Network to AWS

Main Source: https://d1.awsstatic.com/whitepapers/aws-amazon-vpc-connectivity-options.pdf

Best Practices

  • Use non-overlapping IP ranges
  • Allocate a single, contiguous block for each VPC

AWS Managed VPN

  • includes automated multi-data center redundancy and failover
  • VGW represents 2 distinct VPN endpoints physically located in separate data center
  • dynamic and static routing options available
  • can use multiple user gateway connections
  • Does not support Path MTU Discovery
  • Statically assigned routes are preferred over BGP advertised routes in cases where identical routes exist in the virtual private gateway.
  • Note: If using BGP, both IPSec and BGP connections must be terminated on the same user gateway device, so it must be capable of terminating both IPSec and BGP connections.

Customer Gateway Requirements

  • The AWS endpoint is not the initiator; your customer gateway must initiate the tunnels.
  • Adjust maximum segments size at gateway before VPN tunnel
  • Reset the DF flag at CGW
  • Uses UDP port 500 and IP 50 (ESP)
  • NAT-T uses UDP 4500
  1. IKE Security Association using pre-shared keys (PSK)
  2. IPSec Security Association (SA) in Tunnel mode
    • Use AES 128 or 256-bit encryption
    • Use SHA-1 or 256 hashing
    • Use Diffie-Hellman Perfect Forward Secrecy
    • Use IPsec Dead Peer Detection - enables the VPN devices to rapidly identify when a network condition prevents delivery of packets across the internet
  3. Bind tunnel to logical interface - don’t do additional encapsulation - set to 1399 MTU
  4. (Optional) - Establish BGP peerings

AWS Direct Connect

  • DGW is globally available resource
  • You can create the Direct Connect gateway in any public region and access it from all other public regions.
  • 1 or 10 Gbps provisioned connections
  • More predictable network performance and reduced bandwidth costs
  • Supports BGP peering and routing policies

DC with VPN

  • provides IPsec-encrypted private connection
  • Combines AWS managed benefits of VPN solution with low latency, inceased bandwidth and more consistent benefits of AWS DC and end-to-end secure IPsec connection.

AWS VPN CloudHub

  • Single hub-and-spoke model with or without a VPC
  • Uses a VGW with multiple gateways each with unique BGP ASNs.
  • Using BGP sites can receive routing advertisements and communicate with each other
  • Each site must have unique ASNs and non-overlapping IP ranges

Software VPN

  • Customer manages both ends of the VPN connection
  • Introduces single point of failure

Transit VPC

  • Can build on the Software VPN design
  • Connects multiple, geographically diverse VPCs and remote newtworks
  • Simplifies management
  • Minimizes the number of connections required to connect multiple VPCs and remote networks
  • Direct routing between networks
  • Ability to implement more complex routing
  • Allows NAT
  • Allows additional network-level packet filtering or inspection

VPC-to-VPC Connectivity Options

VPC Peering

  • Doesn’t support transitive relationships
  • No single point of failure
  • No bandwidth bottleneck
  • Supports inter-region peering
  • No physical hardware

Software VPN

  • Recommended when you want to connect VPCs across multiple regions and manage both ends of the VPN connection
  • Uses an IGW attached to each VPC

Software-to-AWS managed VPN

  • This option is recommended when you want to connect VPCs across multiple AWS regions and would like to take advantage of the AWS managed VPN endpoint includingautomated multi-data center redundancy and failover built into the virtual private gateway side of the VPN connection.

AWS managed VPN

  • VPC-to-VPC routing managed by customers over the Internet
  • supports static routes and dynamic BGP peering and routing
  • Depends on Internet conditions
  • We recommend this approach when you want to take advantage of AWS managed VPN endpoints including the automated multi-data center redundancy and failover built into the AWS side of each VPN connection.
  • VGW supports multiple CGWs

AWS Direct Connect

  • Managed by customer
  • VPCs route back through DC on private lines
  • Reduced bandwidth cost
  • 1 or 10 Gb provisioned connections
  • Supports static and BGP
  • AWS provided
  • No single PoF
  • Only available in region
  • Security Groups can be used to manage these endpoints
  • Can be accessed from on-prem via AWS Direct Connect