---
title: "Setting up site-to-site on AWS Virtual Gateway"
slug: "site-to-site-aws-virtual-gateway"
description: "The choice between Transit Gateway or a simple Virtual Gateway depends on your AWS architecture. If your device/service supports SHA256 and DH group 14, it is recommended to use these settings instead."
updated: 2026-05-07T08:55:53Z
published: 2026-05-07T08:55:53Z
---

# Setting up site-to-site on AWS Virtual Gateway

**Note**: If your device/service supports SHA256 and DH group 14, it is recommended to use these settings instead.

Please note that the choice between Transit Gateway and a simple Virtual Gateway depends on your AWS architecture. If you are not sure, we encourage you to visit [AWS's official documentation](https://aws.amazon.com/transit-gateway/).

## Configuring the tunnel in the AWS Console

1. Go to the **VPC section** in the **AWS Console**

![](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Screenshot%202025-11-12%20at%2011.38.11(1).png)

2. Under the left menu **Virtual Private Network (VPN)** section, go to **Customer Gateways**

![](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Screenshot%202025-11-12%20at%2011.39.11(1).png)

1. Select **Create Customer Gateway**
2. Select **static routing**
3. Fill in the IP Address of your **NordLayer server with a dedicated IP**
4. Select **Create Customer Gateway**. A message should display indicating the gateway was created successfully

![](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Screenshot%202025-11-12%20at%2011.39.53.png)

## Configuring a virtual private gateway

*If you already have a virtual private gateway attached to your VPC, skip this section and continue at **Creating a virtual private network connection**.*

1. Go back to **Services**, scroll down to **Networking & Content Delivery**, and select **VPC**

![](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Screenshot%202025-11-12%20at%2011.38.11(1).png)

1. On the left side, under **Virtual Private Network (VPN)** select **Virtual Private Gateways**

![](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Screenshot%202025-11-12%20at%2011.58.01.png)

1. Select **Create Virtual Private Gateway**

![](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Screenshot%202025-11-12%20at%2011.45.57.png)

1. Type the name of the gateway (for example US_HQ)
2. Select **ASN** as **Amazon default ASN**
3. Select **Create Virtual Private Gateway**

![](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Screenshot%202025-11-12%20at%2011.42.51.png)

*A message should display indicating that the Virtual Private Gateway was created successfully.*

1. Select the newly created gateway and select **Actions**; on the context menu select **Attach to VPC**

![](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Screenshot%202025-11-12%20at%2011.45.57(1).png)

1. From the drop-down menu, select the VPC and select **Yes, Attach**

## Creating a virtual private network connection

1. Under **Virtual Private Network (VPN)** in the left menu, go to **Site-to-Site VPN Connections**

![](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Screenshot%202025-11-12%20at%2012.24.46.png)

1. Select **Create VPN Connection**

![](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Screenshot%202025-11-12%20at%2012.24.46-2.png)

1. Enter the name tag (for example EU_Office)
2. Select the created **Virtual Private Gateway**
3. Under **Customer Gateway**, select **Existing**
4. Select the **Customer Gateway** that you have created
5. Under **Routing Options**, select **Static**
6. Fill in the following Static IP Prefixes: **10.6.0.0/20**

![](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Screenshot%202025-11-12%20at%2012.13.17.png)

1. Under **Tunnel Options** leave the default values as-is
2. Select **Create VPN Connection**

![](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Screenshot%202025-11-12%20at%2012.13.49.png)

*On this page you can also select the inside subnets that you would like to connect via the tunnel.*

1. A message should display indicating that a VPN Connection Request was created successfully

## Configuring the routing rules to the default gateway

1. Select the **VPC** section in the **AWS Console** and enter the Route table associated with your **VPC**

![](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Screenshot%202025-11-12%20at%2015.29.43.png)

1. For the **Route Tables** menu option, select the routing table that is associated with the VPC you have created for the tunnel

![](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Screenshot%202025-11-12%20at%2015.29.43-2.png)

1. Select **Edit** and add the new static routes for the subnets below:

![](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Screenshot%202025-11-12%20at%2015.30.59.png)

*Fill in **10.6.0.0/20** at the destination field and your new **VPN Gateway ID** as the target (it will appear under the subcategory Virtual Private Gateway).*

1. Select **Save**

*If you have a customized security group associated with your VPC:*

*Allow incoming connections from the NordLayer local network within your security groups: configure your AWS security groups to allow all traffic from NordLayer (**10.6.0.0/20**), or allow only specific traffic by port or service from these sources.*
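To see which of the two options a security group actually implements, the added example below (not NordLayer or AWS code) lists every inbound IPv4 rule that applies to sources in **10.6.0.0/20**. It assumes the rules are supplied in the `IpPermissions` shape returned by `aws ec2 describe-security-groups`; the sample rules and the function names are constructed for illustration.

```python
import ipaddress

VPN_NET = ipaddress.ip_network("10.6.0.0/20")  # NordLayer range from this page

# Constructed rules in the IpPermissions shape returned by
# `aws ec2 describe-security-groups`; not taken from a real group.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.6.0.0/20"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "10.6.0.0/20"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "192.168.0.0/16"}]},
]

def rules_reaching_vpn(permissions, vpn_net=VPN_NET):
    """Return (cidr, protocol, ports, scope) for IPv4 rules overlapping vpn_net."""
    rows = []
    for perm in permissions:
        proto = perm["IpProtocol"]
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        ports = "all" if proto == "-1" else str(lo) if lo == hi else f"{lo}-{hi}"
        for rng in perm.get("IpRanges", []):
            net = ipaddress.ip_network(rng["CidrIp"], strict=False)
            if not net.overlaps(vpn_net):
                continue  # rule does not apply to tunnel clients
            if net == vpn_net:
                scope = "exact"
            elif vpn_net.subnet_of(net):
                scope = "broader"   # e.g. 0.0.0.0/0 also covers the tunnel
            else:
                scope = "partial"   # only part of the /20 is admitted
            rows.append((rng["CidrIp"], proto, ports, scope))
    return rows

def all_traffic_rules(rows):
    """Rules that open every protocol and port to the matched source."""
    return [r for r in rows if r[1] == "-1"]
```

Rows with scope `broader` are worth reviewing too: they were not written for the tunnel, but they apply to its clients all the same.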

## Collecting the tunnel configuration from the AWS Console

1. Return to **Site-to-Site VPN Connections** and select **Download Configuration**

![](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Screenshot%202025-11-12%20at%2012.24.46-3.png)

1. Fill in the following details and click on "**Download**".

![](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/Screenshot%202025-11-12%20at%2012.25.10(1).png)

## Obtain IPSEC Tunnel #1 details

1. Open the configuration file you have just downloaded and scroll to **conn Tunnel1**, as shown in the screenshot below:

![AWS Tunnel Configuration](https://cdn.document360.io/fc1049cd-8f71-4b89-b9b8-dbca9fdcdd16/Images/Documentation/AWS%20Tunnel%20Configuration.png)

---

1. Make a note of these details as they will be needed for the VPN server configuration:

- **IKE version**: IKEv2 (recommended)
- **Remote IP (right)**: Your AWS Remote IP
- **Encryption settings**: IKE Encryption and DH Group
- **Local IP (-ll)**: Local Tunnel IP
- **Remote IP (-lr)**: Remote Tunnel IP
- **Mark (-m)**: specified in the config
- **Pre-shared key (PSK)**: Your Pre-Shared Key / Secret

## Obtain IPSEC Tunnel #2 details

1. Within the same configuration file, scroll down to locate the section labeled **conn Tunnel2**.
2. Take note of the following details as they will be required for configuring Site-to-Site connection:

- **IKE version**: IKEv2 (recommended)
- **Remote IP (right)**: Your AWS Remote IP
- **Encryption settings**: IKE Encryption and DH Group
- **Local IP (-ll)**: Local Tunnel IP
- **Remote IP (-lr)**: Remote Tunnel IP
- **Mark (-m)**: specified in the config
- **Pre-shared key (PSK)**: Your Pre-Shared Key / Secret
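The details listed for Tunnel #1 and Tunnel #2 can be pulled out of the file programmatically and checked against the SHA256 / DH group 14 note at the top of this page. The following is an added example, not NordLayer or AWS code: it assumes the download uses strongSwan `ipsec.conf` syntax (`conn` sections with `key=value` lines, and `-ll`/`-lr`/`-m` on a `leftupdown` line), and the sample text, addresses and function names are constructed.

```python
import re

# Constructed sample in strongSwan ipsec.conf layout (assumed download format).
SAMPLE = '''
conn Tunnel1
    right=203.0.113.10
    keyexchange=ikev1
    ike=aes128-sha1-modp1024
    esp=aes128-sha1-modp1024
    #leftupdown="aws-updown.sh -ln Tunnel1 -ll 169.254.10.2/30 -lr 169.254.10.1/30 -m 100"
conn Tunnel2
    right=203.0.113.20
    keyexchange=ikev2
    ike=aes256-sha256-modp2048
    esp=aes256-sha256-modp2048
    #leftupdown="aws-updown.sh -ln Tunnel2 -ll 169.254.20.2/30 -lr 169.254.20.1/30 -m 200"
'''
# Tokens weaker than the SHA256 / DH group 14 (modp2048) the page recommends.
WEAK = {"md5", "sha1", "modp768", "modp1024", "modp1536"}
FLAGS = {"-ll": "local_tunnel_ip", "-lr": "remote_tunnel_ip", "-m": "mark"}

def parse_tunnels(text):
    """Return {conn name: {setting: value}} for each 'conn' section."""
    tunnels, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        head = re.match(r"conn\s+(\S+)$", line)
        if head:
            current = tunnels.setdefault(head.group(1), {})
        elif current is not None and "leftupdown" in line:
            # -ll / -lr / -m live on the (usually commented) leftupdown line.
            for flag, name in FLAGS.items():
                hit = re.search(rf'(?<!\S){flag}\s+([^\s"]+)', line)
                if hit:
                    current[name] = hit.group(1)
        elif current is not None and "=" in line and not line.startswith("#"):
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return tunnels

def weak_settings(conf):
    """List settings that fall below IKEv2 / SHA256 / DH group 14."""
    kex = conf.get("keyexchange", "unset").lower()
    findings = [] if kex == "ikev2" else ["keyexchange=" + kex]
    for field in ("ike", "esp"):
        tokens = re.split(r"[-,!]", conf.get(field, "").lower())
        findings += [f"{field}:{t}" for t in tokens if t in WEAK]
    return findings
```

Calling `weak_settings()` on each entry of `parse_tunnels(text)` returns an empty list when a tunnel already meets the recommendation. The example deliberately does not read the pre-shared key, so its output is safe to paste into a ticket.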

## Ending note:

Once you have obtained all necessary details from the AWS config – **IPSEC** **Tunnel #1** and **IPSEC** **Tunnel #2** – please create a setup in the [Sites tab of the NordLayer Control Panel](/v1/docs/site-to-site).

**Note**: If you are experiencing different results, make sure that you have carefully gone through all the steps. If the issue persists, please feel free to contact our [24/7 customer support team](/docs/how-do-i-contact-nordlayer-customer-support).
