Site to Site VPN on AWS with On-Prem DC

-
I have knowledge and hands-on experience with PTCL and Alibaba cloud but for AWS till today it was just knowledge. Today we have created an IPSEC tunnel with AWS and our on-prem DC, Before starting the process i study some material which is shared by AWS and it was quite helpful to understand the flow.

Below mentioned are the steps which one need to take before creating the tunnel.

1)Decide which CIDR/Subnet you will use over the cloud so at AWS end you can create a VPC with same CIDR.
2)List down your public IP which will be use for the tunnel end point at on-prem DC.
3) Get a Public IP at AWS end which in AWS language we call it Elastic IP.
4) Decide you will use public IP or private IP subnet for VPN tunnel inner packet headers.

Steps which we follow for the deployment:
1)First step is to create a VPC in respective region at AWS and assign planned CIDR to it. You can further divide VPC into subnets with desire subnet mask. 
2)Create customer gateway, it will contain the information about on-prem DC device like its public IP, model and routing information.
3)Then we need to create target gateway at AWS end, we have two options for its Virtual private gateway and transit gateway features and pricing are different for both. In our case we are using VPG, In configuration we can configure ASN at AWS end and name of it. We also need to assign an elastic IP to VPG so it can act as tunnel end point at AWS end. We need attached this VPG with our VPC from where traffic will be generated, we have two options for routing either go with static routing or use propagation so which route we receive from IPSEC tunnel same should be forwarded towards VPC.   
4)When we are done with above two steps then we need to configure site to site VPN at AWS end.
   (a)we need to define our target gateway which we created type of VPG.
   (b) Routing options also need to be set along with network which will be protected over the tunnel            (remote and near end).
   (c)We can create a private IP P2P tunnel in between and we can also use same public IP, Two tunnels          will create at AWS end for each IPSEC tunnel.
    (d) Pre-shared key will also be set, Other phase1 and phase parameters can be downloaded and                     should be configure same at on-prem device.
      (e) We need to add static route in IPSEC tunnel for remote destination so that can be reach over the tunnel also enable the route propagation in VPC routing table so this route can be learned automatically.

Flow for Site-to-Site VPN Creation
Raja Shajeel Ahmad
Enterprise DC Engineer
Happy Learning
The limit is the sky.
3%3CmxGraphModel%3E%3Croot%3E%3CmxCell%20id%3D%220%22%2F%3E%3CmxCell%20id%3D%221%22%20parent%3D%220%22%2F%3E%3CmxCell%20id%3D%222%22%20value%3D%221)Create%20a%20customer%20gateway%20at%20AWS%20console%20end%26lt%3Bbr%26gt%3B%22%20style%3D%22text%3Bhtml%3D1%3Balign%3Dcenter%3BverticalAlign%3Dmiddle%3Bresizable%3D0%3Bpoints%3D%5B%5D%3Bautosize%3D1%3BstrokeColor%3Dnone%3BfillColor%3Dnone%3B%22%20vertex%3D%221%22%20parent%3D%221%22%3E%3CmxGeometry%20x%3D%22545%22%20y%3D%2248%22%20width%3D%22286%22%20height%3D%2226%22%20as%3D%22geometry%22%2F%3E%3C%2FmxCell%3E%3C%2Froot%3E%3C%2FmxGraphModel%3E%3CmxGraphModel%3E%3Croot%3E%3CmxCell%20id%3D%220%22%2F%3E%3CmxCell%20id%3D%221%22%20parent%3D%220%22%2F%3E%3CmxCell%20id%3D%222%22%20value%3D%221)Create%20a%20customer%20gateway%20at%20AWS%20console%20end%26lt%3Bbr%26gt%3B%22%20style%3D%22text%3Bhtml%3D1%3Balign%3Dcenter%3BverticalAlign%3Dmiddle%3Bresizable%3D0%3Bpoints%3D%5B%5D%3Bautosize%3D1%3BstrokeColor%3Dnone%3BfillColor%3Dnone%3B%22%20vertex%3D%221%22%20parent%3D%221%22%3E%3CmxGeometry%20x%3D%22545%22%20y%3D%2248%22%20width%3D%22286%22%20height%3D%2226%22%20as%3D%22geometry%22%2F%3E%3C%2FmxCell%3E%3C%2Froot%3E%3C%2FmxGraphModel%3E

Comments

Post a Comment

Popular posts from this blog

Flow with respect to Networks in AWS

-
Image
Flow with respect to Networks in AWS which need to be clear to expose any application on AWS and having some of services in on-premises. I will compare AWS services with on-prem technology, so it become ease to understand.                                                           Building Block of AWS Networking VPC: Consider it as a switch place in multiple Data center and all switches are connected with each other we can further have small subnets on it which can be part of all switches or only one depend upon the planning and requirements. Route Tables : Each subnet we create in VPC can have each route table or all subnets have one, Route table is used to control the routing of subnets and how traffic will be routed for any workload on the subnets. Route table can be attached to few other services of AWS as per requirements. NAT Gateway: I...
Read more

Important concepts in ACI Physical/Access polices Concepts

-
Image
I know Cisco ACI has been around for a long time. The first time I got into it was in 2021. It was not that hard to relate the legacy concepts with ACI but doing a job via CLI and doing it via GUI have a lot of differences. In this particular blog, I will discuss the key concepts without explaining the ACI core components like leaf switches, spine switches, and APIC. Cisco ACI is a policy-driven solution in which everything has an object assigned to it, and you need to connect all those dots to make your network work. In a legacy network, we have devices like bare metal servers, L2 switches, L3 switches, routers, and firewalls. We connect the networks using different protocols to make our network work, but sometimes there are physical requirements that need to be fulfilled to get the required topology. In Cisco ACI, we have all these kinds of devices, and they are connected to our fabric. However, in ACI, we have a term called "domains," which include four different types: Ph...
Read more

1 sec and Team work Story

-
Image
 I n the world of IT, a single second can be the difference between success and failure. Recently, I experienced this firsthand when a 1-second delay caused a critical application flow to shut down. Through intense troubleshooting, collaboration, and respect for diverse opinions, we identified and resolved the issue. This experience taught me the importance of: - Active listening among all stakeholders - Exploring all options and possibilities - Embracing the value of diverse perspectives - The power of collaboration and teamwork - The crucial role of TCP dumps in troubleshooting In IT, every problem requires a unique solution, and collaboration is key to finding it. Delay we Observe at Client end server end had no delay though Raja Shajeel Ahmad Enterprise DC Engineer Happy Learning The limit is the sky. #TeamWork#TCPDump#HappyLearning
Read more