## Site-to-Site VPN
A Site-to-Site Virtual Private Network (VPN) establishes a secure, encrypted tunnel between your RunAtlas VPC and your local office, datacenter, or another cloud provider. This allows you to treat your RunAtlas resources as an extension of your existing network.
### Prerequisites
- A [[VPC|VPC]] with at least one Tier/Subnet.
- A **Public IP** attached to the VPC Gateway (Source NAT).
- Access to configure your local router/firewall (e.g., Cisco ASA, Juniper SRX, pfSense, OpenVPN).
### Configuration Steps
1. **Enable VPN Gateway**:
   - Navigate to **Network > VPC**.
   - Select your VPC.
   - Click the **VPN Gateway** tab (or icon).
   - **Create/Enable**: This assigns the VPN service to the VPC's **Source NAT IP**. Note this public IP.
2. **Create Customer Gateway**:
   - Within the VPC view (or under **Network > VPN Customer Gateway** if available globally), click **Add Customer Gateway**.
   - **Name**: e.g., "Office-HQ-Router".
   - **Gateway**: The public IP of your office firewall.
   - **CIDR**: The IP range of your local network (e.g., `192.168.1.0/24`).
   - **IKE/ESP Policy**: Define your encryption (AES-256), hash (SHA-256), and DH Group (e.g., Group 14).
3. **Create VPN Connection**:
   - Navigate to **VPN Connections** (often a tab within the VPC or a sidebar item).
   - Click **Create VPN Connection**.
   - Select the **VPN Gateway** (your VPC) and the **Customer Gateway** (your office).
   - **Passive/Active**: Usually, check "Passive" if the office side initiates the connection.
   - **Preshared Key (PSK)**: Copy the generated key (or provide one).
### Local Configuration Example (Generic)
On your firewall:
- **Remote Gateway**: RunAtlas Public IP.
- **Remote Subnet**: RunAtlas VPC CIDR (e.g., `10.0.0.0/16`).
- **Local ID**: Your Firewall Public IP.
- **Preshared Key**: The key generated above.
- **Phase 1**: AES-256, SHA-256, DH2. Lifetime 28800. The DH group must match the one you set in the Customer Gateway IKE policy, or Phase 1 will fail to negotiate.
- **Phase 2**: AES-256, SHA-256, PFS (optional). Lifetime 3600.
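As an added example (not part of the RunAtlas documentation or any vendor's sample), here is the local side of the tunnel described above written as a strongSwan `swanctl.conf` for a Linux firewall. The two public IPs and the PSK are placeholders; it assumes IKEv2 and DH Group 14 (modp2048) for both phases, matching the Customer Gateway policy in step 2, and it initiates the connection, which is the case where you check "Passive" on the RunAtlas side.

```conf
connections {
   runatlas {
      # Placeholder addresses: local firewall public IP and the
      # RunAtlas VPN Gateway (Source NAT) public IP noted in step 1.
      local_addrs  = 203.0.113.10
      remote_addrs = 198.51.100.20
      version = 2
      # Phase 1: AES-256 / SHA-256 / DH Group 14; 8h = 28800 s lifetime.
      proposals  = aes256-sha256-modp2048
      rekey_time = 8h
      # Dead peer detection so a dropped tunnel is re-established.
      dpd_delay = 30s
      local {
         auth = psk
         id = 203.0.113.10
      }
      remote {
         auth = psk
         id = 198.51.100.20
      }
      children {
         vpc {
            # Traffic selectors: office LAN <-> RunAtlas VPC CIDR.
            local_ts  = 192.168.1.0/24
            remote_ts = 10.0.0.0/16
            # Phase 2: AES-256 / SHA-256; the modp2048 term enables PFS
            # (drop it only if PFS is disabled on the RunAtlas side).
            esp_proposals = aes256-sha256-modp2048
            rekey_time = 1h
            # This side initiates, so "Passive" is checked in the console.
            start_action = start
            dpd_action   = restart
         }
      }
   }
}
secrets {
   ike-runatlas {
      id-local  = 203.0.113.10
      id-remote = 198.51.100.20
      # Paste the PSK shown or provided in step 3 here.
      secret = "REPLACE-WITH-PSK-FROM-CONSOLE"
   }
}
```

Load it with `swanctl --load-all`, then confirm both SAs with `swanctl --list-sas`; a Phase 1 failure shows up there before the console status changes.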
### Verification
Once configured on both sides:
1. Initiate traffic from your local network to an instance in the VPC.
2. Check the **Status** in the RunAtlas console (should turn **Green/Connected**).
3. Verify that your VPC routing tables send traffic destined for your office (`192.168.1.0/24`) through the VPN Gateway.
### Troubleshooting
- **Check Logs**: Review firewall logs for Phase 1 (IKE) or Phase 2 (IPsec) negotiation errors.
- **Mismatched Proposals**: Ensure encryption algorithms match exactly on both ends.
- **Firewall Rules**: Verify UDP 500, UDP 4500, and ESP (Protocol 50) are allowed on both public IPs.