Amazon Virtual Private Cloud
User Guide (API Version 2014-02-01)

Adding a Hardware Virtual Private Gateway to Your VPC

By default, instances that you launch into a virtual private cloud (VPC) can't communicate with your own network. You can enable access to your network from your VPC by attaching a virtual private gateway to the VPC, creating a custom route table, and updating your security group rules.

You can complete this process manually, as described on this page, or let the VPC creation wizard take care of many of these steps for you. For more information about using the VPC creation wizard to set up the virtual private gateway, see Scenario 3: VPC with Public and Private Subnets and Hardware VPN Access or Scenario 4: VPC with a Private Subnet Only and Hardware VPN Access.

Although the term VPN connection is a general term, in the Amazon VPC documentation, a VPN connection refers to the connection between your VPC and your own network.

For information about how you're charged for using a VPN connection with your VPC, see the Amazon VPC product page.

Components of Your VPN

A VPN connection consists of the following components.

Virtual Private Gateway

A virtual private gateway is the VPN concentrator on the Amazon side of the VPN connection.

For information about how many virtual private gateways you can have per region, as well as the limits for other components within your VPC, see Amazon VPC Limits.

Customer Gateway

A customer gateway is a physical device or software application on your side of the VPN connection.

For a list of customer gateways that we have tested with Amazon VPC, see Amazon Virtual Private Cloud FAQs.

VPN Configuration Examples

The following diagrams illustrate single and multiple VPN connections. The VPC has an attached virtual private gateway, and your network includes a customer gateway, which you must configure to enable the VPN connection. You set up the routing so that any traffic from the VPC bound for your network is routed to the virtual private gateway.

When you create multiple VPN connections to a single VPC, you can configure a second customer gateway to create a redundant connection to the same external location. You can also use it to create VPN connections to multiple geographic locations.

Single VPN Connection

[Diagram: VPN layout]

Multiple VPN connections

[Diagram: Multiple VPN layout]

VPN Routing Options

When you create a VPN connection, you must specify the type of routing that you plan to use. The type of routing that you select can depend on the make and model of your VPN devices. If your VPN device supports Border Gateway Protocol (BGP), specify dynamic routing when you configure your VPN connection. If your device does not support BGP, specify static routing. For a list of static and dynamic routing devices that have been tested with Amazon VPC, see the Amazon Virtual Private Cloud FAQs.

When you use a BGP device, you don't need to specify static routes to the VPN connection because the device uses BGP to advertise its routes to the virtual private gateway. If you use a device that doesn't support BGP, you must select static routing and enter the routes (IP prefixes) for your network that should be communicated to the virtual private gateway. Only IP prefixes that are known to the virtual private gateway, whether through BGP advertisement or static route entry, can receive traffic from your VPC.

We recommend that you use BGP-capable devices, when available, because the BGP protocol offers robust liveness detection checks that can assist failover to the second VPN tunnel if the first tunnel goes down. Devices that don't support BGP may also perform health checks to assist failover to the second tunnel when needed.

What You Need for a VPN Connection

To use Amazon VPC with a VPN connection, you or your network administrator must designate a physical appliance as your customer gateway and configure it. We provide you with the required configuration information, including the VPN preshared key and other parameters related to setting up the VPN connection. Your network administrator typically performs this configuration. For information about the customer gateway requirements and configuration, see the Amazon Virtual Private Cloud Network Administrator Guide.

The following table lists the information that you need to have so that we can establish your VPN connection.

Item: The type of customer gateway (for example, Cisco ASA, Juniper J-Series, Juniper SSG, Yamaha)
How used: Specifies how to format the returned information that you use to configure the customer gateway.
Comments: For information about the specific devices that we've tested, see What customer gateway devices are known to work with Amazon VPC? in the Amazon VPC FAQ.

Item: Internet-routable IP address (static) of the customer gateway's external interface.
How used: Used to create and configure your customer gateway (referred to as YOUR_UPLINK_ADDRESS).
Comments: The value must be static and can't be behind a device performing network address translation (NAT).

Item: (Optional) Border Gateway Protocol (BGP) Autonomous System Number (ASN) of the customer gateway, if you are creating a dynamically routed VPN connection.
How used: Used to create and configure your customer gateway (referred to as YOUR_BGP_ASN).
Comments: If you use the wizard in the console to set up your VPC, we automatically use 65000 as the ASN. You can use an existing ASN assigned to your network. If you don't have one, you can use a private ASN (in the 64512–65534 range). For more information about ASNs, see the Wikipedia article. Amazon VPC supports 2-byte ASNs.

Item: Internal network IP ranges that you want advertised over the VPN connection to the VPC.
How used: Used to specify static routes.
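The table's requirements can be checked before you submit anything to the console. The following pre-flight validator is an added example, not part of this guide: it applies the table's rules to YOUR_UPLINK_ADDRESS (static, Internet-routable, not behind NAT), YOUR_BGP_ASN (2-byte, private range 64512–65534 if you have no assigned ASN) and the comma-separated static prefixes, which must also stay clear of the VPC's own CIDR. The address and prefix values used in the tests are constructed.

```python
from __future__ import annotations
import ipaddress

# Address space that is not Internet-routable. A customer gateway whose external
# address falls in one of these ranges sits behind NAT (or is otherwise
# unreachable) and cannot terminate the tunnels.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                    # carrier-grade NAT (RFC 6598)
    "0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",
)]
PRIVATE_ASN = range(64512, 65535)   # the 64512-65534 private range from the table


def check_uplink_address(addr: str) -> list[str]:
    """YOUR_UPLINK_ADDRESS: a single static, Internet-routable IPv4 address."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ValueError:
        return [f"{addr!r} is not a valid IPv4 address"]
    if any(ip in net for net in NON_ROUTABLE):
        return [f"{addr} is not Internet-routable; the gateway must not sit behind NAT"]
    return []


def check_bgp_asn(asn: int | None, dynamic: bool) -> list[str]:
    """YOUR_BGP_ASN: needed only for dynamic routing, and must be a 2-byte ASN."""
    if not dynamic:
        return []
    if asn is None:
        return ["dynamic routing selected but no BGP ASN supplied"]
    if not 1 <= asn <= 65535:
        return [f"ASN {asn} is not a 2-byte ASN; 4-byte ASNs are not supported"]
    if asn not in PRIVATE_ASN:
        return [f"ASN {asn} is public; confirm it is actually assigned to your network"]
    return []


def check_static_prefixes(prefixes: str, vpc_cidr: str) -> list[str]:
    """Static IP Prefixes (comma-separated): valid CIDRs that do not overlap the
    VPC's own CIDR, which the VPC always routes locally."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)
    for raw in (p.strip() for p in prefixes.split(",") if p.strip()):
        try:
            net = ipaddress.ip_network(raw)          # strict: host bits must be zero
        except ValueError:
            problems.append(f"{raw!r} is not a valid CIDR prefix")
            continue
        if net.overlaps(vpc):
            problems.append(f"{raw} overlaps the VPC CIDR {vpc_cidr}")
    return problems
```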

Configuring Two VPN Tunnels for Your VPN Connection

You use a VPN connection to connect your network to a VPC. Each VPN connection has two tunnels, with each tunnel using a unique virtual private gateway public IP address. It is important to configure both tunnels for redundancy. When one tunnel becomes unavailable (for example, down for maintenance), network traffic is automatically routed to the available tunnel for that specific VPN connection.

The following diagram shows the two tunnels of the VPN connection.

Using Redundant VPN Connections to Provide Failover

As described earlier, a VPN connection has two tunnels to help ensure connectivity in case one of the tunnels becomes unavailable. To protect against a loss of connectivity in case your customer gateway becomes unavailable, you can set up a second VPN connection to your VPC by using a second customer gateway. By using redundant VPN connections and customer gateways, you can perform maintenance on one of your customer gateways while traffic continues to flow over the second customer gateway's VPN connection. To establish redundant VPN connections and customer gateways on your network, you need to set up a second VPN connection. The customer gateway IP address for the second VPN connection must be publicly accessible and can't be the same public IP address that you are using for the first VPN connection.

The following diagram shows the two tunnels of the VPN connection and two customer gateways.

Dynamically routed VPN connections use the Border Gateway Protocol (BGP) to exchange routing information between your customer gateways and the virtual private gateways. Statically routed VPN connections require you to enter static routes for the network on your side of the customer gateway. BGP-advertised and statically entered route information allows gateways on both sides to determine which tunnels are available and reroute traffic if a failure occurs. We recommend that you configure your network to use the routing information provided by BGP (if available) to select an available path. The exact configuration depends on the architecture of your network.

Setting Up the VPN Connection

Use the following procedures to manually set up the VPN connection. Alternatively, you can create the VPC and subnets and complete the first five steps in this procedure using the VPC wizard. For more information, see Implementing Scenario 3 or Implementing Scenario 4.

To set up a VPN connection, you need to complete the following steps:

  • Step 1: Create a Customer Gateway
  • Step 2: Create a Virtual Private Gateway
  • Step 3: Update Your Route Tables and Enable Route Propagation
  • Step 4: Update Your Security Group to Enable Inbound SSH, RDP and ICMP Access
  • Step 5: Create a VPN Connection and Configure the Customer Gateway
  • Step 6: Launch an Instance Into Your Subnet

These procedures assume that you have a VPC with one or more subnets, and that you have the required network information (see What You Need for a VPN Connection).

Step 1: Create a Customer Gateway

To create a customer gateway

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, click Customer Gateways, and then click Create Customer Gateway.

  3. In the Create Customer Gateway dialog box, complete the following and then click Yes, Create:

    • In the Name tag field, optionally enter a name for your customer gateway. Doing so creates a tag with a key of Name and the value that you specify.

    • Select the routing type from the Routing list.

    • If you selected dynamic routing, enter the Border Gateway Protocol (BGP) Autonomous System Number (ASN) in the BGP ASN field.

    • Enter the static, Internet-routable IP address for your customer gateway device in the IP Address field. The address cannot be behind a device that performs network address translation (NAT).

Step 2: Create a Virtual Private Gateway

To create a virtual private gateway

  1. In the navigation pane, click Virtual Private Gateways, and then click Create Virtual Private Gateway.

  2. You can optionally enter a name for your virtual private gateway, and then click Yes, Create.

  3. Select the virtual private gateway that you created, and then click Attach to VPC.

  4. In the Attach to VPC dialog box, select your VPC from the list, and then click Yes, Attach.

Step 3: Update Your Route Tables and Enable Route Propagation

To add a route to the route table and enable route propagation

  1. In the navigation pane, click Route Tables, and then select the route table that's associated with the subnet; by default, this is the main route table for the VPC.

  2. On the Routes tab in the details pane, click Edit, do one of the following, and then click Save:

    • If you are using static routing for your VPN connection, add the static route used by your VPN connection in the Destination field and select the virtual private gateway ID from the Target list.

    • If you are using dynamic routing for your VPN connection, enter the IP prefix for your customer network in the Destination field and select the virtual private gateway ID in the Target list.

  3. On the Route Propagation tab in the details pane, click Edit, select the virtual private gateway that you created in the previous procedure, and then click Save.

    Note

    If you configure your VPN connection to use dynamic routing and you enable route propagation, the BGP-advertised routes from your customer gateway won't appear in the route table unless the status of the VPN connection is UP.

Step 4: Update Your Security Group to Enable Inbound SSH, RDP and ICMP Access

To add rules to your security group to enable inbound SSH, RDP and ICMP access

  1. In the navigation pane, click Security Groups, and then select the default security group for the VPC.

  2. On the Inbound tab in the details pane, add rules that allow inbound SSH, RDP and ICMP access from your network, and then click Save. For more information about adding inbound rules, see Adding and Removing Rules.

Step 5: Create a VPN Connection and Configure the Customer Gateway

To create a VPN connection and configure the customer gateway

  1. In the navigation pane, click VPN Connections.

  2. Click Create VPN Connection.

  3. In the Create VPN Connection dialog box, do the following, and then click Yes, Create:

    • In the Name tag field, optionally enter a name for your VPN connection. Doing so creates a tag with a key of Name and the value that you specify.

    • Select the virtual private gateway that you created earlier.

    • Select the customer gateway that you created earlier.

    • Select one of the routing options based on whether your VPN router supports Border Gateway Protocol (BGP):

      • If your VPN router supports BGP, select Dynamic (requires BGP).

      • If your VPN router does not support BGP, select Static. In the Static IP Prefixes field, specify each IP prefix for the private network of your VPN connection, separated by commas.

  4. It may take a few minutes to create the VPN connection. When it's ready, select the connection, and then click Download Configuration.

  5. In the Download Configuration dialog box, select the vendor, platform, and software that corresponds to your customer gateway device or software, and then click Yes, Download.

  6. Give the configuration file to your network administrator, along with this guide: Amazon Virtual Private Cloud Network Administrator Guide. After the network administrator configures the customer gateway, the VPN connection is operational.
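Steps 1 through 5 map onto a short sequence of EC2 API calls. The following is an added example, not code from this guide: it drives the sequence for a statically routed connection through a boto3-style EC2 client (method and parameter names are boto3's), and restricts the Step 4 security group rules to the on-premises prefixes rather than the whole Internet. The FakeEC2 class and every id it returns are constructed so the sequence can be exercised offline; against a real account you would pass boto3.client("ec2") instead.

```python
def set_up_static_vpn(ec2, vpc_id, route_table_id, sg_id, cgw_public_ip, onprem_prefixes):
    """Steps 1-5 for a statically routed VPN connection; returns the created ids."""
    # Step 1: customer gateway. "ipsec.1" is the gateway type; BgpAsn is set even
    # for static routing (65000 is the console's default, see the table above).
    cgw = ec2.create_customer_gateway(Type="ipsec.1", PublicIp=cgw_public_ip,
                                      BgpAsn=65000)["CustomerGateway"]["CustomerGatewayId"]
    # Step 2: virtual private gateway, attached to the VPC.
    vgw = ec2.create_vpn_gateway(Type="ipsec.1")["VpnGateway"]["VpnGatewayId"]
    ec2.attach_vpn_gateway(VpnGatewayId=vgw, VpcId=vpc_id)
    # Step 3: one route per on-premises prefix to the VGW, plus route propagation.
    for prefix in onprem_prefixes:
        ec2.create_route(RouteTableId=route_table_id, DestinationCidrBlock=prefix, GatewayId=vgw)
    ec2.enable_vgw_route_propagation(RouteTableId=route_table_id, GatewayId=vgw)
    # Step 4: SSH, RDP and ICMP only from the on-premises prefixes, never 0.0.0.0/0,
    # so the instances are not exposed beyond the network behind the customer gateway.
    perms = [{"IpProtocol": proto, "FromPort": lo, "ToPort": hi,
              "IpRanges": [{"CidrIp": p} for p in onprem_prefixes]}
             for proto, lo, hi in (("tcp", 22, 22), ("tcp", 3389, 3389), ("icmp", -1, -1))]
    ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=perms)
    # Step 5: the connection itself, static, with each prefix registered as a static route.
    vpn = ec2.create_vpn_connection(Type="ipsec.1", CustomerGatewayId=cgw, VpnGatewayId=vgw,
                                    Options={"StaticRoutesOnly": True})["VpnConnection"]
    for prefix in onprem_prefixes:
        ec2.create_vpn_connection_route(VpnConnectionId=vpn["VpnConnectionId"],
                                        DestinationCidrBlock=prefix)
    # CustomerGatewayConfiguration holds the tunnel parameters, preshared keys included:
    # it is what the network administrator needs, so handle it like a credential.
    return {"cgw": cgw, "vgw": vgw, "vpn": vpn["VpnConnectionId"],
            "config": vpn["CustomerGatewayConfiguration"]}


class FakeEC2:
    """Constructed stand-in for boto3.client("ec2"): records every call and
    returns fixed, made-up ids so the sequence above can run offline."""
    RESPONSES = {
        "create_customer_gateway": {"CustomerGateway": {"CustomerGatewayId": "cgw-0example"}},
        "create_vpn_gateway": {"VpnGateway": {"VpnGatewayId": "vgw-0example"}},
        "create_vpn_connection": {"VpnConnection": {
            "VpnConnectionId": "vpn-0example",
            "CustomerGatewayConfiguration": '<vpn_connection id="vpn-0example"/>'}},
    }

    def __init__(self):
        self.calls = []          # (method name, keyword arguments) in call order

    def __getattr__(self, name):
        def call(**kwargs):
            self.calls.append((name, kwargs))
            return self.RESPONSES.get(name, {})
        return call


if __name__ == "__main__":
    fake = FakeEC2()
    print(set_up_static_vpn(fake, "vpc-0example", "rtb-0example", "sg-0example",
                            "203.0.113.12", ["192.168.0.0/16"]))
```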

Step 6: Launch an Instance Into Your Subnet

To launch an instance into your subnet

  1. Open the Amazon EC2 console.

  2. On the dashboard, click Launch Instance.

  3. On the Choose an Amazon Machine Image (AMI) page, choose an AMI, and then click Select.

  4. Choose an instance type, and then click Next: Configure Instance Details.

  5. On the Configure Instance Details page, select your VPC from the Network list, and your subnet from the Subnet list. Click Next until you reach the Configure Security Group page.

  6. Select the Select an existing security group option, and then select the default group that you modified earlier. Click Review and Launch.

  7. Review the settings that you've chosen. Make any changes that you need, and then click Launch to select a key pair and launch the instance.

Testing the End-to-End Connectivity of Your Instance

After you set up your VPN connection and launch an instance, you can test the connection by pinging the instance. You need to use an AMI that responds to ping requests, and you need to ensure that your instance's security group is configured to enable inbound ICMP. We recommend that you use one of the Amazon Linux AMIs. If you are using instances running Windows Server, you'll need to log in to the instance and enable inbound ICMPv4 on the Windows firewall in order to ping the instance.

Important

You must configure any security group or network ACL in your VPC that filters traffic to the instance to allow inbound and outbound ICMP traffic.

You can monitor the status of your VPN connections using the Amazon VPC console or by using the Amazon EC2 API/CLI. You can view information about your VPN connections, including their state, the time since the last state change, and descriptive error text.

To test end-to-end connectivity

  1. After the instance is running, get its private IP address (for example, 10.0.0.4). The Amazon EC2 console displays the address as part of the instance's details.

  2. From a computer in your network that is behind the customer gateway, use the ping command with the instance's private IP address. A successful response is similar to the following:

    PROMPT> ping 10.0.0.4
    Pinging 10.0.0.4 with 32 bytes of data:
    
    Reply from 10.0.0.4: bytes=32 time<1ms TTL=128
    Reply from 10.0.0.4: bytes=32 time<1ms TTL=128
    Reply from 10.0.0.4: bytes=32 time<1ms TTL=128
    
    Ping statistics for 10.0.0.4:
    Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
    
    Approximate round trip times in milliseconds:
    Minimum = 0ms, Maximum = 0ms, Average = 0ms

You can now use SSH or RDP to connect to your instance in the VPC. For more information about how to connect to a Linux instance, see Connect to Your Linux Instance in the Amazon Elastic Compute Cloud User Guide. For more information about how to connect to a Windows instance, see Connect to Your Windows Instance in the Amazon Elastic Compute Cloud Microsoft Windows Guide.

Replacing Compromised Credentials

If you believe that the tunnel credentials for your VPN connection have been compromised, you can change the IKE preshared key. To do so, delete the VPN connection, create a new one using the same virtual private gateway, and configure the new keys on your customer gateway. You also need to confirm that the tunnel's inside and outside addresses match, because these might change when you recreate the VPN connection. While you perform the procedure, communication with your instances in the VPC stops, but the instances continue to run uninterrupted. After the network administrator implements the new configuration information, your VPN connection uses the new credentials, and the network connection to your instances in the VPC resumes.

Important

This procedure requires assistance from your network administrator group.

To change the IKE preshared key

  1. Delete the VPN connection. For more information, see Deleting a VPN Connection. You don't need to delete the VPC or the virtual private gateway.

  2. Create a new VPN connection and download the new configuration file. For more information, see Step 5: Create a VPN Connection and Configure the Customer Gateway.

Deleting a VPN Connection

If you no longer need a VPN connection, you can delete it.

Important

If you delete your VPN connection and then create a new one, you have to download new configuration information and have your network administrator reconfigure the customer gateway.

To delete a VPN connection

  1. Open the Amazon VPC console.

  2. In the navigation pane, click VPN Connections.

  3. Select the VPN connection and click Delete.

  4. In the Delete VPN Connection dialog box, click Yes, Delete.

If you no longer require a customer gateway, you can delete it. You can't delete a customer gateway that's being used in a VPN connection.

To delete a customer gateway

  1. In the navigation pane, click Customer Gateways.

  2. Select the customer gateway to delete and click Delete.

  3. In the Delete Customer Gateway dialog box, click Yes, Delete.

If you no longer require a virtual private gateway for your VPC, you can detach it.

To detach a virtual private gateway

  1. In the navigation pane, click Virtual Private Gateways.

  2. Select the virtual private gateway and click Detach from VPC.

  3. In the Detach from VPC dialog box, click Yes, Detach.

If you no longer require a detached virtual private gateway, you can delete it. You can't delete a virtual private gateway that's still attached to a VPC.

To delete a virtual private gateway

  1. Select the virtual private gateway to delete and click Delete.

  2. In the Delete Virtual Private Gateway dialog box, click Yes, Delete.