Dynamic Hardware VPN to VPC

- aws networking

This post is part of my note taking while studying for the AWS Certified Advanced Networking - Specialty certification.

A dynamic hardware VPN is the preferred connectivity option to an AWS VPC when time is of the essence and costs need to be kept low. The customer manages hardware at their end and connects to two AWS VPN endpoints. Dynamic routing (BGP) is the best way to ensure both sides of the VPN connection learn about one another's routes.

Steps to create a Hardware VPN with dynamic routing:

  1. Create a virtual private gateway in your AWS account and attach it to your VPC
  2. Create a customer gateway object. This is the AWS representation of the router/firewall on your side
  3. Create the VPN connection
  4. Configure your kit
  5. Enable route propagation

We’ll go through all five steps using the AWS CLI, the AWS API and the Web UI. The following network is used in the examples:

[Diagram: dynamic-hw-vpn]

But first, some notes about BGP route propagation. There are three ways to influence routing with BGP and AWS: weight, local preference, and AS path prepending. Weight and local preference influence which path traffic FROM your data center TO AWS takes. AS path prepending influences which path traffic takes from AWS to your data center. This is achieved by a router prepending its own AS number to the AS path it advertises to the VGW, making one path look as if it passes through more autonomous systems than the other. Weight and local preference are set by an administrator, and the highest value wins.
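To make the direction-of-influence point concrete, here is an added Python simulation (not from the original post) of BGP best-path selection over two tunnels: weight and local preference decide the data center's outbound tunnel, while only AS path length reaches the VGW. The tunnel peer addresses and the AWS-side ASN 64512 are assumed values.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Route:
    """One BGP path to a prefix, learned over (or advertised down) one VPN tunnel."""
    tunnel: str
    as_path: List[int]
    weight: int = 0          # Cisco-style weight: local to the router that sets it
    local_pref: int = 100    # default local preference; not carried across eBGP
    neighbor_ip: str = ""    # deterministic final tie-breaker (lowest wins)


def best_path(routes: List[Route]) -> Route:
    """Pick the best path using the attributes the post discusses, in BGP order:
    highest weight, then highest local preference, then shortest AS path."""
    return min(routes, key=lambda r: (-r.weight, -r.local_pref, len(r.as_path), r.neighbor_ip))


def prepend(route: Route, own_asn: int, times: int) -> Route:
    """The advertisement a router sends over a tunnel after prepending its own ASN."""
    return Route(route.tunnel, [own_asn] * times + route.as_path,
                 route.weight, route.local_pref, route.neighbor_ip)


# Constructed scenario: customer ASN 65534 (as in the post), two tunnels to one VGW.
CUSTOMER_ASN = 65534
AWS_ASN = 64512  # assumed ASN for the AWS side of the VGW peering


def datacenter_choice(tunnel2_weight: int = 0) -> str:
    """Outbound (DC -> AWS) tunnel chosen by the DC router for the VPC prefix."""
    learned = [
        Route("tunnel1", [AWS_ASN], local_pref=200, neighbor_ip="169.254.10.1"),
        Route("tunnel2", [AWS_ASN], weight=tunnel2_weight, neighbor_ip="169.254.11.1"),
    ]
    return best_path(learned).tunnel  # tunnel1 unless weight on tunnel2 overrides


def aws_choice(prepended_tunnel: str = "", times: int = 0) -> str:
    """Return (AWS -> DC) tunnel the VGW picks; only AS path length differs between
    the two advertisements, because weight and local preference never reach the VGW."""
    advertised = []
    for tunnel, ip in (("tunnel1", "169.254.10.2"), ("tunnel2", "169.254.11.2")):
        route = Route(tunnel, [CUSTOMER_ASN], neighbor_ip=ip)
        if tunnel == prepended_tunnel:
            route = prepend(route, CUSTOMER_ASN, times)
        advertised.append(route)
    return best_path(advertised).tunnel  # prepending tunnel1 steers return traffic to tunnel2
```

Without prepending, the DC router sends via tunnel1 while the VGW's choice is a tie-break, so the two directions can take different tunnels; prepending on tunnel1 deliberately moves return traffic to tunnel2.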

How to create a Hardware VPN via the AWS CLI

Create the VGW

$ aws ec2 create-vpn-gateway --type ipsec.1

Output:

{
    "VpnGateway": {
        "State": "available",
        "Type": "ipsec.1",
        "VpnGatewayId": "vgw-9a4cacf3",
        "VpcAttachments": []
    }
}

Create the CGW

$ aws ec2 create-customer-gateway --type ipsec.1 --public-ip 12.1.2.3 --bgp-asn 65534

Output:

{
    "CustomerGateway": {
        "CustomerGatewayId": "cgw-0e11f167",
        "IpAddress": "12.1.2.3",
        "State": "available",
        "Type": "ipsec.1"
    }
}

Create the VPN connection

$ aws ec2 create-vpn-connection --type ipsec.1 --customer-gateway-id cgw-0e11f167 --vpn-gateway-id vgw-9a4cacf3

Output:

{
    "VpnConnection": {
        "VpnConnectionId": "vpn-40f41529",
        "CustomerGatewayConfiguration": "...configuration information...",
        "State": "pending",
        "VpnGatewayId": "vgw-9a4cacf3",
        "CustomerGatewayId": "cgw-0e11f167"
    }
}

Configure your kit

Examples on how to do this can be found here.

Enable route propagation

$ aws ec2 enable-vgw-route-propagation --route-table-id rtb-22574640 --gateway-id vgw-9a4cacf3

Output: none (this command produces no output on success)

How to create a hardware VPN using the AWS API

Create the VGW

https://ec2.amazonaws.com/?Action=CreateVpnGateway&Type=ipsec.1&AUTHPARAMS

Response:

<CreateVpnGatewayResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
  <requestId>7a62c49f-347e-4fc4-9331-6e8eEXAMPLE</requestId>
  <vpnGateway>
    <vpnGatewayId>vgw-8db04f81</vpnGatewayId>
    <state>pending</state>
    <type>ipsec.1</type>
    <availabilityZone>us-east-1a</availabilityZone>
    <attachments/>
    <tagSet/>
  </vpnGateway>
</CreateVpnGatewayResponse>

Create the CGW

https://ec2.amazonaws.com/?Action=CreateCustomerGateway
&Type=ipsec.1
&IpAddress=12.1.2.3
&BgpAsn=65534
&AUTHPARAMS

Response:

<CreateCustomerGatewayResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
   <requestId>7a62c49f-347e-4fc4-9331-6e8eEXAMPLE</requestId>
   <customerGateway>        
      <customerGatewayId>cgw-b4dc3961</customerGatewayId>
      <state>pending</state>
      <type>ipsec.1</type>
      <ipAddress>12.1.2.3</ipAddress>
      <bgpAsn>65534</bgpAsn>
      <tagSet/>
   </customerGateway>
</CreateCustomerGatewayResponse>

Create the VPN connection

https://ec2.amazonaws.com/?Action=CreateVpnConnection
&Type=ipsec.1
&CustomerGatewayId=cgw-b4dc3961
&VpnGatewayId=vgw-8db04f81
&AUTHPARAMS

Response:

<CreateVpnConnectionResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
  <requestId>7a62c49f-347e-4fc4-9331-6e8eEXAMPLE</requestId>
  <vpnConnection>
    <vpnConnectionId>vpn-44a8938f</vpnConnectionId>
    <state>pending</state>
    <customerGatewayConfiguration>
       ...Customer gateway configuration data in escaped XML format...
    </customerGatewayConfiguration>    
    <type>ipsec.1</type>
    <customerGatewayId>cgw-b4dc3961</customerGatewayId>
    <vpnGatewayId>vgw-8db04f81</vpnGatewayId>
    <tagSet/>
  </vpnConnection>
</CreateVpnConnectionResponse>

Configure your kit

Examples on how to do this can be found here.

Enable route propagation

https://ec2.amazonaws.com/?Action=EnableVgwRoutePropagation
&RouteTableId=rtb-c98a35a0
&GatewayId=vgw-8db04f81
&AUTHPARAMS

Response:

<EnableVgwRoutePropagationResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
    <requestId>4f35a1b2-c2c3-4093-b51f-abb9d7311990</requestId>
    <return>true</return>
</EnableVgwRoutePropagationResponse>

How to create a hardware VPN using the AWS Management Console

Create the VGW

[Screenshot: static-vgw]

Create the CGW

[Screenshot: dynamic-cgw]

Create the VPN connection

[Screenshot: dynamic-vpn-connection]

Configure your kit

Examples on how to do this can be found here.

Enable route propagation

[Screenshot: vpn-route-prop]