Tuesday, November 10, 2015

Setting up an AWS VPC/VPN for Multi-Region


Today I will show how to set up a complete VPC (Virtual Private Cloud) spanning two data centers in different regions (I will use AWS Oregon and AWS N. California). This is mandatory to test and run multi-data-center solutions. We will need to create a VPN (Virtual Private Network) over the internet; to do that we will use Openswan.

This task is very complicated and has several steps; it is easy to make a mistake and mess everything up, so be very careful. The whole exercise could easily take 3h or more. I also want to say thanks to my friend Joao Palma (AWS Solution Architect), who supported me on this task :-) and has extreme patience and know-how on the hard-core DevOps Amazon cloud things :-)


How to configure a VPC site-2-site EC2 with 2 regions on AWS

tutorial Link: http://aws.amazon.com/articles/5472675506466066

VPN OpenSwan Site2Site 2 Regions AWS

Oregon

CIDR            10.0.0.0/16
public subnet   10.0.0.0/24
private subnet  10.0.1.0/24
vpn ip private  10.0.0.126/32      (THIS WILL DIFFER FOR YOU; GET IT FROM THE AWS CONSOLE)
vpn ip public   500.500.500.55/32  (THIS WILL DIFFER FOR YOU; GET IT FROM THE AWS CONSOLE)

California

CIDR            192.169.0.0/16
public subnet   192.169.0.0/24
private subnet  192.169.1.0/24
vpn ip private  192.169.0.247/32    (THIS WILL DIFFER FOR YOU; GET IT FROM THE AWS CONSOLE)
vpn ip public   500.500.500.755/32  (THIS WILL DIFFER FOR YOU; GET IT FROM THE AWS CONSOLE)

Creating a VPC

  1. VPC wizard
    Select (2) VPC with public and private subnets
    VPC name: oregon_vpc_redis
    az: us-west-2a - oregon
    az: us-west-1a - california
    use the table at the top for the CIDRs and subnets

  2. create a security group for the NAT instance and assign it; name it sg_nat

  3. SSH to the NAT instances and update the OS:

ping www.terra.com.br
sudo yum update -y

Create VPN Instances and associate EIP

  1. Associate EIP on VPN_INSTANCE oregon
  2. Associate EIP on VPN_INSTANCE california
  3. Disable Source Check for both california and oregon

Enable SG ports

sg_vpn_instance_california_to_EIP_oregon: allow ports 500 and 4500 (UDP) from the Oregon EIP
sg_vpn_instance_oregon_to_EIP_california: allow ports 500 and 4500 (UDP) from the California EIP
add an inbound rule to SG_vpn_instance for the Oregon CIDR
add an inbound rule to SG_vpn_instance for the California CIDR

SSH to the NAT instance

Oregon / California

sudo su -
yum install telnet -y

Add route table

Oregon / California

  1. Go to EC2 instances and click on eth0 of the vpn_instance
  2. note its network interface ID (ENI_VPN_INSTANCE)
  3. in Oregon, add a route to the California CIDR 192.169.0.0/16 with target ENI_VPN_INSTANCE (in California, the route goes to the Oregon CIDR 10.0.0.0/16 via its own ENI_VPN_INSTANCE)
  4. do the same for both subnets (public and private)

Install Openswan

Oregon

sudo yum install openswan -y
sudo vi /etc/ipsec.conf
remove the # on the last line (the include of /etc/ipsec.d/*.conf) so the connection file below is read
sudo vi /etc/ipsec.d/oregon-to-california.conf
conn oregon-to-california
        type=tunnel
        authby=secret
        left=%defaultroute
        # this end: Oregon EIP and Oregon VPC CIDR
        leftid=500.500.500.55
        leftnexthop=%defaultroute
        leftsubnet=10.0.0.0/16
        # other end: California EIP and California VPC CIDR
        right=500.500.500.755
        rightsubnet=192.169.0.0/16
        pfs=yes
        auto=start
sudo vi /etc/ipsec.d/oregon-to-california.secrets
# local EIP, remote EIP, and the pre-shared key; the same key string must be used on the California side
500.500.500.55/32 500.500.500.755/32: PSK "YOUR_SHARE_SECURE_PASS_JUST_STRING_LONG"

sudo service ipsec start

sudo chkconfig ipsec on

sudo vi /etc/sysctl.conf
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

sudo service network restart

for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $f; done 
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $f; done

sudo service network restart

California

sudo yum install openswan -y
sudo vi /etc/ipsec.conf
remove the # on the last line (the include of /etc/ipsec.d/*.conf) so the connection file below is read

sudo vi /etc/ipsec.d/california-to-oregon.conf
conn oregon-to-california
        type=tunnel
        authby=secret
        left=%defaultroute
        # this end: California EIP and California VPC CIDR
        leftid=500.500.500.755
        leftnexthop=%defaultroute
        leftsubnet=192.169.0.0/16
        # other end: Oregon EIP and Oregon VPC CIDR
        right=500.500.500.55
        rightsubnet=10.0.0.0/16
        pfs=yes
        auto=start
sudo vi /etc/ipsec.d/california-to-oregon.secrets
# local EIP, remote EIP, and the pre-shared key; must be the same key string as in the Oregon secrets file
500.500.500.755/32 500.500.500.55/32: PSK "YOUR_SHARE_SECURE_PASS_JUST_STRING_LONG"

sudo service ipsec start

sudo chkconfig ipsec on
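The two conn files and the two secrets files must mirror each other exactly: what is left on one end is right on the other, and the PSK string must be identical on both sides. Editing four files by hand in two regions is exactly where a copy-paste slip creeps in. The script below is an added example, not code from the original post or from the AWS article: it generates all four files from one set of variables and then checks the pair for consistency. The EIPs and CIDRs are the post's placeholders, the PSK is a placeholder to be replaced on both ends, the conn names follow the file names, and the output directory is an assumption (on a real instance the files go under /etc/ipsec.d/). Two caveats worth knowing: 192.169.0.0/16 is not an RFC 1918 private range (192.168.0.0/16 is), so the post's California CIDR overlaps publicly routable space, and the conn pins no ike=/phase2alg= proposals, so Openswan's package defaults apply.

```shell
#!/bin/bash
# Added example (not from the original post): generate the two mirrored Openswan
# connection files and secrets from one set of variables, so the left/right values
# cannot drift between the two ends. IPs and CIDRs are the post's placeholders;
# the PSK is a constructed placeholder that must be replaced on both ends.
set -eu

OREGON_EIP="500.500.500.55"
OREGON_CIDR="10.0.0.0/16"
CALIFORNIA_EIP="500.500.500.755"
CALIFORNIA_CIDR="192.169.0.0/16"
PSK="YOUR_SHARE_SECURE_PASS_JUST_STRING_LONG"

# write_conn NAME LOCAL_EIP LOCAL_CIDR REMOTE_EIP REMOTE_CIDR
# Prints a conn section in which "left" is always the local end.
write_conn() {
    name=$1 local_eip=$2 local_cidr=$3 remote_eip=$4 remote_cidr=$5
    cat <<EOF
conn $name
        type=tunnel
        authby=secret
        left=%defaultroute
        leftid=$local_eip
        leftnexthop=%defaultroute
        leftsubnet=$local_cidr
        right=$remote_eip
        rightsubnet=$remote_cidr
        pfs=yes
        auto=start
EOF
}

# write_secret LOCAL_EIP REMOTE_EIP: one secrets line in the post's format
write_secret() {
    printf '%s/32 %s/32: PSK "%s"\n' "$1" "$2" "$PSK"
}

# generate OUTDIR: writes the four files the post edits by hand (assumed layout:
# OUTDIR/oregon/* and OUTDIR/california/*, to be copied into /etc/ipsec.d/ on each end)
generate() {
    outdir=$1
    mkdir -p "$outdir/oregon" "$outdir/california"
    write_conn oregon-to-california "$OREGON_EIP" "$OREGON_CIDR" "$CALIFORNIA_EIP" "$CALIFORNIA_CIDR" \
        > "$outdir/oregon/oregon-to-california.conf"
    write_secret "$OREGON_EIP" "$CALIFORNIA_EIP" > "$outdir/oregon/oregon-to-california.secrets"
    write_conn california-to-oregon "$CALIFORNIA_EIP" "$CALIFORNIA_CIDR" "$OREGON_EIP" "$OREGON_CIDR" \
        > "$outdir/california/california-to-oregon.conf"
    write_secret "$CALIFORNIA_EIP" "$OREGON_EIP" > "$outdir/california/california-to-oregon.secrets"
}

# value FILE KEY: read KEY=value from a conn file
value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1"
}

# check_mirror OUTDIR: left of one end must equal right of the other and vice
# versa, and both secrets files must carry the same PSK. Returns 0 when consistent.
check_mirror() {
    a=$1/oregon/oregon-to-california.conf
    b=$1/california/california-to-oregon.conf
    [ "$(value "$a" leftid)" = "$(value "$b" right)" ] || return 1
    [ "$(value "$a" leftsubnet)" = "$(value "$b" rightsubnet)" ] || return 1
    [ "$(value "$b" leftid)" = "$(value "$a" right)" ] || return 1
    [ "$(value "$b" leftsubnet)" = "$(value "$a" rightsubnet)" ] || return 1
    [ "$(sed 's/.*PSK //' "$1/oregon/oregon-to-california.secrets")" = \
      "$(sed 's/.*PSK //' "$1/california/california-to-oregon.secrets")" ] || return 1
    return 0
}

# usage: ./gen-vpn.sh /tmp/vpn-config
if [ -n "${1:-}" ]; then
    generate "$1"
    check_mirror "$1" && echo "generated under $1, both ends consistent"
fi
```

Run it once on a workstation, copy each directory to the matching instance, and keep the generated secrets files out of version control; the check catches the kind of swapped leftid/rightsubnet that a manual edit of the second region tends to produce.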

sudo vi /etc/sysctl.conf
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

sudo service network restart

sudo su -
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > $f; done 
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > $f; done

sudo service network restart
sudo service ipsec restart

sudo ipsec verify
sudo service ipsec status
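ipsec verify and the service status only tell you about the IPsec side. What makes the VPN instance actually route for the rest of the VPC is the kernel state edited above: forwarding on, ICMP redirects neither sent nor accepted, and not only under conf/all but for every interface, because the kernel combines the all/ value with the per-interface value (that is why the post loops over /proc/sys/net/ipv4/conf/*/ as well as editing sysctl.conf). The script below is an added example, not from the original post, that audits exactly those values and lists anything that is off. The ROOT argument is an assumption so the check can be exercised offline against a constructed /proc tree; on a live instance run it with AUDIT_LIVE=1 and an empty root.

```shell
#!/bin/bash
# Added example (not from the original post): audit the kernel settings the post
# changes on the VPN instance. ROOT is an assumption that lets the check run against
# a constructed /proc tree; on a live host the root is empty, i.e. the real /proc.
set -eu

# expect FILE VALUE: print a finding when FILE is missing or does not hold VALUE
expect() {
    if [ ! -r "$1" ]; then
        echo "missing $1"
    elif [ "$(cat "$1")" != "$2" ]; then
        echo "$1 = $(cat "$1") (want $2)"
    fi
}

# audit_forwarding ROOT: lists every setting that is not what the VPN instance
# needs (ip_forward=1, send_redirects=0 and accept_redirects=0 on every
# interface, conf/all and conf/default included). Returns 0 when all is well.
audit_forwarding() {
    root=${1:-}
    base=$root/proc/sys/net/ipv4
    findings=$(
        expect "$base/ip_forward" 1
        for f in "$base"/conf/*/send_redirects "$base"/conf/*/accept_redirects; do
            expect "$f" 0
        done
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# make_fake_proc ROOT IP_FORWARD REDIRECTS_ALL REDIRECTS_ETH0: constructed /proc
# tree for testing, with conf/all and conf/default sharing one value and eth0 another
make_fake_proc() {
    for iface in all default eth0; do
        mkdir -p "$1/proc/sys/net/ipv4/conf/$iface"
    done
    echo "$2" > "$1/proc/sys/net/ipv4/ip_forward"
    for iface in all default; do
        echo "$3" > "$1/proc/sys/net/ipv4/conf/$iface/send_redirects"
        echo "$3" > "$1/proc/sys/net/ipv4/conf/$iface/accept_redirects"
    done
    echo "$4" > "$1/proc/sys/net/ipv4/conf/eth0/send_redirects"
    echo "$4" > "$1/proc/sys/net/ipv4/conf/eth0/accept_redirects"
}

# usage on the VPN instance itself: AUDIT_LIVE=1 ./audit-forwarding.sh
if [ "${AUDIT_LIVE:-}" = 1 ]; then
    audit_forwarding "" && echo "forwarding and redirect settings OK"
fi
```

A non-empty report after the sysctl.conf edit usually means the per-interface files were not touched (the post's for-loop) or the setting was applied before an interface came up; rerun the loop and the audit until it is clean, then restart ipsec.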

DONE :-)

Screen Shots (the post's image files, listed by name; the images themselves are not reproduced here)

0_oregon_vpc
1_vpc_california
2_create_sg_nat
3_sg_nat_acess_himself
4_eip_vpn_nat_california
5_eip_vpn_nat_oregon
6_disable_source_check
7_vpn_instance_nat_california
8_vpn_instance_oregon
9_sg_vpn_instance_oregon
10_sg_vpn_instance_caliornia
11_ENI_california
12_eni_oregon
14_route_table_california
14_route_table_oregon



Cheers,
Diego Pacheco
Tags: update,
