3_Connecting Amazon VPC to On-Premises Network

Connecting VPC to On-Premises Networks

Site-to-Site VPN

  • Connects an Amazon Virtual Private Cloud (VPC) to an on-premises remote network.
  • By default, instances in a VPC cannot communicate with on-premises networks.
  • AWS Site-to-Site VPN establishes a secure connection between the on-premises environment and the VPC.
  • Utilizes Internet Protocol Security (IPSec) connections to create encrypted virtual private network (VPN) tunnels between two locations.

Cost

  • You are charged for each VPN hour that your VPN connection is provisioned and available.

Components and Traffic Flow

  1. Customer Gateway:
    • The on-premises side of the VPN connection.
    • Connects to a VPC customer gateway that you create in AWS.
  2. VPN Tunnels:
    • A Site-to-Site VPN connection provides two VPN tunnels.
    • One tunnel streams primary traffic, while the other provides redundancy.
  3. Route Tables:
    • Traffic flows from the VPN tunnels to the route tables.
  4. Virtual Private Gateway:
    • Connects to the route tables.
    • Provides access to your VPC.

AWS VPN Cloud Hub

  • Used for large corporate organizations with multiple on-premises network environments at different locations.
  • Facilitates primary or backup connectivity between these environments.
  • Operates on a hub-and-spoke model.
  • Can be used with or without Amazon VPC.
  • In this model, the virtual private gateway acts as a hub, connecting multiple on-premises networks.

AWS Global Accelerator

  • Use to accelerate Site-to-Site VPN connections due to potential network disruptions on the public internet.
  • The on-premises network has a VPN connection to Global Accelerator.
  • Global Accelerator connects to the AWS Transit Gateway through a Transit Gateway VPN attachment.
  • The Transit Gateway connects to the VPC through the Transit Gateway VPC attachment.

Transit Gateway for VPC Isolation

  • Organizations might require full on-premises network access to VPCs, while VPCs must be isolated from each other.
  • The transit gateway can be configured as multiple isolated routers.
  • Each transit gateway attachment is associated with a route table.
  • Attachments associated with one isolating route table can route packets to each other but cannot route packets to or receive packets from the attachments for another isolated router. This ensures VPC isolation.

Key Points

  • Site-to-Site VPN creates a secure connection between:
    • An on-premises customer gateway and an AWS virtual private gateway or transit gateway for VPC access.
  • Multiple on-premises networks can connect to a single virtual private gateway.
  • Use Global Accelerator to accelerate Site-to-Site VPN connections.
  • Configure multiple transit gateway routing tables to isolate VPCs while providing full VPN access.