Site-to-Site VPN Connections | Deep Dive & Hands-On.

Here’s twtech deep dive into AWS Site-to-Site VPN connections.

View:

•        Designed for DevOps / Cloud / DevSecOps engineers who want to understand :
•        Architecture,
•        Routing,
•        Redundancy,
•       Integration with hybrid and multi-cloud setups.

Breakdown:

•        The concept: Site-to-Site VPN Connection,
•        Core Components,
•        Tunnel Architecture,
•        Routing Options,
•        Data Flow,
•        Configuration Steps,
•        Monitoring & Logging,
•        Common Use Cases,
•        Advanced Options,
•        Security Considerations,
•        Troubleshooting Guide,
•        Best Practices,
•        Visual Architecture.

1. The concept: Site-to-Site VPN Connection

• An AWS Site-to-Site VPN Connection securely connects twtech on-premises network (or another cloud environment) to twtech Amazon VPC over the public Internet using IPSec (Internet Protocol Security) encryption.

It allows:

• Private communication between on-prem and AWS.
• Hybrid workloads (e.g., Active Directory, backup, or analytics).
• A failover path to AWS Direct Connect.

 2. Core Components

Component	Description
Customer Gateway (CGW)	The on-premises VPN endpoint (physical device or software).
Virtual Private Gateway (VGW)	The AWS-managed VPN concentrator attached to twtech VPC.
VPN Connection	The logical IPSec link between CGW and VGW — consists of two tunnels for HA.
Transit Gateway (TGW)	A scalable hub that can aggregate multiple VPNs, VPCs, and DX links.

 3. Tunnel Architecture

• Each VPN Connection includes two redundant IPSec tunnels for high availability:
• Terminate in separate AWS Availability Zones.
• Each tunnel uses a different IP endpoint and encryption key.
• Only one tunnel is typically active, while the other serves as standby.

Protocols used:

• IKEv1 / IKEv2 for key exchange.
• ESP (Encapsulating Security Payload) for encryption.
• UDP ports 500 (IKE) and 4500 (NAT-T).

 4. Routing Options

• AWS VPN supports two routing modes:

a. Static Routing

• Manually define prefixes for on-prem and AWS.
• Configured directly in the VPN Connection.
• Simpler but less fault-tolerant.
• Use case: Small, predictable networks.

b. Dynamic Routing (BGP)

• AWS advertises VPC CIDRs via BGP.
• CGW advertises on-prem prefixes back to AWS.
• Enables automatic failover and route learning.
• Use case: Scalable, multi-site, or production networks.

 5. Data Flow

 6. Configuration Steps

Step 1 — Create a Virtual Private Gateway

• In AWS Console → VPC → “Virtual Private Gateway”.
• Attach it to the target VPC.

Step 2 — Define the Customer Gateway

• Specify:
• Static IP of on-prem router.
• BGP ASN (if using dynamic routing).
• Routing type.

Step 3 — Create the VPN Connection

• Choose VGW + CGW.
• Select BGP or static routing.
• Download AWS VPN configuration file (vendor-specific).

Step 4 — Configure On-Prem Router

• Apply configuration (IPSec parameters, pre-shared keys, routes).

Step 5 — Update VPC Route Tables

• Add on-prem CIDRs, next hop → VGW.

7. Monitoring & Logging

Service	Function
Amazon CloudWatch	Tunnel metrics (UP/DOWN, bytes in/out).
CloudWatch Alarms	Notify on tunnel failure.
VPC Flow Logs	Capture network traffic logs for VPN interfaces.
AWS Config	Track VPN configuration drift.
CloudTrail	Log all configuration API calls.

 8. Common Use Cases

1. Hybrid Cloud Connectivity
• Extend data centers to AWS securely.
2. Direct Connect Backup
• VPN serves as an encrypted fallback if DX fails.
3. Multi-Region or Multi-Cloud Connectivity
• Connect multiple on-prem or GCP/Azure locations to AWS.
4. Branch Office Connectivity
• Each site maintains a VPN to the hub TGW/VGW.

 9. Advanced Options

 Transit Gateway VPN

• Scales beyond a single VPC.
• Acts as a hub for multiple VPCs and on-prem connections.
• Simplifies route management across environments.

 Accelerated VPN

• Uses AWS Global Accelerator edge network for lower latency and better performance.

 VPN over Direct Connect (DX + VPN)

• Encrypt Direct Connect traffic with a VPN overlay.
• Common for compliance requirements (e.g., HIPAA, PCI DSS)

 10. Security Considerations

• Enforce strong encryption (AES-256, SHA-2).
• Rotate pre-shared keys periodically.
• Use BGP MD5 authentication.
• Implement Security Groups + NACLs to restrict traffic.
• Enable end-to-end encryption even over VPN for sensitive workloads.

 11. Troubleshooting Guide

Symptom	Common Cause	Check
Tunnel Down	Incorrect IKE parameters / PSK.	Compare device config with AWS file
No Route	Missing static route or BGP prefix.	Check VPC Route Table & BGP session
Only One Tunnel Active	Redundancy misconfigured.	Verify both tunnels are defined
Slow Throughput	MTU or Internet path issues.	Tune MTU to 1436, verify no fragmentation
BGP Not Established	ASN mismatch / Port blocked.	Confirm firewall and routing settings

 12. Best Practices

• Configure both tunnels in production.
• Use BGP for route learning and failover.
• Enable CloudWatch alarms for TunnelState metrics.
• Store VPN configs in AWS Systems Manager Parameter Store.
• Automate provisioning via Terraform / CloudFormation / CDK.
• For large-scale designs, prefer Transit Gateway VPN attachments.

 13. Visual Architecture

Project: Hands-On

How twtech uses Site-to-Site VPN Connections in it network to securely connects twtech on-premises network (or another cloud environment) to twtech Amazon VPC over the public Internet using IPSec (Internet Protocol Security) encryption.

Search for AWS service: VPC

From VPC console, navigate to: Virtual Private network (VPN) / Customer gateways

Create customer gateways: to host on-premises

How twtech create  Virtul Private Gatewasys: VGW

 

Create a Private Virtual Gateway: VGW

How twtech creates a site-to-site VPN connection:

Create VPN Connections:

Create site-to-site VPN connection:

NB:

For twtech to connect Customer gateways (CGW) and Virtual Private Gateways (VGW), it needs to create a site-to-site VPN connection (S2S VPN)