VPC VPN Connections
- VPC VPN connections are used to extend on-premises data centers to AWS
- VPC VPN connections provide secure IPsec connections from on-premises computers/services to AWS
- AWS hardware VPN
- Connectivity can be established by creating an IPsec hardware VPN connection between the VPC and the remote network.
- On the AWS side of the VPN connection, a Virtual Private Gateway (VGW) provides two VPN endpoints for automatic failover.
- On the customer side, a customer gateway (CGW) must be configured; this is the physical device or software application on the remote side of the VPN connection.
- AWS Direct Connect
- AWS Direct Connect provides a dedicated private connection from a remote network to your VPC.
- Direct Connect can be combined with an AWS hardware VPN connection to create an IPsec-encrypted connection
- AWS VPN CloudHub
- For more than one remote network, for example multiple branch offices, multiple AWS hardware VPN connections can be created via the VPC to enable communication between these networks
- Software VPN
- A VPN connection can be set up by running a software VPN appliance, such as OpenVPN, on an EC2 instance in the VPC
- AWS does not provide or maintain software VPN appliances; however, there is a range of products provided by partners and open source communities
Hardware VPN Connection
VPN Components
- Virtual Private Gateway - VGW
- A virtual private gateway is the VPN concentrator on the AWS side of the VPN connection
- Customer Gateway - CGW
- A customer gateway is a physical device or software application on the customer side of the VPN connection.
- When a VPN connection is created, the VPN tunnel comes up when traffic is generated from the remote side of the VPN connection.
- The VGW is not the initiator; the CGW must initiate the tunnels
- If the VPN connection experiences a period of idle time, usually 10 seconds, depending on the configuration, the tunnel may go down. To prevent this, use a network monitoring tool to generate keepalive pings, for example by using IP SLA.
VPN Configuration
- The VPC has an attached virtual private gateway, and the remote network includes a customer gateway, which must be configured to enable the VPN connection.
- Routing must be set up so that any traffic from the VPC bound for the remote network is routed to the virtual private gateway.
- Each VPN connection has two tunnels associated with it that can be configured on the customer router, so that a single tunnel is not a single point of failure
- Multiple VPN connections to a single VPC can be created, and a second CGW can be configured to create a redundant connection to the same external location or to create VPN connections to multiple geographic locations.
VPN Routing Options
- For a VPN connection, the route table for the subnets should be updated with the type of routing (static or dynamic) that you plan to use.
- Route tables determine where network traffic is directed. Traffic destined for the VPN connections must be routed to the virtual private gateway.
- Type of routing can depend on the make and model of your VPN devices.
- Static Routing
- If your device does not support BGP, specify static routing.
- Using static routing, the routes (IP prefixes) that should be communicated to the virtual private gateway are specified manually.
- Devices that don't support BGP may also perform health checks to assist failover to the second tunnel when needed.
- BGP dynamic routing
- If the VPN device supports Border Gateway Protocol (BGP), specify dynamic routing with the VPN connection.
- When using a BGP device, static routes need not be specified to the VPN connection because the device uses BGP for auto discovery and to advertise its routes to the virtual private gateway.
- BGP-capable devices are recommended as the BGP protocol offers robust liveness detection checks that can assist failover to the second VPN tunnel if the first tunnel goes down.
- Static Routing
- Only IP prefixes known to the virtual private gateway, either through BGP advertisement or static route entry, can receive traffic from your VPC.
- Virtual private gateway does not route any other traffic destined outside of the advertised BGP, static route entries, or its attached VPC CIDR.
VPN Connection Redundancy
- A VPN connection is used to connect the customer network to a VPC.
- Each VPN connection has two tunnels to help ensure connectivity in case one of the VPN connections becomes unavailable, with each tunnel using a unique virtual private gateway public IP address.
- Both tunnels should be configured for redundancy.
- When one tunnel becomes unavailable, for example down for maintenance, network traffic is automatically routed to the available tunnel for that specific VPN connection.
- To protect against a loss of connectivity in case the customer gateway becomes unavailable, a second VPN connection can be set up to the VPC and virtual private gateway by using a second customer gateway.
- Customer gateway IP address for the second VPN connection must be publicly accessible.
- By using redundant VPN connections and CGWs, maintenance on one of the customer gateways can be performed while traffic continues to flow over the second customer gateway's VPN connection.
- Dynamically routed VPN connections using the Border Gateway Protocol (BGP) are recommended, if available, to exchange routing information between the customer gateways and the virtual private gateways.
- Statically routed VPN connections require static routes for the network to be entered on the customer gateway side.
- BGP-advertised and statically entered route information allow gateways on both sides to determine which tunnels are available and reroute traffic if a failure occurs.
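The tunnel and routing behaviour described in the notes above (the CGW, not the VGW, brings a tunnel up; an idle tunnel may drop; only prefixes the VGW knows via the VPC CIDR, static entries or BGP advertisements are routable; traffic moves to the second tunnel when the first is unavailable) can be modelled in a few dozen lines. The following is an added illustration, not AWS code or an AWS API: the tunnel names, the 203.0.113.x gateway addresses and all prefixes are constructed sample values, and the idle timeout is a simplification of the real IKE/DPD behaviour.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Idle period after which a tunnel may be torn down (the notes quote about 10 seconds;
# the real value depends on the customer gateway configuration). Constructed simplification.
IDLE_TIMEOUT_S = 10


@dataclass
class Tunnel:
    """One of the two tunnels of a VPN connection; each ends on a distinct VGW public IP."""
    name: str
    vgw_public_ip: str                                   # constructed sample value
    bgp_prefixes: Set[str] = field(default_factory=set)  # prefixes the CGW advertised over this tunnel
    last_traffic_at: Optional[float] = None              # None: the CGW has never initiated this tunnel

    def receive_traffic(self, now: float) -> None:
        """Traffic or a keepalive ping from the customer side brings the tunnel up and keeps it up."""
        self.last_traffic_at = now

    def is_up(self, now: float) -> bool:
        # The VGW never initiates: a tunnel is up only if the CGW brought it up and it has not gone idle.
        return self.last_traffic_at is not None and (now - self.last_traffic_at) <= IDLE_TIMEOUT_S


@dataclass
class VirtualPrivateGateway:
    vpc_cidr: str
    static_routes: Set[str] = field(default_factory=set)  # prefixes entered statically for the connection
    tunnels: List[Tunnel] = field(default_factory=list)

    def route(self, dest_ip: str, now: float) -> Optional[str]:
        """Return 'vpc', the name of the tunnel that carries traffic to dest_ip, or None if it is dropped.

        Only prefixes the VGW knows (attached VPC CIDR, static entries, BGP advertisements) are
        routable; among the tunnels that are up, the most specific matching prefix wins.
        """
        dest = ipaddress.ip_address(dest_ip)
        if dest in ipaddress.ip_network(self.vpc_cidr):
            return "vpc"
        best_len, best_tunnel = -1, None
        for tunnel in self.tunnels:
            if not tunnel.is_up(now):
                continue  # failed or idle tunnel: fall through to the other one
            for prefix in self.static_routes | tunnel.bgp_prefixes:
                net = ipaddress.ip_network(prefix)
                if dest in net and net.prefixlen > best_len:
                    best_len, best_tunnel = net.prefixlen, tunnel.name
        return best_tunnel


def build_sample_vgw() -> VirtualPrivateGateway:
    """Constructed sample: one VPC, one VPN connection with two tunnels, static plus BGP routes."""
    return VirtualPrivateGateway(
        vpc_cidr="10.0.0.0/16",
        static_routes={"192.168.0.0/16"},
        tunnels=[
            Tunnel("tunnel1", "203.0.113.10", bgp_prefixes={"172.16.0.0/12"}),
            Tunnel("tunnel2", "203.0.113.20", bgp_prefixes={"172.16.0.0/12"}),
        ],
    )


if __name__ == "__main__":
    vgw = build_sample_vgw()
    t1, t2 = vgw.tunnels
    print("before the CGW initiates:", vgw.route("172.16.5.5", now=0))   # None: nothing is up yet
    t1.receive_traffic(0)
    t2.receive_traffic(0)
    for dest in ("10.0.1.5", "172.16.5.5", "192.168.9.9", "8.8.8.8"):
        print(dest, "->", vgw.route(dest, now=1))    # vpc, tunnel1, tunnel1, None (no known prefix)
    t2.receive_traffic(8)                            # keepalives continue only on tunnel2
    print("t=12:", vgw.route("172.16.5.5", now=12))  # tunnel2: tunnel1 went idle
    print("t=30:", vgw.route("172.16.5.5", now=30))  # None: both tunnels idle
```

The last two lines are the point of the keepalive advice above: with pings on tunnel2 only, traffic fails over to it once tunnel1 idles out, and with no pings at all the connection drops even though nothing has failed.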
VPN CloudHub
- VPN CloudHub can be used to provide secure communication between sites, if you have multiple VPN connections
- VPN CloudHub operates on a simple hub-and-spoke model that can be used with or without a VPC.
- The design is suitable for customers with multiple branch offices and existing Internet connections who'd like to implement a convenient, potentially low-cost hub-and-spoke model for primary or backup connectivity between these remote offices
- [Figure: VPN CloudHub architecture; blue dashed lines indicate network traffic between remote sites being routed over their VPN connections.]
- AWS VPN CloudHub requires a virtual private gateway with multiple customer gateways.
- Each customer gateway must use a unique Border Gateway Protocol (BGP) Autonomous System Number (ASN)
- Customer gateways advertise the appropriate routes (BGP prefixes) over their VPN connections.
- Routing advertisements are received and re-advertised to each BGP peer, enabling each site to send data to and receive data from the other sites.
- Routes for each spoke must have unique ASNs and the sites must not have overlapping IP ranges.
- Each site can also send and receive data from the VPC as if they were using a standard VPN connection.
- Sites that use AWS Direct Connect connections to the virtual private gateway can also be part of the AWS VPN CloudHub.
- To configure the AWS VPN CloudHub:
- Create multiple customer gateways, each with the unique public IP address of the gateway and its ASN.
- Create a VPN connection from each customer gateway to a common virtual private gateway.
- Each VPN connection must advertise its site-specific BGP routes. This is done using the network statements in the VPN configuration files for the VPN connection.
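The CloudHub constraints listed above (a unique ASN and a unique, publicly reachable address per customer gateway; no overlapping IP ranges between sites or with the VPC; the hub re-advertising each site's prefixes to every other site) are easy to check before a spoke is added. The following is an added example, not AWS tooling: `Spoke`, `validate_cloudhub` and `hub_advertisements` are hypothetical names, the site names, ASNs, 203.0.113.x addresses and prefixes are constructed sample values, and the list of non-public ranges is a deliberately short one so that the RFC 5737 documentation addresses in the sample pass the check.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Ranges a customer gateway address must not fall in: RFC 1918, loopback, link-local, shared CGNAT space.
# Constructed list: the RFC 5737 documentation addresses used in the sample are deliberately allowed.
NON_PUBLIC_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
)]


@dataclass(frozen=True)
class Spoke:
    """One remote site: its customer gateway, BGP ASN and the prefixes it advertises to the hub."""
    name: str
    cgw_public_ip: str
    bgp_asn: int
    prefixes: Tuple[str, ...]


def validate_cloudhub(vpc_cidr: str, spokes: List[Spoke]) -> List[str]:
    """Return a list of findings; an empty list means the spoke set satisfies the CloudHub rules."""
    findings: List[str] = []
    asn_owner: Dict[int, str] = {}
    ip_owner: Dict[str, str] = {}
    claimed = [("VPC", ipaddress.ip_network(vpc_cidr))]  # (owner, network) pairs seen so far
    for spoke in spokes:
        # Each customer gateway needs a unique BGP ASN ...
        if spoke.bgp_asn in asn_owner:
            findings.append(f"{spoke.name}: ASN {spoke.bgp_asn} is already used by {asn_owner[spoke.bgp_asn]}")
        asn_owner.setdefault(spoke.bgp_asn, spoke.name)
        # ... and a unique, publicly reachable gateway address.
        if spoke.cgw_public_ip in ip_owner:
            findings.append(f"{spoke.name}: gateway address {spoke.cgw_public_ip} is already used by "
                            f"{ip_owner[spoke.cgw_public_ip]}")
        ip_owner.setdefault(spoke.cgw_public_ip, spoke.name)
        addr = ipaddress.ip_address(spoke.cgw_public_ip)
        if any(addr in rng for rng in NON_PUBLIC_RANGES):
            findings.append(f"{spoke.name}: gateway address {addr} is not publicly routable")
        # Advertised prefixes must not overlap another site's prefixes or the VPC CIDR.
        for prefix in spoke.prefixes:
            net = ipaddress.ip_network(prefix)
            for owner, other in claimed:
                if owner != spoke.name and net.overlaps(other):
                    findings.append(f"{spoke.name}: prefix {net} overlaps {other} ({owner})")
            claimed.append((spoke.name, net))
    return findings


def hub_advertisements(vpc_cidr: str, spokes: List[Spoke]) -> Dict[str, Set[str]]:
    """Prefixes each spoke learns back from the hub: the VPC CIDR plus every other spoke's prefixes."""
    return {
        spoke.name: {vpc_cidr} | {p for other in spokes if other is not spoke for p in other.prefixes}
        for spoke in spokes
    }


# Constructed sample: two valid spokes, then two that break the rules.
VPC_CIDR = "10.0.0.0/16"
SAMPLE_SPOKES = [
    Spoke("branch-a", "203.0.113.10", 65001, ("10.10.0.0/16",)),
    Spoke("branch-b", "203.0.113.20", 65002, ("10.20.0.0/16",)),
    Spoke("branch-c", "203.0.113.30", 65001, ("10.20.0.0/24",)),  # reuses branch-a's ASN, overlaps branch-b
    Spoke("branch-d", "192.168.1.1", 65004, ("10.0.5.0/24",)),    # private CGW address, overlaps the VPC
]

if __name__ == "__main__":
    for finding in validate_cloudhub(VPC_CIDR, SAMPLE_SPOKES):
        print("FINDING:", finding)
    for site, learned in hub_advertisements(VPC_CIDR, SAMPLE_SPOKES[:2]).items():
        print(site, "learns", sorted(learned))
```

Run against the sample, the validator reports four findings (two for branch-c, two for branch-d) and none for the first two spokes, and `hub_advertisements` shows branch-a learning the VPC CIDR plus branch-b's prefix, which is exactly the re-advertisement that lets the sites reach each other through the hub.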