This document describes four traffic encryption options when using AWS Direct Connect: 1) AWS Site-to-Site VPN to an Amazon VPC, 2) AWS Site-to-Site VPN to a Transit Gateway (Public VIF), 3) AWS Site-to-Site VPN Private IP VPN to AWS Transit Gateway, and 4) MACsec Security in AWS Direct Connect. It provides configuration steps for the first option of AWS Site-to-Site VPN to an Amazon VPC, which achieves encryption by combining the secure IPSec VPN tunnel with the low latency of AWS Direct Connect.
Traffic Encryption Options in AWS Direct Connect

1. AWS Site-to-Site VPN to an Amazon VPC
2. AWS Site-to-Site VPN to a Transit Gateway (Public VIF)
3. AWS Site-to-Site VPN Private IP VPN to AWS Transit Gateway
4. MACsec Security in AWS Direct Connect
AWS Site-to-Site VPN to an Amazon VPC

This method achieves traffic encryption by combining the benefits of the end-to-end secure IPSec connection with the low latency and consistent network experience of AWS Direct Connect when reaching resources in your Amazon VPC.

1. Create an AWS Direct Connect connection. For dedicated connections, set up a cross-connect between the AWS device and your device (or partner device) at the location. For hosted connections, you must accept the hosted connection before you can use it.
2. Once the connection is established, create an AWS Direct Connect public virtual interface (VIF) over the existing connection. Configure your customer gateway to bring up the VIF.
3. Once the border gateway protocol (BGP) peer on the VIF is established, AWS advertises its public IP range to the customer gateway device over the public VIF.
4. Create an AWS Site-to-Site VPN to the virtual private gateway associated to the virtual private cloud (VPC). AWS provides two AWS VPN endpoints attached to the virtual private gateway, which have public IP addresses that are reachable over the public VIF.
5. Configure your customer gateway with the VPN parameters to bring up the AWS Site-to-Site VPN connection.

[Figure: an AWS Region containing a VPC (10.0.0.0/16) with workload subnet 1 (10.0.0.0/24) in Availability Zone 1 and workload subnet 2 (10.0.1.0/24) in Availability Zone 2, each holding Amazon EC2 instances; a virtual private gateway terminating the AWS Site-to-Site VPN; the AWS Direct Connect public VIF; the AWS Direct Connect location with the AWS device and the customer or partner device; the customer gateway device and the corporate network (192.168.0.0/16). Numbers 1-5 mark the configuration steps and letters A-D the sample traffic flow.]

Subnet route table (both workload subnets):
  Destination      Target
  10.0.0.0/16      local
  192.168.0.0/16   vgw-id

Sample traffic flow

A. A client located in the corporate network needs to reach the IP address of an Amazon EC2 instance in the VPC, so the traffic is routed through the customer gateway (CGW).
B. The customer gateway determines that the best route to the VPC is through the AWS Site-to-Site VPN tunnel. The traffic is then encrypted based on the cryptographic parameters for the IPSec tunnel, with the destination of the encrypted packet being the Site-to-Site VPN endpoint public IP address.
C. The customer gateway determines that the best route to the AWS VPN endpoint public IP address is through the Direct Connect public VIF.
D. The AWS VPN endpoint receives the encrypted
AWS Site-to-Site VPN to AWS Transit Gateway (Public VIF)

This method achieves traffic encryption by combining the benefits of the end-to-end secure IPSec connection with the low latency and consistent network experience of AWS Direct Connect when reaching resources in your Amazon VPCs through AWS Transit Gateway. This approach is suitable for customers that need to reach multiple VPCs in their AWS environment.

1. Create an AWS Direct Connect connection. For dedicated connections, proceed to set up a cross-connect between the AWS device and your device (or partner device) at the location. For hosted connections, you must accept the connection before you can use it.
2. Once the connection is established, create an AWS Direct Connect public virtual interface. Configure your customer gateway to bring up the VIF.
3. Once the BGP peer on the VIF is established, AWS advertises its public IP range to the customer gateway device over the public VIF.
4. Create an AWS Site-to-Site VPN and choose your AWS Transit Gateway instance as the VPN concentrator for the AWS side.
5. Configure the customer gateway with the VPN parameters to bring up the AWS VPN connection and route traffic destined to the Transit Gateway network through the AWS VPN connection.

[Figure: an AWS Region containing an AWS Transit Gateway with a VPN attachment and two spoke VPCs. Spoke VPC A (10.0.0.0/16) in Availability Zone A has a workload subnet (10.0.1.0/24) with an Amazon EC2 instance (elastic network interface) and a subnet used for the Transit Gateway attachment (10.0.0.0/24); spoke VPC B (10.1.0.0/16) in Availability Zone B has a workload subnet (10.1.1.0/24) with an Amazon EC2 instance and a Transit Gateway attachment subnet (10.1.0.0/24). The AWS Site-to-Site VPN runs over the AWS Direct Connect public VIF through the AWS Direct Connect location (AWS device and customer or partner device) to the customer gateway device in the corporate network (192.168.0.0/16). Numbers 1-5 mark the configuration steps and letters A-E the sample traffic flow.]

Transit Gateway route table:
  Destination      Attachment
  10.0.0.0/16      Spoke VPC A (VPC CIDR attachment)
  10.1.0.0/16      Spoke VPC B (VPC CIDR attachment)
  192.168.0.0/16   S2S VPN (VPN attachment)

Spoke VPC A route table:
  Destination      Target
  10.0.0.0/16      local
  0.0.0.0/0        tgw-id

Spoke VPC B route table:
  Destination      Target
  10.1.0.0/16      local
  0.0.0.0/0        tgw-id

Sample traffic flow

A. A client located in the corporate network needs to route network traffic to the IP address of an Amazon EC2 instance in spoke VPC A, and routes the traffic through the customer gateway.
B. The customer gateway determines that the best route to the VPC is through the AWS Site-to-Site VPN tunnel. The traffic is then encrypted based on the cryptographic parameters for the IPSec tunnel, with the destination of the encrypted packet being the AWS VPN endpoint public IP address.
C. The customer gateway determines that the best route to the AWS VPN endpoint public IP address is through the Direct Connect public VIF.
D. The AWS VPN endpoint attached to the Transit Gateway receives the encrypted IPSec traffic and forwards it to the Transit Gateway.
E. The traffic is decrypted, forwarded to spoke VPC A, and routed to the Amazon EC2 instance.
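Both sample traffic flows hinge on the customer gateway doing two route lookups: the clear-text packet's destination (the VPC CIDR) selects the IPSec tunnel, and the resulting ESP packet, addressed to the VPN endpoint public IP, is routed again and should land on the Direct Connect public VIF because that is where BGP advertised the AWS public range. The Python model below is an added example, not code from this document or from AWS; it covers steps B and C of both designs and step E's Transit Gateway forwarding from the second design. All route tables, next-hop names, the 203.0.113.0/24 prefix standing in for an AWS public range and 203.0.113.10 standing in for a VPN endpoint address are constructed for illustration. It also adds a check the document does not show: which tunnels would leave the Direct Connect path if the public VIF prefix were no longer in the table.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Route:
    prefix: str    # destination CIDR
    next_hop: str  # egress interface, tunnel, or Transit Gateway attachment (hypothetical names)


def longest_prefix_match(routes, dst):
    """Return the most specific route whose prefix contains dst, or None."""
    addr = ip_address(dst)
    best, best_len = None, -1
    for route in routes:
        net = ip_network(route.prefix)
        if addr in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


# Constructed customer gateway routing table. 192.168.0.0/16 is the corporate
# network, 10.0.0.0/16 the VPC reached through the IPsec tunnel, and
# 203.0.113.0/24 (a documentation block) stands in for the AWS public range
# that BGP advertises over the Direct Connect public VIF.
CGW_ROUTES = [
    Route("192.168.0.0/16", "lan"),
    Route("10.0.0.0/16", "vpn-tunnel-1"),
    Route("203.0.113.0/24", "dx-public-vif"),
    Route("0.0.0.0/0", "internet-uplink"),
]

# Outer destination of each tunnel: the AWS VPN endpoint public IP (placeholder value).
TUNNEL_ENDPOINTS = {"vpn-tunnel-1": "203.0.113.10"}

DX_HOP = "dx-public-vif"


def resolve_path(routes, tunnel_endpoints, dst):
    """Steps B and C of the sample traffic flow.

    First lookup: the clear-text packet's destination selects the tunnel.
    Second lookup: after IPsec encapsulation the ESP packet is addressed to the
    tunnel endpoint's public IP, so that address is routed again.
    Returns the list of next hops taken, or None if dst is unroutable."""
    inner = longest_prefix_match(routes, dst)
    if inner is None:
        return None
    path = [inner.next_hop]
    if inner.next_hop in tunnel_endpoints:
        outer = longest_prefix_match(routes, tunnel_endpoints[inner.next_hop])
        path.append(outer.next_hop if outer else "unreachable")
    return path


def tunnels_not_on_dx(routes, tunnel_endpoints, dx_hop=DX_HOP):
    """Operational check: tunnels whose ESP traffic would not egress via the
    public VIF, e.g. because the AWS prefix disappeared when the BGP session on
    the VIF dropped and the encrypted packets now follow the default route."""
    off_dx = []
    for tunnel, endpoint in tunnel_endpoints.items():
        outer = longest_prefix_match(routes, endpoint)
        if outer is None or outer.next_hop != dx_hop:
            off_dx.append(tunnel)
    return off_dx


# Constructed Transit Gateway route table for the second design: each spoke
# VPC CIDR points at its VPC attachment, the corporate range at the VPN attachment.
TGW_ROUTES = [
    Route("10.0.0.0/16", "vpc-attachment-spoke-a"),
    Route("10.1.0.0/16", "vpc-attachment-spoke-b"),
    Route("192.168.0.0/16", "vpn-attachment"),
]


def tgw_forward(dst, routes=TGW_ROUTES):
    """Step E: the decrypted packet is forwarded to the attachment owning its
    destination; a destination with no route is dropped (blackhole)."""
    route = longest_prefix_match(routes, dst)
    return route.next_hop if route else "blackhole"


if __name__ == "__main__":
    print(resolve_path(CGW_ROUTES, TUNNEL_ENDPOINTS, "10.0.0.25"))
    print(tgw_forward("10.1.1.7"))
    withdrawn = [r for r in CGW_ROUTES if r.next_hop != DX_HOP]
    print(tunnels_not_on_dx(withdrawn, TUNNEL_ENDPOINTS))
```

The `tunnels_not_on_dx` check is the one worth wiring into monitoring: the AWS public range is only in the customer gateway's table while the BGP session on the public VIF is up, so if that session drops the tunnel stays encrypted but its ESP packets follow the default route, and the low-latency Direct Connect path described in both sections is silently lost. Alerting on the BGP session state or on the presence of the advertised prefix catches that before users notice.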