# AWS

## Step 1 - Creating a new cloud connection

Log in to the GoodAccess **Control Panel**, and go to [**Network** > **Clouds & Branches**](https://app.goodaccess.com/branches/).

Click **+ Add new**, enter a **Name** (e.g., AWS Production), select the required **Gateway**, and define the **Subnets** of your AWS VPC (using CIDR notation).

Choose **IPSec** as the **Protocol**, and click **Continue**.

Fill out the configuration form (Public IP, Pre-Shared Key, etc.). These parameters must match the configuration you will set in your AWS environment in the next steps.

Click **Submit** to finish, or **Continue** to define optional **Branch Segments** for finer access control.

{% hint style="info" %}
You may return to the configuration via the **Edit** button of your Cloud at any time.
{% endhint %}

{% hint style="info" %}
**Example of configuration (Default preset):**

* **Shared Secret** - Create a new strong password
* **Public IP** - the public IP of the tunnel of your AWS VPN connection
* **IKE Lifetime (Phase 1)** - 8 hours (28800 seconds)
* **Tunnel Lifetime (Phase 2)** - 1 hour (3600 seconds)
* **Dead Peer Detection Delay** - 30 seconds
* **Encryption (Phase 1)** - aes256
* **Encryption (Phase 2)** - aes256
* **Integrity (Phase 1)** - sha256
* **Integrity (Phase 2)** - sha256
* **Diffie-Hellman Groups (Phase 1)** - 16 - modp4096
* **Diffie-Hellman Groups (Phase 2)** - 16 - modp4096
{% endhint %}

## Step 2 - Opening the VPC service

Log in to the AWS Management Console, and go to **Services** > **VPC** (you can use the search bar).

<div align="center"><figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FGoLgW0FLFvtBoacTbJAz%2FCloud%20Connector%20guides%20-%20AWS_step%203.PNG?alt=media&#x26;token=5e6324a5-398e-4f14-8683-6d6bafa44400" alt="AWS&#x27;s graphical user interface (GUI) showing a VPC service search query."><figcaption><p>Locating the VPC application</p></figcaption></figure></div>

## Step 3 - Creating a new customer gateway

Go to **Virtual Private Network (VPN)** > **Customer Gateways** and click **Create customer gateway**.

Give the customer gateway a name and set the configuration as follows:

* **BGP ASN** - 65000
* **IP address** - IP of your GoodAccess Gateway

Click **Create customer gateway** to confirm your settings.

<div><figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2F0OHB94UEMDP8iC8TuulL%2FFeatures%20-%20Cloud%20Connector%20guides%20-%20AWS_4.PNG?alt=media&#x26;token=c73e9d5c-b697-4263-ab7e-05f95cd09991" alt="AWS&#x27;s graphical user interface (GUI) showing left side menu of the VPC service for the private virtual network (VPN) section."><figcaption><p>Menu of VPC > VPN</p></figcaption></figure> <figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FvpIc3OWAWwnQK3lGIEQf%2FFeatures%20-%20Cloud%20Connector%20guides%20-%20AWS_5.PNG?alt=media&#x26;token=50c58cd6-f0aa-4409-927c-5cfb0b2b3635" alt="AWS&#x27;s graphical user interface (GUI) showing configuration of a customer gateway."><figcaption><p>Creating a customer gateway</p></figcaption></figure></div>

## Step 4 - Creating a new virtual private gateway

{% hint style="danger" %}
If you already have a virtual private gateway attached to your VPC, skip this section and continue with [Step 5 - Creating a new VPN connection](#step-5-creating-a-new-vpn-connection).
{% endhint %}

Go to **Virtual Private Network (VPN)** > **Virtual Private Gateways** and click **Create virtual private gateway**.

Give the virtual private gateway a name, and choose **Amazon default ASN**.

Click **Create virtual private gateway** to confirm your settings.

Select the newly created virtual private gateway and click **Attach to VPC**.

<div><figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FUrQFiY605EDJuoraqF5K%2FFeatures%20-%20Cloud%20Connector%20guides%20-%20AWS_6.PNG?alt=media&#x26;token=271f035a-407a-4022-b3c4-946651eae81d" alt="AWS&#x27;s graphical user interface (GUI) showing configuration of a virtual private gateway."><figcaption><p>Creating a virtual private gateway</p></figcaption></figure> <figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FlMBHNyY37Mguyf1TEtAe%2FFeatures%20-%20Cloud%20Connector%20guides%20-%20AWS_7.PNG?alt=media&#x26;token=6685bb77-7df7-4508-aac5-447c3822c01c" alt="AWS&#x27;s graphical user interface (GUI) with arrows highlighting key steps to attaching a virtual private gateway to the VPC."><figcaption><p>Attaching the virtual private gateway to VPC</p></figcaption></figure></div>

## Step 5 - Creating a new VPN connection

Go to **Virtual Private Network (VPN)** > **Site-to-Site VPN Connections** and click **Create VPN connection**.

Give the VPN connection a name and set the configuration as follows:

* **Target gateway type** - Virtual private gateway
* **Customer gateway** - Existing
* **Routing options** - Static
* **Static IP prefixes** - Subnet of your GoodAccess Gateway

Open **Tunnel 1 options**:

* **Pre-Shared key for Tunnel 1** - Shared Secret [(Step 1)](#step-1-creating-a-new-cloud-connection)
* Select **Edit tunnel 1 options**
* **Phase I & II** - Must match configuration from GoodAccess [(Step 1)](#step-1-creating-a-new-cloud-connection)

Click **Create VPN connection** to confirm your settings.

<div><figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FeIrvoZkJLisgU3Qh9Hj0%2FFeatures%20-%20Cloud%20Connector%20guides%20-%20AWS_8.PNG?alt=media&#x26;token=fe47767d-9438-440b-a553-6c1b55b2c4f6" alt="AWS&#x27;s graphical user interface (GUI) with arrows highlighting key steps to configuring a VPN connection."><figcaption><p>Creating a VPN connection</p></figcaption></figure> <figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FKCvlMIGzNmX3t2w2nQpM%2FFeatures%20-%20Cloud%20Connector%20guides%20-%20AWS_9.PNG?alt=media&#x26;token=dc5561c5-b533-49f6-ab13-dfb4b3cf3839" alt="AWS&#x27;s graphical user interface (GUI) with arrows highlighting key steps to configuring the Tunnel 1 section of a VPN connection."><figcaption><p>Setting up the Phase 1 &#x26; 2 configuration</p></figcaption></figure></div>

## Step 6 - Adding new routes

{% hint style="warning" %}
If your AWS subnet is associated with multiple route tables, make sure to add the required routes to **each** of those route tables.
{% endhint %}

Go to **Virtual Private Cloud (VPC)** > **Route Tables**. Click **Edit routes** and **Add** the following **routes**:

| **Destination**                   | **Target**                                                                |
| --------------------------------- | ------------------------------------------------------------------------- |
| Subnet of VPC                     | Local (default)                                                           |
| 0.0.0.0/0                         | Local Gateway (default)                                                   |
| Subnet of your GoodAccess Gateway | [Virtual Private Gateway](#step-4-creating-a-new-virtual-private-gateway) |

Don't forget to **Save changes**.

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FaeOBc20sy1dRYI0WPCNT%2FFeatures%20-%20Cloud%20Connector%20guides%20-%20AWS_10.PNG?alt=media&#x26;token=9bbfc7a8-8693-4d28-a501-5d01c867cc10" alt="AWS&#x27;s graphical user interface (GUI) with arrows highlighting key steps to editing routes."><figcaption><p>Editing the routes</p></figcaption></figure>

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2Fv98f25kXmKG77IeEP8kV%2FFeatures%20-%20Cloud%20Connector%20guides%20-%20AWS_11.PNG?alt=media&#x26;token=16db5d11-dc00-4d9c-8259-5252773e6419" alt="AWS&#x27;s graphical user interface (GUI) showing configuration of routes."><figcaption><p>Adding new routes</p></figcaption></figure>

You have now successfully connected your AWS cloud to GoodAccess.

{% hint style="warning" %}
**Firewall rules**

Make sure you allow connections from your **GoodAccess Gateway private subnet** to the resources in your **VPC** (e.g., virtual machines, databases, etc.).

Depending on your AWS security setup, you may need to allow this communication in:

* **Security Groups**
* **Network ACLs**
* **AWS Network Firewall**
{% endhint %}

{% hint style="info" %}
**You may check the status of the connection in:**

* **GoodAccess:** Go to **Control Panel > Network > Clouds & Branches** to view the tunnel status. Use the **Test Connection** button to validate the IPsec tunnel itself, or optionally to test a specific system (target must have ICMP enabled).
* **AWS:** Go to **Virtual Private Network (VPN) > Site-to-Site VPN Connections**.
{% endhint %}
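The most common reason the tunnel stays down is a Phase 1/2 value entered in the AWS form (Step 5) that does not match the GoodAccess preset (Step 1). The following added example (not GoodAccess or AWS code) turns the Step 1 preset into the values the AWS tunnel-options form expects and checks them against AWS limits before anything is submitted; the AWS key names, the lifetime and DPD limits and the pre-shared key format rule are assumptions taken from the AWS Site-to-Site VPN documentation, and the shared secret is a constructed sample.

```python
"""Map the GoodAccess Step 1 preset to AWS Site-to-Site VPN tunnel options
and validate them, so Step 5 can be filled in without a Phase 1/2 mismatch."""
import re

# GoodAccess "Default preset" from Step 1 (shared_secret is a constructed sample).
GOODACCESS_PRESET = {
    "shared_secret": "example_PSK.for_docs_only",
    "ike_lifetime": 28800,      # Phase 1, seconds
    "tunnel_lifetime": 3600,    # Phase 2, seconds
    "dpd_delay": 30,            # seconds; mapped to the AWS DPD timeout (assumption)
    "encryption": "aes256",
    "integrity": "sha256",
    "dh_group": "16 - modp4096",
}

# GoodAccess algorithm names -> names shown in the AWS console / EC2 TunnelOptions.
AWS_NAME = {"aes128": "AES128", "aes256": "AES256", "sha1": "SHA1", "sha256": "SHA2-256"}

# Assumed AWS rules: PSK is 8-64 chars of [A-Za-z0-9._] and must not start with 0;
# Phase 1 lifetime 900-28800 s, Phase 2 lifetime 900-3600 s, DPD timeout >= 30 s.
PSK_RE = re.compile(r"^[1-9A-Za-z._][A-Za-z0-9._]{7,63}$")


def to_aws_tunnel_options(p):
    """Return (tunnel_options, problems). An empty problems list means the
    Step 1 values can be typed into the AWS tunnel form unchanged."""
    problems = []
    if not PSK_RE.match(p["shared_secret"]):
        problems.append("pre-shared key violates the AWS format rule")
    if not 900 <= p["ike_lifetime"] <= 28800:
        problems.append("Phase 1 lifetime outside 900-28800 s")
    if not 900 <= p["tunnel_lifetime"] <= 3600:
        problems.append("Phase 2 lifetime outside 900-3600 s")
    if p["dpd_delay"] < 30:
        problems.append("DPD timeout must be at least 30 s")
    enc, integ = AWS_NAME.get(p["encryption"]), AWS_NAME.get(p["integrity"])
    if enc is None or integ is None:
        problems.append("no AWS equivalent for the encryption/integrity algorithm")
    dh = int(p["dh_group"].split("-")[0])  # "16 - modp4096" -> DH group 16
    opts = {
        "PreSharedKey": p["shared_secret"],
        "Phase1LifetimeSeconds": p["ike_lifetime"],
        "Phase2LifetimeSeconds": p["tunnel_lifetime"],
        "DPDTimeoutSeconds": p["dpd_delay"],
        "Phase1EncryptionAlgorithms": [{"Value": enc}],
        "Phase2EncryptionAlgorithms": [{"Value": enc}],
        "Phase1IntegrityAlgorithms": [{"Value": integ}],
        "Phase2IntegrityAlgorithms": [{"Value": integ}],
        "Phase1DHGroupNumbers": [{"Value": dh}],
        "Phase2DHGroupNumbers": [{"Value": dh}],
    }
    return opts, problems
```

Phase 1 and Phase 2 are filled from the same preset values on purpose: that is what the GoodAccess default preset specifies, and any difference between the two AWS sections is a mismatch to fix before creating the connection.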


