Video: Configure an IPsec connection to your AWS VPC using Transit Gateway

Video Transcript

In this video, we're looking at how to connect your AWS resources to CloudConnexa with IPsec using Transit Gateway. But before we start, let's talk about the AWS networking components. We have the Virtual Private Gateway (VPG) and the Transit Gateway. The Virtual Private Gateway, or VPG, serves as an entry point for IPsec VPN connections to your Amazon Virtual Private Cloud. It provides connectivity to a single VPC within a specific AWS region. When you use an IPsec VPN connection via the VPG, it allows access only to resources inside that associated VPC. So it's ideal for scenarios where you need secure communication between your on-prem network and a specific VPC. Now, another component of AWS networking is the Transit Gateway. The Transit Gateway is designed for more complex networking needs. It provides connectivity to multiple VPCs within the same AWS region. In conclusion, if you're dealing with a single VPC and need a straightforward VPN connection, use the VPG. If your network spans multiple VPCs and requires more advanced features, consider the Transit Gateway.

We already have a video in which we go over the steps on how to configure IPsec using VPG. In this one, we're just gonna concentrate on how to connect our VPC to CloudConnexa with IPsec using Transit Gateway. As you can see, I'm logged into the admin portal for CloudConnexa. So in order to connect my AWS VPC to CloudConnexa, I need to expand Networks, go to Networks again, and click on 'Add a Network' here. It's gonna be a site-to-site, so I'm just gonna choose the site-to-site scenario and click on Continue. We're gonna give it a name, so we're gonna call it netIPSec. And then for the connector tunneling protocol, it's gonna be IPsec. And then here, if you want to give it a name, again, I'm gonna just call it the IPsec connector. The region is gonna be Los Angeles, so I'm just gonna leave it as Los Angeles and then click on Next. So we can see the information about our network configuration. Here we're gonna use the IPsec tunneling protocol. We can see the region, we can see the name of our connector, and the CloudConnexa public IP address. So, for the platform to connect, you can click on the dropdown. We're talking about AWS VPC again, so we're gonna choose AWS here. Now, there are some instructions here on how to configure your IPsec tunnel and how to create a virtual private gateway in AWS. But again, we're talking about Transit Gateway, so I'm just gonna click on Next on this part. From now on, we're gonna switch to our AWS console. So we can see our VPC is already configured here. If you look at the resource map, we can see we've got two subnets here, one private and one public subnet. So the next thing that we need to do is create our transit gateway. So in the AWS console, if you go to Transit Gateways, we can click on Create Transit Gateway here. For the name tag, we need to give it a name, so I'm just gonna call it OVN Lab. If there is any description, we can add it here. For the ASN number, or Autonomous System Number, we're just gonna leave it blank. For the defaults, we're gonna leave DNS support checked. You can select this option if you need the VPC to resolve your DNS host names to private addresses when queried. For VPN ECMP support, you can select this option if you need equal-cost multi-path (ECMP) routing support between your VPN tunnels; if connections advertise the same CIDRs, the traffic is distributed equally between all of them. For default route table association, you can select this option to automatically associate transit gateway attachments with the default route table for the transit gateway. And then one before last is default route table propagation. This option is selected when you wanna automatically propagate transit gateway attachments to the default route table for the transit gateway, basically. And then the last one here, as you can see, is multicast support: to use the transit gateway as a router for multicast traffic, you can select this option.

The next section configures cross-account sharing options. If you select this, then attachments are automatically accepted. Otherwise, you must accept or reject attachment requests. In the next section, Transit Gateway CIDR blocks, you can specify one or more IPv4 or IPv6 CIDR blocks for your transit gateway. And then the last part is tags, which are optional. If you want to add any tags, you can add them here. Once you're done with everything else, click on Create Transit Gateway. And as we can see here, the transit gateway is being created. The status shows pending. This may take a few minutes. Okay, now we can see our transit gateway is created and it's available here. Now the next step is to create a site-to-site VPN using the transit gateway. In order to do so, again, in our AWS console, we're gonna go to Site-to-Site VPN Connections here, and we want to create a new connection. So we're gonna click on Create VPN Connection. So for the name here, we're just gonna give it a name. So let's go ahead and call it IPsec TG. For the target gateway type, this is gonna be a transit gateway, so I'm just gonna select that. And then from the dropdown, I'm just gonna choose the transit gateway we just created a minute ago. For Customer Gateway, if you have an existing customer gateway, you can choose Existing and then choose it down here. I have to create a new one. And the very first field after that is to specify the IP address of your customer gateway. This is where we need to go back to our CloudConnexa portal and copy this IP address, the remote gateway IP address. And then we're gonna bring it back here and paste it here. For the certificate ARN and BGP ASN, I'm just gonna leave them as default. And then, for the routing options, I'm gonna choose static. Tunnel inside IP version is IPv4. The rest of the stuff is optional. If you need to make any changes, you go ahead and do that. Otherwise, you go ahead and click on Create VPN Connection. As you can see, the site-to-site is being created right now. The state is pending. This is gonna take a few minutes. I'll come back when it's done.

Okay, our site-to-site is ready now. The state shows available. The next thing we need to do is attach our VPC to the transit gateway. So in our AWS console, we go to Transit Gateway Attachments. Here, we're gonna click on Create Transit Gateway Attachment. For the name, we're just gonna give it a name here. So again, I'm just gonna put a quick name here. And the transit gateway ID: this is the transit gateway we created a minute ago. The attachment type is gonna be VPC. Again, we can choose here if you wanna have DNS support, IPv6 support, or appliance mode support; you select any of these as needed. Then for VPC ID, we're gonna choose our VPC ID. And then for the subnet, you can choose one subnet for each availability zone to be used by the transit gateway to route traffic. I just have one here. And then the last part is the tags. Again, optional. If you want to add any tags, you can add them here. I'm just gonna go ahead and click on Create Transit Gateway Attachment. So you can see here that it's being created. The state is pending. Again, this is gonna take a few minutes. I'll come back when it's done. Okay, it's done. You can see the state is available.

Now, the next part is to create a NAT Gateway in our VPC's public subnet. So if you remember, early on I showed that we had two subnets for our VPC. I just renamed this subnet so we can distinguish which one is which. So let me refresh this page and look here. So here we go. We have one public and one private. So we're gonna create the NAT Gateway in the VPC's public subnet. Now, in order to do so, we're gonna go to NAT Gateways in our AWS console again. And then we're gonna click on Create NAT Gateway. So here, we're gonna give it a name. So let me go ahead. Here we go. Then we're gonna select the subnet. Again, this is our public subnet, so I'm just gonna choose this one. The connectivity type is gonna be public. And then for the elastic IP allocation ID, we need to choose one or allocate one. So I'm just gonna choose one here. And the rest of the information is optional, so we can change it as needed. Then when you're done, click on Create NAT Gateway. And here we go. We can see that it is created. Okay, this is done. We can see the state is available.

Now we need to add some routes to our VPC private subnet and public subnet. So let's go back to our VPC here. And if you remember, we had two subnets, public and private. So let's go first to our public subnet. And we're gonna look at the route table here. Click on that and select Edit routes. We're gonna add a couple of routes here. So this is our public subnet. We're gonna go back to our CloudConnexa. There are two static IP prefixes, as you can see here. So we're gonna add these two to our public subnet routes, and we're gonna point them to our transit gateway, the one that we just created. So we're gonna click on that, go to Transit Gateway, and we're gonna choose the transit gateway. Do the same thing for the other range. Here we go. And again, the same transit gateway. And when we're done, we'll click on Save changes. So this is done. Now, let's go back to route tables. We need to add some routes to our private subnet as well. So, again, I'm gonna go to routes here, Edit routes. And the very first thing we're gonna do for the private subnet is add the all-zeros route (0.0.0.0/0) pointing to our NAT gateway, the one we just created. Then we're gonna do the same thing as before: we're gonna get these two IP subnets, and we're gonna point them to the transit gateway that we created earlier. Let's go ahead and grab the second one here. And we're gonna add that one here. So let's see. And same thing, it points to the transit gateway, and we are done. So now we need to download the configuration file. So let's go back to our Site-to-Site VPN Connection and select the tunnel, or site-to-site, that we created a few minutes ago. Click on Download configuration. For the vendor, we're gonna click on the dropdown and choose Generic. The rest of the stuff is okay, we can leave it as default and click on Download. Once this is downloaded, we head back to our CloudConnexa. Now if you scroll down to the second part, it says Set up CloudConnexa tunnel, and we can see we have an option of uploading a generic configuration file. So I'm just gonna go ahead and upload the file that I just downloaded. And here we go. The file has been uploaded. All the information is visible here for the tunnels, and we can click on Test connection to test each connection. And we can see our number one is connected. Let's try the second one as well. The second one is connected as well. So we'll go ahead and click on Next. So this is where we're gonna finish configuring our routing. We did configure the route tables in our VPC subnets in the previous step. There is one last thing that we need to do in our AWS console. So let me head back to the AWS console here.

Now, the last step is adding some routes to our transit gateway route table. So let's go to our transit gateways, and this is the one we created a few minutes ago. So let's go to Route Table. And here we're gonna add a few things. So click on Static routes. The very first thing we're gonna do, we need to get our WPC subnet. Again, if we go to CloudConnexa, we can see the WPC subnet here. We're gonna copy this, come back here, and add it. And the attachment that we're gonna use is gonna be the VPN. So we're gonna choose our VPN resource. Click on Create static route. We need to add another one here. So let's go back to routes again. So we're gonna go ahead and add: now we need to add our domain routing subnet. So we go back here to CloudConnexa, get the domain routing subnet, come back here, and add that, and this one is gonna be pointing to our VPN resource as well. So click on Create static route. And then the last one, we're gonna go ahead and use the all zeros, and this one is gonna point to our VPC resource. So we're gonna choose the VPC here and click on Create static route. So as we can see, the routes have been created, and this was the last step that we needed to do. So we're gonna go back to our CloudConnexa. Click on Next. So this is where we can add an application. Just for the purpose of this demo, I'm just gonna add an application that we have here, CRM. It's using HTTP and HTTPS, and the address is crm.ovnlab.local. Click on Add Application. So this has been added. Click on Next. Routes: if you need to add any routes, you can do that here. Or IP Services, you can add them here. Click on Next. Access Groups: if you need to configure any access groups, here you can do this. This is an optional step. You can create new access groups, or you can do that later on, and click on Finish. So as you can see, my connection status is online, the name of my network, the Internet Access Split Tunnel is on right now, Internet Gateway is off, and the tunneling protocol we use is IPsec.
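As an added example that is not part of the video or of CloudConnexa's own documentation, here is the AWS side of the procedure above (transit gateway, site-to-site VPN with static routing, VPC attachment, and the VPC and transit gateway routes) as Terraform, so the build can be reviewed and repeated instead of clicked through. The resource names, the PLACEHOLDER ids, and the 203.0.113.10, 192.0.2.0/24, 198.51.100.0/24, 198.18.0.0/16 and 198.19.0.0/16 addresses are assumptions standing in for your own VPC values and the values shown on the CloudConnexa network page.

```hcl
# Added example, not from the video or from CloudConnexa/AWS docs: the transit gateway,
# site-to-site VPN, VPC attachment and routes from this video as Terraform. The NAT gateway
# and the private subnet's 0.0.0.0/0 route are left out. All ids and addresses below are
# constructed placeholders; take the real values from your VPC and the CloudConnexa network page.
locals {
  vpc_id             = "vpc-PLACEHOLDER"
  attachment_subnet  = "subnet-PLACEHOLDER-private"   # one subnet per AZ used by the TGW
  route_tables       = { public = "rtb-PLACEHOLDER-public", private = "rtb-PLACEHOLDER-private" }
  cc_gateway_ip      = "203.0.113.10"                      # CloudConnexa remote gateway IP address
  cc_static_prefixes = ["192.0.2.0/24", "198.51.100.0/24"] # CloudConnexa static IP prefixes
  cc_vpn_subnets     = ["198.18.0.0/16", "198.19.0.0/16"]  # CloudConnexa WPC and domain routing subnets
}
resource "aws_ec2_transit_gateway" "ovn_lab" {
  description                     = "OVN Lab"
  dns_support                     = "enable"
  default_route_table_association = "enable"
  default_route_table_propagation = "enable"
}
resource "aws_customer_gateway" "cloudconnexa" {
  type       = "ipsec.1"
  bgp_asn    = 65000 # AWS requires an ASN even though routing is static
  ip_address = local.cc_gateway_ip
}
resource "aws_vpn_connection" "cloudconnexa" {
  customer_gateway_id = aws_customer_gateway.cloudconnexa.id
  transit_gateway_id  = aws_ec2_transit_gateway.ovn_lab.id
  type                = "ipsec.1"
  static_routes_only  = true # static routing, as chosen in the video
}
resource "aws_ec2_transit_gateway_vpc_attachment" "vpc" {
  transit_gateway_id = aws_ec2_transit_gateway.ovn_lab.id
  vpc_id             = local.vpc_id
  subnet_ids         = [local.attachment_subnet]
}
resource "aws_route" "to_cloudconnexa" { # public and private route tables: CloudConnexa prefixes via TGW
  for_each = { for p in setproduct(keys(local.route_tables), local.cc_static_prefixes) :
    "${p[0]}-${p[1]}" => { rt = local.route_tables[p[0]], cidr = p[1] } }
  route_table_id         = each.value.rt
  destination_cidr_block = each.value.cidr
  transit_gateway_id     = aws_ec2_transit_gateway.ovn_lab.id
}
# TGW route table: WPC and domain routing subnets via the VPN attachment, 0.0.0.0/0 via the VPC.
resource "aws_ec2_transit_gateway_route" "tgw" {
  for_each = merge(
    { for s in local.cc_vpn_subnets : s => aws_vpn_connection.cloudconnexa.transit_gateway_attachment_id },
    { "0.0.0.0/0" = aws_ec2_transit_gateway_vpc_attachment.vpc.id })
  destination_cidr_block         = each.key
  transit_gateway_attachment_id  = each.value
  transit_gateway_route_table_id = aws_ec2_transit_gateway.ovn_lab.association_default_route_table_id
}
```

The generic configuration file the video downloads corresponds to the tunnel1_*/tunnel2_* attributes (outside addresses and pre-shared keys) that the VPN connection resource exports, so treat the Terraform state holding them as sensitive and keep it out of version control.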

So in this video, we saw how we can connect our AWS VPC to CloudConnexa with IPsec using Transit Gateway. Just a quick note here again that you can connect your AWS VPC to CloudConnexa with IPsec using either the Transit Gateway or the Virtual Private Gateway. The Virtual Private Gateway provides connectivity to a single Amazon VPC within a specific AWS region, whereas the Transit Gateway provides connectivity to multiple Amazon VPCs within the same AWS region.