What is AWS Virtual Private Network (AWS VPN)?
AWS VPN establishes a secure connection between a customer's on-premises site (data center, office, remote site) and the AWS global network.
AWS offers two services under the VPN service category:
- AWS Client VPN
- AWS Site-to-Site VPN
AWS Client VPN
This is a simple managed service that requires configuration only on the AWS side (no setup is needed on the user side other than installing an OpenVPN client).
Features
- Allows users to connect (using an OpenVPN client) from anywhere and access AWS resources or on-premises resources.
- Fully managed by AWS. There is no need to install (and thus manage) any software or hardware to set up this VPN service.
- Secure connections (using TLS).
- Highly scalable – AWS automatically scales according to the number of users connecting.
- Administrator(s) can review the connection logs and other details from the console.
Limitations
- Client VPN only supports IPv4 traffic.
- Client VPN is not HIPAA (Health Insurance Portability and Accountability Act) or FIPS (Federal Information Processing Standards) compliant.
Steps to set up Client VPN
- Define the Client VPN endpoint – this is where all client connections terminate.
- Associate subnet(s) with the VPN endpoint. You can associate multiple subnets as long as each is in a different Availability Zone and all are in the same VPC.
- Configure authentication and authorization
  - Authentication is supported through Active Directory and/or mutual authentication (certificates). MFA is supported only if it is enabled in the Active Directory.
  - Authorization is supported through network-based authorization rules and security groups.
- Update the route table for the VPN endpoint to establish routing to the desired networks.
  - These may include resources within this VPC, other VPCs (through VPC peering), the on-premises network, the Internet, and AWS public services.
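The route-table and authorization steps above are easy to get wrong because they are evaluated independently: a route to a network does not grant access to it, and an authorization rule without a route goes nowhere. The following is an added example (not AWS code) that models this with the Python standard library only. It treats the endpoint's route table as a longest-prefix lookup and its authorization rules as "destination CIDR plus optional directory group", which is a simplification of the console behaviour; the subnet ids and group names are constructed placeholders.

```python
"""Simplified model of Client VPN routing + authorization (added example, not AWS code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Route:
    destination_cidr: str
    target_subnet: str               # associated subnet that forwards the traffic


@dataclass
class AuthorizationRule:
    target_cidr: str                 # destination network the rule grants access to
    group_id: Optional[str] = None   # None means "allow access to all users"


@dataclass
class ClientVpnEndpoint:
    client_cidr: str                 # address pool handed out to connecting clients
    routes: List[Route] = field(default_factory=list)
    rules: List[AuthorizationRule] = field(default_factory=list)

    def lookup_route(self, dst_ip):
        """Return the most specific route covering dst_ip, or None."""
        ip = ipaddress.ip_address(dst_ip)
        best, best_len = None, -1
        for r in self.routes:
            net = ipaddress.ip_network(r.destination_cidr)
            if ip in net and net.prefixlen > best_len:
                best, best_len = r, net.prefixlen
        return best

    def is_authorized(self, dst_ip, user_groups):
        """True if any rule covers dst_ip and applies to the user's groups (or to everyone)."""
        ip = ipaddress.ip_address(dst_ip)
        for rule in self.rules:
            if ip in ipaddress.ip_network(rule.target_cidr):
                if rule.group_id is None or rule.group_id in user_groups:
                    return True
        return False


def check_access(endpoint, user_groups, dst_ip):
    """Return (allowed, reason) for a connected user's packet to dst_ip."""
    route = endpoint.lookup_route(dst_ip)
    if route is None:
        return False, f"no route for {dst_ip} in the endpoint route table"
    if not endpoint.is_authorized(dst_ip, user_groups):
        return False, f"route via {route.target_subnet} exists but no authorization rule grants {dst_ip}"
    return True, f"allowed via {route.target_subnet}"


# Constructed endpoint: placeholder subnet ids and group names, RFC 1918 / documentation ranges.
ENDPOINT = ClientVpnEndpoint(
    client_cidr="10.100.0.0/22",
    routes=[
        Route("10.0.0.0/16", "subnet-placeholder-a"),     # VPC CIDR
        Route("192.168.0.0/16", "subnet-placeholder-a"),  # on-premises network reached through the VPC
        Route("172.16.0.0/12", "subnet-placeholder-b"),   # peered VPC: route present, no authorization rule
    ],
    rules=[
        AuthorizationRule("10.0.0.0/16"),                                # all authenticated users
        AuthorizationRule("192.168.0.0/16", "ad-group-network-admins"),  # only this directory group
    ],
)

if __name__ == "__main__":
    for groups, dst in [({"developers"}, "10.0.5.4"),
                        ({"developers"}, "192.168.1.10"),
                        ({"ad-group-network-admins"}, "192.168.1.10"),
                        ({"ad-group-network-admins"}, "172.16.3.3"),
                        (set(), "203.0.113.9")]:
        print(sorted(groups), dst, check_access(ENDPOINT, groups, dst))
```

The 172.16.0.0/12 case is the one worth remembering when troubleshooting: the endpoint has a route, the client still cannot reach the network, and the fix is an authorization rule, not another route.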
Pricing
- Billed per active Client VPN endpoint hour, and
- Billed per Client VPN connection hour
AWS Site-to-Site VPN
This VPN service connects a VPC to an on-premises network.
Key components
- VPC
- Virtual Private Gateway – attaches to the VPC
- Customer Gateway – a physical or software component in the on-premises network
  - to be more precise, this has two components – the Customer Gateway (an AWS-provided resource) and the Customer Gateway device (physical or software)
  - should have a public IP
- Routing may be dynamic (routes propagated using BGP) or static (manually defined routes)
- Tunnel – an encrypted link that allows data to flow between AWS and the on-premises site
  - Each VPN connection has two tunnels for high availability
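Because every connection comes with two tunnels, a connection can look healthy while it has silently lost its redundancy. The following is an added example (not AWS code) of a defender-side health check that reads the JSON shape returned by `aws ec2 describe-vpn-connections` (`VpnConnections[].VgwTelemetry[]`) and reports connections running on a single tunnel, or, for BGP connections, tunnels that are IPsec-up but have learned no routes. The embedded document is constructed sample data with placeholder connection ids and documentation-range IPs so that it runs offline; in practice you would feed it the real CLI output.

```python
"""Site-to-Site VPN tunnel health check (added example, not AWS code)."""
import json

# Constructed sample in the describe-vpn-connections output shape.
SAMPLE_OUTPUT = json.loads(r"""
{
  "VpnConnections": [
    {
      "VpnConnectionId": "vpn-0000000000000001",
      "State": "available",
      "Options": {"StaticRoutesOnly": false},
      "VgwTelemetry": [
        {"OutsideIpAddress": "203.0.113.10", "Status": "UP",
         "StatusMessage": "", "AcceptedRouteCount": 4},
        {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN",
         "StatusMessage": "IPSEC IS DOWN", "AcceptedRouteCount": 0}
      ]
    },
    {
      "VpnConnectionId": "vpn-0000000000000002",
      "State": "available",
      "Options": {"StaticRoutesOnly": true},
      "VgwTelemetry": [
        {"OutsideIpAddress": "203.0.113.20", "Status": "UP",
         "StatusMessage": "", "AcceptedRouteCount": 0},
        {"OutsideIpAddress": "203.0.113.21", "Status": "UP",
         "StatusMessage": "", "AcceptedRouteCount": 0}
      ]
    },
    {
      "VpnConnectionId": "vpn-0000000000000003",
      "State": "available",
      "Options": {"StaticRoutesOnly": false},
      "VgwTelemetry": [
        {"OutsideIpAddress": "203.0.113.30", "Status": "UP",
         "StatusMessage": "", "AcceptedRouteCount": 0},
        {"OutsideIpAddress": "203.0.113.31", "Status": "UP",
         "StatusMessage": "", "AcceptedRouteCount": 2}
      ]
    }
  ]
}
""")

EXPECTED_TUNNELS = 2  # every Site-to-Site VPN connection is provisioned with two tunnels


def summarize_connection(conn):
    """Describe routing mode and tunnel health for one VpnConnections[] entry."""
    telemetry = conn.get("VgwTelemetry", [])
    static = conn.get("Options", {}).get("StaticRoutesOnly", False)
    findings = []
    up = 0
    for t in telemetry:
        addr = t.get("OutsideIpAddress", "?")
        if t.get("Status") == "UP":
            up += 1
            # With dynamic routing, an IPsec-up tunnel that has accepted no routes
            # is not carrying traffic: the BGP session is not exchanging prefixes.
            if not static and t.get("AcceptedRouteCount", 0) == 0:
                findings.append(f"{addr}: tunnel UP but BGP accepted 0 routes")
        else:
            findings.append(f"{addr}: {t.get('Status')} ({t.get('StatusMessage') or 'no message'})")
    return {
        "VpnConnectionId": conn["VpnConnectionId"],
        "routing": "static" if static else "dynamic (BGP)",
        "tunnels_up": up,
        "tunnels_total": len(telemetry),
        "degraded": up < EXPECTED_TUNNELS or bool(findings),
        "findings": findings,
    }


def degraded_connections(describe_output):
    """Return the ids of connections that have lost redundancy or have a non-forwarding tunnel."""
    summaries = (summarize_connection(c) for c in describe_output.get("VpnConnections", []))
    return [s["VpnConnectionId"] for s in summaries if s["degraded"]]


if __name__ == "__main__":
    for conn in SAMPLE_OUTPUT["VpnConnections"]:
        s = summarize_connection(conn)
        print(f"{s['VpnConnectionId']} [{s['routing']}] {s['tunnels_up']}/{s['tunnels_total']} tunnels up")
        for f in s["findings"]:
            print("  -", f)
```

For static connections `AcceptedRouteCount` is not meaningful, so the check only reads it when `StaticRoutesOnly` is false; that keeps vpn-0000000000000002 out of the degraded list while vpn-0000000000000003, whose second BGP session has no prefixes, is reported.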
Limitations
- Site-to-Site VPN only supports IPv4 traffic.
Pricing
- Billed for each hour the Site-to-Site VPN connection is available. To stop incurring charges, you have to terminate the VPN connection (from the console, CLI, or API).
- Also billed per GB transferred out (after the first GB).
- Enabling Accelerated Site-to-Site VPN (AWS Global Accelerator) adds premium charges, in addition to the two basic fees above.
External Resources
- AWS VPN – https://aws.amazon.com/vpn/
- AWS VPN Pricing – https://aws.amazon.com/vpn/pricing/