AWS Redundant Tunnels - Transit Gateway
  • 23 Oct 2023
  • 4 Minutes to read
  • Contributors

    AWS Redundant Tunnels - Transit Gateway

      Article Summary


      This guide will lead you through establishing redundant VPN tunnels between your Perimeter 81 network and your AWS Transit Gateway environment. Creating multiple tunnels helps ensure a higher availability of your network connections.

      Breakdown of topics

      1. Pre-requisites
      2. Configuration Steps
      3. Verifying the Setup
      4. Troubleshooting
      5. Support Contacts


      To successfully follow this guide, you should have:

      1. An active Perimeter 81 account and network.
      2. The Perimeter 81 app is installed on your devices.
      3. An active AWS account with the necessary permissions.

      Configuration Steps

      Create Perimeter81  Gateways

      1. Your Perimeter81 Network must have at least two different gateways in the same network, as listed below.
      Important notes
      • These gateways can be deployed in two separate Regions for comprehensive ISP redundancy. 
      • The network can be scaled up, and adding another region should not affect the connection.

      Create a Transit Gateway on AWS

      • You can skip this step if you already have a Transit Gateway in your AWS region.
      1. Under TRANSIT GATEWAYS, click Transit Gateway and then Create a Transit Gateway.
      2. Create a Transit Gateway with Default Settings
      3. Navigate to Transit Gateway Attachments under VPC, and create a Transit Gateway Attachment for your VPC.

      Create two Site-to-Site VPN connections

      1.  In your AWS VPC, under VIRTUAL PRIVATE NETWORK(VPN), Click Site-to-Site VPN Connections, then Create VPN Connection. 
      2. Under Target Transit Gateway, select the Transit Gateway we created previously, and for Customer Gateway, choose New.
        Under IP Address, enter the first Perimeter81 Gateway IP. Routing is Dynamic (BGP).
        The BGP AS Number is the ASN you plan to use for the Perimeter81 Network; the default is 64512.

      3. Make sure your naming convention makes sense so you can locate and discern between the connections later.
      4. Navigate to Transit Gateway attachments under TRANSIT GATEWAYS and find the Transit Gateway Attachment you just created- rename it to something that makes sense to you, like the screenshot below:
      5. Navigate back to Site-to-Site VPN Connections and select the VPN connection that got created, then click Download Configuration.
      6. Be sure to choose Generic under Vendor and Ikev2 for Ike Version.
      7. Download and rename the file Tunnel1.txt.
      8. Repeat steps 1-6 for the other Site-to-Site Tunnel. This time, use the Second Perimeter81 Gateway IP.
      9. Rename the second file you downloaded Tunnel2.txt.
      10. Make sure to change the naming convention under Transit Gateway attachments for this site as well:

        VPC Attachment
        To access your VPC through the redundant connection, you must have a VPC Attachment connected to the Transit gateway.

      Creating the High Availability Perimeter81 Tunnel

      1. In Your Perimeter 81 Admin console, Navigate to your network.
      2. Click "..." next to one of the gateways and select Add Tunnel.
      3. Choose IPSEC Site-2-Site Tunnel, then Continue.
      4. Select Redundant Tunnels, and afterward, click Continue.
      5. Select a logical name for your Tunnel, 
        • For example, if your Transit gateway is located in the US-East region of AWS, you could name the tunnel "USEast." If this is your Staging environment, call it "Staging."
      6. Copy the values for the first Tunnel from Tunnel1.txt:
        • Shared Secret: Pre-Shared Key
        • Perimeter 81 gateway Internal IP: Inside IP Addresses of Customer Gateway.
        • Remote Public IP & Remote ID: Outside IP Addresses of Virtual Private Gateway.
        • Remote Gateway internal IP: Inside IP Addresses of Virtual Private Gateway. The IP on the AWS side has a subnet (/30) that should be discarded when pasting.
        • Remote Gateway ASN: BGP Configuration Options of Virtual Private Gateway ASN from the file.
        • On Perimeter 81, your Tunnel page should look like this:
      7. Repeat step 5 for the second Tunnel, this time using the values from Tunnel2.txt.
      8. Under Shared Settings, you'll want to select Any( for both sides. ASN number should be the same for the Perimeter81 side as the Customer Gateway ASN you configured on AWS.
      9. Under Advanced Settings, match the following:
      10.  Click Add Tunnel.

      Creating Static Routes

      1. Navigate to VPC -> Select the corresponding VPC attached to the Transit Gateway -> Select the Main Route Table for the VPC.
      2.  Edit the main Route Table for the VPC and add the subnet mask of your Perimeter 81 network as the destination with the Transit Gateway as the target (Route for reverse traffic).
        • Please note that this might not be the Main Route Table for the VPC; In that case, you will need to locate each subnet associated with the VPC and add the reverse route for the Perimeter81 internal subnet range.
      3. Navigate back to your Perimeter 81 network and add the route to the corresponding subnet in AWS.
        You'll want to select "..." next to your network and then Routes Table.
      4. Once completed, select "Apply Configuration" and let the route changes propagate on the Perimeter 81 side.

        Verifying the Setup

        Once set up, your redundant tunnels should be active. To confirm, go to your Perimeter 81 dashboard, find the tunnels you started, and ensure their status shows "Up". Connect to your network with the Perimeter 81 agent and try accessing resources in your AWS environment.


        If you encounter issues during or after the setup, try reviewing your settings to ensure everything matches the instructions. In particular, check the IP addresses and other details you entered during setup. If issues persist, please consult our dedicated support.

        Support Contacts

        If you have any difficulties or questions, don't hesitate to contact Perimeter 81's support team. We offer 24/7 chat support on our website at, or you can email us at [email protected]. We're here to assist you and ensure your VPN tunnel setup is a success.

      Was this article helpful?