Cloud computing has already proved its potential. Many organizations have shifted either part or all of their infrastructure to the cloud, and AWS is certainly the undisputed champion of the cloud domain. Many companies need to connect infrastructure hosted on premises to its extension in the AWS cloud. A Site-to-Site VPN serves that need by connecting an organization's on-premises infrastructure to the infrastructure hosted in the AWS cloud.
For this demonstration, I will be using a Meraki Security Appliance to initiate a site-to-site IPSec VPN with a VPC in AWS. I will also describe the various resources that I need to set up the Site-to-Site VPN in this demonstration.
Resources needed for the Lab:
Virtual Private Gateway: A Virtual Private Gateway, or VPG, is a logical VPN concentrator that is attached to a VPC; it is the point from which we connect our infrastructure in AWS to on-premises using an IPSec Site-to-Site VPN. The VPG is distributed and redundant, and hence we can establish two different tunnels between the AWS cloud and on-prem.
Customer Gateway: This is usually a physical device such as a firewall, or sometimes a software-based appliance, that we use at the edge of our on-premises infrastructure to connect to the internet. With a customer gateway, we describe the configuration, addressing and routing that we are using on the on-premises edge device.
Site-to-Site VPN Connection: By creating a VPN connection, we actually create a link between the Virtual Private Gateway and the Customer Gateway. AWS allows us to configure settings so that they sync smoothly with the Customer Gateway. We can also configure various encryption settings and the Pre-Shared Key as per our requirements. Once the connection profile is created, we can download the configuration template, which includes the Public IP of our VPG.
I already have a VPC in the Virginia region. The VPC has a CIDR block of 10.133.0.0/16, which is not used in any of the branches of my organization. In short, the CIDR block used in your VPC must not conflict or overlap with any of your on-premises networks.
We have a few subnets in the said VPC. The one we are interested in is the “FE-App-Srv” subnet, which hosts a few applications consumed by users of my company. Since these applications are crucial to the business, their security is important, and hence they are not hosted in a public subnet. This is why an IPSec Site-to-Site VPN is necessary.
So, let’s start the configuration of the site-to-site IPSec VPN. We start by navigating to the “Virtual Private Gateway” option, located under the Virtual Private Network (VPN) section of the VPC Management Console, and clicking on “Create Virtual Private Gateway”.
Once I clicked on the “Create Virtual Private Gateway” button in the above image, I see the following wizard. I will configure the Name Tag and leave the ASN at the default of Amazon Default ASN. If you have a BGP ASN number, you can continue with a custom ASN, and the routes to on-premises networks will be learned via BGP. We will be configuring static routing, so for now I am not configuring BGP.
Once my Virtual Private Gateway is created, it will be in the detached state. I will need to attach the Virtual Private Gateway to the said VPC by right-clicking on it and clicking on the option “Attach to VPC”.
In the next step I need to create a new Customer Gateway. This is the logical identity of our on-premises VPN appliance in the AWS cloud. To create it, I have to navigate to the Virtual Private Network (VPN) section and select the option “Customer Gateways”, where we can create a new Customer Gateway.
To create a Customer Gateway, I was first prompted to provide a Name Tag, and I opted for Static Routing. You can also go for Dynamic Routing by providing a BGP ASN. Finally, I entered the Public IP that is configured on the Meraki Security Appliance in my office.
Next, I will need to create the tunnel by navigating to the “Site-to-Site VPN Connections” option listed under Virtual Private Network (VPN).
While describing the connection, we need to correctly choose the Virtual Private Gateway and the Customer Gateway that we created in the previous steps. In the routing section, I am choosing static, as I am not using BGP this time. Since I have opted for static routing, I have to specify the network prefix that I have on-premises behind my Customer Gateway. There are further options such as the encryption and integrity algorithms to use, IKE version, passphrase, etc., which I am not changing and am leaving at their defaults. Finally, I will click on Create VPN Connection.
The connection created in the above step should display the state ‘pending’, as we haven’t yet configured the on-premises edge device (Customer Gateway).
To configure the edge device you have on-premises, AWS makes it very simple by providing step-by-step instructions specific to the manufacturer and model of the device we are using at the edge. To download these instructions, I will click on the Download Configuration button in the above image and choose the vendor and model of my edge device. Please note that the Public IP used on the Virtual Private Gateway can be found within the same instruction file. For this demonstration, as mentioned earlier, I am using Cisco Meraki, hence I am choosing the said device.
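The AWS-side steps above (create and attach the VPG, create a static-routing Customer Gateway, create the connection with static routes, and obtain the device configuration) as an added boto3 example; this is not code from the original post. The boto3 calls are real EC2 API operations, while the VPC, route table, edge public IP and on-prem prefix values are placeholders, and the route-table propagation step is my addition so the private subnet has a return path.

```python
import ipaddress


def check_no_overlap(vpc_cidr, onprem_prefixes):
    """True only if no on-prem prefix overlaps the VPC CIDR (the post's 10.133.0.0/16 rule)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return not any(vpc.overlaps(ipaddress.ip_network(p)) for p in onprem_prefixes)


def vpn_connection_params(vgw_id, cgw_id):
    """Keyword arguments for create_vpn_connection: static routing only, no BGP."""
    return {"Type": "ipsec.1", "VpnGatewayId": vgw_id, "CustomerGatewayId": cgw_id,
            "Options": {"StaticRoutesOnly": True}}


def provision(ec2, vpc_id, vpc_cidr, route_table_id, edge_public_ip, onprem_prefixes):
    """Create and attach the VPG, create the CGW and the VPN connection, add static routes."""
    if not check_no_overlap(vpc_cidr, onprem_prefixes):
        raise ValueError("an on-prem prefix overlaps the VPC CIDR; pick a non-overlapping block")
    # Virtual Private Gateway with the Amazon default ASN, then attach it to the VPC.
    vgw_id = ec2.create_vpn_gateway(Type="ipsec.1")["VpnGateway"]["VpnGatewayId"]
    ec2.attach_vpn_gateway(VpnGatewayId=vgw_id, VpcId=vpc_id)
    # Customer Gateway = the on-prem edge device. The API still wants a BGP ASN even for
    # static routing; 65000 is a private-range ASN (the console's default value).
    cgw = ec2.create_customer_gateway(Type="ipsec.1", PublicIp=edge_public_ip, BgpAsn=65000)
    cgw_id = cgw["CustomerGateway"]["CustomerGatewayId"]
    # The connection itself; AWS returns the generic (XML) device configuration, which
    # carries the VPG tunnel IPs and pre-shared keys, in the response.
    conn = ec2.create_vpn_connection(**vpn_connection_params(vgw_id, cgw_id))["VpnConnection"]
    for prefix in onprem_prefixes:  # static routes for the networks behind the edge device
        ec2.create_vpn_connection_route(VpnConnectionId=conn["VpnConnectionId"],
                                        DestinationCidrBlock=prefix)
    # Added step: the private subnet's route table must learn the on-prem prefixes via the
    # VPG, otherwise return traffic from the app servers has no path back.
    ec2.enable_vgw_route_propagation(RouteTableId=route_table_id, GatewayId=vgw_id)
    return conn["VpnConnectionId"], conn["CustomerGatewayConfiguration"]


if __name__ == "__main__":
    import boto3  # imported here so the helpers above are usable without boto3 installed
    client = boto3.client("ec2", region_name="us-east-1")  # Virginia, as in the post
    vpn_id, config_text = provision(client, "vpc-PLACEHOLDER", "10.133.0.0/16",
                                    "rtb-PLACEHOLDER", "203.0.113.10", ["192.168.10.0/24"])
    print(vpn_id)
    print(config_text)
```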
Now let’s move to Cisco Meraki to do the remaining configuration. In the Security & SD-WAN section, under configuration, the Site-to-Site VPN option is listed. I will click on this option.
I will scroll down to Non-Meraki VPN peers section and add a new peer.
I will give a name to the configuration; I named it AWS. I clicked on IPSec Policies and, from the Choose a Preset drop-down menu, I selected AWS and clicked on Update. The next option required is the Public IP, which I find in the configuration file that I downloaded after creating the VPN Connection in the above steps. I entered the private subnet in the AWS VPC that I want the on-prem users to communicate with. Finally, I have to supply the Preshared Secret that I received in the configuration file downloaded earlier. Now I click on Save Changes.
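The two values the Meraki peer entry above needs, the VPG public IP and the pre-shared secret, pulled out of the connection's configuration text, as an added example that is not part of the original post. It assumes the XML form that the EC2 API returns for the connection (the layout below is a constructed sample with placeholder IPs and keys); there is one entry per tunnel because the VPG offers two tunnels.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of the EC2 CustomerGatewayConfiguration XML.
SAMPLE_CONFIG = """<vpn_connection id="vpn-PLACEHOLDER">
  <ipsec_tunnel>
    <vpn_gateway><tunnel_outside_address><ip_address>198.51.100.1</ip_address></tunnel_outside_address></vpn_gateway>
    <ike><pre_shared_key>PLACEHOLDER_PSK_1</pre_shared_key></ike>
  </ipsec_tunnel>
  <ipsec_tunnel>
    <vpn_gateway><tunnel_outside_address><ip_address>198.51.100.2</ip_address></tunnel_outside_address></vpn_gateway>
    <ike><pre_shared_key>PLACEHOLDER_PSK_2</pre_shared_key></ike>
  </ipsec_tunnel>
</vpn_connection>"""


def tunnel_peers(config_xml):
    """Return [(vpg_public_ip, pre_shared_key), ...] in tunnel order, one per tunnel."""
    root = ET.fromstring(config_xml)
    peers = []
    for tunnel in root.findall("ipsec_tunnel"):
        ip = tunnel.findtext("vpn_gateway/tunnel_outside_address/ip_address")
        psk = tunnel.findtext("ike/pre_shared_key")
        if not ip or not psk:
            raise ValueError("tunnel is missing its outside IP address or pre-shared key")
        peers.append((ip.strip(), psk.strip()))
    if len(peers) != 2:
        raise ValueError(f"expected two tunnels from the VPG, found {len(peers)}")
    return peers


if __name__ == "__main__":
    # The Meraki Non-Meraki VPN peer form takes one public IP and one secret, so the
    # first tunnel is the one typed in; the second is the VPG's redundant tunnel.
    for index, (ip, psk) in enumerate(tunnel_peers(SAMPLE_CONFIG), start=1):
        print(f"tunnel {index}: peer public IP {ip}, pre-shared secret length {len(psk)}")
```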
After waiting a while, when I checked the VPN Connection, the green dot next to my connection signified that the connection was up.
In the routing table on Cisco Meraki, I can see that the last entry is the route towards the subnet in the AWS VPC, and it is active.
Similarly, on navigating back to AWS, under Site-to-Site VPN Connections, we see that our connection to Cisco Meraki is listed with its state as available. This process usually takes some time.
So finally, my IPSec Site-to-Site VPN Connection between AWS and on-premises is configured properly. AWS also provides a technology to connect our remote access users to the resources in AWS using a Remote Access VPN. I will soon be back with a blog on the same. If you find this blog useful, please give your review in the comment section below. Also, let me know if you want me to write on a topic of your choice… Signing off, Aftab Shaikh.
Shaikh, Aftab | SevenMentor Pvt Ltd.
© Copyright 2021 | Sevenmentor Pvt Ltd.