Setup
On the Site-to-site VPN > Amazon VPC > Setup page you add connections to your Amazon Virtual Private Cloud (VPC). You can either import all connections configured with one Amazon Web Service (AWS) account and using the IP address of your Sophos UTM as Customer Gateway (Amazon term for your endpoint of a VPC VPN connection). Or you add connections one by one using the configuration file which you can download from Amazon.
Import Via Amazon Credentials
You can import all connections configured within your VPC and use the IP address of your Sophos UTM as the Customer Gateway. You will need to create AWS access keys and secret keys to import the configuration.
Note – For more information, see the AWS Documentation.
Note – All existing connections listed in the Status tab will be deleted during the import.
The key pair you are required to enter for the import must belong to an AWS user with sufficient privileges. You can use the predefined policy AmazonVPCReadOnlyAccess. Alternatively, create a policy with the following set of permissions:
-
ec2:DescribeVpnConnections
-
ec2:DescribeVpcs
-
ec2:DescribeVpnGateways
To import connections, proceed as follows:
-
Specify the following settings:
Access key: Enter the Amazon Access Key ID. It is a 20-character, alphanumeric sequence.
Secret key: Enter the Secret Access Key. It is a 40-character sequence.
-
Click Apply.
The connections are imported and subsequently displayed on the Status page.
Import Via Amazon Configuration
To add a single connection to the existing list of connections you have to upload the configuration file of the respective connection.
To import a single connection, proceed as follows:
-
Download the configuration file of your Amazon VPC connection.
In Amazon's download dialog make sure to select Sophos from the Vendor drop-down list.
-
Open the Upload file dialog window.
Click the Folder icon next to the VPC config file box.
-
Select the configuration file and upload it.
To upload the selected file click the button Start Upload.
The filename is displayed in the VPC config file field.
-
If you use static routing, enter the remote network.
The remote network is not part of the configuration file. Therefore you need to enter it separately into the Remote network field, e.g. 10.0.0.0/8. This field is only important if you have configured the use of static routing instead of dynamic routing in Amazon VPC.
-
Click Apply.
The connection is imported and subsequently displayed on the Status page.
Route Propagation
You can configure networks which are being pushed in route propagation enabled routing tables in the Amazon VPC.
To select local networks, proceed as follows:
-
Add local networks.
Add or select a local network that should be pushed in route propagation. How to add a definition is explained on the Definitions & Users > Network Definitions > Network Definitions page.
-
Click Apply.
The route propagation networks are applied.