Amazon Elastic Disaster Recovery with site-to-site VPN setup (no internet access on-premises or in the cloud)

In this blog I would like to jot down snippets of my journey while setting up the AWS Elastic Disaster Recovery service for one of my clients. Yes, I used the AWS official blogs for this task.

Here, neither environment (on-premises or AWS) has any internet access.

I've divided the process into three phases:

  1. Setting up the AWS infrastructure (VPC and subnets) based on the AWS DRS network architecture and the VPC CIDR required by the client.

  2. Setting up a site-to-site VPN connection from the client's on-premises network to our AWS VPC.

  3. Configuring and initializing the AWS DRS service: data replication, drill and failover.

The AWS infrastructure is one VPC with a CIDR of 172.x.x.x/24 and four subnets (only two are required), named staging and recovery. Since this is a no-internet setup, the internet gateway was detached from the VPC.

For the setup to work, the replication servers in the staging subnet and the agents on the on-premises source servers need to reach three AWS service endpoints without leaving the private network:

  1. AWS Elastic Disaster Recovery (DRS) endpoint

  2. S3 regional endpoint

  3. EC2 endpoint

To reach these services privately, four VPC endpoints need to be created in the VPC:

  1. S3 gateway endpoint - Gateway

  2. DRS endpoint - Interface

  3. S3 endpoint - Interface

  4. EC2 endpoint - Interface

Both S3 endpoint types are needed: the gateway endpoint serves the replication servers inside the VPC, but a gateway endpoint cannot be reached from on-premises over the VPN, so the source servers use the S3 interface endpoint instead.

Make sure to create a security group that allows TCP 443 inbound from the VPC CIDR and from the client's on-premises prefixes (the source-server agents arrive over the VPN with on-premises addresses, so allowing only the VPC CIDR blocks them), and attach it to the three interface endpoints above. Enable private DNS on the interface endpoints, and make sure the on-premises servers can resolve the service hostnames to the endpoint addresses (for example through a Route 53 Resolver inbound endpoint reachable over the VPN), since there is no public DNS path. The replication servers in the staging subnet must also accept TCP 1500 inbound from the source servers, which is the port DRS uses for replication traffic.

Now we proceed with creating the site-to-site VPN. For that, a few details were collected from the client, listed below:

Firewall details:

Firewall public IP address

Firewall device name (vendor)

Firewall device model number

Routing option: static / dynamic

Additional information:

Firewall software version

Public IP

Preferred IP range for the VPC (/16 preferably, or /24), which must not overlap any on-premises prefix

On-premises server IPs

Static IP prefixes (the on-premises CIDRs to be routed over the VPN)

Once these details are received, we are good to go.
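Before raising the VPN it is worth checking the design on paper. The following pre-flight validator is an added example, not code from the post or from AWS: it encodes the rules above (staging and recovery subnets inside the VPC, no internet gateway, the four VPC endpoints, TCP 443 to the interface endpoints) together with two checks that the client details make possible, namely that the on-premises prefixes do not overlap the VPC CIDR and that the endpoint security group admits the on-premises agents and not only the VPC. The dict layout, the concrete CIDRs (172.16.10.0/24 standing in for the post's 172.x.x.x/24, 10.20.0.0/16 as the client prefix) and the security-group rule tuples are assumptions chosen for illustration.

```python
"""Pre-flight validator for the no-internet DRS network design.

Added example, not the post's own code. All CIDRs and the dict layout
are assumptions chosen for illustration.
"""
import ipaddress

REQUIRED_ENDPOINTS = {("drs", "Interface"), ("s3", "Gateway"),
                      ("s3", "Interface"), ("ec2", "Interface")}


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=True)


def _allows(rules, proto, port, src):
    """True if some (proto, port, cidr) rule covers the whole source network."""
    return any(p == proto and pt == port and src.subnet_of(_net(cidr))
               for p, pt, cidr in rules)


def validate_design(design):
    findings = []
    vpc = _net(design["vpc_cidr"])
    onprem = [_net(c) for c in design["onprem_prefixes"]]

    for role in ("staging", "recovery"):
        if role not in design["subnets"]:
            findings.append(f"missing {role} subnet")
    for role, cidr in design["subnets"].items():
        if not _net(cidr).subnet_of(vpc):
            findings.append(f"{role} subnet {cidr} is outside VPC {vpc}")

    # Static routes over the VPN cannot work if the two sides share addresses.
    for p in onprem:
        if p.overlaps(vpc):
            findings.append(f"on-premises prefix {p} overlaps VPC {vpc}")

    if design.get("internet_gateway_attached"):
        findings.append("internet gateway still attached to the VPC")
    present = {(e["service"], e["type"]) for e in design["vpc_endpoints"]}
    for svc, kind in sorted(REQUIRED_ENDPOINTS - present):
        findings.append(f"missing {svc} {kind} endpoint")

    # Agents arrive over the VPN with on-premises addresses, so the endpoint
    # security group must allow tcp/443 from those prefixes as well as the VPC.
    for src in [vpc] + onprem:
        if not _allows(design["endpoint_sg_ingress"], "tcp", 443, src):
            findings.append(f"endpoint SG does not allow tcp/443 from {src}")

    # Replication traffic from source servers to the replication servers in
    # the staging subnet uses TCP 1500.
    for src in onprem:
        if not _allows(design["staging_sg_ingress"], "tcp", 1500, src):
            findings.append(f"staging SG does not allow tcp/1500 from {src}")
    return findings


def _design(endpoint_rules, staging_rules):
    # Constructed sample: VPC 172.16.10.0/24, client prefix 10.20.0.0/16,
    # internet gateway detached, all four endpoints present.
    return {
        "vpc_cidr": "172.16.10.0/24",
        "subnets": {"staging": "172.16.10.0/26", "recovery": "172.16.10.64/26"},
        "onprem_prefixes": ["10.20.0.0/16"],
        "internet_gateway_attached": False,
        "vpc_endpoints": [
            {"service": "s3", "type": "Gateway"}, {"service": "drs", "type": "Interface"},
            {"service": "s3", "type": "Interface"}, {"service": "ec2", "type": "Interface"},
        ],
        "endpoint_sg_ingress": endpoint_rules,
        "staging_sg_ingress": staging_rules,
    }


# Security group as first described: 443 from the VPC CIDR only.
FLAWED_DESIGN = _design([("tcp", 443, "172.16.10.0/24")], [])
# Corrected: 443 also from the client prefix, and 1500 for replication.
FIXED_DESIGN = _design([("tcp", 443, "172.16.10.0/24"), ("tcp", 443, "10.20.0.0/16")],
                       [("tcp", 1500, "10.20.0.0/16")])

if __name__ == "__main__":
    for name, d in (("flawed", FLAWED_DESIGN), ("fixed", FIXED_DESIGN)):
        print(name, validate_design(d) or "OK")
```

Running it reports two findings for the VPC-only security group (no tcp/443 and no tcp/1500 from 10.20.0.0/16) and none for the corrected design; feeding it the real client prefixes in place of the constructed ones flags an overlap before any static route is created.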

  1. Create the customer gateway.

    1. Provide the firewall public IP during this step, with static routing since the client supplied static prefixes.
  2. Create the virtual private gateway and attach it to the VPC.

  3. Create the site-to-site VPN connection.

    1. Here, select static routing and add the static prefixes provided by the client as routes. Also enable route propagation from the virtual private gateway on the route tables of the staging and recovery subnets, otherwise the VPC never learns the on-premises prefixes and return traffic to the agents is dropped.
  4. Once the connection is created and its status becomes available, download the configuration file. While downloading, specify the firewall vendor, platform and software version given by the client so that AWS generates the configuration file for that device.

  5. Share this file with the client's network team; they set up the tunnel at their end, and if everything goes fine you will see the tunnel status as UP on the site-to-site VPN connection dashboard.
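The same five steps driven through the boto3 EC2 API, as an added example rather than the post's own procedure or an AWS sample: customer gateway, virtual private gateway attached to the VPC, a static-routes-only VPN connection with one route per client prefix, route propagation onto the subnet route tables, then the generic device configuration and tunnel telemetry from describe_vpn_connections (the vendor-specific configuration download exists only in the console). The parameter-building helpers run offline; only provision() talks to AWS. The IDs, the firewall address 198.51.100.7, the prefix 10.20.0.0/16 and the constructed describe_vpn_connections response are assumptions for illustration.

```python
"""Site-to-site VPN provisioning for the DRS VPC, as an added example.

Not the post's own code. IDs, IPs and prefixes are assumptions.
"""
import ipaddress


def customer_gateway_params(firewall_public_ip, bgp_asn=65000):
    """Step 1: the client's firewall public IP. BgpAsn is still a required
    API field for a static-routing VPN; 65000 is the console default."""
    ipaddress.ip_address(firewall_public_ip)  # raises ValueError on a bad address
    return {"Type": "ipsec.1", "PublicIp": firewall_public_ip, "BgpAsn": bgp_asn}


def vpn_connection_params(cgw_id, vgw_id):
    """Step 3: static routing only, since the client gave static prefixes."""
    return {"Type": "ipsec.1", "CustomerGatewayId": cgw_id,
            "VpnGatewayId": vgw_id, "Options": {"StaticRoutesOnly": True}}


def static_route_params(vpn_id, onprem_prefixes):
    """One create_vpn_connection_route call per client prefix; strict=True
    rejects a prefix with host bits set (for example 10.20.1.5/16)."""
    return [{"VpnConnectionId": vpn_id,
             "DestinationCidrBlock": str(ipaddress.ip_network(p, strict=True))}
            for p in onprem_prefixes]


def tunnel_status(describe_response):
    """Step 5: tunnel outside IP -> status, from describe_vpn_connections."""
    conn = describe_response["VpnConnections"][0]
    return {t["OutsideIpAddress"]: t["Status"] for t in conn["VgwTelemetry"]}


def all_tunnels_up(describe_response):
    statuses = tunnel_status(describe_response)
    return bool(statuses) and all(s == "UP" for s in statuses.values())


def provision(vpc_id, route_table_ids, firewall_public_ip, onprem_prefixes, region):
    """Runs the steps against AWS; needs credentials, so it is not run offline."""
    import boto3  # imported here so the helpers above work without boto3 installed
    ec2 = boto3.client("ec2", region_name=region)
    cgw = ec2.create_customer_gateway(**customer_gateway_params(firewall_public_ip))
    cgw_id = cgw["CustomerGateway"]["CustomerGatewayId"]
    vgw_id = ec2.create_vpn_gateway(Type="ipsec.1")["VpnGateway"]["VpnGatewayId"]
    ec2.attach_vpn_gateway(VpcId=vpc_id, VpnGatewayId=vgw_id)
    vpn = ec2.create_vpn_connection(**vpn_connection_params(cgw_id, vgw_id))
    vpn_id = vpn["VpnConnection"]["VpnConnectionId"]
    ec2.get_waiter("vpn_connection_available").wait(VpnConnectionIds=[vpn_id])
    for params in static_route_params(vpn_id, onprem_prefixes):
        ec2.create_vpn_connection_route(**params)
    # Without propagation the staging/recovery route tables never learn the
    # on-premises prefixes, so return traffic to the agents would be dropped.
    for rt in route_table_ids:
        ec2.enable_vgw_route_propagation(RouteTableId=rt, GatewayId=vgw_id)
    desc = ec2.describe_vpn_connections(VpnConnectionIds=[vpn_id])
    # Generic (vendor-neutral) configuration; hand it to the client's network team.
    config_xml = desc["VpnConnections"][0]["CustomerGatewayConfiguration"]
    return vpn_id, config_xml, all_tunnels_up(desc)


# Constructed sample shaped like a describe_vpn_connections response: one
# tunnel is up, the other not yet configured on the client firewall.
SAMPLE_DESCRIBE = {"VpnConnections": [{
    "VpnConnectionId": "vpn-0123456789abcdef0", "State": "available",
    "VgwTelemetry": [
        {"OutsideIpAddress": "203.0.113.10", "Status": "UP", "AcceptedRouteCount": 1},
        {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN", "AcceptedRouteCount": 0},
    ]}]}

if __name__ == "__main__":
    print(customer_gateway_params("198.51.100.7"))
    print(static_route_params("vpn-0123456789abcdef0", ["10.20.0.0/16"]))
    print(tunnel_status(SAMPLE_DESCRIBE), "all up:", all_tunnels_up(SAMPLE_DESCRIBE))
```

Both tunnels should read UP once the client has configured the device; a single DOWN tunnel still passes traffic, but it means the redundancy AWS provides has not been set up on the client side.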

The next phase will be covered in my next blog.

Thank you