AWS Site-to-Site VPN Setup Guide

Uploaded by Kuldeep Singh

AWS Site-to-Site VPN

The following are the key concepts for Site-to-Site VPN:

● VPN connection: A secure connection between your on-premises equipment and your
VPCs.
● VPN tunnel: An encrypted link where data can pass from the customer network to or
from AWS. Each VPN connection includes two VPN tunnels which you can
simultaneously use for high availability.
● Customer gateway: An AWS resource which provides information to AWS about your
customer gateway device.
● Customer gateway device: A physical device or software application on your side of the
Site-to-Site VPN connection.
● Target gateway: A generic term for the VPN endpoint on the Amazon side of the
Site-to-Site VPN connection.
● Virtual private gateway: A virtual private gateway is the VPN endpoint on the Amazon
side of your Site-to-Site VPN connection that can be attached to a single VPC.
● Transit gateway: A transit hub that can be used to interconnect multiple VPCs and
on-premises networks, and as a VPN endpoint for the Amazon side of the Site-to-Site VPN
connection.

The following steps can be followed to set up a highly secure Site-to-Site VPN connection
between an on-premises data center and AWS.

Step 1: Plan the VPN Configuration

● Assess Requirements:
    ● Determine the CIDR blocks for your on-premises and AWS networks to avoid
    overlaps.
    ● Plan for high availability by using redundant VPN connections.

● Pre-requisites:
    ● Access to the AWS Management Console with permissions to manage VPCs,
    VPN connections, and customer gateways.
    ● On-premises firewall/router that supports IPsec VPN (IKEv1 or IKEv2).

Step 2: Set up the AWS side

● Check the VPC details (CIDR range, subnets and route tables), assuming the VPC is
already configured.

● Create a Customer Gateway:
    a. In the VPC Dashboard, click Customer Gateways → Create Customer
    Gateway.
    b. Select:
        i. Routing: Static or Dynamic (BGP).
        ii. IP Address: Your on-premises gateway public IP.
        iii. Device Name: Optional, but useful for documentation.

● Create a Virtual Private Gateway (VGW):
    a. Go to Virtual Private Gateways → Create Virtual Private Gateway.
    b. Attach it to your VPC.

● Create a Site-to-Site VPN Connection:
    a. Go to Site-to-Site VPN Connections → Create VPN Connection.
    b. Select the Virtual Private Gateway and Customer Gateway.
    c. Choose:
        i. Routing Option: Static or Dynamic.
        ii. Static Routes: Add on-premises CIDR blocks if static routing is chosen.

● Download the Configuration:
    a. Once created, download the VPN configuration specific to your on-premises
    router/firewall.
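The pre-checks from Step 1 and the static-route input for Step 2 can be scripted before anything is created in the console. The following Python is an added example, not part of this guide or of any AWS tooling; the VPC CIDR, on-premises prefixes and customer gateway address are constructed sample values (a 203.0.113.0/24 documentation address stands in for a real public IP).

```python
import ipaddress

# Constructed sample values, not taken from the guide.
VPC_CIDRS = ["10.0.0.0/16"]
ONPREM_CIDRS = ["192.168.10.0/24", "192.168.20.0/24"]
CUSTOMER_GATEWAY_IP = "203.0.113.10"

# Ranges that cannot be the customer gateway's address: RFC 1918, loopback,
# link-local and carrier-grade NAT. A gateway on one of these sits behind NAT
# and AWS cannot reach it to bring the two tunnels up.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]


def find_overlaps(cidrs_a, cidrs_b):
    """Return (a, b) pairs whose address ranges overlap. strict=True rejects
    CIDRs with host bits set (e.g. 10.0.1.5/16) before they reach the console."""
    nets_a = [ipaddress.ip_network(c, strict=True) for c in cidrs_a]
    nets_b = [ipaddress.ip_network(c, strict=True) for c in cidrs_b]
    return [(str(a), str(b)) for a in nets_a for b in nets_b if a.overlaps(b)]


def customer_gateway_ip_is_public(ip):
    """The customer gateway must be created with a static, public IPv4 address."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and not any(addr in n for n in NON_PUBLIC)


def plan_vpn(vpc_cidrs, onprem_cidrs, cgw_ip):
    """Run the Step 1 checks and return the problems found plus the static
    routes that Step 2 would add when static routing is chosen."""
    problems = [f"VPC {a} overlaps on-premises {b}"
                for a, b in find_overlaps(vpc_cidrs, onprem_cidrs)]
    # The on-premises prefixes must not overlap each other either.
    nets = [ipaddress.ip_network(c, strict=True) for c in onprem_cidrs]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"on-premises {a} overlaps on-premises {b}")
    if not customer_gateway_ip_is_public(cgw_ip):
        problems.append(f"customer gateway IP {cgw_ip} is not a public IPv4 address")
    return {"ok": not problems, "problems": problems,
            "static_routes": [str(n) for n in sorted(nets)]}


if __name__ == "__main__":
    print(plan_vpn(VPC_CIDRS, ONPREM_CIDRS, CUSTOMER_GATEWAY_IP))
```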

Step 3: Configure the on-premises device

1. Import AWS VPN Configuration:
    ● AWS provides configuration templates for most vendors (Cisco, Juniper, etc.).
    ● Import the template or manually configure the on-premises device.

2. Enable Routing:
    ● For static routing, ensure that the routes to AWS are added in the routing table.
    ● For BGP, configure BGP peering with the VPN endpoint.

3. Set Up Firewall Rules:
    ● Allow VPN traffic.
    ● Permit traffic between AWS and on-premises subnets.

Step 4: Configure Route Propagation in AWS

1. Enable Route Propagation in the route table:
    ● Go to the VPC Dashboard → Route Tables.
    ● Select the route table associated with the subnets in your VPC.
    ● Click Edit Route Propagation and enable propagation for the Virtual Private
    Gateway (VGW).

2. Verify Routes:
    ● After enabling route propagation, ensure the on-premises CIDR blocks appear as
    propagated routes in the route table.

Step 5: Verify and Test Connectivity

1. Check Tunnel Status in AWS:
    ● Go to Site-to-Site VPN Connections → Check the status of the VPN
    tunnels (UP/DOWN).

2. Ping Between Endpoints:
    ● Verify connectivity by pinging resources between AWS and on-premises CIDR
    ranges.

3. Route Testing:
    ● Use traceroute or similar tools to validate routing paths.

Step 6: Enhance Security

1. Enable Logging and Monitoring:
    ● Enable VPN Tunnel Logs in AWS.
    ● Use AWS CloudWatch to monitor tunnel metrics.

2. Restrict Traffic:
    ● Use Security Groups and Network ACLs to restrict access to AWS resources.
    ● Apply firewall rules on the on-premises side to allow only required traffic.

3. Enable Encryption at Rest and in Transit:
    ● Ensure that data between AWS and on-premises systems is encrypted at both
    ends.

4. Multi-Factor Authentication:
    ● Consider using MFA or additional layers of access security for sensitive systems.
