Questions tagged with AWS Virtual Private Network (VPN)
Important notice about your AWS Account regarding VPN connections
We always receive this email for the VPN issues. It was like the connection was dropped. We had set up 2 pairs in each VPN tunnel; will it still drop? Or is this message just an AWS notification email only? How to fix it? "Your VPN Connection vpn-02cf818d35a89335d in the ap-southeast-1 Region had a momentary lapse of redundancy as one of two tunnel endpoints was replaced. Connectivity on the second tunnel was not affected during this time. Both tunnels are now operating normally. Replacements can occur for several reasons, including health, software upgrades, customer-initiated modifications, and when underlying hardware is retired. If you have configured your VPN Customer Gateway to use both tunnels, then your VPN Connection will have utilized the alternate tunnel during the replacement process. For more on tunnel endpoint replacements, please see our documentation. If you have not configured your VPN Customer Gateway to use both tunnels, then your VPN Connection may have been interrupted during the replacement. We encourage you to configure your router to use both tunnels. You can obtain the VPN Connection configuration recommendations for several types of VPN devices from the AWS Management Console. On the "Amazon VPC" tab, select "VPN Connections". Then highlight the VPN Connection and choose "Download Configuration"."
What are some of the strategies to handle Overlapping IP Ranges
What are some of the strategies to handle overlapping IP ranges for various integrations, within AWS as well as while planning hybrid connectivity with on-premises networks using VPN, DX, etc.? Note: This is a common question asked by AWS customers. Posting it to provide an answer that can benefit everyone.
AWS CLIENT VPN > Redshift private subnet DNS Resolution fails
Hello, I set up an AWS Client VPN and have some issues with DNS resolution for Redshift. There are no problems resolving RDS instances that are in a private subnet once I'm on the VPN. Also, I can connect directly to Redshift if I use the private IP. But the problem I encountered is that the Redshift DNS name doesn't resolve. The VPC does have the options enabled to resolve. Has anyone encountered something similar?
EC2s Development and Production Environments, Isolation, VPN, API GW, Private and Public Endpoints with RDS and Data Sanitization
Hi Everyone, I have the following idea for an infrastructure architecture in AWS, but I believe that I need some help with clarifying several issues, and I believe the best answers will come from here. I am thinking about the following layout:

In production:
1. an EC2 with Apache that provides the service portal for web users
2. an RDS for the sake of the portal
3. another EC2 with Apache and a business-logic PHP application as CRM
4. the same RDS will be used by the CRM application as well

In development: the same layout, with 1 EC2 for web client services, 1 EC2 for the sake of developing the CRM, and an RDS for the data.

I thought about using two different VPCs for the sake of this deployment. I need data replication with sanitization from the production RDS to the development RDS (thinking either of SQL procedures or another method; I haven't thought about that yet, but I know I need it to be like that since I have no desire to let my developers work with real client data).

Both the production and development CRM EC2s are exposing Web APIs. Both the production and development service portals are exposing Web APIs. Both the production and development CRM and service portal are web accessible.

For the development environment I want to enable access (Web and Web APIs) only through VPN; hence, I want my developers to connect with VPN clients to the development VPC and work against both EC2s on top of that connection. I also want them to be able to test all APIs, and I am thinking about setting up an API Gateway on that private endpoint.

For the production environment, I want to enable access (Web and Web APIs) to the CRM EC2 through VPN; hence, I want my business units to connect with their VPN clients to a production VPN gateway and work against the CRM on top of that connection. I don't want to expose my CRM to the world.

For the production environment, I want to enable everyone on the internet (actually, not everyone; I want to geo-block access to the service portal, hence I do believe I need Amazon CDN services enabled for that cause) to access the service portal. Still, I want to enable an API Gateway for the Web APIs that are exposed by this service portal EC2.

I've been reading about Amazon API Gateway (and API Gateway cache) and its resource policy, VPC endpoints with their own security groups, and the Amazon Route 53 resolver for the sake of VPN connections. I have also been reading a lot about the Amazon virtual private gateway and private and public endpoints, but I still can't figure out which element comes into play where, and how the interactions between those elements should be designed. I believe I also need Amazon KMS for the keys, certificates and passwords, but I'm still trying to figure out the right approach for the above, so I'm leaving the KMS part for the end. Of course, security is at the top of my concerns, so I do believe all connectivity should be hardened in between the elements. Is using only ACLs the right way to go? I would really appreciate the help.
AWS VPN with Private IP address
Good news with this release yesterday: https://aws.amazon.com/about-aws/whats-new/2022/06/aws-site-vpn-introduces-private-ip-security-privacy/ So I wanted to confirm the steps to set this up.
1. Create DXG
2. Create Transit VIF and associate it with the DXG. https://docs.aws.amazon.com/directconnect/latest/UserGuide/create-vif.html#create-transit-vif The ASN can be a private ASN, correct?
3. Create TGW
4. Create VPN attachment https://docs.aws.amazon.com/vpn/latest/s2svpn/create-tgw-vpn-attachment.html
All ASNs can be private. All need to be unique.
Routing internet traffic via VPC from remote Site-to-Site VPN Network
Is it possible to route internet traffic from a remote on-premises network, via an AWS Site-to-Site VPN into a VPC, and out through the VPC's Internet Gateway as a means of providing the remote network with Internet access? I'm using a strongSwan customer gateway on the remote network, and a Transit Gateway into the VPC.
AWS Site-to-Site VPN authentication failing for Customer Gateway behind NAT device
We are creating an AWS Site-to-Site VPN connection between a client's on-premises network and our AWS VPC. The client receives an authentication error when attempting to establish a connection (using a pre-shared key). In order to debug this, we ran strongSwan on an EC2 instance to be able to inspect the logs and traffic. While doing this, we could see that they were attempting to connect from IP address 1 (e.g. 126.96.36.199) but using IP address 2 (e.g. 188.8.131.52) as an ID. When we set up strongSwan to authenticate against IP address 2 (e.g. 184.108.40.206), the connection was established successfully. We have since learned that IP address 1 (e.g. 220.127.116.11) is their NAT device, and IP address 2 (e.g. 18.104.22.168) is their customer gateway device. To my question: how can I set up the AWS Site-to-Site VPN connection and customer gateway so that they can be authenticated successfully? If I create the customer gateway with IP address 1 (e.g. 22.214.171.124, NAT device) they can connect but can't authenticate. If I create the customer gateway with IP address 2 (e.g. 126.96.36.199, customer gateway device) they can't connect at all.
AWS Site-to-Site VPN ping working, TCP not
I want to establish a site-to-site IPsec VPN connection between an AWS EKS Kubernetes cluster and a server from a different provider using AWS Site-to-Site VPN. Pings get through the VPN, but TCP traffic does not. The server on the other end runs Ubuntu 20.04 and uses libreswan. The configuration file from AWS for the VPN for openswan has been altered in two ways (that I think should not matter):
- `auth=esp` has been commented out as libreswan would not start otherwise (libreswan 3.29)
- The VPN has been configured to use VTI.
When sending an HTTP request from the AWS side: `tcpdump` on the libreswan side shows SYN arriving and SYN-ACK being sent back, while `tcpdump` on the EC2 instance (and in a pod as well) only registers SYN. All incoming traffic has been allowed in security groups and ACLs etc. I have set up SNAT as recommended [here](https://repost.aws/questions/QUqB4R9dc7TG6TBQe-H2IjiA/aws-site-to-site-vpn-ping-working-tcp-not-ec-2-networking-details) and have confirmed that SNAT works using `traceroute`. I think because of SNAT it should not matter anymore for this issue that EKS is used in this VPC.
Secured ISP to Lambda?
Hi, I want to "securely" stream data from a rack I have in an ISP to my AWS Lambda function. I was wondering what the best solution might be? I thought of some sort of VPN and perhaps Kinesis to Lambda, but I'm not sure how I would initiate that from the on-premises rack, and that was a shot in the dark. Would appreciate any input. Thank you.