Site-to-Site VPN Tunnel

Connect self-hosted software via site-to-site VPN

Allow Violet to connect directly to your self-hosted software tools by establishing a site-to-site Virtual Private Network (VPN) tunnel. This provides an encrypted, authenticated connection between Violet's VPC and your network, so traffic to your tools never crosses the public internet in the clear and your internal addresses are not exposed to it. Site-to-site VPNs use the IPsec protocol to encrypt and authenticate data.

The following instructions describe setup for a site-to-site VPN with a VioletGov instance (AWS GovCloud-hosted).

Step 1. Exchange information

First, provide the following to your Violet point of contact:

  • Public static IP of your VPN device (must not be behind NAT)

  • Your ASN (if using BGP) or the list of internal CIDR blocks (if static routing)

Violet will provide the following:

  • AWS public IP(s) of the VPN tunnel endpoints (2 tunnels, redundant)

  • Pre-Shared Keys (one per tunnel)

  • Inside tunnel IP addresses (for BGP or static routing)

  • AWS ASN (default 64512 unless overridden)

  • VPC CIDR ranges

Note: your external firewall must allow UDP 500, UDP 4500 and IP protocol 50 (ESP) between your VPN device and the AWS tunnel endpoints (see the AWS GovCloud Minimum Requirements section below for details).


Step 2. VPN tunnel creation

First, the Violet team will:

  1. Create a Customer Gateway object (pointing to your public IP and ASN)

  2. Create a VPN Gateway (VGW) or use a Transit Gateway attached to the VPC

  3. Create a VPN Connection between the VGW/TGW and the Customer Gateway

  4. Share the VPN configuration file (XML or text) that AWS generates, tailored to common vendors (Cisco, Palo Alto, Fortinet, etc.)


Step 3. Configure your device

Next, you'll need to configure your device (firewall/router) as follows:

  • Import or manually configure the two tunnels using the AWS-provided IPs, PSKs, and parameters.

  • Make sure the encryption domain (your internal CIDR blocks on one side, the AWS VPC CIDRs on the other) matches what was agreed in Step 1.

  • Configure either:

    • BGP: advertise your internal prefixes and accept the AWS VPC CIDRs.

    • Static routes: add the AWS VPC CIDRs to the tunnel's crypto ACLs (traffic selectors) and route them via the tunnel.


Step 4. Verification

The connection should now be ready to be tested and verified. To do this:

  • Ping between internal subnets

  • Confirm that your tunnel shows as UP on your device

  • Test failover by bringing down one tunnel and confirming traffic continues over the other (AWS maintains two for redundancy)


Additional Resources

AWS GovCloud Minimum Requirements

GovCloud requires stronger cryptography than commercial AWS. Minimum requirements are as follows:

  • IKE (Phase 1)

    • AES-128 or AES-256

    • SHA-256 or stronger (SHA-1 not allowed)

    • DH Group 14 (2048-bit) or higher

    • Lifetime: 28,800s (8h) maximum; shorter is fine

  • IPsec (Phase 2)

    • AES-128 or AES-256

    • SHA-256 or stronger

    • PFS (DH Group 14+) required

    • Lifetime: 3,600s (1h) maximum; shorter is fine

  • Ports/protocols: UDP 500 (IKE key exchange), UDP 4500 (IKE and ESP with NAT traversal), IP protocol 50 (ESP, carries the encrypted traffic)
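As an added example (not from the original page and not Violet's own tooling), the following Python checker reads the configuration file AWS generates in Step 2 and flags any tunnel whose IKE or IPsec proposals fall below the minimums listed above. It is worth running before you apply the file in Step 3, because the AWS generic download can list weaker legacy values than GovCloud requires. Element names follow the AWS "Generic" vendor XML download, and the value spellings (aes-128-cbc, sha1, group2, hmac-sha1-96) are assumed from that format; the two-tunnel document embedded below is constructed sample input, and the IP addresses in it are documentation ranges, not real endpoints.

```python
"""Audit an AWS-generated Site-to-Site VPN config against the GovCloud minimums.

Assumptions (not taken from the page): element names and value spellings follow
the AWS 'Generic' vendor XML download as the author recalls them; SAMPLE_XML is
a constructed two-tunnel document, not a real download.
"""
import re
import xml.etree.ElementTree as ET

# Minimums from the requirements list above.
MIN_DH_GROUP = 14                        # 2048-bit MODP or stronger
MIN_HASH_BITS = 256                      # SHA-256 or stronger; SHA-1 (160 bits) rejected
ALLOWED_AES_BITS = {128, 256}
MAX_LIFETIME = {"ike": 28800, "ipsec": 3600}   # seconds; AWS-side maxima


def hash_bits(name: str) -> int:
    """'sha1' -> 160, 'hmac-sha1-96' -> 160, 'sha2-256' -> 256, 'hmac-sha2-512-256' -> 512."""
    n = name.lower().replace("hmac-", "")
    if n.startswith(("sha1", "sha-1")):
        return 160
    m = re.match(r"sha2?-?(\d{3})", n)
    return int(m.group(1)) if m else 0


def aes_bits(name: str) -> int:
    """'aes-128-cbc' -> 128, 'aes256-gcm-16' -> 256, anything non-AES -> 0."""
    m = re.match(r"aes-?(\d{3})", name.lower())
    return int(m.group(1)) if m else 0


def dh_group(name: str) -> int:
    """'group14' -> 14; 'none' or unparseable -> 0 (fails the PFS check)."""
    m = re.search(r"(\d+)", name)
    return int(m.group(1)) if m else 0


def check_phase(phase: ET.Element, kind: str) -> list[str]:
    """Return findings for one <ike> or <ipsec> element; an empty list means compliant."""
    enc = phase.findtext("encryption_protocol", "")
    auth = phase.findtext("authentication_protocol", "")
    pfs = phase.findtext("perfect_forward_secrecy", "")
    lifetime = int(phase.findtext("lifetime", "0"))
    findings = []
    if aes_bits(enc) not in ALLOWED_AES_BITS:
        findings.append(f"{kind}: encryption {enc!r} is not AES-128/256")
    if hash_bits(auth) < MIN_HASH_BITS:
        findings.append(f"{kind}: integrity {auth!r} is weaker than SHA-256")
    if dh_group(pfs) < MIN_DH_GROUP:
        findings.append(f"{kind}: DH/PFS {pfs!r} is below group 14")
    if not 0 < lifetime <= MAX_LIFETIME[kind]:
        findings.append(f"{kind}: lifetime {lifetime}s exceeds {MAX_LIFETIME[kind]}s")
    return findings


def audit(xml_text: str) -> dict[str, list[str]]:
    """Map each tunnel (keyed by its AWS outside address) to its list of findings."""
    root = ET.fromstring(xml_text)
    report = {}
    for tunnel in root.iter("ipsec_tunnel"):
        aws_ip = tunnel.findtext("./vpn_gateway/tunnel_outside_address/ip_address", "?")
        report[aws_ip] = (check_phase(tunnel.find("ike"), "ike")
                          + check_phase(tunnel.find("ipsec"), "ipsec"))
    return report


def tunnel_xml(aws_ip, enc, ike_auth, ipsec_auth, group):
    """Build one constructed <ipsec_tunnel> fragment for the sample document."""
    return f"""
  <ipsec_tunnel>
    <vpn_gateway><tunnel_outside_address><ip_address>{aws_ip}</ip_address></tunnel_outside_address></vpn_gateway>
    <ike><encryption_protocol>{enc}</encryption_protocol><authentication_protocol>{ike_auth}</authentication_protocol>
         <perfect_forward_secrecy>{group}</perfect_forward_secrecy><lifetime>28800</lifetime></ike>
    <ipsec><protocol>esp</protocol><encryption_protocol>{enc}</encryption_protocol>
           <authentication_protocol>{ipsec_auth}</authentication_protocol>
           <perfect_forward_secrecy>{group}</perfect_forward_secrecy><lifetime>3600</lifetime></ipsec>
  </ipsec_tunnel>"""


# Constructed sample: tunnel 1 meets the minimums, tunnel 2 carries legacy values.
SAMPLE_XML = ("<vpn_connection>"
              + tunnel_xml("203.0.113.10", "aes-256-cbc", "sha2-256", "hmac-sha2-256-128", "group14")
              + tunnel_xml("198.51.100.20", "aes-128-cbc", "sha1", "hmac-sha1-96", "group2")
              + "\n</vpn_connection>")

if __name__ == "__main__":
    for ip, findings in audit(SAMPLE_XML).items():
        print(f"tunnel {ip}: {'OK' if not findings else 'NOT COMPLIANT'}")
        for f in findings:
            print("  -", f)
```

To run it against a real download, replace `SAMPLE_XML` with the contents of the file Violet shares in Step 2; any tunnel that reports findings needs its proposals raised on both sides before Step 3, since the device will happily negotiate whatever the file says.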
