This post is based on Connecting Multiple VPCs with Astaro Security Gateway. VPCs are isolated from each other even when they are under the same AWS account in the same region. In order to tie them together, you will need to establish a VPN connection between them. One way to do it is to use Sophos UTM (previously known as Astaro Security Gateway). I will walk through how to do it in the following few steps:
- Create the First VPC
- Launch a Sophos UTM Instance
- Create the Second VPC
- Setup the Sophos UTM Instance
Create the First VPC
The easiest way to create a VPC is to use the Start VPC Wizard. You can find the Start VPC Wizard button in the VPC Dashboard.
Once you click it, it will bring up a wizard below. Select VPC with a Single Public Subnet Only and click Continue.
By default, the wizard will set the IP CIDR block to 10.0.0.0/16 and the subnet to 10.0.0.0/24. For my demonstration, I will use 10.10.0.0/16 and 10.10.0.0/24 respectively. You can leave everything else alone and click the Create VPC button. The VPC should get created right away.
Launch Sophos UTM Instance
In the EC2 Dashboard, click the Launch Instances button. It will bring up the Create a New Instance wizard.
Select AWS Marketplace option and type Sophos. Then click GO. It will return 2 results for Sophos.
You will want to use the first one, Sophos UTM 9 BYOL. The features that are required to connect multiple VPCs are all included in the Essential Firewall Edition. You can request a license from Astaro's License Key Registration form. You don't have to apply the license key right away. You have 30 days before the evaluation period expires. Make sure you apply the license before then. Once the evaluation period expires, the web interface used to administer the Sophos UTM will be disabled. You will not be able to log in or make any changes.
Click the Sophos UTM 9 BYOL link. It will give you more details about Sophos UTM 9. In the For region option, select the region you want to launch it in. In my demonstration, it will be US West (Northern California), where the first VPC was created. Then click the Continue button to proceed to the next screen.
The Region should already be set to the region you selected in the previous screen. If not, select your desired region. You can change the EC2 Instance Type to Standard Micro (t1.micro) to keep the cost to a minimum. You will need to select the VPC and Subnet to reflect yours. Leave everything else alone and click the Launch with 1-Click button to create the instance. It will take 15-30 minutes to provision the instance.
Go to the VPC Management Console, select Route Tables from the left navigation section and add an entry to route 10.20.0.0/16 to the Sophos UTM, assuming 10.20.0.0/16 is the CIDR block for the second VPC. If the instance ID of the Sophos UTM is not listed, you will need to select Enter instance ID to locate it.
Once the Sophos UTM instance is provisioned, assign an elastic IP (public IP) to the Sophos UTM instance. You will also need to disable the Source/Dest Check setting, since the UTM forwards traffic that is neither sourced from nor destined to its own address. Right-click the instance and select the Change Source / Dest Check option. Click the Yes, Disable button to disable the check.
Open https://<public IP>:4444 to set up Sophos UTM, where <public IP> is the public IP you have associated with your Sophos UTM instance. Fill out all the fields and click the Perform basic system setup button to proceed.
Create the Second VPC
Go to another region and follow the steps listed in Create the First VPC. Instead of using 10.10.0.0/16 and 10.10.0.0/24 as the CIDR block and subnet, choose different blocks (this walkthrough assumes 10.20.0.0/16 for the second VPC). Make sure the blocks do not overlap with the first VPC.
Select Customer Gateways from the left navigation section and create a new customer gateway, which represents the Sophos UTM residing in the first VPC. Make sure to select Dynamic for Routing and the public IP of the Sophos UTM for IP Address. BGP ASN can be set to 65000. Then click the Yes, Create button to proceed.
Select Virtual Private Gateways from the left navigation section and create a new virtual private gateway, which will be used by the route table to route 10.10.0.0/16 to the Sophos UTM. Once the virtual private gateway is created, click the Attach to VPC button to attach it to the VPC.
Select VPN Connections from the left navigation section and create a new VPN connection to connect to the Sophos UTM. Select the virtual private gateway and customer gateway you have created. Make sure to select Use dynamic routing (requires BGP) option. Then click Yes, Create button to proceed.
Once the VPN connection is created, click Download Configuration to download the appropriate configuration file for Sophos UTM. You will need to select Sophos as Vendor, UTM as Platform, and V9 as Software.
You will need to replace the public IP of the Sophos UTM with the private IP of the Sophos UTM in the downloaded configuration file. The elastic IP is a 1:1 NAT mapping on the EC2 side; the UTM's own interface only carries the private address, so that is the address the imported configuration must reference. The replacement should occur in two places in the file.
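The two pre-flight checks above (non-overlapping VPC blocks, and the public-to-private IP rewrite that must hit exactly two places) as an added Python example, not part of the original post. The elastic IP, the UTM private IP and the config excerpt are constructed placeholders; the real AWS-generated file is longer and formatted differently.

```python
import ipaddress
import re

# CIDRs are the ones used in this walkthrough; the two IPs are constructed placeholders.
FIRST_VPC_CIDR = "10.10.0.0/16"
SECOND_VPC_CIDR = "10.20.0.0/16"
UTM_PUBLIC_IP = "203.0.113.10"   # constructed stand-in for the elastic IP
UTM_PRIVATE_IP = "10.10.0.25"    # constructed stand-in for the UTM's VPC address

# Constructed excerpt standing in for the downloaded file; as the text says,
# the customer gateway (UTM) address appears twice, once per tunnel.
SAMPLE_CONFIG = """\
# constructed excerpt, not the real AWS download
[tunnel1]
customer_gateway_outside_address = 203.0.113.10
vpn_gateway_outside_address = 198.51.100.1
[tunnel2]
customer_gateway_outside_address = 203.0.113.10
vpn_gateway_outside_address = 198.51.100.2
"""


def check_vpc_cidrs(first, second):
    """Reject overlapping VPC blocks: with overlap, the route-table entries
    pointing at the UTM and at the virtual private gateway become ambiguous."""
    a, b = ipaddress.ip_network(first), ipaddress.ip_network(second)
    if a.overlaps(b):
        raise ValueError(f"VPC CIDRs overlap: {a} and {b}")
    return a, b


def rewrite_utm_config(text, public_ip, private_ip, first_vpc_cidr):
    """Swap the UTM's elastic IP for its private IP. The private IP must live
    in the first VPC, and the public IP must occur exactly twice (one per tunnel);
    any other count means the wrong file or the wrong address was supplied."""
    if ipaddress.ip_address(private_ip) not in ipaddress.ip_network(first_vpc_cidr):
        raise ValueError(f"{private_ip} is not inside the first VPC {first_vpc_cidr}")
    # \b keeps 203.0.113.10 from also matching 203.0.113.100
    pattern = r"\b" + re.escape(public_ip) + r"\b"
    new_text, count = re.subn(pattern, private_ip, text)
    if count != 2:
        raise ValueError(f"expected the public IP in 2 places, found {count}")
    return new_text


if __name__ == "__main__":
    check_vpc_cidrs(FIRST_VPC_CIDR, SECOND_VPC_CIDR)
    print(rewrite_utm_config(SAMPLE_CONFIG, UTM_PUBLIC_IP, UTM_PRIVATE_IP, FIRST_VPC_CIDR))
```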
Go to VPC Management Console, select Route Tables from the left navigation section and add an entry to route 10.10.0.0/16 to the Virtual Private Gateway assuming 10.10.0.0/16 is the CIDR block for the first VPC. The Virtual Private Gateway starts with vgw- prefix.
Setup the Sophos UTM Instance
Open https://<public IP of Sophos UTM>:4444 and upload the configuration file in the VPC config file field under Site-to-Site VPN > Amazon VPC > Setup > Import via Amazon VPC configuration, then apply it.
Once the configuration file is imported and applied, you will see the tunnels turning green.
Go to Network Protection > Firewall and add a rule to allow any sources to any destinations for any services. You can click on the folder icon to drag and drop the Any option into each text area. When the rule is added, it is turned off by default. Make sure to toggle the switch from the off position to the on position to enable it. This any/any rule keeps the walkthrough simple; in a real deployment, scope the rule to the two VPC CIDR blocks (10.10.0.0/16 and 10.20.0.0/16) and the services you actually need rather than Any.
The last step you may want to do is to apply the license. You can upload and apply it in the License file field under Management > Licensing > Installation.