AWS Setup

Setup on AWS is described very well in the VPC User Guide. In short, you have to create a customer gateway, create a virtual private gateway, enable route propagation, and finally create the VPN connection. If your only intention is to connect one or more on-premises HSMs to the AWS VPC, you can rely on static routing and you do not need to enable inbound access in AWS. For static routing, enter the internal IP address or address prefix of your HSM(s) during VPN connection setup. To debug with the ping command, you might want to enable incoming ICMP in the VPC security group.
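
The four steps above can also be written as a CloudFormation template. This is an added example, not taken from the VPC User Guide or from the original page; the logical resource names, the ASN and all parameter defaults are constructed placeholders.

```yaml
# Added example: site-to-site VPN with static routing to on-premises HSMs.
Parameters:
  VpcId: {Type: "AWS::EC2::VPC::Id"}
  RouteTableId: {Type: String}                              # route table of the subnets that reach the HSM
  SecurityGroupId: {Type: "AWS::EC2::SecurityGroup::Id"}
  OnPremPublicIp: {Type: String, Default: "203.0.113.10"}   # placeholder public IP of the on-premises VPN device
  HsmCidr: {Type: String, Default: "10.20.0.5/32"}          # placeholder internal address of the HSM
Resources:
  CustomerGateway:
    Type: AWS::EC2::CustomerGateway
    Properties:
      Type: ipsec.1
      IpAddress: !Ref OnPremPublicIp
      BgpAsn: 65000                 # placeholder private ASN; BGP is not run with static routing
  VpnGateway:
    Type: AWS::EC2::VPNGateway
    Properties:
      Type: ipsec.1
  VpnGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VpcId
      VpnGatewayId: !Ref VpnGateway
  RoutePropagation:                 # lets the VPN route appear in the route table
    Type: AWS::EC2::VPNGatewayRoutePropagation
    DependsOn: VpnGatewayAttachment
    Properties:
      RouteTableIds: [!Ref RouteTableId]
      VpnGatewayId: !Ref VpnGateway
  VpnConnection:
    Type: AWS::EC2::VPNConnection
    Properties:
      Type: ipsec.1
      StaticRoutesOnly: true        # static routing instead of BGP
      CustomerGatewayId: !Ref CustomerGateway
      VpnGatewayId: !Ref VpnGateway
  HsmRoute:                         # the HSM address or prefix entered for static routing
    Type: AWS::EC2::VPNConnectionRoute
    Properties:
      VpnConnectionId: !Ref VpnConnection
      DestinationCidrBlock: !Ref HsmCidr
  DebugIcmp:                        # optional, for ping only; source limited to the HSM prefix
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: !Ref SecurityGroupId
      IpProtocol: icmp
      FromPort: -1
      ToPort: -1
      CidrIp: !Ref HsmCidr
```

The `DebugIcmp` resource is the only inbound rule in the template and can be deleted once connectivity is confirmed.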