Networking & Content Delivery
AWS Site-to-Site VPN and eero make remote connectivity for distributed sites simpler
Amazon Web Services (AWS) is working with eero to make it simpler and more convenient for organizations to establish secure connectivity between their remote sites and AWS in just a few clicks. The integration of AWS Site-to-Site VPN with eero’s devices enables organizations to scale site connectivity across many locations faster and more efficiently, without requiring an on-site technician with networking expertise.
In this post, we explore common use cases where this integration simplifies configuration and operations, then walk through configuring the AWS and eero accounts and creating VPN connections.
AWS Site-to-Site VPN is a fully managed service that allows you to create a secure IPsec VPN connection between your data center or branch office and your AWS resources. It provides critical connectivity for a variety of workloads: connecting on-premises workloads to the cloud, connecting devices to the cloud, and providing encrypted communication. eero, an Amazon company, was founded to make Wi-Fi and networking the way they should be: fast, reliable, secure, and, most importantly, easy to use. eero offers a comprehensive hardware and services portfolio from residences to businesses to service providers, with tens of millions of eeros deployed globally. eero also offers eero Insight for centralized fleet and site management, with advanced capabilities such as remote management, topology history, data streaming, events, recommendations, client health, and network health monitoring.
AWS Site-to-Site VPN & eero – Use cases
With this integration, eero helps abstract away networking complexity: no tunnel configs, no CLI, and no on-prem expertise required. You can establish Site-to-Site VPN connectivity to AWS Transit Gateway or AWS Cloud WAN in minutes. Instead of sending a network engineer, you ship and configure the eero from eero Insight, and the site can come online in minutes. In addition, for resilience, eero supports Dual-WAN, so if the primary Internet link fails, traffic automatically fails over to the secondary connection to keep the site connected without intervention.
- Onboarding of new sites without networking knowledge. You can place the eero device between your network and your Internet access and configure the VPN connection from the eero Insight console or APIs (an eero account is required to access the API docs). The device handles the VPN Internet Key Exchange (IKE) negotiation and initiation, and the BGP configuration (if dynamic routing is selected).
- Scaled branch management without on-site networking staff. Traditionally, an on-site engineer is required when dealing with site connectivity at scale, as someone needs to manage the VPN connection configuration. Now, the local team only needs to install the eero device in the site’s network, and the central networking team can use the eero Insight dashboard to manage the connectivity at scale.
- Simplified VPN configuration when moving a site’s location. Even with network expertise, moving a site can require high operational effort, as all the network configuration must be performed from scratch. You can reduce the time to integrate the new site with your workloads in AWS by using this integration.
- Operational efforts and central visibility from one dashboard. The eero Insight dashboard provides central visibility of all your devices, sites, and VPN connections to AWS. Additionally, you have the same observability capabilities you currently have with AWS Network Manager, such as metrics, dashboards, or events.
Getting started
Time to show how easy it is to build Site-to-Site VPN connections. For this example, we show how to connect an eero device to both AWS Transit Gateway and AWS Cloud WAN. The AWS network configuration is out of scope for this blog, but you can check the Working with Route Tables in AWS Transit Gateway post or the AWS Cloud WAN blueprints for more information and examples on how you can create connectivity and routing in each service.
Your first step is to place the eero device at your site – between your carrier Customer Premise Equipment (CPE) and your users/devices. Then, set it up in the eero Insight dashboard. After the configuration is complete, provide AWS IAM permissions and build the VPN connection.
Figure 1. Site connectivity to AWS using eero devices (HLD)
Step 1: Provide AWS IAM permissions to eero for AWS resource configuration
You will need to provide permissions for eero to configure the VPN resources on your behalf in your AWS Account. The Site-to-Site VPN connection must be configured in the same Account that owns the AWS Transit Gateway or AWS Cloud WAN’s core network.
Navigate to the eero Insight dashboard and select Settings -> Network settings in the left-hand side menu, as shown in Figure 2. Under the SimpleConnect settings – AWS account linkage section, select Link to start the process. Note that you will need to create an IAM role in your AWS Account.
Figure 2. eero Insight dashboard – Network settings
As part of the AWS account linking flow, the eero Insight console provides the trust policy and the inline policy you need to create the IAM role in your AWS account. Once you have them, follow the standard AWS IAM steps:
- Create an IAM role using the trust policy provided by eero Insight. Below you can see an example trust policy definition. You will be granting permissions to the AWS Account that eero uses for control plane operations. In addition, for enhanced security, you will see the ExternalId condition. This value is your eero network ID, so only actions originating from that network will be allowed. At scale (multiple sites), you will need to update this trust policy with all the eero network IDs you own (site = eero network).
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXXXXXXXXXXX:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": [
            "YYYYYYY"
          ]
        }
      }
    }
  ]
}
- Create an IAM policy using the inline policy provided by eero Insight, then attach it to the role. This allows eero to manage VPN resources (customer gateways and VPN connections), attachments to AWS Transit Gateway and/or AWS Cloud WAN, and AWS Certificate Manager (ACM) resources (if using certificate-based authentication). Note that the policy definition allows these actions on any resource in your AWS Account. If you want more granular control, add the Amazon Resource Names (ARNs) of the specific resources you want eero to manage.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "acm-pca:DescribeCertificateAuthority",
        "acm-pca:GetCertificate",
        "acm-pca:GetCertificateAuthorityCsr",
        "acm-pca:IssueCertificate",
        "acm:DeleteCertificate",
        "acm:DescribeCertificate",
        "acm:ExportCertificate",
        "acm:GetCertificate",
        "acm:RequestCertificate",
        "ec2:CreateCustomerGateway",
        "ec2:CreateTags",
        "ec2:CreateVpnConnection",
        "ec2:DeleteCustomerGateway",
        "ec2:DeleteVpnConnection",
        "ec2:DescribeCustomerGateways",
        "ec2:DescribeRegions",
        "ec2:DescribeTransitGateways",
        "ec2:DescribeVpnConnections",
        "ec2:ModifyVpnConnection",
        "iam:GetRolePolicy",
        "iam:ListRolePolicies",
        "networkmanager:CreateSiteToSiteVpnAttachment",
        "networkmanager:DeleteAttachment",
        "networkmanager:GetCoreNetwork",
        "networkmanager:ListCoreNetworks",
        "networkmanager:TagResource",
        "ram:AcceptResourceShareInvitation",
        "ram:GetResourceShareInvitations"
      ],
      "Resource": [
        "*"
      ],
      "Effect": "Allow"
    },
    {
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "s2svpn.amazonaws.com"
        }
      },
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
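The trust policy is the control that decides who can assume the eero-linked role at all, so it is worth generating and checking it programmatically rather than by hand, especially once you maintain one ExternalId value per site. The following Python is an added example, not code from AWS or eero: it builds the trust policy for a list of eero network IDs (the at-scale case described above), adds a site to an existing policy, and audits a policy for the two weaknesses that matter most here, a wildcard principal and a missing sts:ExternalId condition. The control-plane account ID and the network IDs are constructed placeholders; eero Insight supplies the real values.

```python
"""Generate and audit the trust policy for the eero-linked IAM role.

Added example, not eero's or AWS's code. EERO_CONTROL_PLANE_ACCOUNT and the
network IDs below are placeholders standing in for the values eero Insight shows.
"""
import json

# Placeholder for the AWS account eero uses for control-plane operations
# (the "XXXXXXXXXXXX" in the post's trust policy).
EERO_CONTROL_PLANE_ACCOUNT = "111111111111"

# Constructed sample: one eero network ID per site you own (site = eero network).
SITE_NETWORK_IDS = ["net-site-london", "net-site-madrid", "net-site-berlin"]


def build_trust_policy(eero_account_id: str, network_ids: list[str]) -> dict:
    """Trust policy with one sts:ExternalId value per eero network.

    A role assumption only succeeds when it carries one of these ExternalId
    values, so a third party that knows the role ARN still cannot use it.
    """
    if not network_ids:
        raise ValueError("at least one eero network ID is required")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": f"arn:aws:iam::{eero_account_id}:root"},
                "Action": "sts:AssumeRole",
                "Condition": {"StringEquals": {"sts:ExternalId": sorted(set(network_ids))}},
            }
        ],
    }


def add_site(policy: dict, network_id: str) -> dict:
    """Return a copy of the trust policy that also allows one more eero network ID."""
    updated = json.loads(json.dumps(policy))  # deep copy; the input is left untouched
    for stmt in updated["Statement"]:
        cond = stmt.setdefault("Condition", {}).setdefault("StringEquals", {})
        ids = cond.get("sts:ExternalId", [])
        ids = ids if isinstance(ids, list) else [ids]
        if network_id not in ids:
            ids.append(network_id)
        cond["sts:ExternalId"] = sorted(ids)
    return updated


def audit_trust_policy(policy: dict) -> list[str]:
    """Findings for weaknesses that would let someone else assume the role."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        aws_principal = principal.get("AWS") if isinstance(principal, dict) else principal
        principals = aws_principal if isinstance(aws_principal, list) else [aws_principal]
        if any(p == "*" for p in principals):
            findings.append("principal is '*': any AWS account could assume this role")
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        extra = [a for a in actions if a != "sts:AssumeRole"]
        if extra:
            findings.append(f"unexpected actions in trust policy: {extra}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        ext_ids = cond.get("sts:ExternalId", [])
        ext_ids = ext_ids if isinstance(ext_ids, list) else [ext_ids]
        if not any(ext_ids):
            findings.append("no sts:ExternalId condition: role is open to the confused-deputy problem")
    return findings


if __name__ == "__main__":
    policy = build_trust_policy(EERO_CONTROL_PLANE_ACCOUNT, SITE_NETWORK_IDS)
    print(json.dumps(policy, indent=2))
    print("findings:", audit_trust_policy(policy) or "none")
```

Write the generated document to a file and apply it to the role with `aws iam update-assume-role-policy --role-name <role> --policy-document file://trust.json`; running `audit_trust_policy` on the output of `aws iam get-role` for the same role is a cheap check to keep in a periodic compliance job, since an ExternalId list that drifts to empty or a principal widened to "*" would not be visible from eero Insight.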
After the IAM role is created, return to eero Insight and click Link account (as shown in Figure 3). At this point, eero can configure Site-to-Site VPN connections on your behalf.
Figure 3. eero Insight dashboard – IAM role ARN (linking account process)
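The inline policy grants every action on Resource "*", and the step above suggests narrowing it with ARNs before linking the account. The following Python is an added example, not AWS or eero code: it lists the mutating actions the policy allows account-wide and rewrites the policy so that read-only Describe/Get/List actions keep the wildcard while each mutating action is bound to the ARNs you supply; mutating actions you have not mapped are reported so that nothing silently loses permission. The policy embedded in the block is the one from the post; the ARN passed in the usage is a constructed placeholder. Before using the output, check the Service Authorization Reference for which of these actions accept resource-level ARNs, because a resource ARN on an action that only supports "*" causes that call to be denied.

```python
"""Audit the eero inline policy for account-wide permissions and scope it to ARNs.

Added example, not code from AWS or eero. EERO_INLINE_POLICY is the policy from
the post; the ARN mapping passed to scope_policy() is a placeholder you fill in.
"""
import copy

EERO_INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": ["*"],
            "Action": [
                "acm-pca:DescribeCertificateAuthority", "acm-pca:GetCertificate",
                "acm-pca:GetCertificateAuthorityCsr", "acm-pca:IssueCertificate",
                "acm:DeleteCertificate", "acm:DescribeCertificate", "acm:ExportCertificate",
                "acm:GetCertificate", "acm:RequestCertificate",
                "ec2:CreateCustomerGateway", "ec2:CreateTags", "ec2:CreateVpnConnection",
                "ec2:DeleteCustomerGateway", "ec2:DeleteVpnConnection",
                "ec2:DescribeCustomerGateways", "ec2:DescribeRegions",
                "ec2:DescribeTransitGateways", "ec2:DescribeVpnConnections",
                "ec2:ModifyVpnConnection", "iam:GetRolePolicy", "iam:ListRolePolicies",
                "networkmanager:CreateSiteToSiteVpnAttachment", "networkmanager:DeleteAttachment",
                "networkmanager:GetCoreNetwork", "networkmanager:ListCoreNetworks",
                "networkmanager:TagResource", "ram:AcceptResourceShareInvitation",
                "ram:GetResourceShareInvitations",
            ],
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {"StringLike": {"iam:AWSServiceName": "s2svpn.amazonaws.com"}},
        },
    ],
}

READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _as_list(value) -> list:
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_read_only(action: str) -> bool:
    """Describe*/Get*/List* verbs only read state; anything else can change it."""
    return action.split(":", 1)[1].startswith(READ_ONLY_PREFIXES)


def wildcard_mutating_actions(policy: dict) -> list[str]:
    """Mutating actions granted on Resource "*" with no Condition, i.e. what the
    linked role could change anywhere in the account if it were misused."""
    found = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        found.extend(a for a in _as_list(stmt.get("Action", [])) if not is_read_only(a))
    return sorted(found)


def scope_policy(policy: dict, arns_by_action: dict[str, list[str]]) -> tuple[dict, list[str]]:
    """Rewrite wildcard statements: read-only actions keep "*", mutating actions are
    bound to the ARNs supplied. Returns the new policy and the mutating actions left
    on "*" because no ARNs were supplied for them. Conditioned statements are kept."""
    scoped = {"Version": policy["Version"], "Statement": []}
    unscoped = []
    for stmt in policy["Statement"]:
        resources = _as_list(stmt.get("Resource", []))
        if stmt.get("Effect") != "Allow" or "*" not in resources or "Condition" in stmt:
            scoped["Statement"].append(copy.deepcopy(stmt))  # nothing to narrow here
            continue
        actions = _as_list(stmt.get("Action", []))
        read_only = [a for a in actions if is_read_only(a)]
        if read_only:
            scoped["Statement"].append({"Effect": "Allow", "Action": read_only, "Resource": "*"})
        groups: dict[tuple[str, ...], list[str]] = {}  # actions sharing the same ARN list
        for action in actions:
            if is_read_only(action):
                continue
            arns = arns_by_action.get(action)
            if not arns:
                unscoped.append(action)
                arns = ["*"]
            groups.setdefault(tuple(arns), []).append(action)
        for arns, acts in groups.items():
            scoped["Statement"].append({"Effect": "Allow", "Action": acts, "Resource": list(arns)})
    return scoped, sorted(unscoped)


if __name__ == "__main__":
    print("mutating actions on '*':", wildcard_mutating_actions(EERO_INLINE_POLICY))
    # Constructed placeholder ARN for the one VPN connection eero may delete.
    mapping = {"ec2:DeleteVpnConnection": ["arn:aws:ec2:eu-west-1:123456789012:vpn-connection/vpn-0123456789abcdef0"]}
    new_policy, still_wide = scope_policy(EERO_INLINE_POLICY, mapping)
    print("still on '*':", still_wide)
```

The split keeps the iam:CreateServiceLinkedRole statement untouched because its iam:AWSServiceName condition already limits it to the Site-to-Site VPN service-linked role. Note that ARNs of resources eero creates on your behalf (customer gateways, VPN connections) are not known until after the first connection exists, so a practical pattern is to link with the wider policy, record the ARNs from the AWS Management Console, and then tighten the delete and modify actions to them.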
Step 2: Configure Site-to-Site VPN connection
At the beginning of this post, we stated: “establish connectivity to AWS in just a few clicks”. Now let’s demonstrate that this is accurate. From the Settings – Network settings page in the eero Insight console, click Configure under SimpleConnect settings – Site-to-Site VPN. Figure 4 shows how to configure the VPN connection to AWS Transit Gateway, while Figure 5 shows how to configure it for AWS Cloud WAN.
Figure 4. eero Insight dashboard – Creating Site-to-Site VPN connection to Transit Gateway
Figure 5. eero Insight dashboard – Creating Site-to-Site VPN connection to Cloud WAN
When configuring the VPNs, you need to provide the following information:
- VPN configuration type: AWS Transit Gateway or AWS Cloud WAN.
- Region: AWS Region where the VPN connection will terminate.
- AWS Transit gateway / Core network ID:
- If you select “Transit gateway”, the console will list all the Transit gateways in the selected Region.
- If you select “Cloud WAN”, you will see your Core networks available in the AWS Account, and you will need to specify the Core Network Edge (CNE) where the VPN will terminate.
- Authentication: Certificate or Pre-Shared Key (PSK). When you select the certificate-based option, the eero integration manages the certificate.
- Source-based routing. In the eero network, you can configure different routing domains to segment your site. Indicate which of those routing domains should connect to AWS.
- (Optional) VPN tag.
- (Optional) BGP – Local ASN. You can configure dynamic routing for the VPN connection. With BGP enabled, provide the local ASN you want to use – it must not overlap with any private ASN used in AWS.
- (Optional) Split tunneling. You can designate the destination(s) that you want to send directly via the Internet rather than through the VPN connection. In this example, we configure the default route so that only the routes advertised via AWS Transit Gateway or AWS Cloud WAN are routed through the VPN connection.
Once you finish the configuration, click Connect. You can monitor the VPN tunnels’ status either in the AWS Management Console or directly inside eero Insight — the dashboard shows tunnel state, link health, and connectivity status across all sites. Figure 6 shows the customer gateway and VPN connection created by eero on your behalf (to Transit Gateway). After a few minutes, you should see an Online status for both VPN tunnels.
Figure 6. eero Insight dashboard – Site-to-Site VPN to Transit Gateway
Similarly, Figure 7 shows the customer gateway and VPN connection created when connecting to Cloud WAN.
Figure 7. eero Insight dashboard – Site-to-Site VPN to Cloud WAN
Step 3: Verify the routing configuration in AWS
Time to verify in the AWS Management Console that all resources have been created as expected. Figures 8 and 9 show the customer gateway and VPN connection. Note that the configuration is similar regardless of whether the VPN terminates on Transit Gateway or Cloud WAN.
Figure 8. AWS Management Console – Customer gateway
Figure 9. AWS Management Console – Site-to-Site VPN connection (tunnels)
Figures 10 and 11 show the AWS Transit gateway and AWS Cloud WAN attachments created.
Figure 10. AWS Management Console – Transit gateway attachments
Figure 11. AWS Management Console – Cloud WAN attachments
Considerations
- AWS Site-to-Site VPN quotas do not change with this integration. Note that VPN termination to a Virtual private gateway (VGW) is not supported.
- When configuring your VPN connection to AWS Cloud WAN, you cannot configure any tags aside from Name. Consider this when building the attachment association using attachment policies – you can use the Attachment type condition.
- For PSK authentication, you must have a fixed public IP address at your remote site(s).
- Verify that your AWS Region(s) support certificate-based VPN authentication.
Conclusion
The AWS and eero integration helps simplify the hybrid connectivity of your sites to AWS by automating the creation and configuration of AWS Site-to-Site VPNs to AWS Transit Gateway or AWS Cloud WAN. Whether you have limited to no network expertise on-site, a large number of sites to connect, or both, this integration allows you to more quickly onboard your sites to AWS and establish cloud connectivity.
To learn more about this integration, check the eero documentation. For more information about AWS Site-to-Site VPN, check the AWS service page and AWS documentation.