This repository contains AWS CDK code to deploy an AWS Site-to-Site VPN Private IP VPN over AWS Direct Connect. The following resources are created by default:
- Direct Connect gateway. By default, both examples create a new Direct Connect gateway resource. If you want to test this code over an existing Direct Connect gateway, check each specific example to understand how you can configure this.
- Customer gateway, and AWS Site-to-Site VPN Private IP VPN.
- AWS Transit Gateway, and one Transit Gateway route table to which the VPC and VPN attachments are associated and into which they propagate their routes.
- Two Spoke VPCs, each of them with EC2 instances and VPC endpoints (AWS Systems Manager) to test the end-to-end connectivity.
In both examples, the following variables are defined with default values:
- ASN numbers: AWS-side (for the Transit Gateway and the Direct Connect gateway), and customer-side (for the Customer gateway).
- Transit Gateway CIDR block - the block from which the private outer (tunnel endpoint) IP addresses on the AWS side of the VPN are allocated.
- Allowed prefixes - the AWS-side CIDR blocks advertised towards on premises through the Direct Connect gateway association (if the gateway is created).
- Customer gateway IP - the private IP address of your on-premises device. A Private IP VPN terminates on private addresses reachable over Direct Connect, not on a public IP.
Feel free to change these variables (check each example to see how you can do that) to build the Private IP VPN connection with values from your hybrid network.
The resources deployed and the architectural pattern they follow are purely for demonstration/testing purposes. Take it as an example of how to create all the resources needed to build a Private IP VPN on top of a Direct Connect connection. The AWS Direct Connect connection and the Transit VIF required to finish the end-to-end connectivity are not built in this example. The VPN tunnels on the on-premises routers are configured as for a usual AWS Site-to-Site VPN connection (check the documentation in the References section).
If you choose an AWS Cloud9 environment, it will contain all the tools and software needed to use this repository right away. Alternatively, anything with a command line and a text editor should do the trick! You can follow the getting started guide for Cloud9 here.
If you're using Cloud9, you should already have the CDK installed (use version 2). Otherwise, you can follow these instructions to install the AWS CDK (version 2).
After installing the CDK, install the required NPM modules for the project by running:
npm install
Configure your AWS CLI Credentials to work against the account you will deploy to.
- If you're in an AWS Cloud9 environment this should already be done for you!
- If you're not using AWS Cloud9 configure the AWS CLI using these instructions.
Be sure to set the region to match the region you wish to deploy to. For example:
export AWS_REGION=eu-west-1
Run a quick test to make sure the credentials are working. The following command should list the buckets in your deployment account (if you have the right permissions):
aws s3 ls
The CDK requires a place to put the assets it builds. Bootstrap the account for this by running the command below. If you've done this before in this account, you can skip this step.
cdk bootstrap
The initial parameters are in config/parameters.yaml, which holds the default values of the variables needed to build the environment:
AppName: "private-ip-vpn-example"
ASNNumbers:
  AmazonSideDXGW: 64531
  AmazonSideTGW: 64532
  CustomerSide: 64533
Parameters:
  TGWCIDR: "10.0.0.0/24"
  DXPrefixes: "10.0.0.0/8"
  CGWIP: "10.0.0.1"
VPCA:
  CIDR: "10.0.1.0/24"
  CIDRtoTGW: "10.0.2.0/24"
VPCB:
  CIDR: "10.0.2.0/24"
  CIDRtoTGW: "10.0.1.0/24"
Create your own configuration file in the 'config' folder of this project, or deploy using the sample configuration file parameters.yaml. Feel free to change the default values to ones more suitable for your environment. Remember that the Direct Connect connection and Transit VIF are not created in this example, so the on-premises values provided are placeholders - provide yours to build end-to-end connectivity.
To start from the sample, copy parameters.yaml to a new file and edit it for your deployment.
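Errors in the YAML itself are caught at synth time, but values that are individually valid and jointly wrong (overlapping spoke VPCs, an ASN reused on both ends of an eBGP session, a VPC block missing from the allowed prefixes) only surface once the attachments are up. The following pre-flight check is an added example for this README, not code from the repository: it takes the sample defaults above, transcribed into a Python dict, and verifies that the ASNs are private and distinct, every CIDR parses strictly, the spoke VPCs and the Transit Gateway CIDR do not overlap, each VPC's CIDRtoTGW names the other spoke, the customer gateway IP is a private address outside the VPCs, and the Direct Connect allowed prefixes cover every AWS-side block. A second, deliberately broken configuration is constructed to show what failures look like. Loading the real YAML file (for example with PyYAML) is assumed and not shown.

```python
"""Pre-synth sanity check for the values in config/parameters.yaml.

Added example for this README, not code from the repository. The dicts mirror
the parameters.yaml layout; a real run would load the YAML file first (for
example with PyYAML, which is assumed rather than shown here).
"""
import ipaddress

# Sample defaults transcribed from config/parameters.yaml (constructed input).
SAMPLE_CONFIG = {
    "AppName": "private-ip-vpn-example",
    "ASNNumbers": {"AmazonSideDXGW": 64531, "AmazonSideTGW": 64532, "CustomerSide": 64533},
    "Parameters": {"TGWCIDR": "10.0.0.0/24", "DXPrefixes": "10.0.0.0/8", "CGWIP": "10.0.0.1"},
    "VPCA": {"CIDR": "10.0.1.0/24", "CIDRtoTGW": "10.0.2.0/24"},
    "VPCB": {"CIDR": "10.0.2.0/24", "CIDRtoTGW": "10.0.1.0/24"},
}

# Constructed broken variant: the customer ASN repeats the TGW ASN (eBGP cannot
# peer), VPCB reuses VPCA's block, and VPCB's CIDRtoTGW names a block no VPC has.
BAD_CONFIG = {
    "AppName": "private-ip-vpn-example",
    "ASNNumbers": {"AmazonSideDXGW": 64531, "AmazonSideTGW": 64532, "CustomerSide": 64532},
    "Parameters": {"TGWCIDR": "10.0.0.0/24", "DXPrefixes": "10.0.0.0/8", "CGWIP": "10.0.0.1"},
    "VPCA": {"CIDR": "10.0.1.0/24", "CIDRtoTGW": "10.0.1.0/24"},
    "VPCB": {"CIDR": "10.0.1.0/24", "CIDRtoTGW": "10.0.3.0/24"},
}

# 16-bit and 32-bit private ASN ranges (RFC 6996).
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))


def _parse_net(value, label, problems):
    """Parse a CIDR strictly (host bits set is an error); return None on failure."""
    try:
        return ipaddress.ip_network(value, strict=True)
    except ValueError as exc:
        problems.append(f"{label} {value!r} is not a valid CIDR: {exc}")
        return None


def validate_config(cfg):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []

    asns = cfg["ASNNumbers"]
    for name, asn in asns.items():
        if not any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES):
            problems.append(f"{name} ASN {asn} is outside the private ASN ranges")
    if len(set(asns.values())) != len(asns):
        problems.append("DXGW, TGW and customer ASNs must all be distinct (they are eBGP peers)")

    params = cfg["Parameters"]
    tgw_cidr = _parse_net(params["TGWCIDR"], "TGWCIDR", problems)
    # DXPrefixes is treated as a comma-separated list; the sample holds a single entry.
    dx_prefixes = [n for n in (_parse_net(s.strip(), "DXPrefixes", problems)
                               for s in params["DXPrefixes"].split(",")) if n]

    vpc_nets = {name: _parse_net(cfg[name]["CIDR"], f"{name}.CIDR", problems)
                for name in ("VPCA", "VPCB")}
    vpc_a, vpc_b = vpc_nets["VPCA"], vpc_nets["VPCB"]
    if vpc_a and vpc_b and vpc_a.overlaps(vpc_b):
        problems.append(f"VPCA {vpc_a} and VPCB {vpc_b} overlap; the TGW route table cannot hold both")
    # In the sample each VPC's CIDRtoTGW is the other spoke's CIDR: the route it sends to the TGW.
    for me, other in (("VPCA", "VPCB"), ("VPCB", "VPCA")):
        if cfg[me]["CIDRtoTGW"] != cfg[other]["CIDR"]:
            problems.append(f"{me}.CIDRtoTGW {cfg[me]['CIDRtoTGW']!r} does not match "
                            f"{other}.CIDR {cfg[other]['CIDR']!r}")

    # The TGW CIDR supplies the AWS-side outer tunnel IPs, so it must not collide with a spoke.
    if tgw_cidr:
        for name, net in vpc_nets.items():
            if net and net.overlaps(tgw_cidr):
                problems.append(f"{name} {net} overlaps TGWCIDR {tgw_cidr}")

    # Every AWS-side block, the TGW CIDR included, must be advertised on-premises over
    # Direct Connect; otherwise the private outer tunnel IPs are unreachable.
    for net in (n for n in (tgw_cidr, vpc_a, vpc_b) if n):
        if not any(net.subnet_of(prefix) for prefix in dx_prefixes):
            problems.append(f"{net} is not covered by DXPrefixes {params['DXPrefixes']!r}")

    # A Private IP VPN terminates on a private on-premises address, which cannot sit inside a spoke.
    try:
        cgw_ip = ipaddress.ip_address(params["CGWIP"])
        if not cgw_ip.is_private:
            problems.append(f"CGWIP {cgw_ip} is not a private address")
        for name, net in vpc_nets.items():
            if net and cgw_ip in net:
                problems.append(f"CGWIP {cgw_ip} lies inside {name} {net}")
    except ValueError:
        problems.append(f"CGWIP {params['CGWIP']!r} is not a valid IP address")

    return problems


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("bad", BAD_CONFIG)):
        found = validate_config(cfg)
        print(f"{label}: {'OK' if not found else ''}")
        for problem in found:
            print(f"  - {problem}")
```

Run it before `cdk synth`; the sample defaults pass cleanly, while the constructed bad configuration reports the duplicate ASN, the VPC overlap and the dangling CIDRtoTGW. The checks deliberately stop at what the README defines; anything specific to your hybrid network (for example whether the on-premises block you advertise clashes with a spoke) belongs in your own copy of the file.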
After your configuration is set up the way you wish, execute the commands below to verify that the configuration file contents are correct.
NOTE: Nothing gets deployed by a 'synth' command; it only validates the configuration contents and generates the templates in the cdk.out folder.
You will need to pass the configuration file as an option on the command line.
cdk synth PreparationStack -c config=[configuration-file]
cdk synth VpnStack -c config=[configuration-file]
Replace [configuration-file] with the filename in the 'config' directory you want to synth, or use the sample configuration parameters. Errors in the configuration file will be caught and shown.
Once you're comfortable that everything looks good, you can first deploy the preparation stack with all the required components to later deploy the VPN, by running:
cdk deploy PreparationStack -c config=[configuration-file]
And when the Transit Gateway attachment is in the 'available' state, you can deploy the Private IP VPN by running:
cdk deploy VpnStack -c config=[configuration-file]
Replace [configuration-file] with the filename in the 'config' directory you want to deploy, or use the sample configuration parameters.
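The gate between the two deploys is the attachment state: deploying VpnStack while the Direct Connect gateway attachment is still pending fails partway through. The script below is an added example for this README, not code from the repository. It polls the attachment state with the AWS CLI and only then runs the deploy command shown above; it assumes PreparationStack attached the Direct Connect gateway to the Transit Gateway whose ID you pass in. The aws and cdk invocations are real CLI commands, but the command runner is injectable so the wait logic can be exercised offline with canned outputs.

```python
"""Gate `cdk deploy VpnStack` on the Transit Gateway attachment reaching 'available'.

Added example for this README, not code from the repository. It assumes
PreparationStack attached the Direct Connect gateway to the Transit Gateway
whose ID is passed in. The aws and cdk invocations are real CLI commands, but
the runner is injectable so the wait logic can run offline.
"""
import subprocess
import time

# Terminal attachment states after which waiting is pointless.
FAILED_STATES = {"failed", "failing", "rejected", "rejecting", "deleting", "deleted"}


def attachment_state_cmd(tgw_id):
    """CLI command that prints the state of the TGW's Direct Connect gateway attachment."""
    return [
        "aws", "ec2", "describe-transit-gateway-attachments",
        "--filters", f"Name=transit-gateway-id,Values={tgw_id}",
        "Name=resource-type,Values=direct-connect-gateway",
        "--query", "TransitGatewayAttachments[0].State", "--output", "text",
    ]


def deploy_cmd(config_file):
    """The VpnStack deploy command from this README, with the configuration file filled in."""
    return ["cdk", "deploy", "VpnStack", "-c", f"config={config_file}"]


def run_cli(cmd):
    """Default runner: execute the command and return its trimmed stdout."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout.strip()


def scripted_runner(outputs):
    """Offline runner that returns canned outputs in order (constructed, for testing)."""
    queue = list(outputs)
    return lambda cmd: queue.pop(0)


def wait_for_attachment(tgw_id, runner=run_cli, attempts=60, interval=30, sleep=time.sleep):
    """Poll until the attachment is 'available'; return how many polls it took.

    'None' is what --output text prints while no attachment exists yet, so it is
    treated like 'pending'. A terminal failure state, or running out of attempts,
    raises RuntimeError instead of letting the deploy proceed.
    """
    for poll in range(1, attempts + 1):
        state = runner(attachment_state_cmd(tgw_id))
        if state == "available":
            return poll
        if state in FAILED_STATES:
            raise RuntimeError(f"attachment on {tgw_id} is in state {state!r}")
        sleep(interval)
    raise RuntimeError(f"attachment on {tgw_id} not available after {attempts} polls")


def deploy_vpn(tgw_id, config_file, runner=run_cli, sleep=time.sleep):
    """Wait for the attachment, then run the VpnStack deploy; return the deploy output."""
    wait_for_attachment(tgw_id, runner=runner, sleep=sleep)
    return runner(deploy_cmd(config_file))


if __name__ == "__main__":
    import sys
    # usage: python deploy_vpn.py <transit-gateway-id> <configuration-file>
    print(deploy_vpn(sys.argv[1], sys.argv[2]))
```

The defaults poll every 30 seconds for up to 30 minutes, which covers the association time mentioned in the cleanup section below; shorten them if your attachment usually comes up faster.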
After completing your demo, delete the two AWS CloudFormation stacks created with the AWS CDK. First, the VPN stack:
cdk destroy VpnStack
Before deleting the second stack, disassociate the AWS Transit Gateway from the AWS Direct Connect gateway:
- Go to the AWS Direct Connect gateway console
- Select the Direct Connect gateway created by the stack and open the Gateway associations tab
- Click on the orange button and choose Disassociate
- Once the Gateway associations tab shows the Transit Gateway as disassociated (this takes approximately 20 minutes), delete the last stack with the following command:
cdk destroy PreparationStack
- AWS Blog: Introducing AWS Site-to-Site VPN Private IP VPNs
- AWS Documentation: AWS Site-to-Site VPN - Getting Started
See CONTRIBUTING for more information.
This library is licensed under the MIT-0 License. See the LICENSE file.