Dieser Inhalt ist in der ausgewählten Sprache nicht verfügbar

Wir arbeiten ständig daran, Inhalte in der ausgewählten Sprache bereitzustellen. Vielen Dank für deine Geduld.

How do I create a certificate-based VPN using AWS Site-to-Site VPN?

Lesedauer: 2 Minute

I want to build a certificate-based IP Security (IPSec) VPN using AWS Site-to-Site VPN. How can I do this?

Short description

AWS Site-to-Site VPN supports certificate-based authentication by integrating with AWS Certificate Manager Private Certificate Authority. Using digital certificates instead of pre-shared keys for IKE authentication, you can build IPSec tunnels with static or dynamic customer gateway IP addresses.

Resolution

Task 1: Create and install a root CA and a subordinate CA

The private certificate you'll create in task 2 must be issued by the subordinate CA. The subordinate CA must be in AWS Certificate Manager (ACM). If your CA is not in ACM, you can create a Certificate Signing Request (CSR) and import the signed subordinate CA into ACM.

Task 2: Create a private certificate to use as the identity certificate for your customer gateway****Note: You'll install this certificate in task 5.

Task 3: Create a customer gateway for your VPN connection

Open the Amazon Virtual Private Cloud (Amazon VPC) console.
Choose Customer Gateways, and then choose Create Customer Gateway.
For Name, specify a name for your customer gateway.
For Routing, select the routing type for your use case.
Leave the IP Address field empty if your customer gateway IP address is dynamic. If your customer gateway IP address is static, you can leave this field empty, or you can specify the IP address.
For Certificate ARN, choose the certificate ARN that you created in task 2.
(Optional) For Device, specify a device name.
Choose Create Customer Gateway.

Task 4: Configure the AWS Site-to-Site VPN connection with a virtual private gateway

Task 5: Copy the end entity certificate (the private certificate that you created in task 2), root CA certificate, and subordinate CA certificate to the customer gateway device

Note: The customer gateway presents the end entity certificate when requested by the AWS VPN endpoint for authentication. The customer gateway device must have all the certificates present (subordinate CA certificate and root CA certificate). If the customer gateway device doesn't have these certificates, VPN authentication fails when the AWS VPN endpoint presents its own certificate.

Related information

AWS Site-to-Site VPN now supports certificate authentication

Themen

Vernetzung & Bereitstellung von Inhalten

Relevanter Inhalt

Wie kann ich Probleme mit asymmetrischem Routing lösen, wenn ich ein VPN als Backup für Direct Connect in einem Transit-Gateway erstelle?
AWS OFFICIALAktualisiert vor einem Jahr
Wie lösche oder beende ich einen VPN-Client-Endpunkt oder Verbindung auf AWS Client VPN?
AWS OFFICIALAktualisiert vor 6 Monaten
Wie lade ich AWS-Site-to-Site-VPN-Beispielkonfigurationsdateien herunter?
AWS OFFICIALAktualisiert vor 8 Monaten
Wie berechne ich die Bandbreite und richte einen CloudWatch-Alarm für AWS-Direct-Connect-, AWS-Site-Site-VPN- oder Transit-Gateway-Verbindungen ein?
AWS OFFICIALAktualisiert vor 3 Monaten

How do I create a certificate-based VPN using AWS Site-to-Site VPN?

Short description

Resolution

Related information

Ähnliche Videos

Relevanter Inhalt