancy. When one tunnel becomes unavailable (for example, down for maintenance), network traffic is automatically routed to the available tunnel for that specific VPN connection.
The following diagram shows the two tunnels of the VPN connection.
Using Redundant VPN Connections to Provide Failover
As described earlier, a VPN connection has two tunnels to help ensure connectivity in case one of the VPN connections becomes unavailable. To protect against a loss of connectivity in case your customer gateway becomes unavailable, you can set up a second VPN connection to your VPC and virtual private gateway by using a second customer gateway. By using redundant VPN connections and customer gateways, you can perform maintenance on one of your customer gateways while traffic continues to flow over the second customer gateway's VPN connection. To establish redundant VPN connections and customer gateways on your network, you need to set up a second VPN connection. The customer gateway IP address for the second VPN connection must be publicly accessible and can’t be the same public IP address that you are using for the first VPN connection.
The following diagram shows the two tunnels of the VPN connection and two customer gateways.
Dynamically routed VPN connections use the Border Gateway Protocol (BGP) to exchange routing information between your customer gateways and the virtual private gateways. Statically routed VPN connections require you to enter static routes for the network on your side of the customer gateway. BGP-advertised and statically entered route information allow gateways on both sides to determine which tunnels are available and reroute traffic if a failure occurs. We recommend that you configure your network to use the routing information provided by BGP (if available) to select an available path. The exact configuration depends on the architecture of your network.
Setting Up the VPN Connection
Use the following procedures to manually set up the VPN connection. Alternatively, you can create the VPC and subnets and complete the first five steps in this procedure using the VPC wizard. For more information, see Implementing Scenario 3 or Implementing Scenario 4.
To set up a VPN connection, you need to complete the following steps:
Step 1: Create a Customer Gateway
Step 2: Create a Virtual Private Gateway
These procedures assume that you have a VPC with one or more subnets, and that you have the required network information (see What You Need for a VPN Connection).
Create a Customer Gateway
To create a customer gateway
Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
In the navigation pane, click Customer Gateways, and then click Create Customer Gateway.
In the Create Customer Gateway dialog box, complete the following and then click Yes, Create:
In the Name tag field, optionally enter a name for your customer gateway. Doing so creates a tag with a key of
Nameand the value that you specify.
Select the routing type from the Routing list.
If you selected dynamic routing, enter the Border Gateway Protocol (BGP) Autonomous System Number (ASN) in the BGP ASN field.
Enter the static, Internet-routable IP address for your customer gateway device in the IP Address field. The address may be behind a device performing network address translation (NAT); however, NAT traversal (NAT-T) is not supported.
Create a Virtual Private Gateway
To create a virtual private gateway
In the navigation pane, click Virtual Private Gateways, and then click Create Virtual Private Gateway.
You can optionally enter a name for your virtual private gateway, and then click Yes, Create.
Select the virtual private gateway that you created, and then click Attach to VPC.
In the Attach to VPC dialog box, select your VPC from the list, and then click Yes, Attach.
Enable Route Propagation in Your Route Table
To enable instances in your VPC to reach your customer gateway, you must configure your route table to include the routes used by your VPN connection and point them to your virtual private gateway. You can enable route propagation for your route table to automatically propagate those routes to the table for you.
For static routing, the static IP prefixes that you specify for your VPN configuration
are propagated to the route table after you've created the VPN connection. For dynamic
routing, the BGP-advertised routes from your customer gateway are propagated to the route
table when the status of the VPN connection is
To enable route propagation
In the navigation pane, click Route Tables, and then select the route table that's associated with the subnet; by default, this is the main route table for the VPC.
On the Route Propagation tab in the details pane, click Edit, select the virtual private gateway that you created in the previous procedure, and then click Save.
For static routing, if you do not enable route propagation, you must manually enter the static routes used by your VPN connection. To do this, select your route table, then on the Routes tab in the details pane, click Edit. Add the static route used by your VPN connection in the Destination field, select the virtual private gateway ID from the Target list, and then click Save.
Update Your Security Group to Enable Inbound SSH, RDP and ICMP Access
To add rules to your security group to enable inbound SSH, RDP and ICMP access
In the navigation pane, click Security Groups, and then select the default security group for the VPC.
On the Inbound tab in the details pane, add rules that allow inbound SSH, RDP and ICMP access from your network, and then click Save. For more information about adding inbound rules, see Adding and Removing Rules.
Create a VPN Connection and Configure the Customer Gateway
To create a VPN connection and configure the customer gateway
In the navigation pane, click VPN Connections.
Click Create VPN Connection.
In the Create VPN Connection dialog box, do the following, and then click Yes, Create:
In the Name tag field, optionally enter a name for your VPN connection. Doing so creates a tag with a key of
Nameand the value that you specify.
Select the virtual private gateway that you created earlier.
Select the customer gateway that you created earlier.
Select one of the routing options based on whether your VPN router supports Border Gateway Protocol (BGP):
If your VPN router supports BGP, select Dynamic (requires BGP).
If your VPN router does not support BGP, select Static. In the Static IP Prefixes field, specify each IP prefix for the private network of your VPN connection, separated by commas.
It may take a few minutes to create the VPN connection. When it's ready, select the connection, and then click Download Configuration.
In the Download Configuration dialog box, select the vendor, platform, and software that corresponds to your customer gateway device or software, and then click Yes, Download.
Give the configuration file to your network administrator, along with this guide: Amazon VPC Network Administrator Guide. After the network administrator configures the customer gateway, the VPN connection is operational.
Launch an Instance Into Your Subnet
To launch an instance into your subnet
Open the Amazon EC2 console.
On the dashboard, click Launch Instance.
On the Choose an Amazon Machine Image (AMI) page, choose an AMI, and then click Select.
Choose an instance type, and then click Next: Configure Instance Details.
On the Configure Instance Details page, select your VPC from the Network list, and your subnet from the Subnet list. Click Next until you reach the Configure Security Group page.
Select the Select an existing security group option, and then select the default group that you modified earlier. Click Review and Launch.
Review the settings that you've chosen. Make any changes that you need, and then click Launch to select a key pair and launch the instance.
Testing the End-to-End Connectivity of Your Instance
After you set up your VPN connection and launch an instance, you can test the connection by pinging the instance. You need to use an AMI that responds to ping requests, and you need to ensure that your instance's security group is configured to enable inbound ICMP. We recommend you use one of the Amazon Linux AMIs. If you are using instances running Windows Server, you'll need to log in to the instance and enable inbound ICMPv4 on the Windows firewall in order to ping the instance.
You must configure any security group or network ACL in your VPC that filters traffic to the instance to allow inbound and outbound ICMP traffic.
You can monitor the status of your VPN connections using the Amazon VPC console or by using the Amazon EC2 API/CLI. You can view information about your VPN connections, including its state, the time since last state change, and descriptive error text.
To test end-to-end connectivity
After the instance is running, get its private IP address (for example,
10.0.0.4). The Amazon EC2 console displays the address as part of the instance's details.
From a computer in your network that is behind the customer gateway, use the ping command with the instance's private IP address. A successful response is similar to the following:
ping 10.0.0.4Pinging 10.0.0.4 with 32 bytes of data: Reply from 10.0.0.4: bytes=32 time<1ms TTL=128 Reply from 10.0.0.4: bytes=32 time<1ms TTL=128 Reply from 10.0.0.4: bytes=32 time<1ms TTL=128 Ping statistics for 10.0.0.4: Packets: Sent = 3, Received = 3, Lost = 0 (0% loss), Approximate round trip times in milliseconds: Minimum = 0ms, Maximum = 0ms, Average = 0ms
You can now use SSH or RDP to connect to your instance in the VPC. For more information about how to connect to a Linux instance, see Connect to Your Linux Instance in the Amazon EC2 User Guide for Linux Instances. For more information about how to connect to a Windows instance, see Connect to Your Windows Instance in the Amazon EC2 User Guide for Microsoft Windows Instances.
Replacing Compromised Credentials
If you believe that the tunnel credentials for your VPN connection have been compromised, you can change the IKE preshared key. To do so, delete the VPN connection, create a new one using the same virtual private gateway, and configure the new keys on your customer gateway. You also need to confirm that the tunnel's inside and outside addresses match, because these might change when you recreate the VPN connection. While you perform the procedure, communication with your instances in the VPC stops, but the instances continue to run uninterrupted. After the network administrator implements the new configuration information, your VPN connection uses the new credentials, and the network connection to your instances in the VPC resumes.
This procedure requires assistance from your network administrator group.
To change the IKE pre-shared key
Delete the VPN connection. For more information, see Deleting a VPN Connection. You don't need to delete the VPC or the virtual private gateway.
Create a new VPN connection and download the new configuration file. For more information, see Create a VPN Connection and Configure the Customer Gateway.
Editing Static Routes for a VPN Connection
For static routing, you can add, modify, or remove the static routes for your VPN configuration.
To add, modify, or remove a static route
In the navigation pane, click VPN Connections.
In the Static Routes tab, click Edit.
Modify your existing static IP prefixes, or click Remove to delete them. Click Add Another Route to add a new IP prefix to your configuration. When you are done, click Save.
If you have not enabled route propagation for your route table, you must manually update the routes in your route table to reflect the updated static IP prefixes in your VPN connection. For more information, see Enable Route Propagation in Your Route Table.
Deleting a VPN Connection
If you no longer need a VPN connection, you can delete it.
If you delete your VPN connection and then create a new one, you have to download new configuration information and have your network administrator reconfigure the customer gateway.
To delete a VPN connection
Open the Amazon VPC console.
In the navigation pane, click VPN Connections.
Select the VPN connection and click Delete.
In the Delete VPN Connection dialog box, click Yes, Delete.
If you no longer require a customer gateway, you can delete it. You can't delete a customer gateway that's being used in a VPN connection.
To delete a customer gateway
In the navigation pane, click Customer Gateways.
Select the customer gateway to delete and click Delete.
In the Delete Customer Gateway dialog box, click Yes, Delete.
If you no longer require a virtual private gateway for your VPC, you can detach it.
To detach a virtual private gateway
In the navigation pane, click Virtual Private Gateways.
Select the virtual private gateway and click Detach from VPC.
In the Detach from VPC dialog box, click Yes, Detach.
If you no longer require a detached virtual private gateway, you can delete it. You can't delete a virtual private gateway that's still attached to a VPC.
API and CLI Overview
You can use the command line or an API action to set up and manage your VPN connection. For more information, including a list of available API actions, see Accessing Amazon VPC.
Create a customer gateway
Create a virtual private gateway
Enable route propagation
Update your security group
For more information about working with security groups using a CLI, see API and CLI Overview.
Create a VPN connection
Add a static route
Delete a static route
Delete a VPN connection
Delete a customer gateway
Detach a virtual private gateway