Advice on creating VPC for EC2 to use IPSec connection
I am currently working on the integration of 2 platforms which need to communicate with each other via https requests. However, one of these platforms' endpoints is only accessible via a VPN into their own network. I therefore want to use AWS to establish an intermediary app that will receive https communications from platform 1 and send them to platform 2, which is the one behind the VPN.
To this end, I have been looking at documentation on AWS, and it looks like the best solution is to create a VPC on which I'd create a Site-to-Site VPN Connection using IPSec. Then I would create a new EC2 instance on this VPC which I will use to forward requests from platform 1 to platform 2.
The questions I have are as follows:
1) Once the IPSec Site-to-Site connection is established, will my EC2 instance (deployed to the same VPC that hosts the Site-to-Site connection) immediately be able to communicate with platform 2, which is behind their VPN, based solely on the fact that it is on the same VPC, or will there be further routing setup required to allow it to communicate via the tunnel established?
2) The VPN we wish to connect to has a process through which they must whitelist any given entities they connect with.
A) They ask for an IPSec Gateway IP; I have looked at the documentation at https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html , and assume this is referring to the IP of what is in the document called the Virtual Private Gateway. I have created a VPG in my VPC but I cannot see an IP address associated with it. Is this something that only appears once the VPG is associated with a site-to-site connection (and is no longer in a state of detached)?
B) They require the IP addresses of the applications they will be interacting with, which in this case I assume will be my EC2 instance. However, they require a subnet of /29 or higher. How can I enforce that subnet on the EC2 public IPs? When creating a VPC I have the option of specifying the IPv4 CIDR block, however I cannot specify a netmask that is not between /16 and /28.
I'm looking for advice on the above so I can make sure that the solution I wish to undertake with the VPC is not flawed, and that I am on the right track. Any guidance is appreciated.
- You will need to update the route table on both ends of the connection to direct traffic over the VPN for appropriate IP ranges. See this doc for more detail: https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNRoutingTypes.html
- You will be given two static IPs for your S2S VPN connection when you create it. You are correct - the AWS side of the connection is referred to as the Virtual Private Gateway (VPGW). However, the VPGW is just a logical construct that represents the VPN's entry point into your VPC. The static IPs for the VPN gateway are not assigned until you create a S2S VPN Connection. Once you create it, you will have two IPs to provide to your network team, which they can then use to configure their devices. AWS provides automatically generated configuration files for many popular devices (available after creation of the connection).
I'm not as clear on the requirement from your network team for a /29, but you are correct that the smallest subnet CIDR is /28. The network team may need to relax that requirement for this connection.
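The answer above makes two points that are easy to get wrong in practice: the two tunnel endpoint IPs only exist after the VPN connection (not just the VGW) is created, and the EC2 instance will not reach the remote network until the route table of its subnet sends that traffic to the VGW. The script below is an added example, not part of the question or the answer, that runs those pre-flight checks over the output of `aws ec2 describe-vpn-connections` and `aws ec2 describe-route-tables`. The field names (`VgwTelemetry`, `OutsideIpAddress`, `Routes`, `DestinationCidrBlock`, `GatewayId`) are the ones the EC2 API returns; all resource IDs and addresses are constructed stand-ins using documentation ranges, so it runs offline.

```python
"""Pre-flight checks for a Site-to-Site VPN used by an EC2 relay (added example).

Works on dicts shaped like the EC2 API responses for describe-vpn-connections
and describe-route-tables. The data below is CONSTRUCTED: IDs and IPs are
placeholders (RFC 5737 / RFC 1918 ranges), not a real account.
"""
import ipaddress

# Constructed stand-in for: aws ec2 describe-vpn-connections --vpn-connection-ids vpn-...
VPN_CONNECTIONS = {
    "VpnConnections": [{
        "VpnConnectionId": "vpn-0123456789abcdef0",       # constructed
        "State": "available",
        "Type": "ipsec.1",
        "CustomerGatewayId": "cgw-0123456789abcdef0",     # constructed
        "VpnGatewayId": "vgw-0123456789abcdef0",          # constructed
        "Options": {"StaticRoutesOnly": True},
        # Static routes tell AWS which remote prefixes live behind the tunnel.
        "Routes": [{"DestinationCidrBlock": "192.168.10.0/24",
                    "Source": "Static", "State": "available"}],
        # One entry per tunnel; OutsideIpAddress is the AWS-side public endpoint.
        "VgwTelemetry": [
            {"OutsideIpAddress": "203.0.113.10", "Status": "UP",
             "AcceptedRouteCount": 1, "StatusMessage": ""},
            {"OutsideIpAddress": "203.0.113.20", "Status": "DOWN",
             "AcceptedRouteCount": 0, "StatusMessage": "IPSEC IS DOWN"},
        ],
    }]
}

# Constructed stand-in for the route table associated with the relay's subnet.
ROUTE_TABLES = {
    "RouteTables": [{
        "RouteTableId": "rtb-0123456789abcdef0",          # constructed
        "VpcId": "vpc-0123456789abcdef0",                 # constructed
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0",
             "State": "active"},
            # Without this route the instance stays in the VPC but never uses the tunnel.
            {"DestinationCidrBlock": "192.168.10.0/24", "GatewayId": "vgw-0123456789abcdef0",
             "State": "active"},
        ],
    }]
}


def tunnel_outside_ips(vpn_connections):
    """The two public IPs the remote side must whitelist as 'IPsec gateway IPs'.
    They are populated only once a VPN connection exists on the VGW."""
    conn = vpn_connections["VpnConnections"][0]
    return sorted(t["OutsideIpAddress"] for t in conn["VgwTelemetry"])


def tunnels_up(vpn_connections):
    """Map each tunnel endpoint to whether IKE/IPsec is currently established."""
    conn = vpn_connections["VpnConnections"][0]
    return {t["OutsideIpAddress"]: t["Status"] == "UP" for t in conn["VgwTelemetry"]}


def vpn_covers(vpn_connections, host_ip):
    """True if an available static route on the VPN connection covers host_ip
    (i.e. the address of platform 2 behind the remote VPN)."""
    conn = vpn_connections["VpnConnections"][0]
    ip = ipaddress.ip_address(host_ip)
    return any(r["State"] == "available"
               and ip in ipaddress.ip_network(r["DestinationCidrBlock"])
               for r in conn["Routes"])


def subnet_routes_via_vgw(route_tables, host_ip, vgw_id):
    """Longest-prefix match over the subnet's route table: True only if the
    winning route for host_ip points at the given virtual private gateway."""
    ip = ipaddress.ip_address(host_ip)
    best = None
    for rt in route_tables["RouteTables"]:
        for r in rt["Routes"]:
            if "DestinationCidrBlock" not in r or r.get("State") != "active":
                continue
            net = ipaddress.ip_network(r["DestinationCidrBlock"])
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, r)
    return best is not None and best[1].get("GatewayId") == vgw_id


if __name__ == "__main__":
    platform2 = "192.168.10.25"  # constructed address for the endpoint behind the VPN
    vgw = VPN_CONNECTIONS["VpnConnections"][0]["VpnGatewayId"]
    print("Give the peer these gateway IPs:", tunnel_outside_ips(VPN_CONNECTIONS))
    print("Tunnel status:", tunnels_up(VPN_CONNECTIONS))
    print("VPN static route covers platform 2:", vpn_covers(VPN_CONNECTIONS, platform2))
    print("Subnet routes platform 2 via VGW:",
          subnet_routes_via_vgw(ROUTE_TABLES, platform2, vgw))
```

Run it against real output by replacing the two constructed dicts with the parsed JSON from the CLI calls named in the comments. A `DOWN` tunnel with `AcceptedRouteCount` 0, as in the constructed data, is the usual symptom when the peer has whitelisted only one of the two endpoint IPs or advertises nothing for that tunnel; a `False` from `subnet_routes_via_vgw` means the instance is in the right VPC but the route table of its subnet still sends the traffic to the internet gateway.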