Questions tagged with AWS Virtual Private Network (VPN)


Site to Site VPN setup - Tunnel Status is Down

Hi There: I'm NOT able to set up the Site to Site VPN, the Tunnel status is always down. Any kind suggestion on this? Below are the steps I have done to simulate On-Premise to AWS. Thanks.

**I guess Step 4 might be the key reason? I'm trying to set up Static Routing**, but it looks like we are ONLY allowed to create a dynamic one, since the BGP ASN is required to be set? Months ago, the Customer Gateway front page was NOT like that: no BGP ASN required, but with a selection: Static or Dynamic. **Attention here**: I'm trying to use **Static** Routing, NOT Dynamic.

1 - Created two VPCs in one region, named VPC-AWS (10.100.0.0/16) and VPC-OnPremise (10.200.0.0/16)

2 - Created OnPremise-Public-Subnet (10.200.1.0/24, auto-assign public IP), attached the subnet to a newly created route table (OnPremise-Public-Route), which added an entry to the IGW; created AWS-Private-Subnet (10.100.1.0/24)

3 - Created two instances: OnPremise-Instance under OnPremise-Public-Subnet (automatically generated public IP, for example 1.2.3.4), confirmed this instance can reach anywhere; created AWS-Instance under AWS-Private-Subnet (with a Security Group allowing all traffic: 0.0.0.0/0)

4 - Created Customer Gateway, with the configuration below:
0) Name: CGW-OnPremise
1) BGP ASN: 65000 (I got confused by this part, since months ago there was no such section, but ONLY a choice of static or dynamic, and I was able to set up the site to site VPN connection without any problem that time. NOT sure whether this means we are ONLY allowed to set up Dynamic Routing? Since I think BGP here means Dynamic routing, BUT I want to set up a Static one, since so far I'm NOT familiar with Dynamic routing)
2) IP address: the public IP of OnPremise-Instance above
Above is all the configuration.

5 - Create VGW
0) Name: VGW-AWS
1) Autonomous System Number: Amazon default ASN
2) Attach it to VPC-AWS
Above is all the configuration.

6 - Create Site-to-Site VPN Connection
0) Name: S2S-VPN-Connection
1) Target gateway type: Virtual private gateway -> VGW-AWS
2) Customer gateway: Existing -> CGW-OnPremise
3) Routing options: Static -> (10.100.0.0/16, 10.200.0.0/16)
Above are all the configurations for the connection.

7 - Go to the route table for AWS-Private-Subnet, edit Route Propagation to YES.

8 - Download the configuration from S2S-VPN-Connection (select OpenSwan), then go to OnPremise-Instance, install OpenSwan, and configure properly. One of the key parts is pasted below:

```
conn Tunnel1
    authby=secret
    auto=start
    left=%defaultroute
    leftid=54.189.187.140
    right=52.41.212.35
    type=tunnel
    ikelifetime=8h
    keylife=1h
    phase2alg=aes128-sha1;modp1024
    ike=aes128-sha1;modp1024
    keyingtries=%forever
    keyexchange=ike
    leftsubnet=10.200.0.0/16
    rightsubnet=10.100.0.0/16
    dpddelay=10
    dpdtimeout=30
    dpdaction=restart_by_peer
```

9 - Then run: systemctl start ipsec and systemctl status ipsec. No errors, all looks good.

10 - I think all is set now, but I am NOT able to ping AWS-Instance (AWS side) from OnPremise-Instance (OnPremise side).
2 answers · 0 votes · 108 views · asked 5 months ago

EC2s Development and Production Environments, Isolation, VPN, API GW, Private and Public Endpoints with RDS and Data Sanitization

Hi Everyone, I have the following idea for an infrastructure architecture in AWS, but I believe that I need some help with clarifying several issues, and I believe the best answers will come from here. I am thinking about the following layout:

In production:
1. an EC2 with Apache that provides a service portal for web users
2. an RDS for the sake of the portal
3. another EC2 with Apache and a business-logic PHP application as CRM
4. the same RDS will be used by the CRM application as well

In development: the same layout, with 1 EC2 for web client services, 1 EC2 for the sake of developing the CRM, and an RDS for the data.

I thought about using two different VPCs for the sake of this deployment. I need data replication with sanitization from the production RDS to the development RDS (thinking either SQL procedures or another method, didn't think about that yet, but I know I need it to be like that since I have no desire to enable my developers to work with real client data).

Both the production and development CRM EC2s are exposing Web APIs. Both the production and development service portals are exposing Web APIs. Both the production and development CRM and service portal are web accessible.

For the development environment I want to enable access (Web and Web APIs) only through VPN; hence, I want my developers to connect with VPN clients to the development VPC and work against both EC2s on top of that connection. I also want them to be able to test all APIs and am thinking about setting up an API Gateway on that private endpoint.

For the production environment, I want to enable access (Web and Web APIs) to the CRM EC2 through VPN; hence, I want my business units to connect with their VPN clients to a production VPN gateway and work against the CRM on top of that connection. I don't want to expose my CRM to the world.

For the production environment, I want to enable everyone on the internet (actually, not everyone: I want to geo-block access to the service portal, hence I do believe I need Amazon CDN services enabled for that cause) to access the service portal. Still, I want to enable an API Gateway for the Web APIs that are exposed by this service portal EC2.

I've been reading about Amazon API Gateway (and API Gateway Cache) and its resource policy, VPC endpoints with their own security groups, and Amazon Route 53 Resolver for the sake of VPN connections. I have also been reading a lot about Amazon virtual private gateway and private and public endpoints, but I still can't figure out which element comes into play where and how the interactions should be designed for those elements. I believe I also need Amazon KMS for the keys, certificates and passwords, but I'm still trying to figure out the right approach for the above, so I'm leaving the KMS part for the end.

Of course I'm thinking about security at the top of my concerns, so I do believe all connectivity should be hardened in between the elements. Is only using ACLs the right way to go?! I would really appreciate the help.
1 answer · 0 votes · 52 views · asked 5 months ago