There are two ways of approaching this challenge. (#1) running MikroTik virtual appliance (CHR) in AWS (#2) using Virtual Private Gateway, a “cloud-native” networking solution provided by AWS. Each solution has its own benefits.
Let’s get my hands dirty with deep dive (?) networking. My ultimate favorite upcoming exam is AWS Certified Advanced Networking – Specialty Certification | AWS Certification | AWS (amazon.com) can’t wait to get there…
On-premises physical MikroTik hardware (or virtualized CHR) running RouterOS
This is what I have at home and use to connect to multiple clouds. It worked very nice with Azure, now connecting with AWS. Will find the way to GCP as well.
Actually, you can buy three (3) pieces of this lovely router for the price of the AWS Advanced Networking exam 🙂
This is a customer gateway device that supports IPSEC based VPN tunnels. Works very nicely with public clouds and is widely used in home/lab environments for testing purposes.
MikroTik can handle production workloads as well, they offer enterprise-scale devices as well. An example is below: Amazon.com: Mikrotik CCR1036-8G-2S+ 36 core CPU, Cloud Core Router, 8x Gigabit ports, 2x SFP+ ports, Color touchscreen LCD, 4GB. : Electronics
If you fail the Networking Speciality exam two (2) times, you are nearly here with investments 🙂
(#1) MikroTik Cloud Hosted Router (CHR) on AWS t2.micro (Free Tier) instance
If you go in this direction, you are going to deploy a tiny t2.micro instance (this is AWS Free Tier item, 750 hours/month of free usage) to run MikroTik RouterOS.
This virtual appliance (instance) will work just like your on-premises MikroTik, same OS, same commands. When you configure Site2Site VPN, you do the same method as connecting 2 on-premises datacenters. Learn more here: Manual:Interface/SSTP – MikroTik Wiki
Obviously, this is recommended by MikroTik since you need to purchase another Mikrotik CHR license and bring it to the Cloud. Mikrotik CHR BYOL license is fairly priced, $45 (one-time payment) for the 1Gbit connection. Learn more about Mikrotik licensing here Manual:CHR – MikroTik Wiki
In order to deploy this solution, visit AWS Marketplace: Cloud Hosted Router (amazon.com)
Use AWS Pricing Calculator select EC2 and find out t2.micro cost.
Default 30GB for Linux root disk is overkill for MikroTik, I tried with 1GB EBS (VM disk), estimated price is 5.36 USD/mo (as of today). Quite good.
(#2) Using Virtual Private Gateway – this is a “cloud-native” networking solution provided by AWS
If you go in this direction, you are going to use an AWS managed service to terminate the VPN tunnel in AWS from your local MikroTik box.
The clear benefit is you do not need to manage MikroTik on AWS, and AWS Virtual Private Gateway is supported by many other appliances, including cross-cloud configurations to Azure or GCP.
When it comes to the configuration steps, I am building on others to get my LAB connected.
It is a great idea to have reusable RouterOS scripts to get the configuration done, but unfortunately, someone needs to maintain scripts and provide community support and that’s always hard (for free).
AWS Site-to-Site VPN – User Guide (amazon.com)
What is AWS Site-to-Site VPN? – AWS Site-to-Site VPN (amazon.com)
AWS Site-to-Site VPN with MikroTik (RouterOS) | by Danny Rehelis | Medium (November 2020: I will try this)
GitHub – smartupio/aws-vpn-mikrotik: Shell script to transform a Generic AWS VPN configuration guide to MikroTik specific set up commands that can be copy pasted into a mikrotik console to set up the customer end of the connection. (July 2017: not sure if it still works)
Amazon AWS VPN — A Working Configuration Example and Bug – MikroTik (August 2014: what bug, hopefully not the case anymore)
Updating your Mikrotik to 6.44.3
This AWS article is about the supported customer gateway devices. Mikrotik is listed:
Your customer gateway device – AWS Site-to-Site VPN (amazon.com)
Officially Azure does not support MikroTik, however, it works very nicely with zero issues; we configured it multiples times when building Azure-based labs. Very similar config to AWS.
About VPN devices for connections – Azure VPN Gateway | Microsoft Docs
At Microsoft, Synology (for example MR2200ac) is a promising alternative solution for home labs How do I set up Site-to-Site VPN between my Synology Router and Microsoft Azure? – Synology Knowledge Center
At GCP I liked the idea of connecting AWS or Azure sites.
Using third-party VPNs with Cloud VPN | Google Cloud
To grab the images, go to the MikroTik archives page or use the links below (they point to the MikroTik website).
