Aviatrix Virtual Appliance For AWS VPN Gateway Connection Configuration Guide Last updated: April 11, 2017
Aviatrix Systems, Inc. 411 High Street Palo Alto CA 94301 USA http://www.aviatrix.com
Tel: +1 844.262.3100
Page 1 of 9
TABLE OF CONTENTS
1 Overview ........................................................................ 3
1.1 Use Case – AWS VPC to Remote Site ........................................... 3
2 Configuration Workflow .......................................................... 4
2.1 Prerequisites ................................................................. 4
2.2 Configuration ................................................................. 4
2.2.1 Step 1 – Deploy the Aviatrix Virtual Appliance .............................. 5
2.2.2 Step 2 – Configure AWS VPN Connection ....................................... 5
2.2.3 Step 3 – Configure Aviatrix Site-to-Cloud VPN Connection .................... 6
3 Troubleshooting ................................................................. 8
3.1 Aviatrix Virtual Appliance Tunnel Status ...................................... 8
3.2 Remote site static routes ..................................................... 8
3.3 AWS Instance Security Groups .................................................. 8
4 Appendix – Support .............................................................. 9
4.1 Aviatrix Support .............................................................. 9
1 Overview
Aviatrix is a next generation cloud networking solution built from the ground up for the public cloud. It simplifies the way you enable site-to-cloud, user-to-cloud, and cloud-to-cloud secure connectivity and access. The Aviatrix solution requires no new hardware and deploys in minutes. This configuration guide provides step-by-step instructions on how to deploy the Aviatrix virtual appliance for an AWS VPN gateway connection.
1.1 Use Case – AWS VPC to Remote Site
In this use case, a remote on-premises site needs to be connected to an AWS VPC. Instead of configuring the IPSec termination on the edge device, which may put tier 1 applications at risk, an Aviatrix virtual appliance can be deployed on premises to terminate the IPSec tunnel. With this approach, no changes are needed on the edge device; the IPSec tunnel is configured directly on the Aviatrix virtual appliance. Below is an example of the solution.

[Figure: Remote Site (Edge Device, Aviatrix Virtual Appliance, Users Subnet 10.16.0.0/16, Subnet 192.168.50.0/24) connected over a SITE-2-CLOUD IPSEC tunnel to the AWS VPC (AWS VGW, VPC CIDR 10.14.0.0/16, Compute Instances)]

Benefits
1. Quick and easy to deploy – up and running within minutes.
2. No changes on the edge device.
3. Supports popular hypervisors – VMware and Hyper-V.
4. Supports all major public cloud providers (AWS, Azure, GCP).
5. No exchange of public cloud credentials is needed.
2 Configuration Workflow

2.1 Prerequisites
Please review the following before configuring the VPN connection. Confirm and check the following:
1. Make sure you have a valid AWS account.
2. Make sure the hypervisor that you’re using is supported.
   a. VMware ESXi 5.0 or later.
   b. Windows 2012 R2 or later Hyper-V.
3. The Aviatrix virtual appliance requires the following:
   a. A static IP address (internal).
   b. Access to a DNS server.
   c. Outbound ports:
      o TCP 443.
      o UDP 4500 & 500.
4. In the remote site, create static routes to the AWS VPC network.
   a. In order for devices in the remote site to reach the AWS VPC, they must be routed to the Aviatrix virtual appliance.
2.2 Configuration
The following configuration setup is based on the example environment shown below. Please replace values accordingly for your setup.

[Figure: Remote Site – Edge Device (Public IP 207.47.51.61), Aviatrix Virtual Appliance, Users Subnet 10.16.0.0/16, Subnet 192.168.50.0/24; SITE-2-CLOUD IPSEC tunnel; AWS VPC – AWS VGW (Public IP 35.163.15.49), VPC CIDR 10.14.0.0/16, Compute Instances]
2.2.1 Step 1 – Deploy the Aviatrix Virtual Appliance
1. Download the virtual appliance for your hypervisor.
2. Import the virtual appliance into your virtualization environment.
3. Once the virtual appliance boots up, log in to the CLI console. The default login is admin / Aviatrix123#
4. Use the following command to configure the static IP address on the virtual appliance:
   setup_interface_static_address ip_address subnet_mask default_gateway primary_dns secondary_dns
   Example: setup_interface_static_address 10.16.0.11 255.255.255.0 10.16.0.10 8.8.8.8 8.8.4.4
5. Log in to the virtual appliance web GUI. The default URL is https://static_ip_address and the default login is admin / static_ip_address (i.e. 10.16.0.11). The system will prompt for a recovery email address and then prompt you to change the default password. The virtual appliance will initialize after the password change. Afterwards, log in to the console with the new password.
6. Update the license key. Click Settings > License. Under Customer ID, enter your customer ID and click Save. If you don’t have one, contact Aviatrix at [email protected].
7. Done.
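The Python below is an added example and is not part of the Aviatrix guide or product. It sanity-checks the five arguments of setup_interface_static_address before they are typed into the console (address usable under the given mask, gateway on the same network, DNS addresses well formed), and it also checks that the Local Subnet and Remote Subnet values entered later in Step 3 do not overlap: an unmapped tunnel forwards purely by destination prefix, so overlapping address space cannot be routed, which is a general IPsec routing constraint rather than something the guide states. The values are the guide's example environment; the function names are mine.

```python
import ipaddress

# Constructed values taken from the guide's example environment (not a real site)
EXAMPLE_ARGS = ["10.16.0.11", "255.255.255.0", "10.16.0.10", "8.8.8.8", "8.8.4.4"]
EXAMPLE_LOCAL_SUBNETS = "10.16.0.0/16, 192.168.50.0/24"   # remote-site networks
EXAMPLE_REMOTE_SUBNETS = "10.14.0.0/16"                    # AWS VPC CIDR


def check_static_address_args(args):
    """Sanity-check the five arguments given to setup_interface_static_address.

    Returns a list of problems; an empty list means the values are consistent
    with each other (the script cannot verify the real network for you).
    """
    if len(args) != 5:
        return ["expected 5 arguments: ip_address subnet_mask default_gateway "
                "primary_dns secondary_dns"]
    ip_s, mask_s, gw_s, dns1_s, dns2_s = args
    problems = []
    try:
        # IPv4Interface accepts a dotted netmask after the slash
        iface = ipaddress.IPv4Interface(f"{ip_s}/{mask_s}")
    except ValueError as exc:
        return [f"invalid ip_address/subnet_mask: {exc}"]
    ip, net = iface.ip, iface.network
    if ip in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {net}")
    try:
        gw = ipaddress.IPv4Address(gw_s)
    except ValueError:
        problems.append(f"invalid default_gateway {gw_s!r}")
    else:
        if gw not in net:
            problems.append(f"default_gateway {gw} is not inside {net}")
        elif gw == ip:
            problems.append("default_gateway must differ from the appliance address")
    for label, value in (("primary_dns", dns1_s), ("secondary_dns", dns2_s)):
        try:
            ipaddress.IPv4Address(value)
        except ValueError:
            problems.append(f"invalid {label} {value!r}")
    return problems


def parse_subnet_field(text):
    """Split a comma-separated CIDR list as typed into the Local/Remote Subnet fields."""
    return [ipaddress.ip_network(part.strip(), strict=False)
            for part in text.split(",") if part.strip()]


def find_overlaps(local_field, remote_field):
    """Return (local, remote) CIDR pairs that overlap.

    With an unmapped connection the tunnel forwards purely by destination
    prefix, so a local subnet that overlaps a remote one cannot be routed
    unambiguously; fix the addressing before building the tunnel.
    """
    return [(str(loc), str(rem))
            for loc in parse_subnet_field(local_field)
            for rem in parse_subnet_field(remote_field)
            if loc.overlaps(rem)]


if __name__ == "__main__":
    print("static address problems:", check_static_address_args(EXAMPLE_ARGS))
    print("overlapping subnets:", find_overlaps(EXAMPLE_LOCAL_SUBNETS, EXAMPLE_REMOTE_SUBNETS))
```

Run it with the values you intend to enter; an empty problem list and an empty overlap list mean the addressing is at least self-consistent before you commit it to the appliance.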
2.2.2 Step 2 – Configure AWS VPN Connection
On the AWS side, a VPN connection needs to be created. An AWS VPN connection consists of the following components:
1. VPC – This defines the network within an AWS account.
2. Customer Gateway – This defines the network on the remote site.
3. Virtual Private Gateway – This defines a gateway where the VPN will terminate in AWS.
4. VPN Connection – This definition puts everything together.

Step 2 – Configure AWS VPN Connection
1. Log into the AWS Portal.
2. Create a VPC (or identify the VPC you want to use for the VPN connection). In this example, we will use the following values:
   a. Address Space (CIDR): 10.14.0.0/16.
   b. Subnets – Add as many subnets as you need.
3. Create a Customer Gateway. In this example, we will use the following values:
   a. Routing: Static (only static is supported at this time).
   b. IP Address: 207.47.51.61 (this is the public IP of the edge device at the remote site).
      o You can retrieve the public IP from the Aviatrix virtual appliance GUI (Troubleshoot -> Diagnostics -> Controller Public IP).
   c. Address space: 10.16.0.0/16, 192.168.50.0/24 (these are subnets on the remote site).
4. Create a Virtual Private Gateway. Please note the following settings.
   a. Create the gateway.
   b. Attach it to the VPC you want to connect to from your remote site.
5. Create a Site-to-Site VPN Connection. Please note the following settings.
   a. Name tag: Type in a name for the connection (this is arbitrary).
   b. Virtual Private Gateway: Choose the one created above.
   c. Customer Gateway: Choose Existing and select the one created above.
   d. Routing Options: Static (only static is supported now).
   e. Static IP Prefixes: 10.16.0.0/16, 192.168.50.0/24 (these are subnets on the remote site).
   f. It will take a few minutes for AWS to create the connection. Be patient.
   g. Download the configuration file – after the connection is created, click “Download Configuration”. For vendor, select Generic. Please note the following from the configuration file:
      o Pre-Shared Key
      o Outside IP Addresses of Virtual Private Gateway
6. Done.
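As an added example (not from the guide or from AWS), the Python below pulls the two values Step 3 needs, the pre-shared key and the Virtual Private Gateway's outside IP address, out of a downloaded Generic configuration file. The embedded SAMPLE_CONFIG is constructed to follow the layout of that download as I know it (an "IPSec Tunnel #n" header, an Internet Key Exchange section and an "Outside IP Addresses" block per tunnel); the keys and the second tunnel's address are placeholders, while the first tunnel carries the guide's 35.163.15.49 and 207.47.51.61. The regular expressions assume that layout, so compare them against your own file. The summary masks the key because it is a credential and should not be pasted into tickets or logs.

```python
import ipaddress
import re

# Constructed sample modelled on the layout of the AWS "Generic" vendor download
# (real files are much longer); the keys are obviously fake.
SAMPLE_CONFIG = """\
Amazon Web Services
Virtual Private Cloud

IPSec Tunnel #1
================================================================================
#1: Internet Key Exchange Configuration
  - Authentication Method    : Pre-Shared Key
  - Pre-Shared Key           : EXAMPLEpsk1NotARealKey
  - Authentication Algorithm : sha1
#3: Tunnel Interface Configuration
Outside IP Addresses:
  - Customer Gateway         : 207.47.51.61
  - Virtual Private Gateway  : 35.163.15.49
Inside IP Addresses
  - Customer Gateway         : 169.254.10.2/30
  - Virtual Private Gateway  : 169.254.10.1/30

IPSec Tunnel #2
================================================================================
#1: Internet Key Exchange Configuration
  - Authentication Method    : Pre-Shared Key
  - Pre-Shared Key           : EXAMPLEpsk2NotARealKey
#3: Tunnel Interface Configuration
Outside IP Addresses:
  - Customer Gateway         : 207.47.51.61
  - Virtual Private Gateway  : 203.0.113.42
Inside IP Addresses
  - Customer Gateway         : 169.254.11.2/30
  - Virtual Private Gateway  : 169.254.11.1/30
"""

TUNNEL_HDR = re.compile(r"^IPSec Tunnel #(\d+)", re.M)
PSK_RE = re.compile(r"^\s*-\s*Pre-Shared Key\s*:\s*(\S+)", re.M)
# Anchor on the "Outside IP Addresses:" block so the 169.254.x.x inside
# addresses are never mistaken for the public tunnel endpoints.
OUTSIDE_VGW_RE = re.compile(
    r"Outside IP Addresses:.*?^\s*-\s*Virtual Private Gateway\s*:\s*([0-9.]+)", re.M | re.S)
OUTSIDE_CGW_RE = re.compile(
    r"Outside IP Addresses:.*?^\s*-\s*Customer Gateway\s*:\s*([0-9.]+)", re.M | re.S)


def parse_generic_vpn_config(text):
    """Return one dict per tunnel: number, PSK and both outside (public) IPs."""
    headers = list(TUNNEL_HDR.finditer(text))
    tunnels = []
    for i, hdr in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        chunk = text[hdr.end():end]
        psk, vgw, cgw = (rx.search(chunk) for rx in (PSK_RE, OUTSIDE_VGW_RE, OUTSIDE_CGW_RE))
        if not (psk and vgw and cgw):
            raise ValueError(f"tunnel #{hdr.group(1)}: PSK or outside addresses not found")
        tunnels.append({
            "tunnel": int(hdr.group(1)),
            "psk": psk.group(1),
            # IPv4Address() rejects anything that is not a well-formed address
            "cgw_outside_ip": str(ipaddress.IPv4Address(cgw.group(1))),
            "vgw_outside_ip": str(ipaddress.IPv4Address(vgw.group(1))),
        })
    return tunnels


def mask_psk(psk):
    """Show only the last four characters; the PSK is a credential, keep it out of logs."""
    return "****" + psk[-4:]


def summarize(tunnels, expected_cgw_ip=None):
    """Human-readable lines for the Step 3 form, with the PSK masked.

    If expected_cgw_ip is given (the edge device public IP entered for the
    Customer Gateway), a mismatch is flagged: AWS only accepts the tunnel
    from that address.
    """
    lines = []
    for t in tunnels:
        note = ""
        if expected_cgw_ip and t["cgw_outside_ip"] != expected_cgw_ip:
            note = f"  <-- customer gateway IP differs from {expected_cgw_ip}"
        lines.append(f"tunnel #{t['tunnel']}: remote gateway {t['vgw_outside_ip']}, "
                     f"psk {mask_psk(t['psk'])}{note}")
    return lines


if __name__ == "__main__":
    for line in summarize(parse_generic_vpn_config(SAMPLE_CONFIG), "207.47.51.61"):
        print(line)
```

The guide's Step 3 uses the first tunnel's Virtual Private Gateway address as the Remote Gateway IP Address; the parser returns both tunnels so the second endpoint is recorded as well.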
2.2.3 Step 3 – Configure Aviatrix Site-to-Cloud VPN Connection
To complete the connection, we must define the VPN connection on the Aviatrix virtual appliance as well.

Step 3 – Aviatrix Site to Cloud Definition
1. Log in to the Aviatrix Virtual Appliance.
2. Click Site2Cloud -> +Add New.
   a. VPC ID/VNet Name – Select Local.
   b. Connection Type – Unmapped.
   c. Connection Name – Type in a name for the connection.
   d. Remote Gateway IP Address – This is the public IP of the AWS VPN gateway. In this example, it is 35.163.15.49.
   e. Remote Subnet – Type in the CIDR of the AWS VPC (i.e. 10.14.0.0/16). If there is more than one network, separate them with commas.
   f. Local Subnet – Type in the networks on the remote site side (i.e. 10.16.0.0/16, 192.168.50.0/24).
   g. Pre-shared Key – Type in the pre-shared key from the AWS VGW’s configuration file.
   h. Remote Gateway Type – Choose AWS VGW.
3. Click OK.
4. Done.

Congratulations. The configuration is complete.
3 Troubleshooting
Below are some troubleshooting tips.
3.1 Aviatrix Virtual Appliance Tunnel Status
Tunnel status can be checked from the Controller. From the Controller GUI:
1. Click Site2Cloud -> Diagnostics.
2. Select the following:
   a. VPC ID / VNet / NET = Select Local.
   b. Connection = Select the connection you want to troubleshoot.
   c. Action = Select the diagnostics that you want to see.
3. Click OK.
3.2 Remote site static routes
Make sure static routes are defined on your remote site to reach the AWS VPC. For example, in the environment shown below, you will need to add the following static route on the remote site:
   Destination: 10.14.0.0/16
   Next Hop: Aviatrix Virtual Appliance

[Figure: Remote Site – Edge Device (Public IP 207.47.51.61), Aviatrix Virtual Appliance, Users Subnet 10.16.0.0/16, Subnet 192.168.50.0/24; SITE-2-CLOUD IPSEC tunnel; AWS VPC – AWS VGW (Public IP 35.163.15.49), VPC CIDR 10.14.0.0/16, Compute Instances]
3.3 AWS Instance Security Groups
Check and make sure your security groups are configured properly for access from your remote site. By default, inbound access to AWS instances is restricted.
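An added example (not the guide's or AWS's code) that turns the check in 3.3 into something you can run: given a security group in the shape that EC2 describe-security-groups returns, it reports whether each remote-site subnet is fully admitted for a given protocol and port, and it lists any rule open to 0.0.0.0/0 or ::/0, which is broader than tunnel traffic from 10.16.0.0/16 and 192.168.50.0/24 requires. SAMPLE_SG is constructed and "sg-EXAMPLE" is a placeholder id; fetching a real group with boto3 is left out so the script runs offline.

```python
import ipaddress

# Constructed sample in the shape of an EC2 describe-security-groups entry;
# "sg-EXAMPLE" is a placeholder, not a real group id.
SAMPLE_SG = {
    "GroupId": "sg-EXAMPLE",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.16.0.0/16"}]},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
         "IpRanges": [{"CidrIp": "10.16.0.0/16"}, {"CidrIp": "192.168.50.0/24"}]},
    ],
}

# The remote-site subnets from the guide's example environment
REMOTE_SITE_SUBNETS = ["10.16.0.0/16", "192.168.50.0/24"]


def _ports_ok(perm, port):
    """True if the rule's port range covers `port` (or the rule has no port range)."""
    if perm["IpProtocol"] == "-1":       # "All traffic"
        return True
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    if lo == -1 and hi == -1:            # ICMP "all types/codes"
        return True
    return lo <= port <= hi


def _covers_whole_subnet(perm, subnet):
    """True if some IPv4 CIDR on the rule contains the entire remote subnet."""
    return any(subnet.subnet_of(ipaddress.ip_network(r["CidrIp"]))
               for r in perm.get("IpRanges", []))


def check_remote_access(sg, remote_subnets, proto, port):
    """Map each remote-site subnet to whether proto/port is admitted from all of it."""
    result = {}
    for cidr in remote_subnets:
        subnet = ipaddress.ip_network(cidr)
        result[cidr] = any(
            perm["IpProtocol"] in ("-1", proto)
            and _ports_ok(perm, port)
            and _covers_whole_subnet(perm, subnet)
            for perm in sg["IpPermissions"])
    return result


def find_world_open_rules(sg):
    """List ingress rules that admit the whole Internet (0.0.0.0/0 or ::/0).

    Traffic from the remote site arrives over the tunnel from known subnets, so
    a /0 grant is wider than the site-to-cloud use case requires.
    """
    hits = []
    for perm in sg["IpPermissions"]:
        ranges = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        ranges += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in ranges:
            if ipaddress.ip_network(cidr).prefixlen == 0:
                hits.append((perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort"), cidr))
    return hits


if __name__ == "__main__":
    print("HTTPS from remote site:", check_remote_access(SAMPLE_SG, REMOTE_SITE_SUBNETS, "tcp", 443))
    print("ICMP from remote site: ", check_remote_access(SAMPLE_SG, REMOTE_SITE_SUBNETS, "icmp", 0))
    print("world-open rules:", find_world_open_rules(SAMPLE_SG))
```

In the sample, HTTPS is admitted from 10.16.0.0/16 but not from 192.168.50.0/24, which is exactly the kind of gap that shows up as "the tunnel is up but the server does not answer"; the SSH rule open to 0.0.0.0/0 is flagged because it grants far more than the two remote-site subnets need.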
4 Appendix – Support

4.1 Aviatrix Support
Standard: 8x5 Enterprise Phone Support, email support, a product-specific knowledge base and a user forum are included. For additional levels of support and support offers, please visit: www.aviatrix.com/support