AWS Client VPN is a managed client-based VPN service that enables you to securely access AWS resources and resources in your on-premises network.
Components
The following are the key components for using AWS Client VPN.
Client VPN endpoint — Your Client VPN administrator creates and configures a Client VPN endpoint in AWS. Your administrator controls which networks and resources you can access when you establish a VPN connection.
VPN client application — The software application that you use to connect to the Client VPN endpoint and establish a secure VPN connection.
Client VPN endpoint configuration file — A configuration file that's provided to you by your Client VPN administrator. The file includes information about the Client VPN endpoint and the certificates required to establish a VPN connection. You load this file into your chosen VPN client application.
AWS Site-to-Site VPN
By default, instances that you launch into an Amazon VPC can't communicate with your own (remote) network. You can enable access to your remote network from your VPC by creating an AWS Site-to-Site VPN (Site-to-Site VPN) connection, and configuring routing to pass traffic through the connection.
Although the term VPN connection is a general term, in this documentation, a VPN connection refers to the connection between your VPC and your own on-premises network. Site-to-Site VPN supports Internet Protocol security (IPsec) VPN connections.
Concepts
The following are the key concepts for Site-to-Site VPN:
VPN connection: A secure connection between your on-premises equipment and your VPCs.
VPN tunnel: An encrypted link over which data passes between the customer network and AWS.
Each VPN connection includes two VPN tunnels which you can simultaneously use for high availability.
Customer gateway: An AWS resource which provides information to AWS about your customer gateway device.
Customer gateway device: A physical device or software application on your side of the Site-to-Site VPN connection.
Target gateway: A generic term for the VPN endpoint on the Amazon side of the Site-to-Site VPN connection.
Virtual private gateway: The VPN endpoint on the Amazon side of your Site-to-Site VPN connection; it can be attached to a single VPC.
Transit gateway: A transit hub that can be used to interconnect multiple VPCs and on-premises networks, and as a VPN endpoint for the Amazon side of the Site-to-Site VPN connection.
You cannot use a NAT gateway in AWS for clients coming in via a VPN.
For route propagation you need to point your VPN-only subnet’s route tables at the VGW.
You must define the IP prefixes that can send and receive traffic through the VGW.
The VGW does not route traffic destined outside the prefixes it received as BGP advertisements, its static route entries, or its attached VPC's CIDR.
You cannot access Elastic IPs in your VPC via the VPN – Elastic IPs can only be reached via the Internet.
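The routing rules above (the VGW forwards only toward BGP-learned prefixes, static routes on the VPN connection, or the attached VPC CIDR, and an Elastic IP is not reachable over the VPN) as an added Python model for checking which destinations a VGW will forward; this is illustrative code, not AWS code, and the class name, function names and sample prefixes are assumptions.

```python
import ipaddress

# Simplified model of a virtual private gateway's forwarding decision:
# a destination is forwarded only if it falls inside a prefix learned via BGP
# from the customer gateway device, a static route on the VPN connection, or
# the CIDR of the attached VPC. Anything else, including public addresses such
# as Elastic IPs, has no route and is dropped. Sample prefixes are constructed.
class VgwRouteTable:
    def __init__(self, vpc_cidrs, bgp_advertised=(), static_routes=()):
        # Each entry is (network, source); source records where the prefix came from.
        self.entries = []
        for cidr in vpc_cidrs:
            self.add(cidr, "vpc")
        for cidr in bgp_advertised:
            self.add(cidr, "bgp")
        for cidr in static_routes:
            self.add(cidr, "static")

    def add(self, cidr, source):
        self.entries.append((ipaddress.ip_network(cidr, strict=False), source))

    def lookup(self, destination):
        """Longest-prefix match; returns (network, source) or None when no route exists."""
        addr = ipaddress.ip_address(destination)
        candidates = [(net, src) for net, src in self.entries
                      if addr.version == net.version and addr in net]
        if not candidates:
            return None
        return max(candidates, key=lambda entry: entry[0].prefixlen)


def reachable_via_vpn(table, destination):
    """True when the VGW holds a route covering the destination."""
    return table.lookup(destination) is not None


if __name__ == "__main__":
    vgw = VgwRouteTable(
        vpc_cidrs=["10.0.0.0/16"],          # constructed VPC CIDR
        bgp_advertised=["192.168.0.0/16"],  # constructed prefix learned from on-prem via BGP
        static_routes=["172.16.10.0/24"],   # constructed static route on the VPN connection
    )
    # 172.16.99.1 is outside every known prefix; 203.0.113.10 stands in for an Elastic IP.
    for dst in ["10.0.5.20", "192.168.40.7", "172.16.10.9", "172.16.99.1", "203.0.113.10"]:
        print(dst, "->", vgw.lookup(dst))
```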
Difference
Client VPN
Use Case: Client VPN is designed to provide secure, remote access for individual users (clients) to AWS resources and on-premises networks.
Users: Individual clients (e.g., employees, contractors) who need to securely connect to the network from remote locations.
Connection Type: Each user sets up a VPN client on their device to establish a secure connection to the AWS VPN endpoint.
Authentication: Supports a variety of authentication methods including Active Directory, certificate-based authentication, and multi-factor authentication (MFA).
Configuration: Users need to install VPN client software and configure it with the necessary credentials and server information provided by the AWS Client VPN endpoint.
Scalability: Scales with the number of individual connections, suitable for environments where multiple remote users need access.
Example Scenario: Employees working from home who need secure access to company resources hosted on AWS.
Site-to-Site VPN
Use Case: Site-to-Site VPN is designed to establish a secure connection between an entire on-premises network and an AWS VPC.
Users: Entire networks or sites, typically used by businesses to connect their on-premises data centers or branch offices to AWS.
Connection Type: A VPN gateway is set up on both the on-premises network and the AWS VPC to create a secure tunnel between the two networks.
Authentication: Uses IPsec (Internet Protocol Security) with pre-shared keys or certificates for authentication.
Configuration: Requires setting up a VPN gateway on both ends (AWS and on-premises) and configuring routing rules to direct traffic through the VPN tunnel.
Scalability: Suitable for connecting multiple sites or entire networks, though it requires managing and maintaining VPN gateways.
Example Scenario: A company with multiple branch offices needing to securely connect to their AWS VPC to access resources or integrate applications.