Amazon Web Services is changing the way that enterprise applications are developed and deployed, but it can also introduce technical challenges to the process. While AWS controls its own internal network architecture and performance, organizations that use the public cloud service must work to implement adequate network resources within AWS as well as across the intervening public Internet. Making the right network decisions and having the proper tools to monitor and troubleshoot network issues can make a significant difference in an enterprise's experience.
Amazon Virtual Private Cloud (VPC) is a powerful alternative for launching Web servers and hosting back-end applications; clients can launch resources in a virtual network that is logically isolated within AWS. A VPC connection provides extensive control over the network environment and enables clients to select IP address ranges, establish subnets and configure routing tables and other network gear within AWS. Clients can also enforce security using security groups and network access control lists.
A virtual private network (VPN) is typically used for an Amazon VPC connection to a customer gateway established in the data center. When VPC connection problems arise, some detailed troubleshooting may be required to isolate and correct the problem. Common problems often include configuration issues with the customer gateway. It's impossible to detail all of the troubleshooting permutations, but there are some basic issues.
An easy way to test a working VPN is to launch an instance into the Amazon VPC and ping its private IP address from the local customer gateway server; test instances should not have an Internet connection.
Start by opening the Amazon Elastic Compute Cloud console and select Launch Instance. Choose an Amazon Linux AMI and select an instance type. On the Configure Instance Details page, select the VPC from the network list and a private subnet -- which should already be configured when initially setting up the VPC -- from the subnet list. Be sure that the Auto-assign Public IP list is set to Disable.
When the Configure Security Group page appears, select an existing security group that has already been configured, or create a new security group with a rule that allows ICMP traffic from the gateway server's IP address. Now finish the wizard and launch the instance.
Find and select the new instance on the console's Instances page and note its private IP address from the instance details. Use a simple command-line tool, like ping, to test the connectivity between the customer gateway server and the Amazon VPC instance by targeting that private IP address. For example, an instance with the private IP address 10.0.0.15 would be pinged at 10.0.0.15 from the gateway server.
If the ping command is successful, it will return several reply packets and time measurements.
If the ping command fails, the root cause can usually be traced to one of several oversights. For example, the security group rule allowing ICMP packets to the VPC instance might be missing, or the security group's outbound rules might not allow IPsec traffic. Double-check that the VPC instance's operating system responds to ICMP traffic (Amazon Linux AMIs do by default). On a Windows VPC instance, verify that the Windows firewall allows inbound ICMP traffic, and check that the routing tables for the VPC or subnet have been configured correctly.
Windows-based customer gateways should also have source/destination checking disabled. After checking and correcting any configuration problems, use ping to recheck the VPC connection.
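The checks above (no public IP on the test instance, an inbound ICMP rule from the gateway server's address, and a subnet route back toward the gateway) can be run against the EC2 API output before ever sending a ping. The following is an added example, not code from the original article or from AWS; it works on constructed dictionaries shaped like the EC2 `DescribeInstances`, `DescribeSecurityGroups` and `DescribeRouteTables` responses, and all resource IDs and addresses in it (`i-0example`, `sg-0example`, `subnet-0example`, `vgw-0example`, `192.168.1.20`) are made up for the demonstration.

```python
"""Offline pre-flight checker for the VPN ping test.

Given an instance record, its security groups and its subnet's routes
(here constructed inline, shaped like EC2 API responses), report the
common oversights that make a ping from the customer gateway fail.
"""
import ipaddress

# --- Constructed sample data; none of these IDs or addresses are real ----
GATEWAY_SERVER_IP = "192.168.1.20"   # on-premises customer gateway server (hypothetical)
INSTANCE = {
    "InstanceId": "i-0example",
    "PrivateIpAddress": "10.0.0.15",
    "PublicIpAddress": None,         # Auto-assign Public IP was set to Disable
    "SubnetId": "subnet-0example",
    "SecurityGroups": ["sg-0example"],
}
SECURITY_GROUPS = {
    "sg-0example": {
        "IpPermissions": [
            # ICMP: FromPort is the ICMP type, -1 means all types, 8 is echo request
            {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
             "IpRanges": [{"CidrIp": "192.168.1.20/32"}]},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "192.168.0.0/16"}]},
        ]
    }
}
ROUTE_TABLES = {
    "subnet-0example": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "vgw-0example"},
    ]
}


def icmp_echo_allowed(permissions, source_ip):
    """True if any inbound rule admits ICMP echo requests from source_ip."""
    ip = ipaddress.ip_address(source_ip)
    for perm in permissions:
        proto = perm["IpProtocol"]
        if proto not in ("icmp", "-1"):          # "-1" is the all-protocols rule
            continue
        if proto == "icmp" and perm.get("FromPort", -1) not in (-1, 8):
            continue                             # some other ICMP type only
        for rng in perm.get("IpRanges", []):
            if ip in ipaddress.ip_network(rng["CidrIp"], strict=False):
                return True
    return False


def return_route(routes, source_ip):
    """Longest-prefix match: the route the reply to source_ip will take."""
    ip = ipaddress.ip_address(source_ip)
    best = None
    for route in routes:
        net = ipaddress.ip_network(route["DestinationCidrBlock"], strict=False)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route)
    return best[1] if best else None


def check_instance(instance, security_groups, route_tables, source_ip):
    """Return a list of findings; an empty list means nothing obvious is wrong."""
    findings = []
    if instance.get("PublicIpAddress"):
        findings.append("instance has a public IP; disable Auto-assign Public IP on test instances")
    if not any(icmp_echo_allowed(security_groups[sg]["IpPermissions"], source_ip)
               for sg in instance["SecurityGroups"]):
        findings.append(f"no security group allows ICMP echo from {source_ip}")
    route = return_route(route_tables[instance["SubnetId"]], source_ip)
    if route is None or not route["GatewayId"].startswith("vgw-"):
        findings.append(f"subnet route table has no route back to {source_ip} via a virtual private gateway")
    return findings


if __name__ == "__main__":
    for line in check_instance(INSTANCE, SECURITY_GROUPS, ROUTE_TABLES, GATEWAY_SERVER_IP) or ["no obvious misconfiguration found"]:
        print(line)
```

Run it as-is to see the clean result, then remove the ICMP rule or add a `PublicIpAddress` to the constructed instance to see the corresponding finding. In practice the three dictionaries would be filled from the real API responses for the instance launched in the wizard above.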
Amazon provides highly detailed guidance for setting up VPC customer gateways for operating systems such as Windows Server 2012 R2.