# Site-to-Site VPN Tunnel

### Connect self-hosted software via site-to-site VPN

Allow Violet to connect directly to your self-hosted software tools by establishing a site-to-site Virtual Private Network (VPN) tunnel. This provides a secure, encrypted, point-to-point connection that masks your IP address. Site-to-site VPNs use the IPsec protocol to encrypt traffic in transit.

The following instructions describe setup for a site-to-site VPN with a VioletGov instance (AWS GovCloud-hosted).

#### Step 1. Exchange information

**First, provide the following to your Violet point of contact:**

* Public static IP of your VPN device (must not be behind NAT)
* Your ASN (if using BGP) or the list of internal CIDR blocks (if static routing)

**Violet will provide the following:**

* AWS public IP(s) of the VPN tunnel endpoints (2 tunnels, redundant)
* Pre-Shared Keys (one per tunnel)
* Inside tunnel IP addresses (for BGP or static routing)
* AWS ASN (default 64512 unless overridden)
* VPC CIDR ranges

Note: your external firewall must allow UDP 500, UDP 4500 and ESP (IP protocol 50) to and from your VPN device (see the AWS GovCloud Minimum Requirements section below for more information).

***

#### Step 2. VPN tunnel creation

First, the Violet team will:

1. Create a **Customer Gateway** object (pointing to your public IP and ASN)
2. Create a **VPN Gateway** (VGW) or use a **Transit Gateway** attached to the VPC
3. Create a **VPN Connection** between the VGW/TGW and the Customer Gateway
4. Share the **VPN configuration file** (XML or text) that AWS generates, tailored to common vendors (Cisco, Palo Alto, Fortinet, etc.)

***

#### Step 3. Configure your device

Next, you'll need to configure your device (firewall/router) as follows:

* Import or manually configure the two tunnels using the AWS-provided IPs, PSKs, and parameters.
* Make sure the encryption domain (your internal CIDR blocks) matches what was agreed in Step 1.
* Configure either:
  * **BGP**: advertise your prefixes and accept AWS’s VPC CIDRs.
  * **Static routes**: add AWS VPC CIDRs into the VPN crypto ACLs.

***

#### Step 4. Verification

The connection should now be ready to be tested and verified. To do this:

* Ping between internal subnets
* Confirm that each tunnel shows as **UP** on your device
* Test failover by bringing down one tunnel (AWS maintains two for redundancy)

***

#### Additional Resources

<details>

<summary>AWS GovCloud Minimum Requirements</summary>

GovCloud requires stronger cryptography than commercial AWS. Minimum requirements are as follows:

* **IKE (Phase 1)**
  * AES-128 or AES-256
  * SHA-256 or stronger (SHA-1 not allowed)
  * DH Group 14 (2048-bit) or higher
  * Lifetime: 28,800s (8h)
* **IPsec (Phase 2)**
  * AES-128 or AES-256
  * SHA-256 or stronger
  * PFS (DH Group 14+) required
  * Lifetime: 3,600s (1h)
* **Ports/protocols:** UDP 500 (IKE), UDP 4500 (IKE with NAT traversal) and IP protocol 50 (ESP) - the UDP ports carry the key exchange with the AWS tunnel endpoints, and ESP carries the encrypted tunnel traffic itself

</details>
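As an added check, the following script (not part of the original page or of any vendor's tooling) validates a proposed Phase 1/Phase 2 configuration against the GovCloud minimums listed above before you commit it to your device. The `Proposal` fields, the reading of "Group 14 or higher" as any group of at least 2048-bit MODP strength or ECP, and the sample values are assumptions made for this example.

```python
"""Added example: checks IKE/IPsec proposals against the GovCloud minimums above.
Parameter names and sample values are constructed for illustration, not output
from any vendor's CLI or from AWS."""
from dataclasses import dataclass

ALLOWED_ENC = {"aes128", "aes256"}               # AES-128 or AES-256
ALLOWED_HASH = {"sha256", "sha384", "sha512"}    # SHA-256 or stronger (no SHA-1/MD5)
# Assumption: "Group 14 or higher" means groups of at least 2048-bit MODP strength
# or ECP: 14-18 (2048- to 8192-bit MODP), 19-21 (ECP), 23-24 (2048-bit MODP).
# Groups 1, 2, 5 (<= 1536-bit) and 22 (1024-bit MODP) are rejected.
ALLOWED_DH = set(range(14, 22)) | {23, 24}
# Assumption: the listed lifetimes are upper bounds (8h Phase 1, 1h Phase 2).
MAX_LIFETIME = {"ike": 28800, "ipsec": 3600}


@dataclass
class Proposal:
    phase: str        # "ike" (Phase 1) or "ipsec" (Phase 2)
    encryption: str   # e.g. "aes256"
    integrity: str    # e.g. "sha256"
    dh_group: int     # IKE DH group, or PFS group for IPsec (0 = PFS disabled)
    lifetime: int     # SA lifetime in seconds


def check_proposal(p: Proposal) -> list[str]:
    """Return violations of the minimums; an empty list means the proposal passes."""
    problems = []
    if p.encryption not in ALLOWED_ENC:
        problems.append(f"{p.phase}: encryption {p.encryption!r} is not AES-128/256")
    if p.integrity not in ALLOWED_HASH:
        problems.append(f"{p.phase}: integrity {p.integrity!r} is weaker than SHA-256")
    if p.dh_group not in ALLOWED_DH:
        label = "PFS group" if p.phase == "ipsec" else "DH group"
        problems.append(f"{p.phase}: {label} {p.dh_group} is below DH group 14 (2048-bit)")
    if p.lifetime > MAX_LIFETIME[p.phase]:
        problems.append(f"{p.phase}: lifetime {p.lifetime}s exceeds {MAX_LIFETIME[p.phase]}s")
    return problems


if __name__ == "__main__":
    # Constructed sample: a legacy proposal (SHA-1, group 2, PFS off, 24h IKE SA)
    # beside one that meets the GovCloud minimums.
    weak = (check_proposal(Proposal("ike", "aes256", "sha1", 2, 86400))
            + check_proposal(Proposal("ipsec", "aes256", "sha1", 0, 3600)))
    good = (check_proposal(Proposal("ike", "aes256", "sha256", 14, 28800))
            + check_proposal(Proposal("ipsec", "aes256", "sha256", 14, 3600)))
    print("\n".join(weak) or "no violations")
    print("compliant proposal passes:", not good)
```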
