Amazon VPC connectivity
The aim here is to link up a local network to an Amazon VPC (Virtual Private Cloud). To do so, Amazon enables the creation of two routed tunnels between the local firewall and the Amazon cloud, and by routing this traffic via BGP.
Amazon configuration
Follow the steps below:
- Create an Amazon VPC,
- Create a sub-network in this VPC,
- Configure routing in this VPC,
- Create a dynamic VPN connection to the UTM via the object Amazon Virtual Private Gateway,
- Create ACLs to allow local traffic going to the web server,
- Routing: enable route propagation to the VPC’s routing table.
Extract from configuration help provided by Amazon during the configuration of the service:
| The Customer Gateway inside IP address should be configured on your tunnel interface. | |
|
Outside IP Addresses: |
|
| - Customer Gateway | : IP publique Firewall/Gateway |
| - Virtual Private Gateway | : IPAmazon-1 |
| Inside IP Addresses | |
| - Customer Gateway | : 169.254.254.66/30 |
| - Virtual Private Gateway | : 169.254.254.65/30 |
| Configure your tunnel to fragment at the optimal size: | |
| - Tunnel interface MTU | : 1436 bytes |
| #4: Border Gateway Protocol (BGP) Configuration: | |
| The Border Gateway Protocol (BGPv4) is used within the tunnel, between the inside IP addresses, to exchange routes from the VPC to your home network. Each BGP router has an Autonomous System Number (ASN). Your ASN was provided to AWS when the Customer Gateway was created. | |
| BGP Configuration Options: | |
| - Customer Gateway ASN | : 65000 |
| - Virtual Private Gateway ASN |
: 9059 |
| - Neighbor IP Address |
: 169.254.254.65 |
| - Neighbor Hold Time |
: 30 |
| Configure BGP to announce routes to the Virtual Private Gateway. The gateway will announce prefixes to your customer gateway based upon the prefix you assigned to the VPC at creation time. | |
Configuration of tunnels
In the Virtual interfaces module (Network section), the IPsec interfaces tab allows you to define the interfaces concerned:
In the IPsec VPN module (VPN section), under the Site to site (gateway-gateway) tab, you will be able to define the tunnels below using the following objects:
| Site_Amazon_vpn_gw1: | IPAmazon-1 | |
| Site_Amazon_vpn_gw2: | IPAmazon-2 | |
| Amazon_vpn_remote1: | 169.254.254.65 | |
| Amazon_vpn_remote2: | 169.254.254.69 |
BGP configuration
We have chosen to export only the network 10.0.1.0/24
| filter filter_net_in { | |
| if(net = 10.0.1.0/24) then { | |
| accept; | |
| } | |
| else reject; | |
|
} |
|
| protocol bgp router1 { | |
| local as 65000; | |
| neighbor 169.254.254.65 as 9059; | |
| hold time 30; | |
| multihop; | |
| import all; | |
| export filter filter_net_in; | |
| source address 169.254.254.66; | |
| } | |
| protocol bgp router2 { | |
| local as 65000; | |
| neighbor 169.254.254.69 as 9059; | |
| hold time 30; | |
| multihop; | |
| import all; | |
| export filter filter_net_in; | |
| source address 169.254.254.70; | |
| } | |