Nerdy Drunk

Drunk on technology

User Tools

Site Tools

You are here: start » aws » vpc-to-vpc-vpn

Sidebar

Topics

Topic Search


Home Lab
About Me


Twitter @taingalls


Subject Matter Expert Specialty Advanced Networking Specialty Security Specialty Data Analytics Specialty Machine Learning Specialty Database Specialty SAP on AWS Specialty Solutions Architect Professional DevOps Engineer Professional SysOps Administrator Associate Solutions Architect Associate Developer Associate Cloud Practitioner

Mastodon twit.social/@taingalls
aws:vpc-to-vpc-vpn

AWS VPC VGW to VPC VGW Site to Site VPN

,

First off, DO NOT DO THIS!

This design uses only AWS VPC Virtual Private Gateway VPNs for establishing connectivity. There are much better, and more affordable, ways of establishing connectivity between two VPCs such as VPC peering, Transit Gateways, and Transit VPC. This was a test to see how AWS VPC networking has evolved from when I first started using AWS in August 2016 to its current state as of September 2020. When I first started with AWS it was not possible to establish a VPN between two VPCs using only AWS native services. At minimum you had to run an EC2 instance based firewall / router to be one side of the VPN.


Download diagram

The following features from AWS make this type of setup possible;

  • AWS VPN can now initiate establishing the VPN (this was not possible until August 2020)
  • The Customer Gateway on a VPN tunnel can be modified (similar method to modifying DHCP Option Set) ( April 2019 or August 2019 not fully sure)

To do this I had to create the VPN from VPC A to VPC B with a temporary Customer Gateway public IP so I could get the public tunnel IPs for the VPN. Then I was able to create the VPN from VPC B to VPC A and use the advanced settings to configure the VPN to start the connection. Once I was able to get the tunnel IPs for the VPN from VPC B to VPC A I was then able to replace the Customer Gateway on the first VPN and successfully pass traffic, after I remembered to add the necessary routes.

Prerequisites

  • Two VPCs are already created
  • VPCs CIDRs do not overlap

Rundown

  1. Create temporary Customer Gateway
  2. Create VPN from VPC A to VPC B with temporary Customer Gateway
  3. Obtain public IP for tunnel 1 from VPN A to B and create Customer Gateway
  4. Start creation of VPN from VPC B to VPC B with VPN A to B Customer Gateway
  5. Use advanced setting to set Startup Action as “start”
  6. Complete creation of VPN B to A
  7. Obtain public IP for tunnel 1 from VPN B to A and create Customer Gateway
  8. Replace Customer Gateway on VPN A to B with VPN B to A Customer Gateway
  9. Remove temporary Customer Gateway
  10. Verify that routes are in place in VPC A and VPC B to use the new VPN
  11. Verify that security groups allow inbound traffic from across the VPN
  12. Test connectivity
VPC CIDR Tunnel 1 Outside Tunnel 1 Inside Tunnel 2 Outside Tunnel 2 Inside
VPC A 10.0.0.0/16 35.168.214.210 169.254.4.4/30 35.174.30.48 169.254.8.8/30
VPC B 10.1.0.0/16 52.206.195.54 169.254.4.4/30 54.152.154.10 169.254.8.8/30
VPN Local CIDR Remote CIDR Customer Gateway Address Startup Action DPD Timeout Action
VPC A to VPC B 10.0.0.0/16 10.1.0.0/16 52.206.195.54 (VPC B Tun 1) <default> <default>
VPC B to VPC A 10.1.0.0/16 10.0.0.0/16 35.168.214.210 (VPC A Tun 1) *start* *restart*
aws/vpc-to-vpc-vpn.txt · Last modified: 2022/07/21 10:41 by 127.0.0.1

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki