Site-to-Site VPN

A Site-to-Site Virtual Private Network (VPN) establishes a secure, encrypted tunnel between your RunAtlas VPC and your local office, datacenter, or another cloud provider. This allows you to treat your RunAtlas resources as an extension of your existing network.

Prerequisites

  • A VPC with at least one Tier/Subnet.
  • A Public IP attached to the VPC Gateway (Source NAT).
  • Access to configure your local router/firewall (e.g., Cisco ASA, Juniper SRX, pfSense, OpenVPN).

Configuration Steps

  1. Enable VPN Gateway:

    • Navigate to Network > VPC.
    • Select your VPC.
    • Click the VPN Gateway tab (or icon).
    • Create/Enable: This assigns the VPN service to the VPC’s Source NAT IP. Note this public IP.
  2. Create Customer Gateway:

    • Within the VPC view (or under Network > VPN Customer Gateway if available globally), click Add Customer Gateway.
    • Name: e.g., “Office-HQ-Router”.
    • Gateway: The public IP of your office firewall.
    • CIDR: The IP range of your local network (e.g., 192.168.1.0/24).
    • IKE/ESP Policy: Define your encryption (AES-256), hash (SHA-256), and DH Group (e.g., Group 14).
  3. Create VPN Connection:

    • Navigate to VPN Connections (often a tab within the VPC or a sidebar item).
    • Click Create VPN Connection.
    • Select the VPN Gateway (your VPC) and the Customer Gateway (your office).
    • Passive/Active: Usually check “Passive” when the office side will initiate the connection.
    • Preshared Key (PSK): Copy the generated key (or provide one).

Local Configuration Example (Generic)

On your firewall:

  • Remote Gateway: RunAtlas Public IP.
  • Remote Subnet: RunAtlas VPC CIDR (e.g., 10.0.0.0/16).
  • Local ID: Your Firewall Public IP.
  • Preshared Key: The key generated above.
  • Phase 1: AES-256, SHA-256, DH2. Lifetime 28800 seconds. The DH group must match the one set in the Customer Gateway IKE policy.
  • Phase 2: AES-256, SHA-256, PFS (optional; if enabled, its group must match the Customer Gateway ESP policy). Lifetime 3600 seconds.

Verification

Once configured on both sides:

  1. Initiate traffic from your local network to an instance in the VPC.
  2. Check the Status in the RunAtlas console (should turn Green/Connected).
  3. Verify that your VPC routing tables send traffic destined for your office (192.168.1.0/24) through the VPN Gateway.
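The routing check in step 3 can be done against an exported route table rather than by eye. The script below is an added example for this guide, not RunAtlas code; the route-table shape (a list of destination CIDR and next-hop pairs, with the next-hop names used here) is an assumption, and the sample table is constructed to match the addresses used in this guide. It performs a longest-prefix lookup, probes the first and last usable office addresses, and also flags an office range that overlaps the VPC CIDR, which no site-to-site tunnel can route.

```python
"""Check that a VPC route table sends office-bound traffic through the VPN gateway.

Added example for this guide, not RunAtlas code. The route-table format (a list of
(destination CIDR, next hop) pairs) and the next-hop names are assumptions; export
your own table and feed it in the same shape.
"""
import ipaddress

# Constructed sample route table for a VPC using 10.0.0.0/16, with the office
# network reachable through the VPN gateway and everything else via Source NAT.
SAMPLE_ROUTES = [
    ("10.0.0.0/16", "local"),
    ("192.168.1.0/24", "vpn-gateway"),
    ("0.0.0.0/0", "vpc-gateway-snat"),
]


def resolve_route(routes, dst_ip):
    """Return (cidr, next_hop) of the most specific route covering dst_ip, or None."""
    ip = ipaddress.ip_address(dst_ip)
    best = None
    for cidr, next_hop in routes:
        net = ipaddress.ip_network(cidr, strict=False)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return (str(best[0]), best[1]) if best else None


def check_vpn_routing(routes, office_cidr, vpc_cidr, vpn_hop="vpn-gateway"):
    """Return a list of problems; an empty list means office traffic will use the tunnel."""
    problems = []
    office = ipaddress.ip_network(office_cidr, strict=False)
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    # Overlapping address space cannot be routed across a site-to-site tunnel.
    if office.overlaps(vpc):
        problems.append(f"office CIDR {office} overlaps VPC CIDR {vpc}")
    # Probe the first and last usable office addresses: both must hit the VPN route.
    for probe in (office.network_address + 1, office.broadcast_address - 1):
        hit = resolve_route(routes, str(probe))
        if hit is None:
            problems.append(f"no route for {probe}")
        elif hit[1] != vpn_hop:
            problems.append(f"{probe} routed via {hit[1]} ({hit[0]}), expected {vpn_hop}")
    return problems


if __name__ == "__main__":
    print(resolve_route(SAMPLE_ROUTES, "192.168.1.50"))
    print(check_vpn_routing(SAMPLE_ROUTES, "192.168.1.0/24", "10.0.0.0/16"))
```

An empty problem list means the office prefix wins the longest-prefix match and points at the VPN gateway; a probe that lands on the default route is the usual sign that the office route was never added to the VPC.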

Troubleshooting

  • Check Logs: Review firewall logs for Phase 1 (IKE) or Phase 2 (IPsec) negotiation errors.
  • Mismatched Proposals: Ensure encryption algorithms match exactly on both ends.
  • Firewall Rules: Verify UDP 500, UDP 4500, and ESP (Protocol 50) are allowed on both public IPs.
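Most Phase 1 and Phase 2 failures come from the two ends disagreeing on a parameter, so it is worth comparing both configurations before reading negotiation logs. The script below is an added example for this guide, not RunAtlas or any firewall vendor's code. The two dictionaries and their field names are assumptions that mirror the Local Configuration section: the VPC side carries the Customer Gateway policy (DH Group 14), the firewall side carries the generic example (DH2), and the script reports that difference. It normalises vendor spellings (“Group 14”, “DH14”, “modp2048”), checks that local and remote subnets are mirrored, that the PSKs agree, and that UDP 500, UDP 4500 and ESP are allowed inbound. The public IPs are constructed documentation addresses.

```python
"""Pre-flight comparison of both tunnel ends before chasing IKE/IPsec log errors.

Added example for this guide, not RunAtlas or vendor code. Field names are
assumptions; fill them from the Customer Gateway / VPN Connection screens and
from your firewall's IPsec settings.
"""
import re

# Constructed: what the RunAtlas Customer Gateway / VPN Connection were created with.
VPC_SIDE = {
    "peer_ip": "198.51.100.10",       # office firewall public IP (constructed)
    "remote_cidr": "192.168.1.0/24",  # office network
    "local_cidr": "10.0.0.0/16",      # VPC CIDR
    "psk": "example-psk-REPLACE-ME",
    "ike": {"encryption": "AES-256", "hash": "SHA-256", "dh": "Group 14", "lifetime": 28800},
    "esp": {"encryption": "AES-256", "hash": "SHA-256", "pfs": "Group 14", "lifetime": 3600},
}

# Constructed: the office firewall's view of the same tunnel (DH2 as in the generic example).
FIREWALL_SIDE = {
    "peer_ip": "203.0.113.5",         # RunAtlas Source NAT public IP (constructed)
    "remote_cidr": "10.0.0.0/16",
    "local_cidr": "192.168.1.0/24",
    "psk": "example-psk-REPLACE-ME",
    "ike": {"encryption": "AES-256", "hash": "SHA-256", "dh": "DH2", "lifetime": 28800},
    "esp": {"encryption": "AES-256", "hash": "SHA-256", "pfs": "Group 14", "lifetime": 3600},
    "allowed_inbound": [("udp", 500), ("udp", 4500), ("esp", None)],
}


def normalize(value):
    """Map vendor spellings onto one form: 'AES-256' -> 'aes256', 'SHA-256' -> 'sha256',
    'DH2' / 'Group 14' / 'modp2048' -> 'dh2' / 'dh14' / 'dh14'."""
    v = re.sub(r"[\s_-]", "", value.strip().lower())
    modp = {"modp1024": "dh2", "modp1536": "dh5", "modp2048": "dh14", "modp3072": "dh15"}
    if v in modp:
        return modp[v]
    m = re.fullmatch(r"(?:group|dh)(\d+)", v)
    return f"dh{m.group(1)}" if m else v


def compare_tunnel(vpc, fw):
    """Return the differences that would stop Phase 1/2 from completing or traffic from flowing."""
    issues = []
    # Each side's remote network must be the other side's local network.
    if vpc["remote_cidr"] != fw["local_cidr"] or vpc["local_cidr"] != fw["remote_cidr"]:
        issues.append("traffic selectors are not mirrored (local/remote CIDRs swapped or wrong)")
    if vpc["psk"] != fw["psk"]:
        issues.append("preshared keys differ")
    for phase, key in (("Phase 1 (IKE)", "ike"), ("Phase 2 (ESP)", "esp")):
        for field, a in vpc[key].items():
            b = fw[key].get(field)  # None when the firewall omits it (e.g. PFS disabled)
            same = a == b if isinstance(a, int) else normalize(a) == normalize(b or "")
            if not same:
                issues.append(f"{phase} {field}: {a} vs {b}")
    return issues


def check_firewall_openings(allowed):
    """Return the IKE/IPsec inbound openings still missing from an allow list."""
    required = {("udp", 500), ("udp", 4500), ("esp", None)}
    return sorted(required - set(allowed), key=str)


if __name__ == "__main__":
    for line in compare_tunnel(VPC_SIDE, FIREWALL_SIDE):
        print("MISMATCH:", line)
    print("missing openings:", check_firewall_openings(FIREWALL_SIDE["allowed_inbound"]))
```

With the constructed inputs the only finding is the Phase 1 DH group (Group 14 vs DH2); fixing the firewall side to Group 14 empties the list. A PFS group that is set on the VPC side but absent on the firewall is reported the same way, since the Phase 2 proposal would then never match.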