Getting started with AWS Site-to-Site VPN - AWS Site-to-Site VPN

Getting started with AWS Site-to-Site VPN

Use the following procedure to set up an AWS Site-to-Site VPN connection. During creation, you will specify a virtual private gateway, a transit gateway, or "Not associated" as the target gateway type. If you specify "Not associated", you can choose the target gateway type at a later time, or you can use it as a VPN attachment for AWS Cloud WAN. This tutorial helps you create a VPN connection using a virtual private gateway. It assumes that you have an existing VPC with one or more subnets.

To set up a VPN connection using a virtual private gateway, complete the following steps:

Related tasks

Prerequisites

You need the following information to set up and configure the components of a VPN connection.

Item Information
Customer gateway device The physical or software device on your side of the VPN connection. You need the vendor (for example, Cisco), platform (for example, ISR Series Routers), and software version (for example, IOS 12.4).
Customer gateway To create the customer gateway resource in AWS, you need the following information:
  • The internet-routable IP address for the device's external interface

  • The type of routing: static or dynamic

  • For dynamic routing, the Border Gateway Protocol (BGP) Autonomous System Number (ASN)

  • (Optional) Private certificate from AWS Private Certificate Authority to authenticate your VPN

For more information, see Customer gateway options.

(Optional) The ASN for the AWS side of the BGP session

You specify this when you create a virtual private gateway or transit gateway. If you do not specify a value, the default ASN applies. For more information, see Virtual private gateway.

VPN connection To create the VPN connection, you need the following information:

Step 1: Create a customer gateway

A customer gateway provides information to AWS about your customer gateway device or software application. For more information, see Customer gateway.

If you plan to use a private certificate to authenticate your VPN, create a private certificate from a subordinate CA using AWS Private Certificate Authority. For information about creating a private certificate, see Creating and managing a private CA in the AWS Private Certificate Authority User Guide.

Note

You must specify either an IP address, or the Amazon Resource Name of the private certificate.

To create a customer gateway using the console
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Customer gateways.

  3. Choose Create customer gateway.

  4. (Optional) For Name tag, enter a name for your customer gateway. Doing so creates a tag with a key of Name and the value that you specify.

  5. For BGP ASN, enter a Border Gateway Protocol (BGP) Autonomous System Number (ASN) for your customer gateway.

  6. (Optional) For IP address, enter the static, internet-routable IP address for your customer gateway device. If your customer gateway device is behind a NAT device that's enabled for NAT-T, use the public IP address of the NAT device.

  7. (Optional) If you want to use a private certificate, for Certificate ARN, choose the Amazon Resource Name of the private certificate.

  8. (Optional) For Device, enter a name for the customer gateway device associated with this customer gateway.

  9. Choose Create customer gateway.

To create a customer gateway using the command line or API

Step 2: Create a target gateway

To establish a VPN connection between your VPC and your on-premises network, you must create a target gateway on the AWS side of the connection. The target gateway can be a virtual private gateway or a transit gateway.

Create a virtual private gateway

When you create a virtual private gateway, you can specify a custom private Autonomous System Number (ASN) for the Amazon side of the gateway, or use the Amazon default ASN. This ASN must be different from the ASN that you specified for the customer gateway.

After you create a virtual private gateway, you must attach it to your VPC.

To create a virtual private gateway and attach it to your VPC
  1. In the navigation pane, choose Virtual private gateways.

  2. Choose Create virtual private gateway.

  3. (Optional) For Name tag, enter a name for your virtual private gateway. Doing so creates a tag with a key of Name and the value that you specify.

  4. For Autonomous System Number (ASN), keep the default selection, Amazon default ASN, to use the default Amazon ASN. Otherwise, choose Custom ASN and enter a value. For a 16-bit ASN, the value must be in the 64512 to 65534 range. For a 32-bit ASN, the value must be in the 4200000000 to 4294967294 range.

  5. Choose Create virtual private gateway.

  6. Select the virtual private gateway you created, then choose Actions, Attach to VPC.

  7. For Available VPCs, choose your VPC and then choose Attach to VPC.

To create a virtual private gateway using the command line or API
To attach a virtual private gateway to a VPC using the command line or API

Create a transit gateway

For more information about creating a transit gateway, see Transit gateways in Amazon VPC Transit Gateways.

Step 3: Configure routing

To enable instances in your VPC to reach your customer gateway, you must configure your route table to include the routes used by your VPN connection and point them to your virtual private gateway or transit gateway.

(Virtual private gateway) Enable route propagation in your route table

You can enable route propagation for your route table to automatically propagate Site-to-Site VPN routes.

For static routing, the static IP prefixes that you specify for your VPN configuration are propagated to the route table when the status of the VPN connection is UP. Similarly, for dynamic routing, the BGP-advertised routes from your customer gateway are propagated to the route table when the status of the VPN connection is UP.

Note

If your connection is interrupted but the VPN connection remains UP, any propagated routes that are in your route table are not automatically removed. Keep this in mind if, for example, you want traffic to fail over to a static route. In that case, you might have to disable route propagation to remove the propagated routes.

To enable route propagation using the console
  1. In the navigation pane, choose Route tables.

  2. Select the route table that's associated with the subnet.

  3. On the Route propagation tab, choose Edit route propagation. Select the virtual private gateway that you created in the previous procedure, and then choose Save.

Note

If you do not enable route propagation, you must manually enter the static routes used by your VPN connection. To do this, select your route table, choose Routes, Edit. For Destination, add the static route used by your Site-to-Site VPN connection. For Target, select the virtual private gateway ID, and choose Save.

To disable route propagation using the console
  1. In the navigation pane, choose Route tables.

  2. Select the route table that's associated with the subnet.

  3. On the Route propagation tab, choose Edit route propagation. Clear the Propagate check box for the virtual private gateway.

  4. Choose Save.

To enable route propagation using the command line or API
To disable route propagation using the command line or API

(Transit gateway) Add a route to your route table

If you enabled route table propagation for your transit gateway, the routes for the VPN attachment are propagated to the transit gateway route table. For more information, see Routing in Amazon VPC Transit Gateways.

If you attach a VPC to your transit gateway and you want to enable resources in the VPC to reach your customer gateway, you must add a route to your subnet route table to point to the transit gateway.

To add a route to a VPC route table
  1. On the navigation pane, choose Route tables.

  2. Choose the route table that is associated with your VPC.

  3. On the Routes tab, choose Edit routes.

  4. Choose Add route.

  5. For Destination, enter the destination IP address range. For Target, choose the transit gateway.

  6. Choose Save changes.

Step 4: Update your security group

To allow access to instances in your VPC from your network, you must update your security group rules to enable inbound SSH, RDP, and ICMP access.

To add rules to your security group to enable access
  1. In the navigation pane, choose Security groups.

  2. Select the default security group for the VPC.

  3. On the Inbound rules tab, choose Edit inbound rules.

  4. Add rules that allow inbound SSH, RDP, and ICMP access from your network, and then choose Save rules. For more information, see Work with security group rules in the Amazon VPC User Guide.

Step 5: Create a VPN connection

Create the VPN connection using the customer gateway in combination with the virtual private gateway or transit gateway that you created earlier.

To create a VPN connection
  1. In the navigation pane, choose Site-to-Site VPN connections.

  2. Choose Create VPN connection.

  3. (Optional) For Name tag, enter a name for your VPN connection. Doing so creates a tag with a key of Name and the value that you specify.

  4. For Target gateway type, choose either Virtual private gateway or Transit gateway. Then, choose the virtual private gateway or transit gateway that you created earlier.

  5. For Customer gateway, select Existing, then choose the customer gateway that you created earlier from Customer gateway ID.

  6. Select one of the routing options based on whether your customer gateway device supports Border Gateway Protocol (BGP):

    • If your customer gateway device supports BGP, choose Dynamic (requires BGP).

    • If your customer gateway device does not support BGP, choose Static. For Static IP Prefixes, specify each IP prefix for the private network of your VPN connection.

  7. If your target gateway type is transit gateway, for Tunnel inside IP version, specify whether the VPN tunnels support IPv4 or IPv6 traffic. IPv6 traffic is only supported for VPN connections on a transit gateway.

  8. If you specified IPv4 for Tunnel inside IP version, you can optionally specify the IPv4 CIDR ranges for the customer gateway and AWS sides that are allowed to communicate over the VPN tunnels. The default is 0.0.0.0/0.

    If you specified IPv6 for Tunnel inside IP version, you can optionally specify the IPv6 CIDR ranges for the customer gateway and AWS sides that are allowed to communicate over the VPN tunnels. The default for both ranges is ::/0.

  9. For Outside IP address type, keep the default option, PublicIpv4.

  10. (Optional) For Tunnel options, you can specify the following information for each tunnel:

    • A size /30 IPv4 CIDR block from the 169.254.0.0/16 range for the inside tunnel IPv4 addresses.

    • If you specified IPv6 for Tunnel inside IP version, a /126 IPv6 CIDR block from the fd00::/8 range for the inside tunnel IPv6 addresses.

    • The IKE pre-shared key (PSK). The following versions are supported: IKEv1 or IKEv2.

    • To edit the advanced options for your tunnel, choose Edit tunnel options. For more information, see VPN tunnel options.

  11. Choose Create VPN connection. It might take a few minutes to create the VPN connection.

To create a VPN connection using the command line or API

Step 6: Download the configuration file

After you create the VPN connection, you can download a sample configuration file to use for configuring the customer gateway device.

Important

The configuration file is an example only and might not match your intended VPN connection settings entirely. It specifies the minimum requirements for a VPN connection of AES128, SHA1, and Diffie-Hellman group 2 in most AWS Regions, and AES128, SHA2, and Diffie-Hellman group 14 in the AWS GovCloud Regions. It also specifies pre-shared keys for authentication. You must modify the example configuration file to take advantage of additional security algorithms, Diffie-Hellman groups, private certificates, and IPv6 traffic.

We have introduced IKEv2 support in the configuration files for many popular customer gateway devices and will continue to add additional files over time. For a list of configuration files with IKEv2 support, see Your customer gateway device.

Permissions

To properly load the download configuration screen from the AWS Management Console, you must ensure that your IAM role or user has permission for the following Amazon EC2 APIs: GetVpnConnectionDeviceTypes and GetVpnConnectionDeviceSampleConfiguration.

To download the configuration file using the console
  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Site-to-Site VPN connections.

  3. Select your VPN connection and choose Download configuration.

  4. Select the Vendor, Platform, Software, and IKE version that correspond to your customer gateway device. If your device is not listed, choose Generic.

  5. Choose Download.

To download a sample configuration file using the command line or API

Step 7: Configure the customer gateway device

Use the sample configuration file to configure your customer gateway device. The customer gateway device is the physical or software appliance on your side of the VPN connection. For more information, see Your customer gateway device.