
Creating an Active-Active VPN Tunnel with BGP in AWS

In this article we will outline the steps required to create an active-active VPN tunnel with BGP dynamic routing between Amazon Web Services (AWS) and the Total Uptime Cloud Platform.

By default, Total Uptime requires your devices (servers) to have internet-routable IPv4 or IPv6 addresses so we can direct traffic to them. By creating VPN tunnels between the Total Uptime platform and AWS, you can avoid the requirement for public IP space and securely route traffic to your cloud devices with a very high degree of availability.

Regardless of whether you use a VPN or not, Total Uptime already has direct network connectivity to Amazon Web Services with private peering to ensure high performance connectivity. Adding a VPN simply encrypts that traffic and allows you to use RFC1918 space.

Prerequisites

To begin, you will need the following:

  • An active AWS subscription
  • One or more networks on the AWS side approved by Total Uptime: _______________
  • An ASN approved by Total Uptime for use on the AWS side of the BGP connection: _______
  • Confirmation of the AWS region you wish to connect to: _______
  • The Total Uptime ASN assigned for you: _______
  • The Total Uptime VPN gateway IP addresses: _____________ and _____________
  • The Total Uptime Source IP subnets found on the dashboard of the panel.
  • Two Inside IP CIDR allocations: 169.254.x.x/30 and 169.254.y.y/30
  • A pre-shared key for the VPN (you can create this)

STEP 1: Create a Virtual Private Gateway

  1. Log in to your AWS subscription, click the Services drop-down menu, search for VPC, and select the VPC service.
  2. In the navigation pane under the VPN Connections heading select Virtual Private Gateways.
  3. Click the Create Virtual Private Gateway button.
    OPTIONAL: Type a name for the Virtual Private Gateway. This will create a tag with a key of Name and the value you specify.
  4. For ASN, select Custom ASN and enter the value from the prerequisites above.
  5. Click the Create Virtual Private Gateway button.
  6. A Create Virtual Private Gateway succeeded page will be displayed. Click the Close button.
  7. Select the newly created Virtual Private Gateway, click the Actions button, and select Attach to VPC.
  8. Select your VPC in the drop-down menu, then click the Yes, Attach button.

STEP 2: Create two Customer Gateways

In the navigation pane under the VPN Connections heading select Customer Gateways.

Create the first gateway

Click the Create Customer Gateway button.

OPTIONAL: Type a name for the Customer Gateway.  This will create a tag with a key of Name and the value you specify.

For Routing select Dynamic, then specify a BGP ASN from the prerequisites.

For IP Address, enter the first VPN gateway IP from above.

Click the Create Customer Gateway button.

A Create Customer Gateway Request Succeeded page will be displayed.

Click the Close button.

Create the second gateway

Click the Create Customer Gateway button.

OPTIONAL: Type a name for the Customer Gateway.  This will create a tag with a key of Name and the value you specify.

For Routing select Dynamic, then specify a BGP ASN from the prerequisites.

For IP Address, enter the second VPN gateway IP from above.

Click the Create Customer Gateway button.

A Create Customer Gateway Request Succeeded page will be displayed.

Click the Close button.

STEP 3: Enable Route Propagation

In the navigation pane under the Virtual Private Cloud heading select Route Tables.

Select the route table associated with the approved subnet(s) from the prerequisites section that you want routed via Total Uptime, then open the Route Propagation tab.

Click the Edit button.

Put a check mark in the Propagate box of the Virtual Private Gateway you just created.

Click the Save button.

STEP 4: Allow the Total Uptime Networks in Security Group

In the navigation pane under the Security heading select Security Groups.

Select the default security group for the VPC, then open the Inbound Rules tab.

Click the Edit button.

Click the Add another rule button and create one rule for each of the Total Uptime source IP subnets from the prerequisites.

  • For Type select All Traffic
  • For Protocol select ALL
  • For Source enter one of the subnets from above
  • OPTIONAL: Add a description

Click the Save button.

STEP 5: Create two VPN Connections

In the navigation pane under the VPN Connections heading select VPN Connections.

Create the first VPN Connection

Click the Create VPN Connection button.

OPTIONAL: Type a name for the VPN connection.  This will create a tag with a key of Name and the value you specify.

For Virtual Private Gateway select the gateway we created earlier in step 1.

For Customer Gateway select Existing.

For Customer Gateway ID select the first customer gateway we created.

For Routing Options select Dynamic (requires BGP).

For Tunnel Options specify your own inside IP CIDR and pre-shared key for the tunnels.

  • For Inside IP CIDR enter the first /30 from the prerequisites section above (169.254.x.x/30)
  • For Pre-Shared Key enter an 8 to 64 character string made up of letters, digits, underscores (_) and dots (.); it cannot begin with 0.

Click the Create VPN Connection button.

A Create VPN Connection Request Succeeded page will be displayed.

Click the Close button.

Create the second VPN Connection

Click the Create VPN Connection button.

OPTIONAL: Type a name for the VPN connection.  This will create a tag with a key of Name and the value you specify.

For Virtual Private Gateway select the gateway we created earlier.

For Customer Gateway select Existing.

For Customer Gateway ID select the second customer gateway we created.

For Routing Options select Dynamic (requires BGP).

For Tunnel Options specify your own inside IP CIDR and pre-shared key for the tunnels.

  • For Inside IP CIDR enter the second /30 from the prerequisites section above (169.254.y.y/30)
  • For Pre-Shared Key enter the same key you created for the first VPN connection.

Click the Create VPN Connection button.

A Create VPN Connection Request Succeeded page will be displayed.

Click the Close button.

STEP 6: Download the VPN Configurations

Select the first VPN connection.

Click the Download Configuration button.

  • For Vendor select Fortinet.
  • For Platform select Fortigate 40+ Series.
  • For Software select FortiOS 5.0+.

Click the Download button.

Close the Download Configuration window.

Repeat the previous steps for the second VPN connection.

Provide the downloaded configurations to Total Uptime. We will complete the VPN configurations on our side and build the BGP tunnels. If you have production infrastructure at AWS that is currently behind the Total Uptime network using elastic (static) IP addresses, please let us know.
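The same AWS-side build (steps 1 to 5) as an added boto3 example, not code from Total Uptime or this article: it enforces the pre-shared key and inside-CIDR rules quoted above before calling the EC2 API, so a bad tunnel option fails locally rather than at AWS. The `ec2` client, `vpc_id`, `route_table_id`, `sg_id`, ASN, gateway IP and subnet arguments are placeholders for the values from the prerequisites; step 6 (the vendor configuration download) is left to the console.

```python
import ipaddress
import re

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
# Pre-shared key rule from the article: 8-64 characters drawn from letters, digits,
# underscore and dot, and the key must not begin with 0.
PSK_RE = re.compile(r"(?!0)[A-Za-z0-9_.]{8,64}")


def valid_psk(psk: str) -> bool:
    """True if the pre-shared key satisfies the AWS tunnel-option constraints."""
    return PSK_RE.fullmatch(psk) is not None


def valid_inside_cidrs(first: str, second: str) -> bool:
    """Both inside CIDRs must be distinct /30 networks inside 169.254.0.0/16."""
    try:
        nets = [ipaddress.ip_network(c) for c in (first, second)]
    except ValueError:  # not a network address, e.g. host bits set
        return False
    return (all(n.prefixlen == 30 and n.subnet_of(LINK_LOCAL) for n in nets)
            and nets[0] != nets[1])


def provision(ec2, vpc_id, route_table_id, sg_id, aws_side_asn, tu_asn,
              tu_gateway_ips, tu_source_subnets, inside_cidrs, psk):
    """Steps 1-5 of the article via the EC2 API; returns the two VPN connection IDs.
    ec2 is a boto3 EC2 client; the ASNs, IPs and subnets are the prerequisite values."""
    if not valid_psk(psk) or not valid_inside_cidrs(*inside_cidrs):
        raise ValueError("tunnel options violate the AWS constraints")
    # Step 1: virtual private gateway with the approved custom ASN, attached to the VPC.
    vgw = ec2.create_vpn_gateway(Type="ipsec.1", AmazonSideAsn=aws_side_asn)
    vgw_id = vgw["VpnGateway"]["VpnGatewayId"]
    ec2.attach_vpn_gateway(VpnGatewayId=vgw_id, VpcId=vpc_id)
    # Step 3: let BGP-learned routes propagate into the subnet's route table.
    ec2.enable_vgw_route_propagation(GatewayId=vgw_id, RouteTableId=route_table_id)
    # Step 4: one all-traffic inbound rule per Total Uptime source subnet (IpProtocol -1 = ALL).
    ec2.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=[{
        "IpProtocol": "-1",
        "IpRanges": [{"CidrIp": s, "Description": "Total Uptime"} for s in tu_source_subnets]}])
    connection_ids = []
    for gw_ip, cidr in zip(tu_gateway_ips, inside_cidrs):
        # Step 2: one customer gateway per Total Uptime VPN gateway IP, using their ASN.
        cgw = ec2.create_customer_gateway(BgpAsn=tu_asn, PublicIp=gw_ip, Type="ipsec.1")
        # Step 5: a dynamic (BGP) connection per gateway, same PSK, its own /30 inside CIDR.
        conn = ec2.create_vpn_connection(
            Type="ipsec.1", VpnGatewayId=vgw_id,
            CustomerGatewayId=cgw["CustomerGateway"]["CustomerGatewayId"],
            Options={"TunnelOptions": [{"TunnelInsideCidr": cidr, "PreSharedKey": psk}]})
        connection_ids.append(conn["VpnConnection"]["VpnConnectionId"])
    return connection_ids
```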
