Practitioner Level

Creating an AWS Site-to-Site VPN

What's a Hands-on Lab?Get Started Pricing Pricing

1.5 hours

5 Learning Objectives

About this Hands-on Lab

In this lab, we’ll create an AWS Site-to-Site VPN connection from an AWS VPC used by our organization’s main office to a private, remote data center used by a branch office. We will simulate the branch office network via a second AWS VPC, installing and configuring a software-based customer VPN gateway running on an EC2 instance. We’ll also create a virtual gateway and configure the Site-to-Site VPN to use a secure IPsec tunnel between sites. We will then test connectivity.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Verify Resources and Examine Network Configuration

Verify that the resources below exist.

Note: If using the pre-configured lab environment, these resources have already been configured for you. If not, you’ll need to create them.

Two VPCs in different Availability Zones:
- VPC-MainOffice with CIDR block 10.10.0.0/16
- VPC-BranchOffice with CIDR block 10.20.0.0/16
A public subnet in each VPC:
- Subnet-MainOffice-Public with CIDR block 10.10.1.0/24
- Subnet-BranchOffice-Public with CIDR block 10.20.1.0/24
An internet gateway (IGW) in each VPC
Two route tables, each attached to the appropriate subnet:
- Names: RT-MainOffice and RT-BranchOffice
- Routes: Local, and 0.0.0.0/0 pointing to the IGW

Create Two EC2 Instances

Create two new EC2 instances: one in VPC-MainOffice and one in VPC-BranchOffice.

`EC2-MainOffice`

AMI: Amazon Linux 2
Instance type: t2.medium
Network: VPC-MainOffice
Subnet: Subnet-MainOffice-Public
Auto-assign Public IP: Enable
Tags:
- Key: Name; Value: EC2-MainOffice
Security group: Create a new security group:
- Type: SSH; Source: My IP
- Type: All TCP; Source: Custom, 10.20.0.0/16
- Type: All UDP; Source: Custom, 10.20.0.0/16
- Type: All ICMP – IPv4; Source: Custom, 10.20.0 0/16
Key pair: Create a new key pair:
- Key pair name: Key-MainOffice
- Download and save key pair.

`EC2-BranchOffice`

AMI: Amazon Linux 2
Instance type: t2.medium
Network: VPC-BranchOffice
Subnet: Subnet-BranchOffice-Public
Auto-assign Public IP: Enable
Tags:
- Key: Name; Value: EC2-BranchOffice
Security group: Create a new security group:
- Type: SSH; Source: My IP
- Type: All TCP; Source: Custom, 10.10.0.0/16
- Type: All UDP; Source: Custom, 10.10.0.0/16
- Type: All ICMP – IPv4; Source: Custom, 10.10.0.0/16
Key pair: Create a new key pair:
- Key pair name: Key-BranchOffice
- Download and save key pair.

Once EC2-BranchOffice is created, disable the source/destination checks.

Create Virtual Private Network Resources

Create the following resources:

Virtual private gateway attached to VPC-MainOffice
- Name: VPG-MainBranch
Customer gateway
- Name: CGW-MainBranch
- Routing: Static
- IP Address: Public IP address of EC2-BranchOffice
Site-to-Site VPN connection
- Name: VPN-MainBranch
- Virtual Private Gateway: VPG-MainBranch
- Customer Gateway: CGW-MainBranch
- Routing Options: Static
- IP Prefixes: 10.20.0.0/16

It may take several minutes for the VPN connection to move from <span style="color:gold">pending</span> to <span style="color:green">available</span>.

Install and Configure Openswan

Connect via SSH to EC2-BranchOffice.
Install Openswan:
```
sudo su
```
```
yum install openswan
```
Configure /etc/ipsec.conf — if there is a # in front of this line, remove it:
```
include /etc/ipsec.d/*.conf
```

Configure /etc/sysctl.conf, adding these lines to the file:

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.default.accept_source_route = 0

Configure /etc/ipsec.d/aws.conf, adding these lines to the file:

conn Tunnel1
  authby=secret
  auto=start
  left=%defaultroute
  leftid=<CUSTOMER_GATEWAY_IP_ADDRESS>
  right=<VIRTUAL_PRIVATE_GATEWAY_IP_ADDRESS>
  type=tunnel
  ikelifetime=8h
  keylife=1h
  phase2alg=aes128-sha1;modp1024
  ike=aes128-sha1;modp1024
  keyingtries=%forever
  keyexchange=ike
  leftsubnet=10.20.0.0/16
  rightsubnet=10.10.0.0/16
  dpddelay=10
  dpdtimeout=30
  dpdaction=restart_by_peer

Configure /etc/ipsec.d/aws.secrets, using this format:

<CUSTOMER_GATEWAY_IP_ADDRESS> <VIRTUAL_PRIVATE_GATEWAY_IP_ADDRESS>: PSK "<PRE_SHARED_KEY>"

For example:

50.100.25.6 75.80.65.12: PSK "34nkfwoe732ddf"

Restart the network service:
```
service network restart
```
Set the ipsec service to run automatically if the server restarts:
```
chkconfig ipsec on
```
Start the ipsec service:
```
service ipsec start
```
Check the status of the ipsec service:
```
service ipsec status
```

Test Connectivity Across VPN

Connect via SSH to EC2-BranchOffice, and attempt to ping EC2-MainOffice:
```
ping <EC2-MainOffice_PRIVATE_IP_ADDRESS>
```
Connect via SSH to EC2-MainOffice, and attempt to ping EC2-BranchOffice:
```
ping <EC2-BranchOffice_PRIVATE_IP_ADDRESS>
```

Contact Sales Get Started See Pricing See Pricing

Additional Resources

The main office of your organization has completed their migration to the AWS Cloud, but a branch office is still using a private, remote data center. You need to configure a secure Site-to-Site VPN connection that will allow branch office servers to connect to data stored in the main office VPC in the AWS Cloud. The connection must be secure and use the internet connection already existing in the branch office data center.

The main office VPC has been created for you. The branch office remote datacenter will be simulated by using a second, separate AWS VPC in a different Availability Zone, which has also already been created for you.

You need to create an EC2 instance in each VPC, create a customer gateway, virtual private gateway, and Site-to-Site VPN connection in the main office VPC. You then need to install and configure OpenSWAN on the EC2 instance in the branch office VPC to function as the remote data center's software-based VPN. You'll also test connectivity by pinging each EC2 instance.

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Plans & Pricing

Choosing is the first step

Whether you’re a small team, a global enterprise, or somewhere in between, we offer multiple plans so you can choose the one that best fits your needs.

Business Basic

^$ 33.27 / user monthly

Billed as $499 $399.20 / user yearly

Hands-on learning for smaller teams
Unlimited courses, quizzes, and practice exams
Full learn-by-doing experience with Hands-on Labs and Cloud Playground
User and skills analytics

Business Plus

^$ 46.60

Billed as $699 $559.20 / user yearly

Scalability for larger teams and entire organizations
Everything in Business Basic, plus:
Evaluate team readiness with Skills Assessment
Manage teams, single sign-on (SSO), and reporting
Fast-track learning with Study Groups and Accelerator Programs
Dedicated Customer Success Manager

Offer applies only to: new personal and business paying customers, existing personal and business customers who switch to an annual paid plan, and any additional annual plan licenses purchased by existing business customers. Offer valid for a limited time only, beginning 10:00AM CT on February 19, 2021. Offer may not be combined with other offers. Purchases are subject to applicable Terms of Use or Master Services Agreement.

Business Basic

$499 / year

Business Plus

$699 / year

Unlimited Courses

Learning without limits

Teams learn from anywhere with unlimited access to certification courses and deep dives on AWS, Azure, GCP, Linux, and so much more.

Unlimited Hands-on Labs

Learn faster by doing

Teams learn by doing with guided labs based on real-world scenarios in a secure, risk-free environment. Build new skills in as little as 15 minutes.

Learning Paths

Take your teams from novice to guru

Not sure how to proceed? We’ll guide you through the exact skills your team needs to progress from novice to guru across a variety of cloud specialties, including Architect, Security, and DevOps.

Cloud Playground - Servers

Cloud on demand

Your learners can spin up pre-configured, auto-provisioned servers in just a few clicks. Provide safe practice environments and never worry about a surprise cloud bill.

Cloud Playground - Instant Terminal

SSH on demand

Quickly and safely launch a secure, in-browser SSH terminal into any instance on any provider – even behind a firewall.

Cloud Playground - Sandboxes

Learn by doing

Teams learn faster by doing with Cloud Playground. Try out new cloud skills in live AWS, Azure, and GCP sandbox environments — without racking up a surprise bill. Cloud along with courses, test ideas, and prepare for exams.

ACG Original Series

Keep up with the cloud

Stay up-to-date on all things cloud with weekly and monthly videos about the latest developments in AWS, Azure, GCP, and Kubernetes.

Practice Exams

Put skills to the test

Learners prepare for certs with practice exams that mimic the real thing. Plus, they get personalized pointers on how to improve their scores.

Quizzes

Pop quiz, hot shot

Quickly check knowledge on a variety of topics and know where to brush up with short quizzes.

Community Forums

Cloud with friends

Learners get the help they need, when they need it, from industry experts and others in the community.

ACG Mobile Apps

Keep ACG in your pocket

Teams learn cloud from anywhere with our mobile apps for iOS and Android.

Mobile Offline Mode

Learn off the grid

No internet connection? No problem. Download courses for offline access with our app for iOS and Android.

Records of Completion

Achievement unlocked

Records of completion make it easy for your learners to mark and showcase progress.

Video Transcripts & Captions

For the record

Learners read along when sound isn’t an option and skip furiously scribbling notes. Our transcripts and captions are also fully searchable, making it easy to find exactly what they’re looking for.

Interactive Diagrams

Study aids on demand

Snag clickable, PDF versions of core concepts to revisit later. Our diagrams make great study aids, help build retention, and can act as handy cheat sheets for a quick refresher down the road.

Email Support

One dashboard to rule them all

Easily assign new users, track learning and ROI with usage and skill analytics, and manage the entire ACG for Business experience from one central location.

Unlimited Admin Seats

Manage cloud learning for teams

Scale freely and keep your ACG for Business licenses productive with unlimited free Administrators. Yes, you pay only for learners.

Skills Assessment

Know where you stand

Take stock of your organization’s cloud readiness so you can know exactly where to start.

Learning Accelerator

Get to the cloud faster

Fast-track your organization’s path to cloud fluency with sprint-based certification tracks, including weekly lessons, hands-on projects and whitepapers.

Study Groups

Learn better together

Group learners together so they can support each other and build skills faster. Discussing topics and helping others understand concepts boosts retention and builds camaraderie.

Certification Reporting

Skills at a glance

Keep tabs on skills and certifications across your organization to properly staff projects, track progress, and inform learning goals.

Team Management

Easy organization by teams

Create and assign learners to teams for easier management, tracking, and reporting. Designate team coordinators to help keep teams on track, and know who’s conquering the cloud or needs a nudge with the team leaderboard.

Single Sign-On

Invite 10 to 10,000 or more

Use your company’s ID and password to make management and scalability a breeze.

LMS Integration

Connect all the dots

Integrate results and reporting into your existing learning management systems for a 360-degree view of employee skills development.LMS Integration currently available for EdCast and Degreed.

API Access

Get your bits

Automatically transfer raw usage and skills data to your data warehouse or other repository.

Dedicated Customer Success Manager *

We’ve got your back

Get the most out of ACG for Business with a dedicated cloud learning consultant to support you with onboarding, best practices, and more.

Personalized Onboarding *

We’ll show you the ropes

Get up and running the right way. Let one of our learning gurus take you through an onboarding experience tailored to your needs.

Contact Sales

* Available with 50+ seats

Plans & Pricing

Choosing is the first step

Whether you’re an individual learner, a global enterprise, or somewhere in between, we offer several plans so you can choose the one that best fits your needs.

Free

^$ 0 / month

Limited access to basic courses and features
Rotating selection of limited courses
Stay ahead with weekly cloud roundups
Engage with a vibrant community of learners and experts

Save 20%

Personal Basic

^$ 39 ^$ 25.57 / month

Billed as $379 $303.20 / user yearly

Pay Yearly Pay Monthly

Save 35% with annual plan!

Full access to our hands-on learning library
Unlimited courses, quizzes, & practice exams
Unlimited Hands-on Labs
Practice in real multi-platform servers

Save 20%

Personal Plus

^$ 33.27 / month

Billed as $499 $399.20 / user yearly

Everything in Personal Basic, plus:
Full learn-by-doing experience in real AWS, Azure, & GCP environments!
Unlimited access to full Cloud Sandboxes
No account setup or cloud bills

Offer applies only to: new personal and business paying customers, existing personal and business customers who switch to an annual paid plan, and any additional annual plan licenses purchased by existing business customers. Offer valid for a limited time only, beginning 10:00AM CT on February 19, 2021. Offer may not be combined with other offers. Purchases are subject to applicable Terms of Use or Master Services Agreement.

Free

Personal Basic

$379 $303.20 / year

Personal Plus

$499 $399.20 / year

Unlimited Courses

limited

Learn without limits

Learn from anywhere with unlimited access to certification courses and deep dives on AWS, Azure, GCP, Linux, and so much more.

Quizzes

limited

Pop quiz, hot shot

Quickly check your knowledge on a variety of topics and know where to brush up with short quizzes.

ACG Original Series

Keep up with the cloud

Stay up-to-date on all things cloud with weekly and monthly videos about the latest developments in AWS, Azure, GCP, and Kubernetes.

Community Forums

Cloud with friends

Get the help you need, when you need it, from industry experts and other learners in the community — and help others in turn.

Learning Paths

Go from novice to guru in your chose specialty

Not sure how to proceed? We’ll guide you through the exact skills you need to gain to progress from novice to guru across a variety of cloud specialties, including Architect, Security, and DevOps.

ACG Mobile Apps

Keep ACG in your pocket

Learn cloud from anywhere with our mobile apps for iOS and Android.

Mobile Offline Mode

Learn off the grid

No internet connection? No problem. Download courses for offline access with our app for iOS and Android.

Unlimited Hands-on Labs

Get your hands cloudy

Learn by doing with guided labs based on real-world scenarios in a secure, risk-free environment. Build new skills in as little as 15 minutes.

Practice Exams

Put your skills to the test

Prepare for your certs with practice exams that mimic the real thing. Plus, get personalized pointers on how to improve your score.

Interactive Diagrams

Study aids on demand

Snag clickable, PDF versions of core concepts to revisit later. Our diagrams make great study aids, help build retention, and can act as handy cheat sheets for a quick refresher down the road.

Video Transcripts & Captions

For the record

Read along when sound isn’t an option and skip furiously scribbling notes. Our transcripts and captions are also fully searchable, making it easy to find exactly what you’re looking for.

Records of Completion

Achievement unlocked

Earn a little something when you complete courses. Records of completion make it easy to mark and showcase your progress.

Email Support

Cloud on demand

Spin up pre-configured, auto-provisioned servers in just a few clicks. Cloud along with courses, practice whenever you feel like it, and never worry about a surprise cloud bill.

Cloud Playground - Instant Terminal

SSH on demand

Quickly launch a secure, in-browser SSH terminal into any instance on any provider – even behind a firewall.

Cloud Playground - Sandboxes

Personal Plus Only

Learn by doing

Learn by doing with Cloud Playground. Try out new cloud skills in live AWS, Azure, and GCP sandbox environments — without racking up a surprise bill. Cloud along with courses, test an idea at work or prepare for exams.

Free
$0

Personal Basic
$379 / year

Personal Plus
$499 / year

Start Free

Free Trial

Browse Learning

Browse Platforms

Hands-on Labs

Creating an AWS Site-to-Site VPN

About this Hands-on Lab

Learning Objectives

EC2-MainOffice

EC2-BranchOffice

Additional Resources

Plans & Pricing

Choosing is the first step

Business Basic

Business Plus

Learning without limits

Learn faster by doing

Take your teams from novice to guru

Cloud on demand

SSH on demand

Learn by doing

Keep up with the cloud

Put skills to the test

Pop quiz, hot shot

Cloud with friends

Keep ACG in your pocket

Learn off the grid

Achievement unlocked

For the record

Study aids on demand

We’re here to help

One dashboard to rule them all

Manage cloud learning for teams

Know where you stand

Get to the cloud faster

Learn better together

Skills at a glance

Easy organization by teams

Invite 10 to 10,000 or more

Connect all the dots

Get your bits

We’ve got your back

We’ll show you the ropes

Plans & Pricing

Choosing is the first step

Free

Personal Basic

Personal Plus

Learn without limits

Pop quiz, hot shot

Keep up with the cloud

Cloud with friends

Go from novice to guru in your chose specialty

Keep ACG in your pocket

Learn off the grid

Get your hands cloudy

Put your skills to the test

Study aids on demand

For the record

Achievement unlocked

We’re here to help

Cloud on demand

SSH on demand

Learn by doing

How many seats do you need?

Ready to accelerate learning?

$2,495.00

`EC2-MainOffice`

`EC2-BranchOffice`