Site-to-Site VPN Setup
Information for your IT team
What We're Setting Up
An AWS Site-to-Site VPN connection — an encrypted IPsec tunnel between your router/firewall and our AWS environment. This gives our cloud-hosted Niagara supervisor direct, secure access to your BAS/Jace devices without exposing them to the public internet.
AWS creates two redundant tunnels for high availability. Your router only needs to terminate one, but both are available for failover.
What We Need From You
| Item | Details |
|---|---|
| Router/firewall public IP | The static public IP of the device that will terminate the VPN tunnel |
| Router/firewall vendor & model | e.g., Cisco ASA, Palo Alto, Fortinet, Juniper — AWS generates a config file for your specific device |
| BAS/Jace device subnet (CIDR) | The IP range where your Jace/BAS devices live (e.g., 10.80.252.64/27) |
| Confirmation: no use of 172.16.2.0/23 | Our cloud infrastructure uses 172.16.2.0/23 internally — please confirm your network does not use anything in this range to avoid routing conflicts |
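The "no overlap" confirmation above is easy to check mechanically before anything is configured. The script below is an added example (not part of this handout and not a tool we ship): it takes the customer's address ranges as plain CIDR strings and reports any that collide with the VPC CIDR stated above, using only the Python standard library. The VPC range is the real one from this page; the customer ranges in the sample run are constructed.

```python
"""Overlap check for the address ranges exchanged during VPN setup.

Added example (not part of the original handout). Uses only the standard
library. The VPC CIDR 172.16.2.0/23 is the one stated on the page; the
customer subnets in the sample run are constructed inputs.
"""
import ipaddress

# Cloud-side range from the handout; the customer's route for it points into the tunnel.
VPC_CIDR = ipaddress.ip_network("172.16.2.0/23")


def conflicting_ranges(customer_ranges, vpc=VPC_CIDR):
    """Return the customer ranges (normalised CIDR strings) that overlap the VPC CIDR.

    ip_network.overlaps() is symmetric, so a customer range that sits inside the
    VPC range, contains it, or is exactly equal to it is reported either way.
    """
    conflicts = []
    for text in customer_ranges:
        # strict=False accepts a host address with a mask, e.g. "10.80.252.70/27",
        # and normalises it to its network address.
        net = ipaddress.ip_network(text.strip(), strict=False)
        if net.version != vpc.version:
            continue  # an IPv6 range cannot collide with an IPv4 VPC CIDR
        if net.overlaps(vpc):
            conflicts.append(str(net))
    return conflicts


def overlap_report(customer_ranges, vpc=VPC_CIDR):
    """One-line summary suitable for replying to the IT team."""
    conflicts = conflicting_ranges(customer_ranges, vpc)
    if not conflicts:
        return f"OK: no customer range overlaps {vpc}"
    return (f"CONFLICT: {', '.join(conflicts)} overlap {vpc}; "
            "re-address or NAT these ranges before the VPN is built")


if __name__ == "__main__":
    # Constructed sample: the handout's example BAS subnet plus two ranges
    # that would collide with the VPC CIDR (one inside it, one containing it).
    sample = ["10.80.252.64/27", "172.16.3.0/24", "172.16.0.0/20"]
    print(overlap_report(sample))
```

Run it with every internal range the site uses, not just the BAS subnet: a collision anywhere on the customer network (a guest VLAN, a management range) still causes the routing conflict the table warns about, because the customer router will have two routes for the same prefix.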
What We Provide to You
Once we have the above, we'll send you:
- A downloadable VPN configuration file specific to your router vendor
- Our VPC CIDR (172.16.2.0/23) — your router will need a route for this range pointing into the VPN tunnel
- Two tunnel endpoint IPs (AWS side) for redundancy
What Your IT Team Configures
- Apply the VPN configuration to your router/firewall
- Add a route: 172.16.2.0/23 → VPN tunnel
- Allow the following ports through the tunnel in your firewall:
| Port | Protocol | Purpose |
|---|---|---|
| 80 | TCP | HTTP (Jace web interface) |
| 443 | TCP | HTTPS |
| 1911 | TCP | Niagara Fox protocol |
| 3011 | TCP | Niagara workbench |
| 4911 | TCP | Niagara Fox (secure) |
| 5011 | TCP | Niagara platform |
| ICMP | — | Ping (connectivity testing) |
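The port table is the complete list of what the tunnel needs; a firewall policy that allows less will break Niagara access, and one that allows much more (any source, any port) defeats the point of keeping the Jace devices off the public internet. The script below is an added example, not part of this handout and not in any vendor's rule syntax: it audits a proposed rule set against the table, reporting required services no rule permits and rules that are broader than the tunnel requires. The VPC CIDR is the one from this page; the `Rule` format, the sample BAS subnet and the sample policies are constructed for illustration.

```python
"""Audit a proposed firewall policy against the port table in the handout.

Added example (not part of the original handout). The Rule format and the
sample policies are constructed; required services come from the table above.
"""
import ipaddress
from dataclasses import dataclass

VPC_CIDR = ipaddress.ip_network("172.16.2.0/23")  # stated on the page

# (protocol, port) -> purpose, straight from the handout's table. ICMP has no port.
REQUIRED = {
    ("tcp", 80): "HTTP (Jace web interface)",
    ("tcp", 443): "HTTPS",
    ("tcp", 1911): "Niagara Fox protocol",
    ("tcp", 3011): "Niagara workbench",
    ("tcp", 4911): "Niagara Fox (secure)",
    ("tcp", 5011): "Niagara platform",
    ("icmp", None): "Ping (connectivity testing)",
}


@dataclass(frozen=True)
class Rule:
    """Constructed vendor-neutral allow rule (hypothetical format)."""
    src: str      # CIDR the traffic may come from
    dst: str      # CIDR the traffic may go to
    proto: str    # "tcp", "udp", "icmp" or "any"
    ports: tuple  # destination ports; () means every port (or no port, for icmp)


def _covers(rule_cidr, net):
    rule_net = ipaddress.ip_network(rule_cidr)
    return net.version == rule_net.version and net.subnet_of(rule_net)


def rule_permits(rule, src_net, dst_net, proto, port):
    """True if this single rule allows proto/port from src_net to dst_net."""
    if not (_covers(rule.src, src_net) and _covers(rule.dst, dst_net)):
        return False
    if rule.proto not in ("any", proto):
        return False
    if rule.ports and port not in rule.ports:
        return False
    return True


def service_allowed(rules, bas_cidr, proto, port, vpc=VPC_CIDR):
    bas = ipaddress.ip_network(bas_cidr)
    return any(rule_permits(r, vpc, bas, proto, port) for r in rules)


def audit_policy(rules, bas_cidr, vpc=VPC_CIDR):
    """Return (missing, overbroad).

    missing:   required services that no rule permits from the VPC to the BAS subnet
    overbroad: (rule, reason) pairs for rules that allow far more than the tunnel needs
    """
    missing = [
        f"{proto}/{port if port is not None else '-'} ({desc})"
        for (proto, port), desc in REQUIRED.items()
        if not service_allowed(rules, bas_cidr, proto, port, vpc)
    ]
    overbroad = []
    for r in rules:
        reasons = []
        if ipaddress.ip_network(r.src).prefixlen == 0:
            reasons.append("source is any")
        if r.proto == "any" or (r.proto in ("tcp", "udp") and not r.ports):
            reasons.append("all ports/protocols")
        if reasons:
            overbroad.append((r, "; ".join(reasons)))
    return missing, overbroad


# Constructed sample policies for the handout's example subnet 10.80.252.64/27.
BAS = "10.80.252.64/27"
TIGHT_POLICY = [
    Rule("172.16.2.0/23", BAS, "tcp", (80, 443, 1911, 4911)),  # forgets 3011 and 5011
    Rule("172.16.2.0/23", BAS, "icmp", ()),
]
LOOSE_POLICY = TIGHT_POLICY + [
    Rule("0.0.0.0/0", BAS, "tcp", ()),  # "fixes" the gap by opening everything
]

if __name__ == "__main__":
    for name, policy in (("tight", TIGHT_POLICY), ("loose", LOOSE_POLICY)):
        missing, overbroad = audit_policy(policy, BAS)
        print(f"{name}: missing={missing}")
        for rule, why in overbroad:
            print(f"{name}: overbroad rule {rule} ({why})")
```

The two sample policies show the two failure modes worth catching: the first one silently lacks the workbench and platform ports, and the second one closes that gap with an any-source, all-ports rule, which the audit flags even though every required service is now reachable. The correct fix is a single rule whose source is the VPC CIDR, whose destination is the BAS subnet, and whose port list is exactly the table.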
Questions?
Contact us at any time. Once we receive the information above, setup typically takes less than a day on our side. The remaining work is applying the config on your router.