Tutorial: Connect AWS VPC to CloudConnexa with IPsec using Transit Gateway
Configure an AWS Transit Gateway VPN between your VPC and CloudConnexa to enable scalable connectivity across multiple VPCs, including routing setup and tunnel configuration.
This tutorial walks you through setting up an IPsec tunnel between your AWS environment and CloudConnexa using a Transit Gateway.
You'll complete steps in both the AWS Console and the CloudConnexa Administration Portal. To make this easier to follow, each step is labeled with an icon:
☁️ AWS Console steps — performed in AWS
🔐 CloudConnexa steps — performed in CloudConnexa
Use this configuration when you need connectivity across multiple VPCs, shared services, or internet-bound traffic through CloudConnexa.
To complete this setup, you'll configure:
A Transit Gateway to act as a central routing hub.
A Transit Gateway attachment to connect your VPC.
A site-to-site VPN connection between AWS and CloudConnexa.
Routing tables for:
Your VPC subnets.
The Transit Gateway.
(Optional) A NAT Gateway for internet-bound traffic from private subnets.
Tunnel configuration using an AWS-generated configuration file.
Once configured, users and networks connected to CloudConnexa can securely access resources in your AWS environment.
Overview
In this setup, AWS Transit Gateway acts as a central routing hub that connects:
One or more VPCs.
Additional network resources.
Compared to a virtual private gateway, a Transit Gateway supports broader and more flexible connectivity.
When to use this setup
Use this configuration when you need connectivity across multiple VPCs or more advanced routing scenarios. If you only need a connection to a single VPC, refer to ???.
Before you begin
Ensure you have a CloudConnexa account and Cloud ID.
Ensure your AWS VPC and subnets are configured.
Ensure you have permissions to create AWS networking resources.
🔐 Step 1: Create a Network (CloudConnexa)
Navigate to Networks → Networks.
Click Add Network.
Select at least one Network Scenario. Refer to these tutorials for details:
Click Continue.
For the Network Configuration, enter a name and description (optional).
Select IPsec as the Connector Tunneling Protocol.
For the Connector, enter a name and description (optional).
Click Next.
🔐 Step 2: Select AWS as the platform (CloudConnexa)
In the Network Configuration Wizard, you'll begin configuring your AWS VPC.
2.1 Select the AWS platform
In Platform to Connect, select AWS. Refer to CloudConnexa Connectors and About Network Connectors.
Instructions will appear on how to configure IPsec connectivity with CloudConnexa.
Review the step-by-step guide.
Click Next.
2.2 Review AWS configuration details
CloudConnexa displays the values required for AWS configuration.
Note the following values from AWS Configuration Details:
Target Gateway
Virtual Private Gateway / Transit Gateway
Customer Gateway
Remote Gateway IP Address
Certificate ARN
Routing Options
Static IP Prefixes
You will use these values when configuring AWS resources.
☁️ Step 3: Configure AWS resources (AWS Console)
Set up the AWS components required for Transit Gateway-based VPN connectivity.
3.1 Create a Transit Gateway
Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
Navigate to Transit Gateways.
Click Create transit gateway.
Configure settings as needed.
Click Create transit gateway.
3.2 Create a site-to-site VPN connection
Navigate to Site-to-Site VPN connections.
Click Create VPN connection.
Configure:
Target gateway type: Select Transit gateway, and select the new transit gateway.
Customer gateway: Select New, and enter CloudConnexa values.
Routing options: Select Static.
For Static IP Prefixes, copy and paste the Static IP Prefixes displayed on the CloudConnexa Administration Portal's Connector Configuration page, as shown in AWS Configuration Details.
Note
The Static IP Prefixes include the Routes of all CloudConnexa Networks configured so far. If you add new Networks or Routes and want site-to-site networking with your VPC, you must update the Static IP Prefixes.
Click Create VPN connection.
3.3 Attach your VPC to the Transit Gateway
Navigate to Transit Gateway attachments.
Click Create transit gateway attachment.
Select the new transit gateway for the Transit gateway ID.
Configure your transit gateway attachment as needed for your VPC and subnets.
Click Create transit gateway attachment.
3.4 Create a NAT Gateway (for internet-bound traffic)
Navigate to NAT gateways.
Click Create NAT gateway.
Configure the NAT gateway for your VPC and associate it with an Elastic IP.
Click Create NAT gateway.
3.5 Configure VPC route tables
Configure the private subnet route table
This route table is used by resources that don't have direct internet access.
Navigate to Route tables.
Select the route table associated with your private subnet.
Click Edit routes.
Add the following routes:
Destination: 0.0.0.0/0 → Target: NAT Gateway
Destination: 100.96.0.0/11 (WPC Subnet) → Target: Transit Gateway
Note
This is the default WPC Subnet value. You can configure this under Settings → WPC in the CloudConnexa admin portal.
Destination: 100.80.0.0/12 (Domain Routing Subnet) → Target: Transit Gateway
Note
This is the default Domain Routing Subnet value. You can configure this under Settings → WPC in the CloudConnexa admin portal.
Click Save changes.
Configure the public subnet route table
This route table is used by resources that can access the internet directly.
Navigate to Route tables.
Select the route table associated with your public subnet.
Click Edit routes.
Ensure the following routes are present:
Destination: 100.96.0.0/11 (WPC Subnet) → Target: Transit Gateway
Note
This is the default WPC Subnet value. You can configure this under Settings → WPC in the CloudConnexa admin portal.
Destination: 100.80.0.0/12 (Domain Routing Subnet) → Target: Transit Gateway
Note
This is the default Domain Routing Subnet value. You can configure this under Settings → WPC in the CloudConnexa admin portal.
Click Save changes.
Tip
The public subnet typically has a route to an Internet Gateway for internet access. You don't need to modify this configuration for CloudConnexa connectivity.
3.6 Configure Transit Gateway route table
Navigate to Transit gateway route tables.
Click on the route table for your new transit gateway.
Click the Routes tab.
Create the following static routes:
0.0.0.0/0 (default route, points to the VPC resource)
100.96.0.0/11 (WPC Subnet, points to the VPN resource)
100.80.0.0/12 (Domain Routing Subnet, points to the VPN resource)
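As an added example (not part of the CloudConnexa tutorial), the following Python models the three route tables from steps 3.5 and 3.6 and evaluates them the way AWS does, by longest prefix match, so you can see why a 100.96.0.0/11 destination reaches the Transit Gateway from a private subnet while everything else falls through to the NAT gateway. It also includes the check a practitioner runs first: the VPC CIDR must not overlap the CloudConnexa prefixes. The VPC CIDR and host addresses are constructed values; the CloudConnexa prefixes are the defaults quoted above.

```python
"""Added example, not part of the CloudConnexa tutorial: a model of the three
route tables from steps 3.5 and 3.6, evaluated the way AWS does (longest
prefix wins), plus the overlap check a practitioner runs before adding the
CloudConnexa prefixes. The VPC CIDR and host addresses are constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Default CloudConnexa prefixes from the tutorial (changeable under Settings -> WPC)
WPC_SUBNET = ipaddress.ip_network("100.96.0.0/11")
DOMAIN_ROUTING_SUBNET = ipaddress.ip_network("100.80.0.0/12")

# Constructed VPC CIDR for this example; substitute your own.
VPC_CIDR = ipaddress.ip_network("10.20.0.0/16")

RouteTable = Dict[str, str]  # destination CIDR -> target label

# Private subnet (step 3.5): internet via NAT gateway, CloudConnexa via Transit Gateway.
PRIVATE_SUBNET_RT: RouteTable = {
    str(VPC_CIDR): "local",
    "0.0.0.0/0": "nat-gateway",
    str(WPC_SUBNET): "transit-gateway",
    str(DOMAIN_ROUTING_SUBNET): "transit-gateway",
}
# Public subnet (step 3.5): same, but the default route stays on the Internet Gateway.
PUBLIC_SUBNET_RT: RouteTable = {
    str(VPC_CIDR): "local",
    "0.0.0.0/0": "internet-gateway",
    str(WPC_SUBNET): "transit-gateway",
    str(DOMAIN_ROUTING_SUBNET): "transit-gateway",
}
# Transit Gateway route table (step 3.6): default to the VPC attachment,
# CloudConnexa prefixes to the VPN attachment.
TRANSIT_GATEWAY_RT: RouteTable = {
    "0.0.0.0/0": "vpc-attachment",
    str(WPC_SUBNET): "vpn-attachment",
    str(DOMAIN_ROUTING_SUBNET): "vpn-attachment",
}


def lookup(table: RouteTable, address: str) -> str:
    """Target chosen for `address`: the matching route with the longest prefix."""
    ip = ipaddress.ip_address(address)
    best: Optional[Tuple[int, str]] = None
    for cidr, target in table.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, target)
    if best is None:
        raise LookupError(f"no route for {address}")
    return best[1]


def overlapping_prefixes(vpc_cidr: str) -> List[str]:
    """CloudConnexa prefixes that collide with the VPC CIDR. This list must be
    empty: a CloudConnexa prefix inside the VPC's own address space cannot be
    steered to the Transit Gateway past the VPC's local route."""
    vpc = ipaddress.ip_network(vpc_cidr)
    return [str(n) for n in (WPC_SUBNET, DOMAIN_ROUTING_SUBNET) if vpc.overlaps(n)]


def trace_from_private_subnet(address: str) -> List[str]:
    """Targets a private-subnet host's packet to `address` hits, in order:
    the subnet route table, then the Transit Gateway table when it gets there."""
    first = lookup(PRIVATE_SUBNET_RT, address)
    if first != "transit-gateway":
        return [first]
    return [first, lookup(TRANSIT_GATEWAY_RT, address)]


if __name__ == "__main__":
    for dst in ("100.96.5.9", "100.80.1.1", "8.8.8.8", "10.20.3.4"):
        print(dst, "->", " / ".join(trace_from_private_subnet(dst)))
    print("overlaps with VPC CIDR:", overlapping_prefixes(str(VPC_CIDR)))
```

If you change the WPC or Domain Routing Subnet under Settings → WPC, update the two constants and the three route tables together; a prefix changed on one side only leaves traffic falling through to the default route instead of the Transit Gateway.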
3.7 Download the AWS configuration file
Navigate to Site-to-Site VPN connections.
Select your new VPN connection.
Click Download configuration.
Select Generic for the customer gateway device.
Download the file.
Important
To properly load the download configuration screen from the AWS Management Console, ensure that your IAM role or user has permission for the following Amazon EC2 APIs:
GetVpnConnectionDeviceTypes and GetVpnConnectionDeviceSampleConfiguration.
🔐 Step 4: Configure the Network Connector (CloudConnexa)
In this step, configure the IPsec tunnels on the CloudConnexa side using the AWS configuration.
CloudConnexa supports two tunnels for high availability. You can configure them manually or upload the AWS configuration file.
4.1 Configure CloudConnexa tunnel
Return to the CloudConnexa network wizard configuration.
Select the Authentication Method:
Shared Secret: Specify the pre-shared keys (PSK) in each tunnel configuration in the next step.
Certificate-based: Upload certificates to apply to all tunnel connectors, and enter the passphrase.
If you select Shared Secret, you can proceed to option 1 and upload an AWS configuration file. For Certificate-based, proceed to option 2 to configure tunnels manually.
Click Upload Generic Configuration File.
Select the configuration file downloaded from AWS.
CloudConnexa automatically populates the tunnel settings.
Note
AWS creates two tunnels by default. CloudConnexa creates two corresponding Connectors.
If you prefer, you can configure each tunnel manually using the values provided by AWS.
Expand Tunnel 1.
Enter the following:
Remote Site Public IPv4 Address: Enter the AWS tunnel endpoint IP address (from AWS configuration, Tunnel 1).
Pre-shared Key (PSK): Enter the pre-shared key provided by AWS.
Important
You must specify a pre-shared key for each tunnel configuration.
(Optional) Configure advanced settings: Expand Advanced Configuration to customize IPsec parameters:
IKE Version: Select the version: IKEv1 or IKEv2.
Tip
If using IKEv2 and only GCM encryption algorithms (AES-128-GCM-16 and/or AES-256-GCM-16), the integrity algorithm and a DH group are optional in phase 2.
For non-GCM encryption algorithms, an integrity algorithm and a DH group are required. The default values are applied automatically.
Phase 1 settings:
Encryption Algorithm: Select one or more supported encryption algorithms.
Integrity Algorithm: Select a supported integrity algorithm.
Diffie-Hellman Group: Select a DH group supported by your device.
Lifetime (sec): Enter a value between 901 and 86400.
Phase 2 settings:
Encryption Algorithm: Select one or more supported encryption algorithms.
Integrity Algorithm: Select a supported integrity algorithm.
Diffie-Hellman Group: Select a DH group supported by your device.
Lifetime (sec): Enter a value between 900 and 28800.
IKE rekey settings:
Rekey Margin Time (sec): Value between 60 and half of the Phase 2 lifetime.
Rekey Fuzz (%): Value between 0 and 100.
Replay Window Size (packets): Value between 64 and 2048.
Connection behavior:
Startup Action: Defines how the tunnel is initiated.
CloudConnexa Connection Restoration: Controls whether the tunnel automatically reconnects if interrupted:
Defaults to Yes when Startup Action = Start.
Automatically set to No when Startup Action = Attach and can't be changed.
AWS-specific note
When you set AWS connectors to Attach for the Startup Action, CloudConnexa doesn't initiate the tunnel.
(Optional but recommended) Expand Tunnel 2 and repeat the same configuration steps using AWS Tunnel 2 values.
Tip
Using both tunnels provides high availability and failover.
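As an added example (not code from the CloudConnexa tutorial, OpenVPN or AWS), the following Python parses the Generic configuration file downloaded in step 3.7 and pulls out, per tunnel, the two values step 4.1 asks for (the AWS tunnel endpoint address and the pre-shared key) along with the IKE and IPsec parameters, then checks them against the constraints listed above: a PSK present for every tunnel, Phase 1 lifetime within 901 to 86400 seconds, Phase 2 lifetime within 900 to 28800 seconds, and an integrity algorithm when the Phase 2 cipher is not GCM. SAMPLE_CONFIG is a constructed, abbreviated imitation of the AWS layout with placeholder keys and documentation addresses; its section and field labels are assumed to match the real download, so adjust the regular expressions if your file differs.

```python
"""Added example (not code from the CloudConnexa tutorial, OpenVPN or AWS):
parse the Generic configuration downloaded in step 3.7, extract per tunnel the
values step 4.1 asks for (AWS endpoint address, pre-shared key) and the
IKE/IPsec parameters, and check them against the lifetime ranges the tutorial
lists. SAMPLE_CONFIG is a constructed, abbreviated imitation of the AWS layout
(placeholder keys, documentation addresses; field labels are assumed)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List

SAMPLE_CONFIG = """\
! IPSec Tunnel #1
! #1: Internet Key Exchange Configuration
!   - Pre-Shared Key           : EXAMPLE_PSK_TUNNEL_1
!   - Encryption Algorithm     : aes-128-cbc
!   - Lifetime                 : 28800 seconds
!   - Diffie-Hellman           : Group 2
! #2: IPSec Configuration
!   - Authentication Algorithm : hmac-sha1-96
!   - Encryption Algorithm     : aes-128-cbc
!   - Lifetime                 : 3600 seconds
! #3: Tunnel Interface Configuration
! Outside IP Addresses:
!   - Customer Gateway         : 203.0.113.10
!   - Virtual Private Gateway  : 198.51.100.21
! IPSec Tunnel #2
! #1: Internet Key Exchange Configuration
!   - Pre-Shared Key           : EXAMPLE_PSK_TUNNEL_2
!   - Encryption Algorithm     : aes-128-cbc
!   - Lifetime                 : 28800 seconds
! #2: IPSec Configuration
!   - Authentication Algorithm : hmac-sha1-96
!   - Encryption Algorithm     : aes-128-cbc
!   - Lifetime                 : 3600 seconds
! #3: Tunnel Interface Configuration
! Outside IP Addresses:
!   - Customer Gateway         : 203.0.113.10
!   - Virtual Private Gateway  : 198.51.100.22
"""

TUNNEL_RE = re.compile(r"IPSec Tunnel #(\d+)")
SECTION_RE = re.compile(r"^#\d+:\s*(.+)$")        # "#1: Internet Key Exchange ..."
SUBSECTION_RE = re.compile(r"^([A-Za-z ]+):$")    # "Outside IP Addresses:"
KV_RE = re.compile(r"^-\s*(.+?)\s*:\s*(.*)$")      # "- Lifetime : 3600 seconds"
IKE, IPSEC, IFACE = ("Internet Key Exchange Configuration",
                     "IPSec Configuration", "Tunnel Interface Configuration")
PHASE1_LIFETIME = (901, 86400)  # CloudConnexa bounds quoted in the tutorial
PHASE2_LIFETIME = (900, 28800)


@dataclass
class Tunnel:
    number: int
    sections: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def get(self, section: str, key: str) -> str:
        return self.sections.get(section, {}).get(key, "")

    @property
    def psk(self) -> str:
        return self.get(IKE, "Pre-Shared Key")

    @property
    def remote_ip(self) -> str:
        # The outside "Virtual Private Gateway" address is what CloudConnexa
        # labels Remote Site Public IPv4 Address (assumed label, see lead-in).
        return self.get(IFACE, "Outside IP Addresses/Virtual Private Gateway")


def parse_generic_config(text: str) -> List[Tunnel]:
    """Split into tunnels and AWS's numbered sections; keys under a sub-heading
    such as 'Outside IP Addresses:' are stored with that prefix."""
    tunnels: List[Tunnel] = []
    section = subsection = ""
    for raw in text.splitlines():
        line = raw.lstrip("!").strip()
        if m := TUNNEL_RE.search(line):
            tunnels.append(Tunnel(int(m.group(1))))
            section = subsection = ""
        elif not tunnels:
            continue  # preamble before the first tunnel
        elif m := SECTION_RE.match(line):
            section, subsection = m.group(1).strip(), ""
        elif m := SUBSECTION_RE.match(line):
            subsection = m.group(1).strip()
        elif m := KV_RE.match(line):
            key = f"{subsection}/{m.group(1)}" if subsection else m.group(1)
            tunnels[-1].sections.setdefault(section, {})[key] = m.group(2).strip()
    return tunnels


def check_tunnel(t: Tunnel) -> List[str]:
    """Conditions the tutorial says must hold before CloudConnexa accepts a tunnel."""
    problems: List[str] = []
    if not t.psk:
        problems.append(f"tunnel {t.number}: no pre-shared key")
    for phase, sect, (lo, hi) in ((1, IKE, PHASE1_LIFETIME), (2, IPSEC, PHASE2_LIFETIME)):
        digits = re.sub(r"\D", "", t.get(sect, "Lifetime"))  # "3600 seconds" -> "3600"
        val = int(digits) if digits else -1
        if not lo <= val <= hi:
            problems.append(f"tunnel {t.number}: phase {phase} lifetime {val}s outside {lo}-{hi}")
    # Tutorial tip: a non-GCM phase 2 cipher must carry an integrity algorithm.
    if "gcm" not in t.get(IPSEC, "Encryption Algorithm").lower() and not t.get(IPSEC, "Authentication Algorithm"):
        problems.append(f"tunnel {t.number}: non-GCM phase 2 cipher without integrity algorithm")
    return problems
```

Run `check_tunnel` on each parsed tunnel before uploading the file: an empty list means the endpoint address and PSK are present and the lifetimes fall inside the ranges CloudConnexa accepts. The downloaded file carries both tunnels' pre-shared keys in clear text, so treat it like any other credential file and delete it once the Connectors are configured.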
4.2 Verify connectivity
Click Test Connection 1.
CloudConnexa attempts to establish a connection to your AWS network.
Check the connection status:
Connected — The tunnel is successfully established.
Offline — The connection failed or hasn't been established yet.
Tip
If the connection status is Offline:
Click View Logs to review connection details.
Verify the following:
PSK or certificates match on both sides.
IPsec parameters (encryption, DH group, lifetimes) are aligned.
Firewall rules allow IPsec traffic.
The correct public IP address is configured.
Click Test Connection 2 (if configured).
CloudConnexa attempts to establish a connection to your AWS network.
Check the connection status:
Connected — The tunnel is successfully established.
Offline — The connection failed or hasn't been established yet.
Tip
If the connection status is Offline:
Click View Logs to review connection details.
Verify the following:
PSK or certificates match on both sides.
IPsec parameters (encryption, DH group, lifetimes) are aligned.
Firewall rules allow IPsec traffic.
The correct public IP address is configured.
🔐 Step 5: Complete the Setup (CloudConnexa)
Click Finish to complete the Network configuration.
Confirm that:
The Network is created.
The Connectors show a Connected status.