AWS VPN connections can be used to connect on-premises data centers with AWS.
VPN connections allow secure IPsec connections between your AWS resources and the data center or branch office.
AWS Site-to-Site VPN (also referred to as AWS Hardware VPN or AWS Managed VPN)
Connectivity is established by setting up an IPsec (hardware) VPN connection between the VPC and the remote network.
A Virtual Private Gateway (VGW), located on the AWS side of the VPN connection, provides two VPN endpoints (tunnels) that can be used for automatic failover.
A customer gateway (CGW), the physical device or software application on the remote end of the VPN connection, must be configured on the customer side.
AWS Client VPN
AWS Client VPN is a managed client-based VPN service that allows secure access to AWS resources as well as resources in the on-premises network.
AWS VPN CloudHub
AWS VPN CloudHub allows multiple remote networks, e.g. multiple branch offices, to be connected through the VPC, which also enables communication between those remote networks.
AWS Software VPN
A VPN connection to a remote network can be made by using an EC2 instance within the VPC that runs a third-party software VPN appliance.
AWS does not offer or maintain third-party VPN appliances. However, AWS partners and open source communities provide a variety of products.
AWS Direct Connect offers a dedicated private connection between your VPC and a remote network. Direct Connect can be combined with an AWS hardware VPN connection to create an IPsec-encrypted connection over it.
VPN Components
Virtual Private Gateway – VGW
A virtual private gateway is the VPN concentrator on the AWS side of the VPN connection.
Customer Gateway – CGW
A customer gateway is a physical device or software application on the customer's side of the VPN connection.
The VPN tunnel is created when traffic is generated from the remote side of the VPN connection.
The VGW is not the initiator by default; the CGW must generate traffic and initiate the Internet Key Exchange (IKE) negotiation to bring up the tunnels.
Depending on the configuration, the tunnel can go down if the connection carries no traffic for more than 10 seconds. A network monitoring tool (for example, IP SLA) can be used to generate keepalive packets.
Transit Gateway
A transit gateway can be used to connect VPCs and on-premises networks.
Site-to-Site VPN connections on transit gateways can support either IPv4 or IPv6 traffic within the VPN tunnels.
VPN Routing Options
For a VPN connection, choose the type of routing you intend to use (static or dynamic) and update the route table accordingly.
Route tables determine where network traffic is directed. Traffic destined for the VPN connection must be routed to the virtual private gateway through the route tables.
The type of routing depends on the make and model of the CGW device.
Static Routing
If your device does not support BGP, you can specify static routing.
Static routing allows you to specify the routes (IP prefixes) that should be communicated to the virtual private gateway.
Devices that do not support BGP may perform health checks to aid failover to the second tunnel if necessary.
BGP Dynamic Routing
If your VPN device supports Border Gateway Protocol (BGP), you can specify dynamic routing for your VPN connection.
With a BGP device, static routes do not need to be specified for the VPN connection, because the device uses BGP to auto-discover and advertise its routes to the virtual private gateway.
BGP-capable devices are recommended, as BGP provides robust liveness detection checks that can assist failover to the second VPN tunnel if the first tunnel goes down.
Only IP prefixes are known to the virtual private gateway.
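The routing checks in this section and the tunnel behaviour described under VPN Components (the CGW initiates, and each of the two VGW endpoints reports its own tunnel status) can be turned into a small configuration audit. The following Python script is an added example, not code from this page or from AWS: the VPN connection and route table dictionaries are constructed to mimic the shape of `aws ec2 describe-vpn-connections` and `aws ec2 describe-route-tables` output, and every ID and address in them is a placeholder. It reports tunnels that are down, BGP tunnels that are up but learned no prefixes, static prefixes with no route to the VGW, and BGP connections whose VPC route table never enabled propagation from the VGW.

```python
"""Audit a Site-to-Site VPN connection against its VPC route table (added example)."""

# Constructed: a static-routing connection with its second tunnel down.
VPN_STATIC = {
    "VpnConnectionId": "vpn-0123456789abcdef0",          # placeholder ID
    "VpnGatewayId": "vgw-0a1b2c3d4e5f67890",             # placeholder ID
    "CustomerGatewayId": "cgw-0fedcba9876543210",        # placeholder ID
    "Options": {"StaticRoutesOnly": True},
    "Routes": [{"DestinationCidrBlock": "10.10.0.0/16", "Source": "Static", "State": "available"}],
    "VgwTelemetry": [
        {"OutsideIpAddress": "203.0.113.10", "Status": "UP", "AcceptedRouteCount": 1, "StatusMessage": ""},
        {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN", "AcceptedRouteCount": 0, "StatusMessage": "IPSEC IS DOWN"},
    ],
}

# Constructed: a BGP connection, both tunnels up, but one learned nothing from the peer.
VPN_BGP = {
    "VpnConnectionId": "vpn-0fedcba9876543210",          # placeholder ID
    "VpnGatewayId": "vgw-0a1b2c3d4e5f67890",             # placeholder ID
    "CustomerGatewayId": "cgw-0123456789abcdef0",        # placeholder ID
    "Options": {"StaticRoutesOnly": False},
    "Routes": [],
    "VgwTelemetry": [
        {"OutsideIpAddress": "198.51.100.10", "Status": "UP", "AcceptedRouteCount": 3, "StatusMessage": ""},
        {"OutsideIpAddress": "198.51.100.11", "Status": "UP", "AcceptedRouteCount": 0, "StatusMessage": ""},
    ],
}

# Constructed VPC route table: one explicit route to the VGW, no route propagation enabled.
ROUTE_TABLE = {
    "RouteTableId": "rtb-00112233445566778",             # placeholder ID
    "PropagatingVgws": [],
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
        {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": "vgw-0a1b2c3d4e5f67890", "State": "active"},
    ],
}


def routing_mode(conn):
    """'static' when the connection was created with StaticRoutesOnly, otherwise 'bgp'."""
    return "static" if conn.get("Options", {}).get("StaticRoutesOnly") else "bgp"


def tunnel_findings(conn):
    """Flag tunnels that are not UP and, for BGP, tunnels that are UP but accepted no routes."""
    findings = []
    tunnels = conn.get("VgwTelemetry", [])
    down = [t for t in tunnels if t["Status"] != "UP"]
    for t in down:
        findings.append(f"tunnel {t['OutsideIpAddress']} is {t['Status']}: {t['StatusMessage'] or 'no message'}")
    if tunnels and len(down) == len(tunnels):
        # The VGW does not initiate; only CGW-side traffic and IKE negotiation bring tunnels back.
        findings.append("CRITICAL: all tunnels are down; the CGW must initiate IKE to bring them up")
    if routing_mode(conn) == "bgp":
        for t in tunnels:
            if t["Status"] == "UP" and t.get("AcceptedRouteCount", 0) == 0:
                findings.append(f"tunnel {t['OutsideIpAddress']} is UP but accepted 0 BGP routes")
    return findings


def route_table_findings(conn, rt):
    """Check that the VPC route table steers the remote prefixes to this connection's VGW."""
    vgw = conn["VpnGatewayId"]
    findings = []
    if routing_mode(conn) == "static":
        # Static mode: each remote prefix declared on the connection needs an active route to the VGW.
        routed = {r["DestinationCidrBlock"] for r in rt["Routes"]
                  if r.get("GatewayId") == vgw and r.get("State") == "active"}
        for r in conn["Routes"]:
            cidr = r["DestinationCidrBlock"]
            if cidr not in routed:
                findings.append(f"static prefix {cidr} has no active route to {vgw} in {rt['RouteTableId']}")
        if not conn["Routes"]:
            findings.append("static connection declares no remote prefixes; nothing will be routed")
    else:
        # BGP mode: the VGW only knows the IP prefixes the peer advertises, and the VPC route
        # table only sees them when propagation from this VGW is enabled.
        propagating = {p["GatewayId"] for p in rt.get("PropagatingVgws", [])}
        if vgw not in propagating:
            findings.append(f"route propagation from {vgw} is not enabled on {rt['RouteTableId']}")
    return findings


def audit(conn, rt):
    """Return the routing mode and every finding for one connection / route table pair."""
    return {
        "connection": conn["VpnConnectionId"],
        "mode": routing_mode(conn),
        "findings": tunnel_findings(conn) + route_table_findings(conn, rt),
    }


if __name__ == "__main__":
    for c in (VPN_STATIC, VPN_BGP):
        result = audit(c, ROUTE_TABLE)
        print(f"{result['connection']} ({result['mode']}):")
        for f in result["findings"] or ["no findings"]:
            print("  -", f)
```

Against the constructed data the static connection yields one finding (its second tunnel is down) and the BGP connection yields two (a tunnel with no accepted routes, and missing VGW route propagation). Feeding real `describe-vpn-connections` / `describe-route-tables` JSON into `audit` is a matter of loading the `VpnConnections[0]` and `RouteTables[0]` objects in place of the constructed dictionaries.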