AWS instances, by default, cannot connect to private campus networks. AWS VPN allows a secure connection from instances to U-M campus private networks. The VPN consists of two tunnels for automatic failover to avoid access interruption to your AWS VPC. By design, only one tunnel is active at a time, with the other being a standby tunnel which becomes active if the other tunnel goes down. See Example:Cisco ASA Device in AWS.
AWS charges $0.05 per VPN Connection-hour
Request AWS VPN
AWS Internet Access
Our VPN to AWS only provides access to U-M campus private networks. There are two ways to access the internet via AWS's Internet Gateway:
- Use a public IP address, which allows outbound traffic to the internet and inbound traffic from the internet to an instance.
- Use a Network Address Translation (NAT) gateway, which enables an instance in a private subnet to access the internet without attaching a public IP to the instance.
Troubleshooting AWS VPN
The most common AWS VPN issue is the VPN tunnel going down due to idle timeout (no traffic has passed through the VPN tunnel for about 10 seconds). To bring the connection back, generate traffic to the instance from a campus network (e.g., ping the instance). See AWS VPN Connections for more information.
Another issue is caused by asymmetric routing when users on campus try to access an instance in AWS behind the VPN using its public IP. On campus, private routes take precedence over the default internet route, so traffic destined for an instance's public IP will be delivered, but the return traffic will go over the VPN tunnel and be dropped. We recommend using private IPs to connect from campus. Additionally, we can work with Hostmaster to set up split-view DNS.
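The asymmetric-routing case above, simulated with longest-prefix-match lookups over a campus route table and a VPC route table. This is an added example, not code from the U-M page; all addresses and route entries are constructed placeholders, and the real campus and VPC ranges differ.

```python
import ipaddress

# Constructed, hypothetical route tables for illustration only.
CAMPUS_ROUTES = [                      # campus-side routing: longest prefix wins
    ("10.10.0.0/16", "vpn"),           # AWS VPC private range, reached over the VPN
    ("0.0.0.0/0", "internet"),         # default route to the public internet
]
VPC_ROUTES = [                         # AWS VPC route table for the instance's subnet
    ("10.10.0.0/16", "local"),         # the VPC itself
    ("10.224.0.0/16", "vpn"),          # campus private network via the virtual private gateway
    ("0.0.0.0/0", "internet"),         # Internet Gateway (public IP / NAT gateway path)
]


def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, path in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, path)
    return best[1] if best else None


def trace(campus_ip, target_ip):
    """Return (forward path, return path) for a campus host reaching target_ip.

    The instance answers from its private IP, and the VPC route table picks the
    return path from the campus host's address alone, regardless of how the
    request arrived. That is what makes the two directions diverge."""
    return lookup(CAMPUS_ROUTES, target_ip), lookup(VPC_ROUTES, campus_ip)


def is_asymmetric(campus_ip, target_ip):
    """True when request and reply take different paths (the dropped-reply case)."""
    forward, back = trace(campus_ip, target_ip)
    return forward != back


if __name__ == "__main__":
    campus_host = "10.224.5.7"                       # constructed campus address
    # Reaching the instance's public IP: request via the internet, reply over the VPN.
    print(trace(campus_host, "203.0.113.10"), is_asymmetric(campus_host, "203.0.113.10"))
    # Reaching the instance's private IP: both directions use the VPN.
    print(trace(campus_host, "10.10.1.20"), is_asymmetric(campus_host, "10.10.1.20"))
```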
AWS Compatible Networks
A List of U-M Private Networks allowed through VPN has been compiled. Check the list to see if a network will work with AWS.