VPC VPN Connections
A VPC can be connected to remote networks by using a VPN connection.
- AWS hardware VPN
- Connectivity can be established by creating an IPsec, hardware VPN connection between the VPC and the remote network.
- On the AWS side of the VPN connection, a virtual private gateway (VGW) provides two VPN endpoints for automatic failover.
- On the customer side, a customer gateway (CGW) needs to be configured; this is the physical device or software application on the remote side of the VPN connection.
- AWS Direct Connect
- AWS Direct Connect provides a dedicated private connection from a remote network to your VPC.
- Direct Connect can be combined with an AWS hardware VPN connection to create an IPsec-encrypted connection
- AWS VPN CloudHub
- For more than one remote network, e.g. multiple branch offices, multiple AWS hardware VPN connections can be created via the VPC to enable communication between these networks.
- Software VPN
- VPN connection can be created to the remote network by using an Amazon EC2 instance in the VPC that’s running a software VPN appliance.
- AWS does not provide or maintain software VPN appliances; however, there is a range of products provided by partners and open source communities.
Hardware VPN Connection
- Virtual Private Gateway
- A virtual private gateway is the VPN concentrator on the Amazon side of the VPN connection
- A VPC can only have one attached virtual private gateway
- Customer Gateway
- A customer gateway is a physical device or software application on the customer side of the VPN connection.
- When a VPN connection is created, the VPN tunnel comes up when traffic is generated from the remote side of the VPN connection.
- The virtual private gateway is not the initiator; the customer gateway must initiate the tunnels.
- If the VPN connection experiences a period of idle time, usually 10 seconds, depending on the configuration, the tunnel may go down. To prevent this, a network monitoring tool can be used to generate keepalive pings, e.g. by using IP SLA.
- VPC has an attached virtual private gateway, and the remote network includes a customer gateway, which must be configured to enable the
- Routing must be set up so that any traffic from the VPC bound for the remote network is routed to the virtual private gateway.
- Multiple VPN connections to a single VPC can be created, and a second customer gateway can be configured to create a redundant connection to the same external location or to create VPN connections to multiple geographic locations.
VPN Routing Options
- For a VPN connection, the route table for the subnets should be updated with the type of routing (static or dynamic) that you plan to use.
- Route tables determine where network traffic is directed. Traffic destined for the VPN connections must be routed to the virtual private gateway.
- The type of routing you select can depend on the make and model of your VPN device.
- BGP dynamic routing
- If the VPN device supports Border Gateway Protocol (BGP), specify dynamic routing when you configure your VPN connection.
- When using a BGP device, static routes need not be specified to the VPN connection because the device uses BGP to advertise its routes to the virtual private gateway.
- BGP-capable devices are recommended as the BGP protocol offers robust liveness detection checks that can assist failover to the second VPN tunnel if the first tunnel goes down.
- Static Routing
- If your device does not support BGP, specify static routing.
- With static routing, the routes (IP prefixes) that should be communicated to the virtual private gateway are specified manually.
- Devices that don’t support BGP may also perform health checks to assist failover to the second tunnel when needed.
- Only IP prefixes known to the virtual private gateway, either through BGP advertisement or static route entry, can receive traffic from your VPC.
- The virtual private gateway does not route any other traffic, i.e. traffic destined outside the advertised BGP prefixes, static route entries, or its attached VPC CIDR.
VPN Connection Redundancy
- A VPN connection is used to connect the customer network to a VPC.
- Each VPN connection has two tunnels to help ensure connectivity in case one of the VPN connections becomes unavailable, with each tunnel using a unique virtual private gateway public IP address.
- Both tunnels should be configured for redundancy.
- When one tunnel becomes unavailable, e.g. because it is down for maintenance, network traffic is automatically routed to the available tunnel for that specific VPN connection.
- To protect against a loss of connectivity in case the customer gateway becomes unavailable, a second VPN connection can be set up to the VPC and virtual private gateway by using a second customer gateway.
- The customer gateway IP address for the second VPN connection must be publicly accessible.
- By using redundant VPN connections and customer gateways, maintenance on one of the customer gateways can be performed while traffic continues to flow over the second customer gateway’s VPN connection.
- Dynamically routed VPN connections that use the Border Gateway Protocol (BGP) are recommended, if available, to exchange routing information between the customer gateways and the virtual private gateways.
- Statically routed VPN connections require static routes for the network to be entered on the customer gateway side.
- BGP-advertised and statically entered route information allow gateways on both sides to determine which tunnels are available and reroute traffic if a failure occurs.
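A toy model of the forwarding rule described in the routing and redundancy notes above: the virtual private gateway only forwards to prefixes it has learned (static entries, BGP advertisements) or its own VPC CIDR, shifts traffic to the second tunnel when one goes down, and falls back to a second customer gateway's connection when both tunnels of the first are down. This is an added illustration, not AWS code; the class names, the customer gateway addresses (203.0.113.x) and the prefixes are constructed.

```python
import ipaddress

# Added example, not AWS code. Assumed rules, taken from the notes: only the
# attached VPC CIDR, static route entries and BGP-advertised prefixes are
# routable; each VPN connection has two tunnels; a redundant customer gateway
# advertising the same prefix is used once the first connection has no live tunnel.

class VpnConnection:
    def __init__(self, name, cgw_ip, prefixes):
        self.name = name
        self.cgw_ip = cgw_ip          # public IP of the customer gateway (constructed)
        # prefixes learned for this connection (static entries or BGP advertisements)
        self.prefixes = [ipaddress.ip_network(p) for p in prefixes]
        # both tunnels configured; liveness detection marks them up or down
        self.tunnels = {"tunnel1": True, "tunnel2": True}

    def set_tunnel(self, tunnel, up):
        self.tunnels[tunnel] = up

    def available_tunnel(self):
        return next((t for t, up in self.tunnels.items() if up), None)

class VirtualPrivateGateway:
    def __init__(self, vpc_cidr):
        self.vpc_cidr = ipaddress.ip_network(vpc_cidr)
        self.connections = []

    def attach(self, conn):
        self.connections.append(conn)

    def route(self, dst_ip):
        """Return ('vpc', None), (connection name, tunnel) or ('drop', reason)."""
        dst = ipaddress.ip_address(dst_ip)
        if dst in self.vpc_cidr:
            return ("vpc", None)
        # longest-prefix match over everything the VGW has learned
        matches = [(net.prefixlen, conn) for conn in self.connections
                   for net in conn.prefixes if dst in net]
        if not matches:
            return ("drop", "not a static entry, BGP advertisement or the VPC CIDR")
        longest = max(plen for plen, _ in matches)
        # among equally specific routes (e.g. a redundant customer gateway
        # advertising the same prefix) use the first connection with a live tunnel
        for plen, conn in matches:
            if plen == longest:
                tunnel = conn.available_tunnel()
                if tunnel is not None:
                    return (conn.name, tunnel)
        return ("drop", "no live tunnel on any connection for this prefix")
```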
- VPN CloudHub can be used to provide secure communication between sites if you have multiple VPN connections.
- VPN CloudHub operates on a simple hub-and-spoke model that can be used with or without a VPC.
- The design is suitable for customers with multiple branch offices and existing Internet connections who would like to implement a convenient, potentially low-cost hub-and-spoke model for primary or backup connectivity between these remote offices.
- In the VPN CloudHub architecture diagram, the blue dashed lines indicate network traffic between remote sites being routed over their VPN connections.
- AWS VPN CloudHub requires a virtual private gateway with multiple customer gateways.
- Each customer gateway can have either a unique or the same Border Gateway Protocol (BGP) Autonomous System Number (ASN).
- Customer gateways advertise the appropriate routes (BGP prefixes) over their VPN connections.
- Routing advertisements are received and re-advertised to each BGP peer, enabling each site to send data to and receive data from the other sites.
- Routes for each spoke must have unique ASNs and the sites must not have overlapping IP ranges.
- Each site can also send and receive data from the VPC as if they were using a standard VPN connection.
- Sites that use AWS Direct Connect connections to the virtual private gateway can also be part of the AWS VPN CloudHub.
- To configure the AWS VPN CloudHub:
- multiple customer gateways are created, each with the gateway's unique public IP address and its ASN.
- a VPN connection is created from each customer gateway to a common virtual private gateway.
- each VPN connection must advertise its specific BGP routes. This is done using the network statements in the VPN configuration files for the VPN connection.
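A small design check for the CloudHub setup just described: it enforces the rules the notes state (a unique public IP and ASN per customer gateway, no overlapping IP ranges between sites or with the VPC) and works out what each spoke learns once the virtual private gateway re-advertises routes. Added example, not AWS code; the site names, ASNs, addresses and prefixes in the test are constructed.

```python
import ipaddress

# Added example, not AWS code: validates CloudHub preconditions from the notes
# (unique customer gateway IP and BGP ASN per site, no overlapping prefixes)
# and computes the hub-and-spoke re-advertisement: each spoke receives the
# VPC CIDR plus every other site's prefixes, never its own.

def build_cloudhub(vpc_cidr, sites):
    """sites: list of dicts with keys name, cgw_ip, asn, prefixes.
    Returns {site name: sorted list of prefixes that site learns};
    raises ValueError when the design breaks a CloudHub rule."""
    vpc = ipaddress.ip_network(vpc_cidr)
    seen_asn = {}                 # asn -> site that already uses it
    seen_ip = {}                  # customer gateway public IP -> site
    known = [(vpc, "VPC")]        # (network, owner) for overlap checks
    for site in sites:
        asn, cgw_ip = site["asn"], site["cgw_ip"]
        if asn in seen_asn:
            raise ValueError(f"ASN {asn} used by both {seen_asn[asn]} and {site['name']}")
        if cgw_ip in seen_ip:
            raise ValueError(f"CGW IP {cgw_ip} used by both {seen_ip[cgw_ip]} and {site['name']}")
        seen_asn[asn] = site["name"]
        seen_ip[cgw_ip] = site["name"]
        for p in site["prefixes"]:
            net = ipaddress.ip_network(p)
            for other, owner in known:
                if net.overlaps(other):
                    raise ValueError(f"{site['name']} {net} overlaps {owner} {other}")
            known.append((net, site["name"]))
    # hub-and-spoke re-advertisement via the common virtual private gateway
    table = {}
    for site in sites:
        learned = [str(vpc)]
        for other in sites:
            if other is not site:
                learned.extend(other["prefixes"])
        table[site["name"]] = sorted(learned)
    return table
```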
Sample Exam Questions
- Questions are collected from the Internet and the answers are marked as per my knowledge and understanding (which might differ from yours).
- AWS services are updated every day and both the answers and questions might be outdated soon, so research accordingly.
- AWS exam questions are not updated to keep pace with AWS updates, so even if the underlying feature has changed the question might not be updated.
- Open to further feedback, discussion and correction.
- You have in total 5 offices, and the entire employee-related information is stored on AWS VPC instances. Now all the offices want to connect to the instances in the VPC using VPN. Which of the below helps you implement this?
- you can have redundant customer gateways between your data center and your VPC
- you can have multiple locations connected to the AWS VPN CloudHub
- You have to define 5 different static IP addresses in the route table.
- 1 and 2
- 1,2 and 3
- You have in total 15 offices, and the entire employee-related information is stored on AWS VPC instances. Now all the offices want to connect to the instances in the VPC using VPN. What problem do you see in this scenario?
- You cannot create more than 1 VPN connection with a single VPC (can be created)
- You cannot create more than 10 VPN connections with a single VPC (soft limit can be extended)
- When you create multiple VPN connections, the virtual private gateway cannot send network traffic to the appropriate VPN connection using statically assigned routes. (can route the traffic to the correct connection)
- Statically assigned routes cannot be configured in case of more than 1 VPN with a virtual private gateway. (can be configured)
- None of the above