AWS Site-to-Site VPN Connections - Deep Dive & Hands-On.
Focus:
- Designed for DevOps / Cloud / DevSecOps engineers.
Scope:
- The concept of Site-to-Site VPN Connection,
- Core Components,
- Tunnel Architecture,
- Routing Options,
- Data Flow,
- Configuration Steps,
- Monitoring & Logging (services & Fonctions),
- Common Use Cases,
- Advanced Options,
- Security Considerations,
- Troubleshooting Guide (Symptoms, Common Causes & checks),
- Best Practices,
- Visual Architecture,
- Project: Hands-On.
1. The concept of AWS Site-to-Site VPN Connection
- An AWS Site-to-Site VPN Connection securely connects twtech on-premises network (or another cloud environment) to twtech Amazon VPC over the public Internet using IPSec (Internet Protocol Security) with encryption.
Site-to-Site VPN Connection allows:
- Private communication between on-prem and AWS.
- Hybrid workloads (e.g., Active Directory, backup, or analytics).
- A failover path to AWS Direct Connect.
2. Core Components
|
Component |
Description |
|
Customer Gateway (CGW) |
The on-premises VPN endpoint
(physical device or software). |
|
Virtual Private Gateway (VGW) |
The AWS-managed VPN concentrator
attached to twtech VPC. |
|
VPN Connection |
The logical IPSec link between Customer Gateway (CGW) and Virtual Private Gateway (VGW) — consists of two tunnels for High Availability (HA). |
|
Transit Gateway (TGW) |
A scalable hub that can aggregate
multiple VPNs, VPCs, and Direct Connect (DX) links. |
3. Tunnel Architecture
- Each VPN Connection includes two redundant IPSec tunnels for high availability:
- Terminate in separate AWS Availability
Zones.
- Each tunnel uses a different IP endpoint and encryption key.
- Only one tunnel is typically active, while the other serves as standby.
Protocols used:
- IKEv1 / IKEv2 for key exchange.
- ESP (Encapsulating Security Payload) for encryption.
- UDP ports 500 (IKE) and 4500 (NAT-T).
4. Routing Options
- AWS VPN supports two routing modes:
A. Static Routing
- Manually define prefixes for on-prem and AWS.
- Configured directly in the VPN Connection.
- Simpler but less fault-tolerant.
- Use case: Small, predictable networks.
B. Dynamic
Routing (BGP)
- AWS advertises VPC CIDRs via BGP.
- CGW advertises on-prem prefixes back to AWS.
- Enables automatic failover and route learning.
- Use case: Scalable, multi-site, or production networks.
5. Data Flow
6. Configuration Steps
Step 1 — Create a
Virtual Private Gateway
- In AWS Console → VPC → “Virtual Private
Gateway”.
- Attach it to the target VPC.
Step 2 — Define
the Customer Gateway
- Specify:
- Static IP of on-prem router.
- BGP ASN (if using dynamic routing).
- Routing type.
Step 3 — Create
the VPN Connection
- Choose VGW + CGW.
- Select BGP or static routing.
- Download AWS VPN configuration file (vendor-specific).
Step 4 —
Configure On-Prem Router
- Apply configuration (IPSec parameters, pre-shared keys, routes).
Step 5 — Update
VPC Route Tables
- Add on-prem CIDRs, next hop → VGW.
7.
Monitoring & Logging (services & Fonctions)
|
Service |
Function |
|
Amazon CloudWatch |
Tunnel metrics (UP/DOWN, bytes
in/out). |
|
CloudWatch Alarms |
Notify on tunnel failure. |
|
VPC Flow Logs |
Capture network traffic logs for VPN
interfaces. |
|
AWS Config |
Track VPN configuration drift. |
|
CloudTrail |
Log all configuration API calls. |
8. Common Use Cases
- Hybrid Cloud Connectivity
- Extend data centers to AWS securely.
- Direct Connect Backup
- VPN serves as an encrypted fallback if
DX fails.
- Multi-Region or Multi-Cloud Connectivity
- Connect multiple on-prem or GCP/Azure
locations to AWS.
- Branch Office Connectivity
- Each site maintains a VPN to the hub
TGW/VGW.
9. Advanced Options
Transit Gateway VPN
- Scales beyond a single VPC.
- Acts as a hub for multiple VPCs and on-prem connections.
- Simplifies route management across environments.
Accelerated VPN
- Uses AWS Global Accelerator edge network for lower latency and better performance.
VPN over Direct Connect (DX + VPN)
- Encrypt Direct Connect traffic with a VPN
overlay.
- Common for compliance requirements (e.g., HIPAA, PCI DSS)
10. Security
Considerations
- Enforce strong encryption (AES-256, SHA-2).
- Rotate pre-shared keys periodically.
- Use BGP MD5 authentication.
- Implement Security Groups + NACLs to restrict traffic.
- Enable end-to-end encryption even over VPN for sensitive workloads.
11. Troubleshooting Guide (Symptoms, Common Causes & checks)
|
Symptom |
Common Cause |
Check |
|
Tunnel Down |
Incorrect IKE parameters / PSK. |
Compare device config with AWS file |
|
No Route |
Missing static route or BGP prefix. |
Check VPC Route Table & BGP
session |
|
Only One Tunnel Active |
Redundancy misconfigured. |
Verify both tunnels are defined |
|
Slow Throughput |
MTU or Internet path issues. |
Tune MTU to 1436, verify no
fragmentation |
|
BGP Not Established |
ASN mismatch / Port blocked. |
Confirm firewall and routing
settings |
12. Best Practices
- Configure both tunnels in
production.
- Use BGP for route learning and failover.
- Enable CloudWatch alarms for TunnelState metrics.
- Store VPN configs in AWS Systems Manager Parameter Store.
- Automate provisioning via Terraform / CloudFormation / CDK.
- For large-scale designs, prefer Transit Gateway VPN attachments.
13. Visual Architecture
Project:
Hands-On
- How twtech uses Site-to-Site VPN Connections (within it VPC network) to:
- securely connects twtech on-premises network (or other cloud environment),
- to twtech Amazon VPC with IPSec (Internet Protocol Security) via encrypted public Internet.
Search for AWS service: VPC
- From
VPC console, navigate to: Virtual
Private network (VPN) / Customer gateways
- Create
customer gateways: to
host on-premises
Step-2:
- twtech creates the Virtul Private Gatewasys: VGW
Create
a Private Virtual Gateway: VGW
Step-3:
- twtech creates a site-to-site VPN connection:
Create VPN Connections:
Create site-to-site VPN connection:
NB:
- For twtech to establish connectection between Customer gateways (CGW) and Virtual Private Gateways (VGW), twtech must create a site-to-site VPN connection (S2S VPN).
- This works only in a hybrid environment, where On-premises and cloud Services Co-exist.
No comments:
Post a Comment