Setting up site-to-site on AWS Transit Gateway

      Note: If your device or service supports SHA256 and DH group 14 (modp2048), use these settings instead of the SHA1 and DH group 2 (modp1024) proposal that AWS otherwise uses in the generated configuration.

      Please note that the choice between a Transit Gateway and a simple Virtual Private Gateway depends on your AWS architecture. If you are not sure, consult AWS's official documentation.

      Creating the Transit Gateway

      1. Go to the VPC section in the AWS Console

      2. Under the left panel, select Transit Gateways

      3. Click on Create transit gateway at the top

      4. Fill in the following details:

      • Name tag - Insert the name of the Transit Gateway
      • You can keep the default parameters for the rest of the attributes. Note that the defaults enable default route table association and propagation, so every attachment you create later lands in the same route table and the attached VPCs can route to each other as well as to NordLayer. This guide assumes those defaults; if that reachability is not intended, disable them and use separate route tables.

      5. Click on Create transit gateway

      Creating the Transit Gateway attachments

      1. On the left pane, select Transit Gateway Attachments

      2. Click on Create transit gateway attachment at the top

      3. Fill in the following information and select Create transit gateway attachment

      • Name tag: Insert the name of the Transit Gateway Attachment
      • Transit gateway ID: Pick the newly created Transit gateway
      • Attachment Type: VPC
      • VPC ID: Select the relevant VPC
      • You can keep the other attributes at their default values

      Note: Repeat the above procedure for each VPC that should be reachable over the tunnel.

      Creating the Transit Gateway VPN attachment

      1. Click on Create transit gateway attachment at the top

      2. Fill in the following details

      • Transit Gateway ID: Choose your newly created Transit Gateway
      • Attachment type: VPN
      • Customer Gateway ID: New
      • IP Address: the public IP address of your NordLayer dedicated server
      • BGP ASN: Leave the default value (it is not used with static routing)
      • Routing Options: Static
      • For the other attributes, leave them at their default values

      3. Click on Create transit gateway attachment

      Note: This may take several minutes. Creating the VPN attachment also creates a Site-to-Site VPN connection, which is where the tunnel configuration is downloaded from later.

      If you have 2 VPCs, the Transit gateway attachments section should now list three attachments: the two VPC attachments and the VPN attachment.

      Configuring the routing on AWS platform

      1. Go to the VPC section in the AWS Console. Under Transit Gateways, select Transit Gateway Route Tables

      2. Choose the relevant Transit Gateway Route Table record

      3. On the bottom, choose Propagations

      4. Verify that all of the Transit Gateway Attachments are included. If you have 2 VPCs, there should be three propagations: the two VPC attachments and the VPN attachment.

      In case one of the Transit Gateway Attachments is missing, click on Create propagation and add the missing record(s).

      5. On the bottom, select Associations

      6. Verify that all of the Transit Gateway Attachments are included (same as step 4)

      7. At the bottom, near the Propagations tab, select Routes

      8. Click on Create static route and fill in the following details:

      • CIDR: Insert the NordLayer subnet, which is 10.6.0.0/20
      • Choose attachment: Choose the VPN attachment

      If you have 2 VPCs, the Routes tab should now show the static route for 10.6.0.0/20 pointing at the VPN attachment plus one propagated route per VPC CIDR.

      9. On the left side, under Virtual Private Cloud, click on Route Tables

      10. Select the Route Table for one of the attached VPCs

      11. On the bottom, click on Routes

      12. Click on Edit Routes; in the newly opened window select Add route and fill in the following details:

      • Destination: Your NordLayer network subnet - 10.6.0.0/20
      • Target: Choose Transit Gateway and pick the relevant Transit Gateway

      13. Click on Save changes

      Repeat steps 10-13 for the other attached VPCs. A VPC can have several route tables; every route table used by a subnet that must reach NordLayer needs this route. The route only permits forwarding: traffic from 10.6.0.0/20 must also be allowed by the security groups and network ACLs of the instances you want to reach.
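The verification in steps 4, 6, 8 and 12 is easy to get wrong when there are several VPCs and route tables, so here is an added example (not NordLayer's or AWS's own code) that performs the same checks on data in the shape boto3 returns from get_transit_gateway_route_table_propagations, get_transit_gateway_route_table_associations, search_transit_gateway_routes and describe_route_tables. The resource IDs and route tables in sample_inputs() are constructed so the check runs offline; against a live account you would pass in the real responses instead.

```python
"""Post-setup check of the Transit Gateway and VPC routing configured above.

Added example. Input dictionaries mirror boto3 response items; sample_inputs()
is constructed with made-up IDs (two VPCs, one VPN attachment, all correct).
"""
import ipaddress

NORDLAYER_CIDR = "10.6.0.0/20"   # NordLayer subnet from the article


def check_tgw_routing(tgw_id, vpc_attachments, vpn_attachment_id,
                      propagations, associations, tgw_routes, vpc_route_tables,
                      cidr=NORDLAYER_CIDR):
    """Return a list of problems; an empty list means the routing matches the steps above.

    vpc_attachments maps each VPC attachment ID to its VPC ID.
    """
    problems = []
    wanted = set(vpc_attachments) | {vpn_attachment_id}
    target = ipaddress.ip_network(cidr)

    # Propagations and Associations tabs: every attachment must be present
    propagated = {p["TransitGatewayAttachmentId"] for p in propagations if p.get("State") == "enabled"}
    associated = {a["TransitGatewayAttachmentId"] for a in associations if a.get("State") == "associated"}
    problems += [f"propagation missing for {a}" for a in sorted(wanted - propagated)]
    problems += [f"association missing for {a}" for a in sorted(wanted - associated)]

    # Routes tab: the static route for the NordLayer subnet must point at the VPN attachment
    static = [r for r in tgw_routes
              if r.get("Type") == "static" and r.get("State") == "active"
              and ipaddress.ip_network(r["DestinationCidrBlock"], strict=False) == target]
    if not static:
        problems.append(f"no active static route for {cidr} in the transit gateway route table")
    for r in static:
        targets = {t["TransitGatewayAttachmentId"] for t in r.get("TransitGatewayAttachments", [])}
        if targets != {vpn_attachment_id}:
            problems.append(f"static route for {cidr} targets {sorted(targets)}, not the VPN attachment")

    # VPC route tables: each table of an attached VPC needs cidr -> this transit gateway
    attached_vpcs = set(vpc_attachments.values())
    for rt in vpc_route_tables:
        if rt.get("VpcId") not in attached_vpcs:
            continue
        ok = any(ipaddress.ip_network(route.get("DestinationCidrBlock", "0.0.0.0/32"), strict=False) == target
                 and route.get("TransitGatewayId") == tgw_id
                 and route.get("State") == "active"
                 for route in rt.get("Routes", []))
        if not ok:
            problems.append(f"{rt['RouteTableId']} ({rt['VpcId']}) has no route {cidr} -> {tgw_id}")
    return problems


def sample_inputs():
    """Constructed data (made-up IDs) for two VPCs and one VPN attachment, all configured correctly."""
    tgw = "tgw-0123456789abcdef0"
    vpcs = {"tgw-attach-0aaaaaaaaaaaaaaaa": "vpc-0aaaaaaaaaaaaaaaa",
            "tgw-attach-0bbbbbbbbbbbbbbbb": "vpc-0bbbbbbbbbbbbbbbb"}
    vpn = "tgw-attach-0cccccccccccccccc"
    every = list(vpcs) + [vpn]
    return {
        "tgw_id": tgw,
        "vpc_attachments": vpcs,
        "vpn_attachment_id": vpn,
        "propagations": [{"TransitGatewayAttachmentId": a, "State": "enabled"} for a in every],
        "associations": [{"TransitGatewayAttachmentId": a, "State": "associated"} for a in every],
        "tgw_routes": [
            {"DestinationCidrBlock": NORDLAYER_CIDR, "Type": "static", "State": "active",
             "TransitGatewayAttachments": [{"TransitGatewayAttachmentId": vpn, "ResourceType": "vpn"}]},
            {"DestinationCidrBlock": "10.10.0.0/16", "Type": "propagated", "State": "active",
             "TransitGatewayAttachments": [{"TransitGatewayAttachmentId": every[0], "ResourceType": "vpc"}]},
        ],
        "vpc_route_tables": [
            {"RouteTableId": "rtb-0aaaaaaaaaaaaaaaa", "VpcId": "vpc-0aaaaaaaaaaaaaaaa",
             "Routes": [{"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "local", "State": "active"},
                        {"DestinationCidrBlock": NORDLAYER_CIDR, "TransitGatewayId": tgw, "State": "active"}]},
            {"RouteTableId": "rtb-0bbbbbbbbbbbbbbbb", "VpcId": "vpc-0bbbbbbbbbbbbbbbb",
             "Routes": [{"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local", "State": "active"},
                        {"DestinationCidrBlock": NORDLAYER_CIDR, "TransitGatewayId": tgw, "State": "active"}]},
        ],
    }


def run_sample():
    """Run the check on the constructed data; returns [] because the sample is correct."""
    return check_tgw_routing(**sample_inputs())


if __name__ == "__main__":
    for line in run_sample() or ["routing OK"]:
        print(line)
```

The check is deliberately strict about VPC route tables: it reports every route table of an attached VPC that lacks the 10.6.0.0/20 route, because a subnet using such a table silently cannot reach NordLayer even though the Transit Gateway side looks complete.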

      Collecting the tunnel configuration from the AWS Console

      1. In the VPC console, under Virtual Private Network, open Site-to-Site VPN Connections, select the VPN connection that was created with the VPN attachment and click Download Configuration

      2. Choose the vendor, platform, software and IKE version that match your device and click "Download".

      Obtain IPSEC Tunnel #1 details

      1. Open the configuration file you have just downloaded and scroll to the section labelled conn Tunnel1.

      2. Make a note of these details, as they will be needed for the VPN server configuration:
      • IKE version: IKEv2 (recommended)
      • Remote IP (right): the AWS tunnel's outside IP address
      • Encryption settings: IKE encryption algorithm and DH group
      • Local IP (-ll): local (inside) tunnel IP
      • Remote IP (-lr): remote (inside) tunnel IP
      • Mark (-m): as specified in the config
      • Pre-shared key (PSK): your pre-shared key / secret

      Obtain IPSEC Tunnel #2 details

      1. Within the same configuration file, scroll down to the section labelled conn Tunnel2.

      2. Take note of the same seven details as for Tunnel #1 (IKE version, remote IP, encryption settings, local and remote tunnel IPs, mark and pre-shared key). The second tunnel has its own AWS outside IP, inside tunnel IPs, mark and pre-shared key; do not reuse the Tunnel #1 values.
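Extracting the details for both tunnels can be scripted, which also makes it easy to check the proposals against the SHA256 / DH group 14 note at the top of this article. The following is an added example, not NordLayer's or AWS's code: it parses strongSwan-style ipsec.conf and ipsec.secrets text. The two sample strings are constructed to mimic the layout of the AWS-generated file (RFC 5737 documentation addresses, made-up pre-shared keys), and the -ll / -lr / -m flags in the leftupdown line follow the names the article uses.

```python
"""Pull the Tunnel1 / Tunnel2 details out of the downloaded AWS config and flag weak crypto.

Added example. The sample config below is constructed; it only mimics the layout
of the strongSwan-style file AWS generates, with documentation addresses and fake PSKs.
"""
import re

# Constructed sample: both tunnels still use the SHA1 / DH group 2 proposal that the
# note at the top of the article advises replacing.
SAMPLE_IPSEC_CONF = """\
conn Tunnel1
\tauto=start
\tleft=%defaultroute
\tleftid=203.0.113.10
\tright=198.51.100.21
\ttype=tunnel
\tleftauth=psk
\trightauth=psk
\tkeyexchange=ikev2
\tike=aes128-sha1-modp1024
\tesp=aes128-sha1-modp1024
\tleftupdown="/etc/strongswan.d/ipsec-vti.sh -ln Tunnel1 -ll 169.254.10.2/30 -lr 169.254.10.1/30 -m 100 -r 100"
\tmark=100

conn Tunnel2
\tauto=start
\tleft=%defaultroute
\tleftid=203.0.113.10
\tright=198.51.100.22
\ttype=tunnel
\tleftauth=psk
\trightauth=psk
\tkeyexchange=ikev2
\tike=aes128-sha1-modp1024
\tesp=aes128-sha1-modp1024
\tleftupdown="/etc/strongswan.d/ipsec-vti.sh -ln Tunnel2 -ll 169.254.11.2/30 -lr 169.254.11.1/30 -m 200 -r 200"
\tmark=200
"""

SAMPLE_IPSEC_SECRETS = """\
203.0.113.10 198.51.100.21 : PSK "constructed-psk-for-tunnel-1"
203.0.113.10 198.51.100.22 : PSK "constructed-psk-for-tunnel-2"
"""

# algorithm names that should no longer appear in the ike= / esp= proposals
WEAK = {"sha1": "SHA1", "md5": "MD5", "modp768": "DH group 1",
        "modp1024": "DH group 2", "modp1536": "DH group 5"}


def parse_aws_strongswan(ipsec_conf, ipsec_secrets):
    """Return {tunnel name: details} holding the fields the article asks you to note."""
    secrets = {}
    for line in ipsec_secrets.splitlines():
        m = re.match(r'^\s*(\S+)\s+(\S+)\s*:\s*PSK\s+"([^"]*)"', line)
        if m:
            secrets[(m.group(1), m.group(2))] = m.group(3)   # keyed by (leftid, right)

    sections, current = {}, None
    for raw in ipsec_conf.splitlines():
        line = raw.split("#", 1)[0].strip()                 # drop comments and indentation
        if not line:
            continue
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value.strip('"')

    def updown_flag(updown, flag):
        m = re.search(rf"(?:^|\s){flag}\s+(\S+)", updown)
        return m.group(1) if m else None

    tunnels = {}
    for name, kv in sections.items():
        if not name.startswith("Tunnel"):
            continue                                           # skip %default and similar
        updown = kv.get("leftupdown", "")
        tunnels[name] = {
            "ike_version": kv.get("keyexchange"),
            "remote_ip": kv.get("right"),                      # AWS outside tunnel IP
            "ike": kv.get("ike"),
            "esp": kv.get("esp"),
            "local_tunnel_ip": updown_flag(updown, "-ll"),
            "remote_tunnel_ip": updown_flag(updown, "-lr"),
            "mark": updown_flag(updown, "-m") or kv.get("mark"),
            "psk": secrets.get((kv.get("leftid"), kv.get("right"))),
        }
    return tunnels


def weak_settings(tunnel):
    """List every weak algorithm found in the tunnel's IKE and ESP proposals."""
    findings = []
    for phase in ("ike", "esp"):
        for alg in (tunnel.get(phase) or "").lower().replace(",", "-").split("-"):
            alg = alg.rstrip("!")
            if alg in WEAK:
                findings.append(f"{phase}: {alg} ({WEAK[alg]})")
    return findings


def hardened_proposal(proposal):
    """Rewrite a proposal to SHA256 / DH group 14 (modp2048), as the note above recommends."""
    return proposal.replace("sha1", "sha256").replace("modp1024", "modp2048")


if __name__ == "__main__":
    for name, t in parse_aws_strongswan(SAMPLE_IPSEC_CONF, SAMPLE_IPSEC_SECRETS).items():
        shown = {k: ("****" if k == "psk" else v) for k, v in t.items()}  # never print the PSK
        print(name, shown, weak_settings(t), "->", hardened_proposal(t["ike"]))
```

The script masks the pre-shared keys when printing; keep the parsed PSK values in memory only for as long as you need to fill in the request form.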

      Submitting Site-to-Site request form

      Once you have obtained all necessary details from the AWS config for IPSEC Tunnel #1 and IPSEC Tunnel #2, proceed by submitting our Site-to-Site request form. Treat the pre-shared keys as secrets: submit them only through the request form, not by email or chat.

      Note: Once the Site-to-Site request form is submitted, please allow our team 24-48 hours to handle your request.

      Note: If you are experiencing different results, make sure that you have carefully gone through all the steps. If the issue persists, please contact our 24/7 customer support team.

