AWS Site-to-Site VPN
User Guide


Getting Started

Use the following procedures to manually set up the AWS Site-to-Site VPN connection. Alternatively, you can let the VPC creation wizard take care of many of these steps for you. For more information about using the VPC creation wizard to set up the virtual private gateway, see Scenario 3: VPC with Public and Private Subnets and AWS Site-to-Site VPN Access or Scenario 4: VPC with a Private Subnet Only and AWS Site-to-Site VPN Access in the Amazon VPC User Guide.

To set up a Site-to-Site VPN connection, complete the steps in the following sections. These procedures assume that you have a VPC with one or more subnets.

Create a Customer Gateway

A customer gateway provides information to AWS about your customer gateway device or software application. For more information, see Customer Gateway.

If you plan to use a private certificate to authenticate your VPN, create a private certificate from a subordinate CA using AWS Certificate Manager Private Certificate Authority. For information about creating a private certificate, see Creating and Managing a Private CA in the AWS Certificate Manager Private Certificate Authority User Guide.

Note

You must specify either an IP address or the Amazon Resource Name (ARN) of the private certificate.

To create a customer gateway using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Customer Gateways, and then Create Customer Gateway.

  3. Complete the following and then choose Create Customer Gateway:

    • (Optional) For Name, enter a name for your customer gateway. Doing so creates a tag with a key of Name and the value that you specify.

    • For Routing, select the routing type.

    • For dynamic routing, for BGP ASN, enter the Border Gateway Protocol (BGP) Autonomous System Number (ASN).

    • (Optional) For IP Address, type the static, internet-routable IP address for your customer gateway device. If your customer gateway is behind a NAT device that's enabled for NAT-T, use the public IP address of the NAT device.

      Note

      This is optional when you use a private certificate for VPN connections to a virtual private gateway (VGW).

    • (Optional) If you want to use a private certificate, for Certificate ARN, choose the Amazon Resource Name of the private certificate.

To create a customer gateway using the command line or API

Create a Virtual Private Gateway

When you create a virtual private gateway, you can optionally specify the private Autonomous System Number (ASN) for the Amazon side of the gateway. The ASN must be different from the BGP ASN specified for the customer gateway.

After you create a virtual private gateway, you must attach it to your VPC.

To create a virtual private gateway and attach it to your VPC

  1. In the navigation pane, choose Virtual Private Gateways, Create Virtual Private Gateway.

  2. (Optional) Enter a name for your virtual private gateway. Doing so creates a tag with a key of Name and the value that you specify.

  3. For ASN, leave the default selection to use the default Amazon ASN. Otherwise, choose Custom ASN and enter a value. For a 16-bit ASN, the value must be in the 64512 to 65534 range. For a 32-bit ASN, the value must be in the 4200000000 to 4294967294 range.

  4. Choose Create Virtual Private Gateway.

  5. Select the virtual private gateway that you created, and then choose Actions, Attach to VPC.

  6. Select your VPC from the list and choose Yes, Attach.

To create a virtual private gateway using the command line or API

To attach a virtual private gateway to a VPC using the command line or API

Enable Route Propagation in Your Route Table

To enable instances in your VPC to reach your customer gateway, you must configure your route table to include the routes used by your Site-to-Site VPN connection and point them to your virtual private gateway. You can enable route propagation for your route table to automatically propagate those routes to the table for you.

For static routing, the static IP prefixes that you specify for your VPN configuration are propagated to the route table when the status of the Site-to-Site VPN connection is UP. Similarly, for dynamic routing, the BGP-advertised routes from your customer gateway are propagated to the route table when the status of the Site-to-Site VPN connection is UP.

Note

If your connection is interrupted, any propagated routes in your route table are not automatically removed. You may have to disable route propagation to remove the propagated routes; for example, if you want traffic to fail over to a static route.

To enable route propagation using the console

  1. In the navigation pane, choose Route Tables, and then select the route table that's associated with the subnet. By default, this is the main route table for the VPC.

  2. On the Route Propagation tab in the details pane, choose Edit, select the virtual private gateway that you created in the previous procedure, and then choose Save.

Note

For static routing, if you do not enable route propagation, you must manually enter the static routes used by your Site-to-Site VPN connection. To do this, select your route table, choose Routes, Edit. For Destination, add the static route used by your Site-to-Site VPN connection. For Target, select the virtual private gateway ID, and choose Save.

To disable route propagation using the console

  1. In the navigation pane, choose Route Tables, and then select the route table that's associated with the subnet.

  2. Choose Route Propagation, Edit. Clear the Propagate check box for the virtual private gateway, and choose Save.

To enable route propagation using the command line or API

To disable route propagation using the command line or API

Update Your Security Group

To allow access to instances in your VPC from your network, you must update your security group rules to allow inbound SSH, RDP, and ICMP access from your network's address range.

To add rules to your security group to enable inbound SSH, RDP, and ICMP access

  1. In the navigation pane, choose Security Groups, and then select the default security group for the VPC.

  2. On the Inbound tab in the details pane, add rules that allow inbound SSH, RDP, and ICMP access from your network, and then choose Save. For more information about adding inbound rules, see Adding, Removing, and Updating Rules in the Amazon VPC User Guide.

For more information about working with security groups using the AWS CLI, see Security Groups for Your VPC in the Amazon VPC User Guide.

Create a Site-to-Site VPN Connection and Configure the Customer Gateway Device

After you create the Site-to-Site VPN connection, download the configuration information and use it to configure the customer gateway device or software application.

To create a Site-to-Site VPN connection and configure the customer gateway

  1. In the navigation pane, choose Site-to-Site VPN Connections, Create VPN Connection.

  2. Complete the following information, and then choose Create VPN Connection:

    • (Optional) For Name tag, enter a name for your Site-to-Site VPN connection. Doing so creates a tag with a key of Name and the value that you specify.

    • Select the virtual private gateway that you created earlier.

    • Select the customer gateway that you created earlier.

    • Select one of the routing options based on whether your VPN router supports Border Gateway Protocol (BGP):

      • If your VPN router supports BGP, choose Dynamic (requires BGP).

      • If your VPN router does not support BGP, choose Static. For Static IP Prefixes, specify each IP prefix for the private network of your Site-to-Site VPN connection.

    • Under Tunnel Options, you can optionally specify the following information for each tunnel:

      • A size /30 CIDR block from the 169.254.0.0/16 range for the inside tunnel IP addresses.

      • The IKE pre-shared key (PSK). Both IKEv1 and IKEv2 are supported.

      • Advanced tunnel information: the encryption algorithms, integrity algorithms, and Diffie-Hellman groups for phases 1 and 2 of the IKE negotiations; the IKE version; the phase 1 and 2 lifetimes; the rekey margin time; the rekey fuzz; the replay window size; and the dead peer detection interval.

      For more information about these options, see Site-to-Site VPN Tunnel Options for Your Site-to-Site VPN Connection.

    It may take a few minutes to create the Site-to-Site VPN connection. When it's ready, select the connection and choose Download Configuration.

  3. In the Download Configuration dialog box, select the vendor, platform, and software that corresponds to your customer gateway device or software, and then choose Yes, Download.
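A pre-flight check, added here as an example and not part of the AWS guide, that validates a planned connection against the constraints the preceding procedures state: an IP address or certificate ARN for the customer gateway, a private Amazon-side ASN that differs from the customer gateway ASN, a /30 inside tunnel CIDR from 169.254.0.0/16 for each tunnel, and at least one static prefix when routing is static. The function names and sample values are constructed, and the list of address space treated as not internet-routable (RFC 1918, loopback, link-local, shared CGNAT space) is an assumption.

```python
import ipaddress

# Constraints from the guide: private ASN ranges for the Amazon side, and the block
# from which each tunnel's /30 inside CIDR must be taken.
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))
TUNNEL_INSIDE_BLOCK = ipaddress.ip_network("169.254.0.0/16")
# Assumption: address space that is never internet-routable (RFC 1918, loopback, link-local, CGNAT).
NOT_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]

def valid_private_asn(asn):
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)

def parse_cidr(text):
    """Return an ip_network, or None if text is not a valid CIDR (host bits must be zero)."""
    try:
        return ipaddress.ip_network(text)
    except ValueError:
        return None

def check_vpn_plan(routing, amazon_asn, tunnel_cidrs, cgw_ip=None, cgw_asn=None,
                   cert_arn=None, static_prefixes=()):
    """Return the list of violated constraints; an empty list means the plan is consistent."""
    problems = []
    if not cgw_ip and not cert_arn:
        problems.append("customer gateway needs an IP address or a certificate ARN")
    if cgw_ip and any(ipaddress.ip_address(cgw_ip) in n for n in NOT_ROUTABLE):
        problems.append(f"customer gateway IP {cgw_ip} is not internet-routable")
    if not valid_private_asn(amazon_asn):
        problems.append(f"Amazon-side ASN {amazon_asn} is outside the private ranges")
    if routing == "dynamic" and cgw_asn is None:
        problems.append("dynamic routing requires a customer gateway BGP ASN")
    if cgw_asn is not None and cgw_asn == amazon_asn:
        problems.append("customer gateway ASN must differ from the Amazon-side ASN")
    if routing == "static" and not static_prefixes:
        problems.append("static routing requires at least one static IP prefix")
    problems += [f"static prefix {p} is not a valid CIDR"
                 for p in static_prefixes if parse_cidr(p) is None]
    seen = set()  # each tunnel needs its own inside CIDR
    for cidr in tunnel_cidrs:
        net = parse_cidr(cidr)
        if net is None:
            problems.append(f"tunnel CIDR {cidr} is not a valid CIDR")
        elif net.version != 4 or net.prefixlen != 30 or not net.subnet_of(TUNNEL_INSIDE_BLOCK):
            problems.append(f"tunnel CIDR {cidr} must be a /30 inside 169.254.0.0/16")
        elif net in seen:
            problems.append(f"tunnel CIDR {cidr} is assigned to more than one tunnel")
        seen.add(net)
    return problems
```

Run the check on the values you intend to enter in the console before creating the gateways; it catches the mismatches that otherwise only surface as a failed creation or a tunnel that never comes UP.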

To create a Site-to-Site VPN connection using the command line or API

Configure the Customer Gateway Device

Give the configuration file that you downloaded to your network administrator, along with this guide: Amazon VPC Network Administrator Guide. The network administrator configures the customer gateway device with the settings that match the customer gateway. After the network administrator configures the customer gateway device, the Site-to-Site VPN connection is operational.

Editing Static Routes for a Site-to-Site VPN Connection

For static routing, you can add, modify, or remove the static routes for your VPN configuration.

To add, modify, or remove a static route

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Site-to-Site VPN Connections.

  3. Choose Static Routes, Edit.

  4. Modify your existing static IP prefixes, or choose Remove to delete them. Choose Add Another Rule to add a new IP prefix to your configuration. When you are done, choose Save.

Note

If you have not enabled route propagation for your route table, you must manually update the routes in your route table to reflect the updated static IP prefixes in your Site-to-Site VPN connection. For more information, see Enable Route Propagation in Your Route Table.

To add a static route using the command line or API

To delete a static route using the command line or API