
Securing External AWS Network Connections: VPN & Direct Connect

Securing external network connections to and from the AWS Cloud (for example, VPN, AWS Direct Connect)

Learning Objectives

After studying this guide, you will be able to:

  • Differentiate between AWS Site-to-Site VPN and AWS Direct Connect based on cost, security, and performance.
  • Identify the roles of the Virtual Private Gateway (VPG) and Customer Gateway (CGW).
  • Select the appropriate Direct Connect Virtual Interface (VIF) for specific traffic types.
  • Explain the purpose and architecture of AWS Transit Gateway in a hybrid environment.
  • Implement best practices for avoiding network configuration pitfalls, such as IP address overlapping.

Key Terms & Glossary

  • Virtual Private Gateway (VPG): The VPN endpoint on the Amazon VPC side of a Site-to-Site VPN connection.
  • Customer Gateway (CGW): A physical device or software application on your side (on-premises) of a Site-to-Site VPN connection.
  • IPsec (Internet Protocol Security): A protocol suite for securing IP communications by authenticating and encrypting each IP packet of a communication session.
  • Direct Connect Gateway: A globally available resource used to connect a single Direct Connect connection to multiple VPCs or Transit Gateways across different regions.
  • BGP (Border Gateway Protocol): The standard routing protocol used to exchange routing and reachability information between autonomous systems on the internet.

The "Big Idea"

Connecting an on-premises data center to the AWS Cloud effectively turns the cloud into an extension of your local network. This "Hybrid Cloud" model allows for seamless data migration, disaster recovery, and burst capacity, provided the connection is established through secure, high-performance channels like encrypted VPNs or dedicated private lines (Direct Connect).

Formula / Concept Box

Feature       | AWS Site-to-Site VPN            | AWS Direct Connect
Transport     | Public internet                 | Dedicated physical line
Security      | Encrypted (IPsec)               | Not encrypted by default (uses TLS at app layer)
Performance   | Variable (internet weather)     | Consistent (low latency / high bandwidth)
Setup time    | Minutes                         | Weeks to months (physical install)
Primary use   | Quick setup, low cost, backup   | Production workloads, large data transfers

Hierarchical Outline

  • I. AWS Site-to-Site VPN
    • A. Components
        1. Virtual Private Gateway (VPG): Attached to the VPC.
        2. Customer Gateway (CGW): Defined in AWS to represent the on-prem router.
    • B. Redundancy: Every VPN connection includes two tunnels for high availability.
    • C. Routing: Supports both Static and Dynamic (BGP) routing.
  • II. AWS Direct Connect (DX)
    • A. Connection Types: 1 Gbps, 10 Gbps, or 100 Gbps dedicated ports.
    • B. Virtual Interfaces (VIFs)
        1. Private VIF: Access private resources (EC2, RDS) in one VPC.
        2. Public VIF: Access public AWS endpoints (S3, DynamoDB) via private line.
        3. Transit VIF: Connect to a Transit Gateway.
  • III. AWS Transit Gateway
    • A. Hub-and-Spoke: Connects thousands of VPCs and on-prem networks.
    • B. Transitive Routing: Removes the need for complex mesh peering.

Visual Anchors

VPN Architecture Flow


Hybrid Connectivity Comparison

\begin{tikzpicture}[scale=0.8, every node/.style={transform shape}]
  % Two endpoints: on-premises data center and the AWS VPC
  \draw[thick, fill=blue!10] (0,0) rectangle (3,2) node[pos=.5, align=center] {On-Premises\\Data Center};
  \draw[thick, fill=orange!10] (8,0) rectangle (11,2) node[pos=.5, align=center] {AWS Cloud\\(VPC)};
  % Three paths between them: the public internet, an encrypted VPN over it, and a dedicated line
  \draw[ultra thick, gray, dashed] (3,1.5) -- (8,1.5) node[midway, above, black] {Public Internet};
  \draw[ultra thick, red] (3,1.2) -- (8,1.2) node[midway, below] {VPN (Encrypted)};
  \draw[ultra thick, green!60!black] (3,0.5) -- (8,0.5) node[midway, below] {Direct Connect (Dedicated)};
  \node at (5.5, -0.5) {\small \textit{Note: VPN can act as a backup to Direct Connect}};
\end{tikzpicture}

Definition-Example Pairs

  • Transitive Routing: The ability for traffic to pass through one VPC to reach another.
    • Example: If VPC A is connected to VPC B, and VPC B is connected to On-Prem, VPC A cannot talk to On-Prem unless you use a Transit Gateway or specific appliance; VPCs do not support native transitive routing.
  • Route Propagation: Automatically adding VPN or Direct Connect routes to your VPC route table.
    • Example: Enabling propagation on a VPC route table so that when the VPN comes up, the on-premises network range (e.g., 10.1.0.0/16) is automatically added with the VPG as the target.

Worked Examples

Scenario 1: Cost-Effective Backup

Problem: A company uses a 1 Gbps Direct Connect for its daily operations but needs a cost-effective failover solution should the physical line be cut.

Solution: Implement an AWS Site-to-Site VPN. While it has lower performance and relies on the public internet, it serves as an excellent, low-cost backup to the primary Direct Connect line.

Scenario 2: Connecting to S3 over Private Line

Problem: A security-conscious financial firm wants to access their S3 buckets from their office without the traffic ever touching the public internet.

Solution: Use AWS Direct Connect with a Public VIF. This allows the on-premises network to reach AWS public services (like S3) over the dedicated physical connection rather than the internet.

Checkpoint Questions

  1. Why does AWS provide two tunnels for every Site-to-Site VPN connection?
  2. True or False: Direct Connect traffic is encrypted by default as it travels from your data center to AWS.
  3. Which AWS resource must be attached to a VPC before a VPN connection can be established?
  4. You need to connect 50 different VPCs to your on-premises data center. What is the most scalable service to use?
  5. What happens if your on-premises network CIDR block overlaps with your AWS VPC CIDR block?
Answers
  1. For high availability/failover on the AWS side.
  2. False. It is a private connection, but encryption (like TLS or IPsec) must be added at higher layers if required.
  3. Virtual Private Gateway (VPG).
  4. AWS Transit Gateway.
  5. Connection will fail or routing will be unpredictable; IP ranges must be unique in hybrid networking.
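The overlap pitfall from question 5 and the route propagation example above can be checked before any VPN or Direct Connect is ordered. The following is an added example, not part of the original study guide: it validates that no two sites about to be joined (VPCs, including secondary CIDRs, and on-premises ranges) overlap, and lists the routes a VPC route table would gain from propagation. Site names, CIDRs and the gateway id are constructed sample values.

```python
"""Pre-flight check for hybrid connectivity: every network joined by a
VPN, Direct Connect or Transit Gateway must have a unique, non-overlapping
CIDR, otherwise routing is unpredictable (see checkpoint question 5)."""
from __future__ import annotations
from ipaddress import ip_network
from itertools import combinations


def find_overlaps(networks: dict[str, list[str]]) -> list[tuple[str, str, str, str]]:
    """networks maps a site (a VPC or an on-prem location) to its CIDR blocks.
    Returns (site_a, cidr_a, site_b, cidr_b) for each pair of ranges that
    overlap across different sites. strict=True rejects CIDRs with host
    bits set (e.g. 10.1.0.1/16), which is itself a configuration error."""
    labelled = [(site, ip_network(cidr, strict=True))
                for site, cidrs in networks.items() for cidr in cidrs]
    conflicts = []
    for (site_a, net_a), (site_b, net_b) in combinations(labelled, 2):
        # Ranges inside one site are that site's own concern; cross-site
        # overlap is what breaks hybrid routing. overlaps() also catches
        # a branch range nested inside a larger HQ range.
        if site_a != site_b and net_a.overlaps(net_b):
            conflicts.append((site_a, str(net_a), site_b, str(net_b)))
    return conflicts


def propagated_routes(onprem_cidrs: list[str], vpg_id: str) -> list[tuple[str, str]]:
    """Entries a VPC route table gains once VPG route propagation is enabled:
    each on-premises prefix with the Virtual Private Gateway as its target."""
    return [(str(ip_network(cidr, strict=True)), vpg_id) for cidr in onprem_cidrs]


# Constructed sample plan (hypothetical sites and ranges).
SAMPLE_PLAN = {
    "vpc-prod (us-east-1)": ["10.0.0.0/16", "100.64.0.0/16"],
    "vpc-dev (us-east-1)": ["10.0.0.0/16"],       # same CIDR as prod -> conflict
    "onprem-hq": ["10.1.0.0/16", "192.168.0.0/24"],
    "onprem-branch": ["10.1.128.0/17"],           # nested inside HQ range -> conflict
}

if __name__ == "__main__":
    for site_a, cidr_a, site_b, cidr_b in find_overlaps(SAMPLE_PLAN):
        print(f"OVERLAP: {site_a} {cidr_a} <-> {site_b} {cidr_b}")
    for dest, target in propagated_routes(SAMPLE_PLAN["onprem-hq"], "vgw-EXAMPLE"):
        print(f"propagated route: {dest} -> {target}")
```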

Ready to study AWS Certified Solutions Architect - Associate (SAA-C03)?
