AWS VPC VGW to VPC VGW Site to Site VPN


First off, DO NOT DO THIS!

This design uses only AWS VPC Virtual Private Gateway (VGW) VPNs to establish connectivity. There are much better, and more affordable, ways to connect two VPCs, such as VPC peering, Transit Gateways, and Transit VPC: they keep the traffic on the AWS network, whereas this design pushes it through IPsec tunnels between two public VGW endpoints, bills two VPN connections by the hour, and uses only one of each connection's two tunnels (a Customer Gateway is a single IP address), so there is no tunnel redundancy. This was a test to see how AWS VPC networking has evolved from when I first started using AWS in August 2016 to its current state as of September 2020. When I first started with AWS it was not possible to establish a VPN between two VPCs using only AWS native services; at minimum you had to run an EC2 instance-based firewall/router as one side of the VPN.


Download diagram

The following features from AWS make this type of setup possible:

To do this I had to create the VPN from VPC A to VPC B with a temporary Customer Gateway public IP so that I could get the public tunnel IPs for that VPN. Then I created the VPN from VPC B to VPC A, using the advanced settings to configure the VPN to start the connection. Once I had the tunnel IPs for the VPN from VPC B to VPC A, I replaced the Customer Gateway on the first VPN and, after I remembered to add the necessary routes, was able to pass traffic successfully.

Prerequisites

Rundown

  1. Create temporary Customer Gateway
  2. Create VPN from VPC A to VPC B with temporary Customer Gateway
  3. Obtain public IP for tunnel 1 from VPN A to B and create Customer Gateway
  4. Start creation of VPN from VPC B to VPC A with VPN A to B Customer Gateway
  5. Use advanced setting to set Startup Action as “start”
  6. Complete creation of VPN B to A
  7. Obtain public IP for tunnel 1 from VPN B to A and create Customer Gateway
  8. Replace Customer Gateway on VPN A to B with VPN B to A Customer Gateway
  9. Remove temporary Customer Gateway
  10. Verify that routes are in place in VPC A and VPC B to use the new VPN
  11. Verify that security groups allow inbound traffic from across the VPN
  12. Test connectivity

Tunnel addresses per VPC:

| VPC   | CIDR        | Tunnel 1 Outside | Tunnel 1 Inside | Tunnel 2 Outside | Tunnel 2 Inside |
|-------|-------------|------------------|-----------------|------------------|-----------------|
| VPC A | 10.0.0.0/16 | 35.168.214.210   | 169.254.4.4/30  | 35.174.30.48     | 169.254.8.8/30  |
| VPC B | 10.1.0.0/16 | 52.206.195.54    | 169.254.4.4/30  | 54.152.154.10    | 169.254.8.8/30  |

VPN connection settings:

| VPN            | Local CIDR  | Remote CIDR | Customer Gateway Address     | Startup Action | DPD Timeout Action |
|----------------|-------------|-------------|------------------------------|----------------|--------------------|
| VPC A to VPC B | 10.0.0.0/16 | 10.1.0.0/16 | 52.206.195.54 (VPC B Tun 1)  | <default>      | <default>          |
| VPC B to VPC A | 10.1.0.0/16 | 10.0.0.0/16 | 35.168.214.210 (VPC A Tun 1) | *start*        | *restart*          |
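As an added example (not code from the original post), the following Python script checks the invariants the rundown above depends on, loaded with the values from the two tables: each VPN's Customer Gateway must be the other side's tunnel 1 outside IP (steps 3, 7 and 8), the inside /30 must match on both ends and avoid the link-local ranges AWS reserves, at least one connection must have Startup Action "start" because a VGW never initiates IKE on its own (step 5), and each VPC needs a route for the remote CIDR via its VGW plus a security group rule admitting it (steps 10 and 11). The route-table entries and security-group rules in the sample data are assumptions, since the post only says to verify that they exist.

```python
"""Consistency checks for a VGW-to-VGW VPN pair (added example, not from the original post)."""
import ipaddress
from dataclasses import dataclass

# Inside-tunnel /30s that AWS reserves and rejects for Site-to-Site VPN tunnel inside CIDRs.
RESERVED_INSIDE = [ipaddress.ip_network(c) for c in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30")]
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


@dataclass
class Vpc:
    name: str
    cidr: str
    tunnel_outside: tuple  # public IPs of this VPC's VGW tunnel endpoints (tunnel 1, tunnel 2)
    tunnel_inside: tuple   # inside /30 of tunnel 1 and tunnel 2
    routes: dict           # route table: destination CIDR -> target ("local", "vgw", ...)
    sg_ingress: tuple      # source CIDRs the security group allows inbound


@dataclass
class Vpn:
    name: str
    local: Vpc                    # VPC whose VGW terminates this VPN connection
    remote: Vpc                   # VPC on the far side
    customer_gateway_ip: str      # must be the far side's tunnel 1 outside IP
    startup_action: str = "add"   # AWS default; "start" makes the AWS side initiate IKE
    dpd_timeout_action: str = "clear"


def check_vpn(vpn):
    """Return a list of problems with one VPN connection as seen from its local VPC."""
    problems = []
    local_net = ipaddress.ip_network(vpn.local.cidr)
    remote_net = ipaddress.ip_network(vpn.remote.cidr)
    if local_net.overlaps(remote_net):
        problems.append(f"{vpn.name}: local {local_net} overlaps remote {remote_net}")
    # Steps 3/7/8: the CGW must be the far VGW's tunnel 1 public IP, or IKE is sent nowhere useful.
    expected_cgw = vpn.remote.tunnel_outside[0]
    if vpn.customer_gateway_ip != expected_cgw:
        problems.append(f"{vpn.name}: customer gateway {vpn.customer_gateway_ip} "
                        f"is not {vpn.remote.name} tunnel 1 outside IP {expected_cgw}")
    # Both ends describe the same IPsec tunnel, so the inside /30 must match and be usable.
    for i, (mine, theirs) in enumerate(zip(vpn.local.tunnel_inside, vpn.remote.tunnel_inside), 1):
        net = ipaddress.ip_network(mine)
        if mine != theirs:
            problems.append(f"{vpn.name}: tunnel {i} inside CIDR {mine} != {theirs} on {vpn.remote.name}")
        if (net.prefixlen != 30 or not net.subnet_of(LINK_LOCAL)
                or any(net.overlaps(r) for r in RESERVED_INSIDE)):
            problems.append(f"{vpn.name}: tunnel {i} inside CIDR {mine} is not an allowed 169.254.0.0/16 /30")
    if vpn.startup_action not in ("add", "start"):
        problems.append(f"{vpn.name}: invalid startup action {vpn.startup_action!r}")
    if vpn.dpd_timeout_action not in ("clear", "restart", "none"):
        problems.append(f"{vpn.name}: invalid DPD timeout action {vpn.dpd_timeout_action!r}")
    # Step 10: the local route table needs a route for the remote CIDR via the VGW.
    if vpn.local.routes.get(vpn.remote.cidr) != "vgw":
        problems.append(f"{vpn.local.name}: no route for {vpn.remote.cidr} via the VGW")
    # Step 11: the security group must admit traffic sourced from the remote CIDR.
    if not any(remote_net.subnet_of(ipaddress.ip_network(c)) for c in vpn.local.sg_ingress):
        problems.append(f"{vpn.local.name}: security group does not allow inbound from {vpn.remote.cidr}")
    return problems


def check_pair(a_to_b, b_to_a):
    """Problems with the two VPN connections taken together."""
    problems = check_vpn(a_to_b) + check_vpn(b_to_a)
    if a_to_b.local is not b_to_a.remote or a_to_b.remote is not b_to_a.local:
        problems.append("the two VPNs do not describe the same pair of VPCs")
    # A VGW waits for the customer gateway to initiate; with a VGW on both ends,
    # one connection must have startup action "start" or nothing ever dials.
    if "start" not in (a_to_b.startup_action, b_to_a.startup_action):
        problems.append("neither VPN has startup action 'start'; no side will initiate IKE")
    return problems


# Values from the two tables above; the routes and security-group rules are assumed,
# since the post only says to verify that they exist.
VPC_A = Vpc("VPC A", "10.0.0.0/16",
            ("35.168.214.210", "35.174.30.48"), ("169.254.4.4/30", "169.254.8.8/30"),
            {"10.0.0.0/16": "local", "10.1.0.0/16": "vgw"}, ("10.1.0.0/16",))
VPC_B = Vpc("VPC B", "10.1.0.0/16",
            ("52.206.195.54", "54.152.154.10"), ("169.254.4.4/30", "169.254.8.8/30"),
            {"10.1.0.0/16": "local", "10.0.0.0/16": "vgw"}, ("10.0.0.0/16",))
VPN_A_TO_B = Vpn("VPC A to VPC B", VPC_A, VPC_B, "52.206.195.54")
VPN_B_TO_A = Vpn("VPC B to VPC A", VPC_B, VPC_A, "35.168.214.210", "start", "restart")

if __name__ == "__main__":
    for problem in check_pair(VPN_A_TO_B, VPN_B_TO_A) or ["no problems found"]:
        print(problem)
```

Run as-is it reports no problems for the configuration in the tables; leaving VPN A to B pointed at the temporary Customer Gateway from step 1, skipping the "start" setting in step 5, or forgetting the routes from step 10 each produces a specific finding, which is the check worth running before spending time on packet captures.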