Connecting on-premise network to VPC using VPN

By following the recipe in this section, you can extend your on-premise data center into the cloud by connecting your on-premise network to a VPC using VPN. AWS supports Internet Protocol Security (IPsec) VPN connections. You can create both statically routed and dynamically routed VPN connections in a VPC. The virtual private gateway works on the AWS side of the VPN connection, and the customer gateway (a physical or a software appliance) works on your side of the VPN connection. If you already have an OpenVPN Access Server set up on premises and would like to extend connectivity of your OpenVPN connection to the Amazon Cloud, you can do so easily without purchasing additional hardware. Each VPN connection on the AWS side has two tunnels for redundancy; if one tunnel is taken down for maintenance purposes, your customer gateway can use the second tunnel. Each tunnel has its own unique virtual private gateway public IP address. To handle failures of the customer gateway itself, you can create a second VPN connection using a second customer gateway. After creating a successful VPN connection, you have to update your route tables to direct traffic to your on-premise network, and update the security groups of your instances and the network ACLs of your subnets.

Note

The list of VPN devices that are known to work with Amazon VPC is available at http://aws.amazon.com/vpc/faqs/#C9.

How to do it…

In this section, we present the commands for connecting your on-premise network to the VPC using VPN. The steps to accomplish this include creating a customer gateway, a virtual private gateway (and attaching it to your VPC), and static routes for your VPN connection.

  1. Create a customer gateway with the ipsec.1 type. You have to provide the Internet-routable IP address for the customer gateway's external interface. This IP address must be static.
    $ aws ec2 create-customer-gateway \
    --type ipsec.1 \
    --public-ip 123.252.223.114 \
    --bgp-asn 65000
    
  2. Create a virtual private gateway with the ipsec.1 type.
    $ aws ec2 create-vpn-gateway \
    --type ipsec.1
    
  3. Attach the virtual private gateway (vgw-a74f34f5) to VPC (vpc-0214e967).
    $ aws ec2 attach-vpn-gateway \
    --vpn-gateway-id vgw-a74f34f5 \
    --vpc-id vpc-0214e967
    
  4. Create a VPN connection with static routing.

    The following command creates the VPN connection with static routing between the customer gateway (cgw-762b5124) and virtual private gateway (vgw-a74f34f5). The response includes information that you need to give to your network administrator to configure your customer gateway.

    $ aws ec2 create-vpn-connection \
    --type ipsec.1 \
    --customer-gateway-id cgw-762b5124 \
    --vpn-gateway-id vgw-a74f34f5 \
    --options '{"StaticRoutesOnly":true}'
    
  5. Create static routes for the VPN connection (vpn-d74d3685). The static route allows traffic to be routed from the virtual private gateway to the VPN customer gateway. You have to provide the CIDR block associated with the local subnet of the customer network.
    $ aws ec2 create-vpn-connection-route \
    --vpn-connection-id vpn-d74d3685 \
    --destination-cidr-block 172.30.0.0/16
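Before running steps 1 to 5, it is worth validating the values they take, because a private customer gateway address or an on-premise prefix that overlaps the VPC CIDR only shows up later as a tunnel that never passes traffic. The following script is an added example (not from the book) that checks the customer gateway address, the BGP ASN and the static-route prefixes; the VPC CIDR 10.0.0.0/16 is an assumption, since the recipe does not state the CIDR of vpc-0214e967.

```python
"""Pre-flight checks for the VPN recipe (added example, not from the book)."""
import ipaddress


def check_customer_gateway_ip(ip_str):
    """Return problems with the customer gateway address; [] means it looks usable.
    It must be a public IPv4 address. Whether it is *static* cannot be checked
    here; confirm that with the ISP before creating the customer gateway."""
    ip = ipaddress.ip_address(ip_str)
    if ip.version != 4:
        return [f"{ip} is not IPv4; an ipsec.1 customer gateway needs an IPv4 address"]
    if not ip.is_global:
        return [f"{ip} is not an Internet-routable address (private or reserved)"]
    return []


def check_bgp_asn(asn):
    """Return problems with the ASN. 0 and 65535 are reserved (RFC 7300); a private
    ASN such as 65000 (64512-65534) or a public ASN is acceptable for step 1."""
    if asn < 0 or asn in (0, 65535):
        return [f"ASN {asn} is reserved and cannot be used for a customer gateway"]
    return []


def overlapping_prefixes(vpc_cidr, onprem_cidrs):
    """Return the on-premise prefixes that overlap the VPC CIDR. The VPC's local
    route already covers the VPC CIDR, so an overlapping prefix in step 5 is not
    reachable through the virtual private gateway."""
    vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    return [c for c in onprem_cidrs
            if ipaddress.ip_network(c, strict=True).overlaps(vpc)]


def preflight(vpc_cidr, cgw_ip, asn, onprem_cidrs):
    """Run every check; an empty list means the recipe's inputs are consistent."""
    problems = check_customer_gateway_ip(cgw_ip) + check_bgp_asn(asn)
    problems += [f"{c} overlaps VPC CIDR {vpc_cidr}; it cannot be a static VPN route"
                 for c in overlapping_prefixes(vpc_cidr, onprem_cidrs)]
    return problems


if __name__ == "__main__":
    # Values from the recipe; the VPC CIDR 10.0.0.0/16 is a constructed assumption.
    print("recipe inputs:", preflight("10.0.0.0/16", "123.252.223.114",
                                      65000, ["172.30.0.0/16"]))
    # A misconfiguration: private gateway address plus a prefix inside the VPC.
    for p in preflight("10.0.0.0/16", "192.168.1.1", 65000, ["10.0.1.0/24"]):
        print("problem:", p)
```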
    

How it works…

First, we create a customer gateway that holds information about our VPN device. To do that, we provided the Internet-routable public IP address of our VPN device. Note that the IP address can't be behind your NAT instance, and it must be static. For dynamic routing, you will need to specify the gateway's Border Gateway Protocol (BGP) Autonomous System Number (ASN); this can be either a public or a private ASN (such as those in the 64512–65534 range).

The device on the AWS side of our VPN connection is the virtual private gateway. The virtual private gateway represents the endpoint of our VPN connection. We create a virtual private gateway in our next step. Note that ipsec.1 is the only supported connection type for this virtual private gateway. Then, we attach the virtual private gateway to our VPC.

In the next step, we create a VPN connection between our virtual private gateway and our customer gateway. We specify the option for static routing only.

In the final step, we create a static route associated with our VPN connection between the virtual private gateway and the VPN customer gateway. With static routing, we have to specify every IP prefix of our on-premise network that should communicate with instances in our VPC. Any networks not specified here will not be able to communicate with your Amazon instances. For static routing, the static IP prefixes that you specify for your VPN configuration are propagated to the route table after you've created the VPN connection.

After creating your VPN connection, you must test the end-to-end connectivity of your instances. You would typically launch an instance, configure your security group to enable inbound ICMP, and then use ping to test the connection.

It is recommended to set up a second VPN connection for redundancy. This connection can help maintain traffic flows in cases of customer gateway failures and during maintenance on your customer gateway.
