Task Statement 4.3: Implement and maintain confidentiality of data andcommunications of the network.
📘AWS Certified Advanced Networking – Specialty
1. What “Data in Transit Encryption” Means
Data in transit means data moving across a network between systems. Examples in AWS include:
- Between an on-premises data center and AWS VPC
- Between two VPCs
- Between a user and an application hosted in AWS
- Between AWS services over public or private networks
Encryption in transit ensures that if someone captures network traffic, they cannot read or modify it.
In AWS networking, the most important encryption technologies you must know are:
- IPsec (Internet Protocol Security) – core VPN encryption method
- TLS (Transport Layer Security) – used for HTTPS and API communication
- MACsec (for some Direct Connect use cases) – link-layer encryption
- AWS-managed VPN encryption (built on IPsec)
For this exam section, the main focus is IPsec.
2. What is IPsec?
IPsec (Internet Protocol Security) is a framework of protocols used to:
- Encrypt IP packets
- Authenticate communication between network devices
- Ensure data integrity (no tampering)
- Prevent replay attacks (re-sending captured packets)
It works at the network layer (Layer 3) of the OSI model.
In AWS, IPsec is primarily used in:
- AWS Site-to-Site VPN
- Secure tunnels over the internet between:
- On-premises networks
- AWS VPCs
- Other cloud networks
3. Key Components of IPsec (Exam Important)
A. Security Associations (SA)
A Security Association (SA) defines how two endpoints will communicate securely.
It includes:
- Encryption algorithm (AES, etc.)
- Authentication method (HMAC)
- Keys used
- Lifetime of the tunnel
Each direction of communication uses a separate SA.
B. IKE (Internet Key Exchange)
IKE is used to:
- Negotiate IPsec parameters
- Exchange encryption keys securely
There are two versions:
IKEv1
- Older
- More complex (Phase 1 and Phase 2)
IKEv2 (recommended)
- Faster and more secure
- Better stability for VPN connections
- Used in modern AWS VPN setups
C. IPsec Protocols
IPsec uses two main protocols:
1. ESP (Encapsulating Security Payload)
- Provides:
- Encryption (confidentiality)
- Integrity
- Authentication
- Most commonly used in AWS VPNs
2. AH (Authentication Header)
- Provides:
- Integrity
- Authentication
- Does NOT provide encryption (rarely used today)
👉 In AWS, ESP is the standard
4. IPsec Modes (Important for Exams)
1. Tunnel Mode (Most Important in AWS)
- Entire original IP packet is encrypted
- A new IP header is added
- Used in:
- AWS Site-to-Site VPN
- VPC-to-VPC VPN tunnels
✔ This is the default mode for AWS VPN
2. Transport Mode
- Only the payload is encrypted
- Original IP header remains
- Mostly used for:
- Host-to-host communication (rare in AWS networking design)
5. Encryption Algorithms Used in IPsec
IPsec supports different cryptographic algorithms:
A. Encryption Algorithms (Confidentiality)
- AES-128
- AES-256 (commonly recommended in AWS)
B. Integrity Algorithms
- SHA-1 (older, not recommended)
- SHA-2 (SHA-256 preferred)
C. Key Exchange Algorithms
- Diffie-Hellman (DH groups)
- Used to securely generate shared keys
D. Perfect Forward Secrecy (PFS)
- Ensures new keys are generated for each session
- Prevents old sessions from being decrypted if a key is compromised
6. AWS Use of IPsec (Very Important for Exam)
A. AWS Site-to-Site VPN
This is the main real-world use case of IPsec in AWS.
How it works:
- Creates encrypted IPsec tunnels between:
- Customer gateway (on-premises)
- AWS Virtual Private Gateway (VGW) or Transit Gateway
Features:
- Uses IKEv2 + IPsec ESP
- Two tunnels for high availability
- Automatically encrypts traffic over the internet
B. AWS Transit Gateway VPN Attachments
- IPsec VPN can connect multiple VPCs and on-prem networks
- Centralized routing hub
C. VPN over Direct Connect (Important Exam Topic)
Even though Direct Connect is private, it is not encrypted by default.
So:
- IPsec VPN can be added over Direct Connect
- This adds encryption to private connectivity
Use case:
- Sensitive workloads requiring encryption even on private links
7. NAT Traversal (NAT-T)
In real networks, NAT devices may exist between VPN endpoints.
IPsec normally does not work well with NAT, so:
- NAT-T encapsulates IPsec packets inside UDP (port 4500)
- Allows VPNs to work behind NAT devices
AWS Site-to-Site VPN supports NAT-T automatically.
8. Common IPsec Flow (Simplified Exam View)
- VPN devices initiate connection
- IKE Phase 1:
- Establish secure control channel
- Authenticate peers
- IKE Phase 2:
- Create IPsec tunnel (ESP)
- Negotiate encryption algorithms
- Data transmission:
- Packets encrypted using ESP
- Sent over internet or network link
- Re-keying:
- New keys generated periodically
9. Security Benefits of IPsec in AWS
IPsec provides:
- Confidentiality → data is encrypted
- Integrity → data cannot be modified silently
- Authentication → verifies VPN endpoints
- Anti-replay protection → blocks duplicate packets
10. Common Exam Scenarios
You may see questions like:
Scenario 1:
“Securely connect on-premises network to AWS over the internet”
✔ Answer: AWS Site-to-Site VPN using IPsec
Scenario 2:
“Need encryption over Direct Connect”
✔ Answer:
- Direct Connect + IPsec VPN overlay
Scenario 3:
“Need secure multi-VPC connectivity”
✔ Answer:
- Transit Gateway + IPsec VPN attachments
11. Key Exam Takeaways
- IPsec is the primary encryption method for VPNs in AWS
- Works at Layer 3 (network layer)
- Uses ESP for encryption
- Uses IKE for key exchange
- AWS Site-to-Site VPN is built on IPsec
- Tunnel mode is used in AWS
- NAT-T enables IPsec over NAT networks
- Can be combined with Direct Connect for encryption
