Saturday, July 16, 2022

AWS-VPN Connection

 By Default, VPC launched in AWS can't communicate with your own VPN.VPN site-to-site connection helps you to enable the communication between AWS VPC and your own premise VPN.

Below are the important terms which we need to know about the site-to-site VPN perspective. 

VPN Connection:- A secure connection between your own premise equipment and your AWS VPC.

VPN Tunnel:- An encrypted link where data can pass from your network to or from AWS VPC. Each VPN connection includes 2 VPN tunnels that can be used for high availability.

Customer Gateway:- An AWS resource that provides information to AWS about your customer gateway device.

Customer Gateway Device:- A physical device or a software application on the customer side.


I am creating VPC in North Virginia Region and Singapore Region.

1. Create a VPC in North Virginia Region with the following configurations

    VPC CIDR : -

    Public Subnet:-

2.  Create a VPC in Singapore Region with the following configurations

    VPC CIDR : -

    Public Subnet:-

3. Create a public EC2 instance in the Singapore region within the same VPC and subnet.

4. Configure below in North Virginia Region.

    VPN---> VPNGateway ---> Create VPN Gateway ( AWS VPN Gateway)

    Attach to AWS VPC

5. Create a Customer Gateway (CGW-1) and in the IP address copy the IP address of the Singapore region's EC2 instance public IP.

6. Select Site-to-site VPN connection in N Virginia Region and Click on Create VPN VPN Connection

     Select the VPGateway and CGW-1

     Routing Options--> Static and provide the CIDR range of Singapore VPC (

    Create the VPN Connection

7. Select the RouteTable of N Virginia Region and in the Route Propagation tab select the VPN Gateway and Enable it.

8. Select VPN site-site connection and Download the Configuration with Generic Vendor.

9. Select EC2 instance of the Singapore region and connect it.

Run below commands on this instance

1. Commands for Installation of Openswan i. Change to root user: $ sudo su ii. Install openswan: $ yum install openswan -y iii. In /etc/ipsec.conf uncomment following line if not already uncommented: include /etc/ipsec.d/*.conf iv. Update /etc/sysctl.conf to have following net.ipv4.ip_forward = 1 net.ipv4.conf.all.accept_redirects = 0 net.ipv4.conf.all.send_redirects = 0 v. Restart network service: $ service network restart 2. Command for /etc/ipsec.d/aws-vpn.conf conn Tunnel1 authby=secret auto=start left=%defaultroute leftid=Customer end Gateway VPN public IP right=AWS Virtual private gateway ID- public IP type=tunnel ikelifetime=8h keylife=1h phase2alg=aes128-sha1;modp1024 ike=aes128-sha1;modp1024 keyingtries=%forever keyexchange=ike leftsubnet= rightsubnet= dpddelay=10 dpdtimeout=30 dpdaction=restart_by_peer 3. Contents for /etc/ipsec.d/aws-vpn.secrets customer_public_ip aws_vgw_public_ip: PSK "shared secret" 4. Commands to enable/start ipsec service $ chkconfig ipsec on $ service ipsec start $ service ipsec status


Post a Comment