Amazon Virtual Private Cloud
User Guide (API Version 2014-02-01)

Adding a Hardware Virtual Private Gateway to Your VPC

By default, instances that you launch into a virtual private cloud (VPC) can't communicate with your own network. You can enable access to your network from your VPC by attaching a virtual private gateway to the VPC, creating a custom route table, and updating your security group rules.

You can complete this process manually, as described on this page, or let the VPC creation wizard take care of many of these steps for you. For more information about using the VPC creation wizard to set up the virtual private gateway, see Scenario 3: VPC with Public and Private Subnets and Hardware VPN Access or Scenario 4: VPC with a Private Subnet Only and Hardware VPN Access.

Although the term VPN connection is a general term, in the Amazon VPC documentation, a VPN connection refers to the connection between your VPC and your own network.

For information about how you're charged for using a VPN connection with your VPC, see the Amazon VPC product page.

Components of Your VPN

A VPN connection consists of the following components.

Virtual Private Gateway

A virtual private gateway is the VPN concentrator on the Amazon side of the VPN connection.

For information about how many virtual private gateways you can have per region, as well as the limits for other components within your VPC, see Amazon VPC Limits.

Customer Gateway

A customer gateway is a physical device or software application on your side of the VPN connection.

For a list of customer gateways that we have tested with Amazon VPC, see Amazon Virtual Private Cloud FAQs.

VPN Configuration Examples

The following diagrams illustrate single and multiple VPN connections. The VPC has an attached virtual private gateway, and your network includes a customer gateway, which you must configure to enable the VPN connection. You set up the routing so that any traffic from the VPC bound for your network is routed to the virtual private gateway.

When you create multiple VPN connections to a single VPC, you can configure a second customer gateway to create a redundant connection to the same external location. You can also use it to create VPN connections to multiple geographic locations.

Single VPN Connection

[Diagram: VPN layout]

Multiple VPN connections

[Diagram: Multiple VPN layout]

VPN Routing Options

When you create a VPN connection, you must specify the type of routing that you plan to use. The type of routing that you select can depend on the make and model of your VPN devices. If your VPN device supports Border Gateway Protocol (BGP), specify dynamic routing when you configure your VPN connection. If your device does not support BGP, specify static routing. For a list of static and dynamic routing devices that have been tested with Amazon VPC, see the Amazon Virtual Private Cloud FAQs.

When you use a BGP device, you don't need to specify static routes to the VPN connection because the device uses BGP to advertise its routes to the virtual private gateway. If you use a device that doesn't support BGP, you must select static routing and enter the routes (IP prefixes) for your network that should be communicated to the virtual private gateway. Only IP prefixes that are known to the virtual private gateway, whether through BGP advertisement or static route entry, can receive traffic from your VPC.

We recommend that you use BGP-capable devices, when available, because the BGP protocol offers robust liveness detection checks that can assist failover to the second VPN tunnel if the first tunnel goes down. Devices that don't support BGP may also perform health checks to assist failover to the second tunnel when needed.

What You Need for a VPN Connection

To use Amazon VPC with a VPN connection, you or your network administrator must designate a physical appliance as your customer gateway and configure it. We provide you with the required configuration information, including the VPN preshared key and other parameters related to setting up the VPN connection. Your network administrator typically performs this configuration. For information about the customer gateway requirements and configuration, see the Amazon Virtual Private Cloud Network Administrator Guide.

The following table lists the information that you need to have so that we can establish your VPN connection.

Item: The type of customer gateway (for example, Cisco ASA, Juniper J-Series, Juniper SSG, Yamaha)
How used: Specifies how to format the returned information that you use to configure the customer gateway.
Comments: For information about the specific devices that we've tested, see What customer gateway devices are known to work with Amazon VPC? in the Amazon VPC FAQ.

Item: Internet-routable IP address (static) of the customer gateway's external interface.
How used: Used to create and configure your customer gateway (referred to as YOUR_UPLINK_ADDRESS).
Comments: The value must be static and can't be behind a device performing network address translation (NAT).

Item: (Optional) Border Gateway Protocol (BGP) Autonomous System Number (ASN) of the customer gateway, if you are creating a dynamically routed VPN connection.
How used: Used to create and configure your customer gateway (referred to as YOUR_BGP_ASN).
Comments: If you use the wizard in the console to set up your VPC, we automatically use 65000 as the ASN. You can use an existing ASN assigned to your network. If you don't have one, you can use a private ASN (in the 64512–65534 range). For more information about ASNs, see the Wikipedia article. Amazon VPC supports 2-byte ASNs.

Item: Internal network IP ranges that you want advertised over the VPN connection to the VPC.
How used: Used to specify static routes.
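As an added check (example code written for this page, not part of the AWS documentation), the following Python validates the three inputs from the table before you create the customer gateway: the uplink address must be Internet-routable (an address from a private or shared range can only sit behind NAT), the ASN must be a 2-byte value (private 64512–65534 or one assigned to you), and the static prefixes must be well-formed CIDRs. The overlap test against the VPC CIDR is an extra assumption of this example, not a rule stated in the guide.

```python
import ipaddress

# Limits from the guide: private ASNs are 64512-65534, Amazon VPC supports 2-byte
# ASNs, and the console wizard uses 65000 when it creates the customer gateway.
PRIVATE_ASN_RANGE = (64512, 65534)
WIZARD_DEFAULT_ASN = 65000

def check_customer_gateway_ip(ip_text):
    """The customer gateway address must be static, Internet-routable and not behind
    NAT. Private, shared-address (CGNAT), loopback, link-local and documentation
    ranges can only reach the Internet through NAT, so they are rejected."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False, "%r is not an IP address" % (ip_text,)
    if ip.version != 4:
        return False, "%s is not an IPv4 address" % ip
    if not ip.is_global:
        return False, "%s is not Internet-routable, so it would be behind NAT" % ip
    return True, "ok"

def check_bgp_asn(asn):
    """Dynamic routing only. Accepts a 2-byte ASN and says whether it is private
    (usable without registration) or public (must be assigned to your network).
    0 and 65535 are IANA-reserved and never usable for a customer gateway."""
    if not 0 < asn < 65535:
        return False, "%d is not a usable 2-byte ASN" % asn
    low, high = PRIVATE_ASN_RANGE
    if low <= asn <= high:
        return True, "private ASN"
    return True, "public ASN; it must be one assigned to your network"

def check_static_prefixes(prefix_list, vpc_cidr):
    """Static routing only. The console takes the customer prefixes as one
    comma-separated string; each must be a CIDR network with no host bits set.
    The overlap test is this example's own sanity check: a prefix covering VPC
    addresses would steer VPC-internal traffic to the virtual private gateway."""
    vpc = ipaddress.ip_network(vpc_cidr)
    problems = []
    for entry in prefix_list.split(","):
        entry = entry.strip()
        try:
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError:
            problems.append("%r is not a valid CIDR prefix" % entry)
            continue
        if net.overlaps(vpc):
            problems.append("%s overlaps the VPC CIDR %s" % (net, vpc))
    return problems

if __name__ == "__main__":
    # Constructed inputs; 93.184.216.34 stands in for your real static uplink address.
    print(check_customer_gateway_ip("93.184.216.34"))
    print(check_customer_gateway_ip("10.1.2.3"))
    print(check_bgp_asn(WIZARD_DEFAULT_ASN))
    print(check_static_prefixes("10.1.0.0/16, 10.2.5.0/24", "10.0.0.0/16"))
```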

Configuring Two VPN Tunnels for Your VPN Connection

You use a VPN connection to connect your network to a VPC. Each VPN connection has two tunnels, with each tunnel using a unique virtual private gateway public IP address. It is important to configure both tunnels for redundancy. When one tunnel becomes unavailable (for example, down for maintenance), network traffic is automatically routed to the available tunnel for that specific VPN connection.

The following diagram shows the two tunnels of the VPN connection.

Using Redundant VPN Connections to Provide Failover

As described earlier, a VPN connection has two tunnels to help ensure connectivity in case one of the tunnels becomes unavailable. To protect against a loss of connectivity in case your customer gateway becomes unavailable, you can set up a second VPN connection to your VPC by using a second customer gateway. By using redundant VPN connections and customer gateways, you can perform maintenance on one of your customer gateways while traffic continues to flow over the second customer gateway's VPN connection. To establish redundant VPN connections and customer gateways on your network, you need to set up a second VPN connection. The customer gateway IP address for the second VPN connection must be publicly accessible and can't be the same public IP address that you are using for the first VPN connection.

The following diagram shows the two tunnels of the VPN connection and two customer gateways.

Dynamically routed VPN connections use the Border Gateway Protocol (BGP) to exchange routing information between your customer gateways and the virtual private gateways. Statically routed VPN connections require you to enter static routes for the network on your side of the customer gateway. BGP-advertised and statically entered route information allows the gateways on both sides to determine which tunnels are available and to reroute traffic if a failure occurs. We recommend that you configure your network to use the routing information provided by BGP (if available) to select an available path. The exact configuration depends on the architecture of your network.

Setting Up the VPN Connection

Use the following procedure to manually set up the VPN connection. Alternatively, you can create the VPC and subnets and complete the first four steps in this procedure using the VPC wizard. For more information, see Implementing Scenario 3 or Implementing Scenario 4.

This procedure assumes that you have a VPC with one or more subnets, and that you have the required network information (see What You Need for a VPN Connection).

  1. Create a customer gateway.

    1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

    2. In the navigation pane, click Customer Gateways, and then click Create Customer Gateway.

    3. Specify the routing type and the static IP address for your customer gateway device, and then click Yes, Create.

  2. Create a virtual private gateway and attach it to the VPC.

    1. In the navigation pane, click Virtual Private Gateways, and then click Create Virtual Private Gateway.

    2. You can optionally provide a name for your virtual private gateway, and then click Yes, Create.

    3. Select the virtual private gateway that you just created, and then click Attach to VPC.

    4. In the Attach to VPC dialog box, select the VPC from the list, and then click Yes, Attach.

  3. Add a route to the route table and enable route propagation.

    1. In the navigation pane, click Route Tables, and then select the route table that's associated with the subnet; by default, this is the main route table for the VPC.

    2. On the Routes tab in the details pane, click Edit, do one of the following, and then click Save:

      • If you are using static routing for your VPN connection, add the static route used by your VPN connection in the Destination box and select the virtual private gateway ID from the Target list.

      • If you are using dynamic routing for your VPN connection, enter the IP prefix for your customer network in the Destination box and select the virtual private gateway ID in the Target list.

    3. On the Route Propagation tab in the details pane, click Edit, select the virtual private gateway associated with the VPC from the list, and then click Save.

      Note

      If you configured your VPN connection to use dynamic routing and you've enabled route propagation, the BGP advertised routes from your customer gateway won't appear in the route table unless the status of the VPN connection is UP.

  4. Add rules to the security group to allow SSH and RDP access from your network. For more information about adding inbound rules, see Adding and Removing Rules.

    1. In the navigation pane, click Security Groups, and then select the default security group for the VPC.

    2. On the Inbound tab in the details pane, add a rule for inbound SSH access and a rule for inbound RDP access to the group from your network, and then click Save.

  5. Create a VPN connection.

    1. In the navigation pane, click VPN Connections.

    2. Click Create VPN Connection.

    3. In the Create VPN Connection dialog box, do the following, and then click Yes, Create:

      • Select your customer gateway.

      • Select one of the routing options based on whether your VPN router supports Border Gateway Protocol (BGP):

        • If your VPN router supports BGP, select Dynamic.

        • If your VPN router does not support BGP, select Static. In the Static IP Prefixes field, specify each IP prefix for the private network of your VPN connection, separated by commas.

  6. Configure the customer gateway.

    1. In the navigation pane, click VPN Connections.

    2. Select your VPN connection, and then click Download Configuration.

    3. Give the configuration information to your network administrator, along with this guide: Amazon Virtual Private Cloud Network Administrator Guide. After the network administrator configures the customer gateway, the VPN connection is operational.

  7. Launch an instance into the subnet.

    1. Open the Amazon EC2 console.

    2. On the dashboard, click Launch Instance.

    3. On the Choose an Amazon Machine Image (AMI) page, choose an AMI, and then click Select.

    4. On the Configure Instance Details page, select a VPC from the Network list, and select a subnet from the Subnet list. Click Review and Launch to accept the default settings in the rest of the wizard, and go directly to the Review Instance Launch page.

    5. Review the settings that you've chosen. Make any changes that you need, and then click Launch to select a key pair and launch the instance.

Testing the End-to-End Connectivity of Your Instance

After you set up your VPN connection and launch an instance, you can test the connection by pinging the instance. You just need to use an AMI that responds to ping requests. We recommend that you use one of the Amazon Linux AMIs. If you are using instances running Windows Server, you'll need to log in to the instance and enable inbound ICMPv4 on the Windows firewall in order to ping the instance.

Important

You must configure any security group or network ACL in your VPC that filters traffic to the instance to allow inbound and outbound ICMP traffic.

You can monitor the status of your VPN connections using the Amazon VPC console or by using the Amazon EC2 API/CLI. You can view information about your VPN connections, including their state, the time since the last state change, and descriptive error text.
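The same status information can drive an automated check. The following Python is an added example, not AWS code: it runs over a constructed dict shaped like a DescribeVpnConnections response (the VgwTelemetry fields Status, LastStatusChange, StatusMessage and AcceptedRouteCount) and classifies each connection by how much of the two-tunnel redundancy is left, so a single-tunnel outage is caught before the second tunnel also fails.

```python
from datetime import datetime, timezone

# Constructed sample shaped like an EC2 DescribeVpnConnections response
# (VpnConnections[].State and VgwTelemetry[] entries); the id and addresses
# are placeholders, not values captured from a real account.
SAMPLE_RESPONSE = {
    "VpnConnections": [{
        "VpnConnectionId": "vpn-PLACEHOLDER",
        "State": "available",
        "VgwTelemetry": [
            {"OutsideIpAddress": "203.0.113.10", "Status": "UP",
             "LastStatusChange": datetime(2014, 3, 1, 8, 0, tzinfo=timezone.utc),
             "StatusMessage": "", "AcceptedRouteCount": 3},
            {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN",
             "LastStatusChange": datetime(2014, 3, 1, 11, 30, tzinfo=timezone.utc),
             "StatusMessage": "IPSEC IS DOWN", "AcceptedRouteCount": 0},
        ],
    }]
}
SAMPLE_NOW = datetime(2014, 3, 1, 12, 30, tzinfo=timezone.utc)  # constructed "current time"

def assess_vpn_connections(response, now):
    """One finding per VPN connection. 'critical': the connection is not available
    or every tunnel is down, so the VPC is unreachable from your network. 'warning':
    one tunnel is down (traffic still flows, but the redundancy is gone) or an UP
    tunnel has accepted no routes (nothing is forwarded over it). Otherwise 'ok'."""
    findings = []
    for conn in response.get("VpnConnections", []):
        tunnels = conn.get("VgwTelemetry", [])
        down = [t for t in tunnels if t.get("Status") != "UP"]
        routeless = [t["OutsideIpAddress"] for t in tunnels
                     if t.get("Status") == "UP" and t.get("AcceptedRouteCount", 0) == 0]
        if conn.get("State") != "available" or (tunnels and len(down) == len(tunnels)):
            severity = "critical"
        elif down or routeless:
            severity = "warning"
        else:
            severity = "ok"
        findings.append({
            "id": conn.get("VpnConnectionId"),
            "severity": severity,
            # (outside address, descriptive error text, seconds since the last state change)
            "down_tunnels": [(t["OutsideIpAddress"], t.get("StatusMessage", ""),
                              int((now - t["LastStatusChange"]).total_seconds()))
                             for t in down],
            "up_without_routes": routeless,
        })
    return findings

if __name__ == "__main__":
    for finding in assess_vpn_connections(SAMPLE_RESPONSE, SAMPLE_NOW):
        print(finding)
```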

To test the end-to-end connectivity

  1. After the instance is running, get its private IP address (for example, 10.0.0.4). The Amazon EC2 console displays the address as part of the instance's details.

  2. From a computer in your network that is behind the customer gateway, use the ping command with the instance's private IP address. A successful response is similar to the following:

    PROMPT> ping 10.0.0.4
    Pinging 10.0.0.4 with 32 bytes of data:
    
    Reply from 10.0.0.4: bytes=32 time<1ms TTL=128
    Reply from 10.0.0.4: bytes=32 time<1ms TTL=128
    Reply from 10.0.0.4: bytes=32 time<1ms TTL=128
    
    Ping statistics for 10.0.0.4:
    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
    
    Approximate round trip times in milliseconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

You can now use SSH or RDP to connect to your instance in the VPC. For more information about how to connect to a Linux instance, see Connect to Your Linux Instance in the Amazon Elastic Compute Cloud User Guide. For more information about how to connect to a Windows instance, see Connect to Your Windows Instance in the Amazon Elastic Compute Cloud Microsoft Windows Guide.

Replacing Compromised Credentials

If you believe that the tunnel credentials for your VPN connection have been compromised, you can change the IKE preshared key. To do so, delete the VPN connection, create a new one using the same virtual private gateway, and configure the new keys on your customer gateway. You also need to confirm that the tunnel's inside and outside addresses match, because these might change when you recreate the VPN connection. While you perform the procedure, communication with your instances in the VPC stops, but the instances continue to run uninterrupted. After the network administrator implements the new configuration information, your VPN connection uses the new credentials, and the network connection to your instances in the VPC resumes.

Important

This procedure requires assistance from your network administrator group.

To change the IKE preshared key

  1. Delete the VPN connection. You don't need to delete the VPC or the virtual private gateway.

    1. Open the Amazon VPC console.

    2. In the navigation pane, click VPN Connections.

    3. Select the VPN connection and click Delete.

    4. In the Delete VPN Connection dialog box, click Yes, Delete.

  2. Create a new VPN connection.

    1. On the same VPN Connections page, click Create VPN Connection. Notice that your virtual private gateway and customer gateway are already selected.

    2. Select one of the routing options based on whether your VPN router supports Border Gateway Protocol (BGP). If you are unsure, see Amazon Virtual Private Cloud FAQs.

      • If your VPN router supports Border Gateway Protocol (BGP), select Dynamic.

      • If your VPN router does not support BGP, select Static. In the Static IP prefixes box, enter each IP prefix for your network.

    3. Click Yes, Create.

  3. Download a new customer gateway configuration, which your network administrator must implement. This new configuration replaces the previous gateway configuration that used the old IKE preshared key.

    1. Select the VPN connection that you just created, and then click Download Configuration.

    2. Select the customer gateway's vendor, platform, and software version, and then click Yes, Download.

    3. Save the text file and give it to your network administrator, along with the Amazon Virtual Private Cloud Network Administrator Guide.
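To help your network administrator confirm the rotation, the following Python (an added example, not AWS code) compares the old and new downloaded configurations: per tunnel it reports whether the preshared key really changed (and was not a reuse of either old key) and whether the inside or outside addresses moved, without echoing the keys themselves. The XML element names are this example's assumption about the generic-vendor download format; check them against your own file before using it.

```python
import xml.etree.ElementTree as ET

# Element names are this example's assumption about the generic-vendor download
# (vpn_connection > ipsec_tunnel > customer_gateway|vpn_gateway > tunnel_*_address
# > ip_address, and ike > pre_shared_key); verify them against your own file.
TUNNEL_XML = """<ipsec_tunnel>
 <customer_gateway>
  <tunnel_outside_address><ip_address>{cgw_out}</ip_address></tunnel_outside_address>
  <tunnel_inside_address><ip_address>{cgw_in}</ip_address></tunnel_inside_address>
 </customer_gateway>
 <vpn_gateway>
  <tunnel_outside_address><ip_address>{vgw_out}</ip_address></tunnel_outside_address>
  <tunnel_inside_address><ip_address>{vgw_in}</ip_address></tunnel_inside_address>
 </vpn_gateway>
 <ike><pre_shared_key>{psk}</pre_shared_key></ike>
</ipsec_tunnel>"""

def make_config(vpn_id, tunnels):
    """Fabricate a configuration file in the assumed layout (for the samples only)."""
    body = "".join(TUNNEL_XML.format(**t) for t in tunnels)
    return '<vpn_connection id="%s">%s</vpn_connection>' % (vpn_id, body)

def read_tunnels(config_xml):
    """Per tunnel: the addresses the administrator must verify, plus the PSK."""
    return [{
        "vgw_out": t.findtext("vpn_gateway/tunnel_outside_address/ip_address"),
        "vgw_in": t.findtext("vpn_gateway/tunnel_inside_address/ip_address"),
        "cgw_in": t.findtext("customer_gateway/tunnel_inside_address/ip_address"),
        "psk": t.findtext("ike/pre_shared_key"),
    } for t in ET.fromstring(config_xml).findall("ipsec_tunnel")]

def rotation_report(old_xml, new_xml):
    """Compare the downloads from before and after recreating the VPN connection.
    A tunnel counts as rotated only if its new PSK matches none of the old keys;
    address changes must be applied on the customer gateway. Keys are not reported."""
    old, new = read_tunnels(old_xml), read_tunnels(new_xml)
    old_keys = {t["psk"] for t in old}
    return [{
        "tunnel": i,
        "psk_rotated": n["psk"] not in old_keys,
        "outside_changed": o["vgw_out"] != n["vgw_out"],
        "inside_changed": (o["cgw_in"], o["vgw_in"]) != (n["cgw_in"], n["vgw_in"]),
    } for i, (o, n) in enumerate(zip(old, new), start=1)]

# Constructed samples; ids, addresses and keys are placeholders, not real values.
_BASE = dict(cgw_out="93.184.216.34", cgw_in="169.254.255.2",
             vgw_out="203.0.113.10", vgw_in="169.254.255.1")
OLD_CFG = make_config("vpn-OLD-PLACEHOLDER", [
    dict(_BASE, psk="old-key-1-placeholder"),
    dict(_BASE, cgw_in="169.254.255.6", vgw_out="203.0.113.11",
         vgw_in="169.254.255.5", psk="old-key-2-placeholder")])
NEW_CFG = make_config("vpn-NEW-PLACEHOLDER", [
    dict(_BASE, psk="new-key-1-placeholder"),          # rotated, addresses unchanged
    dict(_BASE, cgw_in="169.254.255.10", vgw_out="203.0.113.11",
         vgw_in="169.254.255.9", psk="old-key-1-placeholder")])  # reused key, inside moved
```

Running `rotation_report(OLD_CFG, NEW_CFG)` flags tunnel 2 as not rotated (it reuses an old key) and as having new inside addresses that the customer gateway must be updated with.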

Deleting a VPN Connection

If you no longer need a VPN connection, you can delete it.

Important

If you delete your VPN connection and then create a new one, you have to download new configuration information and have your network administrator reconfigure the customer gateway.

To delete a VPN connection

  1. Open the Amazon VPC console.

  2. In the navigation pane, click VPN Connections.

  3. Select the VPN connection and click Delete.

  4. In the Delete VPN Connection dialog box, click Yes, Delete.

If you no longer require a customer gateway, you can delete it. You can't delete a customer gateway that's being used in a VPN connection.

To delete a customer gateway

  1. In the navigation pane, click Customer Gateways.

  2. Select the customer gateway to delete and click Delete.

  3. In the Delete Customer Gateway dialog box, click Yes, Delete.

If you no longer require a virtual private gateway for your VPC, you can detach it.

To detach a virtual private gateway

  1. In the navigation pane, click Virtual Private Gateways.

  2. Select the virtual private gateway and click Detach from VPC.

  3. In the Detach from VPC dialog box, click Yes, Detach.

If you no longer require a virtual private gateway, you can delete it. You can't delete a virtual private gateway that's still attached to a VPC.

To delete a virtual private gateway

  1. Select the virtual private gateway to delete and click Delete.

  2. In the Delete Virtual Private Gateway dialog box, click Yes, Delete.