I want to connect a VPC to an on-premises server via one VPN connection. This needs to be a one-way (from AWS to on-premises, outgoing) connection only, NOT site-to-site.
I have set up an AWS VPN Connection, Virtual Private Gateway and Customer Gateway (Cisco ASA). But as I found, it is a two-way connection and it requires the customer to open a connection toward us and keep it open so that we can have a VPN connection to them.
This is what I have implemented on AWS side:
https://aws.amazon.com/answers/networking/aws-multiple-vpc-vpn-connection-sharing/
As we found, for an outgoing connection the only way is Cisco AnyConnect, which means that in the VPC we need a server with Cisco AnyConnect installed; then we will be able to make this connection.
I'm wondering if there is any better way to have a one-way (outgoing) VPN connection for this case (only from the VPC to on-premises)?
Any help would be appreciated.
Second question:
If I use the AWS VPN connection for connecting to our data center, how can I connect multiple VPCs to one VPN connection? I have one main VPC on which the VPN has been established, and I made another VPC with a server in it and peered the two VPCs. I don't have any connection from my second VPC towards the data center. The route tables look like below:
VPN-VPC1 route table:

    Destination            Target
    privateIP(VPC1)        local
    0.0.0.0/0              igw
    datacenter-network1    vgw
    datacenter-network2    vgw
    privateIP(VPC2)        pcx

VPC2 route table (subnet association: 10.0.1.0/24):

    Destination            Target
    privateIP(VPC2)        local
    0.0.0.0/0              igw
    privateIP(VPC1)        pcx
There is no connection from the data center to 10.0.1.10/24.
Am I missing something here?
There is no native support in VPC for what you need.
The root of the problem is that VPC's Hardware VPN isn't really designed for connections to third-party networks. It's designed for interconnecting your VPC to your physical data center network -- a trusted connection. A VPC VPN connection is effectively wide open, subject only to the limitations of your security groups and Network ACLs -- it doesn't have a route table or any filtering of its own, and it has some other limitations, so it's really not the best choice for external connections. For connections to your data center, of course... it's excellent.
That isn't the only way... but it does have to be done with an EC2 instance running IPSec VPN software. There are three packages I'm familiar with, all of which are similar: openswan, libreswan, and strongswan. You can build your own tunnel server.
If you go this route, it's a little bit tricky to get the IP addresses configured correctly, but it's a viable solution. This is how I establish IPSec with external companies.
The circumstances aren't the same, but the idea of your address being split between the instance's private IP and the instance's Elastic IP (EIP) would be similar to what I suggested for the "left" side ("our" side, by my convention) in "Strongswan VPN tunnel between two AWS instances won't connect":
Alternately, there are probably other offerings in the AWS Marketplace that will provide you with an EC2 instance that terminates IPSec tunnels... but there isn't another alternative, unless you have an offsite hardware gateway, outside of AWS, and you want to spoke both a VPC Hardware VPN connection and your third-party connections out of that device.
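Added example (not part of the answer above, and not the answerer's own configuration): a minimal strongSwan `ipsec.conf` / `ipsec.secrets` for an EC2 instance terminating the IPsec tunnel, showing the private-IP/EIP split the answer refers to. All addresses are assumptions: the instance's private IP is 10.0.0.10 in a VPC of 10.0.0.0/16, its Elastic IP is 203.0.113.10, the on-premises peer is 198.51.100.1 and the on-premises network is 192.168.0.0/16. The connection name `dc-tunnel` and the shared secret are placeholders.

```ini
# /etc/ipsec.conf  (strongSwan, classic "ipsec.conf" syntax)
config setup
    # Log IKE negotiation and kernel (XFRM) policy installation; quiet otherwise.
    charondebug="ike 1, knl 1, cfg 0"
    uniqueids=no

conn dc-tunnel
    keyexchange=ikev2
    authby=secret

    # "left" is this EC2 instance. The OS only knows the private IP; the Elastic IP
    # is a 1:1 NAT done by AWS outside the instance. So the local socket binds to the
    # private address, but the IKE identity sent to the peer must be the EIP, which
    # is what the peer sees as the source of the IKE/ESP packets and what its policy
    # will be written to match.
    left=10.0.0.10
    leftid=203.0.113.10
    leftsubnet=10.0.0.0/16

    # "right" is the on-premises gateway (assumed address) and the network behind it.
    right=198.51.100.1
    rightid=198.51.100.1
    rightsubnet=192.168.0.0/16

    # Pin the proposals instead of accepting the peer's default list.
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!
    ikelifetime=8h
    lifetime=1h

    # Dead peer detection so a dropped tunnel is re-established without operator action.
    dpdaction=restart
    dpddelay=30s

    # Because the VPC side initiates, bring the tunnel up at daemon start.
    auto=start

# /etc/ipsec.secrets  (mode 0600, root only)
# Keyed on the EIP, not the private IP, to match leftid above.
# 203.0.113.10 198.51.100.1 : PSK "replace-with-a-long-random-shared-secret"
```

For the tunnel to actually carry VPC traffic the instance also needs: the EC2 source/destination check disabled on its network interface (otherwise AWS drops the forwarded packets), `net.ipv4.ip_forward=1`, a security group rule admitting UDP 500 and 4500 and IP protocol 50 (ESP) from 198.51.100.1 only, and a route for 192.168.0.0/16 in the VPC route table(s) whose target is this instance (or its ENI). Since the instance is also behind NAT from the peer's perspective, expect IKE to negotiate NAT-T and ESP to arrive encapsulated in UDP 4500, so the bare-ESP rule may never be hit; keeping it is harmless but is worth knowing when reading flow logs.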