===== AWS VPC VGW to VPC VGW Site to Site VPN =====
{{tag>AWS VPN}}

First off, **DO NOT DO THIS!** This design uses only AWS VPC Virtual Private Gateway VPNs to establish connectivity. There are much better, and more affordable, ways of connecting two VPCs, such as VPC peering, Transit Gateways, and Transit VPC.

This was a test to see how AWS VPC networking has evolved from when I first started using AWS in August 2016 to its current state as of September 2020. When I first started with AWS it was not possible to establish a VPN between two VPCs using only AWS native services. At minimum you had to run an EC2 instance based firewall / router to be one side of the VPN.

{{ :images:svg:aws_vpc_to_vpc_site_to_site_vpn.svg?1000 | AWS VPC to VPC Site to Site VPN }}

[[ https://nerdydrunk.info/_media/images:svg:aws_vpc_to_vpc_site_to_site_vpn.svg | Download diagram ]]

The following features from AWS make this type of setup possible:

  * AWS VPN can now initiate establishing the VPN (this was not possible until [[ https://aws.amazon.com/about-aws/whats-new/2020/08/aws-site-to-site-vpn-now-supports-internet-key-exchange-initiation/ | August 2020]])
  * The Customer Gateway on a VPN connection can be modified (similar method to modifying a DHCP Option Set) ([[ https://aws.amazon.com/about-aws/whats-new/2019/04/migrate-your-aws-site-to-site-vpn-connections-from-a-virtual-private-gateway-to-an-aws-transit-gateway/ | April 2019 ]] or [[ https://aws.amazon.com/about-aws/whats-new/2019/08/aws-site-to-site-vpn-adds-configurability-security-algorithms-timer-settings-used-for-vpn-tunnels/ | August 2019]], not fully sure)

To do this I had to create the VPN from VPC A to VPC B with a temporary Customer Gateway public IP so I could get the public tunnel IPs for the VPN. Then I was able to create the VPN from VPC B to VPC A and use the advanced settings to configure the VPN to start the connection. Once I was able to get the tunnel IPs for the VPN from VPC B to VPC A I was then able to replace the Customer Gateway on the first VPN and successfully pass traffic, after I remembered to add the necessary routes.

==== Prerequisites ====

  * Two VPCs are already created
  * VPC CIDRs do not overlap

==== Rundown ====

  - Create temporary Customer Gateway
  - Create VPN from VPC A to VPC B with temporary Customer Gateway
  - Obtain public IP for tunnel 1 from VPN A to B and create Customer Gateway
  - Start creation of VPN from VPC B to VPC A with VPN A to B Customer Gateway
  - Use advanced setting to set Startup Action as "start"
  - Complete creation of VPN B to A
  - Obtain public IP for tunnel 1 from VPN B to A and create Customer Gateway
  - Replace Customer Gateway on VPN A to B with VPN B to A Customer Gateway
  - Remove temporary Customer Gateway
  - Verify that routes are in place in VPC A and VPC B to use the new VPN
  - Verify that security groups allow inbound traffic from across the VPN
  - Test connectivity

^ VPC ^ CIDR ^ Tunnel 1 Outside ^ Tunnel 1 Inside ^ Tunnel 2 Outside ^ Tunnel 2 Inside ^
| VPC A | | | | | |
| VPC B | | | | | |

^ VPN ^ Local CIDR ^ Remote CIDR ^ Customer Gateway Address ^ Startup Action ^ DPD Timeout Action ^
| VPC A to VPC B | | | (VPC B Tun 1) | | |
| VPC B to VPC A | | | (VPC A Tun 1) | *start* | *restart* |
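The rundown above as AWS CLI calls, added here as an example and not part of the original page. It assumes the vgw- IDs of the two Virtual Private Gateways (''VGW_A'', ''VGW_B'') and the two VPC CIDRs (''CIDR_A'', ''CIDR_B'') are exported before running it with ''run'', uses static routing only, and treats the first telemetry entry as tunnel 1; the ASN and temporary IP are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: the rundown above as AWS CLI calls.
# Assumed inputs (exported before running with "run"): VGW_A and VGW_B, the
# vgw- IDs of each VPC's Virtual Private Gateway; CIDR_A and CIDR_B, the two
# non-overlapping VPC CIDRs. Static routing only (no BGP); ASN 65000 is a placeholder.
set -eu

TEMP_IP="203.0.113.1"   # placeholder public IP (TEST-NET-3) for the temporary Customer Gateway

# Create a Customer Gateway for a public IP; prints its cgw- ID.
create_cgw() {
  aws ec2 create-customer-gateway --type ipsec.1 --bgp-asn 65000 --public-ip "$1" \
    --query 'CustomerGateway.CustomerGatewayId' --output text
}

# Build the --options JSON: StartupAction "add" (wait for the peer) or "start"
# (AWS initiates IKE); DPDTimeoutAction "none" or "restart". Applied to both tunnels.
tunnel_options() {
  t="{\"StartupAction\":\"$1\",\"DPDTimeoutAction\":\"$2\"}"
  printf '{"StaticRoutesOnly":true,"TunnelOptions":[%s,%s]}' "$t" "$t"
}

# Create a VPN from a VGW to a CGW and wait until it is available; prints its vpn- ID.
create_vpn() {
  id=$(aws ec2 create-vpn-connection --type ipsec.1 --vpn-gateway-id "$1" \
    --customer-gateway-id "$2" --options "$(tunnel_options "$3" "$4")" \
    --query 'VpnConnection.VpnConnectionId' --output text)
  aws ec2 wait vpn-connection-available --vpn-connection-ids "$id"
  echo "$id"
}

# Outside (public) IP of tunnel 1 (assumed to be the first telemetry entry).
tunnel1_ip() {
  aws ec2 describe-vpn-connections --vpn-connection-ids "$1" \
    --query 'VpnConnections[0].VgwTelemetry[0].OutsideIpAddress' --output text
}

main() {
  temp_cgw=$(create_cgw "$TEMP_IP")
  vpn_ab=$(create_vpn "$VGW_A" "$temp_cgw" add none)
  cgw_a=$(create_cgw "$(tunnel1_ip "$vpn_ab")")       # VPC A's tunnel 1 IP becomes a CGW
  vpn_ba=$(create_vpn "$VGW_B" "$cgw_a" start restart) # VPC B side initiates IKE
  cgw_b=$(create_cgw "$(tunnel1_ip "$vpn_ba")")
  aws ec2 modify-vpn-connection --vpn-connection-id "$vpn_ab" --customer-gateway-id "$cgw_b" >/dev/null
  aws ec2 delete-customer-gateway --customer-gateway-id "$temp_cgw" >/dev/null
  # Static routes on each VPN for the remote CIDR; the VPC route tables still need routes to the VGWs.
  aws ec2 create-vpn-connection-route --vpn-connection-id "$vpn_ab" --destination-cidr-block "$CIDR_B"
  aws ec2 create-vpn-connection-route --vpn-connection-id "$vpn_ba" --destination-cidr-block "$CIDR_A"
}

if [ "${1:-}" = "run" ]; then main; fi
```

The VPC route tables (or route propagation from each VGW) and the security groups still have to be checked by hand, as in the last steps of the rundown.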