As of version 1.1.6 it is easy to connect an Amazon VPC to a ZeroTier virtual network. These instructions are written for Amazon VPC and EC2, but they can be adapted to Azure, Google Compute, or any other cloud or VPS service that offers a private network with configurable routing.
This provides an easy way to implement a hybrid cloud, remotely access a VPC for development purposes, etc. and is generally both cheaper and more powerful than Amazon's dedicated tunneling and VPN services.
Basic Configuration Steps
This guide assumes that you've already created an Amazon VPC and you want to make it reachable from a ZeroTier virtual network and vice versa. You'll need version 1.1.6 or newer on all your nodes for this to work, or at least on those that need to reach the VPC.
It also assumes that your VPC's IP address range does not overlap with the one you use on your ZeroTier network. If it does, we recommend renumbering one or the other. If you can't do that you'll need to delve into advanced iptables usage to implement bidirectional NAT, which is fragile and outside the scope of this guide.
1. CREATE AN EC2 INSTANCE TO ACT AS A GATEWAY
ZeroTier doesn't require much CPU or memory. Unless you're planning on pushing a lot of data through it, a t2.nano instance is typically sufficient. You can use any Linux distribution; this guide assumes the CentOS-derived Amazon Linux AMI.
This instance should have a public IP address assigned to it and a security group that allows inbound UDP traffic on port 9993 at a minimum (security groups are stateful, so the replies are allowed automatically). We recommend allowing all inbound UDP, since ZeroTier can also bind to other ports. Allowing direct UDP lets peers connect to the gateway directly instead of relaying through ZeroTier's root servers, which greatly improves performance.
2. DISABLE SOURCE/DEST CHECK ON YOUR GATEWAY INSTANCE
In the console this is found under Actions -> Networking -> Change Source/Dest Check. This can also be done via the AWS API or command line tools.
By default EC2 drops any packet whose source or destination address is not one of the instance's own addresses. Your gateway will be forwarding packets to and from ZeroTier-side addresses that are not assigned to it in the VPC, so this check must be disabled on it.
3. ENABLE IPV4 IP FORWARDING ON YOUR GATEWAY INSTANCE
Edit /etc/sysctl.conf and set
net.ipv4.ip_forward = 1
so that forwarding survives a reboot. You will also want to enable it on the running instance right away:
sudo sysctl -w net.ipv4.ip_forward=1
On the default Amazon AMI, once forwarding is enabled the instance will forward traffic between any addresses. That's fine for testing, but for production we recommend iptables FORWARD rules that constrain forwarding to the designated VPC and ZeroTier address ranges, so a compromised host on either side can't use the gateway to reach anything else. Setting that up is beyond the scope of this guide, but there's a lot of material out there on how to do it.
4. INSTALL ZEROTIER ONE ON YOUR GATEWAY AND JOIN YOUR VIRTUAL NETWORK
On your gateway:
curl -s https://install.zerotier.com | sudo bash
sudo zerotier-cli join <your 16-digit network ID>
(If curl | bash makes you itch, see our download page for a GPG-verified option.)
Now go to ZeroTier Central (or your own controller's API) and authorize the gateway on your virtual network. Hit refresh until it gets an IP address (or assign it one if you're managing them manually) and then ping it to make sure it's working.
If you can ping your new VPC gateway from hosts on your ZeroTier virtual network, you are almost done!
5. TELL YOUR ZEROTIER NETWORK HOW TO REACH YOUR VPC
In ZeroTier Central (or via your own controller's API) add a route to your VPC's IP address range via your gateway's ZeroTier-side IP address (not its VPC-side IP).
Our VPC is 10.10.6.0/24, our ZeroTier network is 10.6.4.0/22, and our VPC gateway host is 10.6.6.115, so we added a route to 10.10.6.0/24 via 10.6.6.115.
It may take a minute or two for this route to become available on ZeroTier nodes.
6. TELL YOUR VPC HOW TO REACH YOUR ZEROTIER NETWORK
Devices in your VPC will now need a route to your ZeroTier network by way of your gateway instance. Get the Amazon instance ID of your gateway (ours is i-92f96a4f) and in your VPC configuration's "Route Tables" section edit your VPC's routing table(s) and add a route to your ZeroTier network's address range with this instance as the target.
For our test we added a route to
7. TEST IT!
On a host connected to your ZeroTier network, try pinging some internal IPs in your VPC, and vice versa. If everything above worked you should be able to do so. Try a traceroute and you should see a single intermediate hop via your gateway.
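The two gateway-side pieces the steps above leave to the reader, as an added example that is not part of the original guide or of ZeroTier's own tooling: a check that the two address ranges really don't overlap (the assumption stated in the introduction) and the iptables FORWARD rules recommended in step 3 that restrict forwarding to just the VPC and ZeroTier ranges. The ranges are the ones used in this guide. The ZeroTier interface name is an assumption; take the real one from the dev column of zerotier-cli listnetworks. The VPC-side interface is assumed to be eth0.

```sh
#!/bin/sh
# Added example: gateway-side checks and forwarding rules for the VPC <-> ZeroTier
# setup described above. Not ZeroTier's own tooling.
# Assumptions: ZeroTier interface name comes from `zerotier-cli listnetworks`,
# the VPC-side interface is eth0, ranges are the guide's (10.6.4.0/22, 10.10.6.0/24).

# ip_to_int A.B.C.D -> the address as a single integer
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_overlap A/n B/m: succeed (exit 0) if the two ranges overlap, fail otherwise.
# The shorter prefix decides: if both networks agree on that many leading bits,
# one of them contains (part of) the other.
cidr_overlap() {
    a_ip=${1%/*}; a_len=${1#*/}
    b_ip=${2%/*}; b_len=${2#*/}
    len=$a_len
    if [ "$b_len" -lt "$len" ]; then len=$b_len; fi
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    a=$(ip_to_int "$a_ip")
    b=$(ip_to_int "$b_ip")
    [ $(( a & mask )) -eq $(( b & mask )) ]
}

# gen_forward_rules ZT_NET VPC_NET ZT_IF VPC_IF
# Print iptables rules that forward only between the two ranges, on the expected
# interfaces, instead of the "forward anything" behaviour ip_forward=1 gives by
# default. Everything else that hits the FORWARD chain is rate-limit logged and dropped.
gen_forward_rules() {
    zt_net=$1; vpc_net=$2; zt_if=$3; vpc_if=$4
    cat <<EOF
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $zt_if -o $vpc_if -s $zt_net -d $vpc_net -j ACCEPT
iptables -A FORWARD -i $vpc_if -o $zt_if -s $vpc_net -d $zt_net -j ACCEPT
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "zt-gw-drop: "
EOF
}

# Usage on the gateway, as root:
#   sh zt-gw.sh apply 10.6.4.0/22 10.10.6.0/24 <zt-interface> eth0
if [ "${1:-}" = "apply" ]; then
    shift
    if cidr_overlap "$1" "$2"; then
        echo "error: $1 and $2 overlap; renumber one of them before bridging" >&2
        exit 1
    fi
    # persistent + immediate forwarding, as in step 3
    printf 'net.ipv4.ip_forward = 1\n' > /etc/sysctl.d/99-zt-gateway.conf
    sysctl -w net.ipv4.ip_forward=1
    gen_forward_rules "$1" "$2" "$3" "$4" | sh -e
fi
```

The iptables rules are not persisted by this script; save them with the distribution's iptables-save mechanism so they come back after a reboot. The same source/dest-check and route-table changes from steps 2 and 6 can be scripted with aws ec2 modify-instance-attribute --no-source-dest-check and aws ec2 create-route if you want the whole gateway build automated.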
Redundancy and Fail-Over
Since a node's ZeroTier address is derived from its identity rather than from where it runs, it would not be terribly hard to back up your gateway's configuration and identity.secret file and re-provision a replacement with the same ZeroTier address if the gateway goes down; the routes on both sides would then keep working unchanged. Treat identity.secret as a private key, since anyone holding it can impersonate the gateway on your network. Automating this is beyond the scope of this guide, but there are many AWS management suites out there that can help.