How do I access the internet using Site-to-Site VPN in my on-premises network?


I want to connect my on-premises network to the internet using AWS Site-to-Site VPN and the AWS Transit Gateway.

Short description

AWS Site-to-Site VPN provides secure connectivity between AWS resources and an on-premises network, such as a data center or a branch office.

AWS Site-to-Site VPN provides two tunnels per connection, terminating on either a virtual private gateway or an AWS Transit Gateway. The virtual private gateway provides connectivity to a single Amazon Virtual Private Cloud (Amazon VPC) in a Region. The transit gateway provides connectivity to multiple Amazon VPCs in a Region, as well as to the internet.

For more information on how AWS Site-to-Site VPN works, see What is AWS Site-to-Site VPN?

Resolution

Establish the Site-to-Site VPN connection through a transit gateway to get centralized internet access from your on-premises network. This centralized setup uses a network address translation (NAT) gateway to connect to the internet.

Follow these steps to gain internet access from your on-premises network:

1.    Create a transit gateway.

2.    Create a Site-to-Site VPN using a transit gateway.

3.    Attach your Amazon VPC to a transit gateway in your Region.

4.    Create a public NAT gateway in a public subnet in the same Amazon VPC.

5.    Create a default route 0.0.0.0/0 in the route table of the VPC subnet that is associated with the transit gateway attachment. This route points to the NAT gateway that you created earlier.

Destination  Target
0.0.0.0/0    nat-12345678901234567

6.    Create a route for the on-premises CIDR in the route table of the public subnet that contains the NAT gateway. This route points to the transit gateway.

Destination  Target
10.0.0.0/16  tgw-12345678909876543
0.0.0.0/0    igw-12345678901234567

7.    Create a default route 0.0.0.0/0 in the transit gateway route table associated with the VPN attachment. Then, point it to the Amazon VPC attachment:

CIDR        Attachment ID                  Resource ID        Resource type       Route type        Route state    Prefix list ID
0.0.0.0/0   tgw-attach-98765432109876      vpc-987654321      VPC                 Static            Active         -

8.    Create a route (static or propagated) for the on-premises CIDR in the transit gateway route table associated with the Amazon VPC attachment. Then, point it to the VPN attachment:

CIDR          Attachment ID               Resource ID         Resource type      Route type       Route state     Prefix list ID
10.0.0.0/16   tgw-attach-1234567890123    vpn-1234567897      VPN                Static           Active          -

Note: For a policy-based VPN, the Site-to-Site VPN encryption domain must allow traffic between the on-premises CIDR and any destination (0.0.0.0/0). Otherwise, internet-bound traffic is never selected for the tunnel, even when the route tables are correct.
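Before you test the tunnel, you can check that the four route tables from steps 5 through 8 chain together in both directions. The script below is an added example and not AWS code or the AWS CLI: it models those tables with the placeholder identifiers used in this article, performs longest-prefix-match lookups the way VPC and transit gateway route tables do, and traces the forward path (on-premises to internet) and the return path (NAT gateway back to on-premises). The "vpn-attachment" starting point, the NEXT_TABLE hop map and the sample addresses are assumptions constructed for the example.

```python
import ipaddress

# Route tables from steps 5-8, keyed by an assumed name: {table: [(cidr, target)]}.
ROUTE_TABLES = {
    "tgw-rtb-vpn":       [("0.0.0.0/0", "tgw-attach-98765432109876")],   # step 7: TGW table for the VPN attachment
    "tgw-rtb-vpc":       [("10.0.0.0/16", "tgw-attach-1234567890123")],  # step 8: TGW table for the VPC attachment
    "rtb-tgw-subnet":    [("0.0.0.0/0", "nat-12345678901234567")],       # step 5: subnet associated with the TGW attachment
    "rtb-public-subnet": [("10.0.0.0/16", "tgw-12345678909876543"),      # step 6: public subnet holding the NAT gateway
                          ("0.0.0.0/0", "igw-12345678901234567")],
}

# Which table a packet consults after reaching a given hop (assumed topology, constructed for the example).
# None means the packet leaves the modelled network (to on-premises or to the internet).
NEXT_TABLE = {
    "vpn-attachment":            "tgw-rtb-vpn",       # packet arrives from the on-premises tunnel
    "tgw-attach-98765432109876": "rtb-tgw-subnet",    # VPC attachment delivers into the TGW-associated subnet
    "nat-12345678901234567":     "rtb-public-subnet", # NAT gateway forwards using its own subnet's table
    "tgw-12345678909876543":     "tgw-rtb-vpc",       # public subnet hands traffic back to the transit gateway
    "tgw-attach-1234567890123":  None,                # VPN attachment: traffic goes back through the tunnel
    "igw-12345678901234567":     None,                # internet gateway: traffic leaves AWS
}

def lookup(table, dst, tables=ROUTE_TABLES):
    """Return the target of the most specific route in `table` matching `dst`, or None if no route matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, target in tables[table]:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def trace(start, dst, tables=ROUTE_TABLES, max_hops=8):
    """Follow a packet for `dst` hop by hop from `start`; ends with 'BLACKHOLE' if a table has no matching route."""
    hops, here = [], start
    while NEXT_TABLE.get(here) is not None and len(hops) < max_hops:
        target = lookup(NEXT_TABLE[here], dst, tables)
        if target is None:
            return hops + ["BLACKHOLE"]
        hops.append(target)
        here = target
    return hops

def trace_without_step8(dst):
    """Return path when the step 8 route (on-premises CIDR -> VPN attachment) is missing: replies are black-holed."""
    broken = dict(ROUTE_TABLES, **{"tgw-rtb-vpc": []})
    return trace("nat-12345678901234567", dst, broken)

if __name__ == "__main__":
    print("forward:", trace("vpn-attachment", "203.0.113.10"))        # on-premises host -> internet (TEST-NET-3 sample)
    print("return: ", trace("nat-12345678901234567", "10.0.1.25"))    # NAT gateway -> on-premises host
    print("no step 8:", trace_without_step8("10.0.1.25"))
```

A trace that ends in "BLACKHOLE" points at the route table whose entry from steps 5 through 8 is missing; the forward trace should end at the internet gateway and the return trace at the VPN attachment.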

Related information

Creating a transit gateway VPN attachment

Transit gateway route tables

AWS OFFICIAL. Updated a year ago.