

In this post, AWS Site-to-Site VPN tunnels are built between a simulated on-premises datacenter and an AWS site. On the AWS side, the VPC spans two AZs with one public and one private subnet in each. To keep the demo simple, the lab uses the us-west-2 region to stand in for the on-premises datacenter, and ap-southeast-1 as the cloud region where the Virtual Private Gateway is deployed. Routing between the two sites is static. Router1 on the on-prem side is an EC2 instance running Openswan as a virtual VPN appliance. That is enough background; time to look at the architecture diagram.

Architectural Diagram

Resource components

This lab deploys the following resources in the AWS and on-prem sites using Terraform IaC code.

Public Cloud (ap-southeast-1 region)
  • AWS VPC ( and 2 Public subnets (,
  • 2 Private subnets (,
  • Security group and route tables
  • Virtual Private Gateway, Customer Gateway and Site-to-Site VPN connection
  • EC2 instance named web-server
On-Prem (simulated in us-west-2)
  • AWS VPC ( and 2 Public subnets (,
  • 2 Private subnets (,
  • Security group and route tables
  • 1 EC2 instance with Openswan installed, acting as Router1
  • 1 EC2 instance named test-server in a private subnet, used to test site-to-site connectivity

Notes: Terraform IaC is used to create the resources above and simulate this lab. The community Terraform VPC module is used in the code as a reusable, best-practice building block. Please download it here.

Notes: the Linux EC2 instance running Openswan is deployed in us-west-2 and acts as the IPsec VPN router for the simulated on-prem site.


Prerequisites

  1. Install Terraform
  2. An AWS account and an IAM identity (not the root user) with the roles and policies needed to deploy
  3. AWS CLI (to authenticate to the AWS account)
  4. git clone or download the Terraform code from here.

Deployment Steps

On-prem Steps (US-West-2)

1) Install the AWS CLI and run "aws configure" to enter the credentials of the IAM identity used for this lab.

To verify that the credentials work, run "aws sts get-caller-identity"; it returns the account ID and ARN of the caller for any valid credential. The check "aws iam list-users" also works, but only if the identity has IAM read permission, so a failure there can mean a missing permission rather than a bad credential.

2) Download or clone the Terraform deployment code from here.

3) Change directory to us-west-2 (the path below is as typed in PowerShell on Windows; on Linux or macOS use forward slashes)

cd .\VPN-Terraform\us-west-2\

4) Initialize the working directory; this downloads the providers and modules and sets up the backend

terraform init

5) Run terraform plan to preview the changes: Terraform compares the configuration against the state file (.tfstate) and the real resources and lists what it would create, change or destroy.

terraform plan

6) Then deploy the AWS resources with terraform apply --auto-approve. The flag skips the interactive confirmation, which is fine for a throwaway lab; in a shared or production account, review the plan output before applying.

terraform apply --auto-approve

The output shows that 23 resources will be deployed in the us-west-2 region. Let's look at the created resources in the AWS console below.

Note Router1's public IP (Elastic IP), as this address will be used for the Customer Gateway on the cloud side. In this case the AWS-assigned Elastic IP address is

In your lab you will get a different address, since AWS allocates Elastic IPs from its pool. You have now completed the deployment of the AWS resources in us-west-2, which simulates the on-prem DC. See Part 2 to continue with the deployment of the AWS cloud resources and to bring up the IPsec tunnels.
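As an added example (not the post's own code; the linked repository may differ), the following Terraform configuration shows what the us-west-2 side amounts to: the community VPC module, an Openswan router instance with the source/destination check disabled, a security group that opens IKE, NAT-T and ESP only to the AWS tunnel endpoints, an Elastic IP, and a static route from the private subnets to the cloud CIDR via the router. All CIDRs, the key pair name, the admin IP, the instance type and the vgw_tunnel_ips variable are assumptions, not values from the post.

```hcl
# Added example, not the post's own code: the simulated on-prem side (us-west-2).
# Assumptions not taken from the post: every CIDR, key pair, admin IP, instance type,
# and vgw_tunnel_ips (the AWS tunnel endpoint addresses, known only after Part 2).
terraform {
  required_providers { aws = { source = "hashicorp/aws", version = "~> 5.0" } }
}
provider "aws" { region = "us-west-2" } # simulated on-prem datacenter

variable "onprem_cidr" { default = "10.100.0.0/16" }   # assumption
variable "cloud_cidr"  { default = "10.200.0.0/16" }   # assumption: the ap-southeast-1 VPC
variable "admin_cidr"  { default = "203.0.113.10/32" } # assumption: your workstation (TEST-NET-3)
variable "key_name"    { default = "lab-key" }         # assumption: an existing EC2 key pair
variable "vgw_tunnel_ips" {                            # empty until Part 2: IKE/ESP stay closed
  type    = list(string)
  default = []
}
locals {
  # What a customer gateway must accept from the AWS tunnel endpoints.
  ipsec_ports = {
    ike = { proto = "udp", port = 500 }, natt = { proto = "udp", port = 4500 }, esp = { proto = "50", port = 0 }
  }
}
# Latest Amazon Linux 2 AMI via the public SSM parameter (the package name below is an assumption).
data "aws_ssm_parameter" "al2" {
  name = "/aws/service/ami-amazon-linux-latest/amzn2-ami-hvm-x86_64-gp2"
}

module "vpc" {
  source             = "terraform-aws-modules/vpc/aws"
  name               = "onprem-vpc"
  cidr               = var.onprem_cidr
  azs                = ["us-west-2a", "us-west-2b"]
  public_subnets     = [cidrsubnet(var.onprem_cidr, 8, 1), cidrsubnet(var.onprem_cidr, 8, 2)]
  private_subnets    = [cidrsubnet(var.onprem_cidr, 8, 11), cidrsubnet(var.onprem_cidr, 8, 12)]
  enable_nat_gateway = false
}

# Security groups filter the outer packets only, so Router1 needs IKE, NAT-T and ESP
# from the AWS endpoints, SSH from the admin IP, and plain traffic from the on-prem
# subnets (which it forwards into the tunnel). Nothing is opened to 0.0.0.0/0.
resource "aws_security_group" "router1" {
  name   = "router1-ipsec"
  vpc_id = module.vpc.vpc_id
  dynamic "ingress" {
    for_each = { for k, v in local.ipsec_ports : k => v if length(var.vgw_tunnel_ips) > 0 }
    content {
      from_port   = ingress.value.port
      to_port     = ingress.value.port
      protocol    = ingress.value.proto
      cidr_blocks = [for ip in var.vgw_tunnel_ips : "${ip}/32"]
    }
  }
  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_cidr]
  }
  ingress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = [var.onprem_cidr] # test-server traffic arriving for forwarding
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

resource "aws_instance" "router1" {
  ami                    = data.aws_ssm_parameter.al2.value
  instance_type          = "t3.micro"
  subnet_id              = module.vpc.public_subnets[0]
  vpc_security_group_ids = [aws_security_group.router1.id]
  key_name               = var.key_name
  source_dest_check      = false # required: a router forwards packets it did not originate
  user_data              = <<-EOF
    #!/bin/bash
    yum install -y openswan   # assumption: package name on this AMI
    echo "net.ipv4.ip_forward = 1" > /etc/sysctl.d/99-ipsec.conf
    sysctl --system
  EOF
  tags = { Name = "Router1" }
}
resource "aws_eip" "router1" {
  instance = aws_instance.router1.id
  domain   = "vpc"
}

# Cloud-bound traffic from the private subnets leaves through Router1's ENI.
resource "aws_route" "to_cloud" {
  count                  = length(module.vpc.private_route_table_ids)
  route_table_id         = module.vpc.private_route_table_ids[count.index]
  destination_cidr_block = var.cloud_cidr
  network_interface_id   = aws_instance.router1.primary_network_interface_id
}
output "router1_public_ip" {
  value = aws_eip.router1.public_ip # use as the Customer Gateway IP in Part 2
}
```

With the default empty vgw_tunnel_ips, the first apply leaves the IPsec ports closed; once Part 2 has created the VPN connection, put the two outside tunnel addresses into vgw_tunnel_ips (via terraform.tfvars or -var) and apply again. Because a security group inspects only the encapsulated packets, adding the cloud CIDR to the router's group does nothing for tunnel traffic; the on-prem CIDR rule is what lets the test server's packets reach the router for forwarding, and source_dest_check = false is what lets the router emit them.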

