Static Hardware VPN to VPC


title: Static Hardware VPN to VPC
date: 2016-12-29
tags: networking aws
category: cloud
Authors: Gary Ossewaarde

This post is part of my note taking while studying for the AWS Certified Advanced Networking - Specialty certification.

A static hardware VPN is the preferred connectivity option to an AWS VPC when time is of the essence and costs need to be kept low. The customer manages the hardware at their end and connects to two AWS VPN endpoints (the two IPsec tunnels of one VPN connection). While static routing is not the preferred option, it is often used when BGP is neither wanted nor needed.

Steps to create a Hardware VPN with static routing:

  1. Create a virtual private gateway in your AWS account and attach it to your VPC
  2. Create a customer gateway object. This is the AWS representation of the router/firewall on your side
  3. Create the VPN connection
  4. Configure your kit
  5. Create static routes as needed

We’ll go through all five steps using the AWS CLI, the AWS API and the Web UI. The following network is used in the examples:

(Network diagram: static-hw-vpn)

How to create a Hardware VPN via the AWS CLI

Create the VGW

$ aws ec2 create-vpn-gateway --type ipsec.1

Output:

{
    "VpnGateway": {
        "State": "available",
        "Type": "ipsec.1",
        "VpnGatewayId": "vgw-9a4cacf3",
        "VpcAttachments": []
    }
}

Create the CGW

Even though the ASN won’t be used for BGP, it is required to create the CGW.

$ aws ec2 create-customer-gateway --type ipsec.1 --public-ip 12.1.2.3 --bgp-asn 65534

Output:

{
    "CustomerGateway": {
        "CustomerGatewayId": "cgw-0e11f167",
        "IpAddress": "12.1.2.3",
        "State": "available",
        "Type": "ipsec.1",
        "BgpAsn": "65534"
    }
}

Create the VPN connection

$ aws ec2 create-vpn-connection --type ipsec.1 --customer-gateway-id cgw-0e11f167 --vpn-gateway-id vgw-9a4cacf3 --options "{\"StaticRoutesOnly\":true}"

Output:

{
    "VpnConnection": {
        "VpnConnectionId": "vpn-40f41529",
        "CustomerGatewayConfiguration": "...configuration information...",
        "State": "pending",
        "VpnGatewayId": "vgw-9a4cacf3",
        "CustomerGatewayId": "cgw-0e11f167",
        "Options": {
            "StaticRoutesOnly": true
        }
    }
}

Configure your kit

Examples on how to do this can be found here.

Create static routes

$ aws ec2 create-vpn-connection-route --vpn-connection-id vpn-40f41529 --destination-cidr-block 11.12.0.0/16

Output: none (the command prints nothing on success)
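As an added example (not from the post), a stdlib-only Python check to run over the output of `aws ec2 describe-vpn-connections` once step 5 is done, for the CLI flow above or the API flow below: it confirms the connection is static-only, that every static route stays inside the approved on-prem prefixes and off the VPC CIDR, and that both tunnels are up, and it redacts CustomerGatewayConfiguration before logging because that field carries the IPsec pre-shared keys. The VPC CIDR 10.0.0.0/16, the tunnel addresses and the DOWN status are constructed assumptions.

```python
import ipaddress
import json

# Constructed sample (added example, not the post's output) in the shape of
# `aws ec2 describe-vpn-connections`; IDs and 11.12.0.0/16 come from the post.
SAMPLE = json.loads("""{
  "VpnConnectionId": "vpn-40f41529", "State": "available",
  "CustomerGatewayConfiguration": "<vpn_connection>pre-shared keys live here</vpn_connection>",
  "CustomerGatewayId": "cgw-0e11f167", "VpnGatewayId": "vgw-9a4cacf3",
  "Options": {"StaticRoutesOnly": true},
  "Routes": [{"DestinationCidrBlock": "11.12.0.0/16", "State": "available"},
             {"DestinationCidrBlock": "0.0.0.0/0", "State": "available"}],
  "VgwTelemetry": [{"OutsideIpAddress": "52.0.0.1", "Status": "UP"},
                   {"OutsideIpAddress": "52.0.0.2", "Status": "DOWN"}]
}""")


def redact(conn):
    """Copy that is safe to log: CustomerGatewayConfiguration carries the IPsec PSKs."""
    safe = dict(conn)
    if "CustomerGatewayConfiguration" in safe:
        safe["CustomerGatewayConfiguration"] = "<redacted>"
    return safe


def check_static_vpn(conn, allowed_cidrs, vpc_cidr):
    """Return findings for one connection; an empty list means it looks sane."""
    findings = []
    if conn.get("State") != "available":
        findings.append(f"state is {conn.get('State')}, not available")
    if not conn.get("Options", {}).get("StaticRoutesOnly"):
        findings.append("StaticRoutesOnly is false: BGP sessions would be accepted")
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    vpc = ipaddress.ip_network(vpc_cidr)
    for route in conn.get("Routes", []):
        net = ipaddress.ip_network(route["DestinationCidrBlock"])
        if net.prefixlen == 0:  # 0.0.0.0/0 would pull all VPC egress into the tunnel
            findings.append(f"default route {net} is set on the VPN connection")
            continue
        if not any(net.subnet_of(a) for a in allowed):
            findings.append(f"route {net} is outside the approved on-prem prefixes")
        if net.overlaps(vpc):
            findings.append(f"route {net} overlaps the VPC CIDR {vpc}")
    down = [t["OutsideIpAddress"] for t in conn.get("VgwTelemetry", [])
            if t.get("Status") != "UP"]
    if down:  # two tunnels are provisioned; one down means no redundancy
        findings.append("tunnel(s) down: " + ", ".join(down))
    return findings
```

Call `check_static_vpn(conn, ["11.12.0.0/16"], "10.0.0.0/16")` on each entry of the `VpnConnections` list and log `redact(conn)`, never the raw object.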

How to create a hardware VPN using the AWS API

Create the VGW

https://ec2.amazonaws.com/?Action=CreateVpnGateway
&Type=ipsec.1
&AUTHPARAMS

Response:

<CreateVpnGatewayResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
  <requestId>7a62c49f-347e-4fc4-9331-6e8eEXAMPLE</requestId>
  <vpnGateway>
    <vpnGatewayId>vgw-8db04f81</vpnGatewayId>
    <state>pending</state>
    <type>ipsec.1</type>
    <availabilityZone>us-east-1a</availabilityZone>
    <attachments/>
    <tagSet/>
  </vpnGateway>
</CreateVpnGatewayResponse>

Create the CGW

Even though the ASN won’t be used for BGP, it is required to create the CGW.

https://ec2.amazonaws.com/?Action=CreateCustomerGateway
&Type=ipsec.1
&IpAddress=12.1.2.3
&BgpAsn=65534
&AUTHPARAMS

Response:

<CreateCustomerGatewayResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
   <requestId>7a62c49f-347e-4fc4-9331-6e8eEXAMPLE</requestId>
   <customerGateway>
      <customerGatewayId>cgw-b4dc3961</customerGatewayId>
      <state>pending</state>
      <type>ipsec.1</type>
      <ipAddress>12.1.2.3</ipAddress>
      <bgpAsn>65534</bgpAsn>
      <tagSet/>
   </customerGateway>
</CreateCustomerGatewayResponse>

Create the VPN connection

https://ec2.amazonaws.com/?Action=CreateVpnConnection
&Type=ipsec.1
&CustomerGatewayId=cgw-b4dc3961
&VpnGatewayId=vgw-8db04f81
&Options.StaticRoutesOnly=true
&AUTHPARAMS

Response:

<CreateVpnConnectionResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
  <requestId>5cc7891f-1f3b-4fc4-a626-bdea8f63ff5a</requestId>
  <vpnConnection>
    <vpnConnectionId>vpn-83ad48ea</vpnConnectionId>
    <state>pending</state>
    <customerGatewayConfiguration>
       ...Customer gateway configuration data in escaped XML format...
    </customerGatewayConfiguration>
    <customerGatewayId>cgw-b4dc3961</customerGatewayId>
    <vpnGatewayId>vgw-8db04f81</vpnGatewayId>
    <options>
      <staticRoutesOnly>true</staticRoutesOnly>
    </options>
    <routes/>
  </vpnConnection>
</CreateVpnConnectionResponse>

Configure your kit

Examples on how to do this can be found here.

Create static routes

https://ec2.amazonaws.com/?Action=CreateVpnConnectionRoute
&DestinationCidrBlock=11.12.0.0%2F16
&VpnConnectionId=vpn-83ad48ea
&AUTHPARAMS

Response:

<CreateVpnConnectionRouteResponse xmlns="http://ec2.amazonaws.com/doc/2016-11-15/">
    <requestId>4f35a1b2-c2c3-4093-b51f-abb9d7311990</requestId>
    <return>true</return>
</CreateVpnConnectionRouteResponse>

How to create a hardware VPN using the AWS Management Console

Create the VGW

(Screenshot: static-vgw-1)

Create the CGW

(Screenshot: static-cgw)

Create the VPN connection

(Screenshot: static-vpn-connection)

Configure your kit

Examples on how to do this can be found here.

Create static routes

(Screenshot: vpn-route-table)