Tutorial: Connect AWS to CloudConnexa with IPsec using VPG

Abstract

This tutorial shows how to configure an IPsec connection to your AWS VPC. Once configured, site-to-site IPsec tunnels connect your AWS VPC to the configured CloudConnexa Region. On a successful connection, your CloudConnexa users and other networks connected to any of CloudConnexa's Regions can access the AWS VPC.

What is AWS Site-to-Site VPN?

By default, instances you launch into an Amazon VPC can't communicate with your own (remote) network. You can enable access to your remote network from your VPC by creating an AWS Site-to-Site VPN (Site-to-Site VPN) connection and configuring routing to pass traffic through the connection. Although VPN connection is a general term, in this documentation, a VPN connection refers to the connection between your VPC and your own on-premises network. Site-to-Site VPN supports Internet Protocol security (IPsec) VPN connections.

This tutorial shows how to configure an AWS Site-to-Site VPN connection between your AWS VPC and a CloudConnexa Region.

Note

IPsec connectivity is in closed Beta.

The AWS configuration involves:

  • Creating a customer gateway: The customer gateway is an AWS resource that provides information to AWS about the physical device or software application on your side of the Site-to-Site VPN connection (i.e., CloudConnexa Region).

  • Creating a virtual private gateway: A virtual private gateway is the VPN endpoint on the Amazon side of your Site-to-Site VPN connection that can be attached to a single VPC.

    Caution

    An IPsec VPN connection to your VPC using the Virtual Private Gateway (VPG) only allows access to resources inside a VPC. Use the Transit Gateway configuration if you have configured public resources as Applications and IP services to be reachable via this VPC. Refer to Tutorial: Connect AWS VPC to CloudConnexa with IPsec using Transit Gateway.

  • Creating a VPN connection: An encrypted link where data can pass from the customer network (i.e., CloudConnexa) to or from AWS. Each VPN connection includes two VPN tunnels, which you can simultaneously use for high availability.

  • Downloading the VPN Configuration File: The configuration file is an example of VPN settings. It also specifies pre-shared keys for authentication.

On a successful connection, your CloudConnexa users and other networks connected to any of CloudConnexa's Regions can access the AWS VPC.

  1. Add a Network using the Network Configuration Wizard to represent your AWS VPC and select the IPsec Tunneling Protocol option.

  2. In the Connector configuration step, select AWS from the Platform to Connect drop-down menu. Refer to CloudConnexa Connectors and About Network Connectors.

    Instructions will appear on how to configure IPsec connectivity with CloudConnexa.

  3. Click Next.

    You will see three steps:

    1. AWS Configuration Details: Use these values when configuring the AWS tunnel.

    2. Setup CloudConnexa Tunnel: Complete the CloudConnexa tunnel setup manually or automatically using the configuration file generated by AWS.

    3. Verify Connectivity: After configuring the tunnel on both sides, click “Test Connection” to check that CloudConnexa can establish a connection to the remote network.

  4. (AWS) Create a Customer Gateway in AWS to represent the IPsec endpoint of the CloudConnexa Region. Refer to AWS Documentation.

    Note

    You can also create the customer gateway while configuring the VPN connection.

    1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

    2. In the navigation pane, choose Customer gateways.

    3. Choose Create customer gateway.

    4. (Optional) For Name tag, enter a name for your customer gateway. Doing so creates a tag with a key of Name and the value that you specify.

    5. For BGP ASN, enter a Border Gateway Protocol (BGP) Autonomous System Number (ASN) for your customer gateway.

      Note

      The IPsec VPN is going to use static routing. Therefore, the BGP ASN does not matter here. You can enter any number here.

    6. For IP address, enter the IP address displayed as Remote Gateway IP Address on the CloudConnexa Administration Portal's Connector Configuration page as shown in AWS Configuration Details.

    7. (Optional, use only if you want to use certificate authentication instead of pre-shared keys) For Certificate ARN, choose the private certificate's Amazon Resource Name. For information about creating a private certificate, see Creating and managing a private CA in the AWS Private Certificate Authority User Guide.

    8. (Optional) For Device, enter a name for the customer gateway device associated with this customer gateway.

    9. Choose Create customer gateway.

  5. (AWS) To establish an IPsec VPN connection between your VPC and CloudConnexa, you must create a target gateway on the AWS side of the connection. The target gateway will be a virtual private gateway. To create a virtual private gateway in AWS and attach it to your VPC, follow these steps:

    1. In the navigation pane, choose Virtual private gateways.

    2. Choose Create virtual private gateway.

    3. (Optional) For Name tag, enter a name for your virtual private gateway. Doing so creates a tag with a key of Name and the value that you specify.

    4. For Autonomous System Number (ASN), keep the default selection, Amazon default ASN, to use the default Amazon ASN.

    5. Choose Create virtual private gateway.

    6. Select the virtual private gateway you created, then choose Actions, Attach to VPC.

    7. For Available VPCs, choose your VPC and then choose Attach to VPC.

  6. (AWS Optional) If you want instances in your AWS VPC to reach other networks connected to CloudConnexa (i.e., site-to-site connectivity between your VPC and other private networks connected to CloudConnexa), enable route propagation for your route table to propagate Site-to-Site VPN routes automatically. This will configure your route table to include the routes used by your VPN connection and point them to your virtual private gateway when the status of the VPN connection is UP. Follow the steps below:

    1. In the navigation pane, choose Route tables.

    2. Select the route table that's associated with the subnet.

    3. On the Route propagation tab, choose Edit route propagation. Select the virtual private gateway that you created in the previous procedure, and then choose Save.

  7. (AWS) Now that both the customer gateway (representing the CloudConnexa IPsec endpoint) and the virtual private gateway (representing the AWS VPC IPsec endpoint) are configured and created, you are ready to create the VPN connection by following the steps below:

    1. In the navigation pane, choose Site-to-Site VPN connections.

    2. Choose Create VPN connection.

    3. (Optional) For Name tag, enter a name for your VPN connection. Doing so creates a tag with a key of Name and the value that you specify.

    4. For Target gateway type, choose Virtual private gateway. Then, choose the virtual private gateway that you created earlier.

    5. For Customer gateway, select Existing, then choose the customer gateway that you created earlier from Customer gateway ID.

    6. Select Static as the routing option.

    7. For Static IP Prefixes, copy and paste the Static IP Prefixes displayed on the CloudConnexa Administration Portal's Connector Configuration page as shown in AWS Configuration Details.

      Note

      The Static IP Prefixes include the Routes of all CloudConnexa Networks configured so far. If you add new Networks or Routes and want site-to-site networking with your VPC, you must update the Static IP Prefixes.

    8. Choose Create VPN connection. It might take a few minutes to create the VPN connection.

  8. (AWS) Download the VPN connection configuration file needed to configure CloudConnexa's IPsec connection by following the steps below:

    1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

    2. In the navigation pane, choose Site-to-Site VPN connections.

    3. Select your VPN connection and choose Download configuration.

    4. Choose Generic for the customer gateway device.

    5. Choose Download.

    Note

    To properly load the download configuration screen from the AWS Management Console, you must ensure that your IAM role or user has permission for the following Amazon EC2 APIs: GetVpnConnectionDeviceTypes and GetVpnConnectionDeviceSampleConfiguration.

  9. Now that you have the configuration file from AWS, upload it to configure the IPsec tunnels to CloudConnexa.

    To use the file to configure CloudConnexa automatically, click Upload Generic Configuration File and select the file.

    Note

    AWS creates two parallel tunnels by default for redundancy and high availability. Two CloudConnexa Connectors, one for each IPsec tunnel, will be created.

  10. Click Test Connection 1 and Test Connection 2 to check connectivity for both the IPsec tunnels.

  11. Continue with the network wizard instructions.
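
An added example, not part of the original tutorial or of any CloudConnexa or AWS code: a Python check over the JSON returned by `aws ec2 describe-vpn-connections` that flags a non-static routing option, static prefixes that have drifted from the list shown in the portal, and tunnels that are not UP. The sample JSON, the `vpn-EXAMPLE` ID, the addresses and the prefixes are constructed, and `audit_vpn` is a hypothetical helper name.

```python
import ipaddress
import json

# Constructed sample shaped like `aws ec2 describe-vpn-connections --output json`.
# The ID, addresses and prefixes are placeholders, not values from the tutorial.
SAMPLE = json.loads("""
{"VpnConnections": [{
  "VpnConnectionId": "vpn-EXAMPLE",
  "Options": {"StaticRoutesOnly": true},
  "Routes": [
    {"DestinationCidrBlock": "10.20.0.0/16", "State": "available"},
    {"DestinationCidrBlock": "172.16.8.0/24", "State": "available"}],
  "VgwTelemetry": [
    {"OutsideIpAddress": "203.0.113.10", "Status": "UP"},
    {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN"}]
}]}
""")


def audit_vpn(conn, portal_prefixes):
    """Return findings for one VpnConnections entry (hypothetical helper)."""
    findings = []
    if not conn.get("Options", {}).get("StaticRoutesOnly"):
        findings.append("routing option is not Static")
    # Compare as network objects so formatting differences do not matter.
    want = {ipaddress.ip_network(p, strict=False) for p in portal_prefixes}
    have = {ipaddress.ip_network(r["DestinationCidrBlock"], strict=False)
            for r in conn.get("Routes", []) if r.get("State") == "available"}
    for net in sorted(want - have, key=str):
        findings.append(f"missing static prefix {net}")
    for net in sorted(have - want, key=str):
        findings.append(f"unexpected static prefix {net}")
    tunnels = conn.get("VgwTelemetry", [])
    if len(tunnels) != 2:
        findings.append(f"expected 2 tunnels, found {len(tunnels)}")
    for t in tunnels:
        if t.get("Status") != "UP":
            findings.append(f"tunnel {t.get('OutsideIpAddress')} is {t.get('Status')}")
    return findings


if __name__ == "__main__":
    # Static IP Prefixes as copied from the portal (constructed values here).
    portal = ["10.20.0.0/16", "172.16.8.0/24", "192.168.50.0/24"]
    for conn in SAMPLE["VpnConnections"]:
        for finding in audit_vpn(conn, portal):
            print(f"{conn['VpnConnectionId']}: {finding}")
```

A "missing" finding means a CloudConnexa Network or Route was added after the VPN connection was created; an "unexpected" finding means the VPC is routing to a prefix the portal no longer lists.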