Sunday, November 9, 2025

AWS VPN CloudHub | Overview.


twtech Overview of AWS VPN CloudHub.

Scope:

  •        Architecture,
  •        Components,
  •        Routing behavior,
  •        Use cases.

Breakdown:

  •        Overview of AWS VPN CloudHub,
  •        Core Architecture,
  •        Key Components,
  •        Routing Behavior,
  •        Security and Encryption,
  •        Monitoring and Visibility,
  •        Integration with Other AWS Services,
  •        Use Cases,
  •        Sample Configuration,
  •        Comparison: CloudHub vs Transit Gateway,
  •        Diagram Suggestion.

Overview of AWS VPN CloudHub

  •        AWS VPN CloudHub enables twtech to connect multiple on-premises sites (branch offices) to each other via AWS, using a hub-and-spoke topology over an AWS Virtual Private Gateway (VGW).
  •        AWS VPN CloudHub is built on AWS Site-to-Site VPN. It allows secure communication between remote sites — even sites that use different ISPs — without dedicated circuits or direct connections between them.

Core Architecture

Topology: hub-and-spoke, with the VGW as the hub and each branch's Customer Gateway as a spoke.

NB:

  •        Each branch establishes a Site-to-Site VPN connection (a pair of IPsec tunnels) to the same Virtual Private Gateway (VGW) attached to a single VPC.
  •        AWS automatically routes traffic between the VPN connections through the VGW — no full mesh of site-to-site tunnels is needed.

Key Components

| Component | Description |
|---|---|
| VGW (Virtual Private Gateway) | Central AWS-managed VPN endpoint for your VPC. |
| Customer Gateway (CGW) | Logical representation of the on-prem router at each site. |
| VPN Connection | IPsec tunnel pair between each CGW and the VGW. |
| BGP (Border Gateway Protocol) | Used to dynamically advertise and learn routes between sites. |
| CloudWatch | Monitors tunnel health and latency. |

Routing Behavior

1. Dynamic Routing (BGP)

  • Each branch advertises its on-prem CIDR to the VGW using BGP.
  • The VGW learns these routes and propagates them to other connected sites.
  • This enables automatic route sharing — branches can communicate without manual configuration.

2. Static Routing

  • If the on-prem router doesn't support BGP, static routes can be defined instead.
  • However, CloudHub works best with BGP, because BGP exchanges routes between sites automatically.

Security and Encryption

  • Each VPN connection consists of two IPsec tunnels for redundancy.
  • Traffic between branches is encrypted end-to-end.
  • AWS manages the VGW, ensuring high availability and fault tolerance across AZs.

Monitoring and Visibility

Use Amazon CloudWatch to:

  • Monitor tunnel state (UP/DOWN) via metrics like TunnelState.
  • Track bytes in/out, tunnel latency, and packet drop rates.
  • Trigger SNS alerts for tunnel failure.

Optionally, integrate with:

  • AWS Transit Gateway Network Manager
  • AWS CloudTrail (for API tracking)
  • AWS VPC Flow Logs (for traffic auditing)
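The alerting logic the CloudWatch bullets above describe, as an added worked example (this is the editor's code, not the post's and not an AWS SDK call): it evaluates TunnelState datapoints (the real metric name; 1 = up, 0 = down) for both tunnels of one Site-to-Site VPN connection and separates loss of redundancy (one tunnel down, traffic still flows) from loss of connectivity (both down), which is the condition worth paging on. The datapoints, the tunnel outside IPs and the period numbering are constructed, and the status names are assumptions.

```python
from collections import defaultdict

UP, DOWN = 1, 0

# Constructed TunnelState datapoints for one VPN connection with two tunnels:
# (period_index, tunnel_outside_ip, TunnelState). The outside IPs are placeholders
# from the 192.0.2.0/24 documentation range, not real AWS tunnel endpoints.
SAMPLES = [
    (0, "192.0.2.10", UP),   (0, "192.0.2.11", UP),    # both tunnels up
    (1, "192.0.2.10", UP),   (1, "192.0.2.11", DOWN),  # redundancy lost
    (2, "192.0.2.10", DOWN), (2, "192.0.2.11", DOWN),  # site unreachable
    (3, "192.0.2.10", UP),   (3, "192.0.2.11", DOWN),  # first tunnel recovered
    (4, "192.0.2.10", UP),   (4, "192.0.2.11", UP),    # fully recovered
    (5, "192.0.2.10", UP),   (5, "192.0.2.11", UP),    # steady state, no new alert
]


def per_period_states(samples):
    """Group datapoints by period: {period: {tunnel_ip: TunnelState}}."""
    by_period = defaultdict(dict)
    for period, tunnel, state in samples:
        by_period[period][tunnel] = state
    return dict(by_period)


def connection_status(states):
    """Classify one period from the per-tunnel states.

    The Maximum statistic over both tunnels answers "is anything up";
    the Minimum statistic answers "is everything up". Alarming on a single
    tunnel's TunnelState pages on every planned tunnel maintenance."""
    values = list(states.values())
    if max(values) == DOWN:
        return "DOWN"        # no tunnel up: alarm, SNS notification
    if min(values) == DOWN:
        return "DEGRADED"    # redundancy lost, traffic still flows: warn
    return "HEALTHY"


def status_timeline(samples):
    """Connection status for every period, in period order."""
    periods = per_period_states(samples)
    return [(p, connection_status(periods[p])) for p in sorted(periods)]


def alarm_transitions(samples):
    """Emit (period, new_status) only when the status changes, which is how an
    alarm-to-SNS pipeline avoids re-notifying every evaluation period."""
    transitions, previous = [], None
    for period, status in status_timeline(samples):
        if status != previous:
            transitions.append((period, status))
            previous = status
    return transitions


def flap_count(samples, tunnel):
    """Number of UP<->DOWN changes for one tunnel over the window. Many flaps in
    a short window usually point at IKE/DPD or rekey trouble rather than a hard
    outage, and deserve a different runbook than a sustained DOWN."""
    seq = [s for _, t, s in sorted(samples) if t == tunnel]
    return sum(1 for a, b in zip(seq, seq[1:]) if a != b)


if __name__ == "__main__":
    for period, status in alarm_transitions(SAMPLES):
        print(f"period {period}: connection {status}")
    for ip in ("192.0.2.10", "192.0.2.11"):
        print(f"{ip}: {flap_count(SAMPLES, ip)} state changes")
```

In CloudWatch terms, the DOWN branch corresponds to an alarm on TunnelState with the Maximum statistic over the connection's tunnels and the DEGRADED branch to one on the Minimum statistic; routing only the first to an SNS topic that pages people keeps planned single-tunnel maintenance out of the on-call rotation.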

Integration with Other AWS Services

| Integration | Description |
|---|---|
| Transit Gateway | CloudHub functionality is superseded by TGW, which supports scalable multi-VPC, multi-site connectivity. |
| Direct Connect | Can coexist with VPN CloudHub for hybrid redundancy (active/passive or active/active). |
| CloudWatch Logs | Centralized logging of tunnel health and performance metrics. |

Use Cases

Multi-Branch Connectivity

Connect multiple branch offices securely via AWS, without direct VPNs between each pair of sites.

Backup Network

Provide a failover path between branches when MPLS or SD-WAN fails.

Cloud Migration / Hybrid WAN

Gradual migration of branch connectivity onto the AWS cloud backbone.

Quick Global Expansion

Deploy secure WAN connectivity quickly over the AWS backbone, without physical links.

Sample Configuration

| Item | Example Value |
|---|---|
| VGW | Attached to VPC-A |
| Branch A | CGW-A (203.0.113.1) |
| Branch B | CGW-B (198.51.100.1) |
| Tunnel Encryption | AES-256 |
| Routing | BGP (ASN 65001, 65002) |
| Advertised CIDRs | Branch A: 10.1.0.0/16, Branch B: 10.2.0.0/16 |

Result:

  •        Traffic between 10.1.0.0/16 ↔ 10.2.0.0/16 flows securely via the VGW.
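The BGP route exchange from the Routing Behavior section, applied to the sample configuration above, as an added worked example (the editor's code, not the post's and not an AWS API): it models the route table the VGW learns from the two customer gateways, does longest-prefix forwarding between sites, and checks the two CloudHub requirements that make that routing possible, a unique BGP ASN per customer gateway and no overlapping address ranges between sites. The CGW names, IPs, ASNs and CIDRs are the post's sample values; CGW-C and its prefix are constructed to show the validation failing.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class CustomerGateway:
    name: str           # e.g. "CGW-A"
    public_ip: str      # the CGW's public endpoint
    bgp_asn: int        # must be unique per CGW on a CloudHub VGW
    advertised: tuple   # CIDRs the site advertises to the VGW over BGP


# Values from the post's sample configuration.
SAMPLE_GATEWAYS = (
    CustomerGateway("CGW-A", "203.0.113.1", 65001, ("10.1.0.0/16",)),
    CustomerGateway("CGW-B", "198.51.100.1", 65002, ("10.2.0.0/16",)),
)


def validate_cloudhub(gateways):
    """Return configuration errors; an empty list means the hub is consistent.

    Checks the documented CloudHub requirements: a unique BGP ASN for each
    customer gateway, and no overlapping address ranges between sites."""
    errors = []
    asn_owner = {}
    for gw in gateways:
        if gw.bgp_asn in asn_owner:
            errors.append(f"{gw.name}: ASN {gw.bgp_asn} already used by {asn_owner[gw.bgp_asn]}")
        else:
            asn_owner[gw.bgp_asn] = gw.name
    prefixes = [(gw.name, ip_network(cidr)) for gw in gateways for cidr in gw.advertised]
    for i, (site_a, net_a) in enumerate(prefixes):
        for site_b, net_b in prefixes[i + 1:]:
            if net_a.overlaps(net_b):
                errors.append(f"overlap: {site_a} {net_a} and {site_b} {net_b}")
    return errors


def build_vgw_routes(gateways):
    """The route table the VGW learns from BGP: prefix -> site that advertised it.

    Refuses an invalid hub, since CloudHub cannot route between sites whose
    prefixes overlap or whose gateways share an ASN."""
    errors = validate_cloudhub(gateways)
    if errors:
        raise ValueError("; ".join(errors))
    return {ip_network(cidr): gw.name for gw in gateways for cidr in gw.advertised}


def next_hop(routes, dst_ip):
    """Longest-prefix match over the learned routes; None if no site owns dst_ip."""
    addr = ip_address(dst_ip)
    best = None
    for net, site in routes.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def forward(routes, src_site, dst_ip):
    """Describe what the VGW does with a packet arriving from src_site for dst_ip."""
    site = next_hop(routes, dst_ip)
    if site is None:
        return "dropped: no route"
    if site == src_site:
        return "returned to same site"   # a branch's own traffic should never hairpin
    return f"forwarded to {site}"


if __name__ == "__main__":
    routes = build_vgw_routes(SAMPLE_GATEWAYS)
    for net, site in routes.items():
        print(f"{net}  via {site}")
    print(forward(routes, "CGW-A", "10.2.5.7"))   # forwarded to CGW-B
```

Running `validate_cloudhub` before creating the VPN connections catches the two mistakes that otherwise surface only as missing routes after the tunnels come up; a third site that reuses ASN 65001 or advertises a sub-range of 10.1.0.0/16 is rejected with both problems named.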

Comparison: CloudHub vs Transit Gateway

| Feature | VPN CloudHub | Transit Gateway (TGW) |
|---|---|---|
| Connectivity Model | Hub-and-spoke via VGW | Centralized hub for VPCs, VPNs, and Direct Connect |
| Scalability | Up to a few dozen sites | Thousands of attachments |
| Performance | VGW-limited (≈1.25 Gbps per tunnel) | TGW supports higher throughput |
| Routing Control | Basic BGP | Advanced route domains (route tables) |
| Ideal For | Simpler, smaller multi-branch networks | Complex, large-scale hybrid networks |

Diagram Suggestion

Title: AWS VPN CloudHub Architecture

Elements to include:

  • VGW in the center (hub)
  • Two or more on-prem CGWs (spokes)
  • Redundant VPN tunnels to VGW
  • BGP route exchange arrows between sites
  • CloudWatch monitoring lines
  • Optional Transit Gateway shown (gray/dashed) for evolution path
