
Advice on creating VPC for EC2 to use IPSec connection


I am currently working on the integration of 2 platforms which need to communicate to each other via https requests. However one of these platforms' endpoints is only accessible via a VPN into their own network. I therefore want to use AWS to establish an intermediary app that will receive https communications from platform 1, and send it to platform 2, which is the one behind the VPN.

To this end, I have been looking at documentation on AWS, and it looks like the best solution is to create a VPC on which I'd create a Site-to-Site VPN Connection using IPSec. Then I would create a new EC2 instance on this VPC which I will use to forward requests from platform 1 to platform 2.

The questions I have are as follows:

  1. Once the IPSec Site-to-Site connection is established, will my EC2 instance (deployed to the same VPC that hosts the Site-to-Site connection) immediately be able to communicate with platform 2, which is behind their VPN, based solely on the fact that it is on the same VPC, or will there be further routing setup required to allow it to communicate via the tunnel established?

  2. The VPN we wish to connect to has a process through which they must whitelist any given entities they connect with. A) They ask for an IPSec Gateway IP; I have looked at the documentation at , and assume this is referring to the IP of what is in the document called the Virtual Private Gateway. I have created a VPG in my VPC but I cannot see an IP address associated with it. Is this something that only appears once the VPG is associated with a site-to-site connection (and is no longer in a state of detached)? B) They require the IP addresses of the applications they will be interacting with, which in this case I assume will be my EC2 instance. However, they require a subnet of /29 or higher. How can I enforce that subnet on the EC2 public IPs? When creating a VPC I have the option of specifying the IPv4 CIDR block, however I cannot specify a netmask that is not between /16 and /28.

I'm looking for advice on the above so I can make sure that the solution I wish to undertake with the VPC is not flawed, and that I am on the right track. Any guidance is appreciated.

1 Answer
  1. You will need to update the route table on both ends of the connection to direct traffic over the VPN for appropriate IP ranges. See this doc for more detail:
  2. You will be given two static IPs for your S2S VPN connection when you create it. You are correct - the AWS side of the connection is referred to as the Virtual Private Gateway (VPGW). However, the VPGW is just a logical construct that represents the VPN's entry point into your VPC. The static IPs for the VPN gateway are not assigned until you create an S2S VPN Connection. Once you create it, you will have two IPs to provide to your network team, which they can then use to configure their devices. AWS provides automatically generated configuration files for many popular devices (available after creation of the connection).

I'm not as clear on the requirement from your network team for a /29, but you are correct that the smallest subnet CIDR is /28. The network team may need to relax that requirement for this connection.

answered 7 months ago
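The setup the answer describes, written out as a Terraform configuration. This is an added example, not code from the question, the answer or AWS; every address, ASN, AMI and range in it is an assumed placeholder, and the resource names are ones chosen here. It shows the three points above in one place: the VPG is only an attachment point with no address of its own, the two AWS-side tunnel endpoints exist only once the VPN connection resource is created (they are exported as an output so they can be handed to the remote network team), and the forwarder's subnet route table has to learn the remote range from the VPG before the instance can reach platform 2 through the tunnel.

```hcl
# Added example (Terraform, AWS provider). Not the original poster's code.
# Every IP address, CIDR, ASN and AMI below is an assumed placeholder.

variable "platform2_gateway_ip" { default = "203.0.113.10" }  # assumed: platform 2's IPsec gateway public IP
variable "platform2_cidr"       { default = "10.100.0.0/16" } # assumed: range reachable behind platform 2's VPN
variable "platform1_source"     { default = "198.51.100.0/24" } # assumed: where platform 1's HTTPS calls come from

resource "aws_vpc" "relay" {
  cidr_block = "10.20.0.0/24" # assumed VPC range (AWS accepts /16 through /28)
  tags       = { Name = "relay-vpc" }
}

# The forwarder's private addresses come from this subnet; this is the range
# platform 2 sees as the source of traffic arriving through the tunnel.
resource "aws_subnet" "relay" {
  vpc_id     = aws_vpc.relay.id
  cidr_block = "10.20.0.0/28"
}

# Internet side, so platform 1 can reach the forwarder over HTTPS.
resource "aws_internet_gateway" "relay" {
  vpc_id = aws_vpc.relay.id
}

# The Virtual Private Gateway: a logical entry point, it carries no IP address.
resource "aws_vpn_gateway" "vpg" {
  vpc_id = aws_vpc.relay.id
}

resource "aws_customer_gateway" "platform2" {
  bgp_asn    = 65000 # required even with static routing; assumed value
  ip_address = var.platform2_gateway_ip
  type       = "ipsec.1"
}

# Creating the connection is what allocates the two AWS-side tunnel endpoints.
resource "aws_vpn_connection" "platform2" {
  vpn_gateway_id      = aws_vpn_gateway.vpg.id
  customer_gateway_id = aws_customer_gateway.platform2.id
  type                = "ipsec.1"
  static_routes_only  = true
}

# Which remote prefixes are sent into the tunnel.
resource "aws_vpn_connection_route" "platform2" {
  destination_cidr_block = var.platform2_cidr
  vpn_connection_id      = aws_vpn_connection.platform2.id
}

# Question 1: the subnet's route table must point platform2_cidr at the VPG.
# Route propagation installs the VPN's static route here automatically.
resource "aws_route_table" "relay" {
  vpc_id = aws_vpc.relay.id
  route {
    cidr_block = "0.0.0.0/0"
    gateway_id = aws_internet_gateway.relay.id
  }
}

resource "aws_route_table_association" "relay" {
  subnet_id      = aws_subnet.relay.id
  route_table_id = aws_route_table.relay.id
}

resource "aws_vpn_gateway_route_propagation" "relay" {
  vpn_gateway_id = aws_vpn_gateway.vpg.id
  route_table_id = aws_route_table.relay.id
}

# Least privilege for a relay: HTTPS in only from platform 1, HTTPS out only
# towards the range behind the tunnel.
resource "aws_security_group" "forwarder" {
  vpc_id = aws_vpc.relay.id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.platform1_source]
  }
  egress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = [var.platform2_cidr]
  }
}

resource "aws_instance" "forwarder" {
  ami                         = "ami-PLACEHOLDER" # placeholder: pick a current image for the region
  instance_type               = "t3.micro"
  subnet_id                   = aws_subnet.relay.id
  private_ip                  = "10.20.0.10" # fixed so the remote side can allowlist it
  associate_public_ip_address = true
  vpc_security_group_ids      = [aws_security_group.forwarder.id]
}

# Question 2A: the "IPsec Gateway IPs" to give the remote network team.
output "aws_tunnel_endpoints" {
  value = [
    aws_vpn_connection.platform2.tunnel1_address,
    aws_vpn_connection.platform2.tunnel2_address,
  ]
}
```

Two design notes. First, the forwarder's public address is only relevant to platform 1; packets that enter the tunnel carry the instance's private VPC address (10.20.0.10 in the 10.20.0.0/28 subnet above), so the range to allowlist on platform 2's side is the private subnet CIDR, not the EC2 public IP. Second, the security group deliberately allows nothing beyond the two HTTPS legs, so a compromise of the relay cannot be used to reach other hosts behind the tunnel or anything else on the internet.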
