Deploy AWS VPC Architecture with Site-to-site VPN through Transit Gateway, between AWS StrongSwan

Abbas Rzazada
4 min read · Mar 15, 2024


Introduction:

This guide will walk you through the process of setting up a site-to-site VPN between AWS and DigitalOcean.

When configuring a VPN, one end of the connection is on your on-premises network or at another cloud provider, and the other end is in the AWS cloud. Here DigitalOcean simulates the on-premises side. We will create two VPCs in AWS, both in the same region (us-east-1), and one VPC on the DigitalOcean side. We will name the AWS side “Site_A” and the DigitalOcean side “Site_B”.

We’ll use strongSwan to emulate the customer gateway on the on-premises side. strongSwan is an open-source IPsec-based VPN solution used to establish secure site-to-site connections. Essentially, it ensures that data transmitted between these two points is private and secure.

References:

For further reading and deeper insights, feel free to check out the following resources:

Amazon Web Services Documentation:

How AWS Site-to-Site VPN works

Simulating Site-to-Site VPN Customer Gateways Using strongSwan

Centralized router

Happy learning!

1. VPCs

Now we create two VPCs on the AWS side and one VPC on the DigitalOcean side:

Name: Site_A_1
CIDR block: 10.10.0.0/16
Name: Site_A_2
CIDR block: 10.100.0.0/16
Name: Site_B
CIDR block: 10.114.16.0/20

2. Subnets

Each VPC now gets one private and one public subnet:

Name: Private-VPC_1
CIDR block: 10.10.0.0/20
Name: Private-VPC_2
CIDR block: 10.100.0.0/20

Name: Public-VPC_1
CIDR block: 10.10.16.0/20
Name: Public-VPC_2
CIDR block: 10.100.16.0/20

3. Internet gateways

Create 2 IGWs and attach them to the Site_A_1 and Site_A_2 VPCs.

4. NAT gateways

Create 2 NAT GWs, one in each public subnet:

Name: VPC1_NAT_GW
Name: VPC2_NAT_GW

5. Routing Tables

5.1. Create 2 routing tables for the private subnets and associate the corresponding private subnet with each. Then add a route for 0.0.0.0/0 to the NAT GWs.

Name: VPC2_VPN_RT
Name: VPC1_VPN_RT

5.2. Create 2 routing tables for the public subnets and associate the corresponding public subnet with each. Then add a route for 0.0.0.0/0 to the IGWs.

6. Customer gateway

Now we create a Customer gateway. The customer gateway device is the strongSwan application on the DigitalOcean side of the Site-to-Site VPN connection.

Name: DO_CG

Note: “IP address” is the public IP of the droplet on which strongSwan is installed.

7. Transit gateway

Now we create a Transit gateway.

8. Transit gateway attachments

8.1. Create a transit gateway attachment for each VPC:

Name: VPC_1_attachment
VPC: Site_A_1
Name: VPC_2_attachment
VPC: Site_A_2

8.2. Create a transit gateway attachment for the VPN:

Customer gateway: DO_CG

AWS then creates the VPN connection automatically, but the tunnel is Down. Let’s bring it up. Download the configuration file for the VPN connection; we will use it to configure strongSwan.

9. Edit routing

9.1. Add a new static route to the Transit gateway route table.

Note: the CIDR is the subnet on the DO side.

9.2. Add a new static route to the routing tables of the private subnets.

10. strongSwan

Let’s configure strongSwan on the DO side. Follow the steps in the configuration file we downloaded in 8.2. The VPN tunnel should then show as UP.

11. Check

Create 2 EC2 instances, one in each private subnet.

Then connect to one EC2 instance and ping the Droplet and the other EC2 instance.
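As an added example (not from the original post and not the file AWS generates), here is the shape of a route-based strongSwan configuration for the two AWS tunnels of this setup, using the CIDRs above. Values in angle brackets are placeholders for the tunnel addresses and pre-shared keys from the downloaded configuration file; the ipsec-vti.sh path, the mark values and the Tunnel1/Tunnel2 interface names are assumptions that follow the layout of AWS's generic strongSwan sample.

```conf
# /etc/ipsec.conf on the DigitalOcean droplet (Site_B, 10.114.16.0/20).
# <...> placeholders come from the AWS VPN configuration file.
config setup
    uniqueids = no

conn %default
    type = tunnel
    keyexchange = ikev2              # AWS also accepts IKEv1; IKEv2 is preferred
    ike = aes256-sha256-modp2048!    # AES-256 / SHA-256 / DH group 14, all AWS-supported
    esp = aes256-sha256-modp2048!
    ikelifetime = 8h                 # AWS phase 1 lifetime
    lifetime = 1h                    # AWS phase 2 lifetime
    keyingtries = %forever
    leftauth = psk
    rightauth = psk
    left = %defaultroute
    leftid = <DROPLET_PUBLIC_IP>     # the IP entered for the DO_CG customer gateway
    leftsubnet = 0.0.0.0/0           # route-based: AWS allows one SA pair per tunnel,
    rightsubnet = 0.0.0.0/0          # so traffic selection is done by routing, not here
    dpddelay = 10s
    dpdtimeout = 30s
    dpdaction = restart
    leftupdown = "/etc/strongswan.d/ipsec-vti.sh"   # assumed: creates a vti interface per conn
    auto = start

conn Tunnel1
    right = <TUNNEL1_AWS_OUTSIDE_IP>
    mark = 100                       # must be unique per conn and match the VTI script

conn Tunnel2
    right = <TUNNEL2_AWS_OUTSIDE_IP>
    mark = 200

# ---- /etc/ipsec.secrets (root-owned, mode 0600) ----
# <DROPLET_PUBLIC_IP> <TUNNEL1_AWS_OUTSIDE_IP> : PSK "<TUNNEL1_PSK>"
# <DROPLET_PUBLIC_IP> <TUNNEL2_AWS_OUTSIDE_IP> : PSK "<TUNNEL2_PSK>"

# ---- routes on the droplet toward Site_A, via the VTI interfaces ----
# ip route add 10.10.0.0/16  dev Tunnel1 metric 100
# ip route add 10.100.0.0/16 dev Tunnel1 metric 100
# ip route add 10.10.0.0/16  dev Tunnel2 metric 200   # backup path
# ip route add 10.100.0.0/16 dev Tunnel2 metric 200
```

After `ipsec restart`, `ipsec statusall` should list Tunnel1 and Tunnel2 as ESTABLISHED, which corresponds to the tunnel status turning UP in the AWS console.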

Thank you for reading

