Task Statement 1.5: Design a routing strategy and connectivity architecture between on-premises networks and the AWS Cloud.
📘AWS Certified Advanced Networking – Specialty
1. What is Encapsulation and Why It Matters
Encapsulation is a method used in networking to wrap data inside a packet or frame so it can be transported across networks that may not natively support the original protocol. Think of it as putting a letter (your data) inside an envelope (a packet) so it can travel securely through different networks.
In AWS hybrid architectures, encapsulation is crucial when you want to connect on-premises networks to AWS because different networks might use different protocols, or the traffic might need to traverse the public internet securely.
Key points:
- Encapsulation allows tunneling, which means you can carry one protocol over another network protocol.
- Commonly used in VPNs, cloud connectivity, and multi-site network setups.
2. Generic Routing Encapsulation (GRE)
What GRE Does
- GRE is a tunneling protocol.
- It encapsulates one packet inside another packet, allowing you to send it over networks that normally wouldn’t support the original packet type.
- It does not encrypt traffic by itself; it only encapsulates it.
- Often used for connecting different network sites, including AWS VPCs to on-premises networks.
Key Features of GRE
- Protocol Support: Can carry any Layer 3 protocol, such as IPv4, IPv6, or even multicast.
- Point-to-Point Tunnels: Typically used to connect two sites (like an on-prem network and an AWS VPC).
- No Security: By default, GRE does not provide encryption, so traffic is visible if intercepted.
GRE in an AWS Environment
- AWS does not natively support GRE over VPN, but it can be implemented using virtual appliances (e.g., Cisco CSR, Fortinet, Palo Alto) in a VPC.
- Example use: You have two different networks using private IP ranges and want to route traffic between them over the internet without altering packet headers.
Advantages and Limitations
| Advantage | Limitation |
|---|---|
| Supports multiple protocols | No encryption on its own |
| Simple to set up for tunnel routing | Overhead increases packet size (adds GRE header) |
| Works with dynamic routing protocols like BGP | Needs additional security if over public networks |
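To make the encapsulation and overhead points concrete, here is an added example (not from the original notes or any AWS documentation) that builds an inner IPv4/UDP packet, wraps it in a GRE tunnel and unwraps it again using only the Python standard library. The tunnel endpoint addresses (203.0.113.10 for the on-prem side, 198.51.100.20 for a GRE appliance in the VPC) and the inner hosts are constructed documentation addresses; the decapsulator also honours the optional GRE checksum, key and sequence fields from RFC 2890 so it is not limited to the flagless header the encapsulator emits.

```python
import struct
import ipaddress
GRE_PROTO = 47            # IP protocol number carried in the outer header
ETHERTYPE_IPV4 = 0x0800   # GRE "protocol type" value for an inner IPv4 packet

def ip_checksum(data: bytes) -> int:
    """One's-complement checksum for the IPv4 header (odd length padded with a zero byte)."""
    total = sum(struct.unpack("!%dH" % ((len(data) + 1) // 2), data + b"\x00" * (len(data) % 2)))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    fields = [0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = ip_checksum(hdr)
    return struct.pack("!BBHHHBBH4s4s", *fields)

def gre_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Outer IPv4 (proto 47) + 4-byte GRE header (no flags) + the untouched inner packet."""
    gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)
    return ipv4_header(tunnel_src, tunnel_dst, GRE_PROTO, len(gre) + len(inner)) + gre + inner

def gre_decapsulate(packet: bytes):
    """Strip outer IPv4 + GRE (RFC 2890 optional fields included); returns (outer_src, outer_dst, inner)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTO:
        raise ValueError("outer packet is not GRE")
    outer_src = str(ipaddress.IPv4Address(packet[12:16]))
    outer_dst = str(ipaddress.IPv4Address(packet[16:20]))
    flags, ptype = struct.unpack("!HH", packet[ihl:ihl + 4])
    if ptype != ETHERTYPE_IPV4:
        raise ValueError("unexpected GRE protocol type 0x%04x" % ptype)
    # C (0x8000), K (0x2000) and S (0x1000) flags each add a 4-byte field after the base header
    gre_len = 4 + 4 * bool(flags & 0x8000) + 4 * bool(flags & 0x2000) + 4 * bool(flags & 0x1000)
    return outer_src, outer_dst, packet[ihl + gre_len:]

def demo() -> dict:
    """Constructed inner packet: on-prem host 10.0.1.10 -> VPC host 172.16.5.20, UDP payload."""
    payload = b"HELLO-FROM-ONPREM"
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload   # UDP checksum 0 = none
    inner = ipv4_header("10.0.1.10", "172.16.5.20", 17, len(udp)) + udp
    tunnel = gre_encapsulate(inner, "203.0.113.10", "198.51.100.20")       # constructed tunnel endpoints
    outer_src, outer_dst, recovered = gre_decapsulate(tunnel)
    return {"overhead_bytes": len(tunnel) - len(inner),                    # 20 outer IP + 4 GRE = 24
            "inner_intact": recovered == inner, "outer_src": outer_src, "outer_dst": outer_dst,
            "payload_in_cleartext": payload in tunnel}                     # GRE adds no confidentiality
```

The `payload_in_cleartext` result is the "No Security" limitation from the table above in practice: anyone who can read the outer packet can read the inner one, which is why the tunnel is wrapped in IPsec when it crosses the internet.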
3. IPsec (Internet Protocol Security)
What IPsec Does
- IPsec is a protocol suite for securing IP communications.
- It provides encryption, authentication, and integrity for packets.
- Unlike GRE, IPsec is security-focused, ensuring that data is not readable or tampered with while in transit.
Key Components of IPsec
- Authentication Header (AH): Ensures the data is from a trusted source.
- Encapsulating Security Payload (ESP): Encrypts the data so only the intended recipient can read it.
- Security Associations (SA): Rules that define how IPsec traffic is encrypted and authenticated between two endpoints.
IPsec in an AWS Environment
- AWS managed VPNs use IPsec to securely connect your on-premises network to a VPC.
- The AWS side of the connection terminates on a Virtual Private Gateway (VGW); the on-premises side terminates on a Customer Gateway (CGW).
- IPsec ensures that even if traffic traverses the public internet, it remains confidential and untampered.
- Can also be combined with GRE if you need protocol flexibility + encryption.
4. GRE vs IPsec
| Feature | GRE | IPsec |
|---|---|---|
| Encapsulation | Yes | Optional (ESP encapsulates traffic) |
| Encryption | No | Yes (ESP) |
| Authentication | No | Yes |
| Use case | Tunnel protocols not natively supported | Secure transmission over untrusted networks |
| AWS Support | Requires virtual appliances | AWS VPN supports it natively |
Tip for exams: when an AWS scenario asks how to “securely connect on-prem to AWS over the internet”, the answer is IPsec VPN. If non-IP traffic or multicast must also be carried, GRE over IPsec might be used.
5. Common Exam Scenarios
- Site-to-Site VPN: Use IPsec to encrypt traffic between your on-premises network and AWS VPC.
- Multiprotocol Traffic: Use GRE if your on-premises network uses protocols like IPv6 or multicast and you need to tunnel them to AWS.
- Combined Setup: GRE for encapsulation + IPsec for encryption is common in hybrid environments.
6. Key Points to Remember for the Exam
- GRE = Encapsulation, tunnels traffic, no encryption.
- IPsec = Encryption + authentication, secures traffic over untrusted networks.
- AWS managed VPN uses IPsec.
- GRE can be combined with IPsec for advanced scenarios.
- GRE allows dynamic routing protocols (like BGP) over non-IP-compatible networks.
- IPsec ensures data confidentiality, integrity, and authentication.
This covers everything you need to know for Task 1.5’s section on encapsulation and encryption for the AWS Certified Advanced Networking – Specialty exam.
