Connecting to your remote network with AWS Site-to-Site VPN
AWS Site-to-Site VPN Overview
AWS Site-to-Site VPN creates a secure connection between an on-premises customer gateway and an AWS virtual private gateway (or transit gateway), giving the on-premises network access to the VPC.
Key Features
- Creates two encrypted IPsec VPN tunnels for each connection, across multiple Availability Zones
- Uses Internet Protocol Security (IPsec) to build the encrypted virtual private network tunnels
- VPN tunnel: an encrypted link over which data passes between the customer network and AWS across the public internet
- Can be set up relatively quickly and is typically available within hours
- Billed for each VPN connection-hour that the connection is provisioned and available
Connection Components
- Customer gateway: the on-premises side of the connection
- Virtual private gateway: the AWS side of the connection
- Alternative: create the Site-to-Site VPN connection as an attachment on a transit gateway
High Availability
A Site-to-Site VPN connection provides two VPN tunnels across multiple Availability Zones that can be used simultaneously:
- Send primary traffic through the first tunnel
- Use the second tunnel for redundancy
- If one tunnel goes down, traffic is still delivered to the VPC
Creating Site-to-Site VPN Connection
1. Create the customer gateway
   - Represents the customer gateway device in the on-premises network
   - The device can be a physical appliance or a software application
   - Assign the device's Border Gateway Protocol (BGP) Autonomous System Number (ASN) if the device supports BGP
2. Create the virtual private gateway
   - Specify a custom private BGP ASN or use the Amazon default ASN
   - The ASN must be different from the customer gateway ASN
   - Alternative: use a Transit Gateway instead of a virtual private gateway
3. Configure routing
   - Configure the VPC route table to include routes for the VPN connection pointing to the virtual private gateway
   - Route propagation can be enabled so that Site-to-Site VPN routes are added to the route table automatically
   - Each VPN tunnel is routed to a different Availability Zone for high availability
4. Update security groups
   - Allow SSH, RDP, ICMP, or whatever other protocols are needed from the on-premises network
5. Create the Site-to-Site VPN connection
   - Comprises the customer gateway, the virtual private gateway, and the VPN connection
   - Two tunnels connect to separate Availability Zones
   - Uses internet connectivity, so availability is not guaranteed
6. Download the configuration file
   - Use it to configure the customer gateway device
   - AWS provides the required connection and tunnel configuration information
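The six steps above as a single Terraform configuration, added here as an example (it is not code from the page or from AWS). The on-premises public IP, both ASNs, the on-premises CIDR and the vpc_id / route_table_id / security_group_id variables are constructed placeholders.

```hcl
# Constructed inputs (assumptions): an existing VPC, its route table and a
# security group for the instances that on-premises hosts should reach.
variable "vpc_id"            { type = string }
variable "route_table_id"    { type = string }
variable "security_group_id" { type = string }

# Step 1: customer gateway = the on-premises device (BGP-capable here)
resource "aws_customer_gateway" "onprem" {
  bgp_asn    = 65000            # on-premises ASN, must differ from the Amazon side
  ip_address = "203.0.113.10"   # placeholder public IP of the device
  type       = "ipsec.1"
}

# Step 2: virtual private gateway with a custom Amazon-side ASN
resource "aws_vpn_gateway" "vgw" {
  vpc_id          = var.vpc_id
  amazon_side_asn = "64512"
}

# Step 5: the VPN connection itself; AWS builds the two tunnels for it
resource "aws_vpn_connection" "main" {
  customer_gateway_id = aws_customer_gateway.onprem.id
  vpn_gateway_id      = aws_vpn_gateway.vgw.id
  type                = "ipsec.1"
  static_routes_only  = false   # dynamic (BGP) routing
}

# Step 3: propagate BGP-learned VPN routes into the VPC route table
resource "aws_vpn_gateway_route_propagation" "vpn" {
  vpn_gateway_id = aws_vpn_gateway.vgw.id
  route_table_id = var.route_table_id
}

# Step 4: allow SSH only from the on-premises prefix, not from 0.0.0.0/0
resource "aws_security_group_rule" "ssh_from_onprem" {
  type              = "ingress"
  from_port         = 22
  to_port           = 22
  protocol          = "tcp"
  cidr_blocks       = ["10.10.0.0/16"]   # placeholder on-premises CIDR
  security_group_id = var.security_group_id
}

# Step 6: the device configuration file is exposed as an attribute; it
# contains the tunnel pre-shared keys, so it is marked sensitive.
output "customer_gateway_configuration" {
  value     = aws_vpn_connection.main.customer_gateway_configuration
  sensitive = true
}
```

Retrieve the configuration with `terraform output -raw customer_gateway_configuration` and keep it out of version control, since it carries the tunnel secrets.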
Routing Options
- Dynamic routing: use if the device supports BGP
  - Uses BGP to advertise routes to the virtual private gateway
  - Recommended: BGP offers robust health checks that assist failover
- Static routing: use if the device does not support BGP
  - Requires specifying the routes (IP prefixes) for the networks that communicate with the virtual private gateway
AWS VPN CloudHub
For multiple on-premises network environments that require connectivity to each other, use AWS VPN CloudHub for centralized hub connectivity.
Architecture
- Simple hub-and-spoke model that can be used with or without the Amazon VPC service
- Uses one virtual private gateway with multiple customer gateways
- Each customer gateway uses a unique BGP ASN
- Customer gateways advertise the appropriate routes over their VPN connections
- Routing advertisements are received and re-advertised to each BGP peer
Use Case
Large corporate organizations with multiple on-premises networks at different physical locations that need primary or backup connectivity between environments.
Accelerating Site-to-Site VPN Connections
Because traffic over the public internet can suffer network disruptions, use AWS Global Accelerator to accelerate the Site-to-Site VPN connection.
How Acceleration Works
- An accelerated VPN connection uses Global Accelerator to route traffic from the on-premises network to the AWS edge location closest to the customer gateway device
- From the edge location, traffic uses the AWS backbone network to reach the transit gateway efficiently
- Provides better response times
Architecture Flow
On-premises network → VPN connection → Global Accelerator → Transit Gateway (via transit gateway VPN attachment) → VPC (via Transit Gateway VPC attachment)
Isolating VPCs with Transit Gateway
Configure the transit gateway as multiple isolated routers so that on-premises has full access to the VPCs while the VPCs stay isolated from each other.
Multiple Route Table Configuration
- Create multiple route tables for one transit gateway
- Each transit gateway attachment is associated with a specific route table
- Attachments in one isolated route table can route to each other but cannot route to attachments in another isolated route table
Example Isolation Setup
- Transit gateway VPN route table: associated with the transit gateway VPN attachment
- Transit gateway VPC route table: associated with the transit gateway VPC attachments
- VPC-to-VPC traffic is blocked because no route to another VPC exists in the transit gateway VPC route table
- On-premises to VPC traffic flows normally through the appropriate route tables
This architecture provides flexibility for cases where routes and attachments change over time while maintaining security isolation between VPCs.
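The isolation setup above expressed as Terraform transit gateway route tables, added here as an example rather than taken from the page. It assumes an existing transit gateway whose default route table association and propagation are disabled, with the VPN attachment id and the VPC attachment ids supplied as variables.

```hcl
# Assumed inputs: a transit gateway created with
# default_route_table_association/propagation = "disable", so only the
# explicit tables below decide which attachments can reach each other.
variable "transit_gateway_id" { type = string }
variable "vpn_attachment_id"  { type = string }
variable "vpc_attachment_ids" { type = list(string) }

# Two isolated "routers" inside one transit gateway
resource "aws_ec2_transit_gateway_route_table" "vpn" {
  transit_gateway_id = var.transit_gateway_id
}

resource "aws_ec2_transit_gateway_route_table" "vpc" {
  transit_gateway_id = var.transit_gateway_id
}

# The VPN attachment is associated with the VPN route table ...
resource "aws_ec2_transit_gateway_route_table_association" "vpn" {
  transit_gateway_attachment_id  = var.vpn_attachment_id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.vpn.id
}

# ... and every VPC attachment with the shared VPC route table.
resource "aws_ec2_transit_gateway_route_table_association" "vpc" {
  for_each                       = toset(var.vpc_attachment_ids)
  transit_gateway_attachment_id  = each.value
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.vpc.id
}

# VPC CIDRs are propagated only into the VPN route table, so traffic
# arriving from on-premises can reach every VPC ...
resource "aws_ec2_transit_gateway_route_table_propagation" "vpc_to_vpn" {
  for_each                       = toset(var.vpc_attachment_ids)
  transit_gateway_attachment_id  = each.value
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.vpn.id
}

# ... while the VPC route table learns only the on-premises prefixes
# (BGP routes from the VPN attachment). Because no VPC CIDR is ever
# propagated into this table, a packet from one VPC to another has no
# route and is dropped at the transit gateway.
resource "aws_ec2_transit_gateway_route_table_propagation" "vpn_to_vpc" {
  transit_gateway_attachment_id  = var.vpn_attachment_id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.vpc.id
}
```

To verify the isolation after apply, search the VPC route table for a VPC CIDR (`aws ec2 search-transit-gateway-routes` with a `route-search.exact-match` filter): the expected result is no matching route.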
Site-to-Site VPN provides secure, encrypted connectivity between on-premises environments and AWS over internet-based tunnels, with options for acceleration and advanced routing configurations to meet a range of enterprise networking requirements.