VPC VPN connections are used to extend on-premise data centers to AWS
VPC VPN connections provide secure IPSec connections from on-premise computers/services to AWS
AWS hardware VPN
Connectivity can be established by creating an IPSec, hardware VPN connection between the VPC and the remote network.
On the AWS side of the VPN connection, a Virtual Private Gateway (VGW) provides two VPN endpoints for automatic failover.
On customer side a customer gateway (CGW) needs to be configured, which is the physical device or software application on the remote side of the VPN connection
AWS Direct Connect
AWS Direct Connect provides a dedicated private connection from a remote network to your VPC.
Direct Connect can be combined with an AWS hardware VPN connection to create an IPsec-encrypted connection
AWS VPN CloudHub
For more than one remote network for e.g. multiple branch offices, multiple AWS hardware VPN connections can be created via the VPC to enable communication between these networks
VPN connection can be setup by running a software VPN like OpenVPN appliance on an EC2 instance in the VPC
AWS does not provide or maintain software VPN appliances; however, there are range of products provided by partners and open source communities
Hardware VPN Connection
Virtual Private Gateway - VGW
A virtual private gateway is the VPN concentrator on the AWS side of the VPN connection
Customer Gateway - CGW
A customer gateway is a physical device or software application on customer side of the VPN connection.
When a VPN connection is created, the VPN tunnel comes up when traffic is generated from the remote side of the VPN connection.
VGW is not the initiator; CGW must initiate the tunnels
If the VPN connection experiences a period of idle time, usually 10 seconds, depending on the configuration, the tunnel may go down. To prevent this, a network monitoring tool to generate keepalive pings; for e.g. by using IP SLA.
VPC has an attached virtual private gateway, and the remote network includes a customer gateway, which must be configured to enable the
Routing must be setup so that any traffic from the VPC bound for the remote network is routed to the virtual private gateway.
Each VPN has two tunnels associated with it that can be configured on the customer router, as is not single point of failure
Multiple VPN connections to a single VPC can be created, and a second CGW can be configured to create a redundant connection to the same external location or to create VPN connections to multiple geographic locations.
VPN Routing Options
For a VPN connection, the route table for the subnets should be updated with the type of routing (static of dynamic) that you plan to use.
Route tables determine where network traffic is directed. Traffic destined for the VPN connections must be routed to the virtual private gateway.
Type of routing can depend on the make and model of your VPN devices.
If your device does not support BGP, specify static routing.
Using static routing, the routes (IP prefixes) can be specified that should be communicated to the virtual private gateway.
Devices that don't support BGP may also perform health checks to assist failover to the second tunnel when needed.
BGP dynamic routing
If the VPN device supports Border Gateway Protocol (BGP), specify dynamic routing with the VPN connection.
When using a BGP device, static routes need not be specified to the VPN connection because the device uses BGP for auto discovery and to advertise its routes to the virtual private gateway.
BGP-capable devices are recommended as the BGP protocol offers robust liveness detection checks that can assist failover to the second VPN tunnel if the first tunnel goes down.
Only IP prefixes known to the virtual private gateway, either through BGP advertisement or static route entry, can receive traffic from your VPC.
Virtual private gateway does not route any other traffic destined outside of the advertised BGP, static route entries, or its attached VPC CIDR.
VPN Connection Redundancy
A VPN connection is used to connect the customer network to a VPC.
Each VPN connection has two tunnels to help ensure connectivity in case one of the VPN connections becomes unavailable, with each tunnel using a unique virtual private gateway public IP address.
Both tunnels should be configured for redundancy.
When one tunnel becomes unavailable, for e.g. down for maintenance, network traffic is automatically routed to the available tunnel for that specific VPN connection.
To protect against a loss of connectivity in case the customer gateway becomes unavailable, a second VPN connection can be setup to the VPC and virtual private gateway by using a second customer gateway.
Customer gateway IP address for the second VPN connection must be publicly accessible.
By using redundant VPN connections and CGWs, maintenance on one of the customer gateways can be performed while traffic continues to flow over the second customer gateway's VPN connection.
Dynamically routed VPN connections using the Border Gateway Protocol (BGP) are recommended, if available, to exchange routing information between the customer gateways and the virtual private gateways.
Statically routed VPN connections require static routes for the network to be entered on the customer gateway side.
BGP-advertised and statically entered route information allow gateways on both sides to determine which tunnels are available and reroute traffic if a failure occurs.
VPN CloudHub can be used to provide secure communication between sites, if you have multiple VPN connections
VPN CloudHub operates on a simple hub-and-spoke model that can be used with or without a VPC.
Design is suitable for customers with multiple branch offices and existing
Internet connections who'd like to implement a convenient, potentially low-cost hub-and-spoke model for primary or backup connectivity between these remote offices
VPN CloudHub architecture with blue dashed lines indicates network
traffic between remote sites being routed over their VPN connections.
AWS VPN CloudHub requires a virtual private gateway with multiple customer gateways.
Each customer gateway must use a unique Border Gateway Protocol (BGP) Autonomous System Number (ASN)
Customer gateways advertise the appropriate routes (BGP prefixes) over their VPN connections.
Routing advertisements are received and re-advertised to each BGP peer, enabling each site to send data to and receive data from the other sites.
Routes for each spoke must have unique ASNs and the sites must not have overlapping IP ranges.
Each site can also send and receive data from the VPC as if they were using a standard VPN connection.
Sites that use AWS Direct Connect connections to the virtual private gateway can also be part of the AWS VPN CloudHub.
To configure the AWS VPN CloudHub,
multiple customer gateways can be created, each with the unique public IP address of the gateway and the ASN.
a VPN connection can be created from each customer gateway to a common virtual private gateway.
each VPN connection must advertise its specific BGP routes. This is done using the network statements in the VPN configuration files for the VPN connection.