Setting Up a VPN into Amazon's Public Cloud VPC » History » Version 1

Yaron Sheffer, 26.12.2011 10:55


Setting Up a VPN into Amazon's Public Cloud VPC

The AWS VPC (Virtual Private Cloud) is somewhat inconvenient for developers. The standard way to access it is through an IPsec "hardware VPN", which in practice means dealing with BGP in addition to IPsec. This howto simplifies things by using StrongSwan to reach the VPC instances: neither hardware nor BGP is required.

Scenario

We assume a single VPC subnet with Internet access (i.e., one located behind an Internet Gateway), and a small number of clients accessing the VPC remotely from Linux machines. I believe the solution can be tweaked to allow for larger deployments.

Solution Overview

We create a new, dedicated instance that serves as the VPN gateway for the whole VPC. The solution uses tunnel-mode IPsec with IKEv2; the gateway assigns each connecting client a virtual IP address from a pool, so that client traffic reaches the VPC instances with a stable, routable source address. StrongSwan is deployed on both client and gateway.
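The following StrongSwan configuration is an added example of the architecture just described; it is not the configuration from this page. Everything in it is a placeholder assumption: a VPC CIDR of 10.0.0.0/16, a virtual IP pool of 10.1.0.0/24 (deliberately outside the VPC range), certificate authentication with the CA certificate placed in /etc/ipsec.d/cacerts on both sides, the identities vpngw.example.com and client1.example.com, and an Elastic IP of 203.0.113.10 on the gateway instance.

```ini
# --- Gateway instance: /etc/ipsec.conf (added example; all addresses and names are assumed) ---
config setup

conn vpc-gw
    keyexchange=ikev2
    type=tunnel
    auto=add                      # gateway waits for clients to initiate
    left=%defaultroute            # the gateway's VPC (private) address
    leftid=@vpngw.example.com     # assumed identity; must match the gateway certificate
    leftcert=gatewayCert.pem      # assumed file in /etc/ipsec.d/certs
    leftsubnet=10.0.0.0/16        # assumed VPC CIDR reachable through the tunnel
    leftfirewall=yes              # let StrongSwan insert the FORWARD rules in iptables
    right=%any                    # clients may connect from any address
    rightsourceip=10.1.0.0/24     # assumed virtual IP pool, outside the VPC range
    rightauth=pubkey              # clients present certificates from the same CA
    dpdaction=clear               # drop the SA of a client that went silent
    dpddelay=30s

# --- Gateway instance: /etc/ipsec.secrets ---
: RSA gatewayKey.pem

# --- Linux client: /etc/ipsec.conf ---
conn vpc
    keyexchange=ikev2
    type=tunnel
    auto=start
    left=%defaultroute
    leftid=@client1.example.com   # assumed identity; must match the client certificate
    leftcert=clientCert.pem
    leftsourceip=%config          # request a virtual IP from the gateway's pool
    right=203.0.113.10            # assumed Elastic IP of the gateway instance
    rightid=@vpngw.example.com
    rightsubnet=10.0.0.0/16       # send the whole VPC range through the tunnel
    rightauth=pubkey

# --- Linux client: /etc/ipsec.secrets ---
: RSA clientKey.pem
```

Three things outside StrongSwan decide whether this works in a VPC: the gateway must forward packets (net.ipv4.ip_forward=1), the instance's "Source/Dest. Check" attribute must be disabled, since the VPC otherwise discards packets the gateway forwards with a source address from the pool, and the gateway's security group must allow inbound UDP 500 and 4500 (the Elastic IP is a 1:1 NAT, so IKE will switch to NAT-T on 4500). Return traffic from the other instances needs either a route for 10.1.0.0/24 pointing at the gateway instance in the VPC route table, or an iptables MASQUERADE rule on the gateway that hides the pool behind the gateway's own VPC address. `ipsec statusall` on either side shows the established SA and the assigned virtual IP.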

Solution Steps

  1. Create a new VPC instance (the minimal instance type in VPC is Small). You can use an existing instance, but that would be much less secure: the gateway accepts IKE connections from the Internet and holds the VPN credentials, so it should not share a host with your application services. Note that the VPN gateway instance can be stopped when not in use and restarted later.

Configuration Files