AWS Site-to-Site VPN provides secure, private connectivity between your on-premises network and your AWS VPCs.
It establishes IPsec-encrypted tunnels between your on-premises equipment and a gateway in AWS, so you can treat your VPCs as an extension of your corporate data center.
The virtual private gateway (VGW) is the AWS side of the VPN connection: the VPN concentrator that terminates the tunnels in the Amazon network.
The customer gateway represents the on-premises side: a physical device or software application at your site that terminates the tunnels. In AWS it is a resource that records the device's public IP address (or certificate) and its BGP ASN.
A VPN connection consists of two tunnels, providing built-in redundancy on the AWS side: each tunnel terminates on a different virtual private gateway public IP address, so one AWS-side endpoint can fail (or be taken down for maintenance) while the other carries traffic. Configure both tunnels on your device; a single configured tunnel gives up that redundancy. The two tunnels do not protect against failure of your own device, so for a fully redundant design add a second customer gateway (a second on-premises device) with its own VPN connection to the same virtual private gateway, removing the single point of failure on the customer side.
Technical Specs: Dual tunnel connection; Each tunnel uses a unique VGW public IP; Use two customer gateways, each with its own VPN connection, for on-premises redundancy.
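The redundancy posture described above can be checked from the connection telemetry. The following is an added example, not AWS code or code from the original page: it takes a constructed object shaped like the output of `aws ec2 describe-vpn-connections` (real field names; the IDs, addresses and tunnel states are made up) and reports connections running on a single tunnel, whether all connections hang off one customer gateway, and whether every tunnel has its own AWS-side public IP.

```python
"""Check a Site-to-Site VPN deployment for tunnel and customer-gateway redundancy.

Added example (not AWS code). The input is constructed to match the shape of
`aws ec2 describe-vpn-connections` output; the field names are the real ones,
the IDs, addresses and states are made up for this example.
"""
from collections import Counter

# Constructed sample: two VPN connections to one virtual private gateway from
# two different on-premises customer gateways. Connection ...0002 has one
# tunnel DOWN, so it is still reachable but has lost its built-in redundancy.
SAMPLE_DESCRIBE_OUTPUT = {
    "VpnConnections": [
        {
            "VpnConnectionId": "vpn-0a1b2c3d4e5f60001",
            "State": "available",
            "CustomerGatewayId": "cgw-0aaa1111bbbb2222c",
            "VpnGatewayId": "vgw-0123456789abcdef0",
            "VgwTelemetry": [
                {"OutsideIpAddress": "203.0.113.10", "Status": "UP", "AcceptedRouteCount": 3},
                {"OutsideIpAddress": "203.0.113.11", "Status": "UP", "AcceptedRouteCount": 3},
            ],
        },
        {
            "VpnConnectionId": "vpn-0a1b2c3d4e5f60002",
            "State": "available",
            "CustomerGatewayId": "cgw-0ddd3333eeee4444f",
            "VpnGatewayId": "vgw-0123456789abcdef0",
            "VgwTelemetry": [
                {"OutsideIpAddress": "203.0.113.12", "Status": "UP", "AcceptedRouteCount": 3},
                {"OutsideIpAddress": "203.0.113.13", "Status": "DOWN", "AcceptedRouteCount": 0},
            ],
        },
    ]
}


def tunnels_up(vpn: dict) -> int:
    """Count how many of a connection's tunnels currently report Status UP."""
    return sum(1 for t in vpn.get("VgwTelemetry", []) if t.get("Status") == "UP")


def assess(describe_output: dict) -> dict:
    """Summarise the redundancy posture of every VPN connection.

    - tunnels_up: UP-tunnel count per connection (2 is healthy)
    - degraded: connections currently running on a single tunnel
    - single_cgw: True when every connection terminates on the same customer
      gateway, i.e. the on-premises device is a single point of failure
    - outside_ips_unique: each tunnel should have its own AWS-side public IP
    """
    conns = describe_output["VpnConnections"]
    per_conn = {c["VpnConnectionId"]: tunnels_up(c) for c in conns}
    cgws = Counter(c["CustomerGatewayId"] for c in conns)
    outside_ips = [t["OutsideIpAddress"] for c in conns for t in c["VgwTelemetry"]]
    return {
        "tunnels_up": per_conn,
        "degraded": sorted(v for v, n in per_conn.items() if n < 2),
        "single_cgw": len(cgws) < 2,
        "outside_ips_unique": len(set(outside_ips)) == len(outside_ips),
    }


if __name__ == "__main__":
    report = assess(SAMPLE_DESCRIBE_OUTPUT)
    for vid, n in report["tunnels_up"].items():
        print(f"{vid}: {n}/2 tunnels up")
    if report["degraded"]:
        print("degraded connections:", ", ".join(report["degraded"]))
    if report["single_cgw"]:
        print("WARNING: only one customer gateway; the on-premises side is a single point of failure")
```

In a real account you would feed `assess()` the parsed JSON from the CLI or boto3 call; a connection in `degraded` is the condition to alarm on, since it is one failure away from an outage.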
AWS VPN CloudHub offers a way to simplify VPN network topology for connecting multiple sites.
VPN CloudHub lets multiple remote sites, each with its own Site-to-Site VPN connection to the same virtual private gateway, communicate with one another through AWS as well as with your VPC (it can also be used without a VPC).
Purpose
VPN CloudHub is useful when you have multiple sites and want them connected to each other without building a full mesh of site-to-site links: the VPN connections are aggregated at a single hub and the sites reach each other through it.
Use Cases:
- Connecting multiple sites with VPN connections
- Aggregating VPN connections from customer sites around the world (for example, branch offices reaching each other via the hub)
Operating Model
It operates on a hub-and-spoke model. The hub is the virtual private gateway (the AWS VPN CloudHub) and the spokes are the customer sites. Each site advertises its prefixes over BGP; the virtual private gateway re-advertises them to the other sites, so spoke-to-spoke traffic flows through the hub. Unlike VPC peering, which is a one-to-one, non-transitive link, CloudHub is transitive between its spokes by design.
Use Cases:
- Simplifying network topology for multi-site connectivity
Cost and Management
There is no separate charge for CloudHub; you pay the standard Site-to-Site VPN connection and data transfer rates for each site, and the hub needs no extra infrastructure to set up or manage.
Security and Traffic
It operates over the public internet, but all traffic between each customer gateway and the virtual private gateway is carried inside the IPsec tunnels, so data in transit is encrypted. Note that spoke-to-spoke traffic is decrypted and re-encrypted at the hub; it is not end-to-end encrypted between the two sites unless you layer that yourself.
Configuration Requirement
You must use a unique Border Gateway Protocol (BGP) Autonomous System Number (ASN) for each customer gateway, and the sites' IP ranges must not overlap one another or the VPC's CIDR, because the virtual private gateway re-advertises each site's prefixes to every other site.
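The two CloudHub requirements (unique BGP ASN per customer gateway, non-overlapping site prefixes) are easy to check before any customer gateway is created. The following is an added example, not AWS code or code from the original page; the site table, the VPC CIDR and the Amazon-side ASN value are constructed assumptions for this example.

```python
"""Validate a VPN CloudHub site plan before creating the customer gateways.

Added example, not AWS code. The site table is constructed for this example;
ASNs are from the private range 64512-65534 and prefixes from RFC 1918 space.
CloudHub needs a unique BGP ASN per customer gateway, and because the virtual
private gateway re-advertises each site's prefixes to the other sites, the
sites' prefixes must not overlap each other or the VPC CIDR.
"""
import ipaddress
from itertools import combinations

# Constructed site plan. "madrid" deliberately breaks both rules: it reuses
# frankfurt's ASN and advertises a /24 that sits inside frankfurt's /16.
SITES = [
    {"name": "london", "bgp_asn": 65001, "prefixes": ["10.10.0.0/16"]},
    {"name": "frankfurt", "bgp_asn": 65002, "prefixes": ["10.20.0.0/16"]},
    {"name": "madrid", "bgp_asn": 65002, "prefixes": ["10.20.5.0/24", "10.30.0.0/16"]},
]
VPC_CIDR = "172.16.0.0/16"
# Amazon-side ASN of the virtual private gateway. 64512 is the AWS default,
# but treat the value here as an assumption for the example.
AMAZON_SIDE_ASN = 64512


def duplicate_asns(sites: list[dict]) -> dict[int, list[str]]:
    """Map each BGP ASN used by more than one site to the sites that share it."""
    by_asn: dict[int, list[str]] = {}
    for s in sites:
        by_asn.setdefault(s["bgp_asn"], []).append(s["name"])
    return {asn: names for asn, names in by_asn.items() if len(names) > 1}


def prefix_overlaps(sites: list[dict], vpc_cidr: str) -> list[tuple[str, str, str, str]]:
    """Return (site_a, prefix_a, site_b, prefix_b) for every overlapping pair,
    treating the VPC CIDR as a pseudo-site named 'vpc'."""
    labelled = [("vpc", ipaddress.ip_network(vpc_cidr))]
    for s in sites:
        labelled += [(s["name"], ipaddress.ip_network(p)) for p in s["prefixes"]]
    return [
        (a, str(na), b, str(nb))
        for (a, na), (b, nb) in combinations(labelled, 2)
        if na.overlaps(nb)
    ]


def validate(sites: list[dict], vpc_cidr: str, amazon_asn: int = AMAZON_SIDE_ASN) -> list[str]:
    """Return human-readable problems; an empty list means the plan is valid."""
    problems = []
    for asn, names in duplicate_asns(sites).items():
        problems.append(f"ASN {asn} reused by {', '.join(names)}")
    for s in sites:
        # The customer side must not claim the ASN the virtual private gateway uses.
        if s["bgp_asn"] == amazon_asn:
            problems.append(f"{s['name']} uses the Amazon-side ASN {amazon_asn}")
    for a, pa, b, pb in prefix_overlaps(sites, vpc_cidr):
        problems.append(f"{a} {pa} overlaps {b} {pb}")
    return problems


if __name__ == "__main__":
    for p in validate(SITES, VPC_CIDR) or ["plan is valid"]:
        print(p)
```

Run against the constructed plan it reports the reused ASN and the overlapping prefix; fixing madrid's ASN and moving its /24 out of frankfurt's range yields an empty problem list.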
AWS provides various configurations for Site-to-Site VPN connections to suit different networking needs.
Examples of Site-to-Site VPN connections include:
- Single Site-to-Site VPN connection
- Single Site-to-Site VPN connection with a Transit Gateway
- Multiple Site-to-Site VPN connections
- Multiple Site-to-Site VPN connections with a Transit Gateway
- Site-to-Site VPN connection with AWS Direct Connect
- Private IP Site-to-Site VPN connection with AWS Direct Connect
Site-to-Site VPN can be combined with other AWS networking and data transfer services for enhanced functionality and secure hybrid architectures.
Direct Connect with Site-to-Site VPN: this combination uses Direct Connect for consistent, low-latency bandwidth and a VPN over the internet as a failover path or for sites with no nearby Direct Connect location. A VPN can also be run over the Direct Connect connection itself (the Private IP VPN option), adding IPsec encryption to traffic that Direct Connect does not encrypt on its own.
AWS Transit Gateway acts as a central hub that connects VPCs and on-premises networks in a hub-and-spoke model. It accepts Direct Connect and VPN attachments and provides transitive routing between thousands of VPCs and on-premises data centers, which VPC peering alone cannot do.
VPC Flow Logs capture metadata about the IP traffic to and from network interfaces in your VPC (source and destination address and port, protocol, packet and byte counts, and whether the traffic was accepted or rejected), including traffic that arrives over a VPN connection from an on-premises data center. This data is useful for diagnosing connectivity problems (for example, a security group or network ACL rejecting on-premises traffic) and for spotting unexpected flows coming across the VPN.
Technical Specs: Captures metadata about IP traffic, not packet payloads; Can be published to CloudWatch Logs, S3, or Kinesis Data Firehose.
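The following is an added example, not code from the original page or from AWS: it parses a handful of constructed flow log records in the default (version 2) format, keeps only the flows that originated from the on-premises prefix routed over the VPN, and flags sources whose traffic was rejected on several distinct ports, which is how a misrouted host or a port scan from the remote network shows up. The on-premises prefix 10.10.0.0/16 and the VPC address 172.16.1.10 are assumptions for the example.

```python
"""Triage VPC Flow Log records for traffic arriving from on-premises over the VPN.

Added example, not AWS code. The log lines below are constructed in the
default (version 2) flow log format; the on-premises prefix 10.10.0.0/16 and
the VPC address 172.16.1.10 are assumptions for this example.
"""
import ipaddress
from collections import defaultdict

# Default format: version account-id interface-id srcaddr dstaddr srcport
# dstport protocol packets bytes start end action log-status
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample. 10.10.4.25 is a legitimate on-prem client (HTTPS accepted,
# one stray SSH attempt rejected); 10.10.4.99 probes several blocked ports;
# 198.51.100.7 is an internet source, not the VPN; the last line carries no flow.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f60001 10.10.4.25 172.16.1.10 51234 443 6 12 3456 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.10.4.25 172.16.1.10 51235 22 6 1 60 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.10.4.99 172.16.1.10 40000 3389 6 1 60 1700000010 1700000069 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.10.4.99 172.16.1.10 40001 3306 6 1 60 1700000010 1700000069 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.10.4.99 172.16.1.10 40002 5432 6 1 60 1700000011 1700000070 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 198.51.100.7 172.16.1.10 55555 443 6 20 9000 1700000020 1700000079 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 - - - - - - - 1700000020 1700000079 - NODATA
"""


def parse_flow_log(text: str) -> list[dict]:
    """Parse default-format lines; drop NODATA/SKIPDATA records, which carry no flow."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed or custom-format line; ignore
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        for k in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[k] = int(rec[k])
        records.append(rec)
    return records


def from_on_prem(records: list[dict], on_prem_cidrs: list[str]) -> list[dict]:
    """Keep only flows whose source lies in a prefix routed over the VPN."""
    nets = [ipaddress.ip_network(c) for c in on_prem_cidrs]
    return [r for r in records
            if any(ipaddress.ip_address(r["srcaddr"]) in n for n in nets)]


def rejected_ports_by_source(records: list[dict], min_ports: int = 2) -> dict[str, set[int]]:
    """Sources whose flows were REJECTed on at least `min_ports` distinct ports:
    a simple signal for a misrouted host or a port scan coming across the VPN."""
    ports: dict[str, set[int]] = defaultdict(set)
    for r in records:
        if r["action"] == "REJECT":
            ports[r["srcaddr"]].add(r["dstport"])
    return {src: p for src, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    vpn_flows = from_on_prem(parse_flow_log(SAMPLE_LOG), ["10.10.0.0/16"])
    for src, ports in rejected_ports_by_source(vpn_flows).items():
        print(f"{src} rejected on ports {sorted(ports)}")
```

The same logic maps onto a CloudWatch Logs Insights query or an Athena query over the S3 export; the parser here simply makes the detection runnable offline on a few lines.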
AWS DataSync is an online data transfer service. Neither Direct Connect nor Site-to-Site VPN is strictly required for DataSync, but one of them is recommended for better performance, security, and predictability when transferring large datasets between on-premises storage and AWS.