EMnify offers the possibility to set up an IPsec tunnel to keep all data communication between your application server and our mobile core private. Thanks to EMnify CloudConnect you can create an IPsec tunnel in a few easy steps.
1. IPsec configuration on EMnify side
1.1 EUI configuration
To create an IPsec tunnel, click on the link symbol in the top right corner of the EMnify portal and scroll down to the option "Cloud Connect".
Click on "+create"
Fill out the form with the requested information:
- Enter a name of your choice;
- Choose the region to which you would like to connect. Make sure you select the same region in your Service Profile;
- Enter your VPN Public IP;
- Add up to 3 CIDRs used in your VPC. Select the CIDRs to which data will be sent. Note that the CIDRs must be valid RFC 1918 private address prefixes and the prefix length must be between /32 and /22; the default /16 CIDR will be declined. If a CIDR is already taken on our side, a warning will be displayed when you try to validate the TGW, because AWS TGW does not support overlapping IP addresses;
- PSK will be created automatically;
- Select "Dynamic VPN" if you want to use BGP features. For this step, select the checkbox "Dynamic VPN" in the CloudConnect UI, configure the BGP ASN of your side and follow the instructions here: https://docs.aws.amazon.com/vpn/latest/s2svpn/cgw-dynamic-routing-examples.html. Note: the CloudConnect side uses the AWS default ASN 64512;
- Add a description of your choice.
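The CIDR rules above (RFC 1918 only, prefix length between /22 and /32, no overlap with prefixes already attached to the transit gateway, at most three per attachment) are easy to pre-check before submitting the form. The following is an added example written for this guide, not EMnify's or AWS's own validation code; the function names and the "already attached" prefixes it takes as input are assumptions, and the overlap list must be obtained from your own inventory since the portal only reports a clash at validation time.

```python
import ipaddress

# RFC 1918 private address space; the CloudConnect form only accepts prefixes inside these.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
MIN_PREFIX = 22   # anything shorter, e.g. the AWS default /16, is declined
MAX_PREFIX = 32
MAX_CIDRS = 3     # per CloudConnect attachment


def check_cidr(cidr, existing=()):
    """Return (ok, reason) for one VPC CIDR.

    `existing` lists prefixes already attached to the TGW (hypothetical input:
    AWS TGW does not accept overlapping prefixes, so these must not collide).
    """
    try:
        # strict=True rejects host bits, e.g. 10.10.0.1/24 instead of 10.10.0.0/24
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return False, f"not a valid network address: {exc}"
    if net.version != 4:
        return False, "only IPv4 prefixes are accepted"
    if not any(net.subnet_of(block) for block in RFC1918):
        return False, f"{net} is not inside an RFC 1918 range"
    if not MIN_PREFIX <= net.prefixlen <= MAX_PREFIX:
        return False, f"/{net.prefixlen} is outside the accepted /{MIN_PREFIX}../{MAX_PREFIX}"
    for other in existing:
        other_net = ipaddress.ip_network(other)
        if net.overlaps(other_net):
            return False, f"{net} overlaps {other_net}, which is already attached"
    return True, "ok"


def check_vpc_cidrs(cidrs, existing=()):
    """Check a whole request: at most MAX_CIDRS entries, each valid and none overlapping."""
    if len(cidrs) > MAX_CIDRS:
        return False, f"at most {MAX_CIDRS} CIDRs per attachment"
    accepted = list(existing)
    for cidr in cidrs:
        ok, reason = check_cidr(cidr, accepted)
        if not ok:
            return False, reason
        accepted.append(cidr)          # later entries must not overlap earlier ones either
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample request: two /24s and a /28, nothing attached yet.
    print(check_vpc_cidrs(["10.1.0.0/24", "10.1.1.0/24", "192.168.5.0/28"]))
    print(check_cidr("10.0.0.0/16"))          # declined: prefix too short
    print(check_cidr("100.64.1.0/24"))        # declined: not RFC 1918
```

Running the check locally avoids a round trip through "create attachment" and the warning screen for each rejected prefix; the rules encoded here are exactly the ones stated in the list above.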
On the next screen, a summary of your configuration is available.
Make sure everything is correct and click on "create attachment". If the entered CIDR is not valid or not available, a warning will be displayed:
In this case, enter a new CIDR and repeat the process. Once the setup is complete, the status of the VPN will be "pending" until the automatic IPsec creation on our side is complete. Once the status is "not connected", you can display the VPN configuration that you need to apply on your side.
NOTE: Once the attachment is created, you will be billed at the end of the month for 150 EUR, as notified when creating the CloudConnect request.
1.2. EMnify firewall rule configuration
The firewall configuration on the EMnify side is not yet done automatically. Once the VPN configuration is available in the CloudConnect section, take a screenshot of it, send the file to firstname.lastname@example.org and ask them to finalize the IPsec configuration. In the email to support, please specify your organization ID. This can take up to 4 weeks.
1.3. IP range configuration
All IP ranges assigned to the customer's account need to be configured on the EMnify side. By default, each account has a /24 range. Inform EMnify via ticket when a new range is manually added to your account: send an email to email@example.com stating which new range should be configured for your IPsec tunnel.
2. IPsec configuration on Customer's side
Two tunnels have been created; this is intended for redundancy. We advise you to configure both on your side as well, but this is optional.
To handle the configuration, you can use the help available in the Amazon knowledge base: https://docs.aws.amazon.com/vpc/latest/adminguide/Welcome.html. Simply select the gateway device you are using and apply the configuration.
2.2. Firewall rules (incoming traffic)
Traffic coming from EMnify endpoint IP addresses needs to be allowed on the customer's side. This can be done by allowing our complete IP range or only the ranges assigned to your EMnify account:
- If you can, allow traffic from the following ranges: 100.64.0.0/10, 10.192.0.0/12, 10.4.0.0/14. You will then be sure that traffic from your endpoints will be allowed.
- If you have overlapping rules, you can allow only the IP ranges assigned to your account. In this case, you need to update your configuration each time a new IP range is assigned to your account.
2.3. Routing tables (outgoing traffic)
The routing table also needs to be updated, as all traffic going to EMnify IP ranges needs to go through the IPsec tunnel. Here as well, two solutions are possible:
- If you can, send all traffic to the following ranges through the IPsec tunnel: 100.64.0.0/10, 10.192.0.0/12, 10.4.0.0/14.
- If you have overlapping routes, you can configure only the IP ranges assigned to your account. In this case, you need to update your configuration each time a new IP range is assigned to your account.
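Sections 2.2 and 2.3 both hinge on the same decision: use the three aggregate EMnify ranges if they do not collide with networks you already route locally, otherwise fall back to the per-account ranges and accept that the rule set must be updated whenever a new range is assigned. The following is an added example for this guide, not EMnify's or AWS's own tooling; the local networks, the account range and the tunnel interface name `vti1` are constructed assumptions, and the aggregate ranges are the ones listed above (verify them against your portal before use).

```python
import ipaddress

# Aggregate EMnify endpoint ranges as listed in sections 2.2 and 2.3 of the guide.
EMNIFY_AGGREGATE = ["100.64.0.0/10", "10.192.0.0/12", "10.4.0.0/14"]


def overlapping_ranges(candidates, local_ranges):
    """Return the candidate prefixes that collide with a locally routed network."""
    local_nets = [ipaddress.ip_network(r) for r in local_ranges]
    return [c for c in candidates
            if any(ipaddress.ip_network(c).overlaps(ln) for ln in local_nets)]


def select_ranges(local_ranges, account_ranges):
    """Pick the prefixes to allow (firewall) and route through the tunnel.

    Returns ("aggregate", [...]) when the EMnify aggregate ranges are usable,
    ("account", [...]) when only the account-specific ranges can be used, and
    raises ValueError if even those collide with local networks (no safe choice).
    """
    if not overlapping_ranges(EMNIFY_AGGREGATE, local_ranges):
        return "aggregate", list(EMNIFY_AGGREGATE)
    clashes = overlapping_ranges(account_ranges, local_ranges)
    if clashes:
        raise ValueError(f"account ranges collide with local networks: {clashes}")
    return "account", list(account_ranges)


def is_allowed_source(src_ip, allowed_ranges):
    """Firewall-side check: does a packet source fall inside the allowed ranges?"""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in ipaddress.ip_network(r) for r in allowed_ranges)


def render_rules(ranges, tunnel_if="vti1"):
    """Render one nftables accept rule and one route per prefix (assumes an existing
    `inet filter` table with an `input` chain and a route-based tunnel interface)."""
    lines = []
    for r in ranges:
        lines.append(f'nft add rule inet filter input iifname "{tunnel_if}" ip saddr {r} accept')
        lines.append(f"ip route add {r} dev {tunnel_if}")
    return lines


if __name__ == "__main__":
    # Constructed sample: a VPC on 10.50.0.0/16 (no clash) and one on 10.4.0.0/16 (clashes
    # with 10.4.0.0/14), each with a default /24 account range inside 10.192.0.0/12.
    account = ["10.200.1.0/24"]
    mode, ranges = select_ranges(["10.50.0.0/16", "192.168.0.0/16"], account)
    print(mode, ranges)
    mode, ranges = select_ranges(["10.4.0.0/16"], account)
    print(mode, ranges)
    print("\n".join(render_rules(ranges)))
    print(is_allowed_source("10.200.1.77", ranges), is_allowed_source("10.201.0.1", ranges))
```

If `select_ranges` returns "account", schedule a re-run whenever EMnify assigns a new range (section 1.3), since the generated rules will otherwise silently drop traffic from endpoints in the new range.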