惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

A
About on SuperTechFans
Cloudbric
Cloudbric
C
CERT Recently Published Vulnerability Notes
G
GRAHAM CLULEY
V
Vulnerabilities – Threatpost
C
Cisco Blogs
T
Tenable Blog
P
Privacy International News Feed
T
The Exploit Database - CXSecurity.com
I
Intezer
AWS News Blog
AWS News Blog
IT之家
IT之家
博客园 - 司徒正美
C
Cybersecurity and Infrastructure Security Agency CISA
博客园 - 【当耐特】
The Hacker News
The Hacker News
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Spread Privacy
Spread Privacy
S
SegmentFault 最新的问题
博客园 - Franky
人人都是产品经理
人人都是产品经理
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
V
Visual Studio Blog
C
CXSECURITY Database RSS Feed - CXSecurity.com
H
Hacker News: Front Page
Latest news
Latest news
Scott Helme
Scott Helme
腾讯CDC
宝玉的分享
宝玉的分享
大猫的无限游戏
大猫的无限游戏
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
A
Arctic Wolf
S
Securelist
雷峰网
雷峰网
The GitHub Blog
The GitHub Blog
Project Zero
Project Zero
Google DeepMind News
Google DeepMind News
P
Palo Alto Networks Blog
F
Fortinet All Blogs
Schneier on Security
Schneier on Security
云风的 BLOG
云风的 BLOG
Security Archives - TechRepublic
Security Archives - TechRepublic
The Last Watchdog
The Last Watchdog
WordPress大学
WordPress大学
MongoDB | Blog
MongoDB | Blog
L
LINUX DO - 最新话题
S
Schneier on Security
NISL@THU
NISL@THU
Jina AI
Jina AI
M
MIT News - Artificial intelligence

NetBird - Networking Knowledge Hub - RSS Feed

NetBird Is Now on the Vultr Marketplace Native NetBird on the GL.iNet Comet Pro (GL-RM10) NetBird v0.71 - IPv6 Overlay Addressing NetBird Exit Nodes - Appear at Home, or Anywhere Else Reporting Bugs and Requesting Features in NetBird Setup and Use Local AdGuard Home Anywhere with NetBird DNS How to Set Up NetBird on PiKVM for Secure Remote KVM Access NetBird v0.69 - CrowdSec IP Reputation for the Reverse Proxy Cloudflare Mesh vs NetBird vs Tailscale: Performance Compared Self-Hosting Nextcloud with Docker and NetBird Implementing Zero Trust with NetBird NetBird v0.67 - Layer 4 Proxy Support for TCP, UDP, and TLS Solwr Enhances Remote Connectivity with NetBird Self-Hosting NetBird with Authentik Jellyfin Media Server - Self-Host Your Movies, TV, and Music Cloudflare Tunnels vs. NetBird Reverse Proxy INFITX Builds Zero-Touch Kubernetes Networking with NetBird NetBird v0.66 - Expose Local Services to the Internet from the CLI Pangolin vs. NetBird Home Assistant Setup Guide with EASY Remote Access NetBird v0.65 - Built-in Reverse Proxy with Custom Domains Docker for Beginners - Everything You Need to Get Started NetBird for SOC 2 Compliance NetBird v0.63 - Custom DNS Zones for Private Network Resolution Vibecode This in a Weekend and Take 5% of the Company NetBird v0.62 - Built-in Local Users with Optional IdP Integration NetBird v0.61.0 - Granular SSH Access Control and Automatic Updates Top 5 Alternatives to OpenVPN Top 5 Open Source Alternatives to Tailscale Top 5 Alternatives to ZeroTier How to Set Up ZeroByte and REST Server for Backups with NetBird How to Install n8n v2.0 with NPM and PM2 ZeroTier vs. NetBird The Ultimate Immich Guide - Ditch Google and Amazon Photos for Good NetBird as Your Help with ISO 27001 Compliance NetBird and Huntress - Secure Network Access for MSPs How to Access Windows Shares from Anywhere with NetBird netgo Relies on Modern ZTNA with NetBird Connect to Your Homelab from Anywhere with a Raspberry Pi NetBird SSH - A New, Identity-Aware Approach The AI Mega Mesh: How to Connect 30+ GPU Cloud Providers Connect Multiple Ollama GPUs to OpenWebUI with NetBird Top 5 Tailscale Alternatives SSH and RDP, now in your browser NetBird–Acronis Integration: Empowering MSPs for Advanced Ransomware and Threat Defense Introducing the Control Center - Remote Access, Beautifully Visualized NetBird at MSP Global 2025 Understanding Overlay Networks - The Basics NetBird and SentinelOne Singularity™ - Automate Threat Response NetBird and Microsoft Intune - Enforcing Device Compliance for Zero Trust Rethinking Zero Trust Security with NetBird and pfSense Improving Unidirectional Access Control Proxmox VE for Beginners Guide with NetBird LXC Stronger Security: NetBird + GitHub Secure Open Source Fund NetBird's MSP Partner Program Signicat Enhances Cross-Cloud Accessibility with NetBird SonicWall SSL VPN NetExtender vs. NetBird NetBird Is Embracing the AGPLv3 License NetBird Profiles Have Landed - Manage Multiple Accounts Effortlessly Rethinking Access Control to Secure Your On-Premises SharePoint Servers Sport Alliance Increases Efficiency with Zero Trust Networking at Scale Rethinking Network Access: qwertiko Goes Zero Trust with NetBird Optimizing Network Efficiency with NetBird's Lazy Connections Use Port Ranges in Access Control Policies Generic HTTP Endpoint for Network Events Streaming NetBird’s Response to Spear-Phishing Campaign Targeting Financial Executives Zero-Trust Access to Internal Resources Without Installing Agents Enhance Network Visibility with NetBird’s Traffic Events Logging TrueNAS Made Easy - Install, Set Up, and Access From Anywhere Top 5 Alternatives for WireGuard Jump Hosts. Gateways for Remote Access NetBird Network Routes and Exit Nodes Security for All - SSO and MFA for Free Enhancing Network Access Control with NetBird's Identity Provider Feature Twingate vs. NetBird Limit Network Access Based on Running Applications FortiClient ZTNA vs. NetBird OpenVPN vs. NetBird Tailscale vs. NetBird Getting Started with an Azure Site-to-Site VPN Secure Remote Access to VPCs, LANs, and Offices regreSSHion - A New OpenSSH Server Remote Code Execution Vulnerability Evolve Bank & Trust Data Breach. What Happened? What Is a Site-to-Site VPN? IPSec Tunneling Demystified. Enhancing Data Security Across Networks Understanding IPSec Tunnel and Transport Modes Understanding the Differences Between IKEv1 and IKEv2 Understanding the IKEv1 Protocol in IPSec ZeroTier versus NetBird - Which Should You Choose? AWS Lambda Serverless Security. Mistakes, Oversights, and Potential Vulnerabilities Using NetBird for Kubernetes Access Serverless Security Vulnerabilities and Best Practices to Mitigate Them Security Best Practices for Serverless Azure Functions A Guide to Remote Access Security for SMEs IoT Security Essentials. How to Achieve Secure Remote Access Open Source Zero Trust Networking Using SSH for Secure Remote Access How We Integrated Rosenpass in NetBird The First Quantum-Resistant Mesh VPN Using eBPF and XDP to Share Default DNS Port Between Multiple Resolvers
Getting Started with an On-premise-to-AWS Site-to-Site VPN
Written byMatt Keib · 2024-07-23 · via NetBird - Networking Knowledge Hub - RSS Feed

A site-to-site virtual private network (VPN) is a secure, encrypted tunnel between two distant environments. For example, when you host a database server in the cloud, one way to enhance its security and integrity is by disabling its public-facing IP. This makes it inaccessible from outside the private network and reduces the network attack surface. While employees can access the server through a remote access solution like VPN, a site-to-site VPN is particularly useful for connecting entire networks across different locations, ensuring workloads can communicate securely with the database server.

In this article, you'll learn how to set up a site-to-site VPN to connect to an Amazon Virtual Private Cloud (Amazon VPC) from your on-premise environments. While this tutorial will help you achieve this connection, remember that one of the steps involves setting up a customer gateway , which may require access to Amazon Web Services (AWS) Identity and Access Management (IAM) .

Site-to-Site VPN: Why You Need One

If you're managing an on-premise network where your critical databases reside but your applications, which rely on this data, are running on the AWS cloud, securely connecting your on-premise network to the cloud is challenging. You need a reliable and secure way to ensure that your applications can seamlessly access the on-premise databases without exposing them to potential security threats.

Setting up a site-to-site VPN creates an encrypted tunnel between your on-premise network and AWS. Therefore, your applications can securely access the databases as if they were part of the same local network, ensuring data integrity and security:

Architecture diagram, courtesy of Matt Keib

Implement AWS Site-to-Site VPN

Setting up a site-to-site VPN on AWS isn't easy. It involves several gateway setups and configurations that can be difficult for anyone unfamiliar with AWS or site-to-site VPN setups in general.

Here's a brief overview of the steps you'll complete to configure your site-to-site VPN:

  • Create a customer gateway
  • Create a virtual private gateway
  • Configure your routing
  • Update your security group
  • Create a VPN connection

Create a Customer Gateway

The initial step in configuring your site-to-site VPN is to create a customer gateway. The customer gateway represents your on-premise device or software application and establishes the VPN connection with AWS. It defines the external IP address and routing information that AWS needs to connect to your on-premise network.

To create this gateway, you need to access your AWS Management Console, navigate to the Virtual Private Cloud dashboard , and select Customer gateways:

Customer gateway

Click Create customer gateway and follow the prompts to configure your gateway according to your on-premise network:

Details to create the customer gateway

Create a Virtual Private Gateway

After you've created your customer gateway, you need to create a virtual private gateway, which acts as the VPN concentrator on the AWS side of the VPN connection. This enables communication between your AWS VPC and your on-premise network and serves as the entry point for your VPN connection with AWS.

As you did in the previous step, access the AWS Management Console, navigate to the VPC Dashboard, and select Virtual Private Gateways. Then, click Create virtual private gateway and give the VPN a name. Unless you have a custom autonomous system number , leave that field with the default values:

Virtual private gateway options

Configure Your Routing

Configuring your routing ensures that network traffic knows how to travel between your on-premise network and your AWS VPC. This step sets up the route tables that direct the VPN traffic correctly, ensuring seamless communication between the two environments.

Navigate to the AWS Management Console > VPC dashboard and select Route tables. Select the route table associated with your subnet. Then click Edit route propagation. Select the virtual private gateway that you created in the previous step and then save it:

Finished configuration

You should see the route table associated with the subnet you're using to set up the site-to-site VPN, and there shouldn't be any other. Therefore, simply check the Enable box under Propagation:

This is the box you should check

In addition, make sure your virtual private gateway displays as Attached; otherwise, you won't be able to propagate it. In the following screen capture, the virtual private gateway shows its attachment status:

Attachment status

Update Your Security Group

To ensure that only the intended traffic is allowed through your VPN connection, you need to update your security group. Security groups act as virtual firewalls for your instances, controlling inbound and outbound traffic.

In the AWS Management Console, navigate to the EC2 Dashboard, select Security Groups, and update the rules to allow the relevant traffic (eg SSH, RDP, database ports) from your on-premise network's IP range:

Inbound rules example

Create a VPN Connection

Creating a VPN connection is a pivotal step in the site-to-site VPN process as it establishes the secure tunnel between your on-premise network and AWS. This connection encrypts data traffic and ensures secure communication across the internet.

To create a VPN connection, go to the AWS Management Console, navigate to the VPC Dashboard, and select VPN connections. Click Create VPN connection, configure the connection using the previously created virtual private gateway and customer gateway, and set up the necessary routing options according to your network and needs:

VPN configuration options

The final step on the AWS side of things is to download the configuration file. This file provides the necessary settings to establish the VPN connection on your on-premise device, including details like IP addresses, preshared keys, and other parameters required for the VPN setup.

After creating the VPN connection on the last step, you'll be greeted with the following panel:

Created VPN connection

Simply click the VPN ID, and you'll be shown its details:

VPN details

Click the Download configuration button on the right and choose the type of networking appliance that best fits your networking setup. You can choose Generic if yours doesn't show up.

All that's left is to load the configuration file on your hardware (or software) to be able to securely connect to your VPC from your on-premise environment.

Connect to Your Resources

For this tutorial, a FortiGate 60F appliance is used to establish the connection with AWS from the on-premise network. It's worth noting that configuring the appliance with the downloaded VPN configuration is not difficult. For the VPN tunnel to actually work, network access control lists, security groups, and static IPs have to be set up to allow the traffic coming from the on-premise network toward AWS. Even then, additional steps have to be taken since the appliance needed specific Diffie-Hellman configurations and AWS needed the correct encryption and authentication algorithms set up. While doing this, you can occasionally collide with other security policies at the organizational level, which might also become an obstacle.

By default, inbound Internet Control Message Protocol (ICMP) echo is not allowed on AWS instances; it's easier to connect to the instances initially instead of trying to reach them through ICMP . For this article, two virtual machines (VMs) were set up. A Windows Server 2022 and an Ubuntu 20.04 LTS.

Following, you will see part of the configuration that took place at the network appliance level and an established connection toward the Windows Server VM from the on-premise network:

Configuration on the appliance side and a connection with the AWS Windows VM

A connection with the Windows Server VM was established:

Connection from the device behind FortiGate 60F toward the AWS Windows Server VM

In addition, the connection was further tested by copying a file from the on-premise computer to the Ubuntu VM on AWS:

File transfer from the on-premise computer to the Ubuntu VM on AWS

As you can see, deploying VPC features to set up the VPN on AWS is easy if you follow their documentation. However, making it work and being able to bring up the tunnel and connect to the resources are completely different stories. It gets worse if you've never worked with VPNs before or if you are not well-versed in AWS.

Connect On-Premise to AWS Without the Hassle

NetBird offers a powerful and user-friendly alternative for creating and managing site-to-site VPNs. By leveraging advanced technologies like WireGuard and zero-trust principles, NetBird simplifies the setup and maintenance of secure connections between different environments.

Setting up NetBird is significantly easier compared to traditional AWS site-to-site VPN configurations. With NetBird, you can connect machines directly without configuring the entire network. For instance, you can directly connect a database server on-premise to a web server in the cloud by installing the NetBird agent on both machines. The agents will discover each other and establish a direct end-to-end encrypted connection without requiring you to configure security groups, firewalls and opening ports. This approach eliminates the need for complex network configurations, provides a straightforward way to secure communication between specific resources, and saves one of your company's most precious resources: time.

NetBird Site-to-Site

NetBird offers flexibility with two main options for connectivity:

  • Direct machine connections: The preferred and simplest method involves installing the NetBird agent directly on the machines you wish to connect. For example, installing the agent on your on-premise database server and your cloud-based web server ensures direct, secure communication without exposing the entire network.
  • Network routes: For scenarios requiring access to the entire infrastructure on AWS (or vice versa), NetBird supports network routes. You can run NetBird network routes on your on-premise setup and connect individual NetBird peers in the cloud or set it up the other way around. This flexibility allows comprehensive access while maintaining security and ease of management.

Conclusion

In this tutorial, you learned how to configure a site-to-site VPN to connect your local environment to the cloud. While it may seem straightforward initially, additional overhead may be required for more complex network architectures or environments with productive resources, failover mechanisms, proxy settings, or load balancing .

NetBird offers a powerful alternative for creating and managing site-to-site VPNs. Setting up NetBird is significantly easier compared to traditional AWS site-to-site VPN configurations. With NetBird, you can connect machines directly without complex network configurations.

Now that you know what it takes to set up a secure connection between AWS VPCs and your on-premise environment, take a minute to experience the seamless and convenient configuration NetBird has to offer. You won't regret it.