
Question

Data transfer across a VPN and use of the related gateways incur charges in AWS. In order to avoid these charges, the steps indicate at what point further progress in the project is optional. If you have plenty of free credit in your account or if spending a few dollars is not problematic for you, you might want to complete the project for the sake of the experience. However, these last few steps are not required to earn full credit for the project. Complete the following steps:

1. In your AWS Management Console, create a VPC, which you learned to do in Project 4-3. What CIDR block did you use?

2. From the list of VPCs, click your new VPC's main route table. Give this route table a name that you can easily identify later, such as MyVPN-RT. To add the name, click the pencil icon that appears when you point to the route table's name field, as shown in Figure 5-23.
Figure 5-23 Click the pencil icon to give the route table a name. Source: Amazon Web Services, Inc.

3. Now you're ready to create the VPN gateways. In the navigation pane, scroll down and click Customer Gateways. Recall that the CGW is a VPN appliance in the customer's on-prem network. This process does not create a new resource in AWS; it simply informs AWS of how to find your VPN device in your on-prem network. You need your public IP address, which you can determine by searching online for "what is my ip". Copy your public IP address from the search results.

4. Back in your AWS Management Console, click Create Customer Gateway. Give the CGW a name and paste your public IP address in the IP Address field. Click Create Customer Gateway and then click Close. What is your CGW's type?

5. Now you're ready to create a virtual gateway in AWS, which will provide access to the VPN connection on the VPC's side. In the navigation pane, click Virtual Private Gateways, and then click Create Virtual Private Gateway. Give the VGW a name. Leave the ASN selection as Amazon default ASN, click Create Virtual Private Gateway, and then click Close.

6. Click to select your new VGW and attach it to the VPC you created in Step 1.

7. If you were creating this VPN connection for use with a real CGW, you would also need to make some changes to the security group for this VPC. Like allowing traffic through a firewall, this would enable RDP, SSH, and ICMP traffic into the VPC from the on-prem network. You'll learn more about security groups in a later module. For now, because you won't activate the VPN connection in this project, you can skip this step. However, if you're planning to configure the VPN connection on an actual VPN gateway at your physical location, be sure to look up what changes you need to make to the VPC's security group.

8. You're now ready to create the VPN connection between these two gateways. In the navigation pane, click Site-to-Site VPN Connections. Click Create VPN Connection. Give the VPN a name, and select the VGW and CGW that you created earlier in this project. Change the routing option to Static. In the Static IP Prefixes field that appears, enter a private CIDR range that you might be using in your on-prem network. If you were establishing this VPN connection for real, you would need to ensure that your on-prem's private CIDR ranges and your VPC's CIDR range don't overlap.

9. WARNING: Do not complete the next few steps in this project if you need to avoid incurring any charges in your AWS account. You can read through the remaining steps and watch Video 5-1 instead. To avoid any charges, click Cancel, read through the next few steps, and complete Step 14. Otherwise, continue with the next step.

10. If you have credit in your account or if you're comfortable with paying a few dollars to complete this project, click Create VPN Connection, and then click Close.

11. The VPN connection will take a few minutes to reach an available state. In the meantime, click the Tunnel Details tab. As shown in Figure 5-24, the VPN has two tunnels to provide redundancy. Each of these tunnels can be configured separately when you first configure the VPN.
Figure 5-24 Two tunnels in each VPN provide redundancy. Source: Amazon Web Services, Inc.

12. Instances in your VPC will need routes in the VPC's route table in order to find the CGW and to know what IP addresses exist on the other side of the VPN connection. You can configure these routes manually or enable route propagation so this is done automatically. To enable route propagation, in the navigation pane, click Route Tables and then select the route table you identified in Step 2. Click the Route Propagation tab, as shown in Figure 5-25, and then click Edit route propagation. Click the box to enable route propagation, and then click Save.
Figure 5-25 Enable route propagation to allow the VPC's instances to reach the CGW. Source: Amazon Web Services, Inc.

13. By now, your VPN connection should be available; if not, give it a few more minutes. Return to the Site-to-Site VPN Connections page. Select your VPN and click the Tunnel Details tab. Notice that both tunnels are still down. To complete the VPN configuration, you'll need to download a configuration file from AWS and install it on the customer gateway device in your local network. If you don't have a real VPN gateway, you can still download the configuration file to see what information it includes. Click Download Configuration. For the Vendor, select Generic; then keep the default settings that appear (see Figure 5-26). Click Download.
Figure 5-26 The configuration file can be customized for any of several VPN appliances, including Cisco, Fortinet, Juniper, and Palo Alto Networks devices. Source: Amazon Web Services, Inc.

14. After the file downloads, open it and explore the information given. Particularly important pieces of information used to complete the configuration on the customer's side include the pre-shared key and the outside IP addresses for the CGW and VGW, as shown in Figure 5-27.
Figure 5-27 These public IP addresses allow the VPN gateway devices to find each other across the Internet. Source: Amazon Web Services, Inc.

15. Using Visio or a free diagram-drawing app such as draw.io (which is a web app you access through your browser), draw a diagram of the resources used to create this VPN. Include the VPC, the on-prem network, both gateways, and the VPN connection. Use official AWS diagram symbols, such as those you saw in this module and in Video 5-1.

16. Delete all the resources you created in this project, including the VPC, both gateways, and the VPN connection (if you created it). In what order did you delete these resources? What error messages did you encounter? How did you handle these problems? Check through your account to confirm that all related resources have been deleted.
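Before clicking through Steps 1, 4 and 8, it is worth checking that the three addresses the project asks for are consistent: the VPC CIDR, the on-prem Static IP Prefixes, and the CGW public IP. The following added example (not part of the textbook project) does that check with only the Python standard library; every address in it is a constructed sample, not a real network.

```python
# Added example (not part of the textbook project): pre-flight check of the
# addresses the steps above ask for. All sample values are constructed.
import ipaddress

# RFC 1918 ranges: what the project means by a "private CIDR range".
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Blocks AWS cannot reach over the Internet: a CGW address inside one of
# them can never bring a tunnel up, however correct the rest of the setup.
NOT_INTERNET_ROUTABLE = RFC1918 + [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4")]

def is_rfc1918(net):
    return net.version == 4 and any(net.subnet_of(r) for r in RFC1918)

def check_vpn_inputs(vpc_cidr, onprem_prefixes, cgw_public_ip):
    """Return a list of problems (empty means consistent). vpc_cidr is the VPC
    CIDR from Step 1, onprem_prefixes the Static IP Prefixes from Step 8 and
    cgw_public_ip the public address pasted into the CGW in Step 4."""
    problems = []
    try:
        vpc = ipaddress.ip_network(vpc_cidr)  # strict: rejects host bits set
    except ValueError as exc:
        return [f"VPC CIDR invalid: {exc}"]
    if not is_rfc1918(vpc):
        problems.append(f"VPC CIDR {vpc} is not an RFC 1918 range")
    seen = []
    for prefix in onprem_prefixes:
        try:
            net = ipaddress.ip_network(prefix)
        except ValueError as exc:
            problems.append(f"on-prem prefix invalid: {exc}")
            continue
        if not is_rfc1918(net):
            problems.append(f"on-prem prefix {net} is not an RFC 1918 range")
        # The overlap Step 8 warns about: a static route toward the CGW would
        # collide with the VPC's own local route for the same addresses.
        if net.overlaps(vpc):
            problems.append(f"on-prem prefix {net} overlaps VPC CIDR {vpc}")
        for other in seen:
            if net.overlaps(other):
                problems.append(f"on-prem prefixes {net} and {other} overlap")
        seen.append(net)
    try:
        cgw = ipaddress.ip_address(cgw_public_ip)
    except ValueError as exc:
        problems.append(f"CGW IP invalid: {exc}")
    else:
        if any(cgw in block for block in NOT_INTERNET_ROUTABLE):
            problems.append(f"CGW address {cgw} is not Internet-routable")
    return problems
```

Run it with your own values before creating the connection; an empty list means the VPC and on-prem ranges can coexist in one route table and AWS can reach the CGW address you entered.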
