Cloud Provider Interconnect (CPI) Customer Setup for AWS GovCloud

CPI Customer Setup for AWS GovCloud

Page 1 of 16 Last updated: 4/16/2018

Table of Contents

1 Virtual Private Cloud (VPC)
  1.1 Create Virtual Private Cloud (VPC)
  1.2 Network Access Control List (NACL)
  1.3 Route Table
  1.4 Security Groups (SG)
    1.4.1 Accessing Security Groups
  1.5 Subnets
    1.5.1 Create Subnet
    1.5.2 View or Modify Subnet
  1.6 Virtual Private Gateway (VGW)
    1.6.1 Create Virtual Private Gateway
    1.6.2 Attach Virtual Private Gateway to the VPC
  1.7 Direct Connect Virtual Interfaces
    1.7.1 Setup Virtual Interface
    1.7.2 Accept Virtual Interfaces
    1.7.3 Confirm Virtual Interfaces are Available
  1.8 Propagate Route
  1.9 DHCP Options Set (Optional)
    1.9.1 Create DHCP Options Set
    1.9.2 Update VPC to Use DHCP Option Set
2 Verify CPI Setup and Connectivity
  2.1 Allow ICMP Traffic
  2.2 Build an EC2 Instance in AWS
  2.3 Testing and Troubleshooting
  2.4 Stop and Terminate Instance

Purpose: This guide assists CDT customers with Cloud Provider Interconnect (CPI) setup using a CDT-provided AWS GovCloud account.


1 Virtual Private Cloud (VPC)

CDT creates a default Virtual Private Cloud (VPC) during account setup. From the AWS GovCloud console (https://signin.amazonaws-us-gov.com), select VPC and then click Your VPCs. VPC settings can be modified using the Actions menu.

If using an existing VPC, skip Section 1.1 below.

Additional AWS Documentation can be found here: https://aws.amazon.com/documentation/vpc/

1.1 Create Virtual Private Cloud (VPC)

From the AWS console, select VPC then click Create VPC. Complete the VPC details:

Name Tag = Enter the VPC name
IPv4 CIDR block = Enter the IP range provided by CDT
Tenancy = Default

Click Yes, Create.

Three VPC components are created by default: Route Table, Network Access Control List and default Security Group. Following are procedures to access these components.

(Screenshot callout: Use the IP address range provided by CDT.)


1.2 Network Access Control List (NACL)

A network access control list (NACL) is created by default when a VPC is created. Be sure to select the NACL which corresponds to the correct VPC.

The NACL is open by default for both inbound and outbound traffic. NACLs are stateless, so reply traffic is not allowed automatically; it must be permitted by a rule in the opposite direction.

Additional AWS Documentation can be found here: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html
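The stateless behaviour noted above is the usual reason an inbound rule looks correct yet pings still fail. The following added Python model (written for this guide, not AWS code and not part of the original document) evaluates a constructed NACL the way AWS does, lowest rule number first with an implicit final deny, and then checks each inbound allow rule for an outbound path that would carry its replies. The rule numbers, CIDRs and helper names (`evaluate`, `return_path_gaps`) are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class NaclRule:
    """One NACL entry, using the console's columns (constructed model)."""
    number: int                    # 1..32766; AWS tries the lowest number first
    egress: bool                   # False = inbound rule, True = outbound rule
    protocol: str                  # "icmp", "tcp", "udp" or "-1" for all traffic
    cidr: str                      # source CIDR (inbound) or destination CIDR (outbound)
    action: str                    # "allow" or "deny"
    ports: Optional[tuple] = None  # (from_port, to_port) for tcp/udp; None = all ports


def evaluate(rules: List[NaclRule], egress: bool, protocol: str,
             address: str, port: Optional[int] = None) -> str:
    """Return 'allow' or 'deny' for one packet. Rules for the given direction are
    tried in ascending rule-number order and the first match wins; if nothing
    matches, the implicit '*' rule denies, as AWS does."""
    ip = ipaddress.ip_address(address)
    candidates = sorted((r for r in rules if r.egress == egress), key=lambda r: r.number)
    for r in candidates:
        if r.protocol not in ("-1", protocol):
            continue
        if ip not in ipaddress.ip_network(r.cidr, strict=False):
            continue
        if r.ports is not None and (port is None or not r.ports[0] <= port <= r.ports[1]):
            continue
        return r.action
    return "deny"


def return_path_gaps(rules: List[NaclRule]) -> List[int]:
    """List the rule numbers of inbound allow rules whose replies the outbound
    rules would drop. ICMP replies use ICMP; TCP/UDP replies go back to an
    ephemeral port on the client, so a representative port (49152) is tested."""
    gaps = []
    for r in rules:
        if r.egress or r.action != "allow":
            continue
        peer = str(ipaddress.ip_network(r.cidr, strict=False).network_address)
        proto = "tcp" if r.protocol == "-1" else r.protocol
        port = None if proto == "icmp" else 49152
        if evaluate(rules, True, proto, peer, port) != "allow":
            gaps.append(r.number)
    return gaps


# Constructed NACL (not from the guide): inbound allows ICMP and SSH from a
# 10.0.0.0/8 on-premises range, but outbound only allows HTTPS, so every
# reply to that inbound traffic is dropped by the stateless ACL.
EXAMPLE_RULES = [
    NaclRule(100, False, "icmp", "10.0.0.0/8", "allow"),
    NaclRule(110, False, "tcp", "10.0.0.0/8", "allow", (22, 22)),
    NaclRule(100, True, "tcp", "0.0.0.0/0", "allow", (443, 443)),
]

# The same ACL with the outbound reply rules added.
FIXED_RULES = EXAMPLE_RULES + [
    NaclRule(110, True, "icmp", "10.0.0.0/8", "allow"),
    NaclRule(120, True, "tcp", "10.0.0.0/8", "allow", (1024, 65535)),
]

if __name__ == "__main__":
    print("inbound ICMP from 10.1.2.3:", evaluate(EXAMPLE_RULES, False, "icmp", "10.1.2.3"))
    print("outbound ICMP to 10.1.2.3: ", evaluate(EXAMPLE_RULES, True, "icmp", "10.1.2.3"))
    print("rules with no return path:", return_path_gaps(EXAMPLE_RULES))
    print("after fix:                 ", return_path_gaps(FIXED_RULES))
```

Running the module reports that inbound rules 100 and 110 have no return path under `EXAMPLE_RULES` and none under `FIXED_RULES`; the same check, run over the rules exported from the console, shows which direction still needs a rule before the connectivity tests in Section 2.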

1.3 Route Table

The VPC route table is also automatically created. Be sure to select the route table which corresponds to the correct VPC.

Additional AWS Documentation can be found here: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Route_Tables.html


1.4 Security Groups (SG)

A VPC default Security Group is added as part of the VPC creation. In order to test connectivity, add the inbound and outbound rules. Security Group rules will be specific to customer network requirements.

See AWS Security Group Rules Reference for common implementation scenarios: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html

1.4.1 Accessing Security Groups

The VPC Security Groups can be accessed from two areas: the Networking / VPC dashboard or the EC2 dashboard.

1.4.1.1 Security Group Access from Networking Menu

From the AWS console menu under Networking, select VPC then scroll down the left menu to Security and select Security Groups. Look for the Security Group(s) that correspond(s) with the VPC and click to view or edit.


1.4.1.2 Security Group Access from EC2 Dashboard

From the AWS console menu, select EC2 then scroll down the left menu to Network & Security and select Security Groups. Look for the VPC ID that corresponds to the VPC to identify the default VPC security group. Be sure to name the security group.

Click the Inbound or Outbound tab and the Edit button to modify rules.

(Screenshot callouts: Click the pencil icon to edit the SG name. The SG edit popup window makes recommendations as you type.)


1.5 Subnets

CDT creates default subnets during account setup. Subnet configuration depends upon customer and application requirements. For subnet design patterns and best practices (including subnet sizing scenarios), see: https://aws.amazon.com/answers/networking/aws-single-vpc-design/

If using existing subnets, skip Section 1.5.1 below.

Additional AWS Documentation can be found here: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html

1.5.1 Create Subnet

To create a new subnet, from the console menu, select VPC then select Subnets from the left hand menu. Click the Create Subnet button. Following naming conventions, type the Subnet name in the Name tag field. Choose the VPC from the drop down selection. Click the Yes, Create button.
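Sections 1.1 and 1.5.1 both depend on getting CIDR blocks right: the VPC block must be the range CDT provides, and every subnet must sit inside it without overlapping another. The console rejects a bad entry only after it is typed, so the added Python check below (written for this guide, not AWS code and not part of the original document) validates a whole plan first. It applies the AWS limits that a VPC or subnet block must be between /16 and /28 and that AWS reserves five addresses in every subnet. The VPC range, subnet names and CIDRs are constructed sample values, not CDT-provided ones.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample plan standing in for the CDT-provided range and a
# customer's subnets; none of these values come from the guide.
VPC_CIDR = "10.250.0.0/16"
SUBNETS = {
    "app-a": "10.250.1.0/24",
    "app-b": "10.250.2.0/24",
    "db-a":  "10.250.1.128/25",   # overlaps app-a
    "mgmt":  "10.251.0.0/24",     # outside the VPC block
    "tiny":  "10.250.3.0/29",     # smaller than AWS allows
}

MIN_PREFIX, MAX_PREFIX = 16, 28   # AWS accepts /16 through /28 for VPCs and subnets
AWS_RESERVED_PER_SUBNET = 5       # network, VPC router, DNS, future use, broadcast


def _prefix_ok(net: ipaddress.IPv4Network) -> bool:
    return MIN_PREFIX <= net.prefixlen <= MAX_PREFIX


def check_plan(vpc_cidr: str, subnets: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (name, problem) findings for a VPC/subnet plan: the VPC block is a
    valid network of allowed size, each subnet is a valid network of allowed
    size, lies inside the VPC block, and overlaps no earlier subnet."""
    findings = []
    try:
        vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    except ValueError as exc:
        return [("vpc", f"not a valid network CIDR: {exc}")]
    if not _prefix_ok(vpc):
        findings.append(("vpc", f"prefix /{vpc.prefixlen} is outside the /16-/28 range AWS accepts"))
    accepted: Dict[str, ipaddress.IPv4Network] = {}
    for name, cidr in subnets.items():
        try:
            net = ipaddress.ip_network(cidr, strict=True)   # strict: host bits must be zero
        except ValueError as exc:
            findings.append((name, f"not a valid network CIDR: {exc}"))
            continue
        if not _prefix_ok(net):
            findings.append((name, f"prefix /{net.prefixlen} is outside the /16-/28 range AWS accepts"))
        if not net.subnet_of(vpc):
            findings.append((name, f"{cidr} is not inside VPC block {vpc_cidr}"))
        for other, other_net in accepted.items():
            if net.overlaps(other_net):
                findings.append((name, f"{cidr} overlaps {other} ({other_net})"))
        accepted[name] = net
    return findings


def usable_hosts(cidr: str) -> int:
    """Instance addresses left in a subnet after the AWS reservation."""
    net = ipaddress.ip_network(cidr, strict=True)
    return max(net.num_addresses - AWS_RESERVED_PER_SUBNET, 0)


if __name__ == "__main__":
    for name, problem in check_plan(VPC_CIDR, SUBNETS):
        print(f"{name}: {problem}")
    print("usable hosts in app-a:", usable_hosts(SUBNETS["app-a"]))
```

The sample plan produces three findings (db-a overlaps app-a, mgmt is outside the VPC block, tiny is smaller than /28) and reports 251 usable addresses for a /24; replacing the constructed values with the real CDT range and the intended subnets gives the list to fix before Section 1.5.1.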


1.5.2 View or Modify Subnet

From the AWS console, select VPC and then click Subnets. Verify subnet details by selecting the subnet. To modify settings, select the Subnet Actions drop down menu.

1.6 Virtual Private Gateway (VGW)

The Virtual Private Gateway connects the VPC to the Direct Connect Virtual Interface.

1.6.1 Create Virtual Private Gateway

From the console, choose Virtual Private Gateway within the VPN Connections section. Complete the name tag field and click the Create Virtual Private Gateway button.


1.6.2 Attach Virtual Private Gateway to the VPC

Once the Virtual Private Gateway is created, it must be attached to the VPC. With the Virtual Private Gateway selected, choose Attach to VPC from the Actions drop down menu.

Additional AWS Documentation can be found here: https://aws.amazon.com/premiumsupport/knowledge-center/create-attach-igw-vpc/

(Screenshot callout: Choose the VPC used or created above.)


Ensure the Virtual Private Gateway is in the attached state.

1.7 Direct Connect Virtual Interfaces

CDT will create two Virtual Interfaces for redundancy (primary and backup). These interfaces must be configured on the customer side to associate the Direct Connect interfaces with the customer VPC.

Additional AWS Documentation can be found here: https://docs.aws.amazon.com/directconnect/latest/UserGuide/accepthostedvirtualinterface.html

1.7.1 Setup Virtual Interface

From the AWS console, select Direct Connect, then Virtual Interfaces. There will be a message of pending acceptance. Both primary and backup virtual interfaces should be pending acceptance.


1.7.2 Accept Virtual Interfaces

Select each one to see the details. Select the "I understand that I will be responsible for data transfer charges incurred for this interface" check box and choose Accept Virtual Interface.

Attach the connection to a Virtual Private Gateway and select the ID of the gateway which was created in previous steps.


1.7.3 Confirm Virtual Interfaces are Available

The acceptance process may take a few minutes. Confirm both primary and backup interfaces are available.

1.8 Propagate Route

Within the VPC dashboard, select Route Tables, select the route table corresponding to the VPC then click the Route Propagation tab. Click on the Edit button then select the checkbox to change Propagate from No to Yes. Click Save.


Verify that the route table has picked up the propagated route(s).

1.9 DHCP Options Set (Optional)

AWS assigns a default DNS server within the environment. A DHCP option set must be created in order to use on-premises or CDT provided DNS services. After creating the option set, update the VPC to use the new set.

1.9.1 Create DHCP Options Set

From the console, select VPC then select DHCP Options Set from the left hand menu. Click the Create DHCP options set button. Complete the Name tag field, Domain name, Domain name servers and NetBIOS information (if applicable).

(Screenshot callout: Multiple IPs can be entered using a comma delimited format.)


1.9.2 Update VPC to Use DHCP Option Set

From the console, select VPC, select Your VPCs from the left menu, select the VPC then click on Actions. Choose Edit DHCP Options Set.

Select the new DHCP options set ID from the drop down menu and click Save.

2 Verify CPI Setup and Connectivity

2.1 Allow ICMP Traffic

Proper inbound and outbound rules must be attached to the security group(s) prior to testing connectivity. To complete the following tests, ICMP traffic must be permitted between the test server (or PC) and the VPC.

There are two methods to access security groups; refer to Accessing Security Groups, Section 1.4.1. The following instructions use the VPC menu. From the main console, choose VPC and scroll down to Security Groups.

Locate the VPC's default security group and select it. Click on the Inbound Rules tab. Click the Edit button then click on the Add button. Select All ICMP - IPv4 from the Type selection list. Type in the source IP range (in CIDR notation) or the ID of another security group. Click the Save button.

(Screenshot callout: Enter a valid CIDR range or security group ID.)
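The source field of the ICMP rule accepts either a CIDR range or another security group's ID, and the console does not warn when the range is far wider than the test needs. The added Python helper below (written for this guide, not AWS or CDT code and not part of the original document) validates a source value, builds the same "All ICMP - IPv4" rule in the IpPermissions structure that the EC2 API and the AWS CLI's `--ip-permissions` option accept, and flags an over-broad source before it is saved. The sample CIDR, security group ID and the /8 width threshold in `review_source` are constructed for the illustration.

```python
import ipaddress
import json
import re
from typing import Tuple

# AWS security group IDs are "sg-" followed by 8 or 17 hex digits.
SG_ID = re.compile(r"^sg-[0-9a-f]{8}(?:[0-9a-f]{9})?$")


def classify_source(source: str) -> Tuple[str, str]:
    """Return ("sg", id) or ("cidr", normalized-cidr); raise ValueError otherwise."""
    if SG_ID.match(source):
        return "sg", source
    try:
        net = ipaddress.ip_network(source, strict=False)   # "10.1.2.3/24" -> 10.1.2.0/24
    except ValueError:
        raise ValueError(f"{source!r} is neither a CIDR range nor a security group ID")
    if net.version != 4:
        raise ValueError("an 'All ICMP - IPv4' rule needs an IPv4 source")
    return "cidr", str(net)


def icmp_ingress_permission(source: str) -> dict:
    """Build the IpPermissions entry for an 'All ICMP - IPv4' inbound rule.
    FromPort/ToPort of -1 mean every ICMP type and code, which is what the
    console's 'All ICMP - IPv4' type selects."""
    kind, value = classify_source(source)
    perm = {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1}
    if kind == "cidr":
        perm["IpRanges"] = [{"CidrIp": value}]
    else:
        perm["UserIdGroupPairs"] = [{"GroupId": value}]
    return perm


def cli_ip_permissions(source: str) -> str:
    """JSON for: aws ec2 authorize-security-group-ingress --group-id <sg> --ip-permissions '<json>'"""
    return json.dumps([icmp_ingress_permission(source)])


def review_source(source: str) -> str:
    """Sanity check before saving: the test only needs the on-premises range,
    so anything wider deserves a second look (the /8 cut-off is an example
    threshold, not an AWS rule)."""
    kind, value = classify_source(source)
    if kind == "cidr":
        net = ipaddress.ip_network(value)
        if net.prefixlen == 0:
            return "too broad: 0.0.0.0/0 allows ICMP from any address"
        if net.prefixlen < 8:
            return f"wide source /{net.prefixlen}; confirm it matches the CDT-provided range"
    return "ok"


if __name__ == "__main__":
    for src in ("10.20.30.0/24", "sg-0123456789abcdef0", "0.0.0.0/0"):
        print(src, "->", review_source(src))
        print("  ", cli_ip_permissions(src))
```

Run on the constructed values, the module prints the rule JSON for each source and marks 0.0.0.0/0 as too broad; a bare address such as 10.20.30.5 is normalized to a /32 rule, and a typo that is neither a CIDR nor an ID raises ValueError instead of silently producing a rule.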


2.2 Build an EC2 Instance in AWS

In order to test connectivity, a resource in AWS must exist. If existing resources are to be used for testing, this step may be skipped.

From the AWS console, select EC2 then click on the Create Instance button. Choose any type of machine instance. For a low cost option choose Linux, t2.micro (charges per second). Use the examples below to create the instance.

Choose default values and click Next: Configure Instance Details.

Choose the correct VPC for Network and confirm that the subnet appears below Network. Disable Auto-assign Public IP. Click Next: Add Storage.

Accept defaults and click Next: Add Tags.

Add tags or accept the default and click Next: Configure Security Group.


Select the existing security group where ICMP traffic was allowed and click Review and Launch.

If this EC2 instance is for testing purposes only, there is no need to retain or permanently manage keys. Acknowledge the check box and proceed to Launch Instances.

Wait for the new instance to launch and make note of the IP address from within the EC2 Dashboard.

(Screenshot callout: Choose Existing SG.)


2.3 Testing and Troubleshooting

From the on-premises server Command Prompt, use ping and / or tracert to verify connectivity. If successfully connected, ping will respond with a reply from the AWS instance. Tracert should complete the trace without timing out.

If connectivity tests fail, use the following troubleshooting tips:

Ensure Virtual Interfaces, VPC and subnet are in the Available state.
Ensure the VGW is in the Attached state.
Check to see if non-AWS firewalls are restricting traffic using a port query tool.
Review Security Group and ACL rules to ensure they are allowing traffic.
Review tracert output and AWS Route table configuration to look for routing issues.
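Reading a long tracert by eye is error-prone, and the last hop that still answers is the fact that decides which of the tips above applies. The added Python script below (written for this guide, not CDT tooling and not part of the original document) parses Windows ping and tracert output, finds the last responding hop, and maps the result onto the checks listed above. All of the output it parses is constructed sample text, not a capture from a real CPI link; the addresses, including the 169.254.x.x hop, are placeholders.

```python
import re
from typing import List, Optional, Tuple

# Constructed Windows tracert/ping output for a failing test (placeholder addresses).
TRACERT_FAIL = """\
Tracing route to 10.250.1.10 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.1.1.1
  2     2 ms     2 ms     3 ms  10.1.0.254
  3     9 ms     8 ms     9 ms  169.254.10.1
  4     *        *        *     Request timed out.
  5     *        *        *     Request timed out.
"""
PING_FAIL = """\
Pinging 10.250.1.10 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
"""

# Constructed output for a working test.
TRACERT_OK = """\
Tracing route to 10.250.1.10 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  10.1.1.1
  2     2 ms     2 ms     3 ms  10.1.0.254
  3     9 ms     8 ms     9 ms  169.254.10.1
  4    12 ms    11 ms    12 ms  10.250.1.10

Trace complete.
"""
PING_OK = """\
Pinging 10.250.1.10 with 32 bytes of data:
Reply from 10.250.1.10: bytes=32 time=12ms TTL=120
Reply from 10.250.1.10: bytes=32 time=11ms TTL=120
Reply from 10.250.1.10: bytes=32 time=13ms TTL=120
Reply from 10.250.1.10: bytes=32 time=12ms TTL=120
"""

# hop number, three probe results ("<1 ms", "12 ms" or "*"), then the host or
# the "Request timed out." text.
HOP_LINE = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+ ms|\*)\s+){3})(.+?)\s*$")


def parse_tracert(text: str) -> List[Tuple[int, Optional[str]]]:
    """Return (hop, host) pairs; host is None when all three probes timed out."""
    hops = []
    for line in text.splitlines():
        m = HOP_LINE.match(line)
        if not m:
            continue
        probes = m.group(2).split()
        timed_out = all(p == "*" for p in probes)
        hops.append((int(m.group(1)), None if timed_out else m.group(3)))
    return hops


def last_responding_hop(hops) -> Optional[Tuple[int, str]]:
    """The last hop that answered before the trace went silent, or None."""
    answered = [(n, h) for n, h in hops if h is not None]
    return answered[-1] if answered else None


def summarize_ping(text: str) -> dict:
    """Count replies and timeouts in Windows ping output."""
    return {
        "replies": len(re.findall(r"^Reply from ", text, re.M)),
        "timeouts": len(re.findall(r"^Request timed out\.", text, re.M)),
    }


def diagnose(tracert_text: str, ping_text: str) -> str:
    """Map the output onto the guide's troubleshooting tips."""
    hops = parse_tracert(tracert_text)
    ping = summarize_ping(ping_text)
    if ping["replies"] and hops and hops[-1][1] is not None:
        return "connected"
    last = last_responding_hop(hops)
    if last is None:
        return "no hop responded: check the on-premises default route and local firewall"
    return (f"trace stops after hop {last[0]} ({last[1]}): check the route table for a "
            "propagated route, the VGW attachment, and Security Group / NACL ICMP rules")


if __name__ == "__main__":
    print(diagnose(TRACERT_FAIL, PING_FAIL))
    print(diagnose(TRACERT_OK, PING_OK))
```

For the constructed failing capture the script reports that the trace stops after hop 3, the point where the packets would leave the on-premises side; for the working capture it reports "connected". Pasting real command output into the two string constants (or reading it from a file) gives the same summary for an actual test.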

2.4 Stop and Terminate Instance

Once you have verified your connectivity, remember to stop and terminate your instance.

From the console, select EC2, select Instances then choose your instance from the list. With the instance selected, in the Actions drop down select Instance State, then Stop. Click the Yes, Stop button to confirm. Once the instance shows the status of stopped, choose Terminate from the Actions / Instance State menu. Then click the Yes, Terminate button to confirm.