Seamless Connectivity: Connecting your On-Premises Infrastructure to AWS Cloud using VPN

In this article, I will demonstrate how to connect your on-premises infrastructure to the Amazon AWS cloud using BGP as the routing protocol. In the article, I am connecting only the Las Vegas site to my resources in Azure, while the other sites are connecting to my Las Vegas site to access the resources in Azure.

This method is called site-to-site VPN.

Prerequisites

I will be simulating a large company with multiple branches and resources in the Amazon AWS cloud, and I want to connect its on-premises infrastructure to those resources. To accomplish this, I will use GNS3 software to emulate the on-premises infrastructure, complete with a firewall, a switch, and a few servers, as shown in the diagram below, while using an EC2 instance in AWS.

You need to download the GNS3 software and have an AWS account to follow along.

Using a VPN allows the on-premises infrastructure to communicate securely with its resources in AWS.

In the diagram above, I will use BGP to connect dynamically to my EC2 instance in my VPC in the AWS cloud, which AWS calls site-to-site VPN communication.

Introduction

AWS VPN connections allow two types of routing. The first is static routing, where the network engineer manually configures the routes as new sites/branches come up. The second is BGP, which offers robust liveness detection that assists in failing over to the second VPN tunnel if and when the first tunnel goes down.

Step 1: Create an EC2 instance

I didn't create a VPC in this blog since it is for lab purposes. I only created an EC2 instance using Amazon Linux; as you will see in the diagram below, I also assigned it to a particular subnet, in my case subnet A.

As shown in the diagram above, the EC2 instance is up and running and ready for use.

Step 2: Create a customer gateway

The customer gateway, in my case, provides AWS with the information about my Cisco ASA firewall, which represents the on-premises side of the connection.

The diagram above shows the BGP Autonomous System Number (ASN) of 65200 and my public IP address.

Step 3: Create a virtual private gateway

Here I specified a custom private Autonomous System Number (ASN) of 64513 for the Amazon side of the gateway; it is different from the one I specified for the customer gateway. Then I attached the VPC of my EC2 instance to it.

Step 4: Configure routing

To enable instances in the VPC to reach the customer gateway, I configured the route table associated with the subnet of my EC2 instance to include the routes used by my VPN connection and point them to the virtual private gateway, by enabling route propagation.

BGP-advertised routes from the customer gateway are propagated to the route table when the status of the VPN connection is UP.

In the diagrams below are the steps to enable route propagation.

Step 5: Create a VPN connection

For Customer Gateway, select Existing, then choose the Customer Gateway that you created earlier from the Customer Gateway ID in the diagram above.

After creating the VPN connection as shown in the diagram above, click on the download configuration.

As shown in the diagram above, since my device on-premises connecting to the cloud is a Cisco ASA 5500 firewall (ASAv), I downloaded the configuration for it.

The section highlighted above will show as DOWN until you have configured your Cisco ASA firewall accordingly and BGP comes up; then the tunnel interface will come up.

I had to refresh multiple times, but BGP on the ASA came up fairly quickly.

The diagram above shows a sample of the configuration I copied to my firewall.

In the diagram above, I have pasted the downloaded configuration into my ASA firewall.

In the diagram above, I verified that the IKEv1 ISAKMP security association is UP.

In the diagram above, the first tunnel and BGP are already up and receiving the 172.31.0.0/16 route from AWS securely over IPsec.

In the diagram above, the AWS VPN is receiving the routes from my on-premises ASA firewall.

In the diagram below, 1 indicates the public address of the EC2 instance, which only needs the internet to be reached, while 2 is the private address, which needs the VPN to be reached.

In the diagram below, the five routes have been received through route propagation.

In the diagram below, I configured the second tunnel for redundancy.

Step 6: Verification

In the diagram above, you can see the IPsec security association encapsulating and decapsulating packets, indicating that the tunnel is passing traffic in both directions.

Below is the diagram showing that all four branches are working, including the HQ.
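As an added example (not part of the original post and not the configuration downloaded from AWS), here is a small Python health check that parses the two ASA outputs the verification step relies on: the BGP neighbor table from `show bgp summary` and the IPsec SA packet counters from `show crypto ipsec sa`. The sample outputs are constructed; the 169.254.x.x inside-tunnel addresses and the router ID are assumptions, while the ASNs 65200 and 64513 are the ones used in this post.

```python
import re

# Constructed sample of "show bgp summary" on the ASA: two AWS tunnel neighbors
# (inside-tunnel addresses are assumed), both expected to peer with Amazon ASN 64513.
BGP_SUMMARY = """\
BGP router identifier 10.1.1.1, local AS number 65200
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
169.254.10.1    4 64513      25      23        5    0    0 00:10:12        1
169.254.11.1    4 64513       3       4        0    0    0 never    Active
"""

# Constructed sample of the per-SA counters from "show crypto ipsec sa".
IPSEC_SA = """\
    #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
    #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118
"""

AWS_ASN = 64513      # Amazon-side ASN chosen in Step 3
EXPECTED_PEERS = 2   # one BGP neighbor per VPN tunnel (tunnel 2 added for redundancy)

NEIGHBOR_RE = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+\d+\s+(\d+)(?:\s+\S+){6}\s+(\S+)\s*$")
COUNTER_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_bgp_neighbors(text):
    """Return {neighbor_ip: {"asn": int, "prefixes": int or None}}.
    A numeric State/PfxRcd column means Established; a word (Idle, Active, ...) means down."""
    peers = {}
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line)
        if m:
            ip, asn, state = m.groups()
            peers[ip] = {"asn": int(asn), "prefixes": int(state) if state.isdigit() else None}
    return peers

def parse_ipsec_counters(text):
    """Return {"encaps": n, "decaps": n} from the SA counter lines."""
    return {name: int(n) for name, n in COUNTER_RE.findall(text)}

def check_vpn_health(bgp_text, ipsec_text):
    """List the failure modes the verification step looks for; empty list means healthy."""
    peers = parse_bgp_neighbors(bgp_text)
    counters = parse_ipsec_counters(ipsec_text)
    problems = []
    for ip, p in peers.items():
        if p["asn"] != AWS_ASN:
            problems.append(f"{ip}: unexpected remote ASN {p['asn']}")
        if p["prefixes"] is None:
            problems.append(f"{ip}: BGP session not established")
        elif p["prefixes"] == 0:
            problems.append(f"{ip}: established but no prefixes received")
    established = sum(1 for p in peers.values() if p["prefixes"])
    if established < EXPECTED_PEERS:
        problems.append(f"only {established}/{EXPECTED_PEERS} tunnels carrying routes (no redundancy)")
    if counters.get("encaps", 0) == 0 or counters.get("decaps", 0) == 0:
        problems.append("IPsec SA not passing traffic in both directions")
    return problems
```

With the constructed sample, the check reports that the second tunnel's BGP session is down and that redundancy is therefore lost, which is exactly the state before Step 5's second tunnel is configured.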

Step 7: Clean up

Note: GNS3 runs locally on your laptop, server, or whatever you use, so you can afford to keep it, but the resources in AWS live in the Amazon AWS cloud and incur charges. Therefore, immediately after verification, please delete the resources, starting with the site-to-site VPN connection; then detach the virtual private gateway from the VPC, delete the customer gateway, and come back to delete the virtual private gateway. AWS charges for VPN connections per hour.

If you like this blog, please subscribe, as there is more coming your way.