Testing your VPN Tunnel in AWS

AWS Security Architect, Sun, 25 Sep 2022: https://awssecurityarchitect.com/aws-network-security/testing-your-vpn-tunnel-in-aws/


VPN TUNNEL in AWS

The idea is for all your private subnets to route via the VPN tunnel. Create a custom route table for the first private subnet (the route entries are described below). This is the same route table you will attach to each successive private subnet. A single route table can hold multiple routes.

[Diagram: scenario 4, VPC with only a virtual private gateway]

TESTING THE VPN TUNNEL

Security group inbound rule required for the test:

  Protocol type | Protocol number | ICMP type         | ICMP code | Source IP
  ICMP          | 1               | 8 (Echo Request)  | N/A       | The public IPv4 address of your on-premises computer, or its CIDR range

  1. Spin up an EC2 instance and associate it with a security group that allows ping traffic (ICMP). Now get its private IP address (for example, 10.0.0.4). The Amazon EC2 console displays the address as part of the instance's details.
  2. From a computer in your network that is behind the customer gateway device, use the ping command with the instance's private IP address. A successful response is similar to the following:

    ping 10.0.0.4

PRIVATE SUBNETS NEED A ROUTE TO BOTH THE INTERNET (NAT GATEWAY) AND TO THE VPN TUNNEL (VGW). HOW DO YOU PROVIDE BOTH IN ONE CUSTOM ROUTE TABLE?

The 'destination' fields are different, so both routes fit in one table.

  • For private subnets reaching on-premises addresses: the destination is anything in the VPC (the entire CIDR block, 10.0.0.0/16) and the target is the VGW.
  • For private subnets reaching the Internet: the destination is 0.0.0.0/0 and the target is the NAT gateway.
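To make the "different destinations" point concrete, the following is an added example (not code from the post or from AWS) that models how a route table with both a VGW route and a NAT gateway route selects a target: AWS route tables use longest-prefix match, so the more specific prefix wins and 0.0.0.0/0 only catches what nothing else matched. The table below is constructed: the identifiers vgw-EXAMPLE and nat-EXAMPLE are placeholders, and the on-premises range behind the customer gateway is assumed to be 192.168.0.0/16. The local route for the VPC CIDR is included because every VPC route table carries one.

```python
import ipaddress

# Constructed route table for a private subnet: the local route that every VPC
# route table carries, a route to the on-premises range via the virtual private
# gateway, and the default route via the NAT gateway.
# Assumptions: on-prem range 192.168.0.0/16; target IDs are placeholders.
ROUTE_TABLE = [
    ("10.0.0.0/16", "local"),            # VPC CIDR -> implicit local route
    ("192.168.0.0/16", "vgw-EXAMPLE"),   # assumed on-prem CIDR -> VGW (VPN tunnel)
    ("0.0.0.0/0", "nat-EXAMPLE"),        # everything else -> NAT gateway
]


def resolve_target(dest_ip, routes=ROUTE_TABLE):
    """Return the target of the most specific route matching dest_ip.

    Implements longest-prefix match: among all routes whose destination
    CIDR contains dest_ip, the one with the longest prefix wins. Returns
    None when no route matches (e.g. an IPv6 address against IPv4 routes).
    """
    addr = ipaddress.ip_address(dest_ip)
    best_net, best_target = None, None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target


def has_both_paths(routes=ROUTE_TABLE):
    """Check that a private-subnet table provides both paths the post asks for:
    a route whose target is a virtual private gateway, and a default route
    (0.0.0.0/0) whose target is a NAT gateway."""
    to_vgw = any(target.startswith("vgw-") for _, target in routes)
    default_to_nat = any(
        cidr == "0.0.0.0/0" and target.startswith("nat-") for cidr, target in routes
    )
    return to_vgw and default_to_nat


if __name__ == "__main__":
    # Walk a few constructed destinations through the table.
    for ip in ("10.0.0.4", "192.168.10.5", "203.0.113.9"):
        print(f"{ip:>14} -> {resolve_target(ip)}")
    print("both paths present:", has_both_paths())
```

Running the block shows the instance's own VPC neighbour (10.0.0.4) staying on the local route, an on-premises host (192.168.10.5) going to the VGW, and a public address (203.0.113.9) falling through to the NAT gateway; `has_both_paths` is the kind of assertion you would run against a route table exported from the account before attaching it to further private subnets.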

For an advanced security consultation, please Contact AWS Security Architect
