In this section you’ll create the following resources in the network-prod AWS account: a customer gateway that represents your on-premises VPN device, a transit gateway whose default route table association and propagation are disabled, and a transit gateway VPN attachment, which also provisions the Site-to-Site VPN connection.

After you create these resources, in the next section you’ll set up the customer on-premises side of the Site-to-Site VPN connection.
Your first step is to register the on-premises side of your site-to-site VPN connection as a customer gateway in your AWS environment.
Simulating On-Premises Customer Gateway: If you’re either experimenting with AWS Site-to-Site VPN connections or demonstrating how they work, you can easily simulate a customer on-premises environment and customer gateway. See Simulating Site-to-Site VPN Customer Gateways Using strongSwan for details on setting up an open source based VPN gateway in a separate VPC that simulates an on-premises environment.
Register your on-premises customer gateway device in AWS:

1. Sign in to the AWS Management Console of the network-prod AWS account using the AWSAdministratorAccess role.
2. Navigate to VPC.
3. Select Customer Gateways.
4. Select Create Customer Gateway.
5. Fill in the form with the following values:
Field | Recommendation | Notes |
---|---|---|
Name | infra-dc1-01 | Accounts for the possibility of multiple customer gateway devices in each of multiple data centers. |
Routing | Dynamic Routing | |
BGP ASN | 6500 | This is an example value. Consult your Network team for the ASN assigned to the customer gateway in your on-premises environment; it must match the ASN the device announces over BGP. If your device uses a private ASN, it will be in the 16-bit private range 64512–65534. |
IP Address | Public IP address of your on-premises customer gateway | |
Certificate ARN | Leave empty | |
Device | Leave empty | |
Select Create Customer Gateway to create the resource.

Pre-shared Key and Certificate Options: These example setup instructions use the pre-shared key option to authenticate your Site-to-Site VPN tunnel endpoints; AWS generates a separate pre-shared key for each tunnel unless you supply your own in the tunnel options. If you don’t want to use pre-shared keys, you can use a private certificate from AWS Certificate Manager Private Certificate Authority to authenticate your VPN endpoints. See Site-to-Site VPN tunnel authentication options.
Next, create a transit gateway:

1. In the VPC console, select Transit Gateways.
2. Select Create Transit Gateway.
3. Fill in the form with the following values:
Field | Recommendation | Notes |
---|---|---|
Name tag | infra-main | You’ll be able to use a single transit gateway for both on-premises integration and VPC-to-VPC routing if necessary. |
Description | | |
Amazon side ASN | Consult your Network team | One consideration is to use a unique private ASN per transit gateway to provide more flexible routing options. |
DNS support | Checked | Lets instances in attached VPCs resolve public DNS hostnames of resources in other attached VPCs to their private IP addresses. |
VPN ECMP support | Checked | Enables you to use multiple VPN connections to aggregate VPN throughput. ECMP applies only to VPN attachments that use dynamic (BGP) routing. |
Default route table association | Unchecked | Uncheck this option so that you can have greater control over routing between your VPCs. |
Default route table propagation | Unchecked | Since we’re not using the transit gateway’s default route table, uncheck this option. |
Auto accept shared attachments | Unchecked | Attachment requests from other accounts that use a shared transit gateway must then be explicitly accepted. |
Select Create Transit Gateway.
Default Table Association and Propagation: In this guide a single transit gateway is configured to enable your VPCs to reuse a common site-to-site VPN connection with your on-premises environment. However, by default, we don’t want to allow your production, test, and team development VPCs to connect to each other. In this scenario, you’ll want to avoid use of the transit gateway’s default route table. Instead, this guide leads you through the setup of two transit gateway route tables so that you have greater control over connectivity and routing between your VPCs. For background on isolated VPCs and shared services, see the VPC guides Isolated VPCs and Isolated VPCs with shared services.
Create the VPN attachment on the transit gateway:

1. Select Transit Gateway Attachments.
2. Select Create Transit Gateway Attachment.
3. Fill in the form with the following values:
Field | Recommendation |
---|---|
Transit Gateway ID | Select your transit gateway |
Attachment Type | VPN |
Customer Gateway | Existing |
Customer Gateway ID | Select the value from the list that matches the ID of the customer gateway you just created. |
Routing options | Dynamic (requires BGP) |
Enable acceleration | Leave unchecked |
Tunnel Options | Leave unchecked |
Select Create attachment.

Select the Name cell of the newly created attachment and assign a name to the attachment, for example infra-dc1-01, the same name as your customer gateway resource.

As a result of the VPN attachment being provisioned, you will notice in the Site-to-Site VPN Connections area of the console that a new connection resource has been created. If you review the Tunnel Details of the connection, both tunnels will show the DOWN state because you have not yet configured the on-premises side of the connection. Each tunnel has its own outside IP address and pre-shared key; you’ll need both when you configure the customer gateway device.
Before you configure the on-premises side of the site-to-site VPN connection, assign a name to the site-to-site VPN connection:

1. Select Site-to-Site VPN Connections.
2. Select the Name cell of the newly created site-to-site VPN connection and assign a name to it, for example infra-dc1-01, the same name as your customer gateway resource.
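The whole procedure above (customer gateway, transit gateway, VPN attachment, and the tunnel-state check), as an added AWS CLI example that is not part of the original guide. It assumes that credentials for the network-prod account are already configured (for example through AWS_PROFILE), and the values it passes are the examples from the tables plus assumptions of mine: 203.0.113.10 (a documentation address) for the customer gateway's public IP, 64512 for the Amazon-side ASN, and placeholder cgw-/tgw- IDs in dry-run mode. The script prints each command by default; set DRY_RUN=0 to actually create the resources.

```shell
#!/bin/sh
# Added example, not part of the original guide: create the customer gateway,
# transit gateway and VPN attachment described above with the AWS CLI, then
# check tunnel state. DRY_RUN=1 (the default) prints each command instead of
# running it; set DRY_RUN=0 with credentials for the network-prod account to apply.
set -eu

: "${DRY_RUN:=1}"

# Print the command in dry-run mode, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Customer gateway: on-premises device name, its BGP ASN and its public IP.
# Prints the new customer gateway ID when applied.
create_customer_gateway() {
  name=$1; asn=$2; public_ip=$3
  run aws ec2 create-customer-gateway \
    --type ipsec.1 \
    --bgp-asn "$asn" \
    --public-ip "$public_ip" \
    --tag-specifications "ResourceType=customer-gateway,Tags=[{Key=Name,Value=$name}]" \
    --query CustomerGateway.CustomerGatewayId --output text
}

# Transit gateway with the settings from the table above: default route table
# association and propagation disabled, shared attachments not auto-accepted,
# DNS support and VPN ECMP enabled. Prints the new transit gateway ID when applied.
create_transit_gateway() {
  name=$1; amazon_asn=$2
  run aws ec2 create-transit-gateway \
    --description "Shared transit gateway for on-premises VPN and VPC-to-VPC routing" \
    --options "AmazonSideAsn=$amazon_asn,AutoAcceptSharedAttachments=disable,DefaultRouteTableAssociation=disable,DefaultRouteTablePropagation=disable,VpnEcmpSupport=enable,DnsSupport=enable" \
    --tag-specifications "ResourceType=transit-gateway,Tags=[{Key=Name,Value=$name}]" \
    --query TransitGateway.TransitGatewayId --output text
}

# VPN attachment: a Site-to-Site VPN connection bound to the transit gateway.
# StaticRoutesOnly=false selects dynamic (BGP) routing, which ECMP requires.
# Prints the new VPN connection ID when applied; both tunnels stay DOWN until
# the on-premises side is configured.
create_vpn_attachment() {
  name=$1; cgw_id=$2; tgw_id=$3
  run aws ec2 create-vpn-connection \
    --type ipsec.1 \
    --customer-gateway-id "$cgw_id" \
    --transit-gateway-id "$tgw_id" \
    --options StaticRoutesOnly=false,EnableAcceleration=false \
    --tag-specifications "ResourceType=vpn-connection,Tags=[{Key=Name,Value=$name}]" \
    --query VpnConnection.VpnConnectionId --output text
}

# Read "<outside IP> <UP|DOWN>" lines on stdin, one per tunnel, and return 0
# only when every tunnel is UP. Produce the lines with:
#   aws ec2 describe-vpn-connections --vpn-connection-ids "$vpn_id" \
#     --query 'VpnConnections[0].VgwTelemetry[].[OutsideIpAddress,Status]' \
#     --output text | check_tunnels
check_tunnels() {
  down=0
  while read -r ip status; do
    [ -n "$ip" ] || continue
    printf 'tunnel %s: %s\n' "$ip" "$status"
    [ "$status" = UP ] || down=$((down + 1))
  done
  [ "$down" -eq 0 ]
}

# Stand-alone run with example values: 6500 is the ASN from the table, 64512
# is an assumed private Amazon-side ASN, 203.0.113.10 is a documentation
# address and the cgw-/tgw- IDs are placeholders (all assumptions).
if [ "$DRY_RUN" = 1 ]; then
  create_customer_gateway infra-dc1-01 6500 203.0.113.10
  create_transit_gateway infra-main 64512
  create_vpn_attachment infra-dc1-01 cgw-0123456789abcdef0 tgw-0123456789abcdef0
else
  cgw_id=$(create_customer_gateway infra-dc1-01 6500 203.0.113.10)
  tgw_id=$(create_transit_gateway infra-main 64512)
  vpn_id=$(create_vpn_attachment infra-dc1-01 "$cgw_id" "$tgw_id")
  aws ec2 describe-vpn-connections --vpn-connection-ids "$vpn_id" \
    --query 'VpnConnections[0].VgwTelemetry[].[OutsideIpAddress,Status]' \
    --output text | check_tunnels || echo "tunnels not yet UP: configure the on-premises side"
fi
```

Run it as-is to review the exact commands before applying. The Name tag set here lands on the VPN connection; the transit gateway attachment's Name is still assigned in the console as described above. check_tunnels fails while either tunnel reports DOWN, which is the expected result until the on-premises side is configured in the next section, so it doubles as the check to rerun once that work is done.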