AWS: How To Setup A Site-to-Site VPN (Start to Finish) 2024

TechNgo

21 Feb 202417:32

Summary

TLDRIn this speedrun tutorial, Techno demonstrates how to set up a site-to-site VPN on AWS without the need for on-premises equipment. The video covers creating VPCs, EC2 instances, and a StrongSwan instance to mimic an on-premises router. It guides through the process of configuring a VPN connection, adjusting route tables for traffic forwarding, and testing connectivity with ICMP pings between AWS and the simulated on-premises network, providing a practical approach to cloud-based network extension.

Takeaways

🚀 This is a speedrun tutorial for setting up a site-to-site VPN using AWS, with a focus on quick implementation rather than detailed explanations.
🌐 The tutorial involves setting up two VPCs and EC2 instances, with one VPC representing the on-premises site and the other the AWS site.
🔐 A StrongSwan EC2 instance is used as the router/firewall for the on-premises site, enabling the connection to AWS.
🛠️ The tutorial does not cover the creation of the EC2 instances and VPCs in detail but assumes they are already set up.
📋 The process includes creating a customer gateway, virtual private gateway, and site-to-site VPN connection within AWS.
📝 Static routes are configured to ensure traffic is directed correctly between the on-premises and AWS sites.
⚙️ The tutorial includes configuring StrongSwan on the EC2 instance to establish the VPN connection and handle traffic.
🔄 Troubleshooting tips are provided for common errors, such as issues with starting the IPsec service.
🖧 The final steps involve verifying the connection by pinging between the AWS and on-premises instances.
👍 The video concludes with a successful ping test, confirming the site-to-site VPN setup is working correctly.

Q & A

What is the purpose of this video tutorial?
-The video tutorial aims to demonstrate how to create a site-to-site VPN using AWS in a speedrun format, covering all necessary steps quickly without extensive explanations.
Why does the creator use a VPC as an 'on-prem' device in this demo?
-The creator uses a VPC as an 'on-prem' device because they do not have an actual on-premises device available for testing. This setup simulates a real-world scenario where an on-premises network connects to AWS through a VPN.
What role does the 'strongSwan' EC2 instance play in this setup?
-The 'strongSwan' EC2 instance acts as a router or firewall in the on-premises network, establishing a connection with AWS and serving as the customer gateway for the VPN.
Why does the creator rename VPC 2 to 'on-prem'?
-The creator renames VPC 2 to 'on-prem' to avoid confusion and clearly differentiate between the AWS VPC and the simulated on-premises network.
Why is Amazon Linux 2 used instead of Amazon Linux 3 for the 'strongSwan' instance?
-Amazon Linux 2 is used because Amazon Linux 3 does not support strongSwan, which is required for this demonstration.
What is the purpose of creating a Customer Gateway in AWS?
-The Customer Gateway in AWS identifies the public IP address of the on-premises network (simulated by the strongSwan EC2 instance) to establish the VPN connection between AWS and the on-premises network.
What does it mean when the VPN tunnel status is 'up'?
-When the VPN tunnel status is 'up,' it indicates that the site-to-site VPN connection between the AWS VPC and the on-premises network has been successfully established and is actively routing traffic.
Why is it important to stop the source/destination check on the strongSwan EC2 instance?
-Stopping the source/destination check ensures that the strongSwan EC2 instance can forward traffic between different networks, which is necessary for routing traffic through the VPN.
What is the significance of modifying the route tables in this setup?
-Modifying the route tables ensures that traffic is correctly routed between the AWS VPC and the on-premises network through the VPN, enabling communication between the two networks.
What troubleshooting step does the creator take when the IPsec service fails to start?
-The creator reviews the configuration files for potential typos, re-applies the system control commands, and checks the configurations step-by-step to resolve the issue, which ultimately allows the IPsec service to start successfully.