
Connect FCI to AWS via Transit Gateway

This guide explains how to connect VPNaaS between the AWS and OPS platforms on the Unify portal.

  • I. Configure VPN Site-to-Site on FCI Cloud
  • II. Configure VPN Site-to-Site on AWS
  • III. Update VPN Site-to-Site configuration on FCI Cloud with the new AWS VPN IP

In this example, we will create a VPN Site-to-Site connection using the parameters shown in the topology below:

[Topology diagram]

Configure VPN Site-to-Site on FCI Cloud

Step 1. Create Customer Gateways

1.1 Create a Customer Gateway as follows:

1.2 Enter the following information:

1.3 Result:

Note: because the AWS VPN has not been created yet, a placeholder IP is used here. At the end of this guide, you will update this IP in Section 1.1.

Step 2. Create a VPN connection

The VPN Connection parameters consist of three main sections:

  • General information (general connection details)
  • Remote VPN Information (encryption settings and customer-side information)
  • Dead Peer Detection (number of automatic retries when a connectivity issue occurs)

Section 1: General information

Section 2: Remote VPN information

When you select "AWS" under Providers, the system automatically fills in the IKE and IPSec settings as follows:

For IKE:

  • Encryption algorithm: aes-256
  • Authorization algorithm: sha256
  • IKE version: ikev2
  • Lifetime units: seconds
  • Lifetime value: 28800
  • DH Group: GROUP_14
  • Phase 1 negotiation mode: main

For IPSec:

  • Encapsulation mode: tunnel
  • Encryption algorithm: aes-256
  • Authorization algorithm: sha256
  • Lifetime units: seconds
  • Lifetime value: 3600
  • Perfect forward secrecy (PFS): GROUP_14
  • Transform protocol: esp

Section 3: Dead Peer Detection

Enter the Delay and max failure values, then select Create VPN Connection. After the HAN VPN is initialized, the VPN Connection linking the two LAN network ranges will be ONLINE and the VMs will be able to communicate with each other using their LAN IPs.

Configure VPN Site-to-Site on AWS

Step 1. Create a Customer Gateway

A Customer Gateway is a resource in AWS that represents the gateway device on the on-premises network. To create a Customer Gateway:

  1. Go to: https://console.aws.amazon.com/vpc/
  2. Select Customer gateways > Create customer gateway.
  3. Enter the required fields. For IP address, use the public Local IP of the FCI VPN Gateway.
  4. Select Create customer gateway.

Details of the created Customer gateway:

Step 2. Create a Transit Gateway

To create a Transit Gateway:

  1. On the navigation pane, select Transit gateway > Create transit gateway.
  2. Result after creation.
  3. Attach the Transit Gateway just created to the VPC.

Step 3. Create a VPN connection.

3.1 Create a VPN connection using the Customer Gateway (Section I.4.3) and the Transit Gateway created above. To create a VPN connection:

  1. On the navigation pane, select Site-to-Site VPN connections.
  2. Select Create VPN connection.
  3. Set Target gateway type to Transit Gateway.
  4. Select the Transit Gateway and the Customer Gateway created earlier.
  5. For Routing option, select Static. For static IP prefixes, enter the FCI subnet range (172.16.8.0/24).
  6. Enter Local IPv4 network: enter the FCI subnet range.
  7. Enter Remote IPv4 network: enter the AWS subnet range.
  8. Edit the parameters for tunnel1 and tunnel2.
  9. Select Create VPN connection.

3.2 Attach the Transit Gateway to the VPN connection.

Step 4. Configure routing

Configure routing to direct traffic from the VPC (AWS) to the Customer Gateway (FCI) through the Transit Gateway. Add routes from the VPN connection to the route table (FCI subnet: 172.16.8.0/16).

Step 5. Update Security groups

Update Security groups to allow SSH, RDP, and ICMP access. To add a rule to a Security group:

  1. On the navigation pane, select Security groups.
  2. Select the security group for the instances in the VPC you want to allow access to.
  3. On the Inbound rules tab, select Edit inbound rules. Allow the FCI subnet range with All Traffic.
  4. Add rules to allow inbound SSH, RDP, and ICMP, then select Save rules.

The VPN Connection is successfully initialized with status 'Available'. Next, verify that the Route table is correctly configured.
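The AWS-side steps above (Customer Gateway, Transit Gateway, VPN connection, routing and security group), issued through the EC2 API instead of the console. This is an added example, not FCI's or AWS's own code: the VPC, subnet, route table and security group ids, the AWS VPC range 10.0.0.0/16 and the FCI gateway address 203.0.113.10 are placeholders, and the tunnel options restate the values the FCI portal fills in for Provider "AWS". The CIDR check refuses ranges whose host bits are set, which is worth running on the FCI prefix before it goes into a route table.

```python
"""AWS side of the FCI <-> AWS site-to-site VPN (Steps 1 to 5) as boto3 calls.

Added example, not FCI's or AWS's own code. Resource ids, the AWS VPC range and
the FCI gateway public IP are placeholders; the tunnel options mirror what the
FCI portal pre-fills for Provider "AWS" (IKEv2, aes-256, sha256, DH group 14,
lifetimes 28800 s / 3600 s). Nothing is created until provision() is called."""
import ipaddress
import time

FCI_CIDR = "172.16.8.0/24"       # FCI LAN range quoted in the guide
AWS_CIDR = "10.0.0.0/16"         # placeholder (assumption): the AWS VPC range
FCI_GATEWAY_IP = "203.0.113.10"  # placeholder: public IP of the FCI VPN gateway

def network_cidr(cidr):
    """Canonical CIDR; rejects host bits (172.16.8.0/16 is not a network, and
    an AWS route table would refuse it as well)."""
    return str(ipaddress.ip_network(cidr, strict=True))

def tunnel_options():
    """One tunnel's options (Step 3, item 8). AWS generates the pre-shared key
    when none is supplied; it is in the downloaded configuration file (Step 6)."""
    return {
        "IKEVersions": [{"Value": "ikev2"}],
        "Phase1EncryptionAlgorithms": [{"Value": "AES256"}],
        "Phase1IntegrityAlgorithms": [{"Value": "SHA2-256"}],
        "Phase1DHGroupNumbers": [{"Value": 14}],
        "Phase1LifetimeSeconds": 28800,
        "Phase2EncryptionAlgorithms": [{"Value": "AES256"}],
        "Phase2IntegrityAlgorithms": [{"Value": "SHA2-256"}],
        "Phase2DHGroupNumbers": [{"Value": 14}],  # perfect forward secrecy group
        "Phase2LifetimeSeconds": 3600,
        "DPDTimeoutSeconds": 30,                  # dead peer detection
        "DPDTimeoutAction": "restart",
    }

def vpn_connection_request(cgw_id, tgw_id):
    """Arguments for ec2.create_vpn_connection: Transit Gateway target, static
    routing, FCI range as the local (customer) side, AWS range as the remote
    side, the same options for tunnel1 and tunnel2."""
    return {
        "CustomerGatewayId": cgw_id,
        "TransitGatewayId": tgw_id,
        "Type": "ipsec.1",
        "Options": {
            "StaticRoutesOnly": True,
            "LocalIpv4NetworkCidr": network_cidr(FCI_CIDR),
            "RemoteIpv4NetworkCidr": network_cidr(AWS_CIDR),
            "TunnelOptions": [tunnel_options(), tunnel_options()],
        },
    }

def ingress_rules(cidr):
    """Step 5 as specific rules: SSH, RDP and ICMP from the FCI range only."""
    src = [{"CidrIp": network_cidr(cidr)}]
    return [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": src},
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "IpRanges": src},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "IpRanges": src},
    ]

def provision(ec2, vpc_id, subnet_ids, vpc_route_table_id, sg_id):
    """Run Steps 1 to 5 against a boto3 EC2 client; returns the ids created."""
    cgw_id = ec2.create_customer_gateway(  # BgpAsn is required but unused with static routing
        Type="ipsec.1", PublicIp=FCI_GATEWAY_IP, BgpAsn=65000)["CustomerGateway"]["CustomerGatewayId"]
    tgw = ec2.create_transit_gateway(Description="FCI site-to-site")["TransitGateway"]
    tgw_id = tgw["TransitGatewayId"]
    while ec2.describe_transit_gateways(TransitGatewayIds=[tgw_id])["TransitGateways"][0]["State"] != "available":
        time.sleep(10)  # a new TGW stays "pending" for a while and rejects attachments until then
    ec2.create_transit_gateway_vpc_attachment(TransitGatewayId=tgw_id, VpcId=vpc_id, SubnetIds=subnet_ids)
    vpn_id = ec2.create_vpn_connection(**vpn_connection_request(cgw_id, tgw_id))["VpnConnection"]["VpnConnectionId"]
    ec2.get_waiter("vpn_connection_available").wait(VpnConnectionIds=[vpn_id])
    # Step 4: TGW route table -> VPN attachment and VPC route table -> TGW, both for the FCI range
    vpn_att = ec2.describe_transit_gateway_attachments(
        Filters=[{"Name": "resource-id", "Values": [vpn_id]}])["TransitGatewayAttachments"][0]
    ec2.create_transit_gateway_route(
        DestinationCidrBlock=network_cidr(FCI_CIDR),
        TransitGatewayRouteTableId=tgw["Options"]["AssociationDefaultRouteTableId"],
        TransitGatewayAttachmentId=vpn_att["TransitGatewayAttachmentId"])
    ec2.create_route(RouteTableId=vpc_route_table_id, DestinationCidrBlock=network_cidr(FCI_CIDR),
                     TransitGatewayId=tgw_id)
    ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=ingress_rules(FCI_CIDR))
    return {"customer_gateway": cgw_id, "transit_gateway": tgw_id, "vpn_connection": vpn_id}

if __name__ == "__main__":
    import boto3  # imported here so the request builders above work without it
    print(provision(boto3.client("ec2"), "vpc-PLACEHOLDER", ["subnet-PLACEHOLDER"],
                    "rtb-PLACEHOLDER", "sg-PLACEHOLDER"))
```

With boto3 installed and credentials configured, replace the placeholder ids and run the file; without boto3 the request builders still work, so the tunnel parameters can be reviewed before anything is created. The ingress rules are scoped to SSH, RDP and ICMP from the FCI range rather than All Traffic, which is the narrower of the two options the step describes.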

Step 6. Download the configuration file

After creating the VPN connection, you can download a configuration file to use for configuration on the FCI VPC. To download the configuration file:

  1. Go to the VPN connection page.
  2. Select the connection just created > select Download configuration.
  3. Select Vendor: pfSense, IKE version: IKEv1 (or IKEv2) > select Download.

Use this configuration file to create the VPN Site-to-Site on the FCI side.

Update VPN Site-to-Site configuration on FCI Cloud with the new AWS VPN IP

  1. Use the Tunnel 1 IP to update the configuration on the FCI side.
  2. Edit the Customer Gateway with the new AWS IP just created. Enter the AWS tunnel IP in the remote IP public field.
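The configuration file from Step 6 carries the tunnel outside IPs, the pre-shared keys and the IKE/IPsec parameters, so before the Customer Gateway is edited it is worth pulling the Tunnel 1 AWS IP out of it and confirming that the parameters agree with the FCI-side settings listed under Section 2 (aes-256, sha256, DH group 14, 28800 s / 3600 s). The following script does both. It is an added example, not FCI's or AWS's code: the embedded sample is constructed in the "- Key : Value" layout of AWS's generic configuration text with fake addresses and keys, and the pfSense vendor file the guide downloads is laid out differently, so the regular expressions need adjusting before use on a real download.

```python
"""Check an AWS 'Download configuration' file against the FCI-side settings.

Added example, not FCI's or AWS's own code. SAMPLE_CONFIG is constructed in the
'- Key : Value' layout of AWS's generic configuration text; a vendor file (the
guide downloads the pfSense one) is laid out differently, so adapt the regexes
before pointing this at a real download. Addresses and keys are fake."""
import re

# Values the FCI portal pre-fills for Provider "AWS" (from the guide).
FCI_EXPECTED = {
    "ike": {"encryption": "aes-256", "auth": "sha256", "lifetime": 28800,
            "dh": 14, "mode": "main"},
    "ipsec": {"protocol": "esp", "encryption": "aes-256", "auth": "sha256",
              "lifetime": 3600, "pfs": 14, "mode": "tunnel"},
}

# Constructed sample (one tunnel shown; a real file lists two, and the parser
# keeps them apart by tunnel number).
SAMPLE_CONFIG = """\
! IPSec Tunnel #1
! #1: Internet Key Exchange Configuration
  - Pre-Shared Key           : EXAMPLE-PSK-TUNNEL1
  - Authentication Algorithm : sha256
  - Encryption Algorithm     : aes-256-cbc
  - Lifetime                 : 28800 seconds
  - Phase 1 Negotiation Mode : main
  - Diffie-Hellman           : Group 14
! #2: IPSec Configuration
  - Protocol                 : esp
  - Authentication Algorithm : hmac-sha-256
  - Encryption Algorithm     : aes-256-cbc
  - Lifetime                 : 3600 seconds
  - Mode                     : tunnel
  - Perfect Forward Secrecy  : Diffie-Hellman Group 14
Outside IP Addresses:
  - Customer Gateway         : 203.0.113.10
  - Virtual Private Gateway  : 198.51.100.21
"""

TUNNEL_RE = re.compile(r"^!\s*IPSec Tunnel #(\d+)")
SECTION_RE = re.compile(r"^(?:!\s*#\d+:\s*)?(\S[^:]*):?\s*$")  # "! #1: Name" or "Name:"
KV_RE = re.compile(r"^\s*-\s*(.+?)\s*:\s*(.+?)\s*$")           # "  - Key : Value"
SECTIONS = {"Internet Key Exchange Configuration": "ike",
            "IPSec Configuration": "ipsec", "Outside IP Addresses": "outside"}

def parse_config(text):
    """Return {tunnel_number: {"ike" | "ipsec" | "outside": {key: value}}}."""
    tunnels, current, section = {}, None, None
    for line in text.splitlines():
        if m := TUNNEL_RE.match(line):
            current, section = tunnels.setdefault(int(m.group(1)), {}), None
        elif m := SECTION_RE.match(line):
            section = SECTIONS.get(m.group(1).strip())  # unknown sections are skipped
        elif (m := KV_RE.match(line)) and current is not None and section:
            current.setdefault(section, {})[m.group(1)] = m.group(2)
    return tunnels

def _alg(v):  # aes-256-cbc -> aes-256; hmac-sha-256 / sha2-256 -> sha256
    v = re.sub(r"-cbc$", "", v.lower().replace("hmac-", ""))
    return re.sub(r"^sha(?:2-|-)?(\d+)$", r"sha\1", v)

def _group(v):  # "Group 14" / "Diffie-Hellman Group 14" -> 14
    m = re.search(r"(\d+)\s*$", v)
    return int(m.group(1)) if m else None

def normalize(tunnel):
    """Map the file's wording onto the field names used in FCI_EXPECTED."""
    ike, ipsec = tunnel.get("ike", {}), tunnel.get("ipsec", {})
    return {
        "ike": {"encryption": _alg(ike.get("Encryption Algorithm", "")),
                "auth": _alg(ike.get("Authentication Algorithm", "")),
                "lifetime": int(ike.get("Lifetime", "0").split()[0]),
                "dh": _group(ike.get("Diffie-Hellman", "")),
                "mode": ike.get("Phase 1 Negotiation Mode", "").lower()},
        "ipsec": {"protocol": ipsec.get("Protocol", "").lower(),
                  "encryption": _alg(ipsec.get("Encryption Algorithm", "")),
                  "auth": _alg(ipsec.get("Authentication Algorithm", "")),
                  "lifetime": int(ipsec.get("Lifetime", "0").split()[0]),
                  "pfs": _group(ipsec.get("Perfect Forward Secrecy", "")),
                  "mode": ipsec.get("Mode", "").lower()},
    }

def mismatches(tunnel):
    """'phase.field: aws=X fci=Y' for every parameter that differs; [] if none."""
    got = normalize(tunnel)
    return [f"{p}.{f}: aws={got[p][f]!r} fci={want!r}"
            for p, fields in FCI_EXPECTED.items()
            for f, want in fields.items() if got[p][f] != want]

def tunnel_remote_ip(tunnels, number=1):
    """AWS-side outside IP of tunnel N: the value for the FCI Customer Gateway
    'remote IP public' field (Section III of the guide)."""
    return tunnels[number]["outside"]["Virtual Private Gateway"]

if __name__ == "__main__":
    parsed = parse_config(SAMPLE_CONFIG)
    print("Tunnel 1 AWS IP for the FCI Customer Gateway:", tunnel_remote_ip(parsed))
    for n, t in sorted(parsed.items()):
        print(f"tunnel {n}:", mismatches(t) or "matches the FCI-side settings")
```

mismatches() returns one line per differing parameter and an empty list when the tunnel agrees with the FCI side; tunnel_remote_ip() yields the value for the remote IP public field. Because the file contains the pre-shared keys, treat the download as a secret and remove it once the FCI side is configured.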

  • You have now completed the VPN Site-to-Site configuration between AWS and FCI Cloud.
  • After a successful connection, the Operation status of the VPN connection on the FCI Cloud side will be Online, and on the AWS side tunnel 1 will show UP.
  • Check the connection status on AWS: go to VPN connections > select the VPN connection > select Tunnel details. If the connection is successful, the tunnel status will be UP.
  • Verify the result: start VMs in each VPC using the network ranges configured in the VPN Site-to-Site, then ping the VMs from each side.

Ping result from FCI to AWS

Ping result from AWS to FCI Cloud