Working with Amazon Virtual Private Cloud Across Regions - AWS Device Farm

Working with Amazon Virtual Private Cloud Across Regions

This topic describes how to reach an Amazon Virtual Private Cloud (Amazon VPC) endpoint in another AWS Region. If AWS Device Farm and your VPC endpoint are in the same AWS Region, see Using Amazon Virtual Private Cloud Endpoint Services with AWS Device Farm.

You can connect any two VPCs in different AWS Regions, as long as they have distinct, non-overlapping CIDR blocks. Because the two address spaces do not overlap, every private IP address is unique across both VPCs, so resources in either VPC can address resources in the other directly, without any form of network address translation. For more information about CIDR notation, see RFC 4632.

This topic includes a cross-region example scenario in which Device Farm, and the VPC that connects to it, are in the AWS US West (Oregon) Region (us-west-2); that VPC is referred to as VPC-1. The second VPC in this example is in another AWS Region and is referred to as VPC-2.

Device Farm VPC Cross-Region Example

VPC Component                      VPC-1          VPC-2
CIDR                               10.0.0.0/16    172.16.0.0/16
Public subnet                      10.0.0.0/24    172.16.0.0/24
Private subnet                     10.0.1.0/24    172.16.1.0/24
VPN instance private IP address    10.0.0.5       172.16.0.5
VPN instance Elastic IP address    EIP-1          EIP-2
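Before creating anything, it is worth checking the address plan mechanically: an overlap between the two VPC CIDR blocks, or a subnet that falls outside its VPC, is cheap to fix now and expensive to fix after the gateways and tunnels exist. The following pre-flight check is an added example, not part of the AWS documentation. It uses only the Python standard library and the values from the table above; the PLAN dictionary and its field names are the example's own.

```python
"""Pre-flight check for the cross-region address plan (added example).

Checks that the two VPC CIDR blocks do not overlap, that each subnet lies
inside its VPC, that the public and private subnets are disjoint, and that
each VPN instance's private IP address is inside its public subnet (the
instance is launched in the public subnet in step 2). The values are the
ones from the example table on this page.
"""
import ipaddress

# Address plan copied from the example table.
PLAN = {
    "VPC-1": {
        "cidr": "10.0.0.0/16",
        "public": "10.0.0.0/24",
        "private": "10.0.1.0/24",
        "vpn_instance_ip": "10.0.0.5",
    },
    "VPC-2": {
        "cidr": "172.16.0.0/16",
        "public": "172.16.0.0/24",
        "private": "172.16.1.0/24",
        "vpn_instance_ip": "172.16.0.5",
    },
}


def check_plan(plan):
    """Return a list of problems; an empty list means the plan is usable."""
    problems = []
    nets = {name: ipaddress.ip_network(v["cidr"]) for name, v in plan.items()}

    # Every pair of VPC CIDR blocks must be disjoint. Otherwise addresses are
    # ambiguous across the tunnel and the design would need NAT, which it
    # deliberately avoids.
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} {nets[a]} overlaps {b} {nets[b]}")

    for name, v in plan.items():
        vpc = nets[name]
        if not vpc.is_private:
            problems.append(f"{name} {vpc} is not an RFC 1918 block")
        pub = ipaddress.ip_network(v["public"])
        priv = ipaddress.ip_network(v["private"])
        for label, sub in (("public", pub), ("private", priv)):
            if not sub.subnet_of(vpc):
                problems.append(f"{name} {label} subnet {sub} is outside {vpc}")
        if pub.overlaps(priv):
            problems.append(f"{name} public {pub} overlaps private {priv}")
        # The VPN instance lives in the public subnet (step 2, item 7).
        ip = ipaddress.ip_address(v["vpn_instance_ip"])
        if ip not in pub:
            problems.append(f"{name} VPN instance {ip} is not in public subnet {pub}")
    return problems


if __name__ == "__main__":
    for line in check_plan(PLAN) or ["address plan OK"]:
        print(line)
```

Run it once with your real CIDR blocks substituted into PLAN; any line it prints is a reason the VPN connection in step 4 would not route correctly.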

The following diagram shows the components in the example and the interactions between these components.

[Diagram: Work with private devices across AWS Regions.]

Prerequisites

This example requires the following:

  • Two VPCs that are configured with public and private subnets.

  • An Elastic IP address associated with the VPN instance in the public subnet of each VPC (EIP-1 for VPC-1 and EIP-2 for VPC-2).

Step 1: Connect Device Farm to a VPC in the Same Region

Establish a private connection (AWS PrivateLink) between Device Farm and a VPC endpoint service in VPC-1. For more information, see Using Amazon Virtual Private Cloud Endpoint Services with AWS Device Farm.

Step 2: Set Up an OpenVPN Server in the Device Farm Region (VPC-1)

  1. Open the Amazon VPC console. You might be prompted for your AWS credentials.

  2. From the VPC Dashboard, choose Launch EC2 Instances.

  3. From the left navigation bar, choose AWS Marketplace.

  4. Search for OpenVPN Access Server.

    [Image: Choose the OpenVPN AMI.]
  5. Choose Select to display the OpenVPN summary page, and then choose Continue.

  6. Choose an Amazon EC2 instance type.

  7. Choose Next: Configure Instance Details. For Subnet, choose your public subnet.

  8. Accept the defaults on these pages:

    1. Choose Next: Add Storage.

    2. Choose Next: Add Tags.

    3. Choose Next: Configure Security Group.

  9. Confirm the OpenVPN security group settings:

    • SSH – Port 22 (administration; restrict the source to your own address range rather than 0.0.0.0/0)

    • Custom TCP Rule – Port 943 (Access Server admin and client web UI; restrict the source as for SSH)

    • HTTPS – Port 443

    • Custom UDP Rule – Port 1194 (OpenVPN tunnel)

    Security groups are stateful, so the IPsec tunnels that this instance initiates in step 4 (IKE on UDP port 500, NAT traversal on UDP port 4500) receive their replies without additional rules. If you want the AWS side to be able to initiate a tunnel, also allow those two UDP ports inbound from the Tunnel 1 and Tunnel 2 outside IP addresses.

  10. Choose Review and Launch.

  11. Choose any media type, and then choose Next.

  12. Choose Launch.

  13. Choose an existing key pair or create a new one, and then choose Launch Instances. You need this key pair to sign in to the instance over SSH.

  14. It can take some time for the instance to launch. Choose View Instances to track the status of your Amazon EC2 instance.

  15. Disable the source/destination check on the instance. By default, EC2 drops packets that an instance sends or receives that are not addressed to its own IP address; the VPN instance must forward packets for the other VPC's addresses, so the check has to be off:

    1. On the EC2 Instances page, from Actions, choose Networking, and then choose Change Source/Dest Check.

    2. Choose Yes, Disable.

    [Image: Disable OpenVPN source and destination checks.]
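The security group in item 9 is the only thing between the Internet and the SSH and admin-UI ports of the instance that will hold both tunnels' pre-shared keys, so it is worth auditing rather than accepting. The following check is an added example, not part of the AWS documentation or of OpenVPN Access Server. Rules are written in the shape that boto3's ec2.describe_security_groups returns (IpPermissions), so the same function can be pointed at a live group; the two rule sets, and the assumption that the Marketplace default opens every listed port to 0.0.0.0/0, are constructed for the example, and 203.0.113.0/24 is a documentation prefix standing in for your admin range.

```python
"""Audit the OpenVPN Access Server security group from step 2, item 9
(added example). Flags management ports open to the whole Internet and
required ports that are missing."""

# Ports the page lists for the OpenVPN security group, with their purpose.
REQUIRED_PORTS = {
    ("tcp", 22): "SSH administration",
    ("tcp", 943): "Access Server admin/client web UI",
    ("tcp", 443): "HTTPS (client web UI and TCP fallback)",
    ("udp", 1194): "OpenVPN tunnel",
}
# Ports that should never be reachable from arbitrary sources.
MANAGEMENT_PORTS = {("tcp", 22), ("tcp", 943)}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def rule(proto, port, *cidrs):
    """Build one IpPermissions entry (IPv6 ranges go in Ipv6Ranges)."""
    return {
        "IpProtocol": proto, "FromPort": port, "ToPort": port,
        "IpRanges": [{"CidrIp": c} for c in cidrs if ":" not in c],
        "Ipv6Ranges": [{"CidrIpv6": c} for c in cidrs if ":" in c],
    }


# Constructed: assumed shape of the Marketplace listing's default group.
WEAK_SG = [
    rule("tcp", 22, "0.0.0.0/0"),
    rule("tcp", 943, "0.0.0.0/0"),
    rule("tcp", 443, "0.0.0.0/0"),
    rule("udp", 1194, "0.0.0.0/0"),
]

# Constructed hardened version: admin ports limited to an admin range.
HARDENED_SG = [
    rule("tcp", 22, "203.0.113.0/24"),
    rule("tcp", 943, "203.0.113.0/24"),
    rule("tcp", 443, "0.0.0.0/0"),
    rule("udp", 1194, "0.0.0.0/0"),
]


def _sources(perm):
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def audit_security_group(permissions):
    """Return sorted findings: world-open admin ports and missing required ports."""
    findings = []
    seen = set()
    for perm in permissions:
        proto = perm["IpProtocol"]
        lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
        if proto == "-1":  # "all traffic": every port on every protocol
            lo, hi = 0, 65535
        for (p, port), purpose in REQUIRED_PORTS.items():
            if proto in (p, "-1") and lo <= port <= hi:
                seen.add((p, port))
        for p, port in MANAGEMENT_PORTS:
            if proto in (p, "-1") and lo <= port <= hi:
                for src in _sources(perm):
                    if src in ANYWHERE:
                        findings.append(
                            f"{p}/{port} ({REQUIRED_PORTS[(p, port)]}) open to {src}")
    for p, port in REQUIRED_PORTS.keys() - seen:
        findings.append(f"missing rule for {p}/{port} ({REQUIRED_PORTS[(p, port)]})")
    return sorted(findings)


if __name__ == "__main__":
    print("weak:", audit_security_group(WEAK_SG))
    print("hardened:", audit_security_group(HARDENED_SG))
```

To audit the real group, pass the IpPermissions list of the instance's security group in place of WEAK_SG; an empty result means the four page-listed ports are present and neither admin port is open to the world.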

To configure your OpenVPN server

  1. Sign in to your OpenVPN Amazon EC2 instance using SSH, the user name openvpnas, and the key pair that you set for this instance. For more information, see Connecting to Your Linux Instance Using SSH.

  2. The OpenVPN Access Server Setup wizard runs automatically when you first sign in. Use this command to run it again:

    sudo ovpn-init --ec2

Step 3: Set Up an OpenVPN Server in a Second Region (VPC-2)

Repeat step 2 to set up an OpenVPN Access Server instance in the public subnet of VPC-2, in the second region.

Step 4: Configure VPC-1

  1. Open the Amazon VPC console. You might be prompted for your AWS credentials.

  2. Choose Customer Gateways, enter the gateway settings, and create the customer gateway:

    1. Choose Create Customer Gateway.

    2. For Routing, choose Static.

    3. For Name, enter a name for your gateway.

    4. For IP Address, enter the Elastic IP address of the OpenVPN Access Server instance that terminates this VPN connection.

    5. Choose Create Customer Gateway.

    6. If successful, the customer gateway ID is displayed. Choose Close.

  3. Choose Virtual Private Gateways, and then create the virtual private gateway (VGW):

    1. For Name, enter a name for your VGW.

    2. Choose Create Virtual Private Gateway.

  4. Choose the VGW that you just created, and attach it to the VPC:

    1. From Actions, choose Attach to VPC.

    2. From VPC, choose your VPC.

    3. From Routing Options, choose Static. Enter your IP address in CIDR notation.

    4. Choose Yes, Attach.

  5. Choose Route Tables, and then configure the routing settings:

    1. Choose the routing table that corresponds to your subnet.

    2. On the Route Propagation tab, choose the ID (vgw-...) of the virtual private gateway that you created earlier, and then choose Add. Route propagation adds the VPN connection's static routes to this route table automatically.

  6. Choose VPN Connections, and then create the VPN connection:

    1. Choose Create VPN Connection.

    2. From Virtual Private Gateway, choose your virtual private gateway.

    3. From Customer Gateway ID, choose your existing customer gateway.

    4. From Routing Options, choose Static. For Static IP Prefixes, enter the CIDR block of the network on the far side of the tunnel, not the Elastic IP address of the VPN instance. For VPC-1 in this example, that is the VPC-2 CIDR block, 172.16.0.0/16.

    5. Choose Create VPN Connection.

    6. If successful, a VPN connection ID is displayed. Choose Close.

  7. Confirm that the VPN connection uses static routing and that its customer gateway is the Elastic IP address of the OpenVPN Access Server instance.

  8. Choose the VPN connection, and on the Tunnel Details tab make a note of the outside IP addresses of Tunnel 1 and Tunnel 2. You need them later in this procedure.

  9. Choose Download Configuration. The downloaded file contains the pre-shared key and the outside IP address of each tunnel.

  10. Use SSH to connect to your OpenVPN Access Server instance, and then open the /etc/ipsec.conf file in an editor:

    sudo nano /etc/ipsec.conf
  11. Edit the rightsubnet= value so that it is the CIDR block of the VPC that the virtual private gateway is attached to (10.0.0.0/16 for VPC-1), not only the network mask.

  12. Under the VPC-CUST-GW1 and VPC-CUST-GW2 sections, set the right= peer address of each tunnel to the Tunnel 1 and Tunnel 2 outside IP addresses, respectively, and save the file.

  13. Open the /etc/ipsec.secrets file, and then enter the pre-shared keys from the VPC-1 configuration file that you downloaded earlier, one line per tunnel. Keep this file readable by root only (mode 0600); it holds the keys that authenticate both tunnels.

  14. To start the VPN connection, run sudo ipsec start (or sudo ipsec restart if IPsec is already running), and then check the tunnels with sudo ipsec status.

    After IKE and IPsec negotiation succeeds, the Tunnel Details for the VPN connection in the Amazon VPC console show each tunnel as UP.
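Items 10 to 14 above are where most mistakes in this procedure land: a tunnel address typed into the wrong field, a CIDR block reduced to its mask, or a pre-shared key that fails silently. The following script renders the two tunnel sections and the secrets lines from the values collected in this step. It is an added example, not part of the AWS documentation or of OpenVPN Access Server's own templates: the conn names VPC-CUST-GW1 and VPC-CUST-GW2 are the ones the page refers to, the option set is the Openswan/Libreswan form AWS uses in its downloadable customer gateway configuration, and every address and key is a constructed placeholder from the RFC 5737 documentation ranges. It assumes the instance that terminates the tunnels is the one in VPC-2 (so leftsubnet= is 172.16.0.0/16) and that the virtual private gateway is VPC-1's (so rightsubnet= is 10.0.0.0/16); swap those values when you repeat the step for the other VPC.

```python
"""Render /etc/ipsec.conf tunnel sections and /etc/ipsec.secrets lines for
the two AWS VPN tunnels (added example; all values are placeholders)."""
from dataclasses import dataclass
import ipaddress
import re


@dataclass(frozen=True)
class Tunnel:
    name: str            # conn name the page refers to (VPC-CUST-GW1 / VPC-CUST-GW2)
    vgw_outside_ip: str  # Tunnel 1 / Tunnel 2 outside IP address from the console
    psk: str             # pre-shared key from the downloaded configuration file


# Constructed placeholder values (RFC 5737 documentation ranges, fake keys).
CGW_EIP = "198.51.100.7"       # Elastic IP of the instance terminating the tunnels
LOCAL_CIDR = "172.16.0.0/16"   # assumption: that instance is in VPC-2
VPC_CIDR = "10.0.0.0/16"       # VPC-1, the VPC behind the virtual private gateway
TUNNELS = [
    Tunnel("VPC-CUST-GW1", "203.0.113.10", "Example_PSK_for_tunnel_1"),
    Tunnel("VPC-CUST-GW2", "203.0.113.11", "Example_PSK_for_tunnel_2"),
]

# Shape of the keys AWS generates for Site-to-Site VPN: 8 to 64 characters of
# letters, digits, periods and underscores, not starting with a zero.
PSK_RE = re.compile(r"[1-9A-Za-z._][A-Za-z0-9._]{7,63}")


def validate_tunnel(t):
    """Raise if the peer address or pre-shared key cannot be right."""
    ipaddress.ip_address(t.vgw_outside_ip)
    if not PSK_RE.fullmatch(t.psk):
        raise ValueError(f"{t.name}: pre-shared key is not in the expected format")
    return t


def render_ipsec_conf(cgw_eip, local_cidr, vpc_cidr, tunnels):
    """Return the tunnel sections for /etc/ipsec.conf (Openswan/Libreswan syntax)."""
    ipaddress.ip_address(cgw_eip)
    ipaddress.ip_network(local_cidr)
    ipaddress.ip_network(vpc_cidr)
    stanzas = []
    for t in map(validate_tunnel, tunnels):
        stanzas.append("\n".join([
            f"conn {t.name}",
            "\tauthby=secret",
            "\tauto=start",
            "\tleft=%defaultroute",
            f"\tleftid={cgw_eip}",          # instance sits behind 1:1 NAT; identify by EIP
            f"\tleftsubnet={local_cidr}",
            f"\tright={t.vgw_outside_ip}",  # Tunnel N outside IP address (item 8)
            f"\trightsubnet={vpc_cidr}",    # CIDR behind the virtual private gateway (item 11)
            "\ttype=tunnel",
            "\tkeyexchange=ike",
            "\tkeyingtries=%forever",
            "\tdpddelay=10",
            "\tdpdtimeout=30",
            "\tdpdaction=restart",
        ]) + "\n")
    return "\n".join(stanzas)


def render_ipsec_secrets(cgw_eip, tunnels):
    """Return /etc/ipsec.secrets lines: <local id> <peer> : PSK "<key>"."""
    return "".join(
        f'{cgw_eip} {t.vgw_outside_ip} : PSK "{t.psk}"\n'
        for t in map(validate_tunnel, tunnels)
    )


if __name__ == "__main__":
    print(render_ipsec_conf(CGW_EIP, LOCAL_CIDR, VPC_CIDR, TUNNELS))
    print(render_ipsec_secrets(CGW_EIP, TUNNELS))
```

Paste the rendered conn sections over the VPC-CUST-GW1 and VPC-CUST-GW2 sections of /etc/ipsec.conf, and install the secrets output as root with mode 0600 (for example with sudo install -m 600) rather than leaving a world-readable copy on the instance.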

Step 5: Configure VPC-2

Repeat step 4 for VPC-2, with the roles reversed: the customer gateway is the OpenVPN instance that terminates VPC-2's tunnels, and the static IP prefix is the VPC-1 CIDR block (10.0.0.0/16). Then configure the route tables in both VPCs so that traffic destined for the other VPC's CIDR block is sent over the VPN through the EC2 VPN instances.

Note

You might need to configure multiple routing tables for your public and private subnets, depending on which subnets you want to route traffic between.

For more information about this example scenario and an alternative VPN implementation of it, see Connecting Multiple VPCs with EC2 Instances (SSL).

Step 6: Create a Test Run

You can create test runs that use the VPC endpoint (VPCE) configuration described in step 1. For more information, see Create a Test Run or Create a Remote Access Session.