Connecting an AWS VPC to your VPN — From the Cloud to the Colo

Nicholas Martinez
8 min read · Aug 7, 2018

This article will outline the process for connecting an AWS Virtual Private Cloud (VPC) to a local network. It will explain how to create an Internet Protocol Security (IPsec) VPN tunnel between the two networks. To proceed through this tutorial, you will need to understand how to create EC2 instances if you do not already have instances running in a VPC.


I have broken this process down into seven steps:

  1. Create a Customer Gateway (CGW) pointing to your <firewall_ip>.
  2. Create a Virtual Private Gateway (VPG) and attach it to the VPC of your choice. Tip: If your instances are running in a VPC that you do not wish to connect to your network, you will have to recreate those instances in the VPC you wish to connect. That process is explained here.
  3. Create a Virtual Private Network (VPN) connection. Name it, assign it to the VPG and CGW you created, choose the Static routing option and assign the IP ranges it will need access to on the VPN.
  4. Create a Route Table and assign it to the VPC you are connecting to the VPN. Add the routes for the IP ranges you will need to access on the network and select the VPG you created as their target.
  5. Return to the VPN Connections tab and click Download Configuration. From the vendor list select Vendor -> WatchGuard, Inc., Platform -> XTM, Firebox and Software -> Fireware OS 11.12.2+ (WebUI). Tip: This configuration is specific to your use case and firewall. The configuration download will guide you step by step through the process.
  6. Log into <firewall_ip>:<port> and follow the instructions outlined in the Download Configuration file exactly. It will include all of the AWS information you need to create the VPN tunnel.
  7. Test the connection.

The Nitty Gritty:

Step 1: Creating the Customer Gateway

From the docs:

What Is a Customer Gateway?

An Amazon VPC VPN connection links your data center (or network) to your Amazon VPC virtual private cloud (VPC). A customer gateway is the anchor on your side of that connection. It can be a physical or software appliance. The anchor on the AWS side of the VPN connection is called a virtual private gateway.

To create the customer gateway, navigate to the VPC Dashboard in the AWS console and click the Customer Gateways link at the bottom of the left-hand column. Click Create Customer Gateway and enter a name that will help you identify which network the gateway will be connecting to. In the IP Address field, supply the public-facing IP of the firewall you will be connecting to and then click Create.

Step 2: Creating the Virtual Private Gateway

From the docs:

Virtual Private Gateway

A virtual private gateway is the VPN concentrator on the Amazon side of the VPN connection. You create a virtual private gateway and attach it to the VPC from which you want to create the VPN connection.

The process here is about the same as Step 1, with one addition. Click Create Virtual Private Gateway, name it something helpful, leave the ASN at its default setting and click Create once more. Return to the Virtual Private Gateway dashboard and select the newly created VPG. Click Actions -> Attach to VPC and select the VPC that contains the instances you wish to connect.

Step 3: Creating the Virtual Private Network Connection

From the docs:

AWS Managed VPN

You can create an IPsec VPN connection between your VPC and your remote network. On the AWS side of the VPN connection, a virtual private gateway provides two VPN endpoints (tunnels) for automatic failover.

The VPN connection is where we tie together the Customer Gateway and the Virtual Private Gateway created in the previous steps. Click VPN Connections, then Create VPN Connection, and name the connection something helpful. Next, select the VPG you created in the previous step from the first drop-down, the CGW you created in the first step from the second drop-down, and choose whether you would like dynamic or static routing for the tunnel. Selecting Static lets you expose only the IP range(s) on your network that the VPN tunnel should have access to.

You can read more about VPN routing options here.

Step 4: Creating the Route Table

From the docs:

Route Tables and VPN Route Priority

Route tables determine where network traffic is directed. In your route table, you must add a route for your remote network and specify the virtual private gateway as the target. This enables traffic from your VPC that’s destined for your remote network to route via the virtual private gateway and over one of the VPN tunnels. You can enable route propagation for your route table to automatically propagate your network routes to the table for you.

Click Route Tables in the left-hand column, create a route table and select the correct VPC. If your VPC is going to need access to the outside internet, you will also need to create an Internet Gateway (IGW) and attach it to the VPC you are creating the VPN tunnel for. In the route table configuration pictured in the original article, the first row holds the IP range of the VPC itself with the target set to local (local being our VPC); the second row holds a wide-open IP range whose target must be the IGW we just created. Click the text field in the Target column and the IGW should populate. Finally, add the IP ranges you want the VPN tunnel to reach on the local network and point those ranges at the VPG created in the previous step.
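The route table just described, expressed as a small planner so you can sanity-check the rows before typing them into the console. This is an added example written for this edit, not code from the article; the gateway IDs and on-prem ranges are placeholders and the VPC range is the 172.31.0.0/16 default the article uses. Beyond the three kinds of row the article lists, it refuses an on-prem range that overlaps the VPC's own CIDR, because the local route always wins for that range and such traffic would never reach the tunnel.

```python
import ipaddress

# Constructed values for this example; swap in your own ranges and gateway IDs.
VPC_CIDR = "172.31.0.0/16"                            # the range AWS generated for the VPC
ON_PREM_CIDRS = ["10.10.0.0/16", "192.168.50.0/24"]   # ranges reachable over the tunnel
IGW_ID = "igw-0123456789abcdef0"                      # placeholder Internet Gateway ID
VGW_ID = "vgw-0123456789abcdef0"                      # placeholder Virtual Private Gateway ID


def overlap_problems(vpc_cidr, on_prem_cidrs):
    """Return one message per on-prem range that overlaps the VPC range.

    The VPC's 'local' route always wins for its own CIDR, so a remote prefix
    inside it would never be forwarded to the VGW, and the firewall on the far
    end would see the same range on both sides of the tunnel."""
    vpc = ipaddress.ip_network(vpc_cidr)
    problems = []
    for cidr in on_prem_cidrs:
        net = ipaddress.ip_network(cidr)
        if net.overlaps(vpc):
            problems.append(f"{net} overlaps the VPC range {vpc}")
    return problems


def plan_route_table(vpc_cidr, on_prem_cidrs, igw_id, vgw_id, allow_internet=True):
    """Return the rows from step 4 as (destination, target) tuples, in console order."""
    problems = overlap_problems(vpc_cidr, on_prem_cidrs)
    if problems:
        raise ValueError("; ".join(problems))
    vpc = ipaddress.ip_network(vpc_cidr)
    routes = [(str(vpc), "local")]                # row 1: the VPC's own range
    if allow_internet:
        routes.append(("0.0.0.0/0", igw_id))      # row 2: default route via the IGW
    for cidr in on_prem_cidrs:
        # remaining rows: each on-prem range is sent to the Virtual Private Gateway
        routes.append((str(ipaddress.ip_network(cidr)), vgw_id))
    return routes


def render(routes):
    """Lay the plan out like the console's Routes tab: Destination, Target."""
    width = max(len(dest) for dest, _ in routes)
    lines = [f"{'Destination':<{width}}  Target"]
    lines += [f"{dest:<{width}}  {target}" for dest, target in routes]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(plan_route_table(VPC_CIDR, ON_PREM_CIDRS, IGW_ID, VGW_ID)))
```

Run it with `allow_internet=False` for a VPC that should only ever talk to the office over the tunnel; the default route row then disappears and nothing in the VPC has a path to the internet at all.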

Step 5 & 6: Configure the Firewall

This next step is harder to turn into a tutorial, but thankfully AWS does a wonderful job of providing a detailed step-by-step breakdown of what you will need to configure on your supported firewall. To get started, click VPN Connections at the bottom of the left-hand column. Select the VPN connection we just created and, at the top of the screen, click Download Configuration. The modal that appears has three drop-downs: Vendor, Platform, and Software. Each vendor has a different firewall configuration panel, so if you are unsure about the information requested, find a way to validate your selections before clicking Download. I found the OS version information for my firewall after logging into the firewall, clicking System and then clicking Upgrade OS.

Tip: Follow the configuration instructions closely. They contain all of the relevant IPs for the configuration we just set up, with one exception. (WatchGuard configuration shown below.)

When you are modifying the Static Route Configuration on your Firewall, you will need to replace the IP in step 3.b (shown below) with the IP range supplied by your VPC. In our example, it would be 172.31.0.0/16, the same IP range that was generated when we created the route table in step 4.

! ------------------------------------------------------------------
! #3: Static Route Configuration
!
! Your Customer Gateway needs to set a static route for the prefix corresponding to your
! VPC to send traffic over the tunnel interface.
! An example for a VPC with the prefix 10.0.0.0/16 is provided below:
!
Go to VPN-->BOVPN Virtual Interfaces-->Select vpn-<id> -->Click EDIT
VPN Routes-->Click ADD:
a. Choose Type: Network IPv4
b. Route To: 10.0.0.0/16
c. Metric: 1

Click OK

Step 7: Checking and Testing Tunnel Status

From the VPN Connections console, click the Tunnel Details tab and check the Status column of the table. If you see two green UP indicators in the column, AWS has a connection to your firewall. To test the connection, SSH into one of your instances and ping a machine that exists on your local network. I would also recommend logging into one of your local machines and pinging the instances in your cloud. Keep in mind that you will also need to configure the security group(s) for the instances in the VPC to accept traffic on whatever ports and from whatever IP ranges they will be communicating with.
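The same checks, scripted. This is an added example, not part of the article: the two samples below are constructed in the shape of one `VpnConnections` entry from `describe-vpn-connections` (the `VgwTelemetry`, `Status`, `AcceptedRouteCount` and `Routes` fields are the real ones) and of a security group's inbound `IpPermissions`; the IDs and addresses are placeholders. The functions report how many tunnels are UP, which static routes from step 3 the connection is not advertising, and whether the security group admits the office range while flagging any rule left open to the whole internet.

```python
import ipaddress

# Constructed sample in the shape of one VpnConnections entry returned by
# `aws ec2 describe-vpn-connections` (placeholder ID, documentation addresses).
SAMPLE_VPN = {
    "VpnConnectionId": "vpn-0123456789abcdef0",
    "State": "available",
    "VgwTelemetry": [
        {"OutsideIpAddress": "203.0.113.10", "Status": "UP",
         "StatusMessage": "", "AcceptedRouteCount": 2},
        {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN",
         "StatusMessage": "IPSEC IS DOWN", "AcceptedRouteCount": 0},
    ],
    "Routes": [
        {"DestinationCidrBlock": "10.10.0.0/16", "State": "available"},
        {"DestinationCidrBlock": "192.168.50.0/24", "State": "available"},
    ],
}

# Constructed sample in the shape of a security group's inbound IpPermissions.
SAMPLE_SG_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},            # SSH from anywhere (worth tightening)
    {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
     "IpRanges": [{"CidrIp": "10.10.0.0/16"}]},         # ping from the office range only
]


def tunnel_status(vpn):
    """Return (count of tunnels reporting UP, one summary line per tunnel)."""
    up, summaries = 0, []
    for t in vpn["VgwTelemetry"]:
        if t["Status"] == "UP":
            up += 1
        line = f"{t['OutsideIpAddress']}: {t['Status']} routes={t['AcceptedRouteCount']}"
        summaries.append((line + " " + t.get("StatusMessage", "")).rstrip())
    return up, summaries


def tunnels_healthy(vpn):
    """True only when both tunnels are UP, the two green indicators in the console."""
    return len(vpn["VgwTelemetry"]) == 2 and tunnel_status(vpn)[0] == 2


def missing_routes(vpn, expected_cidrs):
    """Static routes you entered in step 3 that the connection does not list as available."""
    present = {r["DestinationCidrBlock"] for r in vpn["Routes"] if r["State"] == "available"}
    return sorted(set(expected_cidrs) - present)


def rule_allows(rules, proto, port, source_ip):
    """Does any inbound rule admit `proto`/`port` from `source_ip`? (-1 means all ports.)"""
    src = ipaddress.ip_address(source_ip)
    for rule in rules:
        if rule["IpProtocol"] not in ("-1", proto):
            continue
        lo, hi = rule.get("FromPort", -1), rule.get("ToPort", -1)
        if lo != -1 and not lo <= port <= hi:
            continue
        if any(src in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", [])):
            return True
    return False


def world_open_rules(rules):
    """Rules reachable from 0.0.0.0/0; over a VPN you normally want the on-prem ranges only."""
    return [r for r in rules
            if any(ip["CidrIp"] == "0.0.0.0/0" for ip in r.get("IpRanges", []))]


if __name__ == "__main__":
    up, lines = tunnel_status(SAMPLE_VPN)
    print(f"{up}/2 tunnels up")
    print("\n".join(lines))
    print("missing routes:", missing_routes(SAMPLE_VPN, ["10.10.0.0/16", "10.20.0.0/16"]))
    print("office can ping:", rule_allows(SAMPLE_SG_RULES, "icmp", -1, "10.10.4.7"))
    print("rules open to the world:", len(world_open_rules(SAMPLE_SG_RULES)))
```

With the constructed sample only one tunnel is UP, so `tunnels_healthy` is False even though pings may already succeed over the first tunnel; a single UP tunnel means you have no failover, which is the state worth alerting on rather than waiting for both to drop.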

A couple of gotchas:

Bringing multiple regions into your VPN can complicate things quite a bit. For one, the default VPC in every region is created with the same IP range, 172.31.0.0/16. This complicates matters when you want to connect multiple VPCs to the same VPN, as your firewall will complain when you attempt to add the same IP range to two different tunnels. Unfortunately there is no way to modify the CIDR of an existing VPC or change the VPC of an existing EC2 instance. In some cases it may be necessary to create a new VPC, spin up a new instance there, snapshot the running instance, create a volume from the snapshot and attach it as the new instance's root volume.
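A quick way to catch this before the firewall does: list every VPC and on-prem range you intend to put behind the same VPN and look for overlapping pairs. This is an added example, not from the article; the inventory below is constructed (two regions left at the 172.31.0.0/16 default, one custom VPC, and two on-prem ranges, one of which also collides), and `first_free_cidr` simply picks the first candidate range that clashes with nothing already in use when you do have to build a replacement VPC.

```python
import ipaddress
from itertools import combinations

# Constructed inventory: every prefix that will be reachable across the same VPN.
NETWORKS = {
    "vpc-us-east-1 (default)": "172.31.0.0/16",
    "vpc-us-west-2 (default)": "172.31.0.0/16",   # same default range as us-east-1
    "vpc-eu-west-1": "10.50.0.0/16",
    "on-prem office": "10.10.0.0/16",
    "on-prem colo": "10.50.128.0/20",             # sits inside the eu-west-1 VPC range
}


def conflicting_pairs(networks):
    """Return every pair of names whose prefixes overlap, sorted for stable output.

    Any such pair cannot share one VPN: the firewall cannot route one prefix
    down two tunnels, and a VPC's local route shadows an on-prem range inside it."""
    parsed = {name: ipaddress.ip_network(cidr) for name, cidr in networks.items()}
    return sorted(
        (a, b) for a, b in combinations(sorted(parsed), 2)
        if parsed[a].overlaps(parsed[b])
    )


def first_free_cidr(networks, candidates):
    """Return the first candidate prefix that overlaps nothing in use, or None."""
    used = [ipaddress.ip_network(c) for c in networks.values()]
    for cand in candidates:
        net = ipaddress.ip_network(cand)
        if not any(net.overlaps(u) for u in used):
            return str(net)
    return None


if __name__ == "__main__":
    for a, b in conflicting_pairs(NETWORKS):
        print(f"conflict: {a} ({NETWORKS[a]}) overlaps {b} ({NETWORKS[b]})")
    # Candidate ranges for a replacement VPC; the first two collide with the inventory.
    print("next usable VPC range:",
          first_free_cidr(NETWORKS, ["172.31.0.0/16", "10.10.0.0/16", "10.60.0.0/16"]))
```

Run this against the real inventory every time a region or office is added; a clean result is the precondition for the route table in step 4 and the static routes in step 3 to behave as written.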

Do you have local DNS? If so, you are going to need to set up a BIND slave in the AWS VPC and configure the VPC's DHCP Options Set to point to the BIND slave(s). Configuring a BIND slave isn't overly complicated, but it does require a configuration change on the BIND master as well. The BIND servers will communicate with one another, and when a change is made on the master server the slave will be notified and updated. By default, your VPC DHCP Options Set points to AmazonProvidedDNS, so the alternative to setting up a BIND slave is to add the DNS records to your default record set. For more information on AWS DHCP Options Sets, take a look at the documentation.

That should do it.

If everything went off without a hitch and I didn't forget some crucial step in my write-up, your AWS VPC should now be communicating with your local network. If you discovered an error or inaccuracy in the instructions, or simply need some clarification on the process, please comment below and I will do my best to correct the error or help you out.

Don’t forget to check out my other AWS articles linked below:

Build and Connect to an AWS MySQL RDS Database from your network

Spinning up an EC2 instance.

Medium, Lambda, and Me (or how I export Medium stories to my website)

Setting up your Identity and Access Management for AWS
