
How to Create an Amazon VPC

Posted by on Aug 30, 2011 in Musings | 6 comments


In this post I will detail how to create a VPC within the Amazon AWS cloud and then attach it via an IPsec VPN to your corporate network.

Phase 1 – Create VPC and VPN to a Single External Site
In order to create a VPC that connects to an external (non-Amazon) IPsec device, follow the steps below:

  1. Log onto the AWS Console and Click on the VPC tab
  2. Click the ‘Get started creating a VPC’ button (make sure you have selected the correct region to create the VPC in)
  3. You’ll be presented with a number of options to select the type of VPC you’d like to create. I chose the VPC with Public and Private subnets and Hardware VPN access. This will create a VPC for the EC2 instances to be created in, with 2 subnets (public and private), that can be connected to an external IPsec VPN device. The public subnet is a subnet that can be made available publicly, while the private subnet is only connected to your VPN device and is not reachable from the public Internet.
  4. The next screen asks you to specify the IP address of your VPN Gateway (i.e. the VPN device that you will use to create a VPN connection to AWS with).
  5. The final screen is the confirmation screen.  From here you can edit any of the information collected in the wizard.  When you’re happy with the configuration click the Create VPN button
  6. The next screen will confirm the VPC has been created and will give you the option to download a preconfigured VPN configuration for your VPN device.  As of the time of writing this only Cisco ISR (IOS 12.4+), Juniper (JunOS 9.5+, ScreenOS 6.1+), Yamaha (RTX 10.01.16+) and a Generic (Vendor Agnostic) configurations are available.
  7. Use the configuration you have downloaded to configure your VPN device.
    1. One caveat to note: The configuration you downloaded will use BGP to advertise the routes from your VPN device to the VPC. I don’t recommend using the default BGP configuration, as it will inject a default route (0.0.0.0/24) into the routing table in the VPC. That is fine if you are just connecting one site to the VPC, but if you have multiple sites and want to create multiple VPN connections it will cause routing problems.
    2. My recommendation is to use BGP to specify the exact networks you’d like to advertise via BGP. In the case you use multiple VPN connections to connect multiple sites to the VPC you will want to make sure you use separate AS numbers for each BGP session. I’ll get into this a little later in this document.
  8. Click on the VPN Connections menu on the left side menu to see the status of the VPN connection you’ve just created. For me it took about 5 minutes for the VPN connection to be established, so don’t panic if the tunnel doesn’t come up straight away. This window will also show you the current status of the VPN connections as well as any potential error messages (such as phase 1 proposal failed, preshared key failures, etc.).
  9. Once the tunnels are green your VPC and VPN connection to AWS are created and functioning. The next step is to launch EC2 instances into the newly created VPC. Please note you cannot move any of your existing EC2 instances into the VPC. To launch an EC2 instance into the VPC, click the Launch EC2 Instance button and when prompted for the Instance Details make sure you select the ‘Launch Instance Into Your Virtual Private Cloud’ option. You will also need to select which Subnet (public or private) you want to launch the EC2 instance into.
    1. Note: At the time of writing, I could not launch a micro instance into the VPC so the ‘Launch Instance Into Your Virtual Private Cloud’ option was greyed out, so make sure you change the Instance Type to a type that is supported inside the VPC.
  10. Once you’ve launched your instance, it will be given an IP address in the subnet you selected and will not have a public address (e.g. ec2-xx-xx-xx-xx.us-west-1.compute.amazonaws.com).

Phase 2 – Extend VPC by adding a VPN to a Second External Site

  1. Follow the instructions above to create a VPC and a VPN to a Single Site
  2. IMPORTANT – DO NOT USE THE ‘Add VPN Connection’ button on the VPC Homepage to add a second VPN connection. If you do this, you will create a VPN that will use the default AS 65000 for BGP routing. To add a second (or third, etc.) site you will need to manually create the VPN and assign it a unique AS number (in the private 65000+ range).
  3. Create a new Customer Gateway – click Create Customer Gateway button and add the IP address of your second VPN gateway. MAKE SURE YOU USE A UNIQUE BGP ASN NUMBER
  4. Create a new VPN Connection. Click the Create VPN Connection button in the VPN Connections window. Make sure you select the Customer Gateway you just created in the step above.
  5. Download the configuration for your VPN device and use it to create the tunnel.
    1. One caveat to note: The configuration you downloaded will use BGP to advertise the routes from your VPN device to the VPC. I don’t recommend using the default BGP configuration, as it will inject a default route (0.0.0.0/24) into the routing table in the VPC. That is fine if you are just connecting one site to the VPC, but if you have multiple sites and want to create multiple VPN connections it will cause routing problems.
  6. You will then see your second VPN tunnel come up and you will be able to access the VPC from your second site.

Repeat these steps for any other sites you want to connect to the VPC.
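The two caveats above (advertise specific prefixes rather than the default route, and give every customer gateway its own private ASN) are easy to get wrong when a third or fourth site is added by hand, so it is worth checking the planned design before touching the console. The script below is an added example, not part of the original post or of any AWS tooling: it models each site as a BGP session advertising a list of prefixes into the VPC route table, flags duplicate or non-private ASNs and default-route advertisements, and shows with a longest-prefix lookup why two sites both sending 0.0.0.0/0 leave the VPC with no unambiguous next hop. The site names, ASNs and CIDRs are constructed sample values; the private ASN range it enforces is the 16-bit range 64512–65534.

```python
"""Sanity-check a multi-site VPC VPN plan (added example, not from the post).

Each site is one customer gateway with its own BGP session to the VPC.
The VPC route table ends up holding whatever every site advertises, so
conflicting advertisements from different sites produce ambiguous routes.
"""
import ipaddress

# 16-bit private ASN range; the post uses the 65000+ end of it.
PRIVATE_ASN_MIN, PRIVATE_ASN_MAX = 64512, 65534

# Constructed sample plans: site names, ASNs and prefixes are hypothetical.
# SITES_BAD is what you get by clicking 'Add VPN Connection' twice and
# leaving the downloaded BGP configuration untouched on both routers.
SITES_BAD = {
    "head-office": {"asn": 65000, "advertise": ["0.0.0.0/0"]},
    "branch":      {"asn": 65000, "advertise": ["0.0.0.0/0"]},
}
# SITES_GOOD follows the post's advice: unique ASN per site, exact prefixes.
SITES_GOOD = {
    "head-office": {"asn": 65001, "advertise": ["10.1.0.0/16"]},
    "branch":      {"asn": 65002, "advertise": ["10.2.0.0/16"]},
}
VPC_CIDR = "10.0.0.0/16"


def check_plan(sites, vpc_cidr):
    """Return a list of problems with the plan; an empty list means it is sound."""
    problems = []
    vpc = ipaddress.ip_network(vpc_cidr)
    seen_asn = {}          # asn -> first site that used it
    advertised = []        # (site, network) already accepted
    for name, cfg in sites.items():
        asn = cfg["asn"]
        if not PRIVATE_ASN_MIN <= asn <= PRIVATE_ASN_MAX:
            problems.append(f"{name}: ASN {asn} is not in the private range")
        if asn in seen_asn:
            problems.append(f"{name}: ASN {asn} already used by {seen_asn[asn]}")
        seen_asn.setdefault(asn, name)
        for prefix in cfg["advertise"]:
            net = ipaddress.ip_network(prefix, strict=False)
            if net.prefixlen == 0:
                # A default route is only safe when this is the sole site.
                problems.append(f"{name}: advertises the default route {net}")
            elif net.overlaps(vpc):
                problems.append(f"{name}: {net} overlaps the VPC CIDR {vpc}")
            else:
                for other, onet in advertised:
                    if onet.overlaps(net):
                        problems.append(f"{name}: {net} overlaps {onet} from {other}")
            advertised.append((name, net))
    return problems


def route_table(sites):
    """Map each advertised prefix to the list of sites advertising it."""
    table = {}
    for name, cfg in sites.items():
        for prefix in cfg["advertise"]:
            net = ipaddress.ip_network(prefix, strict=False)
            table.setdefault(net, []).append(name)
    return table


def next_hop(sites, dest):
    """Longest-prefix match for dest across all advertisements.

    Returns the winning site, the string 'ambiguous' when more than one
    site advertises the winning prefix, or None when nothing matches.
    """
    addr = ipaddress.ip_address(dest)
    best = None
    for net, names in route_table(sites).items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, names)
    if best is None:
        return None
    return best[1][0] if len(best[1]) == 1 else "ambiguous"


if __name__ == "__main__":
    for label, plan in (("bad", SITES_BAD), ("good", SITES_GOOD)):
        print(f"{label}: problems={check_plan(plan, VPC_CIDR)}")
        print(f"{label}: 10.2.5.5 -> {next_hop(plan, '10.2.5.5')}")
```

Run it with no arguments: the bad plan reports the reused ASN and the default-route advertisements, and its lookup for a branch address comes back ambiguous; the good plan reports nothing and resolves the same address to the branch site. The overlap checks are there because two sites advertising overlapping but non-default prefixes cause the same ambiguity on a smaller scale.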
