AWS – Creating a Virtual Private Network (VPN)


A VPN allows you to create a secure tunnel for network traffic between your on-premises data center and your AWS account using IPsec (Internet Protocol Security). AWS VPN functionality comes in several distinct flavors, as follows:

  • A managed VPN service to enable clients to connect to your AWS VPC and on-premises environments. Users connect to the VPN using a client based on the OpenVPN standard.
  • CloudHub, which is an AWS service that allows you to create a secure network route between remote office locations.
  • Site-to-Site VPN, which is a secure connection between your data center and your VPC.

In this recipe, we will show you how to set up a VPN connection between your data center and your VPC. The benefit of creating a link like this is that all the data transfers between the two sites are sent through a secure IPSec tunnel, instead of traveling unprotected over the public internet. This kind of locked-down communication is often an absolute requirement for complying with industry-specific rules and regulations.

How to do it…

Follow these steps to create a virtual private gateway and a customer gateway:

  1. Log in to your AWS account, go to the VPC dashboard, and select Virtual Private Gateways. Click Create Virtual Private Gateway:

Create Virtual Private Gateway screen

  2. Give the VPG a Name tag and leave ASN in its default state. Click Create Virtual Private Gateway.
  3. Go back to the left-hand menu and select Site-to-Site VPN Connections. Click Create VPN Connection:

Create VPN Connection screen

  4. Give the VPN a Name tag and select the VPG from the drop-down menu.
  5. Select New from the Customer Gateway radio buttons and specify the IP address of your customer gateway device.
  6. If you have a BGP ASN, enter it here; otherwise, use the default private Autonomous System Number (ASN).
  7. Click Create VPN Connection. Once it becomes available, you will be able to download the configuration needed for the device in your data center:

Downloading the device configuration

  8. Go to Route Tables under the VPC menu. Select the Route Propagation tab and configure your route table to allow propagation from the Virtual Private Gateway (VPG):

Route propagation

You now have a secure network route from your data center into your AWS VPC.
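The same build, expressed as a CloudFormation template so that it can be reviewed and version-controlled rather than clicked through. This is an added example, not code from the recipe or from AWS; it assumes an existing VPC and a route table for your private subnets (both passed in as parameters), and it uses the documentation address 203.0.113.10 as a placeholder for your customer gateway's public IP. One thing the console steps leave implicit is that the virtual private gateway must be attached to the VPC before route propagation can be enabled, so the template includes that attachment explicitly and makes the propagation resource depend on it.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Added example (not from the original recipe): a Site-to-Site VPN between an
  on-premises customer gateway and a VPC, exchanging routes over BGP.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
    Description: Existing VPC that the virtual private gateway is attached to (assumed to exist)
  PrivateRouteTableId:
    Type: String
    Description: Route table that should receive routes propagated from the VPG (assumed to exist)
  CustomerGatewayIp:
    Type: String
    Description: Public IP of the on-premises VPN device; 203.0.113.10 is a documentation address, not a real endpoint
    Default: 203.0.113.10
  CustomerGatewayAsn:
    Type: Number
    Description: BGP ASN of the on-premises device; 65000 is the private default the recipe uses
    Default: 65000
    MinValue: 1
    MaxValue: 2147483647

Resources:
  # Step 1-2: the AWS side of the tunnel (Amazon-side ASN left at its default)
  VirtualPrivateGateway:
    Type: AWS::EC2::VPNGateway
    Properties:
      Type: ipsec.1
      Tags:
        - Key: Name
          Value: recipe-vpg

  # Not shown in the console steps, but required before routes can propagate
  VgwAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VpcId
      VpnGatewayId: !Ref VirtualPrivateGateway

  # Step 5-6: the representation of the hardware device in your data center
  CustomerGateway:
    Type: AWS::EC2::CustomerGateway
    Properties:
      Type: ipsec.1
      IpAddress: !Ref CustomerGatewayIp
      BgpAsn: !Ref CustomerGatewayAsn
      Tags:
        - Key: Name
          Value: recipe-cgw

  # Step 7: the IPsec connection itself; BGP means no static routes are needed
  VpnConnection:
    Type: AWS::EC2::VPNConnection
    Properties:
      Type: ipsec.1
      CustomerGatewayId: !Ref CustomerGateway
      VpnGatewayId: !Ref VirtualPrivateGateway
      StaticRoutesOnly: false
      Tags:
        - Key: Name
          Value: recipe-vpn

  # Step 8: let the VPG inject the learned on-premises prefixes into the route table
  RoutePropagation:
    Type: AWS::EC2::VPNGatewayRoutePropagation
    DependsOn: VgwAttachment
    Properties:
      RouteTableIds:
        - !Ref PrivateRouteTableId
      VpnGatewayId: !Ref VirtualPrivateGateway

Outputs:
  VpnConnectionId:
    Description: Use this ID to fetch the device configuration and to monitor the tunnels
    Value: !Ref VpnConnection
```

Once the stack is created, the device configuration that the console offers for download is also available from the CLI as the CustomerGatewayConfiguration field of aws ec2 describe-vpn-connections for the connection ID in the stack output. Treat that file as a secret: it contains the pre-shared keys for both tunnels, so keep it out of source control and rotate the keys if it is ever exposed.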

How it works…

The VPN connection from your data center into your AWS account uses IPSec to create secure tunnels using the latest generation encryption to ensure the secrecy of your communications traffic.

You can create as many as five VPGs per region, and as many as 50 customer gateways. Each of the VPGs can support up to 10 IPSec connections.

The customer gateway is a virtual representation of the hardware device in your data center that implements the client side of the VPN connection. AWS provides the configuration information you need to set up your device when you set up the Site-to-Site VPN in the console.

There’s more…

A VPG is highly available, with endpoints in two separate AZs so that traffic can fail over from the primary tunnel to the secondary in the case of a temporary outage. You can also configure CloudWatch metrics and alarms to keep you informed about the health of your VPN connection.
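The point about failover is only useful if you find out that it happened. The following CloudWatch alarm, an added example rather than anything from the recipe, watches the TunnelState metric of a Site-to-Site VPN connection and notifies an SNS topic (both passed in as parameters and assumed to exist). It uses the Minimum statistic across the two tunnels, so it fires as soon as either tunnel drops, which is exactly the moment you are running without redundancy; using Maximum instead would only tell you when both tunnels are down.

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: >
  Added example (not from the original recipe): alert when either tunnel of a
  Site-to-Site VPN connection is no longer up.

Parameters:
  VpnConnectionId:
    Type: String
    Description: ID of an existing Site-to-Site VPN connection (vpn-...), assumed to exist
  AlertTopicArn:
    Type: String
    Description: SNS topic ARN that receives the notification, assumed to exist

Resources:
  TunnelDownAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: !Sub "${VpnConnectionId}-tunnel-down"
      AlarmDescription: >
        TunnelState is 1 for an up (or BGP-established) tunnel and 0 otherwise.
        Taking the Minimum over both tunnels means a single tunnel failure trips the alarm.
      Namespace: AWS/VPN
      MetricName: TunnelState
      Dimensions:
        - Name: VpnId           # aggregates the metric over both tunnels of this connection
          Value: !Ref VpnConnectionId
      Statistic: Minimum
      Period: 300
      EvaluationPeriods: 1
      Threshold: 1
      ComparisonOperator: LessThanThreshold
      TreatMissingData: breaching   # no data points at all is itself a sign of trouble
      AlarmActions:
        - !Ref AlertTopicArn
      OKActions:
        - !Ref AlertTopicArn
```

Adding the TunnelIpAddress dimension instead of VpnId would give one alarm per tunnel, which is the better choice if your on-call process needs to know which endpoint to investigate.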

You might be wondering about a few of the terms you encountered in this recipe, such as BGP and ASN. We will cover these in the following subsections.

BGP

BGP (the Border Gateway Protocol) is the standard protocol that’s used between internet systems to enable routing and determine reachability between autonomous systems. BGP operates over TCP on port 179, directly connecting edge routers that are controlled by large enterprises and service providers. The route tables maintained by these edge routers are what enable traffic on the internet to find an alternate route to the destination in case a segment of the network is unavailable.

ASN

Autonomous System Numbers are closely related to BGP. Each of the autonomous systems that make up the global network that constitutes the internet has a unique identifier: the ASN. Edge routers are configured manually with a combination of the ASN and IP address of their peer routers. In many of the recipes in this book, we use the default private ASN (usually 65,000), but if your organization has a public ASN, you will want to make sure you configure your VPN using that number.
