Overview
AWS VPN CloudHub enables secure communication between multiple remote sites by connecting each site to the same Virtual Private Gateway (VGW) over its own Site-to-Site VPN connection, so traffic between sites is relayed through AWS.
It’s useful when you have multiple branch offices that need to communicate securely via a central hub in AWS.
Key Features
- Hub-and-spoke topology
- VGW is the hub
- Each Customer Gateway (CGW) is a spoke
- All traffic is encrypted and traverses the public internet
- Supports dynamic routing using BGP for automatic route exchange
- Can be used for primary connectivity or as a backup to other connections (e.g., Direct Connect)
- Cost-effective for multi-site connectivity without requiring direct site-to-site links between branches
Setup Steps
- Create multiple Site-to-Site VPN connections to the same VGW from different CGWs.
- Use BGP for dynamic route advertisement between all sites.
- Ensure route tables in AWS and on-premises are configured to allow traffic between the branch offices via the VGW.
- Test cross-site communication to confirm routing is correct.
Architecture Summary
- A single VPC hosting workloads in multiple Availability Zones
- One Virtual Private Gateway attached to the VPC
- Multiple Customer Gateways from different on-premises locations connected to the same VGW
- Branch A can communicate with Branch B through AWS without a direct link between them
Exam Tips
- Works only with dynamic routing (BGP) — static routes won’t allow automatic branch-to-branch connectivity
- AWS VPN CloudHub is not a separate service — it’s an architectural pattern using existing Site-to-Site VPN features
- All communication still happens over the public internet, but is encrypted with IPsec
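The following model ties together the Setup Steps, the Architecture Summary and the Exam Tips above. It is an added example, not AWS code or the AWS API: it represents one VGW (the hub) with several customer gateways (the spokes), runs the two design checks a practitioner should make before building (each CGW needs a unique BGP ASN, and no site or VPC prefix may overlap another), shows what the VPC route table receives through VGW route propagation, and contrasts what a branch learns with BGP against static routing. All ids, addresses and ASNs are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass, field

# Hypothetical model of the CloudHub pattern (not AWS's API). All ids,
# addresses and ASNs below are constructed for illustration.


@dataclass(frozen=True)
class CustomerGateway:
    """One spoke: a branch office's VPN device (CGW) and the prefixes it advertises."""
    name: str
    public_ip: str
    bgp_asn: int
    prefixes: tuple  # on-premises CIDRs this site advertises over BGP


@dataclass
class CloudHub:
    """The hub: one VGW shared by every Site-to-Site VPN connection."""
    vgw_id: str
    vpc_cidr: str
    amazon_side_asn: int = 64512  # AWS's default ASN on the VGW side
    spokes: list = field(default_factory=list)

    def add_spoke(self, cgw: CustomerGateway) -> None:
        self.spokes.append(cgw)

    def validate(self) -> list:
        """Return the design problems to catch before building the VPN connections."""
        problems = []
        seen_asn = {}
        for s in self.spokes:
            # Every CGW must peer with the VGW under a unique ASN.
            if s.bgp_asn == self.amazon_side_asn:
                problems.append(f"{s.name}: ASN {s.bgp_asn} collides with the VGW's ASN")
            if s.bgp_asn in seen_asn:
                problems.append(f"{s.name}: ASN {s.bgp_asn} already used by {seen_asn[s.bgp_asn]}")
            seen_asn.setdefault(s.bgp_asn, s.name)
        # The VPC CIDR and all site prefixes must not overlap; otherwise the hub
        # cannot pick an unambiguous next hop for branch-to-branch traffic.
        owned = [("VPC", ipaddress.ip_network(self.vpc_cidr))]
        for s in self.spokes:
            owned += [(s.name, ipaddress.ip_network(p)) for p in s.prefixes]
        for i, (a_name, a_net) in enumerate(owned):
            for b_name, b_net in owned[i + 1:]:
                if a_net.overlaps(b_net):
                    problems.append(f"{a_name} {a_net} overlaps {b_name} {b_net}")
        return problems

    def vpc_route_table(self) -> dict:
        """Routes the VPC route table holds once VGW route propagation is enabled."""
        table = {self.vpc_cidr: "local"}
        for s in self.spokes:
            for p in s.prefixes:
                table[p] = self.vgw_id
        return table

    def learned_routes(self, site: str, routing: str = "dynamic") -> dict:
        """Routes a site learns from the hub.

        dynamic: BGP. The VGW re-advertises the VPC CIDR and every other spoke's
                 prefixes, which is what gives branch-to-branch reachability.
        static:  nothing is advertised; the site only has the static routes its
                 admin typed in, so there is no automatic branch-to-branch path.
        """
        if site not in {s.name for s in self.spokes}:
            raise ValueError(f"unknown site {site}")
        if routing != "dynamic":
            return {}
        learned = {self.vpc_cidr: self.vgw_id}
        for s in self.spokes:
            if s.name != site:
                for p in s.prefixes:
                    learned[p] = self.vgw_id
        return learned


def example_hub() -> CloudHub:
    """Constructed two-branch hub: one VPC, one VGW, two CGWs with unique ASNs."""
    hub = CloudHub(vgw_id="vgw-EXAMPLE", vpc_cidr="10.0.0.0/16")
    hub.add_spoke(CustomerGateway("branch-a", "203.0.113.10", 65001, ("192.168.10.0/24",)))
    hub.add_spoke(CustomerGateway("branch-b", "198.51.100.20", 65002, ("192.168.20.0/24",)))
    return hub


if __name__ == "__main__":
    hub = example_hub()
    print("design problems:", hub.validate() or "none")
    print("VPC route table:", hub.vpc_route_table())
    print("branch-a learns via BGP:", hub.learned_routes("branch-a"))
    print("branch-a learns with static routing:", hub.learned_routes("branch-a", "static"))
    # A third site that reuses branch-a's ASN and address range is rejected.
    bad = example_hub()
    bad.add_spoke(CustomerGateway("branch-c", "192.0.2.30", 65001, ("192.168.10.0/24",)))
    print("bad design:", bad.validate())
```

Running the script shows branch-a learning both the VPC CIDR and branch-b's prefix through the VGW under BGP, an empty set under static routing, and two findings for the bad design (duplicate ASN 65001 and the overlapping 192.168.10.0/24 range).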