Overview
AWS Site-to-Site VPN provides a secure IPSec connection between an on-premises network and an AWS VPC over the public internet.
It's often used in hybrid cloud architectures or as a backup to AWS Direct Connect.
Key Components
- Customer Gateway (CGW): The on-premises VPN endpoint (hardware appliance or software).
- Virtual Private Gateway (VGW): The AWS VPN concentrator attached to the VPC.
- Site-to-Site VPN Connection: The encrypted IPSec tunnel between CGW and VGW.
VPC Layout Example
- Public Subnet
  - Connected to Internet Gateway
  - Public EC2 instances
  - Security Groups, NACLs, and public route table
- Private Subnet
  - Private EC2 instances
  - Routes outbound internet traffic via NAT Gateway in the public subnet
  - Can access AWS services via VPC Endpoints
  - Can be monitored via VPC Flow Logs
Core Components in Detail
Virtual Private Gateway (VGW)
- AWS-managed VPN endpoint.
- Attach to the target VPC.
- Supports custom ASN for BGP routing.
Customer Gateway (CGW)
- On-premises VPN device or software.
- Must have a public IP address (or be behind a NAT device with NAT-T enabled).
Routing
- Enable Route Propagation on the route tables associated with subnets that will use the VPN.
- This allows routes learned via BGP from the VGW to be automatically added.
Security Groups & NACLs
- Security Groups: Allow specific protocols (e.g., ICMP, TCP) from on-prem CIDR.
- NACLs: Ensure inbound and outbound rules allow the traffic (stateless, so both directions must be configured).
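The VGW, CGW, connection, route propagation and security group described above, wired together as an added Terraform example (not from these notes). The VPC ID, route table ID, CGW public IP, CIDR and ASNs are placeholders/assumptions.

```hcl
# Added example: dynamic-routing (BGP) Site-to-Site VPN. All IDs, IPs, CIDRs
# and ASNs are placeholders; replace them with your own values.
variable "vpc_id"        { default = "vpc-0123456789abcdef0" } # placeholder
variable "private_rt_id" { default = "rtb-0123456789abcdef0" } # placeholder
variable "cgw_public_ip" { default = "203.0.113.10" }          # placeholder (TEST-NET-3)
variable "onprem_cidr"   { default = "10.10.0.0/16" }          # assumed on-prem range

# Virtual Private Gateway: the AWS side of the tunnel, attached to the VPC.
# A custom Amazon-side ASN is optional but must differ from the CGW ASN.
resource "aws_vpn_gateway" "vgw" {
  vpc_id          = var.vpc_id
  amazon_side_asn = 64512
}

# Customer Gateway: describes the on-prem device (public IP + its BGP ASN).
# If the device sits behind NAT, give its NAT public IP; NAT-T is negotiated.
resource "aws_customer_gateway" "cgw" {
  bgp_asn    = 65000
  ip_address = var.cgw_public_ip
  type       = "ipsec.1"
}

# The VPN connection; AWS creates two tunnels for redundancy automatically.
# Set static_routes_only = true (plus aws_vpn_connection_route) for static routing.
resource "aws_vpn_connection" "s2s" {
  vpn_gateway_id      = aws_vpn_gateway.vgw.id
  customer_gateway_id = aws_customer_gateway.cgw.id
  type                = "ipsec.1"
  static_routes_only  = false
}

# Route propagation: BGP-learned on-prem prefixes are added to the private
# subnet's route table without manual route entries.
resource "aws_vpn_gateway_route_propagation" "private" {
  vpn_gateway_id = aws_vpn_gateway.vgw.id
  route_table_id = var.private_rt_id
}

# Security group: admit only the on-prem CIDR, and only the protocols needed.
# NACLs are stateless and must separately allow the return traffic (not shown).
resource "aws_security_group" "from_onprem" {
  vpc_id = var.vpc_id
  ingress {
    description = "ICMP from on-prem"
    protocol    = "icmp"
    from_port   = -1
    to_port     = -1
    cidr_blocks = [var.onprem_cidr]
  }
  ingress {
    description = "SSH from on-prem"
    protocol    = "tcp"
    from_port   = 22
    to_port     = 22
    cidr_blocks = [var.onprem_cidr]
  }
}
```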
Use Cases
- Extend on-prem network to AWS securely.
- Hybrid workloads (e.g., DR, data sync).
- Private access to AWS services without traversing the public internet.
Exam Tips
- NAT-T is required if the CGW is behind NAT.
- Route Propagation must be enabled for dynamic routing.
- For static routing, manually add on-prem CIDRs to route tables.
- AWS Site-to-Site VPN supports two tunnels for redundancy (BGP or static).
- If you need consistent, lower-latency private connectivity, consider Direct Connect; VPN can be used as a failover.