Hands-On Guide: Building a Highly Available VPN with BGP on AWS

Introduction

In this advanced demo lesson, you’re about to embark on an immersive journey into building a dynamic, robust, and accelerated Virtual Private Network (VPN) solution using BGP (Border Gateway Protocol) for route advertisement. What sets this demo apart is that you won’t require any physical infrastructure – everything will be simulated within AWS using CloudFormation. By the end of this tutorial, you’ll be proficient in creating and configuring a comprehensive VPN environment encompassing AWS services, on-premises servers, and customer gateways.

Section 1: Overview

The goal of this tutorial is to guide you through the process of building a VPN architecture that brings together AWS resources and on-premises networks. To simplify the process, the on-premises environment is emulated within AWS. We’ll use Linux-based VPN servers, StrongSwan, and FRR (Free Range Routing) for BGP.

Section 2: Infrastructure Creation

In the initial stage, we’ll focus on creating the foundational infrastructure on both the AWS and on-premises sides using CloudFormation. The AWS environment consists of a Virtual Private Cloud (VPC) with subnets and EC2 instances, coupled with a Transit Gateway. On the simulated on-premises side, we’ll emulate a small business network with VPN appliances, Router1, and Router2.

Section 3: Customer Gateways

In this part of the demo, we’ll create two customer gateway objects in AWS. These gateways represent the routers in your simulated on-premises environment. By doing this, we establish how AWS will connect with these routers, a crucial step for the upcoming stages.

Hands-On: Implementing the Infrastructure

  1. Create Infrastructure with CloudFormation:
    • Use the provided one-click deployment link to create the architecture encompassing AWS resources and simulated on-premises environment.
    • Ensure you’re logged into your AWS account with admin permissions in the Northern Virginia region.
  2. Create Customer Gateway Objects:
    • Access the CloudFormation outputs tab to obtain the public and private IP addresses of Router1 and Router2.
    • In the AWS Management Console, navigate to VPC > Customer Gateways.
    • Create two customer gateway objects named ‘on-prem-router1’ and ‘on-prem-router2’.
    • Enter the respective public IP addresses and set the BGP ASN to 65016.
  3. Verify No Connectivity:
    • Go to EC2 > Instances and locate ‘AWS-EC2-B’. Note its private IP address.
    • Connect to ‘on-prem-server2’ using Session Manager and attempt to ping the AWS instance’s IP address.
    • No ping response will be received, illustrating the absence of connectivity between AWS and the simulated on-premises environment.

Hands-On: Creating AWS-side VPN Attachments

  1. Create Transit Gateway VPN Attachments:
    • Go to VPC > Transit Gateway Attachments and create two VPN attachments.
    • Select the A4L-TGW Transit Gateway and pick ‘VPN’ as the attachment type.
    • Choose the respective customer gateways (on-prem-router1 and on-prem-router2).
    • Enable acceleration for both attachments.
  2. Download Configuration Files:
    • Navigate to VPC > Customer Gateways and note the Customer Gateway IDs for Router1 and Router2.
    • Go back to Site-to-Site VPN Connections and select each VPN connection.
    • Download the configuration for each connection, specifying ‘Generic’ as the vendor and ‘IKEv1’ as the IKE version.
    • Rename the downloaded files as ‘Connection1Config.txt’ and ‘Connection2Config.txt’.

Part 2: On-Premises BGP Configuration and Testing

Welcome back to the next stage of our mini project where we’ll be configuring BGP (Border Gateway Protocol) on the on-premises routers. BGP will allow us to dynamically route traffic between our on-premises network and the AWS environment. Additionally, we’ll perform some testing to ensure that our VPN setup is working as expected.

Configuring BGP on On-Premises Routers

Now that our IPsec tunnels are up and running, the next step is to configure BGP on our on-premises routers. BGP is a dynamic routing protocol used to exchange routing information between different networks. In our case, it will enable our on-premises routers to communicate with the AWS environment and advertise routes.

Let’s connect to each on-premises router, access the command line, and configure BGP. You’ll need the information from the template document you filled out earlier.

On-Premises Router 1

Connect to the on-premises router 1 using Session Manager, and then run the following commands:

  1. sudo vtysh – This opens the vtysh router shell (the shell FRR inherited from Quagga).
  2. conf t – This enters the configuration mode.
  3. For Connection 1 Tunnel 1, enter the following (replace <Your ASN> with the ASN you used in the template, use the AWS inside IP for tunnel 1, replace <Your On-Prem Network CIDR> with your on-premises network CIDR, and adjust the timers as needed):
       router bgp <Your ASN>
       neighbor <Connection 1 Tunnel 1 AWS Inside IP> remote-as 7224
       neighbor <Connection 1 Tunnel 1 AWS Inside IP> timers 10 30
       neighbor <Connection 1 Tunnel 1 AWS Inside IP> update-source <Connection 1 Tunnel 1 On-Prem Inside IP>
       network <Your On-Prem Network CIDR>
       exit
  4. For Connection 1 Tunnel 2:
       router bgp <Your ASN>
       neighbor <Connection 1 Tunnel 2 AWS Inside IP> remote-as 7224
       neighbor <Connection 1 Tunnel 2 AWS Inside IP> timers 10 30
       neighbor <Connection 1 Tunnel 2 AWS Inside IP> update-source <Connection 1 Tunnel 2 On-Prem Inside IP>
       network <Your On-Prem Network CIDR>
       exit
  5. write – This will save the configuration.

On-Premises Router 2

Connect to the on-premises router 2 using Session Manager, and then run similar commands:

  1. sudo vtysh
  2. conf t
  3. For Connection 2 Tunnel 1:
       router bgp <Your ASN>
       neighbor <Connection 2 Tunnel 1 AWS Inside IP> remote-as 7224
       neighbor <Connection 2 Tunnel 1 AWS Inside IP> timers 10 30
       neighbor <Connection 2 Tunnel 1 AWS Inside IP> update-source <Connection 2 Tunnel 1 On-Prem Inside IP>
       network <Your On-Prem Network CIDR>
       exit
  4. For Connection 2 Tunnel 2:
       router bgp <Your ASN>
       neighbor <Connection 2 Tunnel 2 AWS Inside IP> remote-as 7224
       neighbor <Connection 2 Tunnel 2 AWS Inside IP> timers 10 30
       neighbor <Connection 2 Tunnel 2 AWS Inside IP> update-source <Connection 2 Tunnel 2 On-Prem Inside IP>
       network <Your On-Prem Network CIDR>
       exit
  5. write

Testing BGP Connectivity

Now that BGP is configured on both routers, we can test the BGP connectivity. Let’s go back to the AWS console, and under the Site-to-Site VPN Connections, find the details of one of the connections. You should see the BGP details.

After a while, if everything is set up correctly, you should see the BGP status change from “Down” to “Up.” This indicates that BGP is functioning and routes are being exchanged between your on-premises network and the AWS environment.

Testing Connectivity

At this point, let’s perform a basic connectivity test between an EC2 instance in your AWS environment and a machine in your on-premises network.

  1. Launch an EC2 instance in your AWS VPC.
  2. Configure the instance with a public IP or an Elastic IP for easier testing.
  3. Use a tool like ping or curl to test connectivity between the EC2 instance and a machine in your on-premises network.

For example:

  • From the EC2 instance: ping <On-Prem Router 1 Inside IP>
  • From your on-premises machine: ping <EC2 Public IP>

Ensure that the connectivity tests are successful, indicating that traffic can flow between your on-premises network and the AWS VPC over the VPN connections.

Configuring BGP for Dynamic VPN Connectivity

In this third part of the mini-project, we’re going to configure BGP (Border Gateway Protocol) to enable dynamic routing over the IPsec tunnels that we’ve previously set up. This will establish a fully functional VPN connection between the on-premises routers and AWS. Let’s proceed with the two main tasks outlined for this stage:

Task 1: Installing FRRouting (FRR) Using a Script

We’ll begin by installing FRRouting (FRR), which is an open-source routing software suite that includes BGP capabilities. The installation script is already available on Router 1 and Router 2. Follow these steps on both routers:

  1. Connect to Router 1 using Session Manager.
  2. Run the following commands to switch to a root shell, move to the assets directory and make the script executable:
       sudo bash
       cd /home/ubuntu/demo_assets
       chmod +x ffrouting-install.sh
  3. Execute the installation script:
       ./ffrouting-install.sh
     This process might take up to 20 minutes, so wait for it to complete.

Repeat the same steps on Router 2.

Task 2: Configuring BGP and Sharing Routing Information with AWS

  1. Connect to Router 1 using Session Manager.
  2. Enter the FRRouting console by typing:
       vtysh
  3. Enter configuration mode:
       conf t
  4. Configure FRR defaults:
       frr defaults traditional
  5. Configure BGP for the on-premises side using ASN ‘65016’:
       router bgp 65016
  6. Configure BGP neighbors for both IPsec tunnels on Connection 1 (replace <Connection 1 Tunnel 1 AWS BGP IP> and <Connection 1 Tunnel 2 AWS BGP IP> with the actual BGP IP addresses from your template):
       neighbor <Connection 1 Tunnel 1 AWS BGP IP> remote-as 64512
       neighbor <Connection 1 Tunnel 2 AWS BGP IP> remote-as 64512
  7. Configure BGP attributes for AWS interoperability:
       bgp listen range 0.0.0.0/0 peer-group AWS
       maximum-paths 2
  8. Configure network redistribution for BGP:
       address-family ipv4 unicast
       redistribute connected
       exit-address-family
  9. Exit configuration mode and save the configuration:
       exit
       write memory
       exit
  10. Reboot Router 1:
       sudo reboot

Repeat the same BGP configuration steps on Router 2.
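The router commands in Part 2 and Task 2 above are pasted by hand from the template document, and a swapped or mistyped inside IP is the usual reason a tunnel never reaches Established. As an added example (not part of the lab), the script below renders those vtysh commands from the template values and rejects the common copy errors first; it assumes 64512 for the AWS ASN as in Task 2, and the tunnel addresses in the test are constructed.

```python
"""Render the vtysh/FRR BGP commands from Parts 2 and 3 from the template
values, validating them first.  Added example, not lab code."""
import ipaddress
from dataclasses import dataclass

# AWS allocates every tunnel's inside (BGP) addresses from 169.254.0.0/16, so an
# address outside it is almost always an outside IP pasted into the wrong column.
INSIDE_BLOCK = ipaddress.ip_network("169.254.0.0/16")


@dataclass(frozen=True)
class Tunnel:
    name: str
    aws_inside_ip: str      # "AWS BGP IP" column of the template
    onprem_inside_ip: str   # "On-Prem Inside IP" column of the template


def validate(local_asn: int, aws_asn: int, tunnels: list) -> list:
    """Return human-readable problems; an empty list means the values look sane."""
    problems = []
    if local_asn == aws_asn:
        problems.append("local and AWS ASN are identical; eBGP needs distinct ASNs")
    seen = set()
    for t in tunnels:
        for side, ip in (("AWS", t.aws_inside_ip), ("on-prem", t.onprem_inside_ip)):
            if ipaddress.ip_address(ip) not in INSIDE_BLOCK:
                problems.append(f"{t.name}: {side} inside IP {ip} is not in {INSIDE_BLOCK}")
        if t.aws_inside_ip in seen:
            problems.append(f"{t.name}: AWS inside IP {t.aws_inside_ip} used twice")
        seen.add(t.aws_inside_ip)
    return problems


def render(local_asn: int, aws_asn: int, tunnels: list) -> str:
    """One neighbor per tunnel, 10/30 s timers, update-source pinned to that tunnel's
    inside IP, two equal-cost paths, connected routes redistributed to AWS."""
    problems = validate(local_asn, aws_asn, tunnels)
    if problems:
        raise ValueError("; ".join(problems))
    lines = ["conf t", "frr defaults traditional", f"router bgp {local_asn}"]
    for t in tunnels:
        lines += [f"neighbor {t.aws_inside_ip} remote-as {aws_asn}",
                  f"neighbor {t.aws_inside_ip} timers 10 30",
                  f"neighbor {t.aws_inside_ip} update-source {t.onprem_inside_ip}"]
    lines += ["maximum-paths 2", "address-family ipv4 unicast", "redistribute connected",
              "exit-address-family", "exit", "write memory", "exit"]
    return "\n".join(lines)
```

Run `validate()` on the template values for each router before pasting anything; `render()` raises on the same problems so a bad template cannot produce a config.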

Verifying the BGP Configuration

  1. Connect to Router 1 and Router 2 after the reboots.
  2. Confirm BGP sessions are established and routes are learned using commands like:
       vtysh
       show ip bgp summary
       show ip route
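Reading `show ip bgp summary` by eye tells you a session is up, but the property this design depends on is that both tunnels on each router are Established and receiving prefixes, otherwise one tunnel failure black-holes traffic. The following added example (not part of the lab) checks that from `vtysh -c "show ip bgp summary json"`; the key names (ipv4Unicast, peers, state, pfxRcd, remoteAs) follow FRR's JSON output as I know it and should be confirmed on your FRR version, and SAMPLE_SUMMARY is a constructed sample.

```python
"""Check one on-prem router's BGP state against what the HA design needs:
both tunnels Established to the AWS ASN and each receiving prefixes.
Added example, not lab code.  Input is `vtysh -c "show ip bgp summary json"`;
key names follow FRR's JSON as I know it (confirm on your version).
SAMPLE_SUMMARY is constructed."""
import json

SAMPLE_SUMMARY = json.dumps({"ipv4Unicast": {"as": 65016, "peerCount": 2, "peers": {
    # Tunnel 1: healthy, AWS is sending routes
    "169.254.21.1": {"remoteAs": 64512, "state": "Established", "pfxRcd": 2},
    # Tunnel 2: IPsec may be up, but BGP never reached Established
    "169.254.22.1": {"remoteAs": 64512, "state": "Active", "pfxRcd": 0},
}}})


def check_bgp_ha(summary_json: str, expected_peers: set, aws_asn: int) -> dict:
    """Return {"healthy": bool, "established": [ips], "findings": [messages]}."""
    peers = json.loads(summary_json).get("ipv4Unicast", {}).get("peers", {})
    findings, established = [], []
    for ip in sorted(expected_peers):
        p = peers.get(ip)
        if p is None:
            findings.append(f"{ip}: not configured as a neighbor")
            continue
        if p.get("remoteAs") != aws_asn:
            findings.append(f"{ip}: remote-as {p.get('remoteAs')} != expected {aws_asn}")
        if p.get("state") != "Established":
            findings.append(f"{ip}: session {p.get('state')}, check IPsec SA and inside IPs")
            continue
        if p.get("pfxRcd", 0) == 0:
            findings.append(f"{ip}: Established but 0 prefixes received")
            continue
        established.append(ip)
    for ip in sorted(set(peers) - set(expected_peers)):
        findings.append(f"{ip}: neighbor not in the template, investigate")
    if len(established) == 1 and len(expected_peers) > 1:
        findings.append("only one tunnel carrying routes: redundancy lost")
    return {"healthy": not findings, "established": established, "findings": findings}


if __name__ == "__main__":
    print(json.dumps(check_bgp_ha(SAMPLE_SUMMARY, {"169.254.21.1", "169.254.22.1"}, 64512), indent=2))
```

Run it on both routers after the reboots; a result with "redundancy lost" means the VPN works but is no longer highly available.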

Cleaning Up and Conclusion

With BGP configured and dynamic routing established across the VPN tunnels, you’ve achieved a highly available and dynamic VPN connection between the on-premises network and AWS. This sophisticated architecture ensures redundancy and seamless communication.

Before concluding, it’s important to tidy up your environment. Delete the VPN connections, customer gateways, and CloudFormation stacks you created during this mini-project. Once these resources are removed, your AWS account will return to its initial state.

Congratulations! You’ve completed a comprehensive demo that covers a complex VPN implementation in AWS. This hands-on experience equips you with valuable skills and knowledge that can be applied in real-world scenarios. Whether you’re discussing VPN architectures in job interviews or designing VPN solutions for your projects, this demo has provided you with practical insights.

Thank you for joining us on this learning journey. If you have any questions or if you’d like to explore more advanced topics, feel free to explore further resources and tutorials.
