Many enterprises on their journey to the cloud require consistent and highly secure connectivity among their existing data center, their staff, and AWS environments. In this session, we walk through the different architecture options for establishing this connectivity using AWS VPN solutions. With each option, we evaluate the considerations and discuss risk, performance, high availability, encryption, and cost.

2. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS VPN Solutions
Kaartik Viswanath
Senior Manager
EC2 Networking
N E T 3 0 4
Tom Adamski
Specialist Solutions Architect
Networking

3. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Am I in the right session?

4. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
What we will cover in the session

5. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

6. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Frequently asked questions

7. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Site-to-Site VPN
• Fully managed and highly available VPN termination
endpoints at AWS end
• Two VPN tunnels per one VPN connection
• IPSec Site-to-Site tunnel with AES-256, SHA-2, and latest DH groups
• Support for NAT-T
• Charged per hour per VPN connection

8. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Site-to-Site VPN setup options
Static
• Policy or route-based
• Static routing
• Pre-shared key
Dynamic
• Route-based only
• Dynamic routing (BGP)
• Pre-shared key

9. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
CORP
10.0.0.0 /16 192.168.0.0 /16
VGW CGW
54.x.x.x
52.y.y.y
Public IP
Tunnel establishment—Static & dynamic

10. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
CORP
10.0.0.0 /16 192.168.0.0 /16
VGW CGW
54.x.x.x
52.y.y.y
Public IP
Tunnel establishment—Static & dynamic

11. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
CORP
10.0.0.0 /16 192.168.0.0 /16
VGW CGW
54.x.x.x
52.y.y.y
Public IP
• 1 unique security association (SA) pair per tunnel
• 1 inbound and 1 outbound
• 2 unique pairs for 2 tunnels-4 SAs
Tunnel establishment—Static & dynamic

12. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Static Site-to-Site VPN-policy-based
CORP
10.0.0.0 /16 192.168.0.0 /16
VGW CGW
54.x.x.x
52.y.y.y
Public IP
10.0.0.0 /16 192.168.0.0/16
10.0.0.0 /16 192.168.0.0/16
10.0.0.0 /16 192.168.0.0/16
10.0.0.0 /16 192.168.0.0/16

13. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Static Site-to-Site VPN-policy-based
CORP
10.0.0.0 /16 192.168.0.0 /16
VGW CGW
54.x.x.x
52.y.y.y
Public IP
10.0.0.0 /16 ANY
10.0.0.0 /16 ANY
10.0.0.0 /16 ANY
10.0.0.0 /16 ANY
• Consolidate ACLs to cover all IPs
• Filter to block unwanted traffic

14. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Dynamic Site-to-Site VPN-route-based
CORP
10.0.0.0 /16 192.168.0.0 /16
VGW CGW
54.x.x.x
52.y.y.y Tunnel 2
IP 169.254.169.5 /30
BGP AS 64512
Tunnel 2
IP 169.254.169.5 /30
BGP AS 65000
Tunnel 1
IP 169.254.169.2 /30
BGP AS 65000
Tunnel 1
IP 169.254.169.1 /30
BGP AS 64512

15. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
CORP
10.0.0.0 /16 192.168.0.0 /16
VGW CGW
54.x.x.x
52.y.y.y
Public IP
Traffic flow—To AWS

16. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
CORP
10.0.0.0 /16 192.168.0.0 /16
VGW CGW
54.x.x.x
52.y.y.y
Public IP
Traffic flow—From AWS

17. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Adding resilient connections
10.0.0.0 /16
VGW
54.x.x.x
52.y.y.y
54.a.a.a
52.z.z.z
CORP

18. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Adding resilient connections—Traffic flow
10.0.0.0 /16
VGW
54.x.x.x
52.y.y.y
54.a.a.a
52.z.z.z
CORP

19. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Adding resilient connections—Traffic flow
10.0.0.0 /16
VGW
54.x.x.x
52.y.y.y
54.a.a.a
52.z.z.z
CORP

20. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Adding resilient connections
10.0.0.0 /16
VGW
CORP
10.1.0.0 /16
VGW

21. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Adding resilient connections
CORP

22. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

23. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Resilient connections
CORP

24. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Resilient connections
CORP
Cost dimensions:

25. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Transit VPC
CORP
• Amazon Elastic Compute Cloud (Amazon EC2)-based routers/firewalls

26. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Transit VPC CORP
CORP

27. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Transit VPC CORP
CORP
Cost dimensions:
Cost dimensions:
Cost dimensions:

28. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
AWS Transit Gateway
CORP
NEW

29. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Transit Gateway—Site-to-Site VPN traffic flow
CORP

30. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Transit Gateway—Site-to-Site VPN traffic flow
CORP

31. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Transit Gateway
CORP
Cost dimensions:
Cost dimensions:

32. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
CORP
Transit VPC to AWS Transit Gateway migration

33. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Transit VPC to AWS Transit Gateway migration
CORP

34. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Transit VPC to AWS Transit Gateway migration
CORP

35. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Transit VPC to AWS Transit Gateway migration
CORP

36. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Transit VPC to AWS Transit Gateway migration
CORP

37. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Transit VPC to AWS Transit Gateway migration
CORP

38. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Transit VPC to AWS Transit Gateway migration
CORP

39. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Transit VPC to AWS Transit Gateway migration
CORP

40. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Transit VPC to AWS Transit Gateway migration
CORP

41. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Transit VPC to AWS Transit Gateway migration
CORP

42. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Transit VPC to AWS Transit Gateway migration
CORP

43. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Transit VPC to AWS Transit Gateway migration
CORP

44. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
CORP
10.0.0.0 /16 192.168.0.0 /16
VGW CGW
54.x.x.x
52.y.y.y
Public IP
AWS Site-to-Site VPN over AWS Direct Connect
Internet

45. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
CORP
10.0.0.0 /16 192.168.0.0 /16
VGW CGW
54.x.x.x
52.y.y.y
Public IP
AWS Site-to-Site VPN over AWS Direct Connect
AWS Direct Connect
location
Internet

46. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
CORP
10.0.0.0 /16 192.168.0.0 /16
VGW CGW
54.x.x.x
52.y.y.y
Public IP
AWS Site-to-Site VPN over AWS Direct Connect
AWS Direct Connect
location
Internet

47. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
CORP
10.0.0.0 /16 192.168.0.0 /16
VGW CGW
54.x.x.x
52.y.y.y
Public IP
AWS Site-to-Site VPN over AWS Direct Connect
Direct Connect
Location
Internet
Cost dimensions:

48. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
CORP
192.168.0.0 /16
CGW
54.x.x.x
52.y.y.y
Public IP
AWS Site-to-Site VPN over AWS Direct Connect
AWS Direct Connect
Location
Internet
Transit
Gateway

49. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Recap

50. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.

51. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
CORP
192.168.0.0 /16
CGW
10.0.0.0 /16
VGW
AWS VPN

52. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Introducing AWS Client VPN
• AWS managed client-based VPN service
• Secure access to any resource in AWS and on-
premises from anywhere using OpenVPN clients
• Seamlessly integrate with existing infrastructure, like
Amazon Virtual Private Cloud (Amazon VPC), AWS
Directory Services

53. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Architecture
End-user(s)
AWS services (like
Amazon S3, Amazon
DynamoDB)CORP
VGW
On-prem Internet
IGW
VPC
peering
VPC Subnet

54. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Features—Authentication & authorization
End-user(s)
AWS services (like
Amazon S3,
DynamoDB)
CORP
VGW
On-prem Internet
IGW
VPC
peering
VPC Subnet

55. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Features—Connectivity
End-user(s)
AWS services (like
Amazon S3,
DynamoDB)
CORP
VGW
On-prem Internet
IGW
VPC
peering
VPC Subnet

56. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Features—Manageability & clients
End-user(s)
AWS services (like
Amazon S3,
DynamoDB)
CORP
VGW
On-prem Internet
IGW
VPC
peering
VPC Subnet

57. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Setup—1. Create Client VPN Endpoint
Endpoint Status
• Pending-Associate

58. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Setup—2. Associate Client VPN Endpoint to your network
Endpoint Status
• Available
10.1.0.0 /16
Client VPN Endpoint Route Table
Destination Target
10.1.0.0/16 VPC Subnet
APP
10.1.0.50
End-users can now establish the VPN session
VPC Subnet

59. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Setup—3. Configure authorization rules
Endpoint Status
• Available
10.1.0.0 /16
Client VPN Endpoint Route Table
Destination Target
10.1.0.0/16 VPC Subnet
APP
10.1.0.50
End-users can now access resources in VPC
Authorization rule
• Rule to allow access VPC CIDR
VPC Subnet

60. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Setup—4. Enable connectivity to other networks
VPC Subnet
Endpoint Status
• Available
10.1.0.0 /16
Client VPN Endpoint Route Table
Destination Target
10.1.0.0/16 VPC Subnet
172.31.0.0/16 VPC Subnet
198.1.0.0/16 VPC Subnet
0.0.0.0/0 VPC Subnet
APP
10.1.0.50
End-users can now access resources located Anywhere!!!
Authorization rule
• Rule to allow access VPC CIDR
• Rule to allow destination CIDR
VPC
peering
172.31.0.0 /16
CORP
VGW
On-prem
198.1.0.0 /16
AWS services (like
Amazon S3,
DynamoDB)
Internet
IGW

61. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Setup—Summary
• Step 1: Create Client VPN Endpoint
• Step 2: Enable VPN connectivity for
end-users
• Step 3: Enable end-user access to
workloads
• Optional Step 4: Enable network
connectivity to access other networks
End-user(s)
AWS services (like
Amazon S3,
DynamoDB)
CORP
VGW
On-prem Internet
IGW
VPC
peering
VPC Subnet

62. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
CORP
192.168.0.0 /16
CGW
10.0.0.0 /16
VGW
AWS VPN options
10.0.0.0 /16
AWS services (like Amazon
S3, DynamoDB)
On-prem
Internet
CORP

63. Thank you!
© 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.
Kaartik Viswanath
Senior Manager
EC2 Networking
Tom Adamski
Specialist Solutions Architect
Networking

64. © 2018, Amazon Web Services, Inc. or its affiliates. All rights reserved.