AWS Site-to-Site VPN

A large number of businesses and organisations run workloads both on-premises and in the cloud. In this hybrid approach, users in the corporate office often need to reach services hosted on AWS, and there are many more use cases (such as extending Active Directory to AWS).

By default, instances that you launch into an Amazon VPC can’t communicate with your on-premises network. You can enable access from your VPC to your remote network (and the other way round) by creating an AWS Site-to-Site VPN connection. That way you can securely reach your on-premises environment from your AWS environment and vice versa.

Although there are other ways to achieve this, a Site-to-Site VPN connection is the easiest and fastest to implement, and it is also the most cost-effective option.

Below is a diagram of an AWS Site-to-Site VPN connection to an on-premises network.

Let’s have a look at the components and the security used:

  • Virtual Private Gateway (VGW): a logical gateway object on the AWS side, which is the target of one or more route tables.
  • Customer Gateway (CGW): a logical configuration on AWS that represents the physical on-premises router on which the VPN terminates.
  • VPN connection: a secure connection between your on-premises equipment and your VPCs.
  • VPN tunnel: an encrypted link through which data passes between the customer network and AWS.
  • IPsec: this type of VPN uses the Internet Protocol Security (IPsec) protocol suite to establish a secure connection between your on-premises network and your VPC. IPsec is a widely used, industry-standard protocol that provides strong encryption and authentication.

During deployment you can authenticate your Site-to-Site VPN tunnel endpoints with either a pre-shared key or certificates; the pre-shared key is the default authentication option.

One of the key steps in configuring Site-to-Site VPN is choosing the routing protocol to use. AWS supports two routing protocols: Border Gateway Protocol (BGP) and static routing.

BGP is a dynamic routing protocol that automatically updates routing information and adapts to changes in the network. It’s typically used in large, complex networks and is more suited to environments with a high degree of network churn. BGP also allows for automatic failover, which can be useful in case of link failure.

Static routing, on the other hand, uses manually configured routes rather than dynamically learned routes. It’s a simpler, more straightforward approach that’s well suited to small or stable networks. Static routing is easy to set up and manage.

To configure Site-to-Site VPN with BGP, you will need to create a Virtual Private Gateway (VGW) and attach it to your VPC. Next, you will need to create a Customer Gateway (CGW) on your on-premises network and configure it with the appropriate settings. Then, you will need to create a VPN connection between the VGW and the CGW and configure BGP on both ends.

To configure Site-to-Site VPN with static routing, you will also need to create a Virtual Private Gateway (VGW) and attach it to your VPC. Next, you will need to create a Customer Gateway (CGW) on your on-premises network and configure it with the appropriate settings. Then, you will need to create a VPN connection between the VGW and the CGW, but this time you will configure static routes on both ends.

There is also the option of using a Transit Gateway (TGW) instead of a Virtual Private Gateway; we will discuss that option in another post.

Routing Propagation

To implement dynamic routing, you need to enable route propagation on the VPC route table (the VPC router level). In addition, the on-premises physical router must support BGP, because route propagation relies on the routes learned over BGP.

With BGP configured on both the on-premises and the AWS sides, each identified by its Autonomous System Number (ASN), network routing information is exchanged in both directions.
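To make the difference between the two routing modes and the effect of route propagation concrete, here is an added example (not code from the original post) that models how a VPC route table picks a route. It encodes the AWS-documented priority rules: the VPC's local route beats any propagated route even when the propagated prefix is more specific; otherwise the longest prefix wins, and on an equal prefix a static route beats a propagated one. In BGP mode the on-premises prefixes appear as propagated routes pointing at the VGW; with StaticRoutesOnly you must add them yourself, both on the VPN connection and in the route table. The gateway and interface ids, the VPC CIDR and the on-premises prefixes are constructed placeholders.

```python
"""Model of VPC route selection for propagated vs static routes (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    cidr: str
    target: str
    origin: str  # "local" (VPC CIDR), "static" (added by hand) or "propagated" (learned via the VGW)


# Tie-break on an equal prefix length: local, then static, then propagated.
ORIGIN_RANK = {"local": 0, "static": 1, "propagated": 2}


def propagate_bgp_routes(vgw_id: str, learned_prefixes) -> list:
    """BGP mode: prefixes advertised by the customer gateway show up in the
    route table as propagated routes whose target is the VGW."""
    return [Route(prefix, vgw_id, "propagated") for prefix in learned_prefixes]


def static_vpn_routes(vgw_id: str, onprem_prefixes) -> list:
    """Static mode (StaticRoutesOnly=true): nothing is learned, so each
    on-premises prefix must be added manually as a static route to the VGW."""
    return [Route(prefix, vgw_id, "static") for prefix in onprem_prefixes]


def resolve(route_table, destination: str):
    """Return the route VPC routing would pick for `destination`, or None."""
    ip = ipaddress.ip_address(destination)
    candidates = [r for r in route_table if ip in ipaddress.ip_network(r.cidr)]
    if any(r.origin == "local" for r in candidates):
        # The local route wins over propagated routes regardless of prefix length.
        candidates = [r for r in candidates if r.origin != "propagated"]
    if not candidates:
        return None
    candidates.sort(key=lambda r: (-ipaddress.ip_network(r.cidr).prefixlen,
                                   ORIGIN_RANK[r.origin]))
    return candidates[0]


def build_table(static_routes_only: bool) -> list:
    """Constructed sample: VPC 10.0.0.0/16, on-premises 192.168.0.0/16."""
    vgw = "vgw-0123456789abcdef0"  # placeholder id
    table = [
        Route("10.0.0.0/16", "local", "local"),
        # Hypothetical inspection appliance (ENI) for one on-premises subnet.
        Route("192.168.10.0/24", "eni-0123456789abcdef0", "static"),
    ]
    onprem = ["192.168.0.0/16", "10.0.1.0/24"]  # the second overlaps the VPC CIDR
    if static_routes_only:
        table += static_vpn_routes(vgw, onprem[:1])
    else:
        table += propagate_bgp_routes(vgw, onprem)
    return table


if __name__ == "__main__":
    for mode in (False, True):
        table = build_table(static_routes_only=mode)
        print("StaticRoutesOnly =", mode)
        for dst in ("192.168.10.5", "192.168.20.5", "10.0.1.7", "198.51.100.7"):
            print(f"  {dst:>14} ->", resolve(table, dst))
```

The overlapping 10.0.1.0/24 advertisement is the case worth noticing: with BGP it lands in the table as a propagated route, but the local route still wins for 10.0.1.7, so an on-premises misconfiguration (or a rogue advertisement) cannot hijack traffic inside the VPC CIDR.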

The following CloudFormation template can be used to deploy a Site-to-Site VPN, with some configurable options (like BGP or static routing). It is for demonstration purposes, to quickly deploy a VPN; adapt it to your requirements.

AWSTemplateFormatVersion: '2010-09-09'
Description: >-
  CloudFormation template to create a Site-to-Site VPN on AWS

Metadata:
  AWS::CloudFormation::Interface:
    ParameterGroups:
      - Label:
          default: CGW configuration
        Parameters:
          - BgpAsn
          - CGWIPAddress
      - Label:
          default: VPG configuration
        Parameters:
          - VpcId
          - PrivateRouteTable
      - Label:
          default: VPN configuration
        Parameters:
          - StaticRoutesOnly
          - PreSharedKey
      - Label:
          default: Tags
        Parameters:
          - pTagName
    ParameterLabels:
      CGWIPAddress:
        default: CGW Type
      BgpAsn:
        default: BGP ASN (Use Default value)
      StaticRoutesOnly:
        default: Use for Static Routing
      PreSharedKey:
        default: Type the PreSharedKey

Parameters:
  BgpAsn:
    Default: '65000'
    Description: Enter the BGP ASN
    Type: Number
    MinValue: '1'
    MaxValue: '65534'
  StaticRoutesOnly:
    AllowedValues:
      - "true"
      - "false"
    Default: "false"
    Description: Set to "true" for devices that don't support BGP
    Type: String
  CGWIPAddress:
    Description: Enter the IP for CGW
    Type: String
  PreSharedKey:
    Description: Enter the PreShared Key
    Type: String
    NoEcho: "true"
  VpcId:
    # Added parameter: the VGW has to be attached to a VPC (see VPNGatewayAttachment).
    Description: The VPC id the Virtual Private Gateway is attached to
    Type: AWS::EC2::VPC::Id
  PrivateRouteTable:
    Description: The Private Route Table id, in your VPC
    Type: String
  pTagName:
    Type: String
    Description: Enter the Product Name

Resources:
  CustomerGateway:
    Type: AWS::EC2::CustomerGateway
    Properties:
      Type: ipsec.1
      BgpAsn: !Ref BgpAsn
      IpAddress: !Ref CGWIPAddress
      Tags:
        - Key: Name
          Value: !Sub ${pTagName}-CGW

  VPNGateway:
    Type: AWS::EC2::VPNGateway
    Properties:
      Type: ipsec.1
      Tags:
        - Key: Name
          Value: !Sub ${pTagName}-VPG

  # Added resource: without the attachment, route propagation cannot be enabled.
  VPNGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VpcId
      VpnGatewayId: !Ref VPNGateway

  VPNGatewayRoutePropagation:
    Type: AWS::EC2::VPNGatewayRoutePropagation
    DependsOn: VPNGatewayAttachment
    Properties:
      RouteTableIds:
        - !Ref PrivateRouteTable
      VpnGatewayId: !Ref VPNGateway

  VPNConnection:
    Type: AWS::EC2::VPNConnection
    Properties:
      Type: ipsec.1
      StaticRoutesOnly: !Ref StaticRoutesOnly
      CustomerGatewayId: !Ref CustomerGateway
      VpnGatewayId: !Ref VPNGateway
      # PreSharedKey is a per-tunnel option, not a top-level property.
      # A Site-to-Site VPN connection has two tunnels; one entry per tunnel.
      VpnTunnelOptionsSpecifications:
        - PreSharedKey: !Ref PreSharedKey
        - PreSharedKey: !Ref PreSharedKey
      Tags:
        - Key: Name
          Value: !Sub ${pTagName}-VPN
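Before deploying the template it pays to check the parameter values locally, in particular that the pre-shared key is both acceptable to AWS and not a weak one, since with the default authentication option it is the only secret protecting the tunnels. The following added example (not code from the original post) generates a key that meets the AWS pre-shared key constraints (8-64 characters, letters, digits, '.' and '_', not starting with '0') and validates a parameter set against those constraints, the template's own ASN range (1-65534) and the requirement that the customer gateway address be publicly routable. The 20-character minimum and the three-character-class rule are an assumed local policy, not an AWS requirement; the sample values are constructed.

```python
"""Pre-deployment checks for the Site-to-Site VPN template parameters (added example)."""
import ipaddress
import re
import secrets
import string

# AWS constraints for a VPN pre-shared key: 8-64 chars of [A-Za-z0-9._], not starting with '0'.
PSK_PATTERN = re.compile(r"^[A-Za-z1-9._][A-Za-z0-9._]{7,63}$")
PSK_ALPHABET = string.ascii_letters + string.digits + "._"
POLICY_MIN_PSK_LENGTH = 20  # assumed local policy, stricter than the AWS minimum

# Ranges that can never be a customer gateway's public endpoint.
NON_ROUTABLE = [ipaddress.ip_network(c) for c in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]


def generate_psk(length: int = 32) -> str:
    """Return a random key that satisfies the AWS pre-shared key constraints."""
    if not 8 <= length <= 64:
        raise ValueError("pre-shared key length must be 8-64 characters")
    while True:
        psk = "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))
        if psk[0] != "0":  # AWS rejects keys that start with a zero
            return psk


def check_psk(psk: str) -> list:
    """AWS syntax check first, then the (assumed) local strength policy."""
    if not PSK_PATTERN.match(psk):
        return ["PreSharedKey: must be 8-64 chars of [A-Za-z0-9._] and not start with '0'"]
    findings = []
    if len(psk) < POLICY_MIN_PSK_LENGTH:
        findings.append(f"PreSharedKey: shorter than {POLICY_MIN_PSK_LENGTH} chars (local policy)")
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "._")
    if sum(1 for cls in classes if any(ch in cls for ch in psk)) < 3:
        findings.append("PreSharedKey: use at least three character classes (local policy)")
    return findings


def check_cgw_ip(address: str) -> list:
    """The CGW address is the on-premises device's public IPv4 endpoint."""
    try:
        ip = ipaddress.IPv4Address(address)
    except ipaddress.AddressValueError:
        return [f"CGWIPAddress: {address!r} is not an IPv4 address"]
    if any(ip in net for net in NON_ROUTABLE):
        return [f"CGWIPAddress: {address} is not a publicly routable address"]
    return []


def check_bgp(asn, static_routes_only: str) -> list:
    findings = []
    if static_routes_only not in ("true", "false"):
        findings.append('StaticRoutesOnly: must be "true" or "false"')
    if not isinstance(asn, int) or not 1 <= asn <= 65534:
        findings.append("BgpAsn: must be an integer in 1-65534 (template MinValue/MaxValue)")
    return findings


def validate_vpn_parameters(params: dict) -> list:
    """Return a list of findings; an empty list means the parameters pass."""
    findings = []
    findings += check_psk(params.get("PreSharedKey", ""))
    findings += check_cgw_ip(params.get("CGWIPAddress", ""))
    findings += check_bgp(params.get("BgpAsn"), params.get("StaticRoutesOnly", "false"))
    if not re.fullmatch(r"rtb-[0-9a-f]+", params.get("PrivateRouteTable", "")):
        findings.append("PrivateRouteTable: expected a route table id of the form rtb-...")
    return findings


if __name__ == "__main__":
    # Constructed sample parameters; 203.0.113.10 is a documentation address.
    sample = {
        "BgpAsn": 65000,
        "CGWIPAddress": "203.0.113.10",
        "StaticRoutesOnly": "false",
        "PreSharedKey": generate_psk(),
        "PrivateRouteTable": "rtb-0123456789abcdef0",
        "pTagName": "demo",
    }
    for finding in validate_vpn_parameters(sample) or ["all parameter checks passed"]:
        print(finding)
```

Because the template marks PreSharedKey as NoEcho, the generated key is not shown in the CloudFormation console; keep it in a secrets store and pass it at deploy time rather than committing it next to the template.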


