How to Configure AWS for a Super SIM VPN

Super SIM VPN is in Private Beta. Once you determine that a VPN connection is appropriate for your IoT use case, please reach out to your IoT sales specialist or email sales-wireless@twilio.com to learn more about the process of setting up your VPN connection.

Super SIM VPN (Virtual Private Network) establishes a secure private network between Twilio and your application data center, and ensures your Super SIM-connected devices use this private network for data communications.

Your application may exist within an Amazon Web Services (AWS) Virtual Private Cloud (VPC). You can connect your AWS-hosted application to a Super SIM VPN via an AWS Site-to-Site VPN. The following guide will walk you through this process using the AWS Console.

You should view this guide alongside How to Set Up and Use a Super SIM VPN, which details the overall VPN configuration process.

To connect a Twilio Super SIM VPN to your AWS resources there are several pieces of information you'll need to gather in order to create the new AWS objects you will need. Some of this data you need will come from the VPN setup questionnaire provided to you by Twilio. Other items will come from AWS. The steps below will guide you through the process.

The first piece of information you'll need is your AWS VPC CIDR (Classless Inter-Domain Routing) block. This will be something like 172.31.0.0/16, and you will have specified it when you created the VPC.

Open your AWS Console and navigate to VPC > Your VPCs. Select the VPC you wish to connect to the VPN.

In the AWS Console, navigate to VPC > Customer Gateways and click the Create customer gateway button at the upper right-hand side of the screen. You'll be prompted to provide the following values:

• Name: This is a tag used to reference this customer gateway. It's optional, but we recommend you provided a name, e.g., twilio-vpn-gateway-1, to make it easier to find in future.
  • Tip Include a number at the end of the name — you might need to add another VPN in the future.
• BGP ASN: You can use the default, 65000, or pick any value between 1 and 2147483647.
• IP address: Enter the Twilio VPN Gateway IP Address from the your VPN setup questionnaire (e.g. 208.78.112.57).
• Certificate ARN: This is not required, so please leave this field as it is.
• Device: This is a name for the Twilio VPN device. It's optional.
  • You can use: Twilio Juniper SRX 5400 #1.
  • Tip Include a number at the end of the name — you might need to add another VPN in the future.

When you've entered the required information and any optional values you want to provide, click Create customer gateway.

In the AWS Console, navigate to VPC > Virtual Private Gateways and click the Create virtual private gateway button at the upper right-hand side of the screen. You'll be prompted to provide the following values:

• Name: This is a tag used to reference this virtual private gateway. It's optional, but we recommend you provided a name, e.g., twilio-virtual-private-gateway-1, to make it easier to find in future.
  • Tip Include a number at the end of the name — you might need to add another VPN in the future.
• Autonomous System Number (ASN): Select the Amazon default ASN.

To complete this step, click Create virtual private gateway.

The final step establishes a new VPN connection based on the Customer Gateway and Virtual Private Gateway objects you've just created. Navigate to VPC > Site-to-Site VPN Connections. Click the Create VPN connection button at the upper right-hand side of the screen. Once again, you'll be prompted to enter a series of values:

• Name: This is a tag used to reference this virtual private gateway. It's optional, but we recommend you provided a name, e.g., twilio-vpn-1, to make it easier to find in future.
  • Tip Include a number at the end of the name — you might need to add another VPN in the future.
• Target Gateway Type: Select Virtual Private Gateway.
• Virtual Private Gateway: Choose the Virtual Private Gateway you created above by its name, e.g., twilio-virtual-private-gateway-1.
• Customer Gateway: Choose Existing.
• Customer Gateway ID: Choose the Customer Gateway you created above by its name, e.g., twilio-vpn-gateway-1.
• Routing Options: Choose Static.
  • Where it says "Be sure to specify any private networks behind your on-premises firewall", enter the Encryption Domain (CIDR) value from the VPN setup questionnaire. The default is 100.112.0.0/12.
• Local IPv4 Network CIDR: This is also the Encryption Domain (CIDR) value from the questionnaire.
• Remote IPv4 Network CIDR: This is your VPC IP Address CIDR. It is unique to your VPC, and is the value you retrieved from Step 1.
• Tunnel Options: Select Advanced Options then click Edit. Under DPD timeout action, select Restart.
  • This is the action to take when a Dead Peer Detection (DPD) timeout occurs. By default, when this happens the Internet Key Exchange (IKE) session is stopped, the tunnel goes down, and the routes are removed. However, you can instead specify that AWS must restart the IKE session after a DPD timeout, or that AWS must take no action when a DPD timeout occurs. We recommend you restart the connection.

Finally, click Create VPN connection.

Wait a moment while the new VPN connection state is Pending. When the state changes to Available, select the VPN connection then click on the Tunnel Details tab. You should see two tunnels, both with status Down. They are awaiting the connection to be made from the Twilio end.

Click Download Configuration at the top right of the page. Select the following values:

• Vendor: Juniper Networks, Inc.
• Platform: SRX Routers
• Software: JunOS 11.0+
  • Note This is the only value provided.
• IKE Version: ikev2

Click Download to save the configuration. Email it to Twilio, along with your completed VPN setup questionnaire.

You're now ready to continue with How to Set Up and Use a Super SIM VPN.