
AWS VPN (Site-to-Site VPN)

Detailed Content

AWS Site-to-Site VPN creates an encrypted connection between your Amazon Virtual Private Cloud (VPC) and your on-premises network. This allows you to securely extend your on-premises network into AWS, enabling hybrid cloud architectures. Traffic between your VPC and your on-premises network is encrypted as it travels over the public internet.

Core Concepts and Features

  • Customer Gateway (CGW): A resource that represents your customer gateway device or software application on your side of the Site-to-Site VPN connection. It provides the IP address of your on-premises VPN device.
  • Virtual Private Gateway (VGW): A virtual VPN concentrator on the Amazon side of the Site-to-Site VPN connection. You attach a VGW to your VPC to enable VPN connectivity.
  • VPN Connection: The connection between your Customer Gateway and your Virtual Private Gateway. Each VPN connection consists of two redundant IPsec VPN tunnels for high availability.
  • VPN Tunnels: Each VPN connection provides two tunnels, each with a unique public IP address. This redundancy ensures that if one tunnel fails, traffic can automatically fail over to the other tunnel.
  • VPN CloudHub: A feature that allows you to connect multiple on-premises sites to a single Virtual Private Gateway. This enables secure communication between your remote sites over the AWS network, acting as a hub-and-spoke model.
  • Transit Gateway VPN: When using AWS Transit Gateway, you can create a VPN attachment to the Transit Gateway. This allows your on-premises network to connect to multiple VPCs that are also attached to the same Transit Gateway, simplifying network architecture in complex multi-VPC environments.
  • Encryption: All traffic traversing the VPN connection is encrypted using IPsec (Internet Protocol Security) for data confidentiality and integrity.
  • Routing: You can configure routing for your VPN connection using either static routes or Border Gateway Protocol (BGP) dynamic routing.
  • High Availability: Each VPN connection provides two tunnels to ensure redundancy. For even higher availability, you can set up multiple VPN connections to different VGWs or use multiple CGWs.

Use Cases

  • Hybrid Cloud Connectivity: Securely extend your on-premises network to AWS, allowing your on-premises applications to communicate with AWS resources (e.g., EC2 instances, RDS databases) as if they were in the same network.
  • Disaster Recovery: Establish a secure connection for replicating data from on-premises to AWS for disaster recovery purposes, or for failing over applications to AWS in case of an on-premises outage.
  • Data Migration: Transfer data securely between your on-premises data centers and AWS for large-scale data migrations.
  • Secure Remote Access: While not its primary purpose, Site-to-Site VPN can be part of a solution to provide secure remote access for users to internal AWS resources.
  • Inter-Office Connectivity: Use VPN CloudHub to connect multiple branch offices securely over the AWS network.
  • Multi-VPC Connectivity: When combined with AWS Transit Gateway, provide secure connectivity from on-premises to multiple VPCs across different AWS accounts and regions.

Interview Questions

Conceptual Questions

  1. What is AWS Site-to-Site VPN and what problem does it solve?
    • AWS Site-to-Site VPN creates an encrypted connection between your Amazon VPC and your on-premises network over the public internet. It solves the problem of securely extending your on-premises network into AWS, enabling hybrid cloud architectures for secure data transfer and communication.
  2. Explain the key components of a Site-to-Site VPN connection: Customer Gateway, Virtual Private Gateway, and VPN Connection.
    • Customer Gateway (CGW): Represents your on-premises VPN device or software.
    • Virtual Private Gateway (VGW): The VPN concentrator on the AWS side, attached to your VPC.
    • VPN Connection: The logical connection between your CGW and VGW, consisting of two redundant IPsec tunnels.
  3. Why does AWS provision two VPN tunnels for each Site-to-Site VPN connection?
    • AWS provisions two redundant VPN tunnels for each connection to ensure high availability and fault tolerance. If one tunnel fails (e.g., due to an internet path issue or device failure), traffic can automatically fail over to the other tunnel, maintaining connectivity.
  4. What is VPN CloudHub and when would you use it?
    • VPN CloudHub allows you to connect multiple on-premises sites to a single Virtual Private Gateway. This enables secure communication between your remote sites over the AWS network, acting as a hub-and-spoke model. It's useful for inter-office connectivity and simplifying network architecture for distributed on-premises locations.
  5. How does a Site-to-Site VPN connection differ from AWS Direct Connect? When would you choose one over the other?
    • Site-to-Site VPN: Encrypted connection over the public internet. Lower cost, quicker to set up, but performance can be variable due to internet reliance.
    • Direct Connect: Dedicated, private network connection. Higher bandwidth, lower latency, more consistent performance, but higher cost and longer setup time.
    • Choose VPN: For quick setup, lower cost, or less critical workloads. Choose Direct Connect: For critical applications, large data transfers, strict performance requirements, or compliance needs that prohibit public internet transit.

Scenario-Based Questions

  1. Your company has an on-premises data center and needs to securely connect it to an Amazon VPC to access applications running on EC2 instances. The connection needs to be encrypted, but cost is a primary concern, and you don't have strict latency requirements. How would you establish this connectivity?
    • I would establish an AWS Site-to-Site VPN connection. This creates an encrypted tunnel over the public internet between my on-premises Customer Gateway and a Virtual Private Gateway attached to my VPC. It's a cost-effective solution for secure connectivity, and since strict latency is not a concern, the variability of the internet is acceptable.
  2. You have multiple branch offices, each with its own local network. You want to enable secure communication between these branch offices over the AWS network, and also allow them to access resources in your central VPC. How would you design this network architecture?
    • I would use AWS VPN CloudHub. I would establish a Site-to-Site VPN connection from each branch office's Customer Gateway to a single Virtual Private Gateway attached to my central VPC. VPN CloudHub would then allow the branch offices to communicate with each other securely over the AWS network, and also access resources in the central VPC, creating a hub-and-spoke topology.
  3. Your organization has a complex multi-VPC environment across several AWS accounts, and you need to establish secure connectivity from your on-premises data center to all these VPCs. You want to simplify routing and avoid a mesh of VPN connections. How would you achieve this?
    • I would use AWS Transit Gateway with a VPN attachment. I would establish a Site-to-Site VPN connection from my on-premises Customer Gateway to a VPN attachment on the Transit Gateway. All my VPCs would then be attached to the same Transit Gateway. This centralizes the connectivity from on-premises to all VPCs, simplifying routing and management, and overcoming the limitations of traditional VGWs and VPC peering.

Coding/CLI Examples

Here are some common AWS VPN operations using the AWS CLI and Python (Boto3).

AWS CLI Examples

  1. Create a Customer Gateway:

    ```bash
    aws ec2 create-customer-gateway \
      --type ipsec.1 \
      --public-ip 203.0.113.12 \
      --bgp-asn 65000 \
      --tag-specifications 'ResourceType=customer-gateway,Tags=[{Key=Name,Value=MyOnPremCGW}]'
    ```

  2. Create a Virtual Private Gateway and attach it to a VPC:

    ```bash
    VPC_ID="vpc-0abcdef1234567890"  # Replace with your VPC ID

    VGW_ID=$(aws ec2 create-vpn-gateway \
      --type ipsec.1 \
      --amazon-side-asn 64512 \
      --tag-specifications 'ResourceType=vpn-gateway,Tags=[{Key=Name,Value=MyVPCVGW}]' \
      --query 'VpnGateway.VpnGatewayId' --output text)
    echo "Created VGW: $VGW_ID"

    aws ec2 attach-vpn-gateway \
      --vpc-id "$VPC_ID" \
      --vpn-gateway-id "$VGW_ID"
    echo "Attached VGW $VGW_ID to VPC $VPC_ID"
    ```

  3. Create a Site-to-Site VPN Connection:

    ```bash
    CGW_ID="cgw-0abcdef1234567890"  # Replace with your Customer Gateway ID
    VGW_ID="vgw-0abcdef1234567890"  # Replace with your Virtual Private Gateway ID

    # StaticRoutesOnly=true disables BGP; add on-premises prefixes afterwards
    # with `aws ec2 create-vpn-connection-route`.
    aws ec2 create-vpn-connection \
      --type ipsec.1 \
      --customer-gateway-id "$CGW_ID" \
      --vpn-gateway-id "$VGW_ID" \
      --options "StaticRoutesOnly=true" \
      --tag-specifications 'ResourceType=vpn-connection,Tags=[{Key=Name,Value=MySiteToSiteVPN}]'
    ```

  4. Create a Transit Gateway VPN Attachment:

    ```bash
    TGW_ID="tgw-0abcdef1234567890"  # Replace with your Transit Gateway ID
    CGW_ID="cgw-0abcdef1234567890"  # Replace with your Customer Gateway ID

    # Passing --transit-gateway-id instead of --vpn-gateway-id creates the
    # VPN as a Transit Gateway attachment.
    aws ec2 create-vpn-connection \
      --type ipsec.1 \
      --customer-gateway-id "$CGW_ID" \
      --transit-gateway-id "$TGW_ID" \
      --options "StaticRoutesOnly=true" \
      --tag-specifications 'ResourceType=vpn-connection,Tags=[{Key=Name,Value=MyTGWVPN}]'
    ```

Python (Boto3) Examples

First, ensure you have Boto3 installed (pip install boto3) and your AWS credentials configured.

  1. Create a Customer Gateway:

    ```python
    import boto3
    from botocore.exceptions import ClientError

    ec2_client = boto3.client('ec2')

    customer_gateway_ip = "203.0.113.12"  # REPLACE with your on-premises public IP
    bgp_asn = 65000  # Your on-premises BGP ASN

    try:
        response = ec2_client.create_customer_gateway(
            BgpAsn=bgp_asn,
            PublicIp=customer_gateway_ip,
            Type='ipsec.1',
            TagSpecifications=[
                {
                    'ResourceType': 'customer-gateway',
                    'Tags': [{'Key': 'Name', 'Value': 'MyBoto3CGW'}],
                },
            ],
        )
        cgw_id = response['CustomerGateway']['CustomerGatewayId']
        print(f"Created Customer Gateway: {cgw_id}")
    except ClientError as e:
        # Typical causes: missing ec2:CreateCustomerGateway permission or a duplicate IP/ASN pair
        print(f"Error creating Customer Gateway: {e}")
    ```

  2. Create a Virtual Private Gateway and attach to VPC:

    ```python
    import boto3
    from botocore.exceptions import ClientError

    ec2_client = boto3.client('ec2')

    vpc_id = "vpc-0abcdef1234567890"  # REPLACE with your VPC ID

    try:
        response = ec2_client.create_vpn_gateway(
            Type='ipsec.1',
            AmazonSideAsn=64512,
            TagSpecifications=[
                {
                    'ResourceType': 'vpn-gateway',
                    'Tags': [{'Key': 'Name', 'Value': 'MyBoto3VGW'}],
                },
            ],
        )
        vgw_id = response['VpnGateway']['VpnGatewayId']
        print(f"Created Virtual Private Gateway: {vgw_id}")

        # A VGW must be attached to exactly one VPC before a VPN connection can use it
        ec2_client.attach_vpn_gateway(VpcId=vpc_id, VpnGatewayId=vgw_id)
        print(f"Attached VGW {vgw_id} to VPC {vpc_id}")
    except ClientError as e:
        print(f"Error creating/attaching VGW: {e}")
    ```

  3. Create a Site-to-Site VPN Connection:

    ```python
    import boto3
    from botocore.exceptions import ClientError

    ec2_client = boto3.client('ec2')

    cgw_id = "cgw-0abcdef1234567890"  # REPLACE with your Customer Gateway ID
    vgw_id = "vgw-0abcdef1234567890"  # REPLACE with your Virtual Private Gateway ID

    try:
        response = ec2_client.create_vpn_connection(
            Type='ipsec.1',
            CustomerGatewayId=cgw_id,
            VpnGatewayId=vgw_id,
            # StaticRoutesOnly disables BGP; add on-premises prefixes afterwards
            # with ec2_client.create_vpn_connection_route(...)
            Options={'StaticRoutesOnly': True},
            TagSpecifications=[
                {
                    'ResourceType': 'vpn-connection',
                    'Tags': [{'Key': 'Name', 'Value': 'MyBoto3SiteToSiteVPN'}],
                },
            ],
        )
        vpn_connection_id = response['VpnConnection']['VpnConnectionId']
        print(f"Created VPN Connection: {vpn_connection_id}")
    except ClientError as e:
        print(f"Error creating VPN Connection: {e}")
    ```