VPC Configuration Details

The AWS documentation for connecting a hardware device to a VPC provides a great deal of detail on configuring VPN Connections to a VPC.

The main configuration elements in Amazon’s data model are the Virtual Private Gateway, the Customer Gateway, and the VPN Connection. All three must exist before a VPN connection to a VPC can be configured. The Virtual Private Gateway is the VPN endpoint on Amazon’s side. The Customer Gateway is the VPN endpoint on the Netgate® pfSense® Plus instance/device being configured. The VPN Connection is the IPsec VPN between Amazon and the pfSense® Plus instance/device.

A Virtual Private Gateway must exist and be associated with the VPC. A given VPN Gateway can be associated with only one VPC at a time. Once the VPC to connect to has been selected, the wizard invokes the AWS API call DescribeVpnGateways to determine whether a VPN Gateway attached to that VPC already exists. If none exists, it creates one with the CreateVpnGateway API call and attaches it to the VPC with the AttachVpnGateway call.

A Customer Gateway must be created for the public IP address of the device or virtual machine that will connect to the VPC. The wizard invokes the AWS API call DescribeCustomerGateways to determine whether a Customer Gateway for that address already exists. If none exists, one is created with the CreateCustomerGateway API call.

The VPN Connection connects the Virtual Private Gateway and the Customer Gateway. The wizard checks whether an existing VPN Connection already connects those two endpoints by invoking the AWS API call DescribeVpnConnections. If none exists, one is created using the CreateVpnConnection call. One of the fields returned by this call is a block of XML containing the configuration data AWS assigned to the VPN Connection (endpoints, pre-shared keys, and tunnel parameters). The wizard stores this data and uses it in subsequent steps to make the required configuration changes within pfSense® Plus.

Any objects the wizard creates through API calls are tagged with a name of the form auto-created by pfSense VPC <your_VPC_ID>. This is done with the AWS API call CreateTags, using Name as the tag key.

In addition to creating the items above, the wizard makes the adjustments to Security Groups and Route Tables required for communication over the VPN. The Security Groups associated with the VPC are updated to allow inbound access from the local subnets on the pfSense® Plus end of the VPN. They are first checked via the DescribeSecurityGroups AWS API call to determine whether the access is already allowed; each subnet not already allowed is granted inbound access via the AuthorizeSecurityGroupIngress AWS API call.

Route Tables associated with the VPC are updated to receive routes propagated from the VPN Gateway used by the VPN Connection. They are first checked via the DescribeRouteTables AWS API call. If the VPN Gateway ID is not in a table's list of propagating VPN Gateways, route propagation for that gateway is enabled on the table using the EnableVgwRoutePropagation AWS API call.

For VPN Connections using static routing, static routes for the specified subnets are added to the VPN Connection. This is done via the CreateVpnConnectionRoute AWS API call.
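The check-then-write pattern the wizard applies to Security Groups and Route Tables, as an added Python example (not Netgate's wizard code): the two ensure functions accept any object exposing the boto3 EC2 client call shapes, FakeEC2 is a constructed offline stand-in for that client, and the VPC, gateway, group and route-table IDs and the subnets are placeholders.

```python
# Placeholder identifiers constructed for this example; they are not real AWS resource IDs.
VPC_ID, VGW_ID = "vpc-EXAMPLE", "vgw-EXAMPLE"
LOCAL_SUBNETS = ["192.168.1.0/24", "192.168.2.0/24"]  # LAN networks behind pfSense Plus
VPC_FILTER = [{"Name": "vpc-id", "Values": [VPC_ID]}]  # boto3 Filters= shape

def ensure_ingress(ec2, subnets: list[str]) -> list[tuple[str, str]]:
    """DescribeSecurityGroups, then AuthorizeSecurityGroupIngress only for subnets a group
    does not yet allow. Returns the (group_id, cidr) pairs added; a rerun returns []."""
    added = []
    for group in ec2.describe_security_groups(Filters=VPC_FILTER)["SecurityGroups"]:
        allowed = {r["CidrIp"] for p in group["IpPermissions"] for r in p.get("IpRanges", [])}
        missing = [c for c in subnets if c not in allowed]
        if missing:  # no write call at all when the access is already present
            ec2.authorize_security_group_ingress(GroupId=group["GroupId"], IpPermissions=[
                {"IpProtocol": "-1", "IpRanges": [{"CidrIp": c} for c in missing]}])
            added += [(group["GroupId"], c) for c in missing]
    return added

def ensure_vgw_propagation(ec2, vgw_id: str) -> list[str]:
    """DescribeRouteTables, then EnableVgwRoutePropagation only on tables lacking the VGW."""
    changed = []
    for table in ec2.describe_route_tables(Filters=VPC_FILTER)["RouteTables"]:
        if vgw_id not in {g["GatewayId"] for g in table["PropagatingVgws"]}:
            ec2.enable_vgw_route_propagation(RouteTableId=table["RouteTableId"], GatewayId=vgw_id)
            changed.append(table["RouteTableId"])
    return changed

class FakeEC2:
    """Constructed in-memory stand-in with the call shapes of a boto3 EC2 client, so the logic
    runs offline (against AWS, pass boto3.client("ec2") instead). `writes` counts mutating calls."""
    def __init__(self, groups, tables):
        self.groups, self.tables, self.writes = groups, tables, 0
    def describe_security_groups(self, Filters): return {"SecurityGroups": self.groups}
    def describe_route_tables(self, Filters): return {"RouteTables": self.tables}
    def authorize_security_group_ingress(self, GroupId, IpPermissions):
        self.writes += 1
        next(g for g in self.groups if g["GroupId"] == GroupId)["IpPermissions"].extend(IpPermissions)
    def enable_vgw_route_propagation(self, RouteTableId, GatewayId):
        self.writes += 1
        next(t for t in self.tables if t["RouteTableId"] == RouteTableId)["PropagatingVgws"].append({"GatewayId": GatewayId})

def make_fake() -> FakeEC2:
    """Sample VPC state: sg-EXAMPLE1 already allows one subnet, rtb-EXAMPLE1 already propagates."""
    sg1 = {"GroupId": "sg-EXAMPLE1", "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "192.168.1.0/24"}]}]}
    sg2 = {"GroupId": "sg-EXAMPLE2", "IpPermissions": []}
    rt1 = {"RouteTableId": "rtb-EXAMPLE1", "PropagatingVgws": [{"GatewayId": VGW_ID}]}
    rt2 = {"RouteTableId": "rtb-EXAMPLE2", "PropagatingVgws": []}
    return FakeEC2([sg1, sg2], [rt1, rt2])
```

Running both functions twice against the same fake shows the wizard's idempotency property: the first pass issues only the writes that are actually missing, and the second pass issues none.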