
-: Hey, everyone, and welcome back.

In today's video we will be discussing

the site-to-site tunnel.

Now, a site-to-site VPN tunnel allows two

networking domains to communicate securely

with each other over an untrusted network like the internet.

Now, within the name itself, you have site-to-site.

So basically there are two sites which are available here.

Now, these two sites can be two different locations

between which you want to communicate securely.

So it can be between an EC2 instance and the data center.

It can be between two different VPCs.

It can be between AWS and Azure, or any other locations.

Now, do remember here that a site-to-site tunnel

is also referred to as S2S.

So in case you hear about S2S,

it basically means site-to-site.

Now, once the tunnel is established...

So let's assume that you have an EC2 instance.

So this acts as the VPN termination point.

And here you have the data center.

So there is a VPN tunnel which is established over here.

Now, one of the challenges

that an organization might typically face

in a site-to-site VPN is high availability.

So basically, if you see over here,

there is a single tunnel endpoint on each of the sites.

So you have the EC2 instance which acts as

a VPN termination point.

And if this EC2 instance goes down,

then the entire tunnel would break.

Now, some time back,

when AWS did not really have inter-region VPC peering,

site-to-site tunnels were pretty common.

In fact, let's assume that you wanted to establish

a tunnel between Singapore and Mumbai.

VPC peering was not an option back then.

So organizations used to use site-to-site VPN tunnels

pretty extensively.

And also nowadays, if you see, a lot of organizations

are based on hybrid cloud, or they are based

on on-premises and AWS.

So for such a scenario,

having a site-to-site VPN tunnel is extremely important.

So we were discussing the availability challenges

with an EC2 instance if you're using it

for the site-to-site VPN.

And if that EC2 instance goes down,

then your entire VPN connection would break.

So in order to overcome that,

what organizations typically do

is establish multiple tunnels.

So here you see you have one tunnel.

This is an active tunnel.

And then you have one more tunnel.

This is a passive tunnel.

So if one tunnel goes down,

then you can switch over to the passive tunnel

for high availability.

So here is a sample diagram.

So this is a tunnel

established between Mumbai and North Virginia.

Again, you can do this via VPC peering as well.

But let's assume that this is AWS

and on the right-hand side you have Azure.

Then you need to use a site-to-site VPN.

Now, when it comes to the architecture of a site-to-site VPN,

there are certain key terms

that you need to understand.

The first one is the virtual private gateway,

and the second is the customer gateway.

A customer gateway is nothing

but the VPN termination endpoint on the customer side.

So this can be a firewall or a server

that acts as an IPsec VPN tunnel termination endpoint,

et cetera.

Now, on the AWS side, we make use of a virtual private gateway.

However, do remember that it is not mandatory

to have a virtual private gateway.

A virtual private gateway has its own advantages.

Like we were discussing here,

if the EC2 instance goes down,

then the entire VPN tunnel that we have established over here

will also break.

So now what happens with a virtual private gateway

is that the virtual private gateway is highly available.

So in order to understand this,

let's take the example of this specific diagram.

So here, a virtual private gateway

has built-in high availability for a VPN connection.

So basically what happens is that

this virtual private gateway has two endpoint IP addresses,

and these endpoint IP addresses are located

in different availability zones.

So you have endpoint IP one here.

You have endpoint IP two here.

So now what you do from your customer side is

establish two VPN tunnels.

Now, the two VPN tunnels would be

for endpoint IP one and endpoint IP two.

And together they act as a single VPN connection.

Now, do remember that even though

you have a virtual private gateway,

if you implement this in your organization,

specifically if you have

multiple virtual private gateways

and multiple VPN connections,

there are a lot of instances

where one of the endpoints goes down

and then you have to switch to endpoint IP two.

Now, the great thing here is that the high availability

is managed by AWS.

So we do not really have to worry about this,

but you will get into situations

where you will see that one of the tunnels is down.

However, if you have set up your VPN connection properly,

you do not really have to worry, because high availability

will be taken care of.

So this can be understood with the diagram over here.

So this is one of the screenshots that I had taken

from a different video.

So here you see, within the VPN connection,

this is a site-to-site tunnel,

and this tunnel has two IP addresses over here.

The first IP address is 18.216.150.193

and the second is 18.220.211.76.

So currently you see there is only one endpoint

which has the status of up,

and the second has the status of down.

Ideally, if you're implementing it,

make sure that both of them are up.

That basically means that from your customer location

you have two VPN tunnels which are established.

So this was just a representation

of the two IP addresses

associated with the endpoints

for the virtual private gateway.

So this is the high-level overview of the site-to-site tunnel

and how exactly a virtual private gateway helps

in establishing a highly available site-to-site tunnel,

at least from the AWS perspective.

Now, before we conclude,

I would just like to share that

although you have high availability over here,

on the right-hand side you still have one router over here.

Or it can be one server.

And if this server goes down, or if this router goes down,

then again your tunnel breaks.

However, for example,

one of the primary things that you need to remember

is how you can achieve high availability,

at least from the AWS side,

which is achieved with the help

of the virtual private gateway.

So with this, we'll conclude this video.

I hope this video has been informative for you,

and I look forward to seeing you in the next video.
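The "make sure both tunnels are up" check from the screenshot discussion above, as an added example that is not part of the original video. It evaluates the per-tunnel telemetry that boto3's ec2.describe_vpn_connections() returns (the VgwTelemetry list, with OutsideIpAddress and a Status of UP or DOWN) and classifies each VPN connection as healthy, degraded (one tunnel down, so a single endpoint failure now breaks the connection) or down. The sample response is constructed to mirror the screenshot (one tunnel up, one down); the connection ID and status message in it are made up, and the live fetch helper is only there to show where the same data comes from in practice.

```python
"""Classify AWS Site-to-Site VPN connections by how many tunnels are up.

Added example, not from the original video. Works on the VgwTelemetry
structure returned by ec2.describe_vpn_connections(); the sample below is
constructed and its identifiers are made up.
"""
from dataclasses import dataclass
from typing import Any, Dict, List

# Constructed sample in the shape of describe_vpn_connections()["VpnConnections"],
# mirroring the screenshot in the video: endpoint one UP, endpoint two DOWN.
SAMPLE_VPN_CONNECTIONS: List[Dict[str, Any]] = [
    {
        "VpnConnectionId": "vpn-0123456789abcdef0",   # made-up identifier
        "State": "available",
        "VgwTelemetry": [
            {"OutsideIpAddress": "18.216.150.193", "Status": "UP",
             "StatusMessage": "", "AcceptedRouteCount": 1},
            {"OutsideIpAddress": "18.220.211.76", "Status": "DOWN",
             "StatusMessage": "IPSEC IS DOWN", "AcceptedRouteCount": 0},
        ],
    },
]


@dataclass
class TunnelHealth:
    vpn_connection_id: str
    up: List[str]      # outside IPs of the VGW endpoints whose tunnel is UP
    down: List[str]    # outside IPs whose tunnel is anything other than UP
    verdict: str       # "healthy", "degraded" or "down"


def assess(connection: Dict[str, Any]) -> TunnelHealth:
    """Both tunnels up -> healthy; one up -> degraded (no redundancy left); none up -> down."""
    telemetry = connection.get("VgwTelemetry", [])
    up = [t["OutsideIpAddress"] for t in telemetry if t.get("Status") == "UP"]
    down = [t["OutsideIpAddress"] for t in telemetry if t.get("Status") != "UP"]
    if len(telemetry) >= 2 and not down:
        verdict = "healthy"
    elif up:
        # Traffic still flows, but this is the single-endpoint situation the video warns about.
        verdict = "degraded"
    else:
        verdict = "down"
    return TunnelHealth(connection["VpnConnectionId"], up, down, verdict)


def assess_all(connections: List[Dict[str, Any]]) -> List[TunnelHealth]:
    return [assess(c) for c in connections]


def fetch_live_connections(region_name: str) -> List[Dict[str, Any]]:
    """Pull the real list with boto3. Needs credentials and network access, so it is
    imported lazily and not exercised by the offline sample run below."""
    import boto3  # assumed to be installed only when this helper is actually used
    ec2 = boto3.client("ec2", region_name=region_name)
    return ec2.describe_vpn_connections()["VpnConnections"]


if __name__ == "__main__":
    for h in assess_all(SAMPLE_VPN_CONNECTIONS):
        print(f"{h.vpn_connection_id}: {h.verdict} (up={h.up}, down={h.down})")
```

Run it on the constructed sample and the connection from the screenshot comes out as degraded rather than down, which is the state worth alerting on: the VPN still carries traffic, so nothing obvious is broken, but the second tunnel from the customer gateway is not established and the built-in redundancy of the virtual private gateway is not being used.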
