Connecting Multiple VPCs with Astaro Security Gateway
- Cross-Region Setup
- Appendix: High-Level High Availability Architecture for Astaro
To achieve a higher level of availability and redundancy, Amazon Web Services (AWS) customers can deploy their applications and services across multiple regions. While it is simple for Amazon Elastic Compute Cloud (Amazon EC2) instances to communicate with each other across regions over the Internet, enabling cross-region communication within a Virtual Private Cloud (VPC) environment requires additional configuration. While AWS currently does not provide an end-to-end, cross-region VPC connectivity solution, customers can achieve this on their own with third-party virtual private network (VPN) solutions. This whitepaper describes how customers can leverage the Astaro Security Gateway Amazon Machine Image (AMI) to establish cross-region VPC connections between EC2 instances in one region and a VPC virtual private gateway (VGW) in another region.
- Astaro is a third-party commercial product with multiple licensing and support options. The functionality described in this document is offered by Astaro in a freemium licensing model.
- The Astaro EC2 instance is a potential single point of failure. Please see the Appendix for a high-level High Availability design for this component.
- This guide assumes you already have two VPCs in separate regions created (or two VPCs within the same region). For instructions on creating VPCs, please see the Amazon Virtual Private Cloud Getting Started Guide.
- The VPCs must not have overlapping IP address ranges.
- In this scenario, AWS is responsible for managing the Internet gateway and virtual private gateway on behalf of the customer. The customer is responsible for launching and managing the Astaro Instance(s) and implementing some sort of HA design if required (see the Appendix for a high-level HA design).
Please reference the Amazon Virtual Private Cloud Network Administrator Guide for complete VPC networking documentation; however, Figure 1 and the following definitions may be helpful for understanding the content of this paper:
Virtual Private Gateway (VGW)
A VGW is an egress point from a customer's VPC that will establish a hardware VPN connection with a customer gateway. In this scenario, the VGW will provide VPN connectivity for one VPC, while the Astaro instance will provide connectivity for the other VPC.
Customer Gateway (CGW)
A CGW is the anchor on the customer's side of the VPN connection. In this scenario, it will be the Astaro instance in one VPC, communicating with the VGW in the other VPC.
Astaro provides a virtual firewall/VPN appliance called the Astaro Security Gateway that ships with an out-of-the-box VPC connector. Astaro provides both 32-bit and 64-bit AMIs. When launching an Astaro instance, search for "asg" under Community AMIs to locate the most recent version for your region. The following screenshot demonstrates this search in the US-East region:
Internet Gateway (IGW)
The IGW is an egress point from a customer's VPC that will map a public Elastic IP address to the Astaro EC2 instance, allowing the Astaro instance in one VPC to communicate with the VGW in the other region.
The term VPN connection describes the network connectivity that is established between the Astaro EC2 instance and the VGW.
The high-level architecture in Figure 1 shows two lines between the Astaro instance and the VGW because the VPN connection consists of two tunnels. AWS chose this design to provide increased availability for the Amazon VPC service by automatically failing over from one tunnel to the other in the event of an AWS device failure. The Astaro Security Gateway automatically configures and manages these tunnels for you.
In this walkthrough, we will perform the following steps:
- Launch an Astaro instance
- Create and configure a VGW
- Configure the Astaro instance
- Configure VPC route tables
- Test connectivity
In your first VPC (US-East in this example), perform the following steps to launch your Astaro instance:
- Launch an Astaro instance in your subnet using the Create New Instance Wizard. AWS recommends the 64-bit instance because 64-bit instances are supported by more instance types.
Additionally, we recommend assigning an Elastic IP address (EIP) to the instance to ensure that this gateway's public IP address will remain constant.
Astaro provides a getting started guide here. When creating your instance, Astaro recommends that you create a new security group that grants full access to all TCP and UDP ports (for more information, please go to Security Groups in the Amazon Elastic Compute Cloud User Guide). You will also need to make sure you create your instance in a subnet that routes Internet traffic to a VPC Internet gateway.
- Disable Source Destination Checking for the instance so that traffic can pass through the instance.
- Create an EIP for your Astaro instance and attach it.
Note this EIP. You will need it to configure your VPC customer gateway and to log into your Astaro Security Gateway to configure the VPN connection and firewall settings.
In the VPC in the other region (US-West in this example), perform the following steps to set up your VGW:
- Create a virtual private gateway and attach it to your VPC. For additional instructions on this step, go to Adding a Hardware Virtual Private Gateway to Your VPC in the Amazon Virtual Private Cloud User Guide.
- Create a customer gateway using the EIP you created in the previous section for your Astaro instance.
- Create a VPN connection between the customer gateway you just created and the virtual private gateway created in step 1.
- Once the VPN connection is created, you will need to download the configuration for Astaro.
- After you download this configuration file, you will need to modify it by replacing the EIP of your Astaro instance with its private IP. This is required before you can upload the configuration to your Astaro Security Gateway. In the example below, we used a text editor and replaced the EIP of 22.214.171.124 with the internal IP address of 172.16.0.5.
- Log in to your Astaro instance, and set up the VPN and Firewall connections. Open a web browser and go to https://<Your EIP>:4444/
- Navigate to Site-to-Site VPN on the left navigation bar, click Amazon VPC, and then the Setup tab. From here, you will upload the VPC configuration file that you downloaded and modified in the previous step.
- After uploading the configuration file and enabling the Amazon VPC connection, you should see Astaro report the VPC Tunnel status indicating that the connection was established through both BGP tunnels.
- Finally, create an Any-Any-Any firewall rule under Network Security to allow communication in both directions through the VPN connection that you established.
Make sure you enable your firewall rule after creation. You may also want to enable ICMP and traceroute traffic in the ICMP tab of the Astaro gateway configuration in order to help you verify and troubleshoot network connectivity issues.
- For the VPC to leverage the Astaro instance, configure your VPC subnet routing to point all traffic for the remote region to your Astaro instance. In this example, the remote VPC uses the 172.16.0.0/16 range and the Astaro instance ID is i-0b61a7bc:
- For the VPC to leverage the VGW, configure your VPC subnet routing to point all traffic for the other VPC to your VGW. In this example, the remote VPC uses the 10.0.0.0/0 range and the VGW ID is vgw-2928cf40:
- Connect to an instance in VPC 1 and ping an instance in VPC 2. Please go to Launch an Instance in the Amazon Virtual Private Cloud Getting Started Guide for information about launching and connecting to Amazon VPC instances.
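The prerequisite check (non-overlapping VPC ranges) and the configuration edit from the steps above, as an added helper that is not part of the whitepaper or of Astaro's tooling. The sample configuration text, the VPC CIDRs and the private address 10.0.0.5 are constructed for the example; only the EIP from the text-editor step is taken from the page.

```python
import ipaddress
import re

# Constructed example values (the whitepaper's screenshots use different ones).
LOCAL_VPC_CIDR = "10.0.0.0/16"      # VPC hosting the Astaro instance (US-East)
REMOTE_VPC_CIDR = "172.16.0.0/16"   # VPC hosting the VGW (US-West)
ASTARO_EIP = "22.214.171.124"       # EIP shown in the page's text-editor example
ASTARO_PRIVATE_IP = "10.0.0.5"      # constructed private address of the instance

# Constructed stand-in for the downloaded VPN configuration. The real
# AWS-generated file is much longer but likewise names the CGW by its EIP.
SAMPLE_CONFIG = (
    "customer_gateway_ip = 22.214.171.124\n"
    "tunnel_1_cgw_outside = 22.214.171.124\n"
    "tunnel_1_vgw_outside = 198.51.100.7\n"
)


def vpcs_overlap(cidr_a, cidr_b):
    """True if the two VPC ranges overlap (a prerequisite violation)."""
    return ipaddress.ip_network(cidr_a).overlaps(ipaddress.ip_network(cidr_b))


def rewrite_config(config, eip, private_ip, local_cidr):
    """Replace every occurrence of the EIP with the instance's private IP.

    The EIP is mapped to the instance by the IGW, not configured on its
    interface, so the tunnel endpoint must be the private address. Refuse
    if that address is outside the local VPC or the EIP is not public."""
    if ipaddress.ip_address(eip).is_private:
        raise ValueError(f"{eip} is not a public EIP")
    if ipaddress.ip_address(private_ip) not in ipaddress.ip_network(local_cidr):
        raise ValueError(f"{private_ip} is not inside {local_cidr}")
    # Anchor on non-digits so 22.214.171.124 does not match 22.214.171.1240.
    pattern = r"(?<!\d)" + re.escape(eip) + r"(?!\d)"
    rewritten, count = re.subn(pattern, private_ip, config)
    if count == 0:
        raise ValueError("EIP not found in configuration; wrong file?")
    return rewritten


def prepare_upload():
    """Run the prerequisite check and produce the file to upload to Astaro."""
    if vpcs_overlap(LOCAL_VPC_CIDR, REMOTE_VPC_CIDR):
        raise ValueError("VPC ranges overlap; the VPN cannot route between them")
    return rewrite_config(SAMPLE_CONFIG, ASTARO_EIP, ASTARO_PRIVATE_IP, LOCAL_VPC_CIDR)


if __name__ == "__main__":
    print(prepare_upload())
```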
Creating a fully redundant VPC connection between VPCs in two regions requires the setup and configuration of two Astaro instances and a monitoring instance to monitor the health of the Astaro instances.
We recommend configuring your VPC route tables to leverage both Astaro devices simultaneously by directing traffic from all of the subnets in one Availability Zone through an Astaro device in the same Availability Zone, and all traffic from subnets in another Availability Zone use an Astaro device in their Availability Zone. Each Astaro instance will then provide cross-region connectivity for instances that share the same Availability Zone to the Amazon VGW in the other region.
The Astaro Monitor is a custom instance that you create yourself, together with the monitoring scripts that run on it. This instance is intended to monitor the state of the VPN connection and of the Astaro instances. If either Astaro instance goes down, the monitor will need to stop or terminate and restart the Astaro instance while also re-routing traffic from the affected subnet to the working Astaro instance until both connections are functional. Amazon does not provide any guidance or scripts to use to set up this monitoring instance, so it is up to you to develop the necessary business logic to provide notification and/or attempt to automatically repair network connectivity in the event of a VPN connectivity failure.
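The failover decision the Astaro Monitor has to make, as an added example that is neither an Amazon nor an Astaro script. It assumes one Astaro instance and one route table per Availability Zone; the AZ names and the second instance ID are constructed, the health probes and the AWS API calls that apply the result (route replacement, instance restart) are left to the caller.

```python
# Constructed topology: one Astaro instance per Availability Zone, one route
# table per AZ. The first instance ID is the page's example; the second is made up.
ASTARO_BY_AZ = {"us-east-1a": "i-0b61a7bc", "us-east-1b": "i-0c0ffee11"}
REMOTE_CIDR = "172.16.0.0/16"    # the VGW-side VPC, from the page's route example


def plan_failover(health, route_tables, astaro_by_az=ASTARO_BY_AZ,
                  remote_cidr=REMOTE_CIDR):
    """Decide route changes and restarts from the current health picture.

    health:       {az: True/False}, result of probing that AZ's Astaro tunnel.
    route_tables: {az: {destination_cidr: target}}, the current subnet routes.
    Returns (route_updates, instances_to_restart); route_updates maps an AZ to
    the instance its remote-region route should now point at. A healthy AZ
    always prefers its own gateway, so the same function also produces the
    fail-back once a restarted instance passes its probe again."""
    healthy = [az for az, ok in health.items() if ok]
    updates, restart = {}, []
    for az, ok in health.items():
        own = astaro_by_az[az]
        if ok:
            target = own
        else:
            restart.append(own)
            if not healthy:
                continue        # nothing to fail over to: restart and alert
            target = astaro_by_az[healthy[0]]
        if route_tables.get(az, {}).get(remote_cidr) != target:
            updates[az] = target
    return updates, restart


if __name__ == "__main__":
    routes = {az: {REMOTE_CIDR: inst} for az, inst in ASTARO_BY_AZ.items()}
    print(plan_failover({"us-east-1a": True, "us-east-1b": False}, routes))
```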