VPN

Introduction

  • A VPN connects an on-premise network to a VPC. It is not used for VPC-to-VPC connectivity.

Site to Site VPN (AWS managed VPN)

  • On-premise

    • Set up a software or hardware VPN appliance in the on-premise network

    • The on-premise VPN appliance must be reachable on a public IP

  • AWS side

    • Set up a Virtual Private Gateway (VGW), not an IGW, and attach it to the VPC (one VPC can have at most one VGW attached)

    • Set up a Customer Gateway (CGW) that points to the on-premise VPN appliance

  • Each Site to Site VPN connection comes with 2 tunnels for redundancy, both encrypted with IPsec

  • Can add another Site to Site VPN with a different Customer Gateway to the same VGW for HA

  • Can optionally accelerate it with Global Accelerator (for worldwide networks)


Route Propagation in Site-to-site VPN

  • Routing Options:

    • Static Routing:

      • Create a static route in the corporate data center for 10.0.0.1/24 through the CGW

      • Create a static route in AWS for 10.3.0.0/20 through the VGW

    • Dynamic Routing (BGP):

      • Like a GPS navigator: the best route is determined by different factors, such as traffic congestion or roads temporarily closed for maintenance. The path is calculated dynamically depending on the state of the network nodes.

      • Uses BGP (Border Gateway Protocol) to share routes automatically (eBGP across the internet)

      • No need to update routing tables by hand

      • Just need to specify the ASN (Autonomous System Number) of the CGW and the VGW

      • Optional for VPN, but required for Direct Connect
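The Site to Site VPN setup and the static routing option above, as an added Terraform example (not from the original notes). It assumes the VPC CIDR is 10.0.0.0/24 (the notes' 10.0.0.1/24 route), the corporate data center uses 10.3.0.0/20, and 203.0.113.10 is a placeholder for the on-premise appliance's public IP.

```hcl
# Added example: Site-to-Site VPN with static routing (VGW + CGW + 2 IPsec tunnels).
# Assumptions: VPC CIDR 10.0.0.0/24, on-premise CIDR 10.3.0.0/20,
# on-premise appliance public IP 203.0.113.10 (placeholder), ASN 65000 (placeholder).

variable "vpc_id"         { type = string }
variable "route_table_id" { type = string } # VPC route table that should learn on-prem routes

# AWS side: a Virtual Private Gateway (not an Internet Gateway), attached to the VPC.
resource "aws_vpn_gateway" "vgw" {
  vpc_id = var.vpc_id
  tags   = { Name = "corp-vgw" }
}

# AWS side: a Customer Gateway pointing at the on-premise appliance's public IP.
# bgp_asn is required by the resource even when routing is static.
resource "aws_customer_gateway" "cgw" {
  bgp_asn    = 65000
  ip_address = "203.0.113.10"
  type       = "ipsec.1"
}

# One Site-to-Site VPN connection: AWS provisions two IPsec tunnels for redundancy.
resource "aws_vpn_connection" "s2s" {
  vpn_gateway_id      = aws_vpn_gateway.vgw.id
  customer_gateway_id = aws_customer_gateway.cgw.id
  type                = "ipsec.1"
  static_routes_only  = true # static routing; set false and rely on ASNs for BGP
}

# Static route option: the corporate data center (10.3.0.0/20) is reachable via the VGW.
resource "aws_vpn_connection_route" "to_corp" {
  destination_cidr_block = "10.3.0.0/20"
  vpn_connection_id      = aws_vpn_connection.s2s.id
}

# Propagate VGW routes into the VPC route table so subnets reach 10.3.0.0/20
# without maintaining the route entry by hand.
resource "aws_vpn_gateway_route_propagation" "corp" {
  vpn_gateway_id = aws_vpn_gateway.vgw.id
  route_table_id = var.route_table_id
}

# Tunnel endpoints to configure on the on-premise appliance; the data center
# side still needs its own static route for the VPC CIDR (10.0.0.0/24) via the CGW.
output "tunnel_endpoints" {
  value = [aws_vpn_connection.s2s.tunnel1_address, aws_vpn_connection.s2s.tunnel2_address]
}
```

The tunnel pre-shared keys are exposed as sensitive attributes of the connection resource and end up in Terraform state, so the state backend needs the same protection as any other secret store.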

Site to Site VPN and Internet access

  • Figure: Site to Site internet access through a NAT Gateway / NAT Instance in the VPC

  • Figure: Site to Site internet access through an on-premise NAT

AWS VPN CloudHub

  • Usage:

    • Can connect up to 10 Customer Gateways for each Virtual Private Gateway (VGW)

    • Low cost hub-and-spoke model for connectivity between locations

  • Can be a failover connection between locations.


AWS Client VPN

  • Connect from your computer using OpenVPN to your private network in AWS and on-premise

Non-AWS Software VPN

  • Can set up your own software VPN, but you have to manage everything yourself, including bandwidth, redundancy, etc.


VPN to multiple VPC

  • For VPN-based customers, AWS recommends creating a separate VPN connection for each customer VPC.

  • Direct Connect is the recommended option for connecting to multiple VPCs
