Steps to Migrate AWS Classic VPN to AWS VPN connection


You can follow these steps to set up a Site-to-Site VPN connection. Also remember that if your existing Site-to-Site VPN connection is already an AWS VPN connection, it is not possible to migrate it to an AWS Classic VPN connection.

Solution 1: Directly migrate to a new Virtual Private Gateway

With this option you create a new virtual private gateway and Site-to-Site VPN connection, detach the old virtual private gateway from your VPC, and then attach the new virtual private gateway to your VPC.

To migrate to an AWS VPN connection:
1.    Go to the Amazon VPC console (https://console.aws.amazon.com/vpc/home).
2.    In the navigation panel, select Virtual Private Gateways > Create Virtual Private Gateway and create a gateway. Then choose Site-to-Site VPN Connections > Create VPN Connection, enter the following, and click Create.

  • Virtual Private Gateway – Choose the virtual private gateway that you created previously.
  • Customer Gateway – Choose Existing, then select the existing customer gateway for your current AWS Classic VPN connection.

3.    Select the new Site-to-Site VPN connection and click Download Configuration. Download the configuration file that matches your customer gateway device.
4.    Configure the VPN tunnels on your customer gateway device using the configuration file. Check the documentation for your customer gateway device for additional details. Do not enable the tunnels yet; if you need guidance on keeping the newly configured tunnels deactivated, contact our Experts.

Optional: Create a test VPC and connect the virtual private gateway to it. Change the encryption domain/source and destination addresses as needed, and then test the connection from a host in your local network to a test instance in the test VPC.

5.    If you use route propagation for your VPC's route table, select Route Tables in the navigation pane, then Route Propagation > Edit route propagation. Clear the check box next to the old virtual private gateway and save.

Note: From the next step onwards, connectivity is disrupted until the new virtual private gateway is attached and the new Site-to-Site VPN connection is active.

6.    Choose Virtual Private Gateways from the navigation pane, select the old virtual private gateway and choose Actions > Remove from VPC > Yes > Remove. Then select the new virtual private gateway and choose Actions > Attach to VPC. Choose the VPC for your Site-to-Site VPN connection and click Yes > Attach.

7.    Select Route Tables from the navigation panel. Choose your VPC’s route table and perform one of the following:

  • For route propagation – Select Route Propagation > Edit route propagation. Select the check box for the new virtual private gateway that is attached to the VPC and save.
  • For static routes – Select Routes > Edit. Then change the route to point to the new virtual private gateway and save.

8.    Disable the old tunnels and enable the new tunnels on your customer gateway device. To bring a tunnel up, initiate a connection to it from your local network. If applicable, check your route table to confirm that the routes are being propagated; the routes propagate to the route table once the VPN tunnel's state is UP.

Note: To revert to a previous configuration, remove the new virtual private gateway and then repeat steps 7 and 8 to reconnect the old virtual private gateway and update your routes.

9.    When you no longer require your AWS Classic VPN connection and do not wish to be charged for it, remove the previous tunnel configurations from your customer gateway device and delete the Site-to-Site VPN connection. To do so, go to Site-to-Site VPN Connections, select the Site-to-Site VPN connection and choose Delete.

Important: After deleting the AWS Classic VPN connection, you cannot restore it or migrate your new AWS VPN connection back to an AWS Classic VPN connection.

Solution 2: Use a Transit gateway to Migrate

In this method, you set up a transit gateway and attach it to the VPC where your Site-to-Site VPN connection is placed. Then you use your existing customer gateway to create a temporary Site-to-Site VPN connection on the transit gateway. Traffic is routed through the transit gateway VPN connection while you create a new Site-to-Site VPN connection on a new virtual private gateway.

You may also use this option to migrate your Site-to-Site VPN connection directly to a transit gateway. In this scenario, instead of creating a new virtual private gateway, create a new VPN connection on the transit gateway.

Method 1 – Set up a transit gateway and a VPN connection

To set up a transit gateway and a VPN connection:

1.    Go to the Amazon VPC console (https://console.aws.amazon.com/vpc/home).
2.    In the navigation panel, select Transit Gateways > Create Transit Gateway and create a transit gateway using the default options.
3.    Now in the navigation panel, select Transit Gateway Attachments > Create Transit Gateway Attachment. Then, enter the following information and click Create attachment.

  • For Transit Gateway ID – Select the transit gateway you created.
  • For VPC ID – Select the VPC to connect to the transit gateway.

4.    Once again, select Create Transit Gateway Attachment, enter the following information, and click Create attachment.

  • For Transit Gateway ID – Select the transit gateway you created.
  • Attachment type– Choose VPN.
  • Customer Gateway ID – Choose the customer gateway for your existing Site-to-Site VPN connection, and select the routing options.

Method 2 – Creating a new virtual private gateway

Establish a new virtual private gateway and Site-to-Site VPN connection. This method is only needed if you wish to switch to a new virtual private gateway. If you want to migrate your VPN connection to a transit gateway instead, skip these steps and proceed directly to Method 3.

To create a new Site-to-Site VPN connection, follow these steps:

1.    In the navigation panel, select Virtual Private Gateways > Create Virtual Private Gateway and create a new virtual private gateway.
2.    Select Site-to-Site VPN Connections > Create VPN Connection.
3.    For Virtual Private Gateway – Select the virtual private gateway you created.
4.    For Customer Gateway ID – Select the existing customer gateway for your existing Site-to-Site VPN connection and define the routing type. Select Create VPN Connection.
5.    Choose Download Configuration to download the example configuration file for your new Site-to-Site VPN connection. Then, configure the VPN connection on your customer gateway device but do not route any traffic yet.

Method 3 – Switch to the new VPN connection

In this step, you need to temporarily enable asymmetric routing for your VPN traffic while you switch traffic to the transit gateway and then to the new Site-to-Site VPN connection.

To enable the new Site-to-Site VPN connection:

1.    Set up your customer gateway device to use the transit gateway's VPN connection (specify a static route or allow BGP announcements, as required). This activates asymmetric traffic routing.
2.    Choose Route Tables in the navigation pane. Choose the route table for your VPC, and select Actions > Edit routes.
3.    Add routes to your on-premises network with the transit gateway as the target. Enter these as more specific routes than the one propagated from the old virtual private gateway.

For example: if your on-premises network is 10.0.0.0/16, create one route for 10.0.0.0/17 and another for 10.0.128.0/17, both pointing to the transit gateway. Because a VPC route table uses the most specific matching route, these /17 routes take priority over the propagated 10.0.0.0/16 route, and all outbound traffic is routed through the transit gateway while asymmetric traffic routing is in effect.

4.    Now select Virtual Private Gateways from the navigation pane.
5.    Select the old virtual private gateway that is attached to your VPC and choose Actions > Detach from VPC. Select Yes, Detach.
6.    Select the new virtual private gateway you created before and choose Actions > Attach to VPC. Select your VPC, and then click Yes, Attach.
7.    Next, select Route Tables from the navigation pane. From the route table for your VPC, choose Route Propagation > Edit route propagation. Select the check box for the new virtual private gateway and click Save. Confirm that the route has been propagated to your VPC route table.

8.    Configure your customer gateway device to use the new virtual private gateway, using static routes or BGP to route traffic from your on-premises network to your VPC. At this point traffic is still routed asymmetrically.
9.    Select Route Tables from the navigation pane. From the route table for your VPC, choose Actions > Edit routes. Delete the more specific transit gateway routes. This disables the asymmetric traffic flow and routes all traffic through your new Site-to-Site VPN connection.
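To show why steps 3 and 9 of Method 3 work, here is an added example (not from the original page or from AWS) that models the VPC route table with the page's 10.0.0.0/16 on-premises network: it resolves a destination with longest-prefix matching and checks that the two /17 routes exactly cover the /16. The gateway names are placeholders.

```python
import ipaddress
from typing import Dict, Iterable, Optional

# Constructed VPC route table after Method 3, step 3. The /16 is propagated
# by the old virtual private gateway; the two /17s are the static routes that
# point to the transit gateway. Target names are placeholders, not real IDs.
VPC_ROUTES: Dict[str, str] = {
    "10.0.0.0/16": "vgw-old",
    "10.0.0.0/17": "tgw-migration",
    "10.0.128.0/17": "tgw-migration",
}


def lookup(routes: Dict[str, str], destination: str) -> Optional[str]:
    """Return the target of the most specific route matching destination.
    A VPC route table picks the longest matching prefix, so the /17 routes
    win over the propagated /16 while they exist."""
    dst = ipaddress.ip_address(destination)
    best = None
    for prefix, target in routes.items():
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def covers(on_prem: str, specific_routes: Iterable[str]) -> bool:
    """Check that the more specific routes collapse back to exactly the
    on-premises prefix, so no on-premises destination stays on the old path."""
    nets = [ipaddress.ip_network(p) for p in specific_routes]
    return list(ipaddress.collapse_addresses(nets)) == [ipaddress.ip_network(on_prem)]


def routes_after_cleanup(routes: Dict[str, str], tgw: str, new_vgw: str) -> Dict[str, str]:
    """Model steps 7 and 9: the /16 is now propagated by the new virtual
    private gateway and the transit gateway routes have been deleted."""
    return {prefix: new_vgw for prefix, target in routes.items() if target != tgw}


if __name__ == "__main__":
    print("during migration:", lookup(VPC_ROUTES, "10.0.5.1"))
    print("/17s cover the /16:", covers("10.0.0.0/16", ["10.0.0.0/17", "10.0.128.0/17"]))
    final = routes_after_cleanup(VPC_ROUTES, "tgw-migration", "vgw-new")
    print("after cleanup:", lookup(final, "10.0.5.1"))
```

Running it shows the same destination resolving to the transit gateway during migration and to the new virtual private gateway once the /17 routes are removed.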

Method 4 – Clean Up

Once you have migrated to a new virtual private gateway, you can delete the transit gateway VPN connection and the transit gateway that you created during the migration. You can also delete your AWS Classic VPN connection if it is no longer required.

Follow these steps to clean up your resources:

1.    First, remove the configuration for the temporary VPN connection on the transit gateway, as well as the configuration for the old VPN connection, from your customer gateway device.
2.    Choose Site-to-Site VPN Connections in the navigation pane. Then click your old Site-to-Site VPN connection, and then Actions > Delete.
3.    Choose Virtual Private Gateways, then select your old virtual private gateway and click Actions > Delete. If you migrated your VPN connection to a transit gateway, stop here.
4.    Select Site-to-Site VPN Connections and choose the transit gateway VPN connection. Click Actions > Delete.
5.    Then select Transit Gateway Attachments, and choose the VPC attachment. Select Actions > Delete.
6.    Choose Transit Gateways and select your transit gateway. Click Actions > Delete.

Solution 3: Delete and re-create VPN connection – Backup for AWS Direct Connect

Choose this option if you have an AWS Direct Connect connection and an AWS Classic VPN connection on the same virtual private gateway and use the VPN connection as a backup for the AWS Direct Connect connection. With this option you delete the existing AWS Classic VPN connections on your virtual private gateway. Once the AWS Classic VPN connections are in the deleted state, you migrate to an AWS VPN connection by creating a new VPN connection on the same virtual private gateway.

Follow these steps to migrate to an AWS VPN connection:

1.    Go to the Amazon VPC console (https://console.aws.amazon.com/vpc/home).
2.    Select Site-to-Site VPN Connections from the navigation pane, and then select the AWS Classic VPN connection. Click Actions > Delete.
3.    Remove the previously configured tunnels from your customer gateway device.
4.    Repeat the previous two steps until all existing AWS Classic VPN connections for the virtual private gateway have been removed. Wait for the VPN connections to reach the deleted state.
5.    Choose Create VPN Connection, enter the following information, choose the routing option as required, and then click Create VPN Connection.

  • Select the virtual private gateway that you used for the AWS Classic VPN connection.
  • Choose the Existing customer gateway for your current AWS Classic VPN connection.

6.   Choose Download Configuration for the new Site-to-Site VPN connection. Download the configuration file that relates to your customer gateway device.
7.    Configure VPN tunnels on your customer gateway device using the configuration file.
8.    On your customer gateway device, enable the new tunnels. To bring the tunnels up, initiate a connection from your local network.

Finally, if applicable, check your route tables to confirm that the routes are being propagated. Once the VPN tunnel status is UP, the routes propagate to the route table.

We can provide assistance with Site-to-Site VPN connections; if you need any help, Contact Us.
