How to create an IPSEC VPN between AWS and PFsense
Building highways over a series of internet tubes - but with potatoes
Goal
Build a VPN-based infrastructure to connect the infrastructure behind a PFsense to an AWS VPC over the internet. Static routing only, no BGP to consider.
Basic topology
Topology A –> Use a Transit Gateway (TGW) to connect the tunnels to the AWS VPC
Virtual Machine –> LAN –> PFsense –> IPSEC tunnels 1/2 –> internet –> AWS VPN –> AWS TGW –> AWS VPC
Topology B –> Use a VGW (Virtual Gateway) to connect the tunnels to the AWS VPC
Virtual Machine –> LAN –> PFsense –> IPSEC tunnels 2/2 –> internet –> AWS VPN –> AWS VGW –> AWS VPC
Main differences
1. AWS TGWs are a managed routing construct. You can attach different network elements to one and it provides transitive routing between them.
2. AWS TGWs are a paid construct.
3. You will pay per hour for the TGW, per attachment (VPC, DXGW, VPN). –> CAN1-TransitGateway-Hours
4. You will pay for bandwidth transiting IN/OUT of the TGW. The pricing is a bit more complex, but assume you will eat a $/GB charge. –> CAN1-TransitGateway-Bytes
AWS configuration
- Customer Gateway (Link to the AWS doc)
  - Must reference the IP of the VPN client, i.e. the PFsense side. Usually a public IP.
  - For static routing setups, you can pick 65000 as the BGP ASN, as it will not be used.
  - To future-proof the setup, consider using dynamic routing and an appropriate ASN.
- Site-to-Site VPN Connections (Link to the AWS doc)
  - This is where the tunnels are built and where most of the configuration takes place.
  - AWS will always create two redundant tunnels. You are free to use only one. CAREFUL: AWS performs regular maintenance on the tunnels, so you should expect regular failovers. Running a single tunnel is not safe for production workloads.
For both of these AWS elements, the default settings were sufficient to allow the connections towards PFsense.
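The AWS side of Topology B (Customer Gateway, VGW, static-routes-only VPN connection with its two tunnels, and the static route back to the LAN), as an added Terraform example that is not part of the original post. The VPC CIDR, the LAN CIDR and the PFsense public IP are placeholder values.

```hcl
# Constructed example: Topology B (VGW), static routing, both AWS tunnels.
# Assumed values: the VPC CIDR, the LAN behind the PFsense and its WAN IP.

variable "pfsense_public_ip" { default = "203.0.113.10" }   # placeholder PFsense WAN IP
variable "lan_cidr"          { default = "192.168.10.0/24" } # placeholder LAN behind PFsense

resource "aws_vpc" "main" {
  cidr_block = "10.50.0.0/16" # placeholder VPC CIDR
}

resource "aws_route_table" "private" {
  vpc_id = aws_vpc.main.id
}

# Customer Gateway: references the PFsense public IP. The ASN is a placeholder,
# since static routing never uses it (dynamic routing would need a real one).
resource "aws_customer_gateway" "pfsense" {
  bgp_asn    = 65000
  ip_address = var.pfsense_public_ip
  type       = "ipsec.1"
}

# Virtual Private Gateway attached to the VPC (Topology B).
resource "aws_vpn_gateway" "vgw" {
  vpc_id = aws_vpc.main.id
}

# Site-to-Site VPN connection; AWS always builds two tunnels for it.
# Tunnel crypto options stay at their defaults, which the post found sufficient.
resource "aws_vpn_connection" "pfsense" {
  customer_gateway_id = aws_customer_gateway.pfsense.id
  vpn_gateway_id      = aws_vpn_gateway.vgw.id
  type                = "ipsec.1"
  static_routes_only  = true
}

# Static route: tells AWS which on-prem prefix is reachable through the tunnels.
resource "aws_vpn_connection_route" "lan" {
  destination_cidr_block = var.lan_cidr
  vpn_connection_id      = aws_vpn_connection.pfsense.id
}

# Lets the VGW propagate the LAN route into the VPC route table.
resource "aws_vpn_gateway_route_propagation" "private" {
  vpn_gateway_id = aws_vpn_gateway.vgw.id
  route_table_id = aws_route_table.private.id
}

# Both tunnel endpoints are needed on the PFsense side (one phase 1 per tunnel).
output "tunnel_outside_addresses" {
  value = [aws_vpn_connection.pfsense.tunnel1_address, aws_vpn_connection.pfsense.tunnel2_address]
}
```

The pre-shared keys come out as the sensitive `tunnel1_preshared_key` / `tunnel2_preshared_key` attributes of the connection; keep them out of plain outputs and logs when handing them to the PFsense side.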
PFsense configuration
The default configuration is good enough, as long as the tunnel specifications on the PFsense side are aligned with what AWS generated for each tunnel.