How to Connect AWS VPC to On-Premise Network Securely
To connect an AWS VPC to your on-premise network, use either an AWS Site-to-Site VPN for an encrypted connection over the internet or AWS Direct Connect for a private, dedicated network link. Both methods require configuring a virtual private gateway on the AWS side and a compatible customer gateway device on-premise.
Syntax
Connecting a VPC to on-premise involves these main components:
- Virtual Private Gateway (VGW): AWS side gateway attached to your VPC.
- Customer Gateway (CGW): Your on-premise router or firewall device.
- VPN Connection or Direct Connect: The link between VGW and CGW.
Basic steps include creating a VGW, defining a CGW with your on-premise device's public IP, and establishing a VPN or Direct Connect connection.
terraform
/* AWS side of the connection, attached to the VPC */
resource "aws_vpn_gateway" "vgw" {
  vpc_id = aws_vpc.main.id
}

/* On-premise router or firewall, identified by its public IP */
resource "aws_customer_gateway" "cgw" {
  bgp_asn    = 65000
  ip_address = "203.0.113.12"
  type       = "ipsec.1"
}

/* The IPsec link between the two gateways */
resource "aws_vpn_connection" "vpn" {
  customer_gateway_id = aws_customer_gateway.cgw.id
  vpn_gateway_id      = aws_vpn_gateway.vgw.id
  type                = "ipsec.1"
}
Example
This example shows how to create a Site-to-Site VPN connection between an AWS VPC and an on-premise network using Terraform. It sets up the virtual private gateway, customer gateway, and VPN connection.
terraform
provider "aws" {
  region = "us-east-1"
}

resource "aws_vpc" "main" {
  cidr_block = "10.0.0.0/16"
}

/* AWS side of the connection, attached to the VPC */
resource "aws_vpn_gateway" "vgw" {
  vpc_id = aws_vpc.main.id
}

/* On-premise device, identified by its public IP */
resource "aws_customer_gateway" "cgw" {
  bgp_asn    = 65000
  ip_address = "198.51.100.25"
  type       = "ipsec.1"
}

resource "aws_vpn_connection" "vpn" {
  customer_gateway_id = aws_customer_gateway.cgw.id
  vpn_gateway_id      = aws_vpn_gateway.vgw.id
  type                = "ipsec.1"
  /* Static routing: the on-premise CIDR must also be declared with
     aws_vpn_connection_route, and the VPC route table needs a route to the VGW */
  static_routes_only = true
}

output "vpn_connection_id" {
  value = aws_vpn_connection.vpn.id
}
Output
vpn_connection_id = vpn-0a1b2c3d4e5f67890
Common Pitfalls
- Incorrect IP addresses: Using the wrong public IP for the customer gateway causes the connection to fail.
- Missing routes: Not adding routes in the VPC route tables or on the on-premise routers blocks traffic even when the tunnels are up.
- Security groups and firewall rules: Not allowing the VPN ports (UDP 500, UDP 4500) on the on-premise firewall prevents the tunnels from establishing.
- Mismatched VPN configurations: Encryption and tunnel settings must match on both sides.
terraform
/* Wrong: Missing route in VPC route table */
resource "aws_route_table" "rt" {
  vpc_id = aws_vpc.main.id
  /* No route to on-premise network */
}

/* Right: Add route to on-premise CIDR via VPN gateway.
   aws_route addresses a virtual private gateway through gateway_id;
   it has no vpn_gateway_id argument. */
resource "aws_route" "to_on_premise" {
  route_table_id         = aws_route_table.rt.id
  destination_cidr_block = "192.168.1.0/24"
  gateway_id             = aws_vpn_gateway.vgw.id
}
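Added example, not part of the original page: a small offline check for the pitfalls above (tunnels down, static route not declared on the VPN connection, no VPC route via the VGW). It evaluates the dict shapes that boto3 returns from ec2.describe_vpn_connections() and ec2.describe_route_tables(); the sample responses, IDs and addresses below are constructed placeholders.

```python
import ipaddress

def check_vpn(vpn_conn, route_table, on_prem_cidr):
    """Return a list of findings (empty list = healthy) for one VPN connection
    and one VPC route table, using the dict shapes boto3 returns from
    ec2.describe_vpn_connections() and ec2.describe_route_tables()."""
    findings = []
    if vpn_conn.get("State") != "available":
        findings.append(f"VPN connection state is {vpn_conn.get('State')!r}")
    # Both tunnels should be UP; one UP tunnel works but has no redundancy.
    tunnels = vpn_conn.get("VgwTelemetry", [])
    down = [t["OutsideIpAddress"] for t in tunnels if t.get("Status") != "UP"]
    if len(tunnels) < 2 or down:
        findings.append(f"tunnels not fully up, down={down}")
    wanted = ipaddress.ip_network(on_prem_cidr)
    # With static_routes_only the on-prem CIDR must be declared on the VPN
    # connection itself (aws_vpn_connection_route), or it is never reachable.
    if vpn_conn.get("Options", {}).get("StaticRoutesOnly"):
        declared = [ipaddress.ip_network(r["DestinationCidrBlock"])
                    for r in vpn_conn.get("Routes", [])]
        if not any(wanted.subnet_of(d) for d in declared):
            findings.append(f"no static VPN route covers {on_prem_cidr}")
    # The VPC route table needs an active route for the on-prem CIDR that
    # points at this VGW (created explicitly or learned via route propagation).
    vgw = vpn_conn.get("VpnGatewayId")
    routed = any(
        r.get("GatewayId") == vgw and r.get("State") == "active"
        and wanted.subnet_of(ipaddress.ip_network(r["DestinationCidrBlock"]))
        for r in route_table.get("Routes", []) if "DestinationCidrBlock" in r)
    if not routed:
        findings.append(f"{route_table.get('RouteTableId')} has no active "
                        f"route to {on_prem_cidr} via {vgw}")
    return findings

# Constructed sample responses; IDs and addresses are placeholders.
VGW = "vgw-0123456789abcdef0"
SAMPLE_VPN = {
    "VpnConnectionId": "vpn-0a1b2c3d4e5f67890", "VpnGatewayId": VGW,
    "State": "available", "Options": {"StaticRoutesOnly": True},
    "Routes": [{"DestinationCidrBlock": "192.168.1.0/24", "State": "available"}],
    "VgwTelemetry": [{"OutsideIpAddress": "203.0.113.1", "Status": "UP"},
                     {"OutsideIpAddress": "203.0.113.2", "Status": "DOWN"}],
}
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}
RT_OK = {"RouteTableId": "rtb-0abc", "Routes": [LOCAL,
         {"DestinationCidrBlock": "192.168.1.0/24", "GatewayId": VGW, "State": "active"}]}
RT_MISSING = {"RouteTableId": "rtb-0def", "Routes": [LOCAL]}
```

Against a live account, pass `ec2.describe_vpn_connections()["VpnConnections"][0]` and the route table of the subnet that needs on-premise reachability.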
Quick Reference
- Use AWS Site-to-Site VPN for encrypted internet-based connection.
- Use AWS Direct Connect for private dedicated network link with lower latency.
- Configure a Virtual Private Gateway on AWS and a Customer Gateway on-premise.
- Update route tables to direct traffic through the VPN or Direct Connect.
- Ensure firewall rules allow VPN traffic ports (UDP 500, UDP 4500).
Key Takeaways
Use AWS Site-to-Site VPN or Direct Connect to link your VPC and on-premise network securely.
Configure Virtual Private Gateway in AWS and Customer Gateway on your on-premise device.
Update route tables and firewall rules to allow traffic through the connection.
Verify IP addresses and VPN settings match on both sides to avoid connection issues.
Direct Connect offers lower latency but requires physical setup; VPN works over the internet.