TABLE OF CONTENT

1. Introduction

A site-to-site VPN connection is usually done between two remote networks: a cloud provider and an on-premises network. It helps secure private communication between the remote resources or connects multiple resources in different office locations. IP sec connections work with the help of key exchange, authentication, and encryption providing enhanced security for data transfers.

This type of connection is permanent, which means it is generally a long-lived connection. However, other network connections like remote access VPN are temporarily used to connect to applications for a short time.

Some Benefits of IP-sec site to site VPNs are:

Connect to remote resources either on the cloud provider side or on-premise office locations
Helps to identify network drives
Enables to configure routing for enhanced security

Today I will explain in detail the step-by-step procedure to connect an AWS site-to-site VPN connection to any third-party firewall or network environment. These will consist of basic steps to connect almost any local on-premises network to AWS. In today’s example, I would work with the SOPHOS-XG firewall.

Let us go to the required steps for connecting AWS VPN to a third-party network environment:

2. Configuring AWS

Create A custom VPC in the AWS portal
Create a customer gateway

Provide a name for your customer gateway
In our demo, we are taking routing as static
Enter the Firewall’s public IP address of your on-premises in IP address
We are not choosing any certificate and devices; you can choose if there is the requirement
Create a Virtual private gateway and attach it with your VPC

Choose a name for the virtual private gateway
For ASN, choose Amazon default ASN

Attach the VPG with your AWS VPC
Create a Site-to-site VPN connection

Enter the name for the connection
Choose the virtual private gateway we created earlier
Choose the customer gateway we created earlier
Choose Routing as Static
Define static IP as of on-premises subnet where your resources are
Tunnel inside IP version: IPv4
Local IPv4: Same as your on-premises subnet
Remote IPv4: Your AWS subnet and create the VPN connection
Download the configuration file
Choose vendor and platform as generic if your network is not mentioned in the option

The configuration file is in text format, which you can use for the configuration at your on-premises firewall/environment.The text file contains information like:VPN connection ID, Virtual private-gateway ID, IKE version, Encryption algorithm type,DH group and pre-shared key for both IPsec tunnel 1 and 2 and much more

3. Configuring the Firewall

To configure at your on-premises, here we have used SOPHOS-XG firewall as our local environment
- Go to the admin page of your network environment
- Navigate to Configure> VPN
- Sophos -XG firewall uses an IPsec policy to create the VPN connection
- Configure the details in Phase-1 which are needed such as:
- Key-exchange
- Key-life
- DH-group
- Encryption and Authentication method
Here at Sophos-XG, you also need to configure a phase-2 with the same settings

You can find other information needed in the configuration file which we downloaded in the previous step
Add a VPN IP-sec tunnel in the network to connect to the AWS cloud environment
- Give a descriptive name of your Choice
- Connection type as a tunnel interface
- Select the policy which we created in the previous step
- Authentication type
- Pre-shared key
- Local ID: For Local ID, enter the public IP of the on-premises network
- Remote ID: Enter the VPC CIDR block of AWS custom VPC we created

4. Checking the connection status

Everything is done and fulfilled according to the basic configuration needed for your VPN tunnel. The connection status will be UP and Running, which will also reflect in the AWS site to site VPN connections page.

5. Summary

We have successfully configured a site-to-site VPN connection between AWS and an on-premises network. Your remote network can be anything from a private network environment to a paid firewall environment. AWS provides a generic configuration file that contains detailed information about your AWS side VPN. You can choose between vendors like Cisco, Fortinet, Palo Alto, Juniper, etc.

You can start using your up and running tunnel to transfer data, data migration, network drives sharing, and more. VPNs make the transfer secure, highly available, and reliable.

6. About CloudThat

We here at CloudThat are the official AWS (Amazon Web Services) Advanced Consulting Partner and Training partner and Microsoft gold partner, helping people develop knowledge on cloud and help their businesses aim for higher goals using best in industry cloud computing practices and expertise. We are on a mission to build a robust cloud computing ecosystem by disseminating knowledge on technological intricacies within the cloud space. Our blogs, webinars, case studies, and white papers enable all the stakeholders in the cloud computing sphere.

Feel free to drop a comment or any queries that you have regarding AWS services, cloud adoption, consulting and we will get back to you quickly. To get started, go through our Expert Advisory page and Managed Services Package that is CloudThat’s offerings.

7. Frequently Asked Questions

What is VPN connection in AWS?

AWS VPN establishes connectivity between various networks that includes on-premises networks, remote workplaces, client devices, and AWS global network. The AWS VPN consists of two main services: 1) AWS Client VPN and 2) AWS site-to-site VPN. AWS client VPN helps to manage remote access by connecting users with AWS or on-premises resources. AWS Site-to-Site VPN establishes encrypted tunnels between Amazon Virtual Private Clouds and end-user networks.

Is AWS VPN encrypted?

Yes, AWS VPN comes with additional encryption, integrity, and key exchange algorithms. The advanced algorithms ensure higher security and protect your data, assure higher performance for faster transfer rates, and help in meeting compliance requirements with ease.