Step-by-Step Guide: Building a Site-to-Site VPN in AWS

12 min readSep 20, 2025

🌐 Introduction

In real-world enterprise environments, companies often need to connect their on-premises data centers to their AWS Cloud VPCs securely.
AWS Site-to-Site VPN provides a reliable and encrypted tunnel using the IPsec protocol, enabling private communication between these two networks.

But what if you don’t have a physical on-premises network? In this lab, we will simulate an on-premises environment using a second VPC in the same AWS region (us-east-1).
One VPC will represent the corporate/on-premises side, while the other will act as the AWS Cloud network. We will then connect them using a Site-to-Site VPN.

What is AWS Site-to-Site VPN?
A VPN connection refers to the connection between your VPC and your own on-premises network. Site-to-Site VPN supports Internet Protocol security (IPsec) VPN connections.
By default, instances that you launch into an Amazon VPC can’t communicate with your own (remote/on-premises) network.

Why Do You Need It?

Hybrid Cloud Architecture: Many companies want to keep some resources on-premises while leveraging AWS cloud services
Security Compliance: Regulations may require certain data to remain in your physical data center
Migration Strategy: Gradual movement of workloads from on-premises to cloud
Disaster Recovery: Create backup infrastructure in AWS while maintaining primary operations locally

How It Works — Simple Analogy: Imagine your office building (on-premises) and AWS (cloud) are two separate islands. Site-to-Site VPN creates a secure underwater tunnel between these islands, allowing people and resources to move safely between them without anyone else seeing the traffic.

Key Benefits:

Cost-Effective: Uses existing internet connection (no dedicated lines required)
Quick Setup: Can be configured in hours, not weeks
High Availability: AWS provides redundant tunnels automatically
Scalable: Supports up to 1.25 Gbps per tunnel

Technical Components Explained:

VPN connection: A secure connection between your on-premises equipment and your VPCs.
VPN tunnel: An encrypted link where data can pass from the customer network to or from AWS.
Customer gateway: An AWS resource which provides information to AWS about your customer gateway device.
Customer gateway device: A physical device or software application on your side of the Site-to-Site VPN connection.
Virtual private gateway: The VPN concentrator on the Amazon side of the Site-to-Site VPN connection. You use a virtual private gateway or a transit gateway as the gateway for the Amazon side of the Site-to-Site VPN connection.

Connection Flow:

Your Office Network → Customer Gateway Device → Internet → AWS VGW → Your VPC

Security Features:

IPsec Encryption: Military-grade encryption (AES-256)
Authentication: Ensures only authorized devices can connect
Integrity Checking: Verifies data hasn’t been tampered with during transit

Lab Details

This lab guides you through the step-by-step process of setting up a Site-to-Site VPN connection between your AWS Cloud and an On-premises Network.

⏱️ Duration: Approximately 45–60 minutes
💰 Estimated Cost: $3–6 (if you clean up the resources immediately after completing the lab)

Prerequisites:

An active AWS Account with permissions to create VPCs and related networking resources
Basic understanding of networking concepts (subnets, routing, gateways)

🏗️ Architecture Overview

Our lab consists of two VPCs in N. Virginia (us-east-1):

VPC-OnPrem (Corporate Simulation)

Public subnet
EC2 instance with Openswan (acting as a customer router)

VPC-AWS (AWS Cloud Network)

Private subnet
EC2 instance to test private connectivity

VPN Connection:

Customer Gateway (CGW) on AWS side (logical representation of the on-prem router)
Virtual Private Gateway (VGW) on AWS side (VPN concentrator)
Two VPN tunnels (AWS always provides redundancy, though in this lab we will focus on one active tunnel)

📌 Tip: Always make sure your VPC CIDR blocks do not overlap; otherwise, routing will fail.

Step 1: Create the On-Premises Simulation VPC

Go to VPC > Create VPC

Navigate to Your VPC’s on the left panel and click on the Create VPC.

Select VPC only
Name tag : Enter On_Premises_Network
IPv4 CIDR block : Enter 10.0.0.0/16

Leave everything else as default and click on the Create VPC.

Step 2: Create a Public subnet

Subnets → Create Subnet.

VPC ID : Select the On_Premises_Network VPC from the list.
Subnet name : Enter Public_subnet
Availability Zone :No preference
IPv4 CIDR block : Enter 10.0.1.0/24

Now click on the Create Subnet

Step 3: Create and attach an Internet Gateway

Internet Gateways → Create Internet Gateway

Name tag : Enter On_Premises_IGW

Click on the Create Internet Gateway

Now click on the Actions and select Attach to VPC.

Available VPCs : select On_Premises_Network from the list.

Click on the Attach Internet Gateway

Step 4: Create a Public Route Table and associate it with the subnet

Route Tables →Create route table button.

Name tag : Enter PublicRT
VPC* : Select the On_Premises_Network from the list.

Click on the Create route table button.

Route Tables →PublicRT →Subnet associations →Edit subnet associations

Now select the subnet Public_subnet and click on the Save associations button.

Step 5: Add public Route in the Route table

Route Tables → PublicRT

Routes → Edit routes button.

Now click on the Add route button.

Destination : Enter 0.0.0.0/0
Target : select Internet Gateway and then select the Internet Gateway id.

Click on the Save changes button.

Step 6: Create Security Group

EC2 → security groups → Create security group

Security group name : Enter On_Premises_Router_SG
Description : Enter Security group for public Router

To add SSH,

Choose Type: SSH
Source: Anywhere (From ALL IP addresses accessible).

For All TCP,

Click on Add Security group rule button.
Choose Type: All TCP
Source: Custom and Enter 30.0.0.0/16 in the textbox.

For IPv4 ICMP,

Click on Add Security group rule button.
Choose Type: All ICMP — IPv4
Source: Custom and Enter 30.0.0.0/16 in the textbox.

Step 7: Launch an EC2 instance

EC2→ Instances→ Launch Instances

Name :On_Premises_Router

Amazon Machine Image (AMI): Amazon Linux 2023 kernel-6.1 AMI

Choose an Instance Type: t3.micro

Key Pair : Choose Create a new key Pair from the dropdown list.

Key pair name : Router-key
Key Pair Type: RSA
Click on Create key pair button to download the key to your local machine.

Under Network Settings, click on Edit button.

Network : On_Premises_Network
Subnet : leave as default
Auto-assign Public IP : Enable

Configure Security Group:

Firewall(security groups) : Select existing security group
Select On_Premises_Router_SG

Click on Launch Instance button.

Step 8: Create AWS_Network VPC

VPC →Your VPC → Create VPC

Select VPC Only
Name tag : Enter AWS_Network
IPv4 CIDR block : Enter 30.0.0.0/16

Leave everything else as default and click on the Create VPC

Step 9: Create a Private subnet, a Private Route Table and associate it with the subnet

Subnets →Create Subnets

VPC ID : AWS_Network
Subnet name : Private_subnet
Availability Zone : No preference
IPv4 CIDR block : 30.0.1.0/24

Now click on the Create Subnet

Create a Private Route Table and associate it with the subnet

Route Tables →Create route table

Name tag : PrivateRT
VPC* : AWS_Network

Create route table→ Route Tables→ PrivateRT from the list and go to the Subnet associations tab in below.

Click on the Edit subnet associations button.

Now select the subnet Private_subnet and click on the Save associations button.

Step 10: Create security group

EC2 →Security Groups→ create security grouC.

Security group name : AWS_EC2_SG
Description : Security group for AWS EC2 instance

To add SSH,

Choose Type: SSH
Source: Anywhere (From ALL IP addresses accessible).

For All TCP,

Click on Add Security group rule button.
Choose Type: All TCP
Source: 10.0.0.0/16

For IPv4 ICMP,

Click on Add Security group rule button.
Choose Type: All ICMP — IPv4
Source: 10.0.0.0/16

Step 11: Launch an EC2 instance

EC2 →Instances → Launch Instances

Name:AWS_EC2

Amazon Machine Image (AMI): Amazon Linux 2023 kernel-6.1 AMI

Choose an Instance Type: t3.micro

Key Pair : Choose existing key pair

Key pair name : Router-key

Under Network Settings, click on Edit button.

Network : AWS_Network
Subnet : leave as default
Auto-assign Public IP : Disable

Configure Security Group:

Firewall(security groups) : Select existing security group(AWS_EC2_SG)

Click on Launch Instance button.

Step 12: Create a Customer Gateway

VPC → Virtual Private Network (VPN) → Customer Gateways

Click on the Create Customer Gateway

Name : On_Premises_Network_Gateway
IP Address : Enter On-premises EC2 instance IPv4 Public IP (EC2 act as the Public Router)
Leave everything else as default.

Click on the Create Customer Gateway

Step 13: Create a Virtual Private Gateway

Now scroll down and select Virtual Private Gateways under Virtual Private Network (VPN).

Click on the Create Virtual Private Gateway

Name tag : Enter AWS_Network_VPG
ASN : Leave as Default

Click on the Create Virtual Private Gateway

You need to attach the VPG to the VPC

Select the Virtual Private gateway that you just created (wait till the state changes to Available), click on the Actions button and select Attach to VPC.

VPC : Select AWS_Network from the list.

Click on the Attach to VPC

Now select the PrivateRT RouteTable, where VPC is mentioned as AWS_Network. And goto the Route propagation tab below and click on the Edit route propagation button.

Check the Enable checkbox and click on the Save button.

Step 14: Create a Site-to-Site VPN connection

VPC→Site-to-Site VPN Connections→Virtual Private Network(VPN) →Create VPN Connection

Name tag : AWS_On_Premises_Connection
Virtual Private Gateway* : AWS_Network_VPG
Customer Gateway ID* : On_Premises_Network
Routing Options : Static
Static IP Prefixes : 10.0.0.0/16

Tunnel Options :
Leave as default.

Click on the Create VPN Connection .It will take 3 to 4 Minutes to set up the VPN Connection.

Select the VPN Connection and on top, click on the Download the configuration

Vendor : Openswan

Platform : Openswan

Software : Leave default.

Click on the Download button and the configuration file will be downloaded to your local machine and note down the file name.

Step 15: Configure On-Premises Router

You need to SSH into the EC2 instance (On_Premises_Router) that you have created in the On_Premises_Network. This EC2 will act as the Public Router of On-Premises Network.

SSH to EC2 instance

ssh -i "Router-key.pem" ec2-user@35.153.135.244

⚠️ Important: Make sure to use your actual EC2 public IP address instead of the example IP (35.153.135.244)

Switch to root user :

sudo -s

Install Openswan

sudo dnf install libreswan -y

Next make sure the last line in /etc/ipsec.conf is not commented. (NO # in the beginning)

nano /etc/ipsec.conf

Scroll to the end and make sure the last line include /etc/ipsec.d/*.conf has no hash (#) in the beginning.

Click [Control] + X or [Ctrl] + X to exit the file.

Update /etc/sysctl.conf file

nano /etc/sysctl.conf

Add the below 3 lines in end of this file with no hash (#) in the beginning and add each in new lines

net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0

Click [Control] + X or [Ctrl] + X to exit the file.
Save modified buffer (Answering “No” will DISCARD changes.) : Enter Y
File Name to Write: /etc/sysctl.conf
Restart Network Service

sudo systemctl restart systemd-networkd

Next we need to configure IPSec and pre-shared keys in Openswan.

For that you have downloaded a configuration file from the Site-to-site VPN page to your local system. Open that file in your text editor.

Create or open /etc/ipsec.d/aws.conf file

vi /etc/ipsec.d/aws.conf

In the Configuration file, look for point number 4 under IPSEC Tunnel #1 and copy the entire code below point number 4.

Press “ i “ button in your keyboard to edit the file you have created.
Paste the code in the file we opened.
Remove the line auth=esp from the file (else the connection won’t work)
Push it to the ECR repository

Update( for better security (change 1024 to 2048))

phase2alg=aes128-sha1;modp1024
ike=aes128-sha1;modp1024

phase2alg=aes128-sha1;modp2048
ike=aes128-sha1;modp2048

Update leftsubnet and rightsubnet

leftsubnet= 10.0.0.0/16 (On-premises VPC CIDR)
rightsubnet= 30.0.0.0/16 (AWS VPC CIDR)

Click [Esc] button in the keyboard to exit the editing mode.
Now type :wq and hit [Enter] Key to save the file.

Create or open /etc/ipsec.d/aws.secrets file

vi /etc/ipsec.d/aws.secrets

In the Configuration file, look for point number 5 under IPSEC Tunnel #1 and copy the entire code below.

Press “ i “ button in your keyboard to edit the file you have created.
Paste the secret key in the file you opened.
vi /etc/ipsec.d/aws.secrets

Press enter or click to view image in full size

Click [Esc] button in the keyboard to exit the editing mode.
Now type :wq and hit [Enter] Key to save the file.

In case if your EC2 Session gets timed out. please follow the steps to SSH into EC2 Instance again.

Switch to root user :

sudo -s

Start IPSec service

systemctl start ipsec

Check the status of IPSec

systemctl status ipsec

Step 16: Test the connectivity between two Networks

Ping OnPrem EC2 to AWS Private EC2

ping 30.0.1.227 #ping <Private IPv4 Address of AWS_EC2>

Now scroll down and select Site-to-Site VPN Connection under Virtual Private Network(VPC).

Check the Tunnel Details and you will be able to see that Tunnel 1 is UP. Tunnel 2 is Down because in Openswan only one tunnel can be configured and we only used Tunnel 1.

✅ Success indicators:

Tunnel 1 status shows “UP”
Ping responds successfully
No packet loss in ping results

Step 17: Troubleshooting Common Issues

VPN Tunnel Status = DOWN:

Check Customer Gateway public IP is correct
Verify security groups allow IPsec traffic (UDP 500, 4500)
Confirm libraswan service is running
Check ipsec service is running (systemctl status ipsec)

Ping Tests Fail:

Verify route propagation is enabled on PrivateRT
Check security groups allow ICMP traffic
Confirm leftsubnet/rightsubnet in aws.conf are correct

Cannot SSH to instances:

Check security groups allow SSH (port 22)
Verify key pair permissions: (chmod 400 Router-key.pem)

Step 18: Delete AWS Resources

Terminate both EC2 instances (On_Premises_Router and AWS_EC2).
Delete the Security Groups created for the lab (On_Premises_Router_SG and AWS_EC2_SG).
Detach and delete the Internet Gateway from the On_Premises_Network VPC.
Delete the subnets (Public_subnet and Private_subnet).
Delete the Route Tables (PublicRT and PrivateRT).
Delete the Customer Gateway and the Virtual Private Gateway.
Delete the Site-to-Site VPN Connection.
Finally, delete both VPCs (On_Premises_Network and AWS_Network).