Task Statement 2.1: Implement routing and connectivity between on-premises networks and the AWS Cloud.
📘AWS Certified Advanced Networking – Specialty
1. What is a VPN?
A VPN (Virtual Private Network) creates an encrypted, mutually authenticated tunnel between:
- An on-premises network (data center, office network)
- And an AWS VPC (Virtual Private Cloud)
It uses the public internet as transport, but ensures:
- Data is encrypted (confidentiality) and integrity-protected, so an on-path observer can neither read nor alter it
- Both endpoints authenticate each other before any traffic flows
2. AWS VPN Types
In AWS, VPN connectivity is mainly implemented using:
1. Site-to-Site VPN
- Connects on-premises network ↔ AWS VPC (or many VPCs, via a Transit Gateway)
- Uses a Customer Gateway (CGW) on your side
- Uses a Virtual Private Gateway (VGW) or Transit Gateway (TGW) on AWS side
- IPsec-based
2. Client VPN
- Connects individual users/devices ↔ AWS VPC
- OpenVPN-based (TLS, not IPsec); users authenticate with mutual TLS certificates, Active Directory, or SAML federation
- Useful for remote workers accessing AWS resources securely
3. Key Components of AWS VPN
Customer Gateway (CGW)
- Represents your on-premises VPN device in AWS: its public IP address and, for BGP, its ASN
- Could be:
- Physical firewall
- Router
- Software VPN appliance
Virtual Private Gateway (VGW)
- Attached to a single VPC at a time
- Acts as the AWS-side VPN endpoint
- Has an Amazon-side ASN (default 64512) used for BGP
Transit Gateway (TGW)
- Used for large-scale, multi-VPC connectivity (hub-and-spoke)
- Supports VPN connections as well, and is required for Accelerated VPN and for ECMP across tunnels
VPN Connection
- Logical connection between CGW and VGW/TGW
- Contains:
- 2 tunnels (for high availability), each terminating on a different AWS endpoint
- Per-tunnel options: pre-shared key, tunnel inside CIDR, and the IKE/IPsec algorithms the tunnel is allowed to negotiate
4. How AWS Site-to-Site VPN Works
- You configure:
- CGW (your network)
- VGW or TGW (AWS)
- AWS creates:
- Two IPsec tunnels
- Traffic flows:
- Encrypted through one tunnel
- Second tunnel acts as failover (or, with a TGW and BGP, carries traffic at the same time via ECMP)
- Routing is configured using:
- Static routing
- or Dynamic routing (BGP)
5. VPN Security (VERY IMPORTANT FOR EXAM)
AWS VPN uses IPsec (Internet Protocol Security): IKE (v1 or v2) negotiates keys, and ESP carries the encrypted data packets.
Key Security Features
1. Encryption
- Data is encrypted using:
- AES-128 / AES-256 (CBC), or AES-128-GCM / AES-256-GCM (authenticated encryption)
- By default AWS offers all of these to the customer device; restrict the tunnel options to AES-256 (ideally GCM) so a weak proposal cannot be negotiated
- Protects data from being read on the internet
2. Authentication
- Uses either:
- Pre-Shared Key (PSK): 8-64 characters, letters, digits, period and underscore only, must not start with zero; AWS generates one if you do not supply it
- or Certificate-based authentication with a private certificate issued by AWS Private CA, which avoids distributing a shared secret
- Ensures both sides are trusted
3. Integrity
- Uses hashing algorithms:
- SHA-1 / SHA-2 (256, 384, 512)
- SHA-1 is offered only for legacy devices; restrict tunnels to SHA-2
- Ensures data is not modified in transit
4. IPsec Tunnels
Each VPN connection has:
- 2 tunnels
- Each tunnel:
- Separate AWS endpoint (different Availability Zones)
- Independent IKE/IPsec security associations and keys, so a failure or compromise of one tunnel does not affect the other
IPsec Phases (Exam Concept)
Phase 1 (IKE SA)
- Establishes the secure channel used to negotiate everything else (Diffie-Hellman exchange)
- Authenticates peers (PSK or certificate)
- IKEv2 is preferred; IKEv1 is supported for older devices
- Default lifetime 28,800 seconds
Phase 2 (IPsec / child SA)
- Negotiates the encryption and integrity algorithms and keys for the actual data traffic (ESP)
- Default lifetime 3,600 seconds, after which the tunnel rekeys
Perfect Forward Secrecy (PFS)
- Each Phase 2 rekey performs a fresh Diffie-Hellman exchange instead of deriving keys from the Phase 1 secret
- Compromise of a long-term key, or of one session's keys, does not expose earlier sessions
- AWS always negotiates PFS; what you choose is the DH group (avoid groups 2 and 5, use 14 or above)
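The points above are exactly what a reviewer checks in a VPN connection request before it is created. The following is an added example, not AWS code: a small audit of the TunnelOptions structure used by the EC2 CreateVpnConnection API (the key names and accepted values are the API's; the hardening baseline, the 20-character PSK floor and the two sample requests are my own). It also applies the connection-level rule from the Accelerated VPN section that acceleration is only valid with a Transit Gateway.

```python
"""Audit AWS Site-to-Site VPN tunnel options against a hardening baseline.

Added example, not AWS code. The dict layout mirrors the Options /
TunnelOptions structure of the EC2 CreateVpnConnection API; the baseline
(what counts as weak) and the sample requests are constructed here.
"""
import re

# Values the EC2 API accepts; which ones count as "weak" is this audit's policy.
WEAK_ENCRYPTION = {"AES128", "AES128-GCM-16"}
WEAK_INTEGRITY = {"SHA1"}
WEAK_IKE = {"ikev1"}
MIN_DH_GROUP = 14            # groups 2 and 5 use a modulus below 2048 bits
MIN_PSK_LENGTH = 20          # baseline choice; AWS itself allows 8..64
# AWS PSK syntax: letters, digits, '.' and '_', 8-64 chars, no leading zero.
PSK_SYNTAX = re.compile(r"^[1-9A-Za-z._][A-Za-z0-9._]{7,63}$")


def _values(tunnel, key):
    """TunnelOptions list fields have the shape [{"Value": ...}, ...]."""
    return [item["Value"] for item in tunnel.get(key, [])]


def audit_tunnel(tunnel):
    """Return a list of finding strings for one tunnel's options."""
    findings = []
    for phase in ("Phase1", "Phase2"):
        enc = set(_values(tunnel, f"{phase}EncryptionAlgorithms"))
        integ = set(_values(tunnel, f"{phase}IntegrityAlgorithms"))
        dh = set(_values(tunnel, f"{phase}DHGroupNumbers"))
        # An omitted list means AWS offers every supported value, weak ones included.
        if not enc or enc & WEAK_ENCRYPTION:
            findings.append(f"{phase}: 128-bit AES offered")
        if not integ or integ & WEAK_INTEGRITY:
            findings.append(f"{phase}: SHA-1 offered")
        # Phase 2 DH groups are the PFS groups; a small group weakens PFS.
        if not dh or min(dh) < MIN_DH_GROUP:
            findings.append(f"{phase}: DH group below {MIN_DH_GROUP} offered")
    ike = set(_values(tunnel, "IKEVersions"))
    if not ike or ike & WEAK_IKE:
        findings.append("IKEv1 offered")
    psk = tunnel.get("PreSharedKey")
    if psk is not None:          # omitted: AWS generates the key itself
        if not PSK_SYNTAX.match(psk):
            findings.append("PreSharedKey violates AWS syntax rules")
        elif len(psk) < MIN_PSK_LENGTH:
            findings.append(f"PreSharedKey shorter than {MIN_PSK_LENGTH} chars")
    return findings


def audit_request(request):
    """Audit a CreateVpnConnection request; returns {scope: [findings]}."""
    report = {}
    options = request.get("Options", {})
    if options.get("EnableAcceleration") and "TransitGatewayId" not in request:
        report["connection"] = ["EnableAcceleration requires a Transit Gateway, not a VGW"]
    for i, tunnel in enumerate(options.get("TunnelOptions", []), start=1):
        findings = audit_tunnel(tunnel)
        if findings:
            report[f"tunnel{i}"] = findings
    return report


def hardened_tunnel(inside_cidr, psk):
    """Tunnel options limited to IKEv2, AES-256-GCM, SHA-2 and DH group 20 (ECP-384)."""
    return {
        "TunnelInsideCidr": inside_cidr,
        "PreSharedKey": psk,
        "IKEVersions": [{"Value": "ikev2"}],
        "Phase1EncryptionAlgorithms": [{"Value": "AES256-GCM-16"}],
        "Phase2EncryptionAlgorithms": [{"Value": "AES256-GCM-16"}],
        "Phase1IntegrityAlgorithms": [{"Value": "SHA2-384"}],
        "Phase2IntegrityAlgorithms": [{"Value": "SHA2-384"}],
        "Phase1DHGroupNumbers": [{"Value": 20}],
        "Phase2DHGroupNumbers": [{"Value": 20}],
    }


# Constructed sample: a permissive request against a VGW (resource IDs are placeholders).
WEAK_REQUEST = {
    "CustomerGatewayId": "cgw-0123456789abcdef0",
    "VpnGatewayId": "vgw-0123456789abcdef0",
    "Type": "ipsec.1",
    "Options": {
        "EnableAcceleration": True,          # invalid with a VGW
        "TunnelOptions": [{
            "PreSharedKey": "Summer2024",
            "IKEVersions": [{"Value": "ikev1"}, {"Value": "ikev2"}],
            "Phase1EncryptionAlgorithms": [{"Value": "AES128"}],
            "Phase1IntegrityAlgorithms": [{"Value": "SHA1"}],
            "Phase1DHGroupNumbers": [{"Value": 2}],
            # Phase 2 lists omitted: AWS then offers every algorithm
        }],
    },
}

# Constructed sample: the same connection done properly, on a Transit Gateway.
HARDENED_REQUEST = {
    "CustomerGatewayId": "cgw-0123456789abcdef0",
    "TransitGatewayId": "tgw-0123456789abcdef0",
    "Type": "ipsec.1",
    "Options": {
        "EnableAcceleration": True,
        "TunnelOptions": [
            hardened_tunnel("169.254.10.0/30", "k9Rw2.pL7_xQ4mN8vB3cT6"),
            hardened_tunnel("169.254.11.0/30", "Zt5Hq8_yE2nW7.rK4sJ9dM"),
        ],
    },
}

if __name__ == "__main__":
    for name, req in (("weak", WEAK_REQUEST), ("hardened", HARDENED_REQUEST)):
        print(name, audit_request(req) or "no findings")
```

Run it against the request body you are about to send (or the output of describe-vpn-connections for an existing one) before the tunnel ever comes up; once a weak proposal is negotiated, AWS will keep accepting it until the tunnel options are modified.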
6. High Availability in AWS VPN
AWS automatically provides:
- Two tunnels per VPN connection
- Each tunnel terminates on a different AWS endpoint in a different Availability Zone
Behavior:
- With a Virtual Private Gateway, AWS sends traffic over one tunnel at a time; the second is a hot standby
- With a Transit Gateway and BGP, both tunnels can carry traffic at once (ECMP), and further VPN connections add more bandwidth
- Failover happens automatically when a tunnel goes down (detected by Dead Peer Detection and, with BGP, by the lost BGP session); the customer gateway device must have both tunnels configured for this to work
- This is redundancy on the AWS side only; for a redundant customer side, use two customer gateway devices, each with its own VPN connection (four tunnels in total)
7. Routing in VPN
Static Routing
- Manually define the on-premises prefixes on the VPN connection (and AWS prefixes on the customer device)
- Simple but not scalable; use it only when the customer device cannot speak BGP
- No route withdrawal: a failed tunnel is avoided only once DPD marks it down
Dynamic Routing (BGP)
- Uses Border Gateway Protocol over the tunnel inside addresses (a 169.254.x.x/30 link-local pair per tunnel)
- Automatically exchanges routes; a tunnel that loses its BGP session has its routes withdrawn immediately
- Preferred for:
- Large networks
- Failover handling
- Expressing tunnel preference (AS-path prepending or MED to make one tunnel the primary)
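To make the "BGP handles failover" claim concrete, here is an added example (not AWS code) that models the route choice between the two tunnels. It is a deliberately simplified BGP best-path comparison with only the tie-breakers relevant to VPN tunnels: longest prefix match, then shortest AS_PATH, then lowest MED, with routes from a down tunnel ignored. The ASN, prefixes and tunnel states are constructed; real BGP speakers apply more attributes than this.

```python
"""Simplified BGP path selection between the two tunnels of a Site-to-Site VPN.

Added example, not AWS code. Models only longest prefix match, AS_PATH
length and MED, and drops routes whose tunnel is not UP (the effect of a
withdrawn BGP session). Sample routes and states are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    tunnel: str        # "tunnel1" or "tunnel2"
    prefix: str        # e.g. "10.0.0.0/16"
    as_path: tuple     # ASNs as advertised; prepending makes it longer
    med: int = 0       # lower is preferred when AS_PATH lengths tie


def best_route(routes, tunnel_state, dst):
    """Return the Route used to reach dst, or None if nothing reachable."""
    dst_ip = ipaddress.ip_address(dst)
    candidates = [
        r for r in routes
        if tunnel_state.get(r.tunnel) == "UP"
        and dst_ip in ipaddress.ip_network(r.prefix)
    ]
    if not candidates:
        return None
    # Longest prefix first, then shortest AS_PATH, then lowest MED.
    return min(
        candidates,
        key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, len(r.as_path), r.med),
    )


# Constructed sample: on-prem AS 65000 advertises the same prefixes over both
# tunnels, prepending on tunnel 2 so it acts as the backup for 10.0.0.0/16,
# and using MED to prefer tunnel 2 for 192.168.0.0/24.
ADVERTISED = [
    Route("tunnel1", "10.0.0.0/16", (65000,)),
    Route("tunnel2", "10.0.0.0/16", (65000, 65000, 65000)),
    # A more specific prefix reachable only via tunnel 2 wins on prefix length.
    Route("tunnel2", "10.0.50.0/24", (65000, 65000, 65000)),
    Route("tunnel1", "192.168.0.0/24", (65000,), med=200),
    Route("tunnel2", "192.168.0.0/24", (65000,), med=100),
]


def chosen_tunnel(tunnel_state, dst, routes=ADVERTISED):
    """Name of the tunnel that would carry traffic to dst, or None."""
    route = best_route(routes, tunnel_state, dst)
    return route.tunnel if route else None


if __name__ == "__main__":
    both_up = {"tunnel1": "UP", "tunnel2": "UP"}
    t1_down = {"tunnel1": "DOWN", "tunnel2": "UP"}
    for state in (both_up, t1_down):
        for dst in ("10.0.1.1", "10.0.50.7", "192.168.0.9"):
            print(state, dst, "->", chosen_tunnel(state, dst))
```

Compare this with static routing: there is no AS_PATH or MED to express preference, and nothing is withdrawn when a tunnel fails, so the only failover signal is DPD marking the tunnel down.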
8. Performance of VPN
Limitations:
- VPN runs over the internet
- Performance depends on:
- Latency
- Internet congestion
- Distance
Typical characteristics:
- Throughput: up to ~1.25 Gbps per tunnel (best case), with a ceiling of about 140,000 packets per second per tunnel
- To go beyond this, use a Transit Gateway with ECMP across several tunnels or VPN connections (a VGW cannot load-balance tunnels)
- Higher latency than private connections
9. Accelerated VPN (Important Topic)
What is Accelerated VPN?
Accelerated Site-to-Site VPN improves performance by using:
👉 AWS Global Accelerator: the tunnel endpoints become Global Accelerator anycast IPs, so traffic rides the AWS global network instead of the public internet
How it Works
- Traffic enters AWS through:
- Nearest AWS Edge Location
- Then travels through:
- AWS private backbone network
- Finally reaches:
- AWS region, where the tunnel terminates on a Transit Gateway
Constraints (exam favourites)
- Only supported for VPN connections attached to a Transit Gateway, not to a Virtual Private Gateway
- Chosen at creation time (EnableAcceleration); an existing connection cannot be switched, you create a new one
- Tunnels use NAT traversal (IPsec over UDP 4500), so the customer gateway device must support NAT-T
Benefits
1. Lower Latency
- Traffic avoids congested public internet paths
2. Improved Performance
- More stable throughput
3. Better Reliability
- Uses AWS global infrastructure
When to Use Accelerated VPN
Use when:
- Long-distance connections
- Unstable internet paths
- Need better performance but:
- Cannot use Direct Connect
Comparison: Regular VPN vs Accelerated VPN
| Feature | Regular VPN | Accelerated VPN |
|---|---|---|
| Network Path | Public internet | AWS global backbone |
| Latency | Higher | Lower |
| Stability | Variable | More stable |
| Cost | Lower | Higher (Global Accelerator hourly and data transfer charges on top of the VPN connection) |
10. VPN vs AWS Direct Connect (Exam Tip)
| Feature | VPN | Direct Connect |
|---|---|---|
| Network | Internet | Private connection |
| Security | Encrypted (IPsec) | Not encrypted by default; add MACsec on dedicated 10/100 Gbps ports, or run an IPsec VPN over the Direct Connect link |
| Cost | Lower | Higher |
| Performance | Variable | Consistent |
| Setup Time | Fast (minutes) | Slow (weeks to months for the physical circuit) |
Important Exam Insight
- VPN is often used:
- As primary connection for small setups
- As backup for Direct Connect (AWS prefers Direct Connect BGP routes over VPN routes for the same prefix, so failover to the VPN is automatic)
- On top of Direct Connect when traffic must be encrypted in transit
11. Monitoring and Troubleshooting VPN
Key tools:
Amazon CloudWatch (AWS/VPN namespace)
- Monitor tunnel status
- Metrics:
- TunnelState (1 = up, 0 = down; for BGP VPNs it is 1 only when the BGP session is established)
- TunnelDataIn / TunnelDataOut (bytes)
- Dimensions: VpnId for the whole connection, TunnelIpAddress for a single tunnel
Site-to-Site VPN logs
- Optional per-tunnel logs delivered to CloudWatch Logs with IKE negotiation, DPD and tunnel state details; the first place to look when a tunnel will not come up (proposal mismatch, wrong PSK)
VPC Flow Logs
- Analyze traffic at the ENI/subnet/VPC level (the VPN gateway itself does not produce flow logs)
Logs & Alerts
- Detect:
- Tunnel down: alarm per tunnel (TunnelIpAddress dimension) so a single failure is noticed while redundancy still exists, not only when both tunnels are gone
- Packet drops
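The alerting rule above (distinguish "one tunnel down" from "connection down") is easy to get wrong if you only alarm on the connection-level metric. As an added example, not AWS code, the function below classifies a VPN connection from per-tunnel TunnelState datapoints. The input mimics the MetricDataResults shape returned by CloudWatch GetMetricData (Id, Timestamps, Values); the datapoints, tunnel ids and the "flapping" threshold of two state changes are constructed here.

```python
"""Classify Site-to-Site VPN health from per-tunnel TunnelState datapoints.

Added example, not AWS code. Input follows the MetricDataResults shape of
CloudWatch GetMetricData, one result per tunnel (AWS/VPN namespace,
TunnelIpAddress dimension). TunnelState is 1 when the tunnel is up (and,
for BGP VPNs, the BGP session is established), 0 otherwise. All samples
below are constructed.
"""
from datetime import datetime, timedelta, timezone

FLAP_THRESHOLD = 2   # state changes within the queried window; my own choice


def time_ordered_values(result):
    """Values of one MetricDataResult oldest-first (GetMetricData may return newest-first)."""
    pairs = sorted(zip(result["Timestamps"], result["Values"]), key=lambda p: p[0])
    return [value for _, value in pairs]


def transitions(values):
    """Number of up/down changes in a time-ordered sequence of TunnelState values."""
    return sum(1 for a, b in zip(values, values[1:]) if a != b)


def classify(results):
    """Return (status, detail) for one connection given its two tunnels' results."""
    ordered = {r["Id"]: time_ordered_values(r) for r in results}
    # No datapoints at all is treated as down (CloudWatch's "missing data" case).
    latest = {tid: (vals[-1] if vals else None) for tid, vals in ordered.items()}
    up = sorted(t for t, s in latest.items() if s == 1)
    down = sorted(t for t, s in latest.items() if s != 1)
    flapping = sorted(t for t, vals in ordered.items() if transitions(vals) >= FLAP_THRESHOLD)
    if not up:
        return "DOWN", f"no tunnel up ({', '.join(down)}); connection has no path"
    if down:
        return "DEGRADED", f"redundancy lost: {', '.join(down)} down, {', '.join(up)} carrying traffic"
    if flapping:
        return "FLAPPING", f"{', '.join(flapping)} changed state repeatedly; check DPD and rekey settings"
    return "OK", "both tunnels up"


T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def metric_result(tunnel_id, values, start=T0, period_s=60):
    """Build one GetMetricData-shaped result; values are oldest first, one per period."""
    return {
        "Id": tunnel_id,
        "Label": "TunnelState",
        "Timestamps": [start + timedelta(seconds=period_s * i) for i in range(len(values))],
        "Values": [float(v) for v in values],
        "StatusCode": "Complete",
    }


# Constructed scenarios: five one-minute datapoints per tunnel.
SAMPLES = {
    "healthy": [metric_result("tunnel1", [1, 1, 1, 1, 1]), metric_result("tunnel2", [1, 1, 1, 1, 1])],
    "one_down": [metric_result("tunnel1", [1, 1, 1, 0, 0]), metric_result("tunnel2", [1, 1, 1, 1, 1])],
    "outage": [metric_result("tunnel1", [1, 1, 0, 0, 0]), metric_result("tunnel2", [1, 0, 0, 0, 0])],
    "flapping": [metric_result("tunnel1", [1, 0, 1, 0, 1]), metric_result("tunnel2", [1, 1, 1, 1, 1])],
    "no_data": [metric_result("tunnel1", []), metric_result("tunnel2", [1, 1, 1, 1, 1])],
}

if __name__ == "__main__":
    for name, results in SAMPLES.items():
        status, detail = classify(results)
        print(f"{name:9s} {status:9s} {detail}")
```

In practice you would feed classify() with the results of a get_metric_data call that queries TunnelState for each TunnelIpAddress of the connection over the last few minutes; the DEGRADED branch is the alarm most teams forget, because the connection still passes traffic while it fires.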
12. Common Exam Scenarios
Scenario 1:
Need secure connection quickly
👉 Use:
- Site-to-Site VPN
Scenario 2:
Need better performance over long distance
👉 Use:
- Accelerated VPN (attached to a Transit Gateway)
Scenario 3:
Enterprise network with multiple VPCs
👉 Use:
- Transit Gateway + VPN
Scenario 4:
Highly available hybrid connectivity
👉 Use:
- VPN (2 tunnels) + BGP, with two customer gateway devices when the on-premises side must be redundant too
13. Key Exam Tips (VERY IMPORTANT)
- Always remember:
- VPN = encrypted over internet
- Direct Connect = private but not encrypted (add MACsec or an IPsec VPN over it)
- Accelerated VPN:
- Uses AWS global backbone via Global Accelerator
- Improves latency and stability
- Transit Gateway only
- Each VPN connection:
- Has 2 tunnels, on different AWS endpoints
- Prefer:
- BGP over static routing
- Security:
- Based on IPsec; restrict each tunnel's allowed IKE/IPsec algorithms instead of accepting the defaults
14. Quick Summary
- VPN connects on-premises ↔ AWS securely
- Uses IPsec encryption
- Provides:
- Confidentiality
- Integrity
- Authentication
- Comes with:
- 2 tunnels for high availability
- Routing:
- Static or BGP (preferred)
- Accelerated VPN:
- Uses AWS backbone (Global Accelerator, Transit Gateway only)
- Improves performance
