
IaaS

Tutorial: Connect AWS to CloudConnexa with IPsec using VPG

Abstract

This tutorial shows how to configure an IPsec connection to your AWS VPC. Once configured, the site-to-site IPsec tunnel(s) connect your AWS VPC to the configured CloudConnexa Region. On a successful connection, your CloudConnexa users and other networks connected to any of CloudConnexa's Regions can access the AWS VPC.

What is AWS Site-to-Site VPN?

By default, instances you launch into an Amazon VPC can't communicate with your own (remote) network. You can enable access to your remote network from your VPC by creating an AWS Site-to-Site VPN (Site-to-Site VPN) connection and configuring routing to pass traffic through the connection. Although VPN connection is a general term, in this documentation, a VPN connection refers to the connection between your VPC and your own on-premises network. Site-to-Site VPN supports Internet Protocol security (IPsec) VPN connections.

This tutorial shows how to configure an AWS Site-to-Site VPN connection between your AWS VPC and a CloudConnexa Region.

Note

IPsec connectivity is in Beta.

The AWS configuration involves:

  • Creating a customer gateway: The customer gateway is an AWS resource that provides information to AWS about the physical device or software application on your side of the Site-to-Site VPN connection (i.e., CloudConnexa Region).

  • Creating a virtual private gateway: A virtual private gateway is the VPN endpoint on the Amazon side of your Site-to-Site VPN connection that can be attached to a single VPC.

    Caution

    An IPsec VPN connection to your VPC using the Virtual Private Gateway (VPG) only allows access to resources inside a VPC. Use the Transit Gateway configuration instead if you have configured public resources as Applications and IP services to be reachable via this VPC. Refer to Tutorial: Connect AWS VPC to CloudConnexa with IPsec using Transit Gateway.

  • Creating a VPN connection: An encrypted link where data can pass from the customer network (i.e., CloudConnexa) to or from AWS. Each VPN connection includes two VPN tunnels, which you can simultaneously use for high availability.

  • Downloading the VPN Configuration File: The configuration file is an example of VPN settings. It also specifies pre-shared keys for authentication.

On a successful connection, your CloudConnexa users and other networks connected to any of CloudConnexa's Regions can access the AWS VPC.

  1. Add a Network using the Network Configuration Wizard to represent your AWS VPC and select the IPsec Tunneling Protocol option.

  2. In the Connector configuration step, select AWS from the Platform to Connect drop-down menu. Refer to CloudConnexa Connectors and About Network Connectors.

    Instructions will appear on how to configure IPsec connectivity with CloudConnexa.

  3. Click Next.

    You will see three steps:

    1. AWS Configuration Details: Use these values when configuring the AWS tunnel.

    2. Setup CloudConnexa Tunnel: Complete the CloudConnexa tunnel setup manually or automatically using the configuration file generated by AWS.

    3. Verify Connectivity: After configuring the tunnel on both sides, click “Test Connection” to check that CloudConnexa can establish a connection to the remote network.

  4. (AWS) Create a Customer Gateway in AWS to represent the IPsec endpoint of the CloudConnexa Region. Refer to AWS Documentation.

    Note

    You can also create the customer gateway while configuring the VPN connection.

    1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

    2. In the navigation pane, choose Customer gateways.

    3. Choose Create customer gateway.

    4. (Optional) For Name tag, enter a name for your customer gateway. Doing so creates a tag with a key of Name and the value that you specify.

    5. For BGP ASN, enter a Border Gateway Protocol (BGP) Autonomous System Number (ASN) for your customer gateway.

      Note

      This IPsec VPN uses static routing, so the BGP ASN is not used; you can enter any number here.

    6. For IP address, enter the IP address displayed as Remote Gateway IP Address on the CloudConnexa Administration Portal's Connector Configuration page, as shown in AWS Configuration Details.

    7. (Optional, use only if you want to use certificate authentication instead of pre-shared keys) For Certificate ARN, choose the private certificate's Amazon Resource Name. For information about creating a private certificate, see Creating and managing a private CA in the AWS Private Certificate Authority User Guide.

    8. (Optional) For Device, enter a name for the customer gateway device associated with this customer gateway.

    9. Choose Create customer gateway.

  5. (AWS) To establish an IPsec VPN connection between your VPC and CloudConnexa, you must create a target gateway on the AWS side of the connection. The target gateway will be a virtual private gateway. To create a virtual private gateway in AWS and attach it to your VPC, follow these steps:

    1. In the navigation pane, choose Virtual private gateways.

    2. Choose Create virtual private gateway.

    3. (Optional) For Name tag, enter a name for your virtual private gateway. Doing so creates a tag with a key of Name and the value that you specify.

    4. For Autonomous System Number (ASN), keep the default selection, Amazon default ASN, to use the default Amazon ASN.

    5. Choose Create virtual private gateway.

    6. Select the virtual private gateway you created, then choose Actions, Attach to VPC.

    7. For Available VPCs, choose your VPC and then choose Attach to VPC.

  6. (AWS, optional) If you want instances in your AWS VPC to reach other networks connected to CloudConnexa (i.e., site-to-site connectivity between your VPC and other private networks connected to CloudConnexa), enable route propagation for your route table so that Site-to-Site VPN routes are propagated automatically. This configures your route table to include the routes used by your VPN connection and point them to your virtual private gateway when the status of the VPN connection is UP. Follow the steps below:

    1. In the navigation pane, choose Route tables.

    2. Select the route table that's associated with the subnet.

    3. On the Route propagation tab, choose Edit route propagation. Select the virtual private gateway that you created in the previous procedure, and then choose Save.

  7. (AWS) Now that both the customer gateway (representing the CloudConnexa IPsec endpoint) and the virtual private gateway (representing the AWS VPC IPsec endpoint) are created and configured, you are ready to create the VPN connection by following the steps below:

    1. In the navigation pane, choose Site-to-Site VPN connections.

    2. Choose Create VPN connection.

    3. (Optional) For Name tag, enter a name for your VPN connection. Doing so creates a tag with a key of Name and the value that you specify.

    4. For Target gateway type, choose Virtual private gateway. Then, choose the virtual private gateway that you created earlier.

    5. For Customer gateway, select Existing, then choose the customer gateway that you created earlier from Customer gateway ID.

    6. Select Static as the routing option.

    7. For Static IP Prefixes, copy and paste the Static IP Prefixes displayed on the CloudConnexa Administration Portal's Connector Configuration page, as shown in AWS Configuration Details.

      Note

      The Static IP Prefixes include the Routes of all CloudConnexa Networks configured so far. If you add new Networks or Routes and want site-to-site networking with your VPC, you must update the Static IP Prefixes.

    8. Choose Create VPN connection. It might take a few minutes to create the VPN connection.

  8. (AWS) Download the VPN connection configuration file needed to configure CloudConnexa's IPsec connection by following the steps below:

    1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

    2. In the navigation pane, choose Site-to-Site VPN connections.

    3. Select your VPN connection and choose Download configuration.

    4. Choose Generic for the customer gateway device.

    5. Choose Download.

    Note

    To properly load the download configuration screen from the AWS Management Console, you must ensure that your IAM role or user has permission for the following Amazon EC2 APIs: GetVpnConnectionDeviceTypes and GetVpnConnectionDeviceSampleConfiguration.

  9. Now that you have the configuration file from AWS, upload it to configure the IPsec tunnels to CloudConnexa.

    To use the file to configure CloudConnexa automatically, click Upload Generic Configuration File and select the file.

    Note

    AWS creates two parallel tunnels by default for redundancy and high availability. Two CloudConnexa Connectors, one for each IPsec tunnel, will be created.

  10. Click Test Connection 1 and Test Connection 2 to check connectivity for both IPsec tunnels.

  11. Continue with the network wizard instructions.
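The Generic configuration file downloaded in step 8 carries both tunnels' pre-shared keys and outside addresses. As an added example (not code from the CloudConnexa or AWS documentation), the Python script below parses such a file and reports what each Connector needs, flagging IKE settings a practitioner would want to raise where both ends allow it. The sample text is constructed to mirror the file's general layout ('!'-prefixed lines, 'key : value' fields, one 'IPSec Tunnel #N' heading per tunnel); the exact field labels are assumptions, so adjust them if your download differs.

```python
"""Added example, not code from the CloudConnexa or AWS documentation: read the
Generic configuration file downloaded in step 8 and extract what each tunnel's
Connector needs before the upload in step 9.  Assumed layout: '!'-prefixed
lines, 'key : value' fields, one 'IPSec Tunnel #N' heading per tunnel.
The sample below is constructed; its field labels are assumptions."""
import re

SAMPLE_CONFIG = """\
! Your VPN Connection ID                  : vpn-0123456789abcdef0
! IPSec Tunnel #1
! #1: Internet Key Exchange Configuration
!   - Pre-Shared Key           : EXAMPLEpsk1NotReal
!   - Authentication Algorithm : sha1
!   - Diffie-Hellman           : Group 2
! #3: Tunnel Interface Configuration
! Outside IP Addresses:
!   - Customer Gateway         : 203.0.113.10
!   - Virtual Private Gateway  : 198.51.100.21
! Inside IP Addresses
!   - Customer Gateway         : 169.254.10.2/30
! IPSec Tunnel #2
! #1: Internet Key Exchange Configuration
!   - Pre-Shared Key           : EXAMPLEpsk2NotReal
!   - Authentication Algorithm : sha2-256
!   - Diffie-Hellman           : Group 14
! #3: Tunnel Interface Configuration
! Outside IP Addresses:
!   - Customer Gateway         : 203.0.113.10
!   - Virtual Private Gateway  : 198.51.100.22
"""

TUNNEL_RE = re.compile(r"IPSec Tunnel #(\d+)")
FIELD_RE = re.compile(r"^-\s*(.+?)\s*:\s*(.*?)\s*$")
# Heading phrases scope the fields under them ("Customer Gateway" repeats under both headings).
SECTIONS = {"internet key exchange": "ike",
            "outside ip addresses": "outside", "inside ip addresses": "inside"}


def parse_generic_config(text):
    """Return {tunnel_number: {"section.field": value}} for each tunnel block."""
    tunnels, current, section = {}, None, ""
    for raw in text.splitlines():
        line = raw.lstrip("! ").rstrip()
        m = TUNNEL_RE.search(line)
        if m:                     # start of the next tunnel block
            current, section = tunnels.setdefault(int(m.group(1)), {}), ""
            continue
        if current is None or not line:
            continue              # preamble before the first tunnel, or blank
        m = FIELD_RE.match(line)
        if m:
            current[section + m.group(1).lower().replace(" ", "_")] = m.group(2)
            continue
        for phrase, name in SECTIONS.items():
            if phrase in line.lower():
                section = name + "."
    return tunnels


def check_tunnel(fields):
    """Findings for one tunnel: values the Connector cannot be built without, and
    IKE settings worth raising above the AES-128/SHA-1/DH group 2 minimum."""
    needed = ("ike.pre-shared_key", "outside.customer_gateway",
              "outside.virtual_private_gateway")
    findings = [f"missing {k}" for k in needed if not fields.get(k)]
    if fields.get("ike.authentication_algorithm", "").lower() == "sha1":
        findings.append("IKE integrity is SHA-1; prefer SHA-2 if both ends support it")
    if fields.get("ike.diffie-hellman", "").lower().endswith("group 2"):
        findings.append("DH group 2 is 1024-bit; prefer group 14 or higher if both ends support it")
    return findings


def summarize(text):
    """One record per tunnel: PSK, both outside IPs and the findings."""
    return {n: dict(psk=f.get("ike.pre-shared_key"), aws_ip=f.get("outside.virtual_private_gateway"),
                    cc_ip=f.get("outside.customer_gateway"), findings=check_tunnel(f))
            for n, f in sorted(parse_generic_config(text).items())}
```

Both tunnels must report the same cc_ip, which should equal the Remote Gateway IP Address entered for the customer gateway in step 4, while each tunnel has its own aws_ip and PSK.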

Tutorial: Connect AWS VPC to CloudConnexa with IPsec using Transit Gateway

Abstract

This tutorial shows how to configure an IPsec connection to your AWS VPC using the Transit Gateway. Once configured, the site-to-site IPsec tunnel(s) connect your AWS VPC to the configured CloudConnexa Region. On a successful connection, your CloudConnexa users and other networks connected to any of CloudConnexa's Regions can access the AWS VPC.

What is AWS Site-to-Site VPN?

By default, instances you launch into an Amazon VPC can't communicate with your own (remote) network. You can enable access to your remote network from your VPC by creating an AWS Site-to-Site VPN (Site-to-Site VPN) connection and configuring routing to pass traffic through the connection. Although VPN connection is a general term, in this documentation, a VPN connection refers to the connection between your VPC and your own on-premises network. Site-to-Site VPN supports Internet Protocol security (IPsec) VPN connections.

This tutorial shows how to configure an AWS Site-to-Site VPN connection using a Transit Gateway between your AWS VPC and a CloudConnexa Region.

An IPsec VPN connection to your VPC using the Virtual Private Gateway (VPG) only allows access to resources inside a VPC. Refer to Tutorial: Connect AWS to CloudConnexa with IPsec using VPG. Use this Transit Gateway configuration if you have configured public resources as Applications and IP services to be reachable via this VPC. The virtual private gateway provides connectivity to a single Amazon Virtual Private Cloud (Amazon VPC) in a Region. The transit gateway provides connectivity to multiple Amazon VPCs in a region as well as to the internet.

Note

IPsec connectivity is in Beta.

This configuration guide is based on the AWS knowledge center article: How do I access the internet using Site-to-Site VPN in my on-premises network?

For this configuration, the steps are explained using an example VPC (10.0.0.0/16) with two subnets: a public subnet (10.0.0.0/20) and a private subnet (10.0.16.0/20).

[Screenshot: VPC view]
[Screenshot: public and private subnets]
  1. Create a Transit Gateway.

    [Screenshot: Transit Gateway]
  2. Create a Site-to-Site VPN using the transit gateway. Use Tutorial: Connect AWS to CloudConnexa with IPsec using VPG as appropriate.

    [Screenshot: Site-to-Site VPN connection using the transit gateway]
  3. Attach VPC to transit gateway.

    [Screenshot: VPC attachment to the transit gateway]
  4. Create a NAT Gateway in the VPC's public subnet (10.0.0.0/20).

    [Screenshot: NAT Gateway]
  5. Add the following routes to the VPC's private subnet's route table:

    1. 0.0.0.0/0 (default route, points to the NAT gateway)

    2. 100.96.0.0/11 (WPC subnet, points to the transit gateway)

    3. 100.80.0.0/12 (Domain routing subnet, points to the transit gateway)

    [Screenshot: private subnet route table]
  6. Add the following routes to the VPC's public subnet's route table:

    1. 100.96.0.0/11 (WPC subnet, points to the transit gateway)

    2. 100.80.0.0/12 (Domain routing subnet, points to the transit gateway)

    [Screenshot: public subnet route table]
  7. Add the following routes to the transit gateway's route table:

    1. 0.0.0.0/0 (default route, points to the VPC resource)

    2. 100.96.0.0/11 (WPC subnet, points to the VPN resource)

    3. 100.80.0.0/12 (Domain routing subnet, points to the VPN resource)

    [Screenshot: transit gateway route table]
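To check that the routes in steps 5 to 7 fit together before any traffic flows, here is an added Python model (not code from the CloudConnexa or AWS documentation) of the three route tables for the example VPC, with longest-prefix lookup and a hop-by-hop trace. It assumes the transit gateway attachment is placed in the private subnet and that the public subnet has a default route to an internet gateway; hop names such as nat-gateway and vpn-attachment are labels chosen here.

```python
"""Added example, not code from the CloudConnexa or AWS documentation: model the
route tables of steps 5 to 7 for the example VPC (10.0.0.0/16; public subnet
10.0.0.0/20, private subnet 10.0.16.0/20) and trace where a packet is sent, so
the design can be checked before any traffic flows.  Hop names are assumptions."""
import ipaddress

# Route tables as (prefix, next hop) lists, mirroring the tutorial's steps.
# "local" is the route every VPC route table carries for the VPC's own CIDR;
# the public subnet's default route to the internet gateway is an assumption
# (a public subnet hosting a NAT gateway needs one, but the tutorial does not list it).
ROUTE_TABLES = {
    "private-subnet": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "nat-gateway"),
                       ("100.96.0.0/11", "transit-gateway"),
                       ("100.80.0.0/12", "transit-gateway")],
    "public-subnet": [("10.0.0.0/16", "local"), ("0.0.0.0/0", "internet-gateway"),
                      ("100.96.0.0/11", "transit-gateway"),
                      ("100.80.0.0/12", "transit-gateway")],
    "transit-gateway": [("0.0.0.0/0", "vpc-attachment"),
                        ("100.96.0.0/11", "vpn-attachment"),
                        ("100.80.0.0/12", "vpn-attachment")],
}
# Which table a hop consults next.  Assumption: the transit gateway attachment
# sits in the private subnet, so packets it delivers into the VPC are routed by
# that subnet's table (this is what sends VPN-originated traffic to the NAT gateway).
NEXT_TABLE = {"transit-gateway": "transit-gateway", "vpc-attachment": "private-subnet"}


def lookup(table, dst):
    """Longest-prefix match over one table; returns the next hop or None."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p).prefixlen, hop)
               for p, hop in ROUTE_TABLES[table] if addr in ipaddress.ip_network(p)]
    return max(matches)[1] if matches else None


def trace(start_table, dst, max_hops=8):
    """Hops a packet to dst passes through from start_table, ending at the
    device that delivers it (local, NAT gateway, internet gateway or VPN)."""
    path, table = [], start_table
    while table is not None and len(path) < max_hops:   # max_hops guards against loops
        hop = lookup(table, dst)
        path.append(hop)
        table = NEXT_TABLE.get(hop)
    return path


def check_design():
    """The three properties the tutorial's routes are meant to provide."""
    cc_hosts = ("100.96.1.5", "100.80.0.9")   # a WPC subnet and a domain routing subnet address
    return {
        "vpc_reaches_cloudconnexa": all(trace(t, ip)[-1] == "vpn-attachment"
                                        for t in ("private-subnet", "public-subnet")
                                        for ip in cc_hosts),
        "cloudconnexa_reaches_vpc": trace("transit-gateway", "10.0.16.25")[-1] == "local",
        "cloudconnexa_egresses_via_nat": trace("transit-gateway", "203.0.113.7")[-1] == "nat-gateway",
    }


if __name__ == "__main__":
    for dst in ("100.96.1.5", "8.8.8.8", "10.0.16.25"):
        print(dst, "from private subnet:", " -> ".join(trace("private-subnet", dst)))
    print(check_design())
```

Removing the 0.0.0.0/0 entry from the transit-gateway table in the model makes cloudconnexa_egresses_via_nat fail, which is the symptom you would see if step 7's default route were left out.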

Tutorial: Assign DNS servers using DHCP for AWS VPC

Abstract

This tutorial shows how to configure a DHCP option set on your AWS VPC to set the DNS servers for all the resources in your VPC.

This tutorial shows how to configure a DHCP option set on your AWS VPC to set the DNS servers for all the resources in your VPC. Using the DNS server associated with the Connector's tunnel IP address subnet lets your VPC resources access Applications on the WPC using Application Domain-Based Routing.

  1. Create a DHCP option set and configure the Domain name server as the IP address that is one before the tunnel IP address of the Connector. For example, if the tunnel IP address of the Connector is 100.96.1.18, then the DNS server IP address is 100.96.1.17.

    [Screenshot: AWS DHCP option set]
  2. Assign DHCP option set to your VPC.

Tutorial: Find the AWS IPsec tunnel's outside IP address

Abstract

Follow these steps to find the AWS IPsec tunnel's public IP address (Outside IP Address).

To find the AWS IPsec tunnel's public IP address (Outside IP Address), follow the steps below:

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. Click Site-to-Site VPN connections.

  3. Click the hyperlinked Name of the desired VPN connection.

  4. Click the Tunnel details tab.

    [Screenshot: Outside IP address of the AWS IPsec tunnel]
  5. The Outside IP address will be listed in the Tunnel state section.

Tutorial: Connect Your AWS VPC to CloudConnexa by Deploying a Connector

Abstract

This tutorial shows you the steps to take to deploy a Connector on your AWS VPC. Once deployed, the Connector attempts to establish an outbound OpenVPN tunnel to the configured CloudConnexa Region. On a successful connection, the AWS VPC can be accessed by your CloudConnexa Users.

Launch Connector on AWS

To configure a Network that represents your AWS Virtual Private Cloud (VPC) and launch an AWS instance running a Connector by using AWS CloudFormation, follow these steps:

  1. Sign in to the CloudConnexa Administration portal at https://cloud.openvpn.com.

  2. Navigate to Networks and click Networks.

    Select the Scenario(s) that apply to your use case.

  3. Provide a Network Name and enter an optional Description.

  4. Provide a Connector name, select a Region, and click Next.

  5. Select an AWS Region.

  6. Click Launch and log into AWS.

  7. On the Quick create stack web page, specify the stack details: Stack name, KeyName, SubnetId, VpcId, and then click Next.

    Note

    Use the existing VPC and IP subnet.

  8. Click the I acknowledge that AWS CloudFormation might create IAM resources checkbox to allow CloudFormation to create RouteManagerRole IAM::Role resources. This role configures routes in the VPC Route table to use the Connector. Click Create stack.

  9. Monitor the stack creation as it goes from CREATE_IN_PROGRESS state to CREATE_COMPLETE.

  10. On completion, open the Resources tab to view the created resources. Check that the RouteManagerRole was created along with an InstanceSecurityGroup, InstanceProfile, and the EC2Instance.

  11. Click on the Physical ID of the EC2 instance to check its details.

    Note

    The EC2 instance uses Ubuntu. If you want to connect to it with SSH, use ubuntu as the username.

  12. The Connector EC2 instance automatically connects to the Region, and the Network shows as Online on the Status page of the CloudConnexa Administration portal.

A new EC2 instance Security Group is created automatically when the Network Connector is deployed through CloudFormation. This Security Group contains only one Inbound Rule, which allows SSH connections from any source address (Protocol: TCP; Port: 22; Source: 0.0.0.0/0).

Modify existing Security Groups

If you are using Security Groups to protect any instances that need their traffic to be routed through the Connector instance, you need to add the Security Group of the Connector instance to their inbound rules.

This screenshot shows the inbound rules of the sg-0d7ffe09b9076d0dd (launch-wizard-1) Security Group being edited to add the last rule, which accepts all incoming traffic from the Security Group sg-0210e0cbe1ce14ee7 associated with the Connector instance.

[Screenshot: Modify existing Security Groups]

Optional: Check and add routes to the VPC Route Table associated with the subnet

Check that a route exists in the route table for the WPC Subnet IP address range configured in Network Settings of CloudConnexa. The default WPC IPv4 subnet address range for CloudConnexa is 100.96.0.0/11. If a route to destination 100.96.0.0/11 using the Connector instance as a target is absent, add it. If other CloudConnexa Networks need to be reached from the VPC, add a route with those Network subnets as the destination and the Connector instance as the target.

The screenshot below shows how the route table should look, with an entry for the CloudConnexa WPC IP address subnet (100.96.0.0/11) and an entry for subnet 192.168.0.0/28, another Network (for example, an office Network) that is reachable via CloudConnexa. Both entries have the instance running the Connector as their target.

Note: If you allow CloudFormation to create RouteManagerRole IAM::Role resources, this role will configure routes in the VPC Route table to use the Connector automatically and update the route table as new Networks are added to the WPC.

[Screenshot: VPC Route Table with routes via the Connector instance]

Tutorial: Connect Your Azure VNet to CloudConnexa by Deploying a Connector

Abstract

This tutorial shows you the steps to take to deploy a Connector on your Azure VNet. Once deployed, the Connector attempts to establish an outbound OpenVPN tunnel to the configured CloudConnexa Region. On a successful connection, the Azure VNet can be accessed by your CloudConnexa Users.

Launch Connector On Azure

You can deploy a Connector in the Microsoft Azure environment during the Network creation process. You can choose to either launch a template directly in Azure, or download a template and launch it manually.


Steps: Launch a template directly on Azure

  1. Click Launch On Azure.

    • You are redirected to your Azure environment, where a virtual machine (VM) is created automatically.

  2. Define the parameters on the Azure VM, noting that the fields marked with an asterisk are mandatory.


    Parameter: Value

    Subscription: A logical container used to provision resources in Azure. It holds the details of all your resources such as VMs, databases, and more.

    Resource Group: A container that holds related resources for an Azure solution. The resource group includes those resources that you want to manage as a group.

    Region: The region value propagates from the resource group.

    Disk Type: The type of storage to be used for your VM disks.

    Admin Username: The Administrator username for the VM.

    Authentication Type: The type of authentication to use on the VM. SSH key is strongly recommended.

    Admin Password Or Key: The SSH key or password for the VM.

    Dns Label Prefix: The unique DNS label prefix for the public IP that is used to access the VM.

    Vm Size: The size of the VM.

    Virtual Network Name: The name of the existing virtual Network (VNet). You can find the VNet name on the Virtual Networks page.

    Subnet Name: The name of the existing subnet in the VNet you want to use. You can find the subnet name on the Subnets blade of the VNet. This subnet value must be the same as the subnet of the Network on the CloudConnexa Administration portal.

    Network Security Group Name: The name of the Network security group.

  3. Click Next: Review + create.

  4. When validation passes, click Create.


The Connector deployment is complete. You can navigate to your resource group to find your VM.

Steps: Launch Connector manually from template

  1. In the CloudConnexa Administration portal, click Download to save the JSON Azure template to your local computer.

  2. Access your Azure portal and click Create a resource.

  3. Search for Template deployment (deploy using custom templates) and click Create.

  4. Click Build your own template in the editor.

  5. Click Load File.

  6. Load the template file from your local computer and click Save.

  7. Follow steps 2 to 4 in the Steps: Launch a template directly on Azure section to complete the configuration.

Tutorial: Connect Your GCP VPC to CloudConnexa by Deploying a Connector

Abstract

This tutorial shows you the steps to take to deploy a Connector on your GCP VPC. Once deployed, the Connector attempts to establish an outbound OpenVPN tunnel to the configured CloudConnexa Region. On a successful connection, the GCP VPC can be accessed by your CloudConnexa Users.

Deploy a Connector on GCP

You can deploy a Connector in the Google Cloud Platform (GCP) environment during the Network creation process. You must create a Linux virtual machine (VM) on GCP on which you install the Network Connector.


Steps: Install a Linux VM

  1. Navigate to GCP and access Compute Engine > Virtual Machines > VM Instances.

  2. Click Create Instance.

  3. Enter the VM parameters.


    Parameter: Definition

    Name: The name you assign to the VM.

    Region: A specific geographical location where your VM is run.

    Zone: Determines what computing resources are available, and where your data is stored and used.

    Machine family: The types of VMs for common workloads, optimized for cost and flexibility.

    Series: The CPU platform series.

    Machine type: The VM vCPU and memory type.

    CPU platform: The microarchitecture of your VM instance.

    Container: Deploy a container to this VM instance by using a container-optimized OS image.

    Boot disk: Each instance requires a disk to boot from.

    SSH Keys: Allow access to this instance via SSH.

    Hostname: The VM instance hostname.

    Network: The Network determines what Network traffic the instance can access.

    Subnetwork: Assigns an IPv4 address to the instance from the subnetwork range. This subnetwork must be the same as the Network Subnet in the CloudConnexa Administration portal.

    Primary internal IP: For ephemeral, restarting an instance won't change its internal IP, but deleting and recreating an instance will.

    External IP: An external IP address associated with this instance. Select an unused static IP address or choose Ephemeral to use an IP from a shared ephemeral IP address pool. Selecting None results in the instance having no external internet access.

    IP forwarding: IP forwarding must be enabled. IP forwarding allows the instance to help route packets.

  4. Click Create.

  5. Click the Select Linux Distribution dropdown and select the distribution that you want to install the Connector on.

    [Screenshot: Select Linux Distribution]
  6. Copy the commands shown for your terminal.

  7. Connect to your GCP VM through SSH and paste the commands.

    • Select Yes for each prompt.

    • Once the installation completes, a setup token prompt displays.

  8. In the CloudConnexa Administration portal, click Generate Token and click to copy the token.

  9. Access your Linux terminal and paste the token.

    • The utility imports the Connector Profile and connects to CloudConnexa.