VPN TUNNEL in AWS

The idea is for all your private subnets to route via the VPN tunnel. Create a custom route table for the first private subnet (its routes are described in the section below on providing both internet and VPN routes). This is the same route table you will attach to successive private subnets: a SINGLE route table can hold multiple routes.

 Diagram for scenario 4: VPC with only a virtual private gateway

TESTING THE VPN TUNNEL

Inbound security group rule for the test instance:

Protocol type | Protocol number | ICMP type        | ICMP code | Source IP
ICMP          | 1               | 8 (Echo Request) | N/A       | The public IPv4 address of your on-premises computer, or its CIDR range

  1. Spin up an EC2 instance and associate it with a security group that allows PING traffic (ICMP). Then get its private IP address (for example, 10.0.0.4); the Amazon EC2 console displays the address as part of the instance's details.
  2. From a computer in your network that is behind the customer gateway device, run the ping command against the instance's private IP address. The tunnel is working when echo replies come back:
    ping 10.0.0.4

PRIVATE SUBNETS NEED A ROUTE TO BOTH THE INTERNET (NAT GATEWAY) AND TO THE VPN TUNNEL (VGW). HOW DO YOU PROVIDE BOTH IN ONE CUSTOM ROUTE TABLE?

The 'destination' fields are different.

  • For private subnets reaching on-premises addresses: the destination is anything in the VPC (the entire CIDR block, 10.0.0.0/16) and the target is the VGW.
  • For private subnets reaching the internet: the destination is 0.0.0.0/0 and the target is the NAT gateway.
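As an added example (not from the original page), the following Python resolves destinations against a private-subnet route table the way a VPC does, by longest-prefix match, and checks the VGW route. Note that every VPC route table carries an implicit local route for the VPC's own CIDR that cannot be replaced, so the VGW route's destination is the on-premises network range rather than the VPC block. The VGW and NAT gateway IDs and the on-premises CIDR 192.168.0.0/16 are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    destination: str  # CIDR, e.g. "0.0.0.0/0"
    target: str       # e.g. "local", "nat-...", "vgw-..."


# Constructed values: replace with your own CIDRs and gateway IDs.
VPC_CIDR = "10.0.0.0/16"
ON_PREM_CIDR = "192.168.0.0/16"  # assumed range behind the customer gateway

PRIVATE_SUBNET_ROUTES = [
    Route(VPC_CIDR, "local"),            # implicit route AWS puts in every route table
    Route(ON_PREM_CIDR, "vgw-example"),  # on-premises traffic -> virtual private gateway
    Route("0.0.0.0/0", "nat-example"),   # everything else -> NAT gateway for internet egress
]


def resolve(routes, dst_ip):
    """Return the target for dst_ip using longest-prefix match, as a VPC route table does."""
    addr = ipaddress.ip_address(dst_ip)
    best, best_len = None, -1
    for r in routes:
        net = ipaddress.ip_network(r.destination)
        if addr in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best.target if best else None


def check_vgw_routes(routes, vpc_cidr):
    """Flag VGW routes whose destination is the VPC's own CIDR (owned by the local route)."""
    vpc = ipaddress.ip_network(vpc_cidr)
    problems = []
    for r in routes:
        if r.target.startswith("vgw-") and ipaddress.ip_network(r.destination) == vpc:
            problems.append(f"{r.destination} -> {r.target}: VPC CIDR belongs to the local route")
    return problems


if __name__ == "__main__":
    for ip in ("10.0.0.4", "192.168.5.20", "8.8.8.8"):
        print(ip, "->", resolve(PRIVATE_SUBNET_ROUTES, ip))
    print("problems:", check_vgw_routes(PRIVATE_SUBNET_ROUTES, VPC_CIDR))
```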

For an advanced security consultation, please Contact AWS Security Architect