Traffic Encryption Options in AWS Direct Connect

1. AWS Site-to-Site VPN to an Amazon VPC
2. AWS Site-to-Site VPN to a Transit Gateway (Public VIF)
3. AWS Site-to-Site VPN Private IP VPN to AWS Transit Gateway
4. MACsec Security in AWS Direct Connect

Reviewed for technical accuracy October 13, 2022

© 2022, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Reference Architecture
AWS Site-to-Site VPN to an Amazon VPC

This method achieves traffic encryption by combining the benefits of the end-to-end secure IPSec connection with the low latency and consistent network experience of AWS Direct Connect when reaching resources in your Amazon VPC.

Configuration steps

1. Create an AWS Direct Connect connection. For dedicated connections, set up a cross-connect between the AWS device and your device (or partner device) at the location. For hosted connections, you must accept the hosted connection before you can use it.
2. Once the connection is established, create an AWS Direct Connect public virtual interface (VIF) over the existing connection. Configure your customer gateway to bring up the VIF.
3. Once the Border Gateway Protocol (BGP) peer on the VIF is established, AWS advertises its public IP range to the customer gateway device over the public VIF.
4. Create an AWS Site-to-Site VPN to the virtual private gateway associated with the virtual private cloud (VPC). AWS provides two AWS VPN endpoints attached to the virtual private gateway, which have public IP addresses that are reachable over the public VIF.
5. Configure your customer gateway with the VPN parameters to bring up the AWS Site-to-Site VPN connection.

Sample traffic flow

A. A client located in the corporate network needs to reach the IP address of an Amazon EC2 instance in the VPC, so the traffic is routed through the customer gateway (CGW).
B. The customer gateway determines that the best route to the VPC is through the AWS Site-to-Site VPN tunnel. The traffic is then encrypted based on the cryptographic parameters of the IPSec tunnel, with the destination of the encrypted packet being the Site-to-Site VPN endpoint public IP address.
C. The customer gateway determines that the best route to the AWS VPN endpoint public IP address is through the Direct Connect public VIF.
D. The AWS VPN endpoint receives the encrypted IPSec traffic and decrypts it. Because the original IP destination address is the Amazon EC2 instance in the VPC, the traffic is routed through the VPC fabric to the EC2 instance.
E. Return traffic from the EC2 instance to the client located in the corporate network follows a reverse but identical path.

Diagram (labels recovered from the figure): AWS Region; VPC 10.0.0.0/16 with Availability Zone 1 (workload subnet 1, 10.0.0.0/24) and Availability Zone 2 (workload subnet 2, 10.0.1.0/24), each holding EC2 instances; virtual private gateway; AWS Site-to-Site VPN; AWS Direct Connect public VIF; AWS Direct Connect location with the AWS device and the customer or partner device; customer gateway; corporate network 192.168.0.0/16.

Subnet route (both workload subnets):
  Destination      Target
  10.0.0.0/16      local
  192.168.0.0/16   vgw-id
AWS Site-to-Site VPN to AWS Transit Gateway (Public VIF)

This method achieves traffic encryption by combining the benefits of the end-to-end secure IPSec connection with the low latency and consistent network experience of AWS Direct Connect when reaching resources in your Amazon VPCs through AWS Transit Gateway. This approach is suitable for customers that need to reach multiple VPCs in their AWS environment.

Configuration steps

1. Create an AWS Direct Connect connection. For dedicated connections, proceed to set up a cross-connect between the AWS device and your device (or partner device) at the location. For hosted connections, you must accept the connection before you can use it.
2. Once the connection is established, create an AWS Direct Connect public virtual interface. Configure your customer gateway to bring up the VIF.
3. Once the BGP peer on the VIF is established, AWS advertises its public IP range to the customer gateway device over the public VIF.
4. Create an AWS Site-to-Site VPN and choose your AWS Transit Gateway instance as the VPN concentrator for the AWS side.
5. Configure the customer gateway with the VPN parameters to bring up the AWS VPN connection, and route traffic destined to the Transit Gateway through the AWS VPN connection.

Sample traffic flow

A. A client located in the corporate network needs to route network traffic to the IP address of an Amazon EC2 instance in spoke VPC A, and routes the traffic through the customer gateway.
B. The customer gateway determines that the best route to the VPC is through the AWS Site-to-Site VPN tunnel. The traffic is then encrypted based on the cryptographic parameters of the IPSec tunnel, with the destination of the encrypted packet being the AWS VPN endpoint public IP address.
C. The customer gateway determines that the best route to the AWS VPN endpoint public IP address is through the Direct Connect public VIF.
D. The AWS VPN endpoint attached to the Transit Gateway receives the encrypted IPSec traffic and forwards it to the Transit Gateway.
E. The traffic is decrypted, forwarded to spoke VPC A, and routed to the Amazon EC2 instance.
F. Return traffic from the EC2 instance to the corporate network follows a reverse but identical path.

Diagram (labels recovered from the figure): AWS Region; spoke VPC A 10.0.0.0/16 with Availability Zone A (workload subnet 10.0.1.0/24 holding an EC2 instance and its elastic network interface; Transit Gateway subnet 10.0.0.0/24); spoke VPC B 10.1.0.0/16 with Availability Zone B (Transit Gateway subnet 10.1.0.0/24; workload subnet 10.1.1.0/24 holding an EC2 instance and its elastic network interface); VPC associations to AWS Transit Gateway; AWS Site-to-Site VPN; AWS Direct Connect public VIF; AWS Direct Connect location with the AWS device and the customer or partner device; customer gateway; corporate network 192.168.0.0/16.

Spoke VPC A route:
  Destination      Target
  10.0.0.0/16      local
  0.0.0.0/0        tgw-id

Spoke VPC B route:
  Destination      Target
  10.1.0.0/16      local
  0.0.0.0/0        tgw-id

Transit Gateway VPN route table:
  CIDR             Attachment
  10.0.0.0/24      Spoke VPC A
  10.1.0.0/24      Spoke VPC B

Second Transit Gateway route table in the figure:
  CIDR             Attachment
  192.168.0.0/16   S2S VPN
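Steps B and C above, like the identical steps B and C of the preceding "AWS Site-to-Site VPN to an Amazon VPC" page, are a two-stage forwarding decision on the customer gateway: the inner packet matches the VPC prefix and is encrypted, and the resulting outer packet, addressed to the AWS VPN endpoint, is matched again to pick the physical egress. The Python below models that as a recursive longest-prefix-match lookup. It is an added example, not code from this AWS document: the routing table, the next-hop names, and the TEST-NET-3 addresses standing in for the AWS public range and the VPN endpoint are all constructed.

```python
import ipaddress

# All addresses are constructed for this example. 203.0.113.0/24 (TEST-NET-3)
# stands in for the AWS public IP range learned over the public VIF, and
# 203.0.113.10 for the public IP of one Site-to-Site VPN endpoint.
VPN_ENDPOINT = "203.0.113.10"

# Customer gateway routing table mirroring the diagram: the VPC prefix points
# at the IPsec tunnel, the AWS public range (received via BGP on the public
# VIF, step 3) points at the VIF, and everything else goes to the Internet.
CGW_ROUTES = [
    ("10.0.0.0/16", "vpn-tunnel"),
    ("203.0.113.0/24", "dx-public-vif"),
    ("0.0.0.0/0", "internet"),
]

# Same table with the BGP session on the public VIF down: the AWS public range
# is withdrawn, so only the default route is left for the tunnel endpoint.
CGW_ROUTES_VIF_DOWN = [r for r in CGW_ROUTES if r[1] != "dx-public-vif"]


def longest_prefix_match(table, dst):
    """Return (network, next_hop) of the most specific route containing dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best


def resolve_path(table, inner_dst, tunnel_endpoint=VPN_ENDPOINT):
    """Model steps B and C of the traffic flow.

    The inner packet is matched first. If its route is the IPsec tunnel, the
    packet is encrypted and re-addressed to the tunnel endpoint, and that
    outer destination is looked up again to choose the physical egress. The
    result records whether the payload left encrypted and which interface
    carried it.
    """
    inner_net, next_hop = longest_prefix_match(table, inner_dst)
    if next_hop != "vpn-tunnel":
        # Plaintext path: no encapsulation, a single lookup decides egress.
        return {"encrypted": False, "outer_dst": inner_dst, "egress": next_hop,
                "matched": [str(inner_net)]}
    outer_net, egress = longest_prefix_match(table, tunnel_endpoint)
    return {"encrypted": True, "outer_dst": tunnel_endpoint, "egress": egress,
            "matched": [str(inner_net), str(outer_net)]}


if __name__ == "__main__":
    # Intended path: VPC-bound traffic is encrypted and the ESP packet exits
    # via the Direct Connect public VIF.
    print(resolve_path(CGW_ROUTES, "10.0.0.10"))
    # Failure mode: with the VIF's BGP route gone the traffic is still
    # encrypted, but the tunnel now rides the Internet instead of Direct Connect.
    print(resolve_path(CGW_ROUTES_VIF_DOWN, "10.0.0.10"))
```

The second table is the check worth keeping in an operational runbook: if the AWS public range stops being learned over the public VIF (BGP down, prefix filtered by the customer gateway), the tunnel falls back to the default route. Confidentiality is unaffected because the IPsec tunnel still terminates on the same endpoint, but the low latency and consistent network experience the page attributes to Direct Connect is lost, and nothing in the tunnel itself signals the change.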
AWS Site-to-Site VPN Private IP VPN to AWS Transit Gateway

AWS Site-to-Site VPN Private IP VPN connections are created over Direct Connect using private IP addresses, enabling enhanced security and network privacy at the same time. Private IP VPNs are deployed on top of Transit VIFs and Direct Connect gateways as the underlying transport.

Configuration steps

1. Create an AWS Direct Connect connection. For dedicated connections, proceed to set up the cross-connect between the AWS device and your device (or partner device) at the location. For hosted connections, you must accept the hosted connection before you can use it.
2. Once the connection is established, create a Direct Connect transit virtual interface (VIF) and a Direct Connect gateway. Configure your customer gateway to bring up the VIF.
3. Associate your AWS Transit Gateway with the Direct Connect gateway, specifying the Transit Gateway CIDR block as the allowed prefix on this attachment; make sure this CIDR block does not overlap with any VPC CIDR block or on-premises CIDR range.
4. Create the AWS Site-to-Site VPN using the Direct Connect gateway and transit VIF as the underlying transport.
5. Bring up the AWS Site-to-Site VPN tunnels and route traffic destined to the Transit Gateway via the AWS Site-to-Site VPN connection.

Sample traffic flow

A. A client located in the corporate network needs to route network traffic to the IP address of an Amazon EC2 instance in spoke VPC A, and routes the traffic through the customer gateway.
B. The customer gateway determines that the best route to the VPC is via the AWS Site-to-Site VPN connection. The traffic flows through the IPSec tunnels with the selected encryption method, using the transit VIF and Direct Connect gateway as the underlying transport network.
C. The traffic arrives at the Transit Gateway. As per the Transit Gateway VPN route table, the traffic is forwarded to spoke VPC A, and then routed to the EC2 instance.
D. The return traffic from the EC2 instance to the client located in the corporate network follows a reverse but identical path, as described in steps A-C.

Diagram (labels recovered from the figure): AWS Region; spoke VPC A 10.0.0.0/16 with Availability Zone A (workload subnet 10.0.0.0/24 holding an EC2 instance and its elastic network interface; Transit Gateway subnet 10.0.1.0/28); spoke VPC B 10.1.0.0/16 with Availability Zone B (Transit Gateway subnet 10.1.1.0/28; workload subnet 10.1.0.0/24 holding an EC2 instance and its elastic network interface); VPC associations to AWS Transit Gateway; AWS Site-to-Site VPN; Direct Connect gateway with its Transit Gateway association; transit VIF; AWS Direct Connect location with the AWS Direct Connect router and the customer or partner device; customer gateway; corporate data center 192.168.0.0/16.

Spoke VPC A route:
  Destination      Target
  10.0.0.0/16      local
  0.0.0.0/0        tgw-id

Spoke VPC B route:
  Destination      Target
  10.1.0.0/16      local
  0.0.0.0/0        tgw-id

Transit Gateway VPN route table:
  CIDR             Attachment
  10.0.0.0/16      spoke VPC A
  10.1.0.0/16      spoke VPC B

Second Transit Gateway route table in the figure (CIDR as printed):
  CIDR             Attachment
  192.168.1.0/16   S2S VPN

For more information about Private IP VPNs, see Introducing AWS Site-to-Site Private IP VPNs.
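Step 3 requires the Transit Gateway CIDR block to be disjoint from every VPC CIDR block and every on-premises range, because the Private IP VPN tunnel endpoints are drawn from it and an overlap makes routes ambiguous. The Python below checks a candidate block against the CIDRs shown in this page's diagram using the standard-library ipaddress module. It is an added example, not code from this AWS document; the candidate blocks and the name-to-CIDR mappings are constructed, and the /24 minimum size is taken from AWS documentation for IPv4 transit gateway CIDR blocks rather than from this page.

```python
import ipaddress

# CIDRs taken from the diagram on this page. The dictionaries and the
# candidate Transit Gateway blocks further down are constructed for the example;
# the page does not state a Transit Gateway CIDR.
VPC_CIDRS = {"spoke VPC A": "10.0.0.0/16", "spoke VPC B": "10.1.0.0/16"}
ON_PREM_CIDRS = {"corporate data center": "192.168.0.0/16"}

# Assumption from AWS documentation (not from this page): an IPv4 transit
# gateway CIDR block must be /24 or larger.
MAX_IPV4_PREFIXLEN = 24


def find_overlaps(candidate, named_cidrs):
    """Return the sorted names of every network in named_cidrs that overlaps candidate.

    strict=False normalises host bits, so a label such as 192.168.1.0/16 is
    treated as the network it denotes rather than rejected.
    """
    cand = ipaddress.ip_network(candidate, strict=False)
    return sorted(
        name for name, cidr in named_cidrs.items()
        if cand.overlaps(ipaddress.ip_network(cidr, strict=False))
    )


def validate_tgw_cidr(candidate, vpc_cidrs=VPC_CIDRS, on_prem_cidrs=ON_PREM_CIDRS):
    """Apply the rule in step 3 to a proposed Transit Gateway CIDR block.

    Returns (ok, problems): ok is True only when the block is large enough and
    overlaps neither a VPC CIDR nor an on-premises range.
    """
    problems = []
    net = ipaddress.ip_network(candidate, strict=False)
    if net.version != 4:
        problems.append("only IPv4 candidates are handled in this example")
    elif net.prefixlen > MAX_IPV4_PREFIXLEN:
        problems.append(f"{net} is smaller than /{MAX_IPV4_PREFIXLEN} (assumed AWS minimum)")
    for name in find_overlaps(candidate, vpc_cidrs):
        problems.append(f"overlaps VPC CIDR of {name} ({vpc_cidrs[name]})")
    for name in find_overlaps(candidate, on_prem_cidrs):
        problems.append(f"overlaps on-premises range {name} ({on_prem_cidrs[name]})")
    return (not problems, problems)


if __name__ == "__main__":
    # Constructed candidates: one that collides with spoke VPC A, one that
    # collides with the corporate range, one too small, and one acceptable.
    for candidate in ("10.0.1.0/24", "192.168.50.0/24", "172.16.0.0/28", "172.16.0.0/24"):
        ok, problems = validate_tgw_cidr(candidate)
        print(candidate, "OK" if ok else "; ".join(problems))
```

Running the check over every VPC you intend to attach, not just the two in the figure, is the point: the Transit Gateway CIDR is chosen once, and an overlap discovered after spoke VPCs are attached means re-addressing.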
MACsec Security in AWS Direct Connect

This method achieves encryption of traffic using MACsec security (IEEE 802.1AE), delivering native, near line-rate, point-to-point encryption for 10 Gbps and 100 Gbps links. With MACsec, you won’t need to create VPN connections on top of your Direct Connect links to encrypt the traffic.

Configuration steps

1. To configure MACsec on an AWS Direct Connect dedicated connection, ensure that the device at your end supports MACsec. The Direct Connect location must also support MACsec.
2. Create a 10G/100G AWS Direct Connect dedicated connection, choosing the option for a MACsec-enabled port.
3. Create a Connection Key Name (CKN)/Connectivity Association Key (CAK) pair for the MACsec secret key, making sure that the key pair is compatible with your device (or partner device).
4. Associate the CKN/CAK pair with the connection via the AWS Console, AWS Command Line Interface (CLI), or API.
5. Set up the cross-connect and complete the physical connection to your device (or partner device). Update the device at your end with the CKN/CAK pair.
6. Create a transit VIF to a Direct Connect gateway on the new MACsec-enabled connection, associated with your AWS Transit Gateway.

Sample traffic flow

A. A client located in the corporate network needs to route network traffic to the IP address of an EC2 instance in spoke VPC A, and routes the traffic to the customer gateway.
B. The customer gateway determines that the best route to the VPC is via the transit VIF, indicating that the traffic should be sent over the Direct Connect connection.
C. Because MACsec is enabled, the traffic between the customer gateway and AWS Transit Gateway is encrypted.
D. As per the Transit Gateway Direct Connect route table, the traffic is forwarded to spoke VPC A, and then routed to the EC2 instance.
E. Return traffic from the EC2 instance to the client located in the corporate network follows a reverse but identical path, as described in steps A-D.

NOTE: The connection between the customer or partner device at the AWS Direct Connect location and the on-premises customer gateway is only MACsec enabled if the Layer 2 circuit was extended all the way. If the Layer 2 circuit terminates on the customer or partner device at the AWS Direct Connect location, the responsibility for that segment of the circuit lies with the customer or partner.

Diagram (labels recovered from the figure): AWS Region; spoke VPC A 10.0.0.0/16 with Availability Zone A (workload subnet 10.0.1.0/24 holding an EC2 instance and its elastic network interface; Transit Gateway subnet 10.0.0.0/24); spoke VPC B 10.1.0.0/16 with Availability Zone B (Transit Gateway subnet 10.1.0.0/24; workload subnet 10.1.1.0/24 holding an EC2 instance and its elastic network interface); VPC associations to AWS Transit Gateway; Direct Connect (DX) gateway with its Transit Gateway association; AWS Direct Connect transit VIF; AWS Direct Connect location with the AWS Direct Connect device and the customer or partner device joined by a MACsec-encrypted cross-connect; Direct Connect link (MACsec encrypted) to the customer gateway; corporate network 192.168.0.0/16.

Spoke VPC A route:
  Destination      Target
  10.0.0.0/16      local
  0.0.0.0/0        tgw-id

Spoke VPC B route:
  Destination      Target
  10.1.0.0/16      local
  0.0.0.0/0        tgw-id

Transit Gateway Direct Connect route table:
  CIDR             Attachment
  10.0.0.0/24      spoke VPC A
  10.1.0.0/24      spoke VPC B

Second Transit Gateway route table in the figure:
  CIDR             Attachment
  192.168.0.0/16   DX gateway

For more information about MACsec in AWS Direct Connect, see Adding MACsec security to AWS Direct Connect connections.
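Steps 3 to 5 install a shared secret on both ends of the link: the CKN is only the name by which the key is identified, while the CAK is the secret that protects every frame, and AWS and your device must hold the same pair. The Python below is an added example, not code from this AWS document: it generates a pair from the operating system's CSPRNG, validates the 64-hex-character format (assumed from the accepted values documented for the associate-mac-sec-key API; your device or partner device may constrain key length further), rejects degenerate secrets, and compares a device-side pair to the AWS-side one in constant time while keeping the CAK out of logs. The connection id in the trailing comment is a placeholder.

```python
import hmac
import re
import secrets

# Assumption (from the AWS API documentation, not from this page): AWS accepts
# the CKN and the CAK as 64 hexadecimal characters (32 bytes) each. Confirm the
# same format is accepted by your device (or partner device), as step 3 asks.
HEX64 = re.compile(r"[0-9a-fA-F]{64}")


def generate_ckn_cak_pair():
    """Generate a fresh CKN/CAK pair from the OS CSPRNG (step 3).

    The CKN is a key name and may appear in logs and tickets; the CAK is the
    link secret and must be handled like a password.
    """
    return {"ckn": secrets.token_hex(32), "cak": secrets.token_hex(32)}


def validate_pair(pair):
    """Return (ok, problems) for a CKN/CAK pair before it is configured anywhere."""
    problems = []
    for field in ("ckn", "cak"):
        value = pair.get(field, "")
        if not HEX64.fullmatch(value):
            problems.append(f"{field} must be exactly 64 hexadecimal characters")
    if problems:
        return False, problems
    cak_bytes = bytes.fromhex(pair["cak"])
    # Reject degenerate secrets: a single repeated byte (e.g. all zeros), or a
    # CAK that merely copies the public CKN.
    if len(set(cak_bytes)) == 1:
        problems.append("cak is a single repeated byte and is not a usable secret")
    if hmac.compare_digest(pair["cak"].lower(), pair["ckn"].lower()):
        problems.append("cak must not equal the ckn")
    return (not problems, problems)


def device_matches_aws(aws_pair, device_pair):
    """Step 5 check: the pair configured on the on-premises device must equal
    the pair associated with the connection on the AWS side. The CAK
    comparison is constant-time so a mismatch reveals nothing about the secret.
    """
    same_ckn = aws_pair["ckn"].lower() == device_pair["ckn"].lower()
    same_cak = hmac.compare_digest(aws_pair["cak"].lower(), device_pair["cak"].lower())
    return same_ckn and same_cak


def redact(pair):
    """Form of the pair that is safe to print or log: CKN visible, CAK hidden."""
    return {"ckn": pair["ckn"], "cak": "<redacted>"}


if __name__ == "__main__":
    pair = generate_ckn_cak_pair()
    ok, problems = validate_pair(pair)
    print("generated pair valid:", ok, problems)
    print("safe to log:", redact(pair))
    # Step 4 on the AWS side (dxcon-EXAMPLE is a placeholder connection id):
    #   aws directconnect associate-mac-sec-key --connection-id dxcon-EXAMPLE \
    #       --ckn <ckn> --cak <cak>
```

Keep the CAK in a secrets manager and hand it to the device over an authenticated channel; the CKN is what you record in change tickets and what both sides will show when the MACsec session comes up, which makes it the right handle for confirming the two ends agree without ever echoing the secret.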
