Connecting an AWS VPC to your VPN — From the Cloud to the Colo

This article will outline the process for connecting an AWS Virtual Private Cloud (VPC) to a local network. It will explain how to create an Internet Protocol Security (IPsec) VPN tunnel between the two networks. To proceed through this tutorial, you will need to understand how to create EC2 instances if you do not already have instances running in a VPC.

Cultura Science/Jason Persoff Stormdoctor/Stone/Getty

I have broken this process down into seven steps:

  1. Create a Customer Gateway (cgw) pointing to your
  2. Create a Virtual Private Gateway (vpg) and attach it to the VPC of your choice. Tip: If your instances are running in a VPC that you do not wish to connect to your network, you will have recreate those instances in the VPC you wish to connect. That process is explained here.
  3. Create a Virtual Private Network (vpn) connection. Name it, assign it to the VPG and CGW you created, choose Static routing options and assign the IP ranges it will need access to on the VPN.
  4. Create a Route Table and assign it to the VPC you are connecting to the VPN. Add the routes for the IP ranges you will need to access on the network and select the CGW you created as its target.
  5. Return to the VPN Connections tab and click Download Configuration. From the vendor list select Vendor -> , Platform -> and Software -> Tip: This configuration is specific to your use case and firewall. The configuration download will guide you step by step through the process.
  6. Log into and follow the instructions outlined in the Download Configuration file explicitly. It will include all of the AWS information you need to create the VPN tunnel.
  7. Test the connection.

The Nitty Gritty:

Step 1: Creating the Customer Gateway

From the docs:

What Is a Customer Gateway?

An Amazon VPC VPN connection links your data center (or network) to your Amazon VPC virtual private cloud (VPC). A customer gateway is the anchor on your side of that connection. It can be a physical or software appliance. The anchor on the AWS side of the VPN connection is called a virtual private gateway.

To create the customer gateway, navigate to the VPC Dashboard on the AWS console and click on the link for at the bottom of the left hand column. Click and enter a name that will help you identify which network the gateway will be connecting to. In the field, supply the public facing IP of the firewall you will be connecting to and then click create.

Step 2: Creating the Virtual Private Gateway

From the docs:

Virtual Private Gateway

A virtual private gateway is the VPN concentrator on the Amazon side of the VPN connection. You create a virtual private gateway and attach it to the VPC from which you want to create the VPN connection.

The process involved here is about the same as Step 1 with one addition. Click name it something helpful, supply it with the default ASN setting and click create once more. Return to the Virtual Private Gateway dashboard then select the newly created VPG. Click and select the AWS VPC the instances you wish to connect are located within.

Step 3: Creating the Virtual Private Network Connection

From the docs:

AWS Managed VPN

You can create an IPsec VPN connection between your VPC and your remote network. On the AWS side of the VPN connection, a virtual private gateway provides two VPN endpoints (tunnels) for automatic failover.

The VPN connection process is where we tie together the Customer Gateway and the Virtual Private Gateway we created in the previous steps. Click on and name the VPN Connection something helpful. Next, select the VPG you created in the previous step from the first drop down, the CGW you created in the first step from the second drop down and choose whether you would like to provide dynamic or static routing form the tunnel. Selecting will allow you to open only the IP range(s) on your network you would like the VPN tunnel to have access to.

You can read more about VPN routing options here.

Step 4: Creating the Route Table

From the docs:

Route Tables and VPN Route Priority

Route tables determine where network traffic is directed. In your route table, you must add a route for your remote network and specify the virtual private gateway as the target. This enables traffic from your VPC that’s destined for your remote network to route via the virtual private gateway and over one of the VPN tunnels. You can enable route propagation for your route table to automatically propagate your network routes to the table for you.

Click on in the left hand column, create a route table and select the correct VPC. If your VPC is going to need access to the outside internet, you will need to create an and attach it to the VPC you are creating the VPN tunnel for. In the image of the route table configuration below, you can see we have the IP range of the local VPC in the first position with the target set to (local being our VPC), the second row includes a wide open IP range and we need to select the IGW we just created as the target. Click on the text field in the column and the IGW should populate. Next, add the IP ranges you want the VPN tunnel to access on the local network and point those IP ranges to the VPG that was created in the previous step.

Step 5 & 6: Configure the Firewall

This next step is more difficult to tutorialize, but thankfully AWS does a wonderful job of providing a detailed step-by-step breakdown of what you will need to configure on your supported firewall. To get started, click on at the bottom of the left column. Select the VPN connection we have just created and at the top of the screen, click on . Within the modal that appears there are going to be three drops downs: , , and . Each vendor has a different firewall configuration panel. If you are unsure about the information requested, find a way to validate your selections then click . I found the OS version information for my firewall after logging into the firewall, clicking system and then clicking Upgrade OS.

Tip: Follow the configuration instructions closely. They contain all of the relevant IPs for the configuration we just set up, with one exception.. (WatchGuard Configuration Shown Below)

When you are modifying the Static Route Configuration on your Firewall, you will need to replace the IP in step 3.b (shown below) with the IP range supplied by your VPC. In our example, it would be , the same IP range that was generated when we created the route table in step 4.

! ------------------------------------------------------------------
! #3: Static Route Configuration
! Your Customer Gateway needs to set a static route for the prefix corresponding to your
! VPC to send traffic over the tunnel interface.
! An example for a VPC with the prefix is provided below:
Go to VPN-->BOVPN Virtual Interfaces-->Select vpn-<id> -->Click EDIT
VPN Routes-->Click ADD:
a. Choose Type: Network IPv4
b. Route To:
c. Metric: 1

Click OK

Step 7: Checking and Testing Tunnel Status

From the console, click on the tab and take check the column of the table. If you see two green indicators in the column, AWS has a connection to your firewall. To test the connection you can SSH into one of your instances and ping a machine that exists on your local network. I would also recommend logging into one of your local machines and pinging the instances in your cloud. Keep in mind that you will also need to configure the security group(s) for the instances in the VPC to accept traffic on whatever ports or IP ranges they will be communicating with.

A couple of gotcha’s:

Bringing multiple regions into your VPN can complicate things quite a bit. For one, the default IP range for a VPC created in a region is the same, . This complicates matters when you want to connect multiple VPCs to the same VPN as your firewall will complain when you attempt to add the same IP range to two different tunnels. Unfortunately there is no way to modify the CIDR of an existing VPC or change the VPC of an existing EC2 instances. In some cases it may be necessary to create a VPC, spin up a new instance, snapshot the running instance, create a volume with it and attach it as the root directory.

Do you have local DNS? If so, you are going to need to set up a BIND slave in the AWS VPC and configure the of the VPC to point to the BIND slave(s). Configuring a BIND slave isn’t overly complicated, but it will require a configuration change on the BIND master as well. The BIND servers will communicate with one another and when a change is made to the master BIND server the slave server will be notified and updated. By default, your VPC DHCP Options Set will point to the default so the alternative to setting up a BIND slave is to add the DNS records to your default records set. For more information on AWS DHCP Options Sets take a look at the documentation.

That should do it.

If everything went off without a hitch and I didn’t forget some crucial step in my write up, your AWS VPC should now be communicating with your local network. If you discovered an error or inaccuracy in the instructions, or simply need some clarification on the process, please comment below and I will do my best to correct the error or help you out.

Don’t forget to check out my other AWS articles linked below:

Build and Connect to an AWS MySQL RDS Database from your network

Spinning up an EC2 instance.

Medium, Lambda, and Me (or how I export Medium stories to my website)

Setting up your Identity and Access Management for AWS

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store