AWS Device Farm
Developer Guide (API Version 2015-06-23)

Working with Amazon Virtual Private Cloud Across Regions

This section describes how to reach your VPC endpoint in another region. If Device Farm and your endpoint are in the same region, see Using Amazon Virtual Private Cloud (VPC) Endpoints in Device Farm.

You can connect any two VPCs in different regions, as long as they have distinct, non-overlapping CIDR blocks. This ensures that all of the private IP addresses are unique and allows all of the resources in the VPCs to address each other without the need for any form of network address translation. For more information about CIDR notation, see RFC 4632.

Device Farm VPC Cross-Region Example

VPC Component              VPC-1          VPC-2
CIDR                       10.0.0.0/16    172.16.0.0/16
Public subnet              10.0.0.0/24    172.16.0.0/24
Private subnet             10.0.1.0/24    172.16.1.0/24
VPN instance private IP    10.0.0.5       172.16.0.5
VPN instance elastic IP    EIP-1          EIP-2

This section describes a cross-region scenario. Device Farm is located in the AWS us-west-2 region and is referred to here as VPC-1. The second VPC in this example is in another AWS region and is referred to as VPC-2.
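
The non-overlap requirement can be checked before any gateway is created. This added example (not part of the AWS guide) validates the addressing plan from the table above with Python's ipaddress module; the PLAN structure and the check_plan name are illustrative.

```python
import ipaddress

# Addressing plan from the example table above (VPC-1 and VPC-2).
PLAN = {
    "VPC-1": {"cidr": "10.0.0.0/16", "public": "10.0.0.0/24",
              "private": "10.0.1.0/24", "vpn_ip": "10.0.0.5"},
    "VPC-2": {"cidr": "172.16.0.0/16", "public": "172.16.0.0/24",
              "private": "172.16.1.0/24", "vpn_ip": "172.16.0.5"},
}

def check_plan(plan):
    """Return a list of problems that would break routing without NAT."""
    problems = []
    nets = {name: ipaddress.ip_network(v["cidr"]) for name, v in plan.items()}
    names = sorted(nets)
    # 1. VPC CIDR blocks must be pairwise disjoint.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")
    for name, v in plan.items():
        public = ipaddress.ip_network(v["public"])
        private = ipaddress.ip_network(v["private"])
        # 2. Each subnet must sit inside its own VPC block.
        for label, sub in (("public", public), ("private", private)):
            if not sub.subnet_of(nets[name]):
                problems.append(f"{name} {label} subnet {sub} is outside {nets[name]}")
        # 3. Subnets of one VPC must not overlap each other.
        if public.overlaps(private):
            problems.append(f"{name} public and private subnets overlap")
        # 4. The VPN instance lives in the public subnet.
        if ipaddress.ip_address(v["vpn_ip"]) not in public:
            problems.append(f"{name} VPN instance {v['vpn_ip']} is not in {public}")
    return problems

if __name__ == "__main__":
    for line in check_plan(PLAN) or ["plan is consistent"]:
        print(line)
```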


[Figure: Work with private devices across regions.]

Prerequisites

  • Two VPCs configured with both public and private subnets.

  • An Elastic IP address associated with each of the VPC-1 and VPC-2 public subnets.

Step 1: Connect Device Farm to a VPC in the Same Region

Establish a private connection (AWS PrivateLink) between Device Farm and an endpoint in your VPC. For more information, see Using Amazon Virtual Private Cloud (VPC) Endpoints in Device Farm.

Step 2: Set Up an OpenVPN server in the Device Farm Region (VPC-1)

  1. Go to the Amazon VPC console. You might be prompted for your AWS credentials.

  2. From the VPC Dashboard, choose Launch EC2 Instances.

  3. From the left navigation bar, choose AWS Marketplace.

  4. Search for OpenVPN Access Server.

    
    [Figure: Choose the OpenVPN AMI.]

  5. Choose Select to display the OpenVPN summary page.

  6. Choose Continue to go to the next page.

  7. Choose an Amazon EC2 instance type.

  8. Choose Next: Configure Instance Details.

    1. From Subnet, choose your public subnet.

  9. Accept the defaults on these pages:

    1. Choose Next: Add Storage to go to the next page.

    2. Choose Next: Add Tags.

    3. Choose Next: Configure Security Group.

  10. Confirm the OpenVPN security group settings:

    • SSH port 22

    • Custom TCP Rule port 943

    • HTTPS port 443

    • Custom UDP Rule port 1194

    Choose Review and Launch.

  11. Choose any media type, and then choose Next.

  12. Choose Launch.

  13. Choose an existing key pair or create one, and then choose Launch Instances.

  14. It can take some time for the instance to launch. Choose View Instances to track the status of your Amazon EC2 instance.

  15. Disable the source and destination IP address checks for your VPC traffic.

    1. On the EC2 Instances page, from Actions, choose Networking.

    2. Choose Change Source/Dest.

    3. Choose Yes, Disable.

    
    [Figure: Disable OpenVPN source and destination checks.]
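
As an added example (not from the AWS guide), the following audits a security group's inbound rules against the four ports confirmed in step 10 and flags SSH or port 943 when they are reachable from outside a given admin range. The input mirrors the IpPermissions list returned by aws ec2 describe-security-groups; the sample rules, the admin range and the admin-only policy are assumptions of this example, and only IPv4 ranges are examined.

```python
import ipaddress

# Inbound rules listed in step 10, as (protocol, port).
EXPECTED = {("tcp", 22), ("tcp", 943), ("tcp", 443), ("udp", 1194)}
# Assumption of this example: SSH and port 943 are reachable from admin ranges only.
ADMIN_ONLY = {("tcp", 22), ("tcp", 943)}

# Constructed sample in the shape of IpPermissions from describe-security-groups.
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 943, "ToPort": 943, "IpRanges": [{"CidrIp": "198.51.100.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "udp", "FromPort": 1194, "ToPort": 1194, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

def audit_ingress(ip_permissions, admin_cidrs):
    """Return findings for missing, unexpected or over-exposed inbound rules."""
    admin_nets = [ipaddress.ip_network(c) for c in admin_cidrs]
    seen, findings = set(), []
    for perm in ip_permissions:
        proto = perm["IpProtocol"]
        if proto == "-1":                       # all protocols, all ports
            findings.append("rule allows all traffic")
            continue
        lo, hi = perm["FromPort"], perm["ToPort"]
        covered = {r for r in EXPECTED if r[0] == proto and lo <= r[1] <= hi}
        if lo != hi or not covered:             # port range, or a port not in step 10
            findings.append(f"unexpected rule {proto} {lo}-{hi}")
        seen |= covered
        for _, port in sorted(covered & ADMIN_ONLY):
            for rng in perm.get("IpRanges", []):
                src = ipaddress.ip_network(rng["CidrIp"])
                if not any(src.subnet_of(net) for net in admin_nets):
                    findings.append(f"{proto}/{port} reachable from {src}")
    findings += [f"missing rule {p}/{port}" for p, port in sorted(EXPECTED - seen)]
    return findings

if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE_RULES, ["198.51.100.0/24"]):
        print(finding)
```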

To configure your OpenVPN server

  1. Sign in to your OpenVPN Amazon EC2 instance over SSH with the user name openvpnas and the key pair you set for this instance. For more information, see Connecting to Your Linux Instance Using SSH.

  2. The OpenVPN Access Server Setup wizard runs automatically when you first sign in. Use this command to run it again:

    sudo ovpn-init --ec2

Step 3: Set Up OpenVPN in a Second Region (VPC-2)

Use the information in step 2 to set up an OpenVPN server in the public subnet of your second region (VPC-2).

Step 4: Configure VPC-1

  1. Go to the Amazon VPC console. You might be prompted for your AWS credentials.

  2. Choose Customer Gateways.

    1. Choose Create Customer Gateway.

    2. For Routing, choose Static.

    3. For Name, enter a name for your gateway.

    4. For IP Address, enter the public IP address of your OpenVPN Access Server instance.

    5. Choose Create Customer Gateway.

    6. If successful, the customer gateway ID is displayed. Choose Close to continue.

  3. Choose Virtual Private Gateways.

    1. For Name, enter a name for your VPG.

    2. Choose Create Virtual Private Gateway.

  4. Choose the virtual private gateway that you just created.

    1. From Actions, choose Attach to VPC.

    2. From VPC, choose your VPC.

    3. From Routing Options, choose Static.

      1. Enter your IP address in CIDR notation.

    4. Choose Yes, Attach.

  5. Choose Route Tables.

    1. Choose the routing table that corresponds to your subnet.

    2. On the Route Propagation tab, choose the VGW identifier for the virtual private gateway that you created earlier, and then choose Add.

  6. Choose VPN Connections.

    1. Choose Create VPN Connection.

    2. From Virtual Private Gateway, choose your virtual private gateway.

    3. From Customer Gateway ID, choose your existing customer gateway.

    4. From Routing Options, choose Static.

      1. For Static IP Addresses, enter your Elastic IP address. For example, if your static IP address is 10.12.34.56, then your CIDR notation for the IP prefix is 10.12.34.0/24.

    5. Choose Create VPN Connection.

    6. If successful, a VPN connection ID is displayed. Choose Close to continue.

  7. Choose Use Static Routing.

  8. Enter the Elastic IP address of the OpenVPN Access Server. Choose the VPN connection that was created, and then note the Tunnel 1 and Tunnel 2 IP addresses in the console.

  9. Choose Download Configuration.

  10. Use SSH to connect to your OpenVPN Access Server instance and open the /etc/ipsec.conf file:

    sudo vi /etc/ipsec.conf

  11. Edit the rightsubnet= value to point to your VPC's CIDR block.

  12. Under the VPC-CUST-GW1 and VPC-CUST-GW2 sections, add the Tunnel 1 and Tunnel 2 IPs and save the file.

  13. Open the /etc/ipsec.secrets file and enter the preshared keys from the VPC-1 configuration file you downloaded earlier.

  14. To start the VPN connection, issue the ipsec start command.

    You can see the status of your VPN connection entries in the Amazon VPC console.
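
An added example (not part of the AWS guide) that cross-checks steps 10 to 13 before you run ipsec start: each VPC-CUST-GW section points at the tunnel IP noted in the console, rightsubnet matches the VPC CIDR, and ipsec.secrets holds a non-empty preshared key for that tunnel. The sample files, the use of the right= key for the tunnel address, and all addresses and keys are constructed assumptions; only IPv4 selectors are handled.

```python
import re

# Constructed sample files; 203.0.113.x and 198.51.100.x are documentation addresses.
SAMPLE_CONF = """\
conn VPC-CUST-GW1
    right=203.0.113.10        # Tunnel 1 (constructed)
    rightsubnet=10.0.0.0/16
conn VPC-CUST-GW2
    right=203.0.113.20        # Tunnel 2 (constructed)
    rightsubnet=10.0.0.0/16
"""
SAMPLE_SECRETS = '''\
198.51.100.5 203.0.113.10 : PSK "constructed-key-1"
198.51.100.5 203.0.113.20 : PSK "constructed-key-2"
'''

def parse_conns(text):
    """ipsec.conf -> {conn name: {key: value}}; '#' starts a comment."""
    conns, cur = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line and not line[0].isspace():        # section header at column 0
            kind, _, name = line.partition(" ")
            cur = conns.setdefault(name.strip(), {}) if kind == "conn" else None
        elif cur is not None and "=" in line:
            key, value = line.strip().split("=", 1)
            cur[key.strip()] = value.strip()
    return conns

def psk_selectors(text):
    """ipsec.secrets -> selectors that carry a non-empty PSK."""
    hits = re.findall(r'^\s*([^#:\n]+):\s*PSK\s+"[^"]+"', text, re.M)
    return {sel for hit in hits for sel in hit.split()}

def check_tunnels(conf, secrets, vpc_cidr, tunnel_ips):
    """tunnel_ips: {section name: tunnel IP noted in the console}."""
    conns, peers, problems = parse_conns(conf), psk_selectors(secrets), []
    for name, ip in tunnel_ips.items():
        conn = conns.get(name)
        if conn is None:
            problems.append(f"{name}: section missing")
            continue
        if conn.get("right") != ip:
            problems.append(f"{name}: right is {conn.get('right')}, expected {ip}")
        if conn.get("rightsubnet") != vpc_cidr:
            problems.append(f"{name}: rightsubnet is {conn.get('rightsubnet')}, expected {vpc_cidr}")
        if ip not in peers:
            problems.append(f"{name}: no PSK for {ip} in ipsec.secrets")
    return problems
```

On the instance, pass the contents of /etc/ipsec.conf and /etc/ipsec.secrets together with the Tunnel 1 and Tunnel 2 addresses from step 8; an empty list means the three files of record agree.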

Step 5: Configure VPC-2

Use the information in step 4 to configure VPC-2. Configure the routing tables in both VPCs to send traffic to the other VPC through the VPN EC2 instances.

Note

You might need to configure multiple route tables for your public and private subnets depending on which subnets you want to route traffic between.

For more information about this use case with an alternative VPN implementation, see Connecting Multiple VPCs with EC2 Instances (SSL).

Step 6: Create a Test Run

You can create test runs using the VPCE configuration from step 1. For more information, see Create a Test Run in AWS Device Farm or Create a Session.