Shared Service VPC

Mohamed Jawad P
Published in Tensult Blogs
5 min read · Jun 11, 2018

This blog has been moved from Medium to blogs.tensult.com. All the latest content will be available there. Subscribe to our newsletter to stay updated.

In an enterprise there are many services used purely for internal purposes. DNS, application servers, HTTP servers, patch servers, AD, etc. are the core services, and they mainly live in private networks. To understand the risk behind this setup and why the AWS approach is used, please go through “Connect VPCs to make Network of Networks in AWS”.

With a Shared Service VPC, you configure the shared services in one dedicated VPC. That VPC acts as the hub, and all other networks or VPCs act as spokes.

Figure — 1

Here (Figure — 1), VPC A acts as the Shared Service VPC and VPC B and VPC C act as spoke VPCs. The VPCs are connected through VPC peering connections. All the resources within the Shared Service VPC are accessible from the spoke VPCs, and the spoke VPCs can also communicate with each other because they are connected through a peering connection. To know more about VPC Peering Connections click here.

You can enable communication between the on-premises DC / corporate office and the Shared Service VPC by using a VPN (Figure — 2).

Figure — 2

Here VPC A is connected to the on-premises DC using an AWS managed VPN. The spoke VPCs and the on-premises DC can access all the resources of the Shared Service VPC (VPC A), but the spoke VPCs can’t communicate with the on-premises DC and vice versa. The VPN connection is established between a virtual private gateway on VPC A and a customer gateway at the on-premises DC. AWS offers both Direct Connect and the public internet as the transport for the VPN connection. You can use static routing or BGP to form the routing neighborship between the on-premises DC and the Shared Service VPC. The VPN uses ISAKMP and IPsec to make the connection secure and encrypted. To know more about VPN configuration click here.

VPC A and the on-premises DC exchange their routing information using routing protocols, hence they can communicate with each other. VPC B and VPC C, however, can’t communicate with the on-premises DC because they are not directly connected to it, and a peering connection doesn’t support any routing protocol to share routing information. The main drawback of VPC peering is that it doesn’t support transitive routing. This design is mainly used where the majority of the infrastructure is on AWS.

To overcome this limitation you can use the Transit VPC concept. To know about Transit VPC click here.

For VPC Peering Connection setup click here.
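The non-transitive behaviour described above is easy to get wrong when a spoke administrator simply adds a route for the on-premises prefix pointing at the peering connection. The following reachability model is an added example, not code from the original post or from Tensult. It encodes the two AWS forwarding rules the design relies on (a peering connection only delivers traffic addressed to the peer VPC's own CIDR, and a virtual private gateway only forwards between its attached VPC and the on-premises network) and shows why VPC B still cannot reach the DC even with that extra route. All VPC names, CIDRs, pcx/vgw ids and route tables are constructed sample values, not the author's.

```python
"""Reachability model for the hub-and-spoke design with a VGW on the hub.

Added example, not part of the original post. Constructed topology: VPC A is
the shared-service hub, VPC B and VPC C are spokes, and "dc" is the
on-premises network behind the virtual private gateway attached to VPC A.
"""
import ipaddress
from typing import Dict, List, Tuple

Route = Tuple[str, str]  # (destination CIDR, target)

VPCS = {"vpc-a": "10.0.0.0/16", "vpc-b": "10.1.0.0/16", "vpc-c": "10.2.0.0/16"}
ONPREM = {"dc": "192.168.0.0/16"}
PEERINGS = {"pcx-ab": ("vpc-a", "vpc-b"),
            "pcx-ac": ("vpc-a", "vpc-c"),
            "pcx-bc": ("vpc-b", "vpc-c")}
VGW = {"vgw-a": "vpc-a"}  # virtual private gateway -> VPC it is attached to

ROUTE_TABLES: Dict[str, List[Route]] = {
    "vpc-a": [("10.0.0.0/16", "local"), ("10.1.0.0/16", "pcx-ab"),
              ("10.2.0.0/16", "pcx-ac"),
              ("192.168.0.0/16", "vgw-a")],   # propagated from the VGW
    "vpc-b": [("10.1.0.0/16", "local"), ("10.0.0.0/16", "pcx-ab"),
              ("10.2.0.0/16", "pcx-bc"),
              ("192.168.0.0/16", "pcx-ab")],  # tempting, but the peering drops it
    "vpc-c": [("10.2.0.0/16", "local"), ("10.0.0.0/16", "pcx-ac"),
              ("10.1.0.0/16", "pcx-bc")],
}
# On-premises router: one static route sending all of 10.0.0.0/8 into the tunnel.
DC_ROUTES: List[Route] = [("192.168.0.0/16", "local"), ("10.0.0.0/8", "vpn-to-vgw-a")]


def lookup(routes: List[Route], dst: str) -> Route:
    """Longest-prefix match; returns ("", "") when no route covers dst."""
    addr = ipaddress.ip_address(dst)
    best, best_len = ("", ""), -1
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and net.prefixlen > best_len:
            best, best_len = (cidr, target), net.prefixlen
    return best


def _inside(cidr: str, dst: str) -> bool:
    return ipaddress.ip_address(dst) in ipaddress.ip_network(cidr)


def can_reach(src: str, dst: str) -> Tuple[bool, str]:
    """Trace one packet from network `src` (a VPC name or "dc") to address `dst`."""
    if src == "dc":
        _, target = lookup(DC_ROUTES, dst)
        if target == "local":
            return True, "delivered locally inside the DC"
        if target.startswith("vpn-to-"):
            vgw = target[len("vpn-to-"):]
            vpc = VGW[vgw]
            if _inside(VPCS[vpc], dst):
                return True, f"delivered through {vgw} into {vpc}"
            return False, f"{vgw} forwards only into {vpc}; no edge-to-edge routing over peering"
        return False, "no route on the DC router"

    _, target = lookup(ROUTE_TABLES[src], dst)
    if target == "local":
        return True, f"delivered locally inside {src}"
    if target.startswith("pcx-"):
        a, b = PEERINGS[target]
        peer = b if a == src else a
        if _inside(VPCS[peer], dst):
            return True, f"delivered through {target} into {peer}"
        return False, f"{target} drops traffic not addressed to {peer}; peering is not transitive"
    if target.startswith("vgw-"):
        if VGW.get(target) != src:
            return False, f"{target} is not attached to {src}"
        if any(_inside(c, dst) for c in ONPREM.values()):
            return True, f"delivered through {target} to the on-premises DC"
        return False, f"{target} forwards only to the on-premises network"
    return False, f"no usable route in {src}"


def reachability_matrix() -> Dict[Tuple[str, str], bool]:
    """Check every ordered pair of networks using one sample host in each."""
    nets = {**VPCS, **ONPREM}
    hosts = {name: str(ipaddress.ip_network(cidr)[10]) for name, cidr in nets.items()}
    return {(s, d): can_reach(s, hosts[d])[0]
            for s in nets for d in nets if s != d}


if __name__ == "__main__":
    for (s, d), ok in sorted(reachability_matrix().items()):
        print(f"{s:>6} -> {d:<6} {'OK' if ok else 'BLOCKED'}")
```

Running it prints the full matrix: every pair among VPC A, B and C is reachable, A and the DC reach each other, and both B→DC and DC→B are blocked. The second reason string is the one worth remembering: the packet from the DC does reach VPC A's virtual private gateway, it is the gateway that refuses to forward it on to the peering, which is exactly why a Transit VPC is needed for that path.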

Setup: AWS Managed VPN Connection

After creating the VPC peering connection between VPCs, set up the VPN between VPC A and on-premises DC.

1. Contact the on-premises DC administrator and obtain the endpoint IP of the DC. For example, IP: 1.2.3.4

2. Create a Customer Gateway in the AWS VPC console using the IP provided by the DC administrator.

3. Assign a name to the Customer Gateway and choose the routing protocol — Static or BGP.

For this document, I am using static routing. If you are using BGP, select Dynamic and enter the “AS-Number”. Specify the IP address of the on-premises DC in the IP Address field and click Create Customer Gateway.

4. Next, create a Virtual Private Gateway. For that, go to Virtual Private Gateway in the VPC console.

5. Enter the name of the Virtual Private Gateway and click Create Virtual Private Gateway (VGW).

6. After creating the virtual private gateway, attach it to VPC A. Select the created VGW in the Virtual Private Gateway console and choose “Attach VPC” from the “Actions” menu, as shown in the next figure.

7. After the VPC is attached, go to VPN Connections and enter the values shown in the figure below. If you are using BGP, select BGP; otherwise select Static.

Here I am using Static.

8. After completing the AWS managed VPN connection configuration, download the configuration file for the on-premises router:

VPC → VPN Connections → select the VPN connection → “Download Configuration”, then choose your on-premises router model and download it.

This configuration file is used to configure the on-premises DC router. To know more about configuring the VPN on the router using the downloaded configuration file click here.

9. To propagate routes into the VPC’s route tables, enable the virtual private gateway on the route table of the corresponding VPC. For that, go to Route Tables in the VPC console and follow the figure below, then the one after it.

The route table is updated automatically once this step (step 9) is done.

By default, AWS creates two tunnels for every VPN connection to provide redundancy and high availability toward the on-premises DC.

You can check the VPN connection status on the Tunnel Details tab. Once the on-premises router has been configured as per the downloaded configuration file, the tunnel status changes from “DOWN” to “UP”.
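The same procedure can be scripted, which is useful when the hub VPC is rebuilt from automation rather than by hand. The script below is an added example, not the original post's code and not a Tensult tool. It follows the console steps in the same order (customer gateway, virtual private gateway, attach to VPC A, VPN connection with static routing, static route to the DC, route propagation on VPC A's route table, then the tunnel status check) using the boto3 EC2 client calls that correspond to each console action. plan_vpn() and tunnel_summary() are pure and run offline; apply_vpn() and tunnel_status() need boto3 and AWS credentials and are not executed here. 1.2.3.4 is the page's example address, and the CIDRs and vpc-/rtb- ids are placeholders.

```python
"""Static AWS managed VPN from VPC A (hub) to the on-premises DC, scripted.

Added example, not part of the original post. plan_vpn() validates the two
inputs that most often break this setup; apply_vpn() performs the console
steps through the EC2 API; tunnel_status() is the 'Tunnel Details' check.
"""
import ipaddress
import time
from typing import Dict, List, Optional, Tuple

try:
    import boto3  # only apply_vpn()/tunnel_status() need it
except ImportError:  # keep the planning/validation part usable without it
    boto3 = None


def plan_vpn(cgw_ip: str, vpc_cidr: str, onprem_cidrs: List[str],
             bgp_asn: Optional[int] = None) -> Dict:
    """Validate the DC endpoint and prefixes; decide static vs dynamic routing."""
    ip = ipaddress.ip_address(cgw_ip)
    # The customer gateway is the DC's internet-facing endpoint, so AWS needs a
    # public IPv4 address here, not an RFC 1918 one.
    if ip.version != 4 or not ip.is_global:
        raise ValueError(f"{cgw_ip} is not a public IPv4 address")
    vpc = ipaddress.ip_network(vpc_cidr)
    for cidr in onprem_cidrs:
        # An on-premises prefix overlapping VPC A would collide with its local route.
        if ipaddress.ip_network(cidr).overlaps(vpc):
            raise ValueError(f"on-premises CIDR {cidr} overlaps VPC CIDR {vpc_cidr}")
    return {
        "cgw_ip": cgw_ip,
        "static": bgp_asn is None,
        # CreateCustomerGateway always takes an ASN; 65000 is the console default
        "bgp_asn": bgp_asn if bgp_asn is not None else 65000,
        "onprem_cidrs": list(onprem_cidrs),
    }


def tunnel_summary(vgw_telemetry: List[Dict]) -> Tuple[int, int]:
    """(tunnels UP, tunnels total) from the VgwTelemetry list of a VPN connection."""
    up = sum(1 for t in vgw_telemetry if t.get("Status") == "UP")
    return up, len(vgw_telemetry)


def apply_vpn(ec2, spec: Dict, vpc_id: str, route_table_id: str) -> Dict:
    """Create CGW, VGW, attachment, VPN connection, static routes and propagation.

    Returns the ids plus the generic router configuration text; the console's
    "Download Configuration" offers vendor-specific renderings of the same data.
    """
    cgw = ec2.create_customer_gateway(
        Type="ipsec.1", PublicIp=spec["cgw_ip"], BgpAsn=spec["bgp_asn"]
    )["CustomerGateway"]["CustomerGatewayId"]
    vgw = ec2.create_vpn_gateway(Type="ipsec.1")["VpnGateway"]["VpnGatewayId"]
    while ec2.describe_vpn_gateways(VpnGatewayIds=[vgw])["VpnGateways"][0]["State"] != "available":
        time.sleep(5)
    ec2.attach_vpn_gateway(VpnGatewayId=vgw, VpcId=vpc_id)  # "Attach VPC" on VPC A
    vpn = ec2.create_vpn_connection(
        Type="ipsec.1", CustomerGatewayId=cgw, VpnGatewayId=vgw,
        Options={"StaticRoutesOnly": spec["static"]},
    )["VpnConnection"]
    if spec["static"]:
        for cidr in spec["onprem_cidrs"]:
            ec2.create_vpn_connection_route(
                VpnConnectionId=vpn["VpnConnectionId"], DestinationCidrBlock=cidr)
    # Route propagation: VPC A's route table learns the DC prefixes from the VGW.
    ec2.enable_vgw_route_propagation(GatewayId=vgw, RouteTableId=route_table_id)
    return {"customer_gateway": cgw, "vpn_gateway": vgw,
            "vpn_connection": vpn["VpnConnectionId"],
            "router_config": vpn["CustomerGatewayConfiguration"]}


def tunnel_status(ec2, vpn_connection_id: str) -> Tuple[int, int]:
    """The Tunnel Details check: how many of the (normally two) tunnels are UP."""
    conn = ec2.describe_vpn_connections(VpnConnectionIds=[vpn_connection_id])
    return tunnel_summary(conn["VpnConnections"][0]["VgwTelemetry"])


if __name__ == "__main__" and boto3 is not None:
    spec = plan_vpn("1.2.3.4", "10.0.0.0/16", ["192.168.0.0/16"])  # placeholders
    ec2 = boto3.client("ec2")
    ids = apply_vpn(ec2, spec, "vpc-PLACEHOLDER", "rtb-PLACEHOLDER")
    print(ids["router_config"])  # hand this to the DC router administrator
    print("tunnels up/total:", tunnel_status(ec2, ids["vpn_connection"]))
```

Both tunnels stay DOWN until the DC side is configured from the returned configuration, so a sensible post-deployment check is tunnel_status() returning (2, 2); (1, 2) means the connection works but has lost its redundancy and is worth an alert.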
