Hybrid Environments
VPN
Essentials
Extends a network from one geographic location to another
Traffic traverses the Internet
Essentially "extending" the on-premise network to the cloud, or the cloud to on-premise
For AWS, this allows us to communicate with all resources (like an EC2 instance) internally without the need for public IP addresses and an internet gateway.
It also provides an additional level of security by ensuring that traffic sent using the VPN is encrypted
VPN connection has two parallel routes (IPsec tunnels) for redundancy
Only one Virtual Private Gateway can be attached to a VPC (just like only one IGW can be attached to a VPC)
A VPC can have one VPG and an IGW at the same time
Internet Protocol Security (IPsec)
Suite of secure network protocols for IPv4 (layer 3)
Provides Mutual Authentication
Provides Encryption - negotiation of keys
Customer Gateways
A physical or software application at the on-premise location that acts as the "connector" to the VPN connection
The customer gateway component is where you configure the public IP (internet routable static IP) address of the physical device or software application at the on-premise location.
Static Routing - you define routes
Dynamic Routing - routes automatically propagate, automatic failover
Border Gateway Protocol (BGP)
Autonomous System Number (ASN)
VPN Connection
Actual link between the VPG and the Customer Gateway
This is set up and managed by AWS
Each uses two IPsec tunnels for redundancy
Virtual Private Gateway (VPG)
A virtual private gateway acts as the "connector" on the VPC (AWS) side of the VPN connection
The VPG is connected to the VPC
Target for Route Tables
Cloud Hub - multiple customer networks
Note: Both a VPG and a Customer Gateway are required for a VPN
Router
AWS has no concept of physically setting up and managing routers
That being said, route tables are the configuration of an implicit "router" that AWS provides for your VPC
When a VPN is set up, the route table (for the subnet you wish to extend) must include routes for the on-premise network that are used by the VPN, and point them to the VPG. Choose route propagation for BGP to automatically add the routes.
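The route-table requirement above is easy to get wrong in practice: an on-premises prefix with no VPN route falls through to the 0.0.0.0/0 route and leaves via the IGW instead of the IPsec tunnels, and a more specific static route pointing at the IGW overrides a propagated VGW route because longest prefix wins. The following checker is an added example, not code from these notes or from AWS; it walks a route table shaped like the output of `aws ec2 describe-route-tables` (the `rtb-`, `vgw-`, `igw-` ids and all prefixes are constructed placeholders) and reports any on-premises prefix whose longest-match route does not point at the VGW, as well as a VGW without route propagation enabled.

```python
import ipaddress

# Constructed sample shaped like one entry of `aws ec2 describe-route-tables`
# output; the ids and prefixes are placeholders, not real infrastructure.
SAMPLE_ROUTE_TABLE = {
    "RouteTableId": "rtb-0EXAMPLE",
    "PropagatingVgws": [{"GatewayId": "vgw-0EXAMPLE"}],
    "Routes": [
        {"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0EXAMPLE"},
        # Route learned over BGP from the customer gateway (propagated)
        {"DestinationCidrBlock": "192.168.10.0/24", "GatewayId": "vgw-0EXAMPLE",
         "Origin": "EnableVgwRoutePropagation"},
        # Misconfigured static route: an on-premises prefix sent to the IGW
        {"DestinationCidrBlock": "192.168.20.0/24", "GatewayId": "igw-0EXAMPLE"},
        {"DestinationIpv6CidrBlock": "::/0", "GatewayId": "igw-0EXAMPLE"},
    ],
}

# Constructed on-premises prefixes that the VPN is supposed to carry.
ON_PREM_CIDRS = ["192.168.10.0/24", "192.168.20.0/24", "192.168.30.0/24"]


def matching_route(routes, network):
    """Return (matched_cidr, route) that traffic to `network` would take.

    Longest prefix wins. Only IPv4 routes with a DestinationCidrBlock are
    considered, matching the IPv4-only scope of the IPsec tunnels above.
    """
    best = None
    for route in routes:
        cidr = route.get("DestinationCidrBlock")
        if cidr is None:
            continue  # IPv6 or prefix-list route, not relevant here
        candidate = ipaddress.ip_network(cidr)
        if network.subnet_of(candidate):
            if best is None or candidate.prefixlen > best[0].prefixlen:
                best = (candidate, route)
    return best


def check_vpn_routes(route_table, vgw_id, on_prem_cidrs):
    """Return a list of findings; an empty list means the table is consistent."""
    findings = []
    propagating = {p["GatewayId"] for p in route_table.get("PropagatingVgws", [])}
    if vgw_id not in propagating:
        findings.append(
            f"{vgw_id}: route propagation is not enabled; on-premises routes must be "
            "maintained by hand and will not follow BGP failover"
        )
    for cidr in on_prem_cidrs:
        network = ipaddress.ip_network(cidr)
        match = matching_route(route_table.get("Routes", []), network)
        if match is None:
            findings.append(f"{cidr}: no route at all, traffic is dropped")
            continue
        matched_cidr, route = match
        target = route.get("GatewayId", route.get("NatGatewayId", "?"))
        if target != vgw_id:
            findings.append(
                f"{cidr}: longest match is {matched_cidr} -> {target}, not the VPN "
                f"gateway {vgw_id}; traffic will not enter the IPsec tunnels"
            )
    return findings


if __name__ == "__main__":
    for finding in check_vpn_routes(SAMPLE_ROUTE_TABLE, "vgw-0EXAMPLE", ON_PREM_CIDRS):
        print("FINDING:", finding)
```

Against the constructed table this reports two problems: 192.168.20.0/24 is caught by the more specific static route to the IGW, and 192.168.30.0/24 has no VPN route and falls through to 0.0.0.0/0. To run it against a real account, replace `SAMPLE_ROUTE_TABLE` with the parsed JSON of the route table attached to the subnet you are extending and pass the real VGW id.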