AWS Certified Advanced Networking Specialty Notes - VPC Connectivity Options

Network to AWS

includes automated multi-data center redundancy and failover
VGW represents 2 distinct VPN endpoints physically located in separate data center
dynamic and static routing options available
can use multiple user gateway connections
Does not support Path MTU Discovery
Statically assigned routes are preferred over BGP advertised routes in cases where identical routes exist in the virtual private gateway.
Note: If using BGP, both IPSec and BGP connections must be terminated on the same user gateway device, so it must be capable of terminating both IPSec and BGP connections.

The AWS endpoint is not the initiator; your customer gateway must initiate the tunnels.
Adjust maximum segments size at gateway before VPN tunnel
Reset the DF flag at CGW
Uses UDP port 500 and IP 50 (ESP)
NAT-T uses UDP 4500

IKE Security Association using pre-shared keys (PSK)
IPSec Security Association (SA) in Tunnel mode
- Use AES 128 or 256-bit encryption
- Use SHA-1 or 256 hashing
- Use Diffie-Hellman Perfect Forward Secrecy
- Use IPsec Dead Peer Detection - enables the VPN devices to rapidly identify when a network condition prevents delivery of packets across the internet
Bind tunnel to logical interface - don’t do additional encapsulation - set to 1399 MTU
(Optional) - Establish BGP peerings

DGW is globally available resource
You can create the Direct Connect gateway in any public region and access it from all other public regions.
1 or 10 Gbps provisioned connections
More predictable network performance and reduced bandwidth costs
Supports BGP peering and routing policies

provides IPsec-encrypted private connection
Combines AWS managed benefits of VPN solution with low latency, inceased bandwidth and more consistent benefits of AWS DC and end-to-end secure IPsec connection.

Single hub-and-spoke model with or without a VPC
Uses a VGW with multiple gateways each with unique BGP ASNs.
Using BGP sites can receive routing advertisements and communicate with each other
Each site must have unique ASNs and non-overlapping IP ranges

Can build on the Software VPN design
Connects multiple, geographically diverse VPCs and remote newtworks
Simplifies management
Minimizes the number of connections required to connect multiple VPCs and remote networks
Direct routing between networks
Ability to implement more complex routing
Allows NAT
Allows additional network-level packet filtering or inspection

Recommended when you want to connect VPCs across multiple regions and manage both ends of the VPN connection
Uses an IGW attached to each VPC

This option is recommended when you want to connect VPCs across multiple AWS regions and would like to take advantage of the AWS managed VPN endpoint includingautomated multi-data center redundancy and failover built into the virtual private gateway side of the VPN connection.

VPC-to-VPC routing managed by customers over the Internet
supports static routes and dynamic BGP peering and routing
Depends on Internet conditions
We recommend this approach when you want to take advantage of AWS managed VPN endpoints including the automated multi-data center redundancy and failover built into the AWS side of each VPN connection.
VGW supports multiple CGWs