AWS Site-to-Site VPN

Crishantha Nanayakkara
4 min readAug 21, 2021

AWS Advanced Networking Series — Part 01

An Introduction

There are multiple ways you can connect your AWS infrastructure to an on-premise network. The Site-to-Site VPN connection is the more easier and cost effective way.

The Site-to-Site VPN Connection is a logical connection between AWS VPC and on-premise network, which is encrypted using IPSec and runs over the public Internet “in general”.

AWS Site-to-Site VPN connections are utilizing the public Internet to connect between AWS and on-premise networks “in general” due to the less cost. That does not mean that it cannot leverage any other connection options such as Direct Connect or Global Accelerated network.

Components

There are multiple components in a typical Site-to-Site VPN connection.

  1. Virtual Private Cloud (VPC)
  2. Virtual Private Gateway (VGW) — is a logical gateway object, which is a target of one or more Route Tables.
  3. Customer Gateway (CGW) — is a logical configuration on AWS, which represents the configurations of the physical on-premises router where VPN is connected to
  4. VPN Connection

Prerequisites

There are multiple per-requisites that you need to follow before make it work.

  1. Knowing the IP range / block of the AWS VPC
  2. Knowing the IP range / block of the on-premise network that you are going to connect
  3. IP address (public) of the physical public router(s) on the on-premise network (P.Note: There could be multiple routers, if you have more connections for fail-over — See Figure 01 for explanations)
  4. Create a Virtual Private Gateway (VPG) and attach it to the AWS VPC
  5. Create a Customer Gateway (s) for each fail-over on-premise VPN connections

Making the setup Highly Available (HA)

You can make a Site-to-Site VPN connection more Highly Available. This could be done at many levels (See Figure 1)

At the AWS level — Create two (or more) VPN Connections, each one represents a single on-premise IPSec connection. These VPN connection will create two (or more) VPN Endpoints (ENIs) to a single Customer Gateway (CGW) on the on-premise network. Each VPN Endpoint represents an Availability Zone of the AWS network, allowing to have fail-over on the AWS side.

At the on-premise level — This could be done using two (or more) Customer Gateways probably at two different locations physically. If one location goes off, other location can take the operations without any problem.

Figure 1 — Site-to-Site VPN with High Availability

Routing

There are two ways to do the routing in the Site-to-Site VPN connection

  1. Static Routing
  2. Dynamic Routing (using BGP)

Out of these two methods, it is quite easier to implement the static routing option. However, the more robust option is the dynamic routing primarily because of its ability to more robust in load balancing, auto scaling and network structures.

Routing Propagation

In order to implement dynamic routing, you need to implement the Route Propagation at the VPC router level. In addition to that, it is required to have the BGP support in the networks (at the physical router level) in order to have the router propagation feature.

With BGP, it it configured on both the on-premise and the AWS sides using Autonomous System Number (ASN). Network routing information is exchanged to both side using BGP.

Border Gateway Protocol (BGP): It is a standardized exterior gateway protocol designed to exchange routing and reach-ability information among Autonomous Systems (AS) on the Internet. BGP does make the Internet work by enabling data routing on the Internet. It is also known as the “path-vector” protocol as it exchanges the best path to a destination between peers. This path is called as the ASPATH (Autonomous System Path).

If not public Internet?

As explained before, a typical AWS Site-to-Site VPN connections are routed through the public Internet mainly because of its affordability. However, large enterprises, which can afford Direct Connect Connections can easily utilize the Direct Connect infrastructure for the Site-to-Site VPNs without any issue. However, the small and medium enterprises can go for another option (rather not using the public Internet) with a little bit of additional cost. The “Accelerated Site-to-Site VPN” is that option.

Accelerated Site-to-Site VPN

This feature was added in 2019 in order to accelerate Site-to-Site VPN. This uses the AWS Global Accelerator by intelligently routing traffic through the AWS Global Network and AWS edge locations.

With the Accelerated network, the on-premise CGW does communicate to the closest available Edge location with the Global Accelerator any-cast IP and there onward it utilizes the Global Accelerator dedicated network of AWS to reach the Transit Gateway.

It is required to note that, Accelerated connectivity is not supported by Virtual Private Gateways (VGWs) and it is only supported through Transit Gateways.

You can enable this feature while creating an AWS Site-to-Site VPN connection to an AWS Transit Gateway. Accelerated Site-to-Site VPN is available for Transit Gateways in multiple regions now [1].

By having this option, you will be charged only a fixed cost for the Global Accelerator and a variable cost for the data transfer usage.

References

  1. https://aws.amazon.com/about-aws/whats-new/2019/12/announcing-accelerated-site-to-site-vpn-for-improved-vpn-performance/
  2. https://aws.amazon.com/blogs/architecture/improve-vpn-network-performance-of-aws-hybrid-cloud-with-global-accelerator/

--

--

Crishantha Nanayakkara

Enterprise Architect, Consultant @ FAO (UN), Former CTO, ICTA Sri Lanka