Summary of Site-to-Site VPN in AWS
Site-to-Site VPN lets you connect your Virtual Private Cloud (VPC) in AWS to your corporate data center securely over the public internet. The connection runs through encrypted IPsec tunnels, so the data stays confidential even though it crosses public networks.
Key Components:
- Customer Gateway (CGW): Located on the corporate data center side, this can be a software or physical device. AWS has tested a variety of devices for compatibility.
- Virtual Private Gateway (VGW): Situated on the AWS side, attached to the VPC. It acts as a VPN concentrator for the VPN connection. Users can customize the Autonomous System Number (ASN) if required.
Setup Process:
- Determine the IP address for the CGW:
  - If the CGW is publicly accessible, use its public IP.
  - If the CGW is private, it may sit behind a NAT device with NAT traversal (NAT-T) enabled; in that case use the public IP of the NAT device.
- Enable Route Propagation: For the site-to-site VPN connection to function, route propagation from the VGW must be enabled on the route tables of your VPC subnets; otherwise the subnets never learn the on-premises routes.
- Security Group Configuration for EC2: Ensure the inbound rules of the security group allow the ICMP protocol (ideally only from the on-premises address range) so that EC2 instances can be pinged from the corporate network.
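The setup steps above expressed as a Terraform configuration (an added example, not part of the original notes or of AWS documentation); the VPC ID, route table ID, CGW public IP, on-premises CIDR and ASNs are assumed placeholder values.

```terraform
# Placeholder IDs, addresses and ASNs below are assumed values, not real ones.
variable "vpc_id"             { default = "vpc-0123456789abcdef0" }
variable "subnet_route_table" { default = "rtb-0123456789abcdef0" }
variable "cgw_public_ip"      { default = "203.0.113.10" } # CGW public IP, or the NAT device's public IP (NAT-T)
variable "on_prem_cidr"       { default = "10.10.0.0/16" } # corporate network range

# Customer Gateway: represents the on-premises device (physical or software)
resource "aws_customer_gateway" "corp" {
  bgp_asn    = 65000 # on-premises ASN (private range)
  ip_address = var.cgw_public_ip
  type       = "ipsec.1"
  tags       = { Name = "corp-dc-cgw" }
}

# Virtual Private Gateway: the AWS-side VPN concentrator, attached to the VPC
resource "aws_vpn_gateway" "vgw" {
  vpc_id          = var.vpc_id
  amazon_side_asn = 64512 # the AWS-side ASN can be customized
  tags            = { Name = "vpc-vgw" }
}

# The Site-to-Site VPN connection itself (two IPsec tunnels, dynamic BGP routing)
resource "aws_vpn_connection" "corp" {
  vpn_gateway_id      = aws_vpn_gateway.vgw.id
  customer_gateway_id = aws_customer_gateway.corp.id
  type                = "ipsec.1"
  static_routes_only  = false
}

# Route propagation: without this the subnet route table never learns on-prem routes
resource "aws_vpn_gateway_route_propagation" "corp" {
  vpn_gateway_id = aws_vpn_gateway.vgw.id
  route_table_id = var.subnet_route_table
}

# Security group for the EC2 instances that must answer pings from the corporate network
resource "aws_security_group" "app" {
  name   = "app-sg"
  vpc_id = var.vpc_id
}

# Allow ICMP echo requests only from the on-premises CIDR, never from 0.0.0.0/0
resource "aws_security_group_rule" "icmp_from_corp" {
  type              = "ingress"
  protocol          = "icmp"
  from_port         = 8  # ICMP type 8 = echo request
  to_port           = -1 # any ICMP code
  cidr_blocks       = [var.on_prem_cidr]
  security_group_id = aws_security_group.app.id
}
```

The tunnel endpoints and pre-shared keys for the on-premises device come from the generated VPN connection configuration in AWS, not from this file.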

Advanced Feature: AWS VPN CloudHub
- Use Case: For organizations with multiple customer networks or data centers, AWS VPN CloudHub facilitates secure communication between these sites over the public internet using encrypted VPN connections.
- Configuration: Establish multiple site-to-site VPN connections on the same VGW, enable dynamic routing, and configure your route tables for inter-site communication.

Exam Tips:
- Remember the importance of IP addressing for the CGW, whether it's public or behind a NAT device.
- Understand the necessity of enabling route propagation for VPN functionality.
- Know that security groups must allow ICMP for EC2 instances to be pinged from on-premises networks.
- Familiarize yourself with AWS VPN CloudHub for connecting multiple customer networks securely.