Setting up site-to-site on AWS Virtual Gateway

      Note: If your device/service supports SHA256 and DH group 14, it is recommended to use these settings instead of the defaults.

      Please note, the choice between Transit Gateway or a simple Virtual Gateway depends on your AWS architecture. If you are not sure, we encourage you to visit AWS's official documentation.

      Configuring the tunnel in the AWS Console

      1. Go to the VPC section in the AWS Console

      2. Under Services, scroll down to Networking & Content Delivery and select VPC


      3. In the left menu, under the Virtual Private Network (VPN) section, go to Customer Gateways


      4. Select Create Customer Gateway

      5. Select static routing

      6. Fill in the IP address of your NordLayer dedicated server

      7. Select Create Customer Gateway. A message should display indicating that the gateway was created successfully


      Configuring a virtual private gateway

      If you already have a virtual private gateway attached to your VPC, skip this section and continue at Creating a virtual private network connection.

      1. Go back to Services, scroll down to Networking & Content Delivery, and select VPC


      2. On the left side, under Virtual Private Network (VPN), select Virtual Private Gateways


      3. Select Create Virtual Private Gateway


      4. Type the name of the gateway (for example US_HQ)

      5. For ASN, select Amazon default ASN

      6. Select Create Virtual Private Gateway


      A message should display indicating that the Virtual Private Gateway was created successfully.

      7. Select the newly created gateway and select Actions; in the context menu, select Attach to VPC


      8. From the drop-down menu, select the VPC and select Yes, Attach

      Creating a virtual private network connection

      1. Under Virtual Private Network (VPN) in the left menu, go to Site-to-Site VPN Connections


      2. Select Create VPN Connection


      3. Enter the name tag (for example EU_Office)

      4. Select the Virtual Private Gateway you created

      5. Under Customer Gateway, select Existing

      6. Select the Customer Gateway that you have created

      7. Under Routing Options, select Static

      8. Fill in the following Static IP Prefix: 10.6.0.0/20


      9. Under Tunnel Options, leave the default values as-is (or apply the SHA256 and DH group 14 settings from the note at the top of this article if your device supports them)

      10. Select Create VPN Connection


      On this page you can also select the inside subnets that you would like to connect via the tunnel.

      11. A message should display indicating that a VPN Connection Request was created successfully

      Configuring the routing rules to the default gateway

      1. Select the VPC section in the AWS Console and enter the Route table associated with your VPC


      2. Under the Route Tables menu option, select the route table that is associated with the VPC you have created for the tunnel


      3. Select Edit and add the new static route for the subnet below:


      Fill in 10.6.0.0/20 in the Destination field and your new VPN Gateway ID as the Target (it will appear under the subcategory Virtual Private Gateway).

      4. Select Save

      If you have a custom security group associated with your VPC:

      Allow incoming connections from the NordLayer local network within your security groups: configure your AWS security groups to allow all traffic from NordLayer (10.6.0.0/20), or allow only the specific ports or services you need from that source.

      Collecting the tunnel configuration from the AWS Console

      1. Return to Site-to-Site VPN Connections and select Download Configuration


      2. Fill in the following details and click on "Download".


      Obtain IPSEC Tunnel #1 details

      1. Open the configuration file which you have just downloaded and scroll down to the section labeled conn Tunnel1.



      2. Make a note of these details as they will be needed for the VPN server configuration:
      • IKE version: IKEv2 (recommended)
      • Remote IP (right): your AWS remote IP
      • Encryption settings: IKE encryption and DH group
      • Local IP (-ll): local tunnel IP
      • Remote IP (-lr): remote tunnel IP
      • Mark (-m): specified in the config
      • Pre-shared key (PSK): your pre-shared key / secret

      Obtain IPSEC Tunnel #2 details

      1. Within the same configuration file, scroll down to locate the section labeled conn Tunnel2.
      2. Take note of the following details as they will be required for configuring the Site-to-Site connection:
      • IKE version: IKEv2 (recommended)
      • Remote IP (right): your AWS remote IP
      • Encryption settings: IKE encryption and DH group
      • Local IP (-ll): local tunnel IP
      • Remote IP (-lr): remote tunnel IP
      • Mark (-m): specified in the config
      • Pre-shared key (PSK): your pre-shared key / secret
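      As an added example (not part of this article and not NordLayer's or AWS's own tooling), the following Python script pulls the Tunnel #1 and Tunnel #2 details listed above out of the downloaded file and flags IKE proposals that fall short of the SHA256 / DH group 14 recommendation at the top of this article. It assumes the strongSwan-style text format of the AWS download (conn Tunnel1 / conn Tunnel2 stanzas with key=value lines); the sample configuration embedded in it is constructed, and the pre-shared key and local/remote tunnel IPs are not in the conn stanzas, so they are not parsed here.

```python
import re

# Constructed sample in the strongSwan ("Generic") style of the AWS download;
# the addresses and mark values are made up for illustration.
SAMPLE_CONFIG = """\
conn Tunnel1
    right=198.51.100.21
    keyexchange=ikev2
    ike=aes128-sha1-modp1024
    mark=100

conn Tunnel2
    right=198.51.100.22
    keyexchange=ikev2
    ike=aes256-sha256-modp2048
    mark=200
"""

# strongSwan algorithm names that fall short of the article's recommendation
# (SHA256 integrity and DH group 14, which strongSwan calls modp2048).
WEAK_PARTS = {
    "sha1": "SHA1 integrity; SHA256 recommended",
    "modp1024": "DH group 2 (modp1024); group 14 (modp2048) recommended",
}

def parse_conns(text):
    """Return {conn_name: {key: value}} for every 'conn <name>' stanza."""
    conns, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r"^conn\s+(\S+)$", line)
        if m:
            current = conns.setdefault(m.group(1), {})
        elif current is not None and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return conns

def proposal_warnings(proposal):
    """List weak pieces of a strongSwan proposal such as 'aes128-sha1-modp1024'."""
    return [f"{alt}: {WEAK_PARTS[p]}" for alt in proposal.split(",")
            for p in alt.split("-") if p in WEAK_PARTS]

def tunnel_summary(text):
    """Per-tunnel details the article asks you to note, plus any crypto warnings."""
    return {name: {"ike_version": kv.get("keyexchange"), "remote_ip": kv.get("right"),
                   "ike_proposal": kv.get("ike"), "mark": kv.get("mark"),
                   "warnings": proposal_warnings(kv.get("ike", ""))}
            for name, kv in parse_conns(text).items()}
```

      Run it against the real download by replacing SAMPLE_CONFIG with the file contents; a non-empty warnings list for a tunnel means the AWS default proposal is still in use.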

      Submitting Site-to-Site request form

      Once you have obtained all necessary details from the AWS config (IPSEC Tunnel #1 and IPSEC Tunnel #2), proceed by submitting our Site-to-Site Request form.

      Note: Once the Site-to-Site request form is submitted, please allow 24-48 hours for our team to handle your request.

      Note: If you are experiencing different results, make sure that you have carefully gone through all the steps. If the issue persists, please feel free to contact our 24/7 customer support team.

