Setting up a VyOS instance to connect two VPCs
Creating multiple Virtual Private Clouds (VPCs) in your AWS environments is a very common way of isolating the different environments of your estate from one another, which you would want to do for security reasons.
Although VPC Peering is quick and simple to set up, it comes with several routing restrictions. The way around them is what used to be the standard approach to connecting two Virtual Private Clouds: using a virtual appliance to establish an IPsec VPN tunnel between the two. In this post we explore VyOS as the virtual appliance; VyOS is a fork of the old Vyatta Community Edition and is currently actively developed. You can find it on the AWS Marketplace.
Consider the setup below for a site-to-site IPsec configuration between two VPCs:
One of the VPCs will need to host a Virtual Private Gateway (VGW), and a Customer Gateway (CGW) needs to be configured that points to the Elastic IP of the virtual appliance, the VyOS instance. Finally, connect these two with a VPN Connection and download the Generic configuration file.
There is a lack of information online on how to properly set this up using the latest VyOS versions.
First, you need to configure the Virtual Tunnel Interfaces (VTI). They need to be set up so that they use the internal IP addresses that AWS provides for the two tunnels in the VPN connection.
Then configure the routing:
Set up the IPsec tunnel options:
And the final step: configure the actual tunnels themselves to reflect the configuration shown below:
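As an added example, not taken from the original post, here are the four steps as VyOS `set` commands in the VyOS 1.1/1.2 Vyatta-derived syntax, which matches what the AWS Generic configuration file uses (VyOS 1.4 renamed several of these nodes). Every address, name and secret is a placeholder to be replaced with the values from that file, and 10.1.0.0/16 is assumed to be the remote VPC's CIDR.

```vyos
# Added example, not the author's configuration. Placeholders in <...> come
# from the Generic configuration file AWS generates for the VPN Connection;
# 10.1.0.0/16 stands for the CIDR of the remote VPC (assumed).

# 1. Virtual Tunnel Interfaces, one per AWS tunnel, using the inside
#    (169.254.x.x/30) addresses AWS assigns to the VyOS side of each tunnel.
set interfaces vti vti0 address '<TUNNEL1_INSIDE_CGW_IP>/30'
set interfaces vti vti0 description 'AWS VPN tunnel 1'
set interfaces vti vti0 mtu '1436'
set interfaces vti vti1 address '<TUNNEL2_INSIDE_CGW_IP>/30'
set interfaces vti vti1 description 'AWS VPN tunnel 2'
set interfaces vti vti1 mtu '1436'

# 2. Routing: send the remote VPC's CIDR into both tunnels, so the second
#    tunnel takes over if the first one goes down (AWS prefers tunnel 1
#    for the traffic it sends back).
set protocols static interface-route 10.1.0.0/16 next-hop-interface vti0
set protocols static interface-route 10.1.0.0/16 next-hop-interface vti1

# 3. IPsec options: IKE (phase 1) and ESP (phase 2) groups matching the
#    proposals listed in the AWS file, plus dead peer detection so a failed
#    tunnel is torn down and re-established instead of silently blackholing.
set vpn ipsec ike-group AWS lifetime '28800'
set vpn ipsec ike-group AWS proposal 1 dh-group '2'
set vpn ipsec ike-group AWS proposal 1 encryption 'aes128'
set vpn ipsec ike-group AWS proposal 1 hash 'sha1'
set vpn ipsec ike-group AWS dead-peer-detection action 'restart'
set vpn ipsec ike-group AWS dead-peer-detection interval '15'
set vpn ipsec ike-group AWS dead-peer-detection timeout '30'
set vpn ipsec esp-group AWS lifetime '3600'
set vpn ipsec esp-group AWS mode 'tunnel'
set vpn ipsec esp-group AWS pfs 'enable'
set vpn ipsec esp-group AWS proposal 1 encryption 'aes128'
set vpn ipsec esp-group AWS proposal 1 hash 'sha1'
set vpn ipsec ipsec-interfaces interface 'eth0'

# 4. The tunnels themselves: one site-to-site peer per AWS outside IP,
#    authenticated with the pre-shared key from the AWS file and bound to
#    its VTI. local-address is the instance's private IP: AWS NATs the
#    Elastic IP to it, so the Elastic IP itself must NOT be used here.
set vpn ipsec site-to-site peer <TUNNEL1_OUTSIDE_VGW_IP> authentication mode 'pre-shared-secret'
set vpn ipsec site-to-site peer <TUNNEL1_OUTSIDE_VGW_IP> authentication pre-shared-secret '<PSK_TUNNEL1>'
set vpn ipsec site-to-site peer <TUNNEL1_OUTSIDE_VGW_IP> ike-group 'AWS'
set vpn ipsec site-to-site peer <TUNNEL1_OUTSIDE_VGW_IP> local-address '<VYOS_PRIVATE_IP>'
set vpn ipsec site-to-site peer <TUNNEL1_OUTSIDE_VGW_IP> vti bind 'vti0'
set vpn ipsec site-to-site peer <TUNNEL1_OUTSIDE_VGW_IP> vti esp-group 'AWS'
# Repeat the six lines above for <TUNNEL2_OUTSIDE_VGW_IP> with '<PSK_TUNNEL2>' and vti1.
commit
save
```

Disable the source/destination check on the VyOS instance and allow UDP 500, UDP 4500 and ESP in its Security Group, otherwise the tunnels come up but no traffic passes. `show vpn ipsec sa` on VyOS and the tunnel status on the AWS VPN Connection page are the first things to check when they do not.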
That’s it. Get your AWS VPC Routing Tables and Security Groups right and you should be able to send traffic across the tunnel.