This module deploys a secure connection between two AWS VPCs, using the AWS Site-to-Site VPN service on one end and a standard Ubuntu 20.04 LTS instance as the Customer Gateway (CGW) on the other. With this reference setup you can easily test scenarios where you need to expose VPC services hosted in private subnets to an external network, whether that network is in a different cloud (Azure, Google Cloud or Oracle Cloud) or in your own facilities (home, office or data center).
The setup has two logical sides: the blue side represents your AWS VPC, where your VPC services are attached, and the green side represents any external network reachable over the internet. In this setup the green side is also a VPC in the same account, as this is the easiest way to automate the deployment end to end.
- Creates a self-configured AWS Site-to-Site VPN between your VPC and a remote location through an IPsec tunnel.
- Creates a self-configured EC2 instance (Ubuntu 20.04 LTS) used as the remote end of the secure connection, established with an IPsec tunnel (strongSwan) and a BGP session that advertises prefixes dynamically (Quagga).
- Auto-configured tunnel interfaces (green): the VPN instance has two additional interfaces, one for each IPsec tunnel. The tunnels work in an active/standby model.
- IPsec up and running (green): both IPsec tunnels established successfully.
- BGP connection established (green): BGP sessions are established between the two neighbours, and routes are being advertised and received.
Access your VPC services from a remote network without exposing them to the internet, and advertise routes dynamically using BGP.
- VPN instance routes (green): private networks hosted on the blue side are reachable from the VPN instance through the tunnel interface.
- AWS private subnet routes (blue): private networks hosted on the green side are reachable through the Virtual Private Gateway (VGW). These routes are propagated from the VGW and learned over BGP.
This module is a reference implementation for testing purposes and is NOT intended for a production environment. Use it at your own risk.
For a production setup, I strongly recommend reading Amazon Virtual Private Cloud Connectivity Options, where you can find the insights needed to design a scalable, highly available and secure architecture.
This module can be deployed without any input parameters, since every input has a pre-defined default value (see the inputs docs).
```hcl
module "my_vpn_setup" {
  # registry address, as published at registry.terraform.io/modules/bsrodrigs/fully-connected-vpn/aws
  source  = "bsrodrigs/fully-connected-vpn/aws"
  version = "1.0.5"
  # insert any of the 12 optional variables here; all of them have defaults
}
```
```hcl
module "my_vpn_setup" {
  source  = "bsrodrigs/fully-connected-vpn/aws"
  version = "1.0.5"
  # name of a key pair that already exists in the target region
  green_vpn_inst_keyname = "my-existing-keypair"
  # SSH sessions are blocked unless the source IP is listed here
  green_vpn_inst_allowed_networks_ssh = ["108.34.76.23/32", ...]
}
```
Do not define the input variable green_vpn_inst_keyname if you prefer to have an auto-generated key pair.
```hcl
module "my_vpn_setup" {
  source  = "bsrodrigs/fully-connected-vpn/aws"
  version = "1.0.5"
  # SSH won't be possible unless the source IP is listed here
  green_vpn_inst_allowed_networks_ssh = ["108.34.76.23/32", ...]
}
```
To access the VPN instance, use the private key stored securely in AWS Systems Manager Parameter Store.
Read this page if you're not familiar with how to Connect to your Linux instance using SSH.
```hcl
module "my_vpn_setup" {
  source  = "bsrodrigs/fully-connected-vpn/aws"
  version = "1.0.5"

  # blue side input params
  blue_vpc_cidr            = "172.17.0.0/16"
  blue_asn                 = "64620"
  blue_public_subnet_size  = 20
  blue_private_subnet_size = 20

  # green side input params
  green_vpc_cidr            = "172.16.0.0/16"
  green_asn                 = "65220"
  green_public_subnet_size  = 24
  green_private_subnet_size = 24
}
```
This module deploys a public and a private subnet on both sides. The public subnet always uses the first block of the VPC address space at the specified public subnet size; the private subnet always uses the second block of the VPC address space at the specified private subnet size.
You can create more subnets with your own resources or modules by attaching them to the blue or green VPC. To get the VPC ids, see the output documentation.
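The subnet layout and input limits described above, reproduced as a pre-flight check you can run before `terraform apply`. This is an added example, not part of the module: it carves the public and private blocks the way the README describes (first block at the public size, second block at the private size), checks the documented VPC and subnet size limits and the private ASN pool, and flags an empty or world-open SSH allow-list. The configuration values are the README's own; the check names and messages are this example's convention.

```python
import ipaddress

PRIVATE_ASN_POOL = range(64512, 65535)  # 64512 - 65534, as the inputs table states

def carve_subnets(vpc_cidr, public_size, private_size):
    """Return (public, private) networks as the README lays them out: the public subnet
    is the first block of the VPC at public_size, the private subnet the second block
    at private_size. Raises ValueError when the sizes break the documented limits."""
    vpc = ipaddress.ip_network(vpc_cidr)
    if not 16 <= vpc.prefixlen <= 27:
        raise ValueError(f"VPC must be /16 to /27, got {vpc}")
    for size in (public_size, private_size):
        if not 16 <= size <= 28 or size <= vpc.prefixlen:
            raise ValueError(f"subnet /{size} must be 16-28 and smaller than the VPC /{vpc.prefixlen}")
    public = next(vpc.subnets(new_prefix=public_size))
    blocks = vpc.subnets(new_prefix=private_size)
    next(blocks)                       # skip the first block at the private size
    private = next(blocks)
    if public.overlaps(private):       # happens when the private subnet is smaller than the public one
        raise ValueError(f"public {public} overlaps private {private}; use private_size <= public_size")
    return public, private

def check_inputs(cfg):
    """Pre-flight findings for a module configuration; an empty list means nothing was flagged."""
    findings, vpcs = [], {}
    for side in ("blue", "green"):
        try:
            carve_subnets(cfg[f"{side}_vpc_cidr"], cfg[f"{side}_public_subnet_size"],
                          cfg[f"{side}_private_subnet_size"])
            vpcs[side] = ipaddress.ip_network(cfg[f"{side}_vpc_cidr"])
        except ValueError as err:
            findings.append(f"{side}: {err}")
        if int(cfg[f"{side}_asn"]) not in PRIVATE_ASN_POOL:
            findings.append(f"{side}: ASN {cfg[f'{side}_asn']} is outside the private pool 64512-65534")
    if len(vpcs) == 2 and vpcs["blue"].overlaps(vpcs["green"]):
        findings.append("blue and green VPC CIDRs overlap; routes learned over BGP would collide")
    ssh = cfg.get("green_vpn_inst_allowed_networks_ssh", [])
    if not ssh:
        findings.append("green: SSH allow-list is empty, so SSH to the VPN instance is blocked")
    for cidr in ssh:
        if ipaddress.ip_network(cidr).prefixlen == 0:
            findings.append(f"green: {cidr} exposes SSH on the VPN instance to the whole internet")
    return findings

# Constructed sample: the README's blue/green example values plus a single SSH source address.
EXAMPLE_CONFIG = {
    "blue_vpc_cidr": "172.17.0.0/16", "blue_asn": "64620",
    "blue_public_subnet_size": 20, "blue_private_subnet_size": 20,
    "green_vpc_cidr": "172.16.0.0/16", "green_asn": "65220",
    "green_public_subnet_size": 24, "green_private_subnet_size": 24,
    "green_vpn_inst_allowed_networks_ssh": ["108.34.76.23/32"],
}
```

With the README's values the blue side carves to 172.17.0.0/20 and 172.17.16.0/20, the green side to 172.16.0.0/24 and 172.16.1.0/24, and `check_inputs(EXAMPLE_CONFIG)` returns no findings.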
**Requirements**

Name | Version |
---|---|
terraform | >= 1.0.11 |
aws | >= 4.5.0 |
tls | 3.1.0 |
**Providers**

Name | Version |
---|---|
aws | >= 4.5.0 |
tls | 3.1.0 |
**Modules**

Name | Source | Version |
---|---|---|
blue_vpc | terraform-aws-modules/vpc/aws | 3.13.0 |
green_vpc | terraform-aws-modules/vpc/aws | 3.13.0 |
**Resources**

Name | Type |
---|---|
aws_eip.green_vpn_inst | resource |
aws_eip_association.green_vpn_inst_eip | resource |
aws_instance.green_vpn_inst | resource |
aws_key_pair.green_vpn_inst | resource |
aws_route.green_blue_side_route | resource |
aws_security_group.green_vpn_inst_green_traffic | resource |
aws_security_group.green_vpn_inst_ipsec | resource |
aws_security_group.green_vpn_inst_ssh | resource |
aws_ssm_parameter.green_vpn_inst | resource |
aws_vpn_connection.blue_vpn | resource |
tls_private_key.green_vpn_inst | resource |
aws_ami.green_vpn_inst_ubuntu | data source |
aws_availability_zones.available | data source |
**Inputs**

Name | Description | Type | Default | Required |
---|---|---|---|---|
blue_asn | (Optional) The BGP Autonomous System Number (ASN) for the blue side. Select an ASN from the private pool (64512 - 65534). | string | "64620" | no |
blue_private_subnet_size | (Optional) Private subnet size for the blue side. This size is a number that defines the subnet mask and can have any value from 16 to 28 as long as it is smaller than the VPC size. We recommend leaving the default value if you have limited knowledge of subnetting. | number | 24 | no |
blue_public_subnet_size | (Optional) Public subnet size for the blue side. This size is a number that defines the subnet mask and can have any value from 16 to 28 as long as it is smaller than the VPC size. We recommend leaving the default value if you have limited knowledge of subnetting. | number | 24 | no |
blue_vpc_cidr | (Optional) Blue side VPC CIDR. VPC size from /16 to /27. | string | "10.1.0.0/16" | no |
green_asn | (Optional) The BGP Autonomous System Number (ASN) for the green side. Select an ASN from the private pool (64512 - 65534). | string | "65220" | no |
green_private_subnet_size | (Optional) Private subnet size for the green side. This size is a number that defines the subnet mask and can have any value from 16 to 28 as long as it is smaller than the VPC size. We recommend leaving the default value if you have limited knowledge of subnetting. | number | 24 | no |
green_public_subnet_size | (Optional) Public subnet size for the green side. This size is a number that defines the subnet mask and can have any value from 16 to 28 as long as it is smaller than the VPC size. We recommend leaving the default value if you have limited knowledge of subnetting. | number | 24 | no |
green_vpc_cidr | (Optional) Green side VPC CIDR. VPC size from /16 to /27. | string | "10.2.0.0/16" | no |
green_vpn_endpoint_instancetype | (Optional) The instance type for the VPN EC2 instance used as Customer Gateway (CGW). Make sure you use an instance type that meets your network performance requirements. | string | "t3a.micro" | no |
green_vpn_inst_allowed_networks_ssh | (Optional) Allowed networks (CIDR) to SSH to the VPN EC2 instance (green). E.g. 1. a single IP: ["1.1.1.1/32"]; 2. multiple IPs or networks: ["1.1.1.1/32", "10.0.1.0/24"]. An empty list blocks SSH. | list(any) | [] | no |
green_vpn_inst_keyname | (Optional) Specify an existing key pair name to associate with the VPN EC2 instance on the green side. This key pair will be used for SSH authentication. If not specified, a new key pair will be created and the private key stored in Parameter Store. | string | "" | no |
project_tags | (Optional) A map of convenient tags assigned to all resources. | string | "https://registry.terraform.io/modules/bsrodrigs/fully-connected-vpn/aws/latest" | no |
region | (Optional) AWS region where the module will be deployed (e.g. eu-west-1). | string | "eu-west-1" | no |
**Outputs**

Name | Description |
---|---|
blue_vpc | Blue side VPC outputs. For more details see official documentation https://registry.terraform.io/modules/terraform-aws-modules/vpc/aws/latest?tab=outputs |
green_vpc | Green side VPC outputs. For more details see official documentation https://registry.terraform.io/modules/terraform-aws-modules/vpc/aws/latest?tab=outputs |