Aviatrix Gateway to AWS VGW¶
This document describes how to configure an IPsec tunnel between an Aviatrix Gateway and an AWS Virtual Private Gateway (VGW).
For this use case, we will configure the AWS VGW VPN connection first and then download the configuration from AWS and import it into Aviatrix.
Create the VPN Connection¶
- You have a VGW created and attached to a VPC
- You have an Aviatrix Gateway provisioned in a different VPC. You will need this gateway’s public IP address for the steps below.
Login to your AWS VPC Dashboard in the region where your VGW is located
Create a new Customer Gateway
Field Description Name Enter any name here Routing Select Static IP Address Enter the Aviatrix Gateway’s public IP
Create a VPN Connection
Field Description Name Enter any name here Virtual Private Gateway Select your VGW Customer Gateway Select Existing Routing Options Select Static Static IP Prefixes Enter the CIDR(s) of the VPC where the Aviatrix Gateway resides. Tunnel Options Leave blank/default
Select the VPN you just created and click the Download Configuration button along the top. At the dialog, select Generic for the Vendor, Generic for the Platform and Vendor Agnostic for the Software
Click Download Configuration. You will use this file to create the other side of the tunnel.
Login to your Aviatrix Controller
Follow the steps in this guide. Use this table for specific field values
Field Description VPC ID/VNet Name Select the Aviatrix Gateway VPC or VNet from the drop down. Connection Type Unmapped Remote Gateway Type AWS VGW Algorithms Checked
Populate the remaining fields.
Field Description Remote Gateway IP Address Enter the value that matches the value Tunnel Interface Configuration > Outside IP Addresses > Virtual Private Gateway Pre-shared Key Enter the value that matches the value Internet Key Exchange Configuration > Pre-Shared Key Remote Subnet Enter the value that matches the value Inside IP Address > Virtual Private Gateway, comma, the remote VPC CIDR Note, the remote VPC CIDR represents the VPC where VGW resides. For example, 169.254.44.145/30, 10.27.0.0/20
Once complete, test the communication using the tunnel
Wait 2-3 minutes for the tunnel to come up. If it does not come Up within that time, check the IP addresses to confirm they are accurate. Additional troubleshooting is available in the Diagnositics tab.
Appendix: Enable HA¶
You can enable HA for Aviatrix site2cloud connection to AWS VGW. Please add following extra steps to the configuration.
Create Aviatrix HA Gateway¶
Before creating site2cloud connection, following this guide’s Backup Gateway and Tunnel HA section to create Aviatrix HA gateway in the same VPC.
From AWS console, create a new VPN connection between VGW and Aviatrix HA Gateway¶
Create a new Customer Gateway for Aviatrix HA Gateway:
Field Description Name Enter any name here Routing Select Static IP Address Enter the Aviatrix HA Gateway’s public IP
Create a new VPN connection for Aviatrix HA Gateway:
Field Description Name Enter any name here Virtual Private Gateway Select the same VGW using for primary VPN connection Customer Gateway Select CGW your just created for HA Routing Options Select Static Static IP Prefixes Enter the CIDR(s) of the VPC where the HA Aviatrix Gateway resides. Tunnel Options Leave blank/default
Download Configuration for this new VPN connection just like you did earlier for the primary VPN connection.
Create Aviatrix Site2Cloud Connection with HA¶
From Aviatrix Controller UI -> Site2Cloud page, click + Add New, under Add a New Connection, make sure Enable HA is checked.
Additional fields are displayed when checked.
VPN information for backup need to be obtained from the downloaded configuration of AWS VPN connection between VGW and Aviatrix HA Gateway. Follow the same steps you did for primary connection.
|Backup Gateway||Select the Aviatrix HA Gateway you just created|
|Remote Gateway IP Address(Backup)||Enter the value that matches the value Tunnel Interface Configuration > Outside IP Addresses > Virtual Private Gateway|
|Pre-shared Key(Backup)||Enter the value that matches the value Internet Key Exchange Configuration > Pre-Shared Key|
Other fields should be filled as instructed in above section Configure Aviatrix.