How to configure multiple Astaro/Sophos UTMs to work with Amazon VPC (AWS VPN CloudHub)


This tutorial will show you how to configure multiple Astaro/Sophos UTMs with an Amazon Web Services (AWS) Virtual Private Cloud (VPC), taking advantage of Amazon's CloudHub architecture.


For this tutorial we will work with a company that has offices in Los Angeles, Chicago, New York and Miami. Each of these offices has an Astaro/Sophos Unified Threat Management (UTM) unit running v8.3 or higher. We will assume that the VPC has already been created and that the appropriate security groups and routing tables for the Amazon VPC are established.

Establishing the first connection

Before we start, let's clarify some of the terms and descriptions that Amazon uses to define a VPN connection.

Components of a VPN

If you plan to have a VPN connection between your VPC and home network, you need to be familiar with the following concepts.

VPN Connection

An Amazon VPC VPN connection is a connection between your VPC and your data center, home network, or co-location facility. A VPN connection has two endpoints (or anchors): a customer gateway (your gateway) and VPN gateway (our gateway).

Virtual Private Gateway

An Amazon VPC virtual private gateway is the Amazon side of a VPN connection that maintains connectivity. The virtual private gateway interconnects your VPC (via an attachment) and your customer gateway (via a VPN connection).

Customer Gateway

An Amazon VPC customer gateway is your side of a VPN connection that maintains connectivity. The customer gateway can be either a physical device or software appliance. The internal interfaces of the customer gateway connect to your data center and the external interfaces connect to the VPN connection, which leads to the virtual private gateway in the AWS cloud.

VGW Attachment

An Amazon VPC virtual private gateway attachment is the connection between the virtual private gateway and the VPC. 


The following diagrams illustrate single and multiple VPN configurations using the preceding components in your VPC. The VPC has a virtual private gateway attached, and your home network includes a customer gateway, which you must configure to enable the VPN connection. You set up the routing so that any traffic from the VPC bound for your home network is routed to the virtual private gateway.

When you create multiple VPN connections to a single VPC, you can configure a second customer gateway to create a redundant connection to the same external location. You can also use it to create VPN connections to multiple geographic locations. This is what we will be doing later in the tutorial.

Creating the Virtual Private Gateway and attaching it to the VPC

The first step is to create your Virtual Private Gateway (VPG). This is the gateway on the Amazon side of the connection, and it attaches to the VPC.


  1. On your AWS Management Console select the VPC and on the Navigation pane (left side) select Virtual Private Gateway.

  2. Click on the button that says "Create Virtual Private Gateway". This will open a dialogue asking for confirmation; click on the "Yes, Create" button.

  3. Once it is created, select the VPG, click on the button that says "Attach to VPC" and attach it to your VPC. Once this is done you will have a VPG attached to your VPC as shown below.

Creating the Customer Gateway

The next step is to create the Customer Gateway (CG). The CG sits on the customer's side of the VPN connection. There are a few restrictions with this connection. The CG has to have a static IP address, and currently configuration files for only a few UTM devices are supported (Astaro/Sophos is one of them). It is also important not to use the VPC Wizard to create this connection, because the VPC Wizard uses a standard Border Gateway Protocol (BGP) Autonomous System Number (ASN) of 65000 for all CGs created by it. This will cause problems when using multiple CGs, as we are going to do later in this tutorial.


  1. On the AWS Management Console go to the VPC and on the Navigation pane (left side) select Customer Gateways.

  2. Click on the button that says Create Customer Gateway.

  3. The Create Customer Gateway dialogue appears, asking you for the BGP ASN. For the very first CG that you create you can leave it at 65000; you will need to use unique BGP ASNs for all other CGs.

  4. Enter the unique static IP address for the CG. This will typically be the External Address on your UTM.

  5. Click on the Yes, Create button. Once this is done you will have your CG created. The example below shows several CGs created.
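
A pre-flight check for the customer gateway plan, as an added example that is not part of the original tutorial: it rejects a plan in which two CGs share a BGP ASN (the VPC Wizard behaviour described above) or a static IP, and otherwise builds the matching AWS CLI `create-customer-gateway` commands. The names `SITES`, `validate_plan` and `cli_commands` are hypothetical, the IP addresses are constructed documentation-range placeholders, and the private ASN range check assumes no site owns a public ASN.

```python
import ipaddress
from collections import Counter

# 16-bit private-use ASN range (RFC 6996). Assumption: no site owns a public ASN.
PRIVATE_ASN = range(64512, 65535)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample plan: (site, UTM external IP, BGP ASN). The addresses are
# documentation-range placeholders, not real gateways.
SITES = [
    ("Los Angeles", "203.0.113.10", 65000),
    ("Chicago", "203.0.113.20", 65001),
    ("New York", "198.51.100.30", 65002),
    ("Miami", "198.51.100.40", 65003),
]

def validate_plan(sites):
    """Return a list of problems; an empty list means the plan is usable."""
    problems = []
    asn_seen = Counter(asn for _, _, asn in sites)
    ip_seen = Counter(ip for _, ip, _ in sites)
    for name, ip, asn in sites:
        try:
            addr = ipaddress.IPv4Address(ip)
        except ValueError:
            problems.append(f"{name}: {ip!r} is not a valid IPv4 address")
            continue
        if any(addr in net for net in RFC1918):
            problems.append(f"{name}: {ip} is RFC 1918 space, not an external address")
        if ip_seen[ip] > 1:
            problems.append(f"{name}: IP {ip} is used by more than one CG")
        if asn not in PRIVATE_ASN:
            problems.append(f"{name}: ASN {asn} is outside 64512-65534")
        if asn_seen[asn] > 1:
            problems.append(f"{name}: ASN {asn} is shared with another CG")
    return problems

def cli_commands(sites):
    """Build one create-customer-gateway command per site, or refuse the plan."""
    problems = validate_plan(sites)
    if problems:
        raise ValueError("; ".join(problems))
    return [f"aws ec2 create-customer-gateway --type ipsec.1 "
            f"--public-ip {ip} --bgp-asn {asn}" for _, ip, asn in sites]

if __name__ == "__main__":
    print("\n".join(cli_commands(SITES)))
```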

Creating the VPN Tunnel

The VPN Tunnel, or in Amazon terms the VPN Connection (VC), is the connection between the VPG on Amazon's side and the CG on the customer's side.

  1. On the AWS Management Console go to the VPC and on the Navigation pane (left side) select VPN Connections.

  2. Click on Create VPN Connections. This will open the Create VPN Connections dialogue.

  3. The Create VPN Connections dialogue asks for two things: the VPG (on Amazon's side) and the CG (on the customer's side). Select the VPG and CG that we just created and click the Yes, Create button. Once you are done you will see the VC you just created. In this example there are already several created.

Creating the Astaro/Sophos UTM Site-to-Site VPN

Now that we have created our infrastructure on the AWS side, we need to create and then establish the connection on the UTM side. This part is pretty straightforward, but I have changed a few things based on my own experience. It is also important to publish the routes for the internal network via BGP, which we will show you below.


  1. Go to your UTM and login as admin.

  2. On the left side select Site-to-Site VPN and then select Amazon VPC.

  3. Click on the Setup tab.

  4. Here is where we differ from the original Astaro instructions. We have found that downloading the configuration file sometimes does not work, so we prefer to configure via "import Amazon Credentials". To get your credentials go to https://aws-portal.amazon.com/gp/aws/securityCredentials. You will need to log on; from there you will be able to get your Access Key ID and your Secret Access Key. Once you have that information, enter it in the respective fields of the Site-to-Site VPN Setup tab.

  5. Click the Apply button. After a few moments you will get a confirmation that the tunnel has been created. Click on the Status tab to see the tunnels. There should be 2 tunnels created. Please be patient, as it may take up to 10 minutes for the connection to be established. Once the connection is established you should see a screen similar to the one below.









Last updated on June 12, 2012 by CompuTrain User