AWS Site-to-Site VPN - Overview.
Scope:
- Overview,
- Core Components & Description,
- VPN Tunnel Architecture that Each AWS VPN Connection provides,
- Routing Options,
- Option A: Static Routing,
- Option B: Dynamic Routing over Boarder Gateway Protocol (BGP),
- High-Level Architecture Flow,
- AWS Site-to-Site VPN Configuration Steps,
- Security Tools & Monitoring Purposes,
- Advanced Topics,
- Troubleshooting Checklist (Issues, Possible Causes & checks)
- Best Practices
- Link to official documentation,
- Insights.
1. Overview
- AWS Site-to-Site VPN securely connects twtech on-premises network or data center to its Amazon VPC using an IPSec VPN tunnel over the public Internet.
- It’s fully managed by AWS.
- It Provides encrypted connectivity between twtech data center and AWS.
- Its Commonly used for:
- Hybrid cloud connectivity (before or alongside Direct Connect)
- Secure private communication with AWS workloads
- Backup path to AWS Direct Connect (failover)
2. Core Components & Description
|
Component |
Description |
|
Customer Gateway (CGW) |
Represents twtech on-prem
router/firewall device or software appliance. |
|
Virtual Private
Gateway (VGW) |
AWS-side VPN concentrator attached
to twtech VPC. |
|
VPN Connection |
Logical connection that links CGW
and VGW; consists of two IPSec tunnels for redundancy. |
|
Route Tables |
Define which traffic is sent
through the VPN. |
|
BGP/Static Routing |
Used for dynamic or static route
advertisement between on-prem and AWS. |
3. VPN Tunnel Architecture that Each AWS VPN Connection provides:
- Two redundant IPSec tunnels.
- Each tunnel terminates on different AWS endpoints in distinct AZs.
- Only one is active (primary); the other is standby (for high availability).
Encryption:
- IPSec protocol (IKEv1 or IKEv2) → AES-128/256, SHA-1/2 for hashing.
Encapsulation:
- ESP (Encapsulating Security Payload) + UDP (ports 500/4500 for NAT-T).
4. Routing Options
Option A: Static Routing
- twtech
manually defines routes in the VPN connection.
- Simple but less flexible.
- Good for small or predictable networks.
Option B: Dynamic Routing over Boarder Gateway Protocol (BGP)
- AWS
advertises VPC CIDRs over Boarder Gateway Protocol (BGP).
- twtech CGW advertises on-prem prefixes.
- Enables automatic route failover between tunnels.
✅ Recommended
for:
- Multi-region
or multi-VPC deployments.
- Dynamic route management and failover.
5. High-Level Architecture
- Data travels encrypted through the Internet between CGW and VGW.
- AWS decrypts at virtual Private Gateway (VGW) and routes traffic to private subnets via route tables.
6. AWS Site-to-Site VPN Configuration Steps
Step 1: Create
a Virtual Private Gateway
- Attach to twtech target VPC.
Step 2: Create
a Customer Gateway
- Provide the on-prem router’s public IP, BGP ASN, and device type.
Step 3: Create
a VPN Connection
- Link CGW ↔ VGW.
- Download AWS-generated VPN configuration file (device-specific).
Step 4: Configure
the On-Prem Router
- Apply the IPSec/IKE/BGP parameters from the AWS file.
Step 5: Update
VPC Route Tables
- Add routes pointing to the VGW for on-prem CIDRs.
7. Security Tools & Monitoring Purposes
|
Tool |
Purpose |
|
CloudWatch |
Monitor VPN tunnel state (TunnelState = UP/DOWN). |
|
CloudTrail |
Log API calls for VPN events. |
|
VPC Flow Logs |
Inspect traffic passing through
the VPN. |
|
AWS Config |
Track compliance and configuration
drift. |
|
GuardDuty |
Detect anomalous traffic patterns
over VPN. |
8. Advanced Topics
a. VPN over Direct
Connect (DX)
- Combine DX + VPN to get DX + encryption.
- Called Direct Connect + VPN backup or DX with VPN overlay.
b. Transit Gateway (TGW) VPN
- Use TGW instead of VGW for hub-and-spoke
topologies.
- Supports scalable multi-VPC VPN design.
- Each TGW VPN also has two tunnels with BGP.
c. Accelerated VPN (Global Accelerator Integration)
- Reduces latency by routing through AWS Global Network edge locations.
9. Troubleshooting Checklist (Issues, Possible Causes & checks)
|
Issue |
Possible Cause |
Check |
|
Tunnel Down |
Incorrect IKE/PSK. |
Validate shared key and
parameters. |
|
One Tunnel Down |
Misconfigured secondary tunnel. |
Verify second tunnel config. |
|
No Route |
Missing route table entry. |
Check VPC route table → VGW. |
|
Latency |
Internet path issues. |
Use AWS Global Accelerator or DX. |
|
BGP not established |
ASN mismatch / port blocked. |
Confirm BGP config and firewall
rules. |
10. Best Practices for
- Always configure both
tunnels for redundancy.
- Prefer BGP for automatic route propagation.
- Use CloudWatch Alarms for tunnel state changes.
- Encrypt traffic end-to-end (VPN + TLS for application layer).
- For scalability, prefer Transit Gateway VPNs over multiple VGWs.
- Automate setup using Terraform, AWS CDK, or CloudFormation.
Link to official documentation
Insights:
- Virtual Private Gateway (VGW)
- Customer Gateway (CGW)
- Virtual Private Network (VPN)
No comments:
Post a Comment