Mike Pennington

Reputation: 43107

AWS IP address to use in terraform IPSec tunnels (via Transit Gateway)

I'm trying to build an AWS terraform IPSec VPN config. However, I can't remember where to find the AWS IPSec IP address; the terraform cgw documentation says the ip_address field is required.

The answer should assume the VPN will be attached to my AWS Transit Gateway.

My terraform:

resource "aws_customer_gateway" "cgw-abbv-for-local-and-remote" {
  bgp_asn    = 65001
  ip_address = "A.B.C.D"   #<-- I need this IP before terraform apply
  type       = "ipsec.1"

  tags = {
    Name        = "insert-cgw-name-here"
  }
}

resource "aws_vpn_connection" "vpn-abbv-for-local-and-remote" {
  customer_gateway_id = aws_customer_gateway.cgw-abbv-for-local-and-remote.id
  transit_gateway_id  = aws_ec2_transit_gateway.my-tgw-name.id
  type                = aws_customer_gateway.cgw-abbv-for-local-and-remote.type

  tags = {
    Name        = "insert-vpn-name-here"
  }
}

Upvotes: 3

Views: 863

Answers (3)

Martin Löper

Reputation: 6649

Seems like OP already found the answer, but let me add my two cents since I spent a lot of time figuring things out when it comes to AWS VPN two years ago in order to pass the AWS Advanced Networking cert. This could potentially turn out useful for folks that are new to VPN - especially in the AWS ecosystem:

There is a fantastic book called AWS Certified Advanced Networking Official Study Guide which I would recommend everyone in a cloud network engineer role to read. [1]

It points out the following:

  • After you create a VPN connection, the VPN tunnel activates when traffic is generated from your side of the VPN connection. The VGW is not the initiator; your customer gateway must initiate the tunnels. If your VPN connection experiences a period of idle time (usually 10 seconds, depending on your configuration), the tunnel may go down. This is because AWS uses an on-demand DPD mechanism. If AWS receives no traffic from a VPN peer for 10 seconds, AWS sends a DPD “R-U-THERE” message. If the VPN peer does not respond to three successive DPDs, the VPN peer is considered dead and AWS closes the tunnel. [pp. 100, 101]

  • At the non-AWS end of a VPN connection, the VPN is terminated on a customer gateway. A customer gateway is the AWS term for the VPN termination device at the customer’s on-premises end. A customer gateway can also be hosted in AWS as an EC2 instance running VPN software that meets the requirements given in the next section. Most customers don’t require the purchase of an additional device and can reuse an existing on-premises VPN termination device to create a tunnel to a VPC. [p. 110]

  • You can use any third-party VPN device that supports Layer 3 VPN technologies. AWS does not support Layer 2 VPN technologies. IPsec is used for the VGW at the AWS end of VPN termination, and so the IPsec protocol must be supported by your VPN device. You will set up two VPN tunnels per VGW. Support for BGP routing protocol is optional but recommended for advanced routing capabilities. Other routing protocols like Open Shortest Path First (OSPF) are not supported by AWS. You must ensure that you have opened the right ports in your on-premises firewall for the IPsec traffic to flow. [p. 111]
    That is in particular: both ends of the VPN connection must possess a public IP address!

If you didn't already, I really really recommend skimming through these pages to be aware of best practices and the AWS way of thinking when it comes to (hybrid) cloud architectures. You avoid getting confused afterwards if things don't go the way you wanted. IPSec (i.e. Layer-3) VPNs are harder to get right than most people think. One should be aware of all the routing- and security-relevant stuff such as: IKE, SAs, policy-based routing, NAT traversal, ISAKMP etc. [see also p. 97: VPN Features -> Security & Routing sections].

Another good reference is the AWS Site-to-Site VPN guide (PDF). [2]

Also good to know: Many terraform attributes can also be found in the AWS CloudFormation docs. The docs for the AWS::EC2::CustomerGateway resource's IpAddress attribute state [3]:

The Internet-routable IP address for the customer gateway's outside interface. The address must be static.

[1] https://www.programmer-books.com/wp-content/uploads/2019/04/AWS-Certified-Advanced-Networking-Official-Study-Guide.pdf
[2] https://docs.aws.amazon.com/vpn/latest/s2svpn/s2s-vpn-user-guide.pdf
[3] https://docs.aws.amazon.com/de_de/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-customer-gateway.html#cfn-ec2-customergateway-ipaddress

Upvotes: 2

David Webster

Reputation: 2321

The ip_address for the Customer Gateway is the IP of the physical appliance/router sitting on-premises in the customer's data center. You need this ip_address to establish a VPN connection. The AWS docs help when you get lost in terraform as well.

Upvotes: 1

Mike Pennington

Reputation: 43107

This is not very clear in the terraform documentation, but I found an example on the internet that clarified this question.

In short, the aws_customer_gateway config is not on the AWS side of the IPSec tunnel... these resources are "remote" with respect to AWS:


So in this case, the ip_address will be the destination ip address of AWS IPSec packets leaving the AWS Transit Gateway; the aws_customer_gateway ip_address is not owned by AWS.

Upvotes: 2
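As an added illustration (not code from the question or from any of the answers), here are the question's two resources reworked so that the customer-side address is a validated input and the AWS-side tunnel addresses, which only exist after apply, are exposed as outputs for the on-premises device. The variable and resource names, the 203.0.113.10 placeholder address and the DPD settings are my assumptions; `aws_ec2_transit_gateway.my-tgw-name` is the Transit Gateway resource referenced in the question.

```hcl
variable "onprem_vpn_public_ip" {
  description = "Static, Internet-routable outside address of the on-premises VPN device (assumed placeholder)."
  type        = string
  default     = "203.0.113.10" # RFC 5737 documentation address; replace with your real one

  validation {
    condition = (
      can(cidrnetmask("${var.onprem_vpn_public_ip}/32")) &&
      !can(regex("^(10\\.|192\\.168\\.|172\\.(1[6-9]|2[0-9]|3[01])\\.)", var.onprem_vpn_public_ip))
    )
    error_message = "ip_address must be a single public IPv4 address, not an RFC 1918 address."
  }
}

resource "aws_customer_gateway" "onprem" {
  bgp_asn    = 65001
  ip_address = var.onprem_vpn_public_ip # customer side of the tunnel: this address is yours, not AWS's
  type       = "ipsec.1"
  tags       = { Name = "onprem-cgw" }
}

# AWS side: attached to the Transit Gateway from the question.
resource "aws_vpn_connection" "onprem_to_tgw" {
  customer_gateway_id = aws_customer_gateway.onprem.id
  transit_gateway_id  = aws_ec2_transit_gateway.my-tgw-name.id
  type                = aws_customer_gateway.onprem.type

  # Re-initiate IKE from AWS after DPD declares the peer dead (the default action is "clear",
  # which leaves the tunnel down until the customer gateway initiates again).
  tunnel1_dpd_timeout_action = "restart"
  tunnel2_dpd_timeout_action = "restart"

  tags = { Name = "onprem-to-tgw" }
}

# The AWS-side outside IPs are only allocated at apply time; they are what the
# on-premises device must peer with. Read them with `terraform output`.
output "aws_tunnel_outside_addresses" {
  value = {
    tunnel1 = aws_vpn_connection.onprem_to_tgw.tunnel1_address
    tunnel2 = aws_vpn_connection.onprem_to_tgw.tunnel2_address
  }
}

output "aws_tunnel_preshared_keys" {
  sensitive = true # keep the PSKs out of plan/apply logs
  value = {
    tunnel1 = aws_vpn_connection.onprem_to_tgw.tunnel1_preshared_key
    tunnel2 = aws_vpn_connection.onprem_to_tgw.tunnel2_preshared_key
  }
}
```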
