AWS provides several options to connect your on-premises or office network to a Virtual Private Cloud (VPC); the right one depends on your bandwidth, latency, redundancy and compliance requirements. The available options are:
- AWS Managed VPN
- Customer Managed Software VPN
- AWS Direct Connect
- AWS Direct Connect + VPN
- AWS VPN Cloud Hub
- Transit VPC
AWS Managed VPN
What: An AWS-managed IPsec VPN connection from your site to a VPC over your existing internet connection. Each connection consists of two IPsec tunnels terminating on separate AWS endpoints, so the customer side should configure both.
When: You need an encrypted, tunnelled connection into a VPC, a backup path for a Direct Connect link, or a backup for another VPN connection.
How:
1. Create a customer gateway
Name, routing type (static or dynamic), the internet-routable IP address of your gateway's external interface, the BGP ASN of your device if routing is dynamic, and the ARN of a private certificate if you authenticate with certificates instead of a pre-shared key
2. Create a virtual private gateway
Name, and either the default Amazon-side ASN (64512) or a custom Amazon-side ASN if you need one
3. Attach the virtual private gateway to the VPC (select it, click Actions, then Attach to VPC)
4. Go to Site-to-Site VPN Connections and choose Create VPN Connection
Name: name tag
Target gateway type: Virtual Private Gateway or Transit Gateway
Select the virtual private gateway
Select the customer gateway
Routing options: Dynamic (requires BGP) or Static (you list the remote prefixes yourself)
Tunnel inside IP version: IPv4 or IPv6
Optional: local CIDR (the on-premises prefixes allowed to use the tunnel)
Optional: remote CIDR (the VPC-side prefixes allowed to use the tunnel)
Tunnel options: customize the tunnel inside CIDRs (/30 blocks from 169.254.0.0/16) and the pre-shared key for each tunnel. Anything left unspecified is randomly generated by Amazon. The same panel lets you restrict IKE versions, encryption and integrity algorithms and DH groups; the defaults accept a wide set that includes IKEv1, SHA-1 and DH group 2, so pin them to the strongest set your device supports.
5. Download a sample configuration for your customer gateway device with the "Download Configuration" button; the file contains the pre-shared keys, so treat it as a secret
The advantages of Site-to-Site VPN are quick setup, encryption in transit, and support for either static routes or BGP peering; the main disadvantages are that latency and availability depend on your internet connection and that throughput is capped at 1.25 Gbps per tunnel.
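The five console steps above expressed as Terraform for the hashicorp/aws provider, as an added example that is not part of the original article. It uses dynamic (BGP) routing, pins the IKE/IPsec parameters on both tunnels, enables route propagation into a VPC route table, and exposes the same device configuration the "Download Configuration" button renders. The VPC ID, route table ID, ASNs, the 203.0.113.10 router address and all tag names are placeholders; the pre-shared keys are supplied at apply time and checked against the AWS format rules.

```hcl
# Added example, not from the original article: steps 1-5 above as Terraform
# (hashicorp/aws provider). Every ID, ASN, address and tag here is a placeholder.

variable "vpc_id"                 { type = string }  # assumption: an existing VPC
variable "private_route_table_id" { type = string }  # assumption: route table of the subnets that use the tunnel

# Pre-shared keys are supplied at apply time, never hard-coded. AWS requires
# 8-64 characters from [A-Za-z0-9._], and the key must not start with 0.
variable "psk" {
  type      = map(string)
  sensitive = true
  validation {
    condition = alltrue([
      for k in values(var.psk) : can(regex("^[A-Za-z1-9._][A-Za-z0-9._]{7,63}$", k))
    ])
    error_message = "Each PSK must be 8-64 chars of [A-Za-z0-9._] and must not start with 0."
  }
}

# Step 1: customer gateway = public IP and BGP ASN of the on-premises device
resource "aws_customer_gateway" "office" {
  bgp_asn    = 65000           # private ASN of the office router (dynamic routing)
  ip_address = "203.0.113.10"  # TEST-NET-3 placeholder for the router's public IP
  type       = "ipsec.1"
  tags       = { Name = "office-cgw" }
}

# Steps 2 and 3: virtual private gateway with an Amazon-side ASN, attached to the VPC
resource "aws_vpn_gateway" "main" {
  vpc_id          = var.vpc_id
  amazon_side_asn = 64512
  tags            = { Name = "main-vgw" }
}

# Step 4: the Site-to-Site VPN connection; AWS creates both tunnels
resource "aws_vpn_connection" "office" {
  customer_gateway_id = aws_customer_gateway.office.id
  vpn_gateway_id      = aws_vpn_gateway.main.id
  type                = "ipsec.1"
  static_routes_only  = false  # dynamic routing (BGP); set true and add aws_vpn_connection_route for static

  # Tunnel options: inside CIDRs are /30s from 169.254.0.0/16 (outside AWS's reserved blocks)
  tunnel1_inside_cidr   = "169.254.10.0/30"
  tunnel2_inside_cidr   = "169.254.11.0/30"
  tunnel1_preshared_key = var.psk["tunnel1"]
  tunnel2_preshared_key = var.psk["tunnel2"]

  # Pin the negotiated crypto on both tunnels instead of accepting the wide default set
  tunnel1_ike_versions                 = ["ikev2"]
  tunnel2_ike_versions                 = ["ikev2"]
  tunnel1_phase1_encryption_algorithms = ["AES256"]
  tunnel2_phase1_encryption_algorithms = ["AES256"]
  tunnel1_phase1_integrity_algorithms  = ["SHA2-256"]
  tunnel2_phase1_integrity_algorithms  = ["SHA2-256"]
  tunnel1_phase1_dh_group_numbers      = [19, 20, 21]
  tunnel2_phase1_dh_group_numbers      = [19, 20, 21]
  tunnel1_phase2_encryption_algorithms = ["AES256"]
  tunnel2_phase2_encryption_algorithms = ["AES256"]
  tunnel1_phase2_integrity_algorithms  = ["SHA2-256"]
  tunnel2_phase2_integrity_algorithms  = ["SHA2-256"]
  tunnel1_phase2_dh_group_numbers      = [19, 20, 21]
  tunnel2_phase2_dh_group_numbers      = [19, 20, 21]

  tags = { Name = "office-vpn" }
}

# Let the VPC route table learn the prefixes the office advertises over BGP
resource "aws_vpn_gateway_route_propagation" "private" {
  vpn_gateway_id = aws_vpn_gateway.main.id
  route_table_id = var.private_route_table_id
}

# Step 5: the generic XML that the "Download Configuration" button renders per vendor
output "customer_gateway_configuration" {
  value     = aws_vpn_connection.office.customer_gateway_configuration
  sensitive = true  # it contains the pre-shared keys
}

output "tunnel_outside_addresses" {
  value = [aws_vpn_connection.office.tunnel1_address, aws_vpn_connection.office.tunnel2_address]
}
```

Apply with `terraform apply -var-file=secrets.tfvars` where the tfvars file holds `psk = { tunnel1 = "...", tunnel2 = "..." }` and is excluded from version control. The same `aws_vpn_connection` block is reused with a transit gateway by replacing `vpn_gateway_id` with `transit_gateway_id`.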
Customer Managed Software VPN
What: You build your own VPN endpoint on an EC2 instance using VPN software such as OpenVPN.
When: You want a VPN option AWS does not support, or you must manage both ends of the VPN connection for compliance reasons.
How: The same VPN configuration you would do on-premises, except that it runs on an EC2 instance, either from a VPN appliance AMI or from a plain OS AMI with your own VPN software. Disable the source/destination check on the instance so it can forward traffic, open only the VPN ports in its security group, and point the VPC route tables at the instance for the remote prefixes.
The advantages of a customer-managed VPN are flexibility and control; the disadvantages are that you own patching, key management and monitoring of the endpoint, and you must design for any needed redundancy across the whole chain.
AWS Direct Connect
What: A dedicated network connection over private lines into the AWS backbone. It links your internal network to an AWS Direct Connect location over a standard 1 Gbps or 10 Gbps Ethernet fibre-optic cable (100 Gbps at some locations; partner-hosted connections offer smaller capacities). You can reach all your AWS resources in a Region and move business-critical data between your data centre, office or colocation facility and AWS without crossing your Internet service provider, avoiding internet congestion. The link is private but not encrypted by default.
When: You need a separate large pipe into AWS because many resources and services on AWS serve your corporate users; you want to reduce your bandwidth commitment to your ISP, since data over the dedicated connection is charged at the lower Direct Connect transfer rates rather than internet data-transfer rates; you need consistent network performance; you need private connectivity to multiple VPCs while keeping them isolated (one private virtual interface per VPC); or you need more throughput than an IPsec VPN can give, since Direct Connect provides 1 Gbps to 10 Gbps per connection and multiple connections can be aggregated for more capacity.
How – Quick Steps:
1. Sign up for AWS
2. Request an AWS Direct Connect dedicated connection, or accept a hosted connection from a partner
3. Download the LOA-CFA (Letter of Authorization and Connecting Facility Assignment) for a dedicated connection and give it to your colocation provider so they can complete the cross-connect
4. Create a virtual interface (private for a VPC via a virtual private gateway or Direct Connect gateway, public for AWS public endpoints)
5. Download the router configuration
6. Verify your virtual interface (the BGP session must come up and show the expected routes)
7. Configure redundant connections, ideally at a second Direct Connect location (recommended)
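Steps 2, 4, 5 and 7 above as Terraform for the hashicorp/aws provider, as an added example that is not part of the original article. It requests two dedicated connections at different locations for redundancy, creates a private virtual interface on each terminating on one virtual private gateway, sets a BGP MD5 key, and fetches the rendered router configuration. Step 3 (LOA-CFA) and the physical cross-connect happen outside Terraform. The location codes, VLANs, peer addresses, ASN and the virtual private gateway ID are placeholders, and the `aws_dx_router_configuration` data source assumes a recent provider version.

```hcl
# Added example, not from the original article: Direct Connect steps 2, 4, 5 and 7
# as Terraform. Location codes, VLANs, addresses and ASNs are placeholders.

variable "vpn_gateway_id" { type = string }  # assumption: existing VGW attached to the VPC

variable "bgp_md5_key" {
  type      = string
  sensitive = true  # BGP TCP-MD5 password shared with the on-premises router
}

# Step 7 built in from the start: one dedicated connection at each of two locations.
# List real location codes with `aws directconnect describe-locations`.
variable "connections" {
  type = map(object({
    location         = string
    vlan             = number
    amazon_address   = string
    customer_address = string
  }))
  default = {
    primary   = { location = "EqDC2", vlan = 101, amazon_address = "169.254.100.1/30", customer_address = "169.254.100.2/30" }
    secondary = { location = "EqDA2", vlan = 102, amazon_address = "169.254.100.5/30", customer_address = "169.254.100.6/30" }
  }
}

# Step 2: request the dedicated connections; AWS then issues the LOA-CFA for each
resource "aws_dx_connection" "dc" {
  for_each  = var.connections
  name      = "dc-${each.key}"
  bandwidth = "10Gbps"
  location  = each.value.location
  # MACsec can be requested on 10/100 Gbps dedicated connections at supporting
  # locations (request_macsec = true); otherwise the link carries cleartext and
  # you run IPsec over it (the Direct Connect plus VPN option).
}

# Step 4: a private virtual interface per connection, both terminating on the VGW
resource "aws_dx_private_virtual_interface" "vpc" {
  for_each         = aws_dx_connection.dc
  connection_id    = each.value.id
  name             = "vpc-vif-${each.key}"
  vlan             = var.connections[each.key].vlan
  address_family   = "ipv4"
  bgp_asn          = 65000                  # on-premises router ASN
  bgp_auth_key     = var.bgp_md5_key        # AWS generates one if this is omitted
  amazon_address   = var.connections[each.key].amazon_address
  customer_address = var.connections[each.key].customer_address
  vpn_gateway_id   = var.vpn_gateway_id
  mtu              = 1500                   # 9001 if the whole path supports jumbo frames
}

# Step 5: the router configuration AWS renders for the device type you name
data "aws_dx_router_configuration" "primary" {
  virtual_interface_id   = aws_dx_private_virtual_interface.vpc["primary"].id
  router_type_identifier = "CiscoSystemsInc-2900SeriesRouters-IOS124"  # sample identifier from the AWS docs
}

output "primary_router_config" {
  value     = data.aws_dx_router_configuration.primary.customer_router_config
  sensitive = true  # contains the BGP key
}
```

After `terraform apply`, step 6 is done on the router: confirm the BGP session with AWS is established on each VIF and that the VPC CIDR is being learned before moving production traffic.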
AWS Direct Connect Plus VPN
What: An IPsec VPN connection running over Direct Connect instead of the public internet.
When: You want the consistent performance of Direct Connect plus encryption in transit, since Direct Connect alone does not encrypt traffic (MACsec on 10 Gbps and 100 Gbps dedicated connections at supporting locations is the other option).
How: Create a public virtual interface on the Direct Connect connection, then create a Site-to-Site VPN connection as above; the AWS VPN endpoint addresses are reachable over the public virtual interface, so the tunnels are built across the dedicated link rather than the internet.
AWS VPN Cloud Hub
What: Connect multiple remote sites in a hub-and-spoke topology using a single virtual private gateway.
When: You want to link remote offices to AWS resources and to each other, as a backup or primary WAN.
AWS VPN CloudHub uses one VPC virtual private gateway with multiple customer gateways, each with a unique BGP autonomous system number (ASN) and non-overlapping address ranges. Each site advertises its prefixes (BGP routes) over its VPN connection, and the virtual private gateway re-advertises them to the other sites, so traffic between sites flows through AWS. Because it is BGP, you can prefer another path for the same prefixes (for example MPLS as primary with CloudHub VPN as backup). It still depends on each site's internet connection and has no inherent redundancy beyond the two tunnels in each VPN connection.
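The CloudHub layout above as Terraform for the hashicorp/aws provider, as an added example that is not part of the original article. Two sites are attached to one existing virtual private gateway with BGP VPN connections, and variable validation enforces the two CloudHub requirements (distinct ASNs, distinct site prefixes) before anything is created. The site names, public IPs, ASNs, CIDRs and the virtual private gateway ID are placeholders; the site prefixes are advertised by each site's router over BGP, so the `cidr` field here is only used for the check.

```hcl
# Added example, not from the original article: two branch offices on one VGW
# (VPN CloudHub). Site names, addresses, ASNs and CIDRs are placeholders.

variable "vpn_gateway_id" { type = string }  # assumption: existing VGW attached to the VPC

variable "sites" {
  type = map(object({ public_ip = string, bgp_asn = number, cidr = string }))
  default = {
    london = { public_ip = "203.0.113.10",  bgp_asn = 65001, cidr = "10.10.0.0/16" }
    dublin = { public_ip = "198.51.100.20", bgp_asn = 65002, cidr = "10.20.0.0/16" }
  }
  # CloudHub requirement 1: every customer gateway needs a distinct ASN
  validation {
    condition     = length(distinct([for s in var.sites : s.bgp_asn])) == length(var.sites)
    error_message = "Each CloudHub site must use a unique BGP ASN."
  }
  # CloudHub requirement 2: site prefixes must not overlap (exact-duplicate check only;
  # the cidr field documents what each site's router is expected to advertise)
  validation {
    condition     = length(distinct([for s in var.sites : s.cidr])) == length(var.sites)
    error_message = "Site CIDRs must be distinct and must not overlap."
  }
}

resource "aws_customer_gateway" "site" {
  for_each   = var.sites
  bgp_asn    = each.value.bgp_asn
  ip_address = each.value.public_ip
  type       = "ipsec.1"
  tags       = { Name = "${each.key}-cgw" }
}

# One BGP VPN connection per site, all terminating on the same VGW. The VGW
# re-advertises each site's prefixes to the others, so sites reach each other
# through AWS as well as reaching the VPC.
resource "aws_vpn_connection" "site" {
  for_each            = var.sites
  customer_gateway_id = aws_customer_gateway.site[each.key].id
  vpn_gateway_id      = var.vpn_gateway_id
  type                = "ipsec.1"
  static_routes_only  = false  # CloudHub needs dynamic (BGP) routing
  tags                = { Name = "${each.key}-vpn" }
}
```

Adding a third site is a new entry in `sites`; the validation rejects a reused ASN at plan time rather than leaving you with a BGP session that never establishes.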
Transit VPC
What: A common pattern for connecting geographically dispersed VPCs and on-premises locations through a central transit VPC, creating a global network transit centre.
When: You have locations and VPC-deployed assets across multiple Regions that need to communicate with one another.
It gives the most flexibility and manageability, but unlike the AWS-managed CloudHub hub-and-spoke the hub is a pair of software VPN appliances on EC2 that you operate, so you must design for any needed redundancy across the whole chain. Providers such as Cisco, Juniper Networks and Riverbed have offerings that work with their equipment and AWS VPC. AWS Transit Gateway now offers a managed alternative to this pattern.