Understanding AWS Virtual Private Network (VPN)

What is AWS Virtual Private Network (AWS VPN)?

AWS VPN allows establishing secure connection between customer’s on-premise site (datacenter, office, remote site) and the AWS global network.

 

AWS offers two services under VPN service category:

• AWS Client VPN
• AWS Site-to-Site VPN

 

---

AWS Client VPN

This is a simple managed service that requires configuration only on the AWS side (no setup needed on user side, other than installing OpenVPN client).

Features

• Allows users to connect (using OpenVPN client) from anywhere, and access AWS resources or on-premise resources.
• Fully managed by AWS. There is no need to install (and thus manage) any software or hardware to setup this VPN service.
• Secure connections (using TLS).
• Highly scalable – AWS automatically scales according to number of users connecting.
• Administrator(s) can administer the connection logs and other details from console.

 

Limitations

• Client VPN only supports IPv4 traffic.
• Client VPN is not HIPAA (Health Insurance Portability and Accountability Act) or FIPS (Federal Information Processing Standards) compliant.

 

Steps to setup Client VPN

1. Define Client VPN endpoint – this is where all the connections end at.
   • Associate Subnet(s) to VPN endpoint. You can associate multiple Subnets so long each of them are from different Availability Zone, and under the same VPC.
2. Associate Authentication and Authorization
   • Authentication is supported through Active Directory and / or Mutual Authentication (certificates). MFA is supported only if the Active Directory has enabled it.
   • Authorization is supported through Network-based and Security Groups
3. Update Route Table for the VPN endpoint to establish routing to desired sources.
   • Sources may include resources within this VPC, other VPCs (through VPC peering), on-premise network, Internet, AWS public services

 

Pricing

• Billed per active Client VPN endpoint hour, and
• Billed per each client VPN connection hour

 

---

AWS Site-to-Site VPN

This VPN service allows connection between a VPC and on-premise network.

 

Key components

• VPC
• Virtual Private Gateway – attaches to the VPC
• Customer Gateway – a physical or software component in on-premise network
  • Routing may be Dynamic (propagated routes using BGP) or Static (defined routes)
  • should have a public IP
  • to be more precise, this has two components – Customer Gateway (AWS provided resource) and Customer Gateway device (physical or software)
• Tunnel – an encrypted link to allow data flow between AWS and on-premise site
  • Each VPN connection has two tunnels to allow high availability

 

Limitations

• Site-to-Site VPN only supports IPv4 traffic.

 

Pricing

• Billed for each hour the Site-to-Site VPN is available. To stop incurring charges, you have to terminate the VPN connection (from console, CLI, or API)
• Also billed for each GB (after the first GB) transferred out
• Enabling Global Acceleration will add the premium changes, in addition to above two basic fees

 

---

External Resources

• AWS VPN – https://aws.amazon.com/vpn/
• AWS VPN Pricing – https://aws.amazon.com/vpn/pricing/