AWS Site-to-Site and Client VPN

Learn how to connect your on-premises resources to your VPC using a Site-to-Site VPN connection and allow your clients to communicate with your resources using Client VPN.

AWS Site-to-Site VPN

AWS Site-to-Site (S2S) VPN is a connection between our on-premises network and a VPC in the cloud. It runs over the public internet, but the traffic on the connection is encrypted. Because it depends on the public internet, data throughput and latency vary with internet conditions.


AWS S2S VPN components

Let's look at the main components involved in establishing an S2S VPN connection between the VPC and the on-premises network.

  • Virtual private gateway (VGW): A concentrator on the AWS side of the connection that attaches to the VPC, allowing the resources to access the S2S VPN connection.

  • Transit gateway: A transit gateway can be used in place of a VGW. It is a hub that connects multiple VPCs and routes traffic between them.

  • Customer gateway (CGW): An AWS resource created within our AWS account that points to the customer gateway device configured in our on-premises network. 

  • Customer gateway device: A physical device or software on the on-premises network. 

How Site-to-Site VPN connection works

The first step in setting up an S2S VPN is to configure a VGW inside our VPC. Next we create a CGW in our AWS account and point it at the customer gateway device residing in our network. The CGW then initiates a secure VPN connection between the VPC and the on-premises network.

Consider a scenario where a network administrator has to connect a VPC to the organization's data center. The network administrator creates a VGW and a CGW and then creates the S2S VPN connection between them.

[Figure: Site-to-Site VPN connection between VPC and on-premises resources]

In the illustration above, the virtual private gateway establishes a Site-to-Site VPN connection with the customer gateway, which points at the customer gateway device in the organization's data center.

Different ways to create S2S VPN connection

When connecting the VGW to our network, we need to consider the following points:

  • If the customer gateway device is public, meaning it has a public IP address, then the public IP of the CGW is used for the connection.

  • The CGW can also be private, meaning it has a private IP address and sits behind a NAT device. In this case NAT traversal (NAT-T) is used, and the public IP of the NAT device is the address configured for the connection.

[Figures (1 of 2): Customer Gateway with Public IP]

Note: Even if all the configurations mentioned above are correct, we won't get a working connection until we enable route propagation for the VGW in our VPC route table.

AWS Site-to-Site VPN over a virtual private gateway does not support IPv6 traffic, and the VPN tunnels do not support Path MTU Discovery.
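The steps above (VGW attached to the VPC, a CGW pointing at the on-premises device, the S2S VPN connection, and route propagation) written as a CloudFormation template. This is an added example, not the lesson's own material; the VPC ID, route table ID, customer gateway public IP, BGP ASN and on-premises CIDR are placeholders supplied as parameters.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: Added example - Site-to-Site VPN (VGW + CGW + VPN connection), not from the lesson
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id          # existing VPC (placeholder, supplied at deploy time)
  PrivateRouteTableId:
    Type: String                     # VPC route table that must learn the on-premises routes
  CustomerGatewayIp:
    Type: String                     # public IP of the CGW device, or of the NAT device in front of it
    Default: 203.0.113.10            # documentation address, placeholder
  OnPremCidr:
    Type: String
    Default: 10.10.0.0/16            # placeholder data-center range
Resources:
  VirtualPrivateGateway:             # step 1: the AWS-side VPN concentrator
    Type: AWS::EC2::VPNGateway
    Properties:
      Type: ipsec.1
  VgwAttachment:                     # attach the VGW to the VPC
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VpcId
      VpnGatewayId: !Ref VirtualPrivateGateway
  CustomerGateway:                   # step 2: AWS record pointing at the on-premises device
    Type: AWS::EC2::CustomerGateway
    Properties:
      Type: ipsec.1
      BgpAsn: 65000                  # required even with static routing; placeholder private ASN
      IpAddress: !Ref CustomerGatewayIp
  SiteToSiteVpn:                     # step 3: the VPN connection (AWS provisions two IPsec tunnels)
    Type: AWS::EC2::VPNConnection
    DependsOn: VgwAttachment
    Properties:
      Type: ipsec.1
      CustomerGatewayId: !Ref CustomerGateway
      VpnGatewayId: !Ref VirtualPrivateGateway
      StaticRoutesOnly: true
  OnPremRoute:                       # static route for the data-center prefix over the tunnels
    Type: AWS::EC2::VPNConnectionRoute
    Properties:
      DestinationCidrBlock: !Ref OnPremCidr
      VpnConnectionId: !Ref SiteToSiteVpn
  RoutePropagation:                  # the note above: without this the VPC route table never learns the route
    Type: AWS::EC2::VPNGatewayRoutePropagation
    DependsOn: VgwAttachment
    Properties:
      RouteTableIds:
        - !Ref PrivateRouteTableId
      VpnGatewayId: !Ref VirtualPrivateGateway
```

This covers only the AWS side; the customer gateway device still has to be configured with the tunnel endpoints and pre-shared keys that AWS generates for the VPN connection.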

AWS Client VPN

AWS Client VPN is a managed, client-based VPN service that lets individual users connect securely to our network. It connects the client computer to the AWS resources in a VPC and, through that VPC, to resources in our on-premises network. Because AWS Client VPN carries the traffic over a virtual private network, it is encrypted end to end.

Consider the same scenario we discussed earlier, with the S2S VPN connection already established; now we want to connect individual clients to our network (AWS plus the data center).

[Figure: Client connecting to the VPC via VPN endpoint]

The illustration above shows the client accessing the VPC and on-premises resources over the public internet through the Client VPN endpoint.
