Setting Up a Site-to-Site VPN Between AWS Mumbai and Singapore Regions
AWS Site-to-Site VPN enables seamless, secure connectivity between your on-premises environment (or customer-end resources) and AWS. In this guide, we'll configure a Site-to-Site VPN between two VPCs: one in Mumbai (representing AWS) and another in Singapore (representing the customer-end).
By default, instances launched into an Amazon VPC cannot communicate with our own network (for example a corporate or home network). To enable that communication, we establish a Site-to-Site VPN connection.
VPN Connection: A secure connection between our on-premises equipment and our VPCs.
VPN Tunnel: An encrypted link over which data passes between the customer network and AWS. Each VPN connection includes two VPN tunnels, which can be used simultaneously for high availability.
Customer Gateway: An AWS resource that provides information to AWS about our customer gateway device.
Customer Gateway Device: A physical or software application on the customer's side.
Steps to Set Up the Site-to-Site VPN
Step 1: Create Two VPCs
Mumbai Region (AWS Side)
Open the VPC Console and switch to the Mumbai region.
Click Create VPC and configure:
CIDR Block: 10.0.0.0/16
Name Tag: Mumbai-VPC
Add a public subnet: 10.0.1.0/24.
Attach an internet gateway and update the route table for internet access.
Singapore Region (Customer End)
Switch to the Singapore region.
Create another VPC:
CIDR Block: 192.168.0.0/16
Name Tag: Singapore-VPC
Add a public subnet: 192.168.1.0/24.
Attach an internet gateway and update the route table for internet access.
Step 2: Launch EC2 Instances in Both Regions
Mumbai Region EC2 (AWS Side)
Launch an Amazon Linux EC2 instance in Mumbai-VPC.
Instance Type: t2.micro
Subnet: 10.0.1.0/24
Security Group:
Allow SSH (TCP:22) for remote access.
Allow ICMP (for ping testing).
Download the key pair for SSH access.
Singapore Region EC2 (Customer Side)
Launch an Amazon Linux EC2 instance in Singapore-VPC.
Instance Type: t2.micro
Subnet: 192.168.1.0/24
Security Group:
- Same as above: SSH and ICMP rules.
Step 3: Create a Virtual Private Gateway (Mumbai Region)
Switch to the Mumbai region.
In the VPC Console, go to VPN Connections > Virtual Private Gateways.
Click Create Virtual Private Gateway:
Name Tag: Mumbai-VGW.
ASN: Leave as default or use a custom ASN.
Attach the Virtual Private Gateway to the Mumbai-VPC:
- Go to Actions > Attach to VPC and select Mumbai-VPC.
Step 4: Create a Customer Gateway (Mumbai Region)
Stay in the Mumbai region and go to Customer Gateways in the VPC Console.
Click Create Customer Gateway:
Name Tag: Singapore-CGW.
Routing Type: Static.
Enter the public IP of the Singapore EC2 instance.
Click Create Customer Gateway.
Step 5: Create a Site-to-Site VPN Connection
In the Mumbai region, go to VPN Connections.
Click Create VPN Connection:
Name Tag: Mumbai-SiteToSite-VPN.
Target Gateway: Select Mumbai-VGW.
Customer Gateway: Select Singapore-CGW.
Routing Options: Enter the customer-end subnet CIDR (192.168.0.0/16) for static routing.
Click Create VPN Connection and wait for it to be created.
Select the VPN connection and click Download Configuration:
Choose your router platform or generic vendor.
Save the configuration file for later use.
Step 6: Configure Route Tables (Mumbai Region)
In the Mumbai region, go to Route Tables under the VPC Console.
Select the route table associated with the Mumbai-VPC public subnet.
Enable Route Propagation:
Go to the Route Propagation tab.
Add the Mumbai-VGW.
Step 7: Set Up the Customer-End Machine (Singapore Region)
Configure both tunnels for the AWS Site-to-Site VPN using Openswan on the EC2 instance in the Singapore region.
Switch to the root user:
sudo su
Install Openswan:
yum install openswan -y
Update the configuration file:
Open /etc/ipsec.conf and ensure the following line is uncommented (if not already):
include /etc/ipsec.d/*.conf
Enable IP forwarding:
Update /etc/sysctl.conf with the following values:
```
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
```
Apply changes by restarting the network service:
service network restart
Step 2: Create Tunnel Configuration
You need to create a separate configuration file for each tunnel under /etc/ipsec.d/.
For Tunnel 1:
Create a file named /etc/ipsec.d/aws-vpn-tunnel1.conf with the following contents (the section must start with the conn keyword, and the parameters must be indented):
```
conn Tunnel1
    authby=secret
    auto=start
    left=%defaultroute
    leftid=<Customer Gateway Public IP>
    right=<AWS VGW Tunnel1 Public IP>
    type=tunnel
    ikelifetime=8h
    keylife=1h
    phase2alg=aes128-sha1;modp1024
    ike=aes128-sha1;modp1024
    keyingtries=%forever
    keyexchange=ike
    leftsubnet=<Customer VPC CIDR>
    rightsubnet=<AWS VPC CIDR>
    dpddelay=10
    dpdtimeout=30
    dpdaction=restart_by_peer
```
For Tunnel 2:
Similarly, create /etc/ipsec.d/aws-vpn-tunnel2.conf:
```
conn Tunnel2
    authby=secret
    auto=start
    left=%defaultroute
    leftid=<Customer Gateway Public IP>
    right=<AWS VGW Tunnel2 Public IP>
    type=tunnel
    ikelifetime=8h
    keylife=1h
    phase2alg=aes128-sha1;modp1024
    ike=aes128-sha1;modp1024
    keyingtries=%forever
    keyexchange=ike
    leftsubnet=<Customer VPC CIDR>
    rightsubnet=<AWS VPC CIDR>
    dpddelay=10
    dpdtimeout=30
    dpdaction=restart_by_peer
```
Step 3: Configure Shared Secrets
Open /etc/ipsec.d/aws-vpn.secrets and add shared secrets for both tunnels:
```
<Customer Gateway Public IP> <AWS Tunnel1 Public IP>: PSK "shared_secret_for_tunnel1"
<Customer Gateway Public IP> <AWS Tunnel2 Public IP>: PSK "shared_secret_for_tunnel2"
```
Ensure each shared secret matches the pre-shared key for that tunnel in the configuration file downloaded from AWS in Step 5.
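As an added example (not part of the original guide), the following shell script renders both tunnel files and the secrets file from one set of variables, so the peer IPs, subnets and PSK entries stay consistent across Tunnel1 and Tunnel2. The IP addresses and secrets in it are constructed placeholders, and the OUT_DIR variable lets it write somewhere other than /etc/ipsec.d for a dry run.

```shell
#!/bin/sh
# Added example, not from the original guide: render the two Openswan conn
# files and the PSK file from one set of variables. All IPs and secrets are
# constructed placeholders; take the real values from the configuration
# file downloaded in Step 5.
CGW_IP="${CGW_IP:-203.0.113.10}"              # Singapore EC2 public IP (constructed)
AWS_T1_IP="${AWS_T1_IP:-198.51.100.1}"        # AWS VGW Tunnel1 outside IP (constructed)
AWS_T2_IP="${AWS_T2_IP:-198.51.100.2}"        # AWS VGW Tunnel2 outside IP (constructed)
LEFT_SUBNET="${LEFT_SUBNET:-192.168.0.0/16}"  # Customer VPC CIDR (Singapore)
RIGHT_SUBNET="${RIGHT_SUBNET:-10.0.0.0/16}"   # AWS VPC CIDR (Mumbai)
OUT_DIR="${OUT_DIR:-/etc/ipsec.d}"

# render_conn NAME AWS_PEER_IP -> prints one conn section to stdout
render_conn() {
  cat <<EOF
conn $1
    authby=secret
    auto=start
    left=%defaultroute
    leftid=$CGW_IP
    right=$2
    type=tunnel
    ikelifetime=8h
    keylife=1h
    phase2alg=aes128-sha1;modp1024
    ike=aes128-sha1;modp1024
    keyingtries=%forever
    keyexchange=ike
    leftsubnet=$LEFT_SUBNET
    rightsubnet=$RIGHT_SUBNET
    dpddelay=10
    dpdtimeout=30
    dpdaction=restart_by_peer
EOF
}

# render_secrets PSK1 PSK2 -> prints the aws-vpn.secrets content
render_secrets() {
  printf '%s %s: PSK "%s"\n' "$CGW_IP" "$AWS_T1_IP" "$1"
  printf '%s %s: PSK "%s"\n' "$CGW_IP" "$AWS_T2_IP" "$2"
}

# write_all PSK1 PSK2 -> writes the three files; the secrets file is created root-only (mode 600)
write_all() {
  render_conn Tunnel1 "$AWS_T1_IP" > "$OUT_DIR/aws-vpn-tunnel1.conf"
  render_conn Tunnel2 "$AWS_T2_IP" > "$OUT_DIR/aws-vpn-tunnel2.conf"
  ( umask 077; render_secrets "$1" "$2" > "$OUT_DIR/aws-vpn.secrets" )
}
```

Run it as root with CGW_IP, AWS_T1_IP and AWS_T2_IP exported from the downloaded configuration and call write_all with the two pre-shared keys, then start IPsec as in the next step.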
Step 4: Enable and Start the IPsec Service
Enable the IPsec service:
chkconfig ipsec on
Start the IPsec service:
service ipsec start
Check the status of the service:
service ipsec status
Test connectivity between the instances:
From the Singapore EC2 instance, ping the private IP of the Mumbai EC2 instance.
From the Mumbai EC2 instance, ping the private IP of the Singapore EC2 instance.