How can I configure a managed route-based static VPN between AWS and IBM Cloud?
I want to set up a static AWS Site-to-Site VPN connection between AWS and IBM Cloud.
Resolution
To set up a Site-to-Site VPN connection between AWS and IBM Cloud, you must do the following:
On the IBM side, configure a virtual private cloud (VPC), subnets, route tables, security groups, and access control list (ACL) rules.
On the AWS side, configure a VPC, subnets, and routing.
AWS configuration
Open the Amazon VPC console, and then create a customer gateway. Because you don't know the IP address of the IBM VPN gateway yet, you can add any details that you like. Later, you can specify the correct customer gateway IP address and Autonomous System Number (ASN).
Note: You must create the customer gateway on the AWS side. The Amazon VPC console lets you change your customer gateway after you configure it, but IBM Cloud doesn't.
Create a VPN connection. For Virtual private gateway, choose the name of the virtual private gateway that you created. For Customer gateway ID, choose the ID of the customer gateway that you created. For Routing Options, choose Static. (Optional) Under Advanced Options for Tunnel 1, turn on advanced encryption algorithms.
Open the IBM Cloud console and follow the instructions on the IBM website to create an IKE policy. Enter a name for your policy, and then enter the following details:
Region: Washington DC
IKE version: 2
Authentication: sha1
Encryption: aes128
Diffie-Hellman Group: 2
Key lifetime: 28800
Create an IPsec policy. Enter a name for your policy, and then enter the following details:
Region: Washington DC
IKE version: 2
Authentication: sha1
Perfect forward secrecy: Turned on
Diffie-Hellman Group: 2
Key lifetime: 3600
Create a Site-to-Site VPN connection in the IBM Cloud console. Enter the details of the IKE and IPsec policies that you created. To create the VPN connection, you need the Peer Gateway IP address and the pre-shared keys from AWS. Take this information from the configuration file that you downloaded from AWS before you continue to configure your VPN.
After you create the Site-to-Site VPN on the IBM side, you can view the Public IP address for Tunnel1. Note the IP address to use in the following steps.
Navigate to your Site-to-Site VPN connection. Choose Actions, and then choose Modify VPN Connection. Update the target type for the customer gateway. Choose the new customer gateway that uses the IBM VPN IP address.
Note: It takes a few minutes for AWS to modify and update the Site-to-Site VPN connection.
Confirm that the tunnel status is UP, and test the connection
After AWS finishes modifying the Site-to-Site VPN connection, confirm that the tunnel is UP. You must confirm this on both the AWS side and the IBM side. Also, confirm that the routing is correct. Even when the tunnel is up, neither cloud allows traffic to flow by default.
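The following readiness check is an added example, not code from the original article, AWS or IBM. It takes a dict shaped like the JSON that `aws ec2 describe-vpn-connections` returns for the connection, confirms that Tunnel 1 reports UP and that static routing is in place with an available route, and compares the AWS tunnel options against the IBM IKE and IPsec policy values given in the steps above (IKEv2, sha1, aes128, DH group 2, lifetimes 28800 and 3600, PFS on). The SAMPLE data, the IP addresses (TEST-NET-3) and the connection ID are constructed, and the mapping from IBM Cloud algorithm names to AWS TunnelOptions strings is an assumption of this example. The check also flags settings that negotiate successfully but are generally regarded as legacy strength, so you can see what turning on the advanced encryption options would change.

```python
"""Readiness check for a static AWS <-> IBM Cloud Site-to-Site VPN (added example).
Input is a dict shaped like `aws ec2 describe-vpn-connections` JSON; SAMPLE is constructed."""
import json

# IBM-side policies as given in the article (IKE policy, then IPsec policy).
IBM_IKE = {"version": "ikev2", "auth": "sha1", "enc": "aes128", "dh": 2, "lifetime": 28800}
IBM_IPSEC = {"auth": "sha1", "enc": "aes128", "dh": 2, "lifetime": 3600, "pfs": True}
AWS_NAMES = {"sha1": "SHA1", "aes128": "AES128"}  # assumed IBM-name -> AWS-string mapping

SAMPLE = {"VpnConnections": [{  # constructed: TEST-NET-3 addresses, fake connection id
    "VpnConnectionId": "vpn-0123456789EXAMPLE",
    "Options": {
        "StaticRoutesOnly": True,
        "TunnelOptions": [{
            "OutsideIpAddress": "203.0.113.10",
            "IkeVersions": [{"Value": "ikev2"}],
            "Phase1EncryptionAlgorithms": [{"Value": "AES128"}],
            "Phase1IntegrityAlgorithms": [{"Value": "SHA1"}],
            "Phase1DHGroupNumbers": [{"Value": 2}],
            "Phase1LifetimeSeconds": 28800,
            "Phase2EncryptionAlgorithms": [{"Value": "AES128"}],
            "Phase2IntegrityAlgorithms": [{"Value": "SHA1"}],
            "Phase2DHGroupNumbers": [{"Value": 2}],
            "Phase2LifetimeSeconds": 3600,
        }],
    },
    "Routes": [{"DestinationCidrBlock": "10.240.0.0/16", "State": "available"}],
    "VgwTelemetry": [
        {"OutsideIpAddress": "203.0.113.10", "Status": "UP", "AcceptedRouteCount": 1},
        {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN", "AcceptedRouteCount": 0},
    ],
}]}

def _values(tunnel, key):
    """Set of values AWS lists as acceptable for one TunnelOptions key."""
    return {item["Value"] for item in tunnel.get(key, [])}

def check_policies(tunnel):
    """Mismatches between what IBM will propose and what AWS will accept."""
    problems = []
    if IBM_IKE["version"] not in _values(tunnel, "IkeVersions"):
        problems.append("IkeVersions: IBM uses IKEv2 but the AWS tunnel does not offer it")
    wanted = [
        ("Phase1EncryptionAlgorithms", AWS_NAMES[IBM_IKE["enc"]]),
        ("Phase1IntegrityAlgorithms", AWS_NAMES[IBM_IKE["auth"]]),
        ("Phase1DHGroupNumbers", IBM_IKE["dh"]),
        ("Phase2EncryptionAlgorithms", AWS_NAMES[IBM_IPSEC["enc"]]),
        ("Phase2IntegrityAlgorithms", AWS_NAMES[IBM_IPSEC["auth"]]),
    ]
    if IBM_IPSEC["pfs"]:  # PFS on the IBM side needs the same phase 2 DH group on AWS
        wanted.append(("Phase2DHGroupNumbers", IBM_IPSEC["dh"]))
    for key, want in wanted:
        allowed = _values(tunnel, key)
        if want not in allowed:
            problems.append(f"{key}: IBM proposes {want}, AWS allows {sorted(allowed)}")
    # Unequal lifetimes still negotiate, but the side with the shorter value rekeys first.
    for key, want in (("Phase1LifetimeSeconds", IBM_IKE["lifetime"]),
                      ("Phase2LifetimeSeconds", IBM_IPSEC["lifetime"])):
        if tunnel.get(key) != want:
            problems.append(f"{key}: IBM lifetime is {want}, AWS has {tunnel.get(key)}")
    return problems

def legacy_warnings(tunnel):
    """Settings that negotiate fine but are widely regarded as legacy strength."""
    warnings = []
    for key in ("Phase1IntegrityAlgorithms", "Phase2IntegrityAlgorithms"):
        if "SHA1" in _values(tunnel, key):
            warnings.append(f"{key}: SHA1 is legacy; prefer SHA2-256 or stronger")
    for key in ("Phase1DHGroupNumbers", "Phase2DHGroupNumbers"):
        if 2 in _values(tunnel, key):
            warnings.append(f"{key}: DH group 2 (1024-bit MODP) is legacy; prefer group 14 or higher")
    return warnings

def tunnel_status(conn):
    """Map each tunnel's outside IP to the Status AWS reports (UP/DOWN)."""
    return {t["OutsideIpAddress"]: t["Status"] for t in conn.get("VgwTelemetry", [])}

def routing_ok(conn):
    """Static routing selected and at least one static route available."""
    return bool(conn["Options"].get("StaticRoutesOnly")) and any(
        r["State"] == "available" for r in conn.get("Routes", []))

def readiness_report(describe_output):
    """Summarise the first connection; 'ready' needs every hard check to pass."""
    conn = describe_output["VpnConnections"][0]
    tunnel = conn["Options"]["TunnelOptions"][0]  # Tunnel 1, as in the article
    report = {
        "vpn_connection_id": conn["VpnConnectionId"],
        "tunnel1_up": tunnel_status(conn).get(tunnel["OutsideIpAddress"]) == "UP",
        "static_routing_ok": routing_ok(conn),
        "policy_mismatches": check_policies(tunnel),
        "legacy_warnings": legacy_warnings(tunnel),
    }
    report["ready"] = (report["tunnel1_up"] and report["static_routing_ok"]
                       and not report["policy_mismatches"])
    return report

if __name__ == "__main__":
    print(json.dumps(readiness_report(SAMPLE), indent=2))
```

To use it against a live connection, run `aws ec2 describe-vpn-connections --vpn-connection-ids <your-id>` and pass the parsed JSON to `readiness_report`. A non-empty `policy_mismatches` list is the usual reason a tunnel stays DOWN after the customer gateway has been swapped to the IBM address; `legacy_warnings` is informational and does not affect `ready`.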
On the Amazon VPC console, configure the network ACLs and security groups that are associated with your connection. This allows traffic to flow between AWS and IBM.
Perform a bidirectional connectivity test to check the tunnel connection between IBM and AWS. Be sure to do a ping test from AWS to IBM, and from IBM to AWS.