AWS

This guide will show you how to connect your AWS cloud to the GoodAccess Gateway via a site-to-site connection using the IPsec protocol.

Step 1 - Creating a new cloud connection

Log in to the GoodAccess Control Panel, and go to Network > Clouds & Branches.

Click + Add new, enter a Name (e.g., AWS Production), select the required Gateway, and define the Subnets of your AWS VPC (using CIDR notation).

Choose IPSec Protocol, and click Continue.

Fill out the configuration form (Public IP, Pre-Shared Key, etc.). These parameters must match the configuration you will set in your AWS environment in the next steps.

Click Submit to finish, or Continue to define optional Branch Segments for finer access control.


You may return to the configuration via the Edit button of your Cloud at any time.


Example of configuration (Default preset):

  • Shared Secret - Create a new strong password. AWS only accepts a pre-shared key of 8 to 64 characters made of letters, digits, periods (.) and underscores (_), and it must not start with 0, so generate the secret within those limits or AWS will reject it in Step 5.

  • Public IP - Outside IP address of Tunnel 1 of your AWS VPN connection. AWS assigns it only after the connection is created in Step 5, so you can leave it for now and fill it in later via the Edit button of your Cloud.

  • IKE Lifetime (Phase 1) - 8 hours (28800 seconds)

  • Tunnel Lifetime (Phase 2) - 1 hour (3600 seconds)

  • Dead Peer Detection Delay - 30 seconds

  • Encryption (Phase 1) - aes256

  • Encryption (Phase 2) - aes256

  • Integrity (Phase 1) - sha256

  • Integrity (Phase 2) - sha256

  • Diffie-Hellman Groups (Phase 1) - 16 - modp4096

  • Diffie-Hellman Groups (Phase 2) - 16 - modp4096

Step 2 - Opening the VPC service

Log in to the AWS Management Console and go to Services > VPC (or type VPC into the search bar).

AWS's graphical user interface (GUI) showing a VPC service search query.
Locating the VPC application

Step 3 - Creating a new customer gateway

Go to Virtual Private Network (VPN) > Customer Gateways and click Create customer gateway.

Give the customer gateway a name and set the configuration as follows:

  • BGP ASN - 65000 (the default; it is only used for dynamic routing, and this guide uses static routing)

  • IP address - Public IP address of your GoodAccess Gateway

Click Create customer gateway to confirm your settings.

AWS's graphical user interface (GUI) showing the left side menu of the VPC service for the virtual private network (VPN) section.
Menu of VPC > VPN
AWS's graphical user interface (GUI) showing configuration of a customer gateway.
Creating a customer gateway

Step 4 - Creating a new virtual private gateway


Go to Virtual Private Network (VPN) > Virtual Private Gateways and click Create virtual private gateway.

Give the virtual private gateway a name, and choose Amazon default ASN.

Click Create virtual private gateway to confirm your settings.

Select the newly created virtual private gateway and click Attach to VPC.

AWS's graphical user interface (GUI) showing configuration of a virtual private gateway.
Creating a virtual private gateway
AWS's graphical user interface (GUI) with arrows highlighting key steps to attaching a virtual private gateway to the VPC.
Attaching the virtual private gateway to VPC

Step 5 - Creating a new VPN connection

Go to Virtual Private Network (VPN) > Site-to-Site VPN Connections and click Create VPN connection.

Give the VPN connection a name and set the configuration as follows:

  • Target gateway type - Virtual private gateway

  • Customer gateway - Existing

  • Routing options - Static

  • Static IP prefixes - Subnet of your GoodAccess Gateway (the prefix AWS must send back through the tunnel; it must match the Subnets defined on the GoodAccess side)

Expand Tunnel 1 options, select Edit tunnel 1 options, and set:

  • Pre-shared key for tunnel 1 - The Shared Secret from Step 1 (if you leave it empty, AWS generates its own key and the tunnel will not come up until you copy it into GoodAccess)

  • Phase 1 and Phase 2 options (encryption, integrity, DH group, lifetimes, DPD) - Must match the GoodAccess configuration from Step 1. Deselect the algorithms and DH groups you did not configure in Step 1, so that AWS cannot negotiate a weaker combination than the one you intended.

Leave Tunnel 2 at its defaults unless you plan to use it for high availability (see the note at the end of this guide).

Click Create VPN connection to confirm your settings.

AWS's graphical user interface (GUI) with arrows highlighting key steps to configuring a VPN connection.
Creating a VPN connection
AWS's graphical user interface (GUI) with arrows highlighting key steps to configuring the Tunnel 1 section of a VPN connection.
Setting up the Phase 1 & 2 configuration

Step 6 - Adding new routes


Go to Virtual Private Cloud (VPC) > Route Tables, select the route table used by the VPC subnets that should reach GoodAccess, and click Edit routes. The first two rows already exist; leave them unchanged and add the last one:

  Destination                          Target
  Subnet of VPC                        Local (default, already present)
  0.0.0.0/0                            Local Gateway (default, already present)
  Subnet of your GoodAccess Gateway    Virtual private gateway (created in Step 4)

Don't forget to Save changes. Alternatively, open the Route propagation tab of the route table and enable propagation from the virtual private gateway; the static prefix from Step 5 is then added automatically.

Routing alone does not let traffic reach your instances: the security groups and network ACLs of the target resources must also allow the required ports from the GoodAccess Gateway subnet.

AWS's graphical user interface (GUI) with arrows highlighting key steps to editing routes.
Editing the routes
AWS's graphical user interface (GUI) showing configuration of routes.
Adding new routes
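The following Python script is an added example, not part of this guide and not GoodAccess's or AWS's own code. It ties Step 1 and Steps 3 to 6 together: it converts the Step 1 preset into the tunnel options AWS accepts, checks the shared secret against AWS's pre-shared key rules, and prints the AWS CLI equivalents of Steps 3 to 6 so both ends of the tunnel are built from one source of truth. The AWS CLI subcommands, option names and algorithm spellings are real; the sample IP address, subnet and resource IDs, the `$CGW_ID`/`$VGW_ID`/`$VPN_ID` shell placeholders and the function names are assumptions for illustration.

```python
"""Added example (not GoodAccess or AWS code): build the AWS tunnel options
and CLI commands for Steps 3-6 from the GoodAccess Step 1 preset."""
import json
import re
import secrets
import shlex

# The "Default preset" from Step 1, written down as data (values from the guide).
GOODACCESS_PRESET = {
    "ike_lifetime": 28800,       # IKE Lifetime (Phase 1), seconds
    "tunnel_lifetime": 3600,     # Tunnel Lifetime (Phase 2), seconds
    "dpd_delay": 30,             # Dead Peer Detection Delay, seconds
    "encryption_p1": "aes256", "encryption_p2": "aes256",
    "integrity_p1": "sha256", "integrity_p2": "sha256",
    "dh_group_p1": "16 - modp4096", "dh_group_p2": "16 - modp4096",
}

# GoodAccess labels -> the value spellings AWS uses in its tunnel options.
ENCRYPTION = {"aes128": "AES128", "aes256": "AES256"}
INTEGRITY = {"sha1": "SHA1", "sha256": "SHA2-256", "sha384": "SHA2-384", "sha512": "SHA2-512"}

# AWS pre-shared key rules: 8-64 characters from [A-Za-z0-9._], not starting with '0'.
PSK_RE = re.compile(r"[A-Za-z0-9._]{8,64}")


def dh_group_number(label):
    """'16 - modp4096' -> 16; AWS takes only the IANA group number."""
    m = re.match(r"\s*(\d+)", label)
    if not m:
        raise ValueError(f"unrecognised DH group label: {label!r}")
    return int(m.group(1))


def validate_psk(psk):
    """True if the key satisfies the AWS pre-shared key rules."""
    return bool(PSK_RE.fullmatch(psk)) and not psk.startswith("0")


def generate_psk(length=32):
    """Random key from the AWS-accepted alphabet that passes validate_psk()."""
    alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._"
    while True:
        psk = "".join(secrets.choice(alphabet) for _ in range(length))
        if validate_psk(psk):
            return psk


def tunnel_options(preset, psk):
    """One AWS VpnTunnelOptionsSpecification built from the GoodAccess preset."""
    if not validate_psk(psk):
        raise ValueError("pre-shared key violates the AWS character/length rules")
    # AWS accepts Phase 1 lifetimes of 900-28800 s and Phase 2 lifetimes of 900-3600 s.
    if not 900 <= preset["ike_lifetime"] <= 28800:
        raise ValueError("IKE lifetime outside the AWS-supported range")
    if not 900 <= preset["tunnel_lifetime"] <= 3600:
        raise ValueError("tunnel lifetime outside the AWS-supported range")
    return {
        "PreSharedKey": psk,
        "Phase1LifetimeSeconds": preset["ike_lifetime"],
        "Phase2LifetimeSeconds": preset["tunnel_lifetime"],
        # AWS exposes a DPD timeout (minimum 30 s); the preset's delay maps onto it.
        "DPDTimeoutSeconds": max(30, preset["dpd_delay"]),
        # Exactly one value per field: AWS then cannot negotiate anything weaker.
        "Phase1EncryptionAlgorithms": [{"Value": ENCRYPTION[preset["encryption_p1"]]}],
        "Phase2EncryptionAlgorithms": [{"Value": ENCRYPTION[preset["encryption_p2"]]}],
        "Phase1IntegrityAlgorithms": [{"Value": INTEGRITY[preset["integrity_p1"]]}],
        "Phase2IntegrityAlgorithms": [{"Value": INTEGRITY[preset["integrity_p2"]]}],
        "Phase1DHGroupNumbers": [{"Value": dh_group_number(preset["dh_group_p1"])}],
        "Phase2DHGroupNumbers": [{"Value": dh_group_number(preset["dh_group_p2"])}],
        # The IKE version is not part of the guide's preset, so it stays at the AWS default.
    }


def vpn_connection_options(preset, psk):
    """The --options document for create-vpn-connection (static routing, both tunnels)."""
    return {"StaticRoutesOnly": True,
            "TunnelOptions": [tunnel_options(preset, psk) for _ in range(2)]}


def cli_commands(preset, psk, goodaccess_ip, goodaccess_subnet, vpc_id, route_table_id):
    """AWS CLI equivalents of Steps 3-6. $CGW_ID, $VGW_ID and $VPN_ID are
    placeholders for the IDs returned by the preceding commands."""
    options = shlex.quote(json.dumps(vpn_connection_options(preset, psk)))
    return [
        # Step 3: customer gateway = public IP of the GoodAccess Gateway
        f"aws ec2 create-customer-gateway --type ipsec.1 --public-ip {goodaccess_ip} --bgp-asn 65000",
        # Step 4: virtual private gateway, attached to the VPC
        "aws ec2 create-vpn-gateway --type ipsec.1",
        f"aws ec2 attach-vpn-gateway --vpn-gateway-id $VGW_ID --vpc-id {vpc_id}",
        # Step 5: VPN connection whose tunnel options match Step 1, plus the static prefix
        f"aws ec2 create-vpn-connection --type ipsec.1 --customer-gateway-id $CGW_ID "
        f"--vpn-gateway-id $VGW_ID --options {options}",
        f"aws ec2 create-vpn-connection-route --vpn-connection-id $VPN_ID "
        f"--destination-cidr-block {goodaccess_subnet}",
        # Step 6: route the GoodAccess subnet through the virtual private gateway
        f"aws ec2 create-route --route-table-id {route_table_id} "
        f"--destination-cidr-block {goodaccess_subnet} --gateway-id $VGW_ID",
    ]


if __name__ == "__main__":
    # Constructed placeholder values (assumptions); replace them with your own.
    for cmd in cli_commands(GOODACCESS_PRESET, generate_psk(), "203.0.113.10",
                            "10.200.0.0/24", "vpc-0123456789abcdef0", "rtb-0123456789abcdef0"):
        print(cmd)
```

Run it with `python3`, paste the printed commands one at a time into a shell that has AWS credentials, and substitute the IDs each command returns into the placeholders of the next. The same generated pre-shared key is what you enter as the Shared Secret in Step 1, so the two sides cannot drift apart; if you change the preset in GoodAccess later, regenerate the options rather than editing AWS by hand.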

You have now successfully connected your AWS cloud to GoodAccess.


You may check the status of the connection in:

  • GoodAccess: Go to Control Panel > Network > Clouds & Branches to view the tunnel status. Use the Test Connection button to validate the IPsec tunnel itself, or optionally to test a specific system (target must have ICMP enabled).

  • AWS: Go to Virtual Private Network (VPN) > Site-to-Site VPN Connections, select the connection and open the Tunnel details tab. Tunnel 1 should report the status UP; a tunnel you have not configured stays DOWN, which is expected.


AWS always creates two tunnels for one VPN connection, each with its own outside IP address and pre-shared key. This guide uses the first one.

If you have a second GoodAccess Gateway and want a backup, configure the second tunnel against it for a high availability solution.
