log: 4
Connecting On-Premises Networks
8/3/2023
Today, I will go over a solution that connects an on-premises network to AWS with AWS Transit Gateway and AWS Site-to-Site VPN, giving the two networks an encrypted, always-on link over the internet. I'll also monitor the state of the VPN tunnels with Amazon CloudWatch.
Let’s dive in.
Customer Needs
The customer has a remote site with hardware for storing and processing data, but as the data grows, their on-site applications struggle to keep up with the load.
To address this, they want to move part of the data to an offsite location with a reliable connection back to their AWS environment, so processing can be offloaded and operations run more smoothly.
Objectives
- Check Connections
- Create Customer Gateway
- Create an AWS Site-to-Site VPN connection between an on-premises network and a VPC on AWS
- Edit subnet route tables to establish the proper routes between the connected networks
- Create a static route in the transit gateway route table
- Test connectivity between an on-premises and remote Amazon EC2 instance
- Create a CloudWatch dashboard to monitor the state of the VPN tunnels
Note:
If you replicate this solution for demonstration purposes, note that the values in this post (IP addresses, resource IDs) will not match your environment; the content is intended solely for educational use. Before proceeding, check the Region selector to confirm it matches the Region of your workload. In my case it is set to N. Virginia (us-east-1).
Check Connections
Before getting started on our solution, let’s check if the customer’s On-Premises File Server can be reached from the Network Testing Instance.
Navigate to the EC2 Dashboard and click “Instances” to view the customer’s running instances.

We’ll use a VPC to simulate an on-premises network.
On-Prem File Server instance IPv4 address - 10.1.1.26
I’ll connect to the Network Testing instance from Session Manager.
From the command prompt, ping the On-Prem File Server instance.
ping 10.1.1.26

The 100% packet loss shows there is currently no path between the Network Testing instance and the On-Prem File Server instance: they sit in separate VPCs and nothing routes between them yet.
Create Customer Gateway

On-Prem Source - Public Subnet Allocated IPv4 Address - 44.212.251.52
An Elastic IP address is a static, public IPv4 address designed for dynamic cloud computing. It can be associated with any instance or network interface in any VPC in your account within the same Region; here it is the fixed public address that AWS will see as the customer gateway.
Navigate to the VPC Dashboard

I’ll create a customer gateway in the Virtual Private Network section.


The IP address is the On-Prem Source - Public Subnet Allocated IPv4 Address from the Elastic IP addresses.
A customer gateway is an AWS resource you create in AWS that represents the customer gateway device in your on-premises network. The customer gateway provides information about your device to AWS.
If the connection uses dynamic routing, the Border Gateway Protocol (BGP) exchanges routes between the customer gateway device and the AWS side of the VPN. This solution uses static routing, so no routes are exchanged automatically; the customer gateway's BGP ASN field is not used for route exchange, and the routes are added by hand in the route table steps below.
Create an AWS Site-to-Site VPN connection between an on-premises network and a VPC on AWS
Navigate to Site-to-Site VPN connections.
An AWS Site-to-Site VPN connection enables access to a remote network to and from your VPC.


Choosing the transit gateway as the target gateway type creates a transit gateway VPN attachment: an IPsec VPN connection between your remote network and the transit gateway over the internet. Set the routing option to static, since the on-premises CIDR will be added to the transit gateway route table by hand rather than learned over BGP.

- Tunnel 1 Outside IP address - 34.231.219.109
- Tunnel 2 Outside IP address - 52.7.131.178
Download the Configuration File for the VPN connection. (I’m using Generic for Vendor settings for this demo)
The VPN configuration file contains the information necessary to establish the connection between your on-premises devices and the VPC on AWS.
I’ll copy the pre-shared key in IPSec Tunnel #1 section, under #1: Internet Key Exchange Configuration of the VPN configuration file.

A pre-shared key is the secret that authenticates the IKE exchange for a tunnel; it is entered on the customer gateway device and must match the value AWS generated for that tunnel. Treat it like a password.
Next I'll copy the Outside IP address of the Virtual Private Gateway from the #3: Tunnel Interface Configuration subsection.

In the configuration file, "Virtual Private Gateway" is the label for the AWS side of the tunnel. A virtual private gateway is the VPN endpoint on the AWS side of a Site-to-Site VPN connection that attaches to a single VPC; in this solution the AWS endpoint is a transit gateway VPN attachment instead, but the file uses the same label, and its outside IP addresses are the Tunnel 1 and Tunnel 2 addresses listed above.
I'll copy the pre-shared key and the AWS-side outside IP address for Tunnel 1 and Tunnel 2 respectively to set values for the tunnels on the On-Prem VPN Router instance. The keys are secrets, so enter them in the Session Manager shell rather than pasting them into notes or a script, and clear the shell history once the tunnels are up:
TUNNEL_1_PRESHARED_KEY=[ENTER_PSK_HERE]
TUNNEL_1_IP_ADDRESS=[ENTER_IP_HERE]
TUNNEL_2_PRESHARED_KEY=[ENTER_PSK_HERE]
TUNNEL_2_IP_ADDRESS=[ENTER_IP_HERE]
Navigate back to the EC2 Dashboard - Instances, and connect to On-Prem VPN Router via Session manager.

Running those four assignments in the Session Manager shell sets the TUNNEL variables for the commands that follow.
sudo sed -i "s/TUNNEL_1_IP_ADDRESS/$TUNNEL_1_IP_ADDRESS/g" /etc/strongswan/ipsec.conf
sudo sed -i "s/TUNNEL_2_IP_ADDRESS/$TUNNEL_2_IP_ADDRESS/g" /etc/strongswan/ipsec.conf
sudo sed -i "s/TUNNEL_1_IP_ADDRESS/$TUNNEL_1_IP_ADDRESS/g" /etc/strongswan/ipsec.secrets
sudo sed -i "s/TUNNEL_2_IP_ADDRESS/$TUNNEL_2_IP_ADDRESS/g" /etc/strongswan/ipsec.secrets
sudo sed -i "s/TUNNEL_1_PRESHARED_KEY/$TUNNEL_1_PRESHARED_KEY/g" /etc/strongswan/ipsec.secrets
sudo sed -i "s/TUNNEL_2_PRESHARED_KEY/$TUNNEL_2_PRESHARED_KEY/g" /etc/strongswan/ipsec.secrets

These commands replace the placeholders in the strongSwan configuration files with the values set in the TUNNEL variables. This works because AWS-generated pre-shared keys contain only letters, digits, periods and underscores; a custom key containing sed metacharacters such as / or & would be mangled or break the substitution. ipsec.secrets now holds both keys, so confirm it is owned by root and readable only by root (mode 600).
sudo systemctl enable strongswan
sudo strongswan start
sudo strongswan up tunnel1
sudo strongswan up tunnel2
sudo strongswan status

strongSwan is the open-source IPsec implementation used here to establish the VPN tunnels; the status command should list both tunnel1 and tunnel2 as ESTABLISHED. A tunnel is an encrypted link through which data passes between the customer network and AWS.
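As an added example (not code from the original post), the script below does the same job as the sed commands above without handing the key to sed: it substitutes the placeholders with plain parameter expansion, validates the outside IP addresses before they reach a config file, sets the secrets file to mode 600, refuses to continue if a placeholder survives, and parses strongswan status to confirm that tunnel1 and tunnel2 are ESTABLISHED. The template contents, the sample pre-shared keys and the 10.1.1.10 address in the status transcript are constructed for the demo; the two outside IPs are the tunnel endpoints from this post.

```shell
#!/bin/sh
# Added example, not code from the original post: render the strongSwan
# templates with the four TUNNEL_* values without passing them through
# sed, validate the inputs, lock down the secrets file and check that both
# tunnels are ESTABLISHED. Template and status text below are constructed.
set -eu

# Replace every occurrence of placeholder $1 on stdin with the literal
# string $2. Only parameter expansion is used, so "/" "&" "\" in a
# pre-shared key are copied verbatim instead of being interpreted by sed.
subst_literal() {
    ph=$1 val=$2
    [ -n "$ph" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        out="" rest=$line
        while [ "${rest#*"$ph"}" != "$rest" ]; do
            out="$out${rest%%"$ph"*}$val"
            rest=${rest#*"$ph"}
        done
        printf '%s\n' "$out$rest"
    done
}

# True if $1 is a dotted-quad IPv4 address with octets 0-255.
is_ipv4() {
    case $1 in *[!0-9.]*|.*|*.|*..*|"") return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o; do [ "$o" -le 255 ] || return 1; done
}

# Render template $1 to $2 with mode $3 using TUNNEL_{1,2}_IP_ADDRESS and
# TUNNEL_{1,2}_PRESHARED_KEY from the environment; refuse bad input and
# fail if any placeholder survives (for example a typo in the template).
render_tunnel_config() {
    tpl=$1 dst=$2 mode=$3
    is_ipv4 "$TUNNEL_1_IP_ADDRESS" && is_ipv4 "$TUNNEL_2_IP_ADDRESS" ||
        { echo "tunnel outside IP is not a valid IPv4 address" >&2; return 1; }
    [ -n "$TUNNEL_1_PRESHARED_KEY" ] && [ -n "$TUNNEL_2_PRESHARED_KEY" ] ||
        { echo "pre-shared key is empty" >&2; return 1; }
    subst_literal TUNNEL_1_IP_ADDRESS    "$TUNNEL_1_IP_ADDRESS"    <"$tpl" |
    subst_literal TUNNEL_2_IP_ADDRESS    "$TUNNEL_2_IP_ADDRESS"            |
    subst_literal TUNNEL_1_PRESHARED_KEY "$TUNNEL_1_PRESHARED_KEY"         |
    subst_literal TUNNEL_2_PRESHARED_KEY "$TUNNEL_2_PRESHARED_KEY" >"$dst"
    chmod "$mode" "$dst"
    ! grep -Eq 'TUNNEL_[12]_(IP_ADDRESS|PRESHARED_KEY)' "$dst" ||
        { echo "unreplaced placeholder in $dst" >&2; return 1; }
}

# Read "strongswan status" output on stdin and report each named tunnel;
# returns 1 unless every tunnel's IKE SA is ESTABLISHED.
tunnels_established() {
    status=$(cat); rc=0
    for t in "$@"; do
        if printf '%s\n' "$status" | grep -Eq "^ *$t\[[0-9]+\]: ESTABLISHED"; then
            echo "$t UP"
        else
            echo "$t DOWN"; rc=1
        fi
    done
    return $rc
}

# Offline demo with constructed templates mirroring the placeholders used
# in the post and a constructed "strongswan status" transcript.
demo() {
    demo_dir=$(mktemp -d); trap 'rm -rf "$demo_dir"' EXIT
    printf 'conn tunnel1\n  right=TUNNEL_1_IP_ADDRESS\nconn tunnel2\n  right=TUNNEL_2_IP_ADDRESS\n' >"$demo_dir/ipsec.conf.tpl"
    printf '%%any TUNNEL_1_IP_ADDRESS : PSK "TUNNEL_1_PRESHARED_KEY"\n%%any TUNNEL_2_IP_ADDRESS : PSK "TUNNEL_2_PRESHARED_KEY"\n' >"$demo_dir/ipsec.secrets.tpl"
    # Sample values only: the IPs are the post's tunnel outside IPs, the
    # PSKs are made up and deliberately contain characters sed would trip on.
    export TUNNEL_1_IP_ADDRESS=34.231.219.109 TUNNEL_2_IP_ADDRESS=52.7.131.178
    export TUNNEL_1_PRESHARED_KEY='ex/amp&le.Key_1' TUNNEL_2_PRESHARED_KEY='ex\amp.le_Key_2'
    render_tunnel_config "$demo_dir/ipsec.conf.tpl"    "$demo_dir/ipsec.conf"    644
    render_tunnel_config "$demo_dir/ipsec.secrets.tpl" "$demo_dir/ipsec.secrets" 600
    cat "$demo_dir/ipsec.conf"
    ls -l "$demo_dir/ipsec.secrets" | cut -c1-10        # -rw-------
    # Constructed transcript: tunnel1 is up, tunnel2 is still negotiating.
    printf 'Security Associations (1 up, 1 connecting):\n     tunnel1[3]: ESTABLISHED 12 seconds ago, 10.1.1.10[44.212.251.52]...34.231.219.109[34.231.219.109]\n     tunnel2[4]: CONNECTING, 10.1.1.10[%%any]...52.7.131.178[%%any]\n' |
        tunnels_established tunnel1 tunnel2 || echo "at least one tunnel is down"
}
demo
```

On the On-Prem VPN Router you would export the four TUNNEL_* variables, point render_tunnel_config at copies of /etc/strongswan/ipsec.conf and ipsec.secrets that still contain the placeholders (644 and 600 respectively), and pipe sudo strongswan status into tunnels_established tunnel1 tunnel2 after bringing the tunnels up.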
Edit subnet route tables to establish the proper routes between the connected networks
Navigate to the VPC Dashboard > Route tables. From here we’ll want to edit the routes to determine where network traffic from the subnet or gateway is directed.


In each of the Remote Target VPC's subnet route tables, add a route for the On-Prem Source network CIDR, 10.1.0.0/21, with the transit gateway as the target:
- Remote Target - Private Subnet 1a
- Remote Target - Private Subnet 1b
- Remote Target - Public Subnet 1a
- Remote Target - Public Subnet 1b
Attaching a VPC to a transit gateway does not by itself change routing inside the VPC; each subnet route table needs a route that sends traffic for the remote network through the transit gateway.
Next we'll edit the On-Prem Source - Private Subnet route table.

In the On-Prem Source - Private Subnet route table, add a route for the Remote Target VPC CIDR, 10.0.0.0/21, with the On-Prem VPN Router's network interface as the target; this sends anything bound for AWS to the instance running strongSwan.
The On-Prem VPN Router Network Interface ID can be found on the instance's Networking tab > Network Interfaces in the EC2 Dashboard.

On-Prem VPN Router Interface ID - eni-0596d0e554933e4bc
An elastic network interface (ENI) is a logical networking component in a VPC that represents a virtual network card; it can be created, configured, and attached to an instance in the same Availability Zone. For the router instance to forward packets that are not addressed to its own IP, source/destination checking must be disabled on this interface; if the ping test later fails even though both tunnels are up, this setting is the first thing to verify.
Create a static route in the transit gateway route table
Next, we’ll navigate to Transit gateway route tables to create a static route in the transit gateway.

Your transit gateway routes IPv4 and IPv6 packets between attachments using transit gateway route tables.

Add a static route for the On-Prem Source network CIDR, 10.1.0.0/21, with the Site-to-Site VPN attachment as the target. Also confirm that the Remote Target VPC CIDR, 10.0.0.0/21, is present in the same route table through its VPC attachment (propagated or static); without it, packets arriving from the tunnel have no route to the VPC.
Test connectivity between an on-premises and remote Amazon EC2 instance
Navigate back to the Network Testing instance in the EC2 Dashboard and use Session Manager to connect to the command prompt.
Ping the On-Prem File Server IP from earlier (10.1.1.26) to check connectivity. Replies now confirm the full path: Network Testing instance, transit gateway, VPN tunnel over the internet, On-Prem VPN Router, file server, and back.

Create a CloudWatch dashboard to monitor connection of VPN tunnels
Navigate to CloudWatch from the AWS Management Console search bar.
Amazon CloudWatch collects logs, metrics, and events from AWS resources and lets you visualize them in dashboards and alarm on them; here it is the source of truth for whether each tunnel is up.
- Create dashboard
- marsToAws_Dash
- Widget: Bar
- Data Source: Metrics
- Metric Graph: VPN > VPN Tunnel Metrics > TunnelState for the outside IP addresses of Tunnel 1 and Tunnel 2 (the metric is 1 when the tunnel is up and 0 when it is down)
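The dashboard shows TunnelState but still needs someone to look at it. As an added example that is not part of the original post, the script below reads the same metric with the AWS CLI, classifies each tunnel as UP, DOWN or NODATA (no datapoints at all means AWS is not publishing the metric, which must not be mistaken for healthy), and creates a CloudWatch alarm per tunnel. The VPN connection id vpn-0123456789abcdef0 and the SNS topic are placeholders I assumed; the outside IPs are the post's Tunnel 1 and Tunnel 2 addresses, and the datapoints used in the offline demo are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: turn the TunnelState
# metric shown on the dashboard into an automated check and an alarm.
# The VPN connection id and SNS topic are assumptions; the two outside
# IPs are the tunnel endpoints from the post. The datapoint samples at the
# bottom are constructed so the script runs offline.
set -eu

VPN_ID=${VPN_ID:-vpn-0123456789abcdef0}      # assumed id, replace with yours
TUNNEL_IPS="34.231.219.109 52.7.131.178"   # Tunnel 1 and Tunnel 2 outside IPs

# Print the last 15 minutes of TunnelState for tunnel $1 as
# "timestamp<TAB>minimum" lines, oldest first. Needs the AWS CLI, GNU date
# and cloudwatch:GetMetricStatistics; not called in the offline demo.
fetch_tunnel_state() {
    aws cloudwatch get-metric-statistics \
        --namespace AWS/VPN --metric-name TunnelState \
        --dimensions Name=VpnId,Value="$VPN_ID" Name=TunnelIpAddress,Value="$1" \
        --start-time "$(date -u -d '15 minutes ago' +%Y-%m-%dT%H:%M:%SZ)" \
        --end-time "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        --period 60 --statistics Minimum \
        --query 'sort_by(Datapoints,&Timestamp)[].[Timestamp,Minimum]' \
        --output text
}

# Classify a tunnel from "timestamp<TAB>value" lines on stdin.
# TunnelState is 1 when the tunnel is up and 0 when it is down, so any
# one-minute Minimum below 1 means the tunnel dropped during that minute.
# No datapoints at all is its own failure mode (wrong id or IP, or the
# connection is gone), reported as NODATA rather than treated as healthy.
# Prints UP, DOWN or NODATA with exit status 0, 1 or 2 respectively.
classify_tunnel() {
    set -- $(awk -F'\t' 'NF >= 2 { n++; if ($2 + 0 < 1) d++ } END { print n + 0, d + 0 }')
    [ "$1" -gt 0 ] || { echo NODATA; return 2; }
    [ "$2" -eq 0 ] || { echo DOWN; return 1; }
    echo UP
}

# Create a CloudWatch alarm for tunnel $1 that fires when Minimum
# TunnelState is below 1 for three consecutive minutes. Missing data is
# treated as breaching for the same reason NODATA is a failure above.
# Not called in the offline demo.
create_tunnel_alarm() {
    aws cloudwatch put-metric-alarm \
        --alarm-name "vpn-tunnel-down-$1" \
        --namespace AWS/VPN --metric-name TunnelState \
        --dimensions Name=VpnId,Value="$VPN_ID" Name=TunnelIpAddress,Value="$1" \
        --statistic Minimum --period 60 --evaluation-periods 3 \
        --threshold 1 --comparison-operator LessThanThreshold \
        --treat-missing-data breaching \
        --alarm-actions "${SNS_TOPIC_ARN:?set SNS_TOPIC_ARN to an SNS topic ARN}"
}

# Constructed samples standing in for fetch_tunnel_state output:
# tunnel 1 stayed up, tunnel 2 reported 0 for one minute.
sample_tunnel1() { printf '2023-08-03T14:00:00+00:00\t1.0\n2023-08-03T14:01:00+00:00\t1.0\n'; }
sample_tunnel2() { printf '2023-08-03T14:00:00+00:00\t1.0\n2023-08-03T14:01:00+00:00\t0.0\n2023-08-03T14:02:00+00:00\t1.0\n'; }

# Offline demo. Against a real account, replace sample_tunnel$n with
# fetch_tunnel_state "$ip", and run create_tunnel_alarm "$ip" once per tunnel.
n=0
for ip in $TUNNEL_IPS; do
    n=$((n + 1))
    state=$(sample_tunnel$n | classify_tunnel) || true
    echo "tunnel $n ($ip): $state"
done
```

The Minimum statistic over a one-minute period is deliberate: Average would hide a brief drop inside an otherwise healthy minute, and a dashboard widget drawn from Average can look flat while a tunnel is flapping.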

Solution Architecture

An AWS Site-to-Site VPN connection links an on-premises network to a virtual private cloud (VPC) on AWS through an AWS Transit Gateway.
An on-premises network, containing a file server, uses a virtual private network (VPN) router device to establish an encrypted Site-to-Site VPN tunnel across the internet to a transit gateway on AWS.
The transit gateway acts as a cloud router, allowing the on-premises network to reach the VPC through the Site-to-Site VPN connection.
Routes are added to the VPC and transit gateway route tables to direct traffic between the on-premises network and the VPC through the established VPN tunnel.
A testing instance in the VPC sends a ping request to the on-premises file server. The traffic is routed to the transit gateway, then to the VPN tunnel over the internet. The ping reaches the on-premises VPN router device, which sends the traffic to the file server.
Conclusion
We’ve successfully connected an On-Premises network to an Amazon VPC utilizing a Site-to-Site VPN connection.
AWS Transit Gateway acts as a central hub that connects not only VPCs but also on-premises networks. AWS Site-to-Site VPN then gives your on-premises network and VPC an encrypted, always-on link over the public internet (a dedicated private circuit would be AWS Direct Connect instead). Finally, you can monitor the VPN connection with Amazon CloudWatch.
Site-to-Site VPN has built-in redundancy: every connection comes with two tunnels, each terminating on a different AWS endpoint with its own outside IP address, so if the first tunnel drops, traffic can continue over the second. That only works if the customer gateway device is configured for both tunnels, which is why the On-Prem VPN Router brings up tunnel1 and tunnel2.
To top it off, we've added a custom CloudWatch dashboard that shows TunnelState at a glance instead of checking tunnel status by hand.
Learning more about AWS Site-to-Site VPN was super fun! I hope you enjoyed learning more about cloud technologies with me. I can always refer to my learnings like this log to further improve my skills.
Anticipating the next learning adventure!