hands-on lab

VPN Connections with an Amazon VPC Using Dynamic Routing

Up to 2h 15m
Get guided in a real environmentPractice with a step-by-step scenario in a real, provisioned environment.
Learn and validateUse validations to check your solutions every step of the way.
See resultsTrack your knowledge and monitor your progress.


In this Lab, you will set up VPN connections with an Amazon Virtual Private Cloud (VPC) using dynamic routing as you make strides in migrating an on-premises application into the AWS cloud. You will configure the networking between your corporate network and an Amazon Virtual Private Cloud (VPC). The database (db) is hosted on-premises and the application is hosted in the cloud. As part of a real-world scenario, you will complete a design by fulfilling requirements.

Lab Objectives

Upon completion of this Lab you will be able to:

  • Connect on-premises networks to Amazon VPCs using Internet Protocol Security (IPSec) virtual private network (VPN) tunnels
  • Configure internal Border Gateway Protocol (BGP) on on-premises routers
  • Configure on-premises routers to connect to Amazon VPCs using BGP
  • Understand the differences between static and dynamic routing
  • Gain experience with multi-homed instances and understand some reasons for using them

Lab Prerequisites

You should be familiar with the following:

  • AWS networking concepts including VPCs, subnets, internet gateways, security groups, route tables, and Elastic IP addresses
  • AWS compute concepts including EC2 instances
  • Static routes in networks
  • Knowledge of routing protocols is beneficial, but not required

Lab Environment

Before completing the Lab instructions, the environment will look as follows:

After completing the Lab instructions, the environment should look similar to:


October 10th, 2023 - Resolved Node.js issue

May 9th, 2023 - Resolved an issue that would cause the lab setup to not complete on rare occasions

March 6th, 2023 - Updated instructions to add clarity about EC2 SSH

April 26th, 2022 - Modified the lab to use a Cloud Academy-provided VyOS routing configuration template after AWS removed Vyatta (VyOS-compatible) configuration from their available router configurations

March 31st, 2022 - Added SSH instructions for Windows users

February 3rd, 2022 - Updated the instructions and screenshots to reflect the latest UI.

September 30th, 2020 - Addressed an issue preventing downloading of the VPN configuration

August 31st, 2020 - Updated screenshot to match the new EC2 user interface

July 30th, 2020 - Fixed an issue preventing students from completing the Lab, updated instruction and screenshot.

January 10th, 2019 - Added a validation Lab Step to check the work you perform in the Lab

About the author

Logan Rakai, opens in a new tab
Lead Content Developer - Labs
Learning paths

Logan has been involved in software development and research since 2007 and has been in the cloud since 2012. He is an AWS Certified DevOps Engineer - Professional, AWS Certified Solutions Architect - Professional, Microsoft Certified Azure Solutions Architect Expert, MCSE: Cloud Platform and Infrastructure, Google Cloud Certified Associate Cloud Engineer, Certified Kubernetes Security Specialist (CKS), Certified Kubernetes Administrator (CKA), Certified Kubernetes Application Developer (CKAD), and Certified OpenStack Administrator (COA). He earned his Ph.D. studying design automation and enjoys all things tech.

LinkedIn, Twitter, GitHub

Covered topics

Lab steps

Logging In to the Amazon Web Services Console
Understanding the VPN Connection Scenario
Setting Up Multi-homed Router Instances
Configuring Internal BGP Between Border Routers
Creating Gateways and IPSec VPN Tunnels
Configuring External BGP Routing on Your Routers
Testing the Application Functionality Across Corporate and Cloud Networks