AWS Site-to-Site VPN extends your data center or branch office to the cloud. The VPN uses encrypted tunnels to protect communications over the Internet, supporting connections to Customer Gateway and Transit Gateway.
1. VPN Components
- Virtual Private Gateway (VGW): The virtual private gateway is the VPN hub on the Amazon side of the Site-to-Site VPN connection.
- Customer Gateway (CGW): The customer gateway refers to the physical device or software application on the customer side of the Site-to-Site VPN connection.
To create a Site-to-Site VPN connection, you must first create a customer gateway resource in AWS, which provides AWS with information about the customer gateway device.
- Transit Gateway: You can also modify the target gateway of the AWS Site-to-Site VPN connection from a virtual private gateway to a transit gateway. A transit gateway is a transit hub that you can use to interconnect Virtual Private Clouds (VPCs) and on-premises networks.
To set up a VPN, first define both ends of the connection. In AWS, this is done through the Virtual Private Gateway (VGW), and in the corporate data center, through the Customer Gateway (CGW). The CGW is a firewall or router that supports IPSec and ideally BGP as well.
On the AWS side, the VGW will provide two managed termination endpoints and associate them with the gateway. The endpoints are located in two availability zones and use public IP addresses from the AWS public address space.
2. Configuration Steps
Enable access to remote networks in the VPC:
- Create a virtual private gateway
- Create a custom route table
- Update security group rules
- Create the AWS Site-to-Site VPN connection
The CGW always initiates the connection; it cannot be initiated from the VGW. If the CGW is configured only to listen for incoming connections, the tunnel will never come up.
3. An Example
This experiment establishes a VPN connection between VPCs in two Regions. VGW VPC CIDR: 10.2.0.0/16; CGW VPC CIDR: 10.1.0.0/16.
1. Create VGW: After creation, attach it to the VPC;
2. Configure CGW: Choose between static routing and dynamic routing. The IP address field takes an Internet-routable IP address for the gateway's external interface; this address must be static and may be behind a device performing Network Address Translation (NAT). The CGW can be hardware or software; here an EC2 instance is used as the CGW;
3. Create VPN connection: Configure the VPN connection on the VGW:
- Static routing: enter the CGW-side prefix 10.1.0.0/16 as the static route for the connection;
- The VGW is assigned two outside IP addresses (tunnel_1 and tunnel_2), which are used to configure the peer VPN in step 5;
- Download the configuration file and record the pre-shared keys for both tunnels;
- Enable route propagation on the VPC route table;
4. Configure the SSH connection: Use the .ppk key file to connect to the CGW instance through its EIP;
5. Configure the CGW IPSec service:
- In ipsec.conf, update the tunnel_1 and tunnel_2 IP addresses;
- In ipsec.secrets, update the tunnel_1 and tunnel_2 IP addresses and pre-shared keys;
6. Test the connection: Restart the ipsec service and ping the VGW-side host 10.2.0.100.
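As an added example (not part of the original walkthrough), the following POSIX shell script renders the strongSwan ipsec.conf and ipsec.secrets for step 5 from the values recorded in step 3. The EIP, tunnel outside IPs and pre-shared keys are constructed placeholders to be replaced with the values from the downloaded configuration file; it assumes the CGW instance runs strongSwan with the legacy ipsec.conf format and uses policy-based tunnels matching the static route above, and it tightens the proposals from the downloaded file's IKEv1 defaults (AES-128/SHA-1/DH group 2) to AES-256/SHA-256/DH group 14, which AWS also accepts.

```shell
#!/bin/sh
# Constructed placeholders: replace with the EIP, tunnel outside IPs and PSKs from the downloaded AWS config file.
CGW_EIP="203.0.113.10"
TUNNEL1_IP="198.51.100.1"
TUNNEL2_IP="198.51.100.2"
TUNNEL1_PSK="REPLACE_WITH_TUNNEL1_PSK"
TUNNEL2_PSK="REPLACE_WITH_TUNNEL2_PSK"
LOCAL_CIDR="10.1.0.0/16"    # CGW VPC
REMOTE_CIDR="10.2.0.0/16"   # VGW VPC
# One policy-based conn stanza: $1 = conn name, $2 = AWS tunnel outside IP.
render_conn() {
    cat <<EOF
conn $1
    auto=start
    keyexchange=ikev1
    authby=secret
    left=%defaultroute
    leftid=$CGW_EIP
    leftsubnet=$LOCAL_CIDR
    right=$2
    rightid=$2
    rightsubnet=$REMOTE_CIDR
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!
    ikelifetime=28800s
    lifetime=3600s
    dpdaction=restart
    dpddelay=10s
    dpdtimeout=30s
    keyingtries=%forever
EOF
}
render_ipsec_conf() {
    printf 'config setup\n    uniqueids=no\n\n'
    render_conn Tunnel1 "$TUNNEL1_IP"; printf '\n'
    render_conn Tunnel2 "$TUNNEL2_IP"
}
# ipsec.secrets: "<local id> <peer ip> : PSK <key>", one line per tunnel.
render_ipsec_secrets() {
    printf '%s %s : PSK "%s"\n' "$CGW_EIP" "$TUNNEL1_IP" "$TUNNEL1_PSK"
    printf '%s %s : PSK "%s"\n' "$CGW_EIP" "$TUNNEL2_IP" "$TUNNEL2_PSK"
}
# Write both files under $1 (normally /etc); the secrets file stays root-only.
install_files() {
    umask 077
    render_ipsec_conf > "$1/ipsec.conf" && chmod 644 "$1/ipsec.conf"
    render_ipsec_secrets > "$1/ipsec.secrets" && chmod 600 "$1/ipsec.secrets"
}
# Usage on the CGW instance as root: install_files /etc && ipsec restart
```

For traffic to flow, the CGW instance also needs IP forwarding enabled and its source/destination check disabled, and the CGW VPC route table needs a route for 10.2.0.0/16 pointing at the instance.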