# AWS

## Step 1 - Creating a new cloud connection

Log in to the GoodAccess [**Control Panel**](https://app.goodaccess.com/branches/) and go to **Network** > **Clouds & Branches**.

Click **+ Add new**, enter a **Name** (e.g., AWS Production), select the required **Gateway**, and define the **Subnets** of your AWS VPC in CIDR notation.

Choose **IPSec** as the **Protocol** and click **Continue**.

Fill out the configuration form (Public IP, Pre-Shared Key, etc.). These parameters must match the configuration you will set in your AWS environment in the next steps.

Click **Submit** to finish, or **Continue** to define optional **Branch Segments** for finer access control.

{% hint style="info" %}
You may return to the configuration via the **Edit** button of your Cloud at any time.
{% endhint %}

{% hint style="info" %}
**Example of configuration (Default preset):**

* **Shared Secret** - Create a new strong password
* **Public IP** - IP of the tunnel of your AWS VPN connection
* **IKE Lifetime (Phase 1)** - 8 hours (28800 seconds)
* **Tunnel Lifetime (Phase 2)** - 1 hour (3600 seconds)
* **Dead Peer Detection Delay** - 30 seconds
* **Encryption (Phase 1)** - aes256
* **Encryption (Phase 2)** - aes256
* **Integrity (Phase 1)** - sha256
* **Integrity (Phase 2)** - sha256
* **Diffie-Hellman Groups (Phase 1)** - 16 - modp4096
* **Diffie-Hellman Groups (Phase 2)** - 16 - modp4096
{% endhint %}

## Step 2 - Opening the VPC service

Log in to the AWS Management Console and go to **Services** > **VPC** (you can use the search bar).

<div align="center"><figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FGoLgW0FLFvtBoacTbJAz%2FCloud%20Connector%20guides%20-%20AWS_step%203.PNG?alt=media&#x26;token=5e6324a5-398e-4f14-8683-6d6bafa44400" alt="AWS&#x27;s graphical user interface (GUI) showing a VPC service search query."><figcaption><p>Locating the VPC application</p></figcaption></figure></div>

## Step 3 - Creating a new customer gateway

Go to **Virtual Private Network (VPN)** > **Customer Gateways** and click **Create customer gateway**.

Give the customer gateway a name and set the configuration as follows:

* **BGP ASN** - 65000
* **IP address** - IP of your GoodAccess Gateway

Click **Create customer gateway** to confirm your settings.

<div><figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2F0OHB94UEMDP8iC8TuulL%2FFeatures%20-%20Cloud%20Connector%20guides%20-%20AWS_4.PNG?alt=media&#x26;token=c73e9d5c-b697-4263-ab7e-05f95cd09991" alt="AWS&#x27;s graphical user interface (GUI) showing left side menu of the VPC service for the private virtual network (VPN) section."><figcaption><p>Menu of VPC > VPN</p></figcaption></figure> <figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FvpIc3OWAWwnQK3lGIEQf%2FFeatures%20-%20Cloud%20Connector%20guides%20-%20AWS_5.PNG?alt=media&#x26;token=50c58cd6-f0aa-4409-927c-5cfb0b2b3635" alt="AWS&#x27;s graphical user interface (GUI) showing configuration of a customer gateway."><figcaption><p>Creating a customer gateway</p></figcaption></figure></div>

## Step 4 - Creating a new virtual private gateway

{% hint style="danger" %}
If you already have a virtual private gateway attached to your VPC, skip this section and continue with [Step 5 - Creating a new VPN connection](#step-5-creating-a-new-vpn-connection).
{% endhint %}

Go to **Virtual Private Network (VPN)** > **Virtual Private Gateways** and click **Create virtual private gateway**.

Give the virtual private gateway a name, and choose **Amazon default ASN**.

Click **Create virtual private gateway** to confirm your settings.

Select the newly created virtual private gateway and click **Attach to VPC**.

<div><figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FUrQFiY605EDJuoraqF5K%2FFeatures%20-%20Cloud%20Connector%20guides%20-%20AWS_6.PNG?alt=media&#x26;token=271f035a-407a-4022-b3c4-946651eae81d" alt="AWS&#x27;s graphical user interface (GUI) showing configuration of a virtual private gateway."><figcaption><p>Creating a virtual private gateway</p></figcaption></figure> <figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FlMBHNyY37Mguyf1TEtAe%2FFeatures%20-%20Cloud%20Connector%20guides%20-%20AWS_7.PNG?alt=media&#x26;token=6685bb77-7df7-4508-aac5-447c3822c01c" alt="AWS&#x27;s graphical user interface (GUI) with arrows highlighting key steps to attaching a virtual private gateway to the VPC."><figcaption><p>Attaching the virtual private gateway to VPC</p></figcaption></figure></div>

## Step 5 - Creating a new VPN connection

Go to **Virtual Private Network (VPN)** > **Site-to-Site VPN Connections** and click **Create VPN connection**.

Give the VPN connection a name and set the configuration as follows:

* **Target gateway type** - Virtual private gateway
* **Customer gateway** - Existing
* **Routing options** - Static
* **Static IP prefixes** - Subnet of your GoodAccess Gateway

Open **Tunnel 1 options**:

* **Pre-Shared key for Tunnel 1** - Shared Secret [(Step 1)](#step-1-creating-a-new-cloud-connection)
* Select **Edit tunnel 1 options**
* **Phase 1 & 2 settings** - Must match the GoodAccess configuration [(Step 1)](#step-1-creating-a-new-cloud-connection)

Click **Create VPN connection** to confirm your settings.

<div><figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FeIrvoZkJLisgU3Qh9Hj0%2FFeatures%20-%20Cloud%20Connector%20guides%20-%20AWS_8.PNG?alt=media&#x26;token=fe47767d-9438-440b-a553-6c1b55b2c4f6" alt="AWS&#x27;s graphical user interface (GUI) with arrows highlighting key steps to configuring a VPN connection."><figcaption><p>Creating a VPN connection</p></figcaption></figure> <figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FKCvlMIGzNmX3t2w2nQpM%2FFeatures%20-%20Cloud%20Connector%20guides%20-%20AWS_9.PNG?alt=media&#x26;token=dc5561c5-b533-49f6-ab13-dfb4b3cf3839" alt="AWS&#x27;s graphical user interface (GUI) with arrows highlighting key steps to configuring the Tunnel 1 section of a VPN connection."><figcaption><p>Setting up the Phase 1 &#x26; 2 configuration</p></figcaption></figure></div>

## Step 6 - Adding new routes

{% hint style="warning" %}
If your AWS subnet is associated with multiple route tables, make sure to add the required routes to **each** of those route tables.
{% endhint %}

Go to **Virtual Private Cloud (VPC)** > **Route Tables**. Click **Edit routes** and **Add** the following **routes**:

| **Destination**                   | **Target**                                                                |
| --------------------------------- | ------------------------------------------------------------------------- |
| Subnet of VPC                     | Local (default)                                                           |
| 0.0.0.0/0                         | Local Gateway (default)                                                   |
| Subnet of your GoodAccess Gateway | [Virtual Private Gateway](#step-4-creating-a-new-virtual-private-gateway) |

Don't forget to **Save changes**.

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2FaeOBc20sy1dRYI0WPCNT%2FFeatures%20-%20Cloud%20Connector%20guides%20-%20AWS_10.PNG?alt=media&#x26;token=9bbfc7a8-8693-4d28-a501-5d01c867cc10" alt="AWS&#x27;s graphical user interface (GUI) with arrows highlighting key steps to editing routes."><figcaption><p>Editing the routes</p></figcaption></figure>

<figure><img src="https://418253935-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FiJ406Lpi9EKoWDi7GFL7%2Fuploads%2Fv98f25kXmKG77IeEP8kV%2FFeatures%20-%20Cloud%20Connector%20guides%20-%20AWS_11.PNG?alt=media&#x26;token=16db5d11-dc00-4d9c-8259-5252773e6419" alt="AWS&#x27;s graphical user interface (GUI) showing configuration of routes."><figcaption><p>Adding new routes</p></figcaption></figure>

You have now successfully connected your AWS cloud to GoodAccess.
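A way to carry the Step 1 preset into the Step 5 tunnel options without transcription errors, as an added example (not GoodAccess or AWS code): it maps the GoodAccess names onto the AWS `TunnelOptions` fields, checks the values against the limits AWS documents for pre-shared keys and lifetimes, and lists which fields of an existing tunnel differ from the preset. The preset key names and the `mismatches` helper are this example's own; the `TunnelOptions` field names and the limit values are AWS's.

```python
"""Translate the GoodAccess preset from Step 1 into the AWS tunnel options
entered in Step 5 and check them against the limits AWS enforces, so that the
two ends cannot silently disagree on Phase 1 / Phase 2. Added example, not
GoodAccess or AWS code; dictionary keys are TunnelOptions fields of the EC2
CreateVpnConnection API, every other name is a local helper."""
import re
# GoodAccess "Default preset" from Step 1 of this guide.
GOODACCESS_PRESET = {
    "ike_lifetime": 28800, "tunnel_lifetime": 3600, "dpd_delay": 30,
    "encryption_phase1": "aes256", "encryption_phase2": "aes256",
    "integrity_phase1": "sha256", "integrity_phase2": "sha256",
    "dh_group_phase1": "modp4096", "dh_group_phase2": "modp4096"}
# Name translations between the GoodAccess form and AWS tunnel options.
ENCRYPTION = {"aes128": "AES128", "aes256": "AES256"}
INTEGRITY = {"sha1": "SHA1", "sha256": "SHA2-256", "sha384": "SHA2-384", "sha512": "SHA2-512"}
DH_GROUPS = {"modp1024": 2, "modp2048": 14, "modp3072": 15, "modp4096": 16,
             "modp6144": 17, "modp8192": 18, "ecp256": 19, "ecp384": 20, "ecp521": 21}
# AWS limits: PSK is 8-64 chars of letters, digits, '.', '_' and must not start
# with 0; Phase 1 lifetime 900-28800 s, Phase 2 lifetime 900-3600 s, DPD >= 30 s.
PSK_RE = re.compile(r"[A-Za-z1-9_.][A-Za-z0-9_.]{7,63}")
LIMITS = {"Phase1LifetimeSeconds": (900, 28800), "Phase2LifetimeSeconds": (900, 3600),
          "DPDTimeoutSeconds": (30, float("inf"))}

def aws_tunnel_options(preset, psk):
    """Build TunnelOptions for one tunnel; raise ValueError on anything AWS rejects."""
    errors = [] if PSK_RE.fullmatch(psk) else ["PreSharedKey violates AWS format rules"]
    opts = {"PreSharedKey": psk, "Phase1LifetimeSeconds": preset["ike_lifetime"],
            "Phase2LifetimeSeconds": preset["tunnel_lifetime"],
            "DPDTimeoutSeconds": preset["dpd_delay"]}
    for key, (low, high) in LIMITS.items():
        if not low <= opts[key] <= high:
            errors.append(f"{key}={opts[key]} outside AWS range {low}-{high}")
    for phase in (1, 2):  # the same three settings are entered once per phase in AWS
        for field, table, suffix in (("encryption", ENCRYPTION, "EncryptionAlgorithms"),
                                     ("integrity", INTEGRITY, "IntegrityAlgorithms"),
                                     ("dh_group", DH_GROUPS, "DHGroupNumbers")):
            name = preset[f"{field}_phase{phase}"]
            if name not in table:
                errors.append(f"{field} '{name}' has no AWS equivalent")
            else:
                opts[f"Phase{phase}{suffix}"] = [{"Value": table[name]}]
    if errors:
        raise ValueError("; ".join(errors))
    return opts

def mismatches(preset, tunnel_options, psk="Constructed.PSK.1"):
    """List TunnelOptions fields of an existing tunnel (as shown by describe-vpn-connections)
    that differ from the GoodAccess preset; psk is a placeholder only used to pass validation."""
    expected = aws_tunnel_options(preset, psk)
    return sorted(k for k, v in expected.items() if k != "PreSharedKey" and tunnel_options.get(k) != v)
```

Run `mismatches(GOODACCESS_PRESET, <tunnel options dict>)` against the tunnel you created in Step 5; an empty list means both phases match the GoodAccess side.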

{% hint style="warning" %}
**Firewall rules**

Make sure you allow connections from your **GoodAccess Gateway private subnet** to the resources in your **VPC** (e.g., virtual machines, databases, etc.).

Depending on your AWS security setup, you may need to allow this communication in:

* **Security Groups**
* **Network ACLs**
* **AWS Network Firewall**
{% endhint %}

{% hint style="info" %}
**You may check the status of the connection in:**

* **GoodAccess:** Go to **Control Panel > Network > Clouds & Branches** to view the tunnel status. Use the **Test Connection** button to validate the IPsec tunnel itself, or optionally to test a specific system (target must have ICMP enabled).
* **AWS:** Go to **Virtual Private Network (VPN) > Site-to-Site VPN Connections**.
{% endhint %}
