AWS Site-to-Site VPN

Abimuktheeswaran Chidambaram
7 min read · Aug 4, 2023


Site-to-Site VPN is one of the connectivity options for joining your on-premises network to an Amazon VPC. The traffic crosses the public internet, but inside an IPsec tunnel (IPsec is the set of protocols that authenticates and encrypts IP packets between two endpoints), so it never travels in the clear. The maximum throughput of a Site-to-Site VPN tunnel is 1.25 Gbps. In this article we cover the following chapters:

⁕ VPN connection concepts

⁕ How does the tunnel work?

⁕ How does the AWS Site-to-Site VPN work?

⁕ Architecture of Site-to-Site VPN connections

⁕ Site-to-Site VPN features & Limitations

1. VPN connection concepts

A VPN connection is the secure link between your on-premises network and your VPC; everything sent over it is authenticated and encrypted.

A VPN tunnel is the encrypted path through which the data is transferred. Each VPN connection has 2 tunnels for high availability.

The virtual private gateway is the VPN endpoint on the Amazon side; it is attached to a single VPC.

The customer gateway is the AWS resource that represents the customer side of the VPN connection: the public IP address of your device and, for dynamic routing, its BGP ASN.

The customer gateway device is the physical or software appliance on your side of the connection; your network administrator configures it to match the tunnel settings AWS assigns to the VPN connection.

The transit gateway is a regional hub that interconnects multiple VPCs and your on-premises network. It can act as the AWS-side VPN endpoint for a Site-to-Site VPN connection in place of a virtual private gateway.

The Direct Connect gateway links a Direct Connect location to VPCs or transit gateways in an AWS Region, including Regions other than the one the Direct Connect location serves.

In general, a gateway connects two networks that may use different protocols; it is the entry and exit point of a network.

IKEv2 (Internet Key Exchange version 2) is the protocol that authenticates the two VPN endpoints to each other and negotiates the keys and algorithms for the IPsec security associations that protect the tunnel. AWS supports IKEv1 and IKEv2; IKEv2 is the faster and more secure of the two and is the one to prefer when your device supports it.

2. How does the tunnel work?

Figure: a Site-to-Site VPN connection with two tunnels

The diagram above shows that a VPN connection uses 2 tunnels for data transfer. Each tunnel terminates on a different AWS endpoint in a different Availability Zone to increase availability. Traffic from on-premises to the VPC can use both tunnels. Traffic from the VPC to on-premises uses one of the tunnels at a time; if that tunnel fails on the AWS side, AWS switches to the second tunnel so the VPN connection is not interrupted. For this failover to work, your customer gateway device must have both tunnels configured and up, not just the first one.

Tunnel options for a Site-to-Site VPN connection: DPD and IKE initiation

Dead Peer Detection (DPD) detects an IKE peer that has become unreachable. The DPD timeout defaults to 30 seconds; you can specify 30 seconds or higher. When the timeout expires, one of three DPD timeout actions runs: Clear, None or Restart. Clear (the default) ends the IKE session, clears the routes and brings the tunnel down. None takes no action. Restart re-establishes the IKE session after the timeout.

IKE initiation (startup action): before a new or modified tunnel carries traffic, one side has to initiate the IKE negotiation. By default this is left to your customer gateway device (startup action Add); you can instead specify that AWS initiates the negotiation (startup action Start). You can modify the tunnel options of an existing connection, but the tunnel is interrupted for up to several minutes while the change is applied, so plan and prepare for that downtime before you modify a tunnel option.

VPN tunnel authentication options

A VPN tunnel supports 2 authentication options. The first is a pre-shared key, the default when you create a Site-to-Site VPN tunnel; the second is a private certificate issued by AWS Private CA, which avoids distributing a shared secret to the customer gateway device.

Types of Routing in AWS Site-to-Site VPN

Routing determines the path between one or more networks and stores that information in a routing table.

Static (or non-adaptive) routing uses a single, fixed route to each destination. It is simple: you add the route to the routing table manually. It uses less bandwidth and suits smaller networks.

Dynamic (or adaptive) routing learns multiple routes to a destination and picks the best one. It is more complex: routes are added to the routing table automatically, it uses more bandwidth, and it suits larger networks. It requires BGP (Border Gateway Protocol), which exchanges routes and selects the best path between Autonomous Systems. An Autonomous System Number (ASN) identifies a network that controls routing within itself and exchanges routing information with other networks such as ISPs. You can use a public ASN or a private ASN. If you do not specify one, the customer gateway is created with ASN 65000 (the Amazon-side ASN of a virtual private gateway defaults to 64512).
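As an added example (this is not code from the article), the Terraform configuration below creates a Site-to-Site VPN on a transit gateway with the tunnel options, authentication choice and routing type discussed in this section: IKEv2 only, AES-256 with SHA2-256 and DH group 14 in both phases, DPD with the Restart action, AWS-initiated IKE, pre-shared-key authentication and dynamic (BGP) routing. The transit gateway `aws_ec2_transit_gateway.hub`, the variable `tunnel_psk`, the ASN 65010 and the address 203.0.113.10 are placeholders chosen for illustration.

```hcl
# Added example: Site-to-Site VPN on a transit gateway with explicit tunnel
# options. aws_ec2_transit_gateway.hub, the ASN 65010 and the address
# 203.0.113.10 are placeholders, not values from the article.

variable "tunnel_psk" {
  description = "Pre-shared keys for tunnel 1 and tunnel 2 (8-64 chars; keep out of source control)"
  type        = list(string)
  sensitive   = true
}

resource "aws_customer_gateway" "onprem" {
  bgp_asn    = 65010          # private ASN of the on-premises router (placeholder)
  ip_address = "203.0.113.10" # public IP of the customer gateway device (placeholder)
  type       = "ipsec.1"
  # For certificate authentication instead of a pre-shared key, set
  # certificate_arn to a certificate issued by AWS Private CA and drop the
  # tunnel*_preshared_key arguments below.
}

resource "aws_vpn_connection" "onprem" {
  customer_gateway_id = aws_customer_gateway.onprem.id
  transit_gateway_id  = aws_ec2_transit_gateway.hub.id # assumed to exist
  type                = "ipsec.1"

  # Dynamic (BGP) routing. With a virtual private gateway and static routing
  # you would set this to true and add aws_vpn_connection_route resources.
  static_routes_only = false

  # Accelerated VPN (Global Accelerator) is off by default, only valid on a
  # transit gateway, and chosen when the connection is created.
  enable_acceleration = false

  # Tunnel 1
  tunnel1_preshared_key                = var.tunnel_psk[0]
  tunnel1_ike_versions                 = ["ikev2"]  # refuse IKEv1 negotiation
  tunnel1_phase1_encryption_algorithms = ["AES256"]
  tunnel1_phase1_integrity_algorithms  = ["SHA2-256"]
  tunnel1_phase1_dh_group_numbers      = [14]       # omit the 1024-bit group 2 that AWS allows by default
  tunnel1_phase2_encryption_algorithms = ["AES256"]
  tunnel1_phase2_integrity_algorithms  = ["SHA2-256"]
  tunnel1_phase2_dh_group_numbers      = [14]
  tunnel1_dpd_timeout_seconds          = 30         # minimum and default
  tunnel1_dpd_timeout_action           = "restart"  # default is "clear"
  tunnel1_startup_action               = "start"    # AWS initiates IKE; default "add" leaves it to your device

  # Tunnel 2: identical policy so failover does not land on a weaker tunnel
  tunnel2_preshared_key                = var.tunnel_psk[1]
  tunnel2_ike_versions                 = ["ikev2"]
  tunnel2_phase1_encryption_algorithms = ["AES256"]
  tunnel2_phase1_integrity_algorithms  = ["SHA2-256"]
  tunnel2_phase1_dh_group_numbers      = [14]
  tunnel2_phase2_encryption_algorithms = ["AES256"]
  tunnel2_phase2_integrity_algorithms  = ["SHA2-256"]
  tunnel2_phase2_dh_group_numbers      = [14]
  tunnel2_dpd_timeout_seconds          = 30
  tunnel2_dpd_timeout_action           = "restart"
  tunnel2_startup_action               = "start"
}

# The outside addresses you configure on the customer gateway device.
output "tunnel_endpoints" {
  value = {
    tunnel1 = aws_vpn_connection.onprem.tunnel1_address
    tunnel2 = aws_vpn_connection.onprem.tunnel2_address
  }
}
```

Supply the two pre-shared keys through a `TF_VAR_tunnel_psk` environment variable or a secrets manager rather than a committed `.tfvars` file, and configure the same IKEv2/AES-256/SHA2-256/group 14 policy on both tunnels of the customer gateway device; a mismatch on either tunnel only shows up when failover tries to use it.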

3. How does the AWS Site-to-Site VPN work?

A traditional Site-to-Site VPN lets a remote location reach the company network from anywhere. The data travels from your location to the destination over the public internet, but it is encrypted in transit, which provides confidentiality and integrity. Even if someone intercepts the traffic, the ciphertext is useless to them without the keys.

It works with the following components: a virtual private gateway or transit gateway, a customer gateway and a customer gateway device. A connection consists of 2 tunnels; each tunnel runs between the AWS-side endpoint (virtual private gateway or transit gateway) and the customer gateway device on the on-premises side.

Using a virtual private gateway: the diagram shows a single Site-to-Site VPN connection terminating on a virtual private gateway attached to one VPC, which is why it is also called a single VPN connection.

Using a transit gateway: the diagram shows a single Site-to-Site VPN connection terminating on a transit gateway instead. Because the transit gateway interconnects multiple VPCs, that one connection gives the on-premises network a path to all of them.

Using a customer gateway and customer gateway device: the customer gateway is the entry point of the customer-side VPN connection. The customer gateway device is the physical or software appliance that your network administrator configures for the connection. The two lines in the diagram represent the two tunnels of the VPN connection between your customer gateway and the AWS virtual private gateway. If there is a failure on the AWS side, traffic switches to the second tunnel to avoid interrupting the VPN connection.

4. Architecture of Site-to-Site VPN connections

• Multiple Site-to-Site VPN connections with Virtual private gateway

• Multiple Site-to-Site VPN connections with Transit gateway

• Private IP site-to-site VPN connection with Direct Connect

A private IP VPN runs the IPsec tunnels over a Direct Connect connection instead of the public internet, with the Direct Connect gateway linking the Direct Connect location to the AWS Region. For example, if the on-premises network is in India, the Direct Connect location is in Singapore and the VPC is in a Region in America, the data goes from on-premises to the Direct Connect location and from there, through the Direct Connect gateway, to the VPC Region. The path is private and predictable, and the payload is still encrypted; note that each tunnel keeps the 1.25 Gbps limit regardless of the Direct Connect bandwidth.

• Multiple Site-to-Site VPN connections with VPN CloudHub

VPN CloudHub connects multiple Site-to-Site VPN connections to one virtual private gateway in a hub-and-spoke layout. Consider the scenario: your head office is in America and branch offices are in India, Singapore and Australia. Each site's customer gateway uses BGP with its own unique ASN; the virtual private gateway re-advertises each site's routes to the others, so the branch offices can communicate with the head office and with each other through AWS at the same time.

5. Site-to-Site VPN features & Limitations

The Site-to-Site VPN features include: IKEv2 (Internet Key Exchange version 2); NAT traversal (NAT-T), which lets the tunnel come up when your customer gateway device sits behind a NAT device by encapsulating the IPsec traffic in UDP port 4500; reusable IP addresses for your customer gateways; CloudWatch metrics and tunnel logs; configurable tunnel options; additional encryption options, including AES 256-bit encryption, SHA-2 hashing and additional Diffie-Hellman groups; 4-byte ASN for the virtual private gateway and 2-byte ASN for the customer gateway; and private certificates from AWS Private CA for tunnel authentication.

The Site-to-Site VPN limitations are that IPv6 traffic is not supported for VPN connections on a virtual private gateway (a transit gateway is required for IPv6), and that an AWS VPN connection does not support Path MTU Discovery, so you must size packets on your side (MTU or TCP MSS clamping on the customer gateway device) so that they fit inside the tunnel.

The two tunnels protect you against a failure on the AWS side only. To protect against a loss of connectivity when your own customer gateway device becomes unavailable, set up a second Site-to-Site VPN connection from a second customer gateway device.
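Because failover to the second tunnel hides the loss of the first, a connection can run with no redundancy left and nobody notices. As an added example (not from the article), the Terraform below uses the CloudWatch `TunnelState` metric from the AWS/VPN namespace (1 = up, 0 = down) to raise one alarm per tunnel for a degraded connection and one aggregate alarm for a full outage. `aws_vpn_connection.onprem` and the SNS topic `aws_sns_topic.netops` are assumed to exist and are placeholders.

```hcl
# Added example: per-tunnel and aggregate TunnelState alarms for a
# Site-to-Site VPN. aws_vpn_connection.onprem and aws_sns_topic.netops
# are placeholders.

locals {
  vpn_tunnels = {
    tunnel1 = aws_vpn_connection.onprem.tunnel1_address
    tunnel2 = aws_vpn_connection.onprem.tunnel2_address
  }
}

# Degraded: a single tunnel down. Traffic keeps flowing over the other
# tunnel, so without this alarm the lost redundancy goes unnoticed.
resource "aws_cloudwatch_metric_alarm" "vpn_tunnel_down" {
  for_each = local.vpn_tunnels

  alarm_name        = "vpn-${each.key}-down"
  alarm_description = "Site-to-Site VPN ${each.key} has reported DOWN for 3 minutes"
  namespace         = "AWS/VPN"
  metric_name       = "TunnelState" # 1 = UP, 0 = DOWN
  dimensions = {
    VpnId           = aws_vpn_connection.onprem.id
    TunnelIpAddress = each.value
  }
  statistic           = "Minimum"
  period              = 60
  evaluation_periods  = 3
  threshold           = 1
  comparison_operator = "LessThanThreshold"
  treat_missing_data  = "breaching" # no datapoints at all is not a healthy tunnel
  alarm_actions       = [aws_sns_topic.netops.arn]
  ok_actions          = [aws_sns_topic.netops.arn]
}

# Outage: both tunnels down. Without the TunnelIpAddress dimension the metric
# covers the whole connection; Maximum == 0 means no tunnel was up in the period.
resource "aws_cloudwatch_metric_alarm" "vpn_connection_down" {
  alarm_name        = "vpn-connection-down"
  alarm_description = "Site-to-Site VPN has no tunnel UP"
  namespace         = "AWS/VPN"
  metric_name       = "TunnelState"
  dimensions = {
    VpnId = aws_vpn_connection.onprem.id
  }
  statistic           = "Maximum"
  period              = 60
  evaluation_periods  = 2
  threshold           = 0
  comparison_operator = "LessThanOrEqualToThreshold"
  treat_missing_data  = "breaching"
  alarm_actions       = [aws_sns_topic.netops.arn]
}
```

Route the per-tunnel alarm to a ticket queue and the connection-wide alarm to paging; the first tells you the connection is running on one tunnel and needs attention, the second that the site is cut off.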

Accelerated Site-to-Site VPN connection

AWS Global Accelerator improves the performance of your VPN by routing traffic from your on-premises network to the AWS edge location closest to your customer gateway device and then across the AWS global network to the tunnel endpoints. An accelerated Site-to-Site VPN connection is supported only on a transit gateway, not on a virtual private gateway. It still offers two tunnels for high availability. Global Accelerator supports both TCP and UDP, IPv4 for all endpoints and IPv6 for Application Load Balancer endpoints. When you create an accelerated connection, AWS creates and manages two accelerators for you; you are charged an hourly fee for each accelerator plus a data transfer premium. Note: by default, Enable Acceleration is disabled (false). To use AWS Global Accelerator, set enable acceleration to true when you create the VPN connection.

Thanks for reading!

Last Updated: 07-Jan-2024
