AWS Site-to-Site VPN Connection and Distrubution over AWS Transit Gateway.

Ahmet Ozan GAZİ — Tue, 24 Jun 2025 11:40:03 +0000

AWS Site-to-Site VPN and Transit Gateway Cross-Account Routing

Introduction

In enterprise cloud infrastructures, establishing secure and scalable network connections between different AWS accounts and VPCs (Virtual Private Cloud) is of critical importance. AWS provides powerful services such as Site-to-Site VPN and Transit Gateway to meet this need. In this article, we will explain step by step how to route network traffic between multiple AWS accounts using Site-to-Site VPN and Transit Gateway.

1. Basic Concepts

Site-to-Site VPN

AWS Site-to-Site VPN creates an encrypted tunnel between your on-premises data center and your AWS VPC. This enables secure data transmission between your on-premises network and cloud environment.

Transit Gateway

AWS Transit Gateway allows you to connect multiple VPCs and on-premises networks through a central hub. This structure simplifies network management and increases scalability.

2. Scenario and Architecture Definition

Account A: Main AWS account connected to on-premises data center.
Account B and C: VPCs located in different AWS accounts.
Objective: Provide secure and centralized access from on-premises data center to VPCs in Account B and C.

3. Step-by-Step Setup

3.1. Creating Transit Gateway (Account A)

Sign in to AWS Management Console with Account A.
Follow the steps: VPC Dashboard > Transit Gateways > Create Transit Gateway.
Give the Transit Gateway a meaningful name and configure necessary settings.
Note the Transit Gateway ID.

3.2. Creating Transit Gateway Attachments

a) Connecting Account A's VPC to Transit Gateway

Create a new attachment from the Transit Gateway Attachments section in VPC Dashboard.
Select the relevant VPC in Account A and connect it to the Transit Gateway.

b) Creating VPC Attachments in Other Accounts (B and C)

In Account B and C, enable Transit Gateway sharing through Resource Access Manager (RAM).
Share the Transit Gateway from Account A.
In Account B and C, connect their own VPCs to the Transit Gateway using the shared Transit Gateway.

3.3. Site-to-Site VPN Setup

Create Customer Gateway and Virtual Private Gateway in Account A.
Create Site-to-Site VPN Connection and enter your on-premises network information.
Connect the VPN connection to the Transit Gateway (create Attachment).

3.4. Route Table and Routing

Add routes to each VPC's route table to route traffic to other VPCs and on-premises network through the Transit Gateway.
Define rules in the Transit Gateway Route Table to route incoming traffic to the correct VPC or VPN.

3.5. Security Groups and NACLs

Configure security groups and network access control lists (NACL) to allow relevant ports and protocols.

4. Testing and Validation

Test the connection by pinging or SSH connecting to resources (e.g., EC2) in Account B and C from the on-premises network.
Monitor traffic using AWS VPC Flow Logs and CloudWatch.

5. Best Practices

Segment Transit Gateway Route Tables to ensure network isolation.
Securely manage resource sharing with IAM and RAM.
Use two tunnels for high availability in VPN connections.

Conclusion

With AWS Site-to-Site VPN and Transit Gateway, you can establish a centralized, secure, and scalable network architecture between different AWS accounts and on-premises networks. This structure greatly simplifies network management in large-scale and multi-account architectures.

MFA AWS VIA TERMINAL

Ahmet Ozan GAZİ — Mon, 20 May 2024 10:48:12 +0000

In today's digital landscape, securing access to cloud services is paramount, particularly as cyber threats become increasingly sophisticated. Amazon Web Services (AWS), a leading cloud service provider, offers robust security features to protect sensitive data and infrastructure. One essential security measure is Multi-Factor Authentication (MFA), which enhances the traditional username and password login process by requiring an additional verification step. This essay will explore the process of configuring and using MFA to access AWS from a local terminal, highlighting the steps involved, the benefits of this security approach, and practical tips for seamless integration. By implementing MFA, users can significantly bolster their security posture, ensuring that access to their AWS environments is both secure and efficient.
In this article I want draw your attention to some point which we can make it happen with ease. First of all we need to do some configuration like installing necessary packages such as os, subprocess, pyotp, json, base64, binascli, configparser, dotenv. These packages are prerequisites for making the scripts work .
As a next step we need to define the environment variables which we'll us it in our bash scripts. To do seo we create a .env file to keep all of our environmental variables to call them in the cli commands.

When configuring Multi-Factor Authentication (MFA) to securely access Amazon Web Services (AWS) from a local terminal, one of the crucial steps involves creating a .env file. This file, short for "environment variables," is essential for securely storing and managing sensitive information, such as AWS access keys, secret keys, and MFA device serial numbers. By using a .env file, users can avoid hard-coding these credentials directly into their scripts or applications, which enhances security and simplifies configuration management. The .env file should be placed in the root directory of the project and structured in a way that each variable is declared on a new line.
When it comes to creating a script for all of these configuration, naturally we need to acquire a snappy script which includes as follows,
1- Imports and Environment Setup:

Imports the necessary modules.
Loads environment variables from the .env file.

2- Configuration Reading:

Reads AWS credentials from the specified source profile in the AWS credentials file.

3-Validation:

Verifies that the TOTP secret is valid and base32 encoded.

4- MFA Token Generation:

Generates a current MFA token using the TOTP secret.

5- Session Token Retrieval:

Uses AWS STS to obtain a session token with the MFA token.

6- Credentials Update:

Updates the AWS credentials file with the temporary session credentials.

Additionally, ensure the ~/.aws/profile under the $HOME directory is correctly configured for your AWS CLI.

Here is the one example for script that we may use;
aws-login.py

import os
import subprocess
import pyotp
import json
import base64
import binascii
import configparser
from dotenv import load_dotenv

# Load environment variables from .env file
load_dotenv()

# Retrieve variables from the environment
mfa_serial_number = os.getenv('MFA_SERIAL_NUMBER')
totp_secret = os.getenv('TOTP_SECRET')
source_profile = os.getenv('SOURCE_PROFILE', 'dev-mfa')
aws_profile = os.getenv('AWS_PROFILE', 'default')

# Read credentials from the source profile
config = configparser.ConfigParser()
credentials_file_path = os.path.expanduser('~/.aws/credentials')
config.read(credentials_file_path)

if source_profile not in config:
    print(f"Profile '{source_profile}' not found in {credentials_file_path}.")
    exit(1)

aws_access_key_id = config[source_profile].get('aws_access_key_id')
aws_secret_access_key = config[source_profile].get('aws_secret_access_key')

if not aws_access_key_id or not aws_secret_access_key:
    print(f"Missing credentials in profile '{source_profile}'.")
    exit(1)

# Ensure TOTP secret is base32 encoded
try:
    base64.b32decode(totp_secret, casefold=True)
except binascii.Error:
    print("The provided TOTP secret is not valid base32 encoded. Please check the secret.")
    exit(1)

# Generate MFA token
totp = pyotp.TOTP(totp_secret)
mfa_token = totp.now()

# Get temporary session token using MFA
try:
    response = subprocess.check_output([
        'aws', 'sts', 'get-session-token',
        '--serial-number', mfa_serial_number,
        '--token-code', mfa_token,
        '--output', 'json',
        '--profile', source_profile
    ])
except subprocess.CalledProcessError as e:
    print(f"Error getting session token: {e}")
    exit(1)

# Parse the response
response_json = json.loads(response)
credentials = response_json['Credentials']

# Update the AWS credentials file with the temporary credentials
if aws_profile not in config.sections():
    config.add_section(aws_profile)

config[aws_profile]['aws_access_key_id'] = credentials['AccessKeyId']
config[aws_profile]['aws_secret_access_key'] = credentials['SecretAccessKey']
config[aws_profile]['aws_session_token'] = credentials['SessionToken']

with open(credentials_file_path, 'w') as configfile:
    config.write(configfile)

print(f"🙌🏻 Welcome to Starlet Technologies AWS Cloud Services. All logins and acitivities are monitoring and recording.")
print("⏰ Your AWS CLi session will expire at:", credentials['Expiration'])

## Verify the identity of the temporary credentials
#try:
#    identity = subprocess.check_output(['aws', 'sts', 'get-caller-identity', '--profile', aws_profile])
#    print("Current Identity:", identity.decode('utf-8'))
#except subprocess.CalledProcessError as e:
#    print(f"Error verifying identity: {e}")
#    exit(1)
#
## Attempt to list S3 buckets
#try:
#    s3_buckets = subprocess.check_output(['aws', 's3', 'ls', '--profile', aws_profile])
#    print("S3 Buckets:", s3_buckets.decode('utf-8'))
#except subprocess.CalledProcessError as e:
#    print(f"Error listing S3 buckets: {e}")
#    exit(1)

In order to make above script run, we use

python aws-login.py

As a expected output we can see ;

For the troubleshooting purposes we recommend you to check if you have registered profile under ~/.aws/credentials file.

DEV Community: Ahmet Ozan GAZİ