To configure a Network representing your AWS Virtual Private Cloud (VPC) and install an AWS instance running Connector on it using AWS CloudFormation, follow the steps below:
- Navigate to Networks and click on the + icon on the top-right to add a new Network
- Provide a Network name and fill-in the CIDR ranges of the subnets in your AWS VPC
- Provide a Connector name, select a VPN Region, and click on the create button
- Click on the download icon next to the Connector to reveal various options
- Select Launch Connector on AWS from the options list to initiate the workflow with the following steps:
- Select an AWS Region from the drop-down
- Click on the Launch button
- Log in to AWS
- On the Quick create stack webpage, specify the stack details such as the Stack name, KeyName, SubnetId, and VpcId, and click on the Next button
- Click on the I acknowledge that AWS CloudFormation might create IAM resources checkbox to allow CloudFormation to create the RouteManagerRole IAM::Role resource. This role will configure routes in the VPC Route table to use the Connector. Click on the Create stack button
- Monitor the stack creation as it goes from CREATE_IN_PROGRESS state to CREATE_COMPLETE
- On completion, click on the Resources tab to see the resources created. Check that the RouteManagerRole was created along with an InstanceSecurityGroup, InstanceProfile, and the EC2Instance.
- Click on the Physical ID of the EC2 instance to check its details
- The Connector EC2 instance will automatically connect to the VPN Region, and the Network will show up as online on the Status page of the OpenVPN Cloud Admin portal.
A new EC2 instance and its Security Group are created automatically when the Network Connector is deployed via CloudFormation. This Security Group contains only one inbound rule, which allows SSH connections (Protocol: TCP; Port: 22; Source: 0.0.0.0/0).
Next Step: Modify existing Security Groups
If you use Security Groups to protect instances whose traffic needs to be routed through the Connector instance, you need to add the Connector instance's Security Group as a source in their inbound rules.
Please see the screenshot below, in which the inbound rules of the sg-0d7ffe09b9076d0dd – launch-wizard-1 Security Group are being edited to add a last rule that accepts all incoming traffic from Security Group sg-0210e0cbe1ce14ee7, which is associated with the Connector instance.
OPTIONAL: Check and add routes to the VPC Route Table associated with the subnet
Check that a route exists in the route table for the VPN Subnet IP address range configured in the Network Settings of OpenVPN Cloud. The default VPN IPv4 subnet address range for OpenVPN Cloud is 100.96.0.0/11. If a route to destination 100.96.0.0/11 with the Connector instance as the target is absent, add it. If other OpenVPN Cloud Networks need to be reached from the VPC, add a route for each of them with that Network's subnet as the destination and the Connector instance as the target.
The screenshot below shows how the route table should look, with an entry for the OpenVPN Cloud VPN IP address subnet (100.96.0.0/11) and an entry for subnet 192.168.0.0/28, which is another Network (for example, an office network) reachable via OpenVPN Cloud. Both entries have the instance running the Connector as their target.
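The two checks described above (the Connector's Security Group being allowed as a source in a protected instance's inbound rules, and the VPN and other Network subnets being routed to the Connector instance) can be scripted against the output of the AWS CLI. The following is an added example, not OpenVPN Cloud's own tooling; it takes the JSON shape returned by `aws ec2 describe-route-tables` and `aws ec2 describe-security-groups`, and all resource IDs in the sample data are constructed placeholders.

```python
"""Checks for the Connector route and Security Group steps above (added example,
not OpenVPN Cloud's own tooling). Inputs use the JSON shape returned by
`aws ec2 describe-route-tables` / `describe-security-groups`; IDs are placeholders."""
from ipaddress import ip_network

VPN_SUBNET = "100.96.0.0/11"  # default OpenVPN Cloud VPN IPv4 subnet

def route_problems(route_table, connector_instance_id, destinations):
    """[(destination, issue)] for each destination not actively routed to the
    Connector instance; issue is 'missing', 'wrong-target' or 'blackhole'."""
    by_dest = {r.get("DestinationCidrBlock"): r for r in route_table.get("Routes", [])}
    problems = []
    for dest in destinations:
        dest = str(ip_network(dest, strict=False))  # normalise host bits away
        route = by_dest.get(dest)
        if route is None:
            problems.append((dest, "missing"))
        elif route.get("InstanceId") != connector_instance_id:
            problems.append((dest, "wrong-target"))
        elif route.get("State") != "active":
            problems.append((dest, "blackhole"))  # e.g. Connector instance stopped
    return problems

def fix_commands(route_table_id, connector_instance_id, problems):
    """AWS CLI commands that would repair each reported route problem."""
    cmds = []
    for dest, issue in problems:
        verb = "create-route" if issue == "missing" else "replace-route"
        cmds.append(f"aws ec2 {verb} --route-table-id {route_table_id} "
                    f"--destination-cidr-block {dest} --instance-id {connector_instance_id}")
    return cmds

def allows_connector_sg(protected_sg, connector_sg_id):
    """True if the protected Security Group has an inbound rule whose source is
    the Connector's Security Group (the 'Modify existing Security Groups' step)."""
    return any(pair.get("GroupId") == connector_sg_id
               for perm in protected_sg.get("IpPermissions", [])
               for pair in perm.get("UserIdGroupPairs", []))

# Constructed sample: VPN subnet already routed, office network route absent.
SAMPLE_ROUTE_TABLE = {"RouteTableId": "rtb-0example", "Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": VPN_SUBNET, "InstanceId": "i-0connector", "State": "active"}]}
SAMPLE_PROTECTED_SG = {"GroupId": "sg-0protected", "IpPermissions": [
    {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0connector"}]}]}

if __name__ == "__main__":
    issues = route_problems(SAMPLE_ROUTE_TABLE, "i-0connector", [VPN_SUBNET, "192.168.0.0/28"])
    print(issues, *fix_commands("rtb-0example", "i-0connector", issues), sep="\n")
    print(allows_connector_sg(SAMPLE_PROTECTED_SG, "sg-0connector"))  # True
```

With real data, feed the `RouteTables[0]` and `SecurityGroups[0]` objects from the CLI output into the two check functions; the printed `create-route` command for 192.168.0.0/28 is what the sample route table is missing.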
NOTE: If you allowed CloudFormation to create the RouteManagerRole IAM::Role resource, this role will configure routes in the VPC Route table to use the Connector automatically and will update the route table as new Networks are added to the VPN.