Test a Site-to-Site VPN connection - AWS Site-to-Site VPN

Test a Site-to-Site VPN connection

After you create the AWS Site-to-Site VPN connection and configure the customer gateway, you can launch an instance and test the connection by pinging the instance.

Before you begin, make sure of the following:

  • Use an AMI that responds to ping requests. We recommend that you use one of the Amazon Linux AMIs.

  • Configure any security group or network ACL in your VPC that filters traffic to the instance to allow inbound and outbound ICMP traffic. This enables the instance to receive ping requests.

  • If you are using instances running Windows Server, connect to the instance and enable inbound ICMPv4 on the Windows firewall in order to ping the instance.

  • (Static routing) Ensure that the customer gateway device has a static route to your VPC, and that your VPN connection has a static route so that traffic can get back to your customer gateway device.

  • (Dynamic routing) Ensure that the BGP status on your customer gateway device is established. It takes approximately 30 seconds for a BGP peering session to be established. Ensure that routes are advertised correctly over BGP and appear in the subnet route table, so that traffic can get back to your customer gateway. Make sure that both tunnels are configured with BGP routing.

  • Ensure that you have configured routing in your subnet route tables for the VPN connection.
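One way to verify the security group prerequisite above before you start pinging: the check below walks a security group's inbound rules and reports whether ICMP echo requests from your on-premises CIDR are admitted, and whether they are admitted from 0.0.0.0/0 rather than only from the on-premises range. This is an added example, not AWS documentation or AWS code; it assumes the rules are given in the `IpPermissions` shape returned by the EC2 `describe-security-groups` API, and the sample rules and CIDRs are constructed.

```python
import ipaddress

# Constructed sample in the shape of an EC2 security group's inbound
# IpPermissions (as returned by describe-security-groups); not from any real account.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "192.168.0.0/16"}]},
    {"IpProtocol": "icmp", "FromPort": 8, "ToPort": -1,
     "IpRanges": [{"CidrIp": "192.168.0.0/16"}]},
]


def _admits_echo_request(rule):
    """True if an inbound rule admits ICMP echo requests (ICMP type 8)."""
    proto = rule.get("IpProtocol")
    if proto == "-1":          # "all traffic" rule
        return True
    if proto != "icmp":
        return False
    # For ICMP rules, FromPort carries the ICMP type; -1 means every type.
    return rule.get("FromPort") in (-1, 8)


def check_icmp_rules(permissions, on_prem_cidr):
    """Return (allowed, open_to_world) for ping from on_prem_cidr.

    allowed:       some rule lets echo requests in from the whole on-prem range.
    open_to_world: an echo-admitting rule uses a /0 range, i.e. the instance
                   answers ping from anywhere, not just from the VPN side.
    """
    on_prem = ipaddress.ip_network(on_prem_cidr, strict=False)
    allowed = False
    open_to_world = False
    for rule in permissions:
        if not _admits_echo_request(rule):
            continue
        for ip_range in rule.get("IpRanges", []):
            net = ipaddress.ip_network(ip_range["CidrIp"], strict=False)
            if net.version != on_prem.version:
                continue           # skip IPv4/IPv6 mismatch
            if net.prefixlen == 0:
                open_to_world = True
            if on_prem.subnet_of(net):
                allowed = True
    return allowed, open_to_world
```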

To test connectivity
  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. On the dashboard, choose Launch instance.

  3. (Optional) For Name, enter a descriptive name for your instance.

  4. For Application and OS Images (Amazon Machine Image), choose Quick Start, and then choose the operating system for your instance.

  5. For Key pair name, choose an existing key pair or create a new one.

  6. For Network settings, choose Select existing security group, and then choose the security group that you configured.

  7. In the Summary panel, choose Launch instance.

  8. After the instance is running, get its private IP address (for example, 10.0.0.4). The Amazon EC2 console displays the address as part of the instance's details.

  9. From a computer in your network that is behind the customer gateway device, use the ping command with the instance's private IP address.

    ping 10.0.0.4

    A successful response is similar to the following.

    Pinging 10.0.0.4 with 32 bytes of data:
    Reply from 10.0.0.4: bytes=32 time<1ms TTL=128
    Reply from 10.0.0.4: bytes=32 time<1ms TTL=128
    Reply from 10.0.0.4: bytes=32 time<1ms TTL=128

    Ping statistics for 10.0.0.4:
        Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),
    Approximate round trip times in milliseconds:
        Minimum = 0ms, Maximum = 0ms, Average = 0ms

    To test tunnel failover, you can temporarily disable one of the tunnels on your customer gateway device and then repeat this step. You can't disable a tunnel on the AWS side of the VPN connection.

  10. To test the connection from AWS to your on-premises network, you can use SSH or RDP to connect to your instance from your network. You can then run the ping command with the private IP address of another computer in your network, to verify that both sides of the connection can initiate and receive requests.

    For more information about how to connect to a Linux instance, see Connect to your Linux instance in the Amazon EC2 User Guide for Linux Instances. For more information about how to connect to a Windows instance, see Connect to your Windows instance in the Amazon EC2 User Guide for Windows Instances.