SonicOS 8 IPSec VPN

Configuration on the Firewall

As part of the process to create a new VPN connection, an Address Object representing the VPC is added and can be viewed in SonicOS on the Address Objects page. Navigate to OBJECT | Match Objects > Addresses. The convention used to name the object combines the AWS IDs of the VPN connection and the VPC itself. The Address Object is a network type, with the network being that of the remote VPC.

Two VPN policies are also created, because AWS uses two VPNs per VPN connection to provide redundancy and a failover path. Navigate to NETWORK | IPSec VPN > Rules and Settings. The VPN policy names used on the firewall are based on the AWS ID for the connection along with a suffix to differentiate between the two policies.

Matching the two VPN policies, two tunnel interfaces are created. Navigate to NETWORK | System > Interfaces. They also use a naming convention based on the ID of the VPN Connection.

Similarly, two route policies are created, both using the Address Object representing the VPC as their destination. Navigate to NETWORK | System > Dynamic Routing. Each one uses a different tunnel interface.
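The four object sets described above (Address Object, two VPN policies, two tunnel interfaces, two route policies) only provide failover if they line up with each other. The following added example, which is not SonicOS or AWS code, checks those relationships over a constructed inventory; the object names, the `vpn_policy` binding field on the tunnel interface and the VPC CIDR are placeholders and do not reproduce SonicOS's actual naming format.

```python
# Added example, not SonicOS or AWS code: consistency check for the objects a new
# AWS VPN connection leaves on the firewall. Names and CIDRs below are constructed placeholders.
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class AddressObject:
    name: str
    network: str      # CIDR of the remote VPC

@dataclass(frozen=True)
class TunnelInterface:
    name: str
    vpn_policy: str   # VPN policy the interface is bound to (assumed field name)

@dataclass(frozen=True)
class RoutePolicy:
    destination: str  # Address Object name
    interface: str    # tunnel interface name

def check_vpn_connection(vpc_cidr, address_objects, vpn_policies, tunnels, routes):
    """Return findings; an empty list means the objects form a consistent redundant pair."""
    findings = []
    vpc_objs = [a for a in address_objects if ip_network(a.network) == ip_network(vpc_cidr)]
    if len(vpc_objs) != 1:
        return [f"expected one Address Object for {vpc_cidr}, found {len(vpc_objs)}"]
    vpc_name = vpc_objs[0].name
    if len(vpn_policies) != 2:
        findings.append(f"expected two VPN policies for redundancy, found {len(vpn_policies)}")
    if len(tunnels) != len(vpn_policies) or {t.vpn_policy for t in tunnels} != set(vpn_policies):
        findings.append("tunnel interfaces do not map one-to-one onto the VPN policies")
    vpc_routes = [r for r in routes if r.destination == vpc_name]
    if len(vpc_routes) != 2:
        findings.append(f"expected two route policies to {vpc_name}, found {len(vpc_routes)}")
    ifaces = [r.interface for r in vpc_routes]
    if len(set(ifaces)) != len(ifaces):
        findings.append("route policies to the VPC share a tunnel interface, so no failover path")
    if not set(ifaces) <= {t.name for t in tunnels}:
        findings.append("a route policy uses an interface that is not a VPN tunnel interface")
    return findings

# Constructed sample mirroring the objects described above (placeholder AWS IDs).
VPC_CIDR = "10.20.0.0/16"
ADDRESS_OBJECTS = [AddressObject("vpn-EXAMPLE_vpc-EXAMPLE", "10.20.0.0/16")]
VPN_POLICIES = ["vpn-EXAMPLE_1", "vpn-EXAMPLE_2"]
TUNNELS = [TunnelInterface("vpn-EXAMPLE_T1", "vpn-EXAMPLE_1"),
           TunnelInterface("vpn-EXAMPLE_T2", "vpn-EXAMPLE_2")]
ROUTES = [RoutePolicy("vpn-EXAMPLE_vpc-EXAMPLE", "vpn-EXAMPLE_T1"),
          RoutePolicy("vpn-EXAMPLE_vpc-EXAMPLE", "vpn-EXAMPLE_T2")]
```

Running `check_vpn_connection` against an export of the real objects (after mapping them onto these dataclasses) flags the cases where a tunnel, policy or route is missing or both routes lean on the same tunnel.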