You can connect an existing data center to Amazon VPC using either a hardware or a software VPN connection, which makes Amazon VPC an extension of the data center. Amazon VPC uses two components to connect a corporate network to a VPC: the virtual private gateway (VGW) and the customer gateway (CGW).
The VPN tunnel is established after traffic is generated from the customer’s side of the VPN connection.
You must specify the type of routing that you plan to use when you create a VPN connection. If the CGW supports Border Gateway Protocol (BGP), configure the VPN connection for dynamic routing. Otherwise, configure the connection for static routing. If you use static routing, you must enter the routes for your network that should be communicated to the VGW. Routes will be propagated to the Amazon VPC to allow your resources to route network traffic back to the corporate network through the VGW and across the VPN tunnel.
Amazon VPC also supports multiple CGWs, each having a VPN connection to a single VGW (many-to-one design). To support this topology, the CGW IP addresses must be unique within the region. Amazon VPC will provide the information the network administrator needs to configure the CGW and establish the VPN connection with the VGW. The VPN connection consists of two Internet Protocol Security (IPsec) tunnels for higher availability to the Amazon VPC.
Following are the important points to understand about the VGW, the CGW, and the VPN:
Let’s build a lab together so that we have a better understanding of Site-to-Site VPN.
In this lab, assume that the Main office and the Branch office sit in two VPCs in two different AZs, so that the two sites are on different networks. In each VPC we create an EC2 instance (two in total) that allows SSH from outside, but the two instances cannot connect to or ping each other using their private IP addresses. What we need to do is configure a Site-to-Site VPN so that the private IP addresses can ping each other.
At the beginning, the two EC2 private IP addresses will not be able to ping each other.
Create Security Group for EC2 in Main Office
Create Security Group for EC2 in Branch Office
Create EC2 in Main Office network
Create EC2 in Branch Office network
Create Virtual Private Gateway at Main Office
Create & configure Customer Gateway at Main Office
Create & configure Site-to-Site connection at Main Office
Enable route propagation for the route table of VPC-Main-ASG:
On EC2-Bra-ASG, do the following:
sudo su
yum install openswan -y
Enable IP forwarding and disable ICMP redirects in the kernel (sysctl) settings:
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
Openswan tunnel definition:
conn Tunnel1
    authby=secret
    auto=start
    left=%defaultroute
    leftid=220.127.116.11
    right=18.104.22.168
    type=tunnel
    ikelifetime=8h
    keylife=1h
    phase2alg=aes128-sha1;modp1024
    ike=aes128-sha1;modp1024
    keyingtries=%forever
    keyexchange=ike
    leftsubnet=10.2.0.0/16
    rightsubnet=10.1.0.0/16
    dpddelay=10
    dpdtimeout=30
    dpdaction=restart_by_peer
leftid: public IP address of the Branch office (the customer gateway)
right: public IP address of the AWS VPN tunnel endpoint
leftsubnet: CIDR of the Branch site
rightsubnet: CIDR of the Main site
Pre-shared key for the tunnel (secrets entry):
22.214.171.124 126.96.36.199: PSK "vYiouHnJ1Q2itTl9NCy8zSuOOWciVmz2"
service network restart
chkconfig ipsec on
service ipsec start
service ipsec status
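As an added example (not part of the original post), here is a small Python helper that renders a conn block with the same settings as Tunnel1 above plus the matching secrets line from a set of tunnel parameters, and sanity-checks them before they go onto EC2-Bra-ASG: the two CIDRs must not overlap, both IKE endpoints must be public addresses, the PSK must not be trivially short, and the two tunnels of one connection must use different AWS endpoints. Tunnel1's endpoints and CIDRs are the ones in this post; Tunnel2's endpoint, both PSK values and the function names are assumptions.

```python
import ipaddress

def validate_connection(tunnels):
    """Return a list of problems in one connection's tunnel dicts
    (keys: name, leftid, right, leftsubnet, rightsubnet, psk)."""
    problems = []
    for t in tunnels:
        left = ipaddress.ip_network(t["leftsubnet"])
        right = ipaddress.ip_network(t["rightsubnet"])
        if left.overlaps(right):  # overlapping CIDRs cannot be routed across the tunnel
            problems.append(f"{t['name']}: leftsubnet {left} overlaps rightsubnet {right}")
        for key in ("leftid", "right"):  # both IKE endpoints must be public addresses
            if not ipaddress.ip_address(t[key]).is_global:
                problems.append(f"{t['name']}: {key}={t[key]} is not a public address")
        if len(t["psk"]) < 16:  # AWS-generated PSKs are long; reject obviously weak ones
            problems.append(f"{t['name']}: PSK shorter than 16 characters")
    if len({t["right"] for t in tunnels}) != len(tunnels):  # two endpoints give the HA
        problems.append("tunnels share an AWS endpoint; use both endpoints from the AWS config")
    return problems

def render_conn(t):
    """Render one openswan conn block with the same settings as Tunnel1 above."""
    settings = [
        "authby=secret", "auto=start", "left=%defaultroute",
        f"leftid={t['leftid']}", f"right={t['right']}", "type=tunnel",
        "ikelifetime=8h", "keylife=1h",
        "phase2alg=aes128-sha1;modp1024", "ike=aes128-sha1;modp1024",
        "keyingtries=%forever", "keyexchange=ike",
        f"leftsubnet={t['leftsubnet']}", f"rightsubnet={t['rightsubnet']}",
        "dpddelay=10", "dpdtimeout=30", "dpdaction=restart_by_peer",
    ]
    return f"conn {t['name']}\n" + "".join(f"    {s}\n" for s in settings)

def render_secrets(t):
    """Render the secrets line: '<leftid> <right>: PSK "<key>"'."""
    return f'{t["leftid"]} {t["right"]}: PSK "{t["psk"]}"\n'

# Constructed sample: Tunnel1 endpoints are the post's; Tunnel2's endpoint and both PSKs are placeholders.
BRANCH_TUNNELS = [
    {"name": "Tunnel1", "leftid": "220.127.116.11", "right": "18.104.22.168",
     "leftsubnet": "10.2.0.0/16", "rightsubnet": "10.1.0.0/16", "psk": "placeholder-psk-tunnel1-0123"},
    {"name": "Tunnel2", "leftid": "220.127.116.11", "right": "18.104.22.169",
     "leftsubnet": "10.2.0.0/16", "rightsubnet": "10.1.0.0/16", "psk": "placeholder-psk-tunnel2-4567"},
]

if __name__ == "__main__":
    print(validate_connection(BRANCH_TUNNELS) or "no problems found")
    print("".join(render_conn(t) + render_secrets(t) for t in BRANCH_TUNNELS), end="")
```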