Tutorial: Connect AWS to CloudConnexa with IPsec using VPG

Abstract

Configure an AWS site-to-site VPN between your VPC and CloudConnexa using a Virtual Private Gateway (VPG), including connector setup, AWS configuration, and connectivity verification.

This tutorial walks you through connecting your AWS VPC to CloudConnexa using an IPsec tunnel with a Virtual Private Gateway.

You'll complete steps in both the AWS Console and the CloudConnexa Administration Portal. To make this easier to follow, each step is labeled with an icon:

  • ☁️ AWS Console steps — performed in AWS

  • 🔐 CloudConnexa steps — performed in CloudConnexa

To complete this setup, you'll configure:

  • A Customer Gateway to represent the CloudConnexa endpoint.

  • A Virtual Private Gateway attached to your VPC.

  • A site-to-site VPN connection between AWS and CloudConnexa.

  • Tunnel configuration using an AWS-generated configuration file.

Once configured, users and networks connected to CloudConnexa can securely access resources in your AWS VPC.

When to use this setup

Use this configuration when you want to connect a single VPC to CloudConnexa via a virtual private gateway, which only provides access to resources within that VPC. If you need broader connectivity (for example, access to multiple VPCs or public resources), use a Transit Gateway instead. Refer to Tutorial: Connect AWS VPC to CloudConnexa with IPsec using Transit Gateway.

Before you begin

  • Ensure you have a CloudConnexa account and Cloud ID.

  • Ensure you have access to your AWS account and VPC.

  • Ensure your VPC is created and properly configured, including routing and subnets.

🔐 Step 1: Create a Network (CloudConnexa)

  1. Navigate to Networks → Networks.

  2. Click Add Network.

  3. Select at least one Network Scenario. Refer to these tutorials for details:

  4. Click Continue.

  5. For the Network Configuration, enter a name and description (optional).

  6. Select IPsec as the Connector Tunneling Protocol.

  7. For the Connector, enter a name and description (optional).

  8. Click Next.

🔐 Step 2: Select AWS as the platform (CloudConnexa)

In the Network Configuration Wizard, you'll begin configuring your AWS VPC.

2.1 Select the AWS platform

  1. In Platform to Connect, select AWS. Refer to CloudConnexa Connectors and About Network Connectors.

    Instructions will appear on how to configure IPsec connectivity with CloudConnexa.

  2. Review the step-by-step guide.

  3. Click Next.

2.2 Review AWS configuration details

CloudConnexa displays the values required for AWS configuration.

  1. Note the following values from AWS Configuration Details:

    • Target Gateway

    • Virtual Private Gateway / Transit Gateway

    • Customer Gateway

    • Remote Gateway IP Address

    • Certificate ARN

    • Routing Options

    • Static IP Prefixes

  2. You will use these values when configuring AWS resources.

☁️ Step 3: Configure AWS resources (AWS Console)

Set up the required AWS components to establish the IPsec tunnel.

3.1 Create a Customer Gateway

Create an AWS customer gateway as the IPsec endpoint for the CloudConnexa Region.

Note

You can also create the customer gateway while configuring the VPN connection.

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. Navigate to Customer gateways.

  3. Click Create customer gateway.

  4. Enter:

    • Name tag (optional): This creates a tag with a Name key and the value that you specify.

    • BGP ASN: Enter a Border Gateway Protocol Autonomous System Number (ASN) for your customer gateway.

      Note

      The IPsec VPN uses static routing, so the BGP ASN is not used; you can enter any valid number.

    • IP address: Use the CloudConnexa Public IP Address displayed for your network connector configuration.

  5. (Optional) Configure certificate authentication if you'll be using certificate-based authentication. Refer to Creating and managing a private CA.

  6. (Optional) For Device, enter a name for the customer gateway device associated with this customer gateway.

  7. Click Create customer gateway.

3.2 Create a Virtual Private Gateway

To establish an IPsec VPN connection between your VPC and CloudConnexa, create an AWS target gateway. This target gateway will be a virtual private gateway.

  1. Navigate to Virtual private gateways.

  2. Click Create virtual private gateway.

  3. (Optional) Enter a name.

  4. Keep the default ASN.

  5. Click Create.

  6. Select the VPC, then click Actions → Attach to VPC.

  7. Select your VPC and confirm.

3.3 (Optional) Enable route propagation

Turn on route propagation on your AWS VPC route table if you want site-to-site connectivity between your VPC and other private networks connected to CloudConnexa.

  1. Navigate to Route tables.

  2. Select your route table associated with the subnet.

  3. On the Route propagation tab, click Edit route propagation.

  4. Select your new virtual private gateway.

  5. Save changes.

    Routes from your VPN connection are automatically added to the route table and directed to the virtual private gateway when the connection is active.

3.4 Create the VPN connection

  1. Navigate to Site-to-Site VPN connections.

  2. Click Create VPN connection.

  3. Configure:

    • Target gateway type: Select Virtual private gateway, and select the new virtual private gateway.

    • Customer gateway: Select the newly created customer gateway.

    • Routing options: Select Static.

  4. For Static IP Prefixes, copy and paste the Static IP Prefixes displayed on the CloudConnexa Administration Portal's Connector Configuration page, as shown in AWS Configuration Details.

    Note

    The Static IP Prefixes include the Routes of all CloudConnexa Networks configured so far. If you add new Networks or Routes and want site-to-site networking with your VPC, you must update the Static IP Prefixes.

  5. Click Create VPN connection.

3.5 Download the AWS configuration file

  1. Navigate to Site-to-Site VPN connections.

  2. Select your new VPN connection.

  3. Click Download configuration.

  4. Select Generic for the customer gateway device.

  5. Download the file.

    Important

    To properly load the download configuration screen from the AWS Management Console, ensure that your IAM role or user has permission for the following Amazon EC2 APIs: GetVpnConnectionDeviceTypes and GetVpnConnectionDeviceSampleConfiguration.

🔐 Step 4: Configure the Network Connector (CloudConnexa)

In this step, configure the IPsec tunnels on the CloudConnexa side using the AWS configuration.

CloudConnexa supports two tunnels for high availability. You can configure them manually or upload the AWS configuration file.

4.1 Configure CloudConnexa tunnel

  1. Return to the CloudConnexa network wizard configuration.

  2. Select the Authentication Method:

    • Shared Secret: Specify the pre-shared keys (PSK) in each tunnel configuration in the next step.

    • Certificate-based: Upload certificates to apply to all tunnel connectors, and enter the passphrase.

  3. If you select Shared Secret, you can proceed to option 1 and upload an AWS configuration file. For Certificate-based, proceed to option 2 to configure tunnels manually.

If you prefer, you can configure each tunnel manually using the values provided by AWS.

  1. Expand Tunnel 1.

  2. Enter the following:

    • Remote Site Public IPv4 Address: Enter the AWS tunnel endpoint IP address (from AWS configuration, Tunnel 1).

    • Pre-shared Key (PSK): Enter the pre-shared key provided by AWS.

      Important

      You must specify a pre-shared key for each tunnel configuration.

  3. (Optional) Configure advanced settings: Expand Advanced Configuration to customize IPsec parameters:

    • IKE Version: Select the version: IKEv1 or IKEv2.

      Tip

      If using IKEv2 and only GCM encryption algorithms (AES-128-GCM-16 and/or AES-256-GCM-16), the integrity algorithm and a DH group are optional in phase 2.

      For non-GCM encryption algorithms, an integrity algorithm and a DH group are required. The default values are applied automatically.

    • Phase 1 settings:

      • Encryption Algorithm: Select one or more supported encryption algorithms.

      • Integrity Algorithm: Select a supported integrity algorithm.

      • Diffie-Hellman Group: Select a DH group supported by your device.

      • Lifetime (sec): Enter a value between 901 and 86400.

    • Phase 2 settings:

      • Encryption Algorithm: Select one or more supported encryption algorithms.

      • Integrity Algorithm: Select a supported integrity algorithm.

      • Diffie-Hellman Group: Select a DH group supported by your device.

      • Lifetime (sec): Enter a value between 900 and 28800.

    • IKE rekey settings:

      • Rekey Margin Time (sec): Value between 60 and half of the Phase 2 lifetime.

      • Rekey Fuzz (%): Value between 0 and 100.

      • Replay Window Size (packets): Value between 64 and 2048.

    • Connection behavior:

      • Startup Action: Defines how the tunnel is initiated.

      • CloudConnexa Connection Restoration: Controls whether the tunnel automatically reconnects if interrupted:

        • Defaults to Yes when Startup Action = Start.

        • Automatically set to No when Startup Action = Attach and can't be changed.

      AWS-specific note

      When you set AWS connectors to Attach for the Startup Action, CloudConnexa doesn't initiate the tunnel.

  4. (Optional but recommended) Expand Tunnel 2 and repeat the same configuration steps using AWS Tunnel 2 values.

    Tip

    Using both tunnels provides high availability and failover.
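As an added example (not part of this tutorial, AWS or CloudConnexa), the following Python script reads a Generic-format configuration file downloaded in Step 3.5 and pulls out, per tunnel, the values you enter by hand in Step 4.1 (remote public IP, PSK, lifetimes), checking the lifetimes against the ranges the connector form accepts. The embedded sample is constructed and far shorter than a real download; the parser assumes the real file keeps the same "- Key : value" line layout under the "#1:" (IKE), "#2:" (IPSec) and "Outside IP Addresses" headers.

```python
# Constructed sample shaped like the AWS "Generic" download (Step 3.5); placeholder values only.
SAMPLE_AWS_CONFIG = """\
! IPSec Tunnel #1
! #1: Internet Key Exchange Configuration
!   - Pre-Shared Key           : PLACEHOLDER_PSK_1
!   - Lifetime                 : 28800 seconds
! #2: IPSec Configuration
!   - Encryption Algorithm     : aes-256-gcm-16
!   - Lifetime                 : 3600 seconds
! Outside IP Addresses:
!   - Virtual Private Gateway  : 192.0.2.1
! IPSec Tunnel #2
! #1: Internet Key Exchange Configuration
!   - Pre-Shared Key           : PLACEHOLDER_PSK_2
!   - Lifetime                 : 28800 seconds
! #2: IPSec Configuration
!   - Encryption Algorithm     : aes-128-cbc
!   - Lifetime                 : 36000 seconds
! Outside IP Addresses:
!   - Virtual Private Gateway  : 192.0.2.2
"""
# Lifetime ranges accepted by the CloudConnexa connector form (Step 4.1).
LIFETIME_RANGE = {"phase1": (901, 86400), "phase2": (900, 28800)}
def parse_tunnels(text):
    """{tunnel_no: {section: {key: value}}}; 'Lifetime' repeats per section, so the last header decides."""
    tunnels, current, section = {}, None, None
    for line in text.splitlines():
        body = line.lstrip("! ").rstrip()
        if body.startswith("IPSec Tunnel #"):
            current, section = tunnels.setdefault(int(body.split("#")[1]), {}), None
        elif body[:3] in ("#1:", "#2:"):
            section = "ike" if body[:2] == "#1" else "ipsec"
        elif body.startswith("Outside IP"):
            section = "outside"
        elif body.startswith("-") and section and current is not None:
            key, _, value = body[1:].partition(":")
            current.setdefault(section, {})[key.strip()] = value.strip()
    return tunnels
def connector_values(t):
    """Map one parsed AWS tunnel onto the CloudConnexa Tunnel fields; list what the form would reject."""
    lifetimes = {"phase1": int(t["ike"]["Lifetime"].split()[0]),
                 "phase2": int(t["ipsec"]["Lifetime"].split()[0])}
    problems = [f"{p} lifetime {v}s outside {LIFETIME_RANGE[p]}"
                for p, v in lifetimes.items()
                if not LIFETIME_RANGE[p][0] <= v <= LIFETIME_RANGE[p][1]]
    gcm_only = "gcm" in t["ipsec"]["Encryption Algorithm"].lower()
    return {"remote_site_public_ip": t["outside"]["Virtual Private Gateway"],
            "psk": t["ike"]["Pre-Shared Key"], **lifetimes, "problems": problems,
            # Only with IKEv2 and GCM-only ciphers may phase 2 integrity/DH be left unset (Tip above).
            "phase2_integrity_optional_ikev2": gcm_only}
```

Tunnel 2 in the sample deliberately carries a Phase 2 lifetime above 28800 seconds, so its `problems` list shows what would need changing before the connector form accepts it.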

4.2 Verify connectivity

  1. Click Test Connection 1.

    CloudConnexa attempts to establish a connection to your AWS network.

  2. Check the connection status:

    • Connected — The tunnel is successfully established.

    • Offline — The connection failed or hasn't been established yet.

      Tip

      If the connection status is Offline:

      • Click View Logs to review connection details.

      • Verify the following:

        • PSK or certificates match on both sides.

        • IPsec parameters (encryption, DH group, lifetimes) are aligned.

        • Firewall rules allow IPsec traffic.

        • The correct public IP address is configured.

  3. Click Test Connection 2 (if configured).

    CloudConnexa attempts to establish the second connection to your AWS network.

  4. Check the connection status:

    • Connected — The tunnel is successfully established.

    • Offline — The connection failed or hasn't been established yet. Click View Logs and verify the same items (PSK or certificates, IPsec parameters, firewall rules, public IP address) as for Tunnel 1.

🔐 Step 5: Complete the Setup (CloudConnexa)

  1. Click Finish to complete the Network configuration.

  2. Confirm that:

    • The Network is created.

    • The Connector shows a Connected status.