Everything you need to know about AWS VPN is covered in this blog:
- What is VPN?
- Overview of AWS VPN
- Components
- Types
- AWS Client VPN
- AWS Site-to-Site VPN
- VPN Cloud Hub
- FAQs
What is Virtual Private Network?
VPN (Virtual Private Network) refers to the ability to establish a secure network connection over a public network. A VPN masks your online identity and encrypts your internet traffic in real time, which makes it harder for outside parties to monitor your activity and steal data.
What is AWS VPN?
AWS Virtual Private Network (VPN) solutions securely connect your on-premises networks, remote offices, client devices, and the AWS global network. Two services make up this offering: AWS Client VPN and AWS Site-to-Site VPN. Each is a managed, scalable, and highly available cloud VPN solution that secures your network traffic.
Components of AWS VPN
- Virtual Private Gateway – VGW: the VPN concentrator on the AWS side of the VPN connection.
- Customer Gateway – CGW: a physical device or software application located on the customer side of the VPN connection.
Types of AWS VPN
AWS VPN provides two private connectivity options with the high availability and strong security your data needs:
AWS Client VPN:
AWS Client VPN is a fully managed remote access VPN solution that lets your remote employees securely access resources on AWS as well as on your on-premises network. It is fully elastic, so it automatically scales up or down with demand. Your users can access your applications in the same way before, during, and after the migration to AWS.
AWS Client VPN supports the OpenVPN protocol, including the software client.
How it works
Use Cases:
- Quickly scale remote access: Many of your employees may have to work remotely at short notice due to unforeseen circumstances, and the resulting increase in VPN connections and traffic can hurt performance or availability for your users.
- Access applications during migration: Users can securely access applications both on-premises and on AWS thanks to AWS Client VPN. This is useful when moving apps from on-premises sites to the cloud during a cloud migration.
- Integrate with your authentication and MDM systems: When using the AWS-provided OpenVPN client software, AWS Client VPN supports authentication against Microsoft Active Directory through AWS Directory Services, certificate-based authentication, and federated authentication using SAML 2.0.
- Securely connect IoT devices: Use certificate-based authentication to establish secure connections between IoT devices and Amazon Virtual Private Cloud (VPC) resources.
Features:
- Authentication: Authentication uses either Active Directory or certificates. It works with AWS Directory Services, which links to your existing on-premises Active Directory, so you do not have to duplicate data from your existing Active Directory to the cloud.
- Authorization: It offers network-based authorization, allowing you to create access control rules based on Active Directory groups that restrict access to particular networks.
- Secure connectivity: It encrypts traffic using the secure TLS VPN tunnel protocol. Each Client VPN endpoint terminates a separate VPN tunnel that gives users access to both on-premises and AWS services.
- Connection management: AWS Client VPN connection logs can be published to Amazon CloudWatch Logs, where you can store, monitor, and retrieve them.
- Compatibility with your employees’ devices: Employees can connect to your network from whatever device they prefer, including Windows, Mac, iOS, Android, and Linux-based devices, thanks to its selection of OpenVPN-based clients.
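An added Python example (not from the original post) of the connection-management point above: it runs over constructed Client VPN connection-log entries as CloudWatch Logs would hold them, counts failed connection attempts per user, flags users at or above a threshold together with the reasons seen, and totals bytes per finished connection. The field names are assumed from the documented log format and the failure-reason values are made up.

```python
import json
from collections import Counter, defaultdict

# Constructed sample events in the shape of AWS Client VPN connection logs as
# delivered to CloudWatch Logs (one JSON object per line). Field names follow
# the documented log format as I recall it and the failure-reason strings are
# made up; verify both against an entry from your own log group.
EVENTS = [
    {"connection-log-type": "connection-attempt", "connection-attempt-status": "successful",
     "username": "alice", "connection-id": "cvpn-connection-0001"},
    {"connection-log-type": "connection-reset", "connection-id": "cvpn-connection-0001",
     "username": "alice", "ingress-bytes": "1536", "egress-bytes": "40960"},
    {"connection-log-type": "connection-attempt", "connection-attempt-status": "failed",
     "username": "bob", "connection-attempt-failure-reason": "bad-certificate"},
    {"connection-log-type": "connection-attempt", "connection-attempt-status": "failed",
     "username": "bob", "connection-attempt-failure-reason": "bad-certificate"},
    {"connection-log-type": "connection-attempt", "connection-attempt-status": "failed",
     "username": "bob", "connection-attempt-failure-reason": "group-not-authorized"},
]
SAMPLE_LINES = [json.dumps(e) for e in EVENTS] + ["not a JSON line"]

FAILURE_THRESHOLD = 3  # failed attempts per user before the user is flagged


def summarize(lines, threshold=FAILURE_THRESHOLD):
    """Return failed attempts per user, users at or over the threshold with the
    distinct reasons seen, and bytes moved per completed (reset) connection."""
    failures = Counter()
    reasons = defaultdict(set)
    bytes_per_conn = {}
    for line in lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the batch
        kind = ev.get("connection-log-type")
        user = ev.get("username") or ev.get("common-name") or "<unknown>"
        if kind == "connection-attempt" and ev.get("connection-attempt-status") == "failed":
            failures[user] += 1
            reasons[user].add(ev.get("connection-attempt-failure-reason", "unspecified"))
        elif kind == "connection-reset":
            # Reset records carry the byte counters for the finished session
            total = int(ev.get("ingress-bytes", 0)) + int(ev.get("egress-bytes", 0))
            bytes_per_conn[ev.get("connection-id")] = total
    flagged = {u: sorted(reasons[u]) for u, n in failures.items() if n >= threshold}
    return {"failures": dict(failures), "flagged": flagged, "bytes": bytes_per_conn}


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LINES), indent=2))
```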
Pricing
In AWS Client VPN you are billed per hour for each active client connection and per hour for each subnet associated with the Client VPN endpoint.
AWS Site-to-Site VPN:
AWS Site-to-Site VPN is a fully managed service that uses IP Security (IPsec) tunnels to establish a secure link between your data centre or branch office and your AWS resources. You can connect to both your Amazon Virtual Private Clouds (VPCs) and AWS Transit Gateway, and each connection uses two tunnels for redundancy.
The Accelerated Site-to-Site VPN option, which works with AWS Global Accelerator to dynamically route your traffic to the closest AWS network endpoint with the best speed, offers even better performance for internationally distributed applications.
How it works
Use Cases:
- Application Migration: A Site-to-Site VPN connection between your network and the AWS cloud makes moving applications to the cloud easier. You can host Amazon VPCs behind your corporate firewall and migrate your IT resources without disrupting your users’ access to these applications.
- Secure communication between remote locations: AWS Site-to-Site VPN connections can be used to securely communicate between remote sites.
Features:
- Secure connectivity: It employs OpenVPN, which negotiates data channel parameters over a TLS-encrypted control channel.
- High availability: With AWS Direct Connect, you can create failover and CloudHub solutions. CloudHub allows your remote sites to communicate with one another as well as with the VPC.
- Customization: It provides tunnel customization options such as inside tunnel IP address, pre-shared key, and Border Gateway Protocol Autonomous System Number (BGP ASN).
- Network Address Translation (NAT) Traversal: It supports NAT traversal, allowing you to use private IP addresses behind routers on private networks with a single public IP address facing the internet.
- Private IP VPN: Private IP VPN enables the use of private IP addresses to deploy site-to-site VPN connections over Direct Connect (DX).
- Monitoring: It can send metrics to CloudWatch to improve visibility and monitoring. CloudWatch also lets you send your own custom metrics and add data points in any order and rate you want.
Pricing
You are charged for each VPN connection hour that your VPN connection is provisioned and available if you create an AWS Site-to-Site VPN connection to your Amazon VPC. Each hour of partial VPN connection consumption is billed as a full hour. All data transferred via the VPN connection is also subject to standard AWS data transfer charges.
VPN CloudHub
If you have multiple VPN connections, VPN CloudHub can be used to provide secure communication between multiple on-premises sites. It uses a virtual private gateway in detached mode (usable without a VPC) and operates on a simple hub-and-spoke model.
Figure: VPN CloudHub architecture, in which blue dashed lines indicate network traffic being routed between remote sites via VPN connections.
CloudHub requires a virtual private gateway with multiple customer gateways.
To configure the CloudHub:
- Create multiple customer gateways, each with its own unique public IP address and ASN.
- Establish a VPN connection between each customer gateway and a shared virtual private gateway.
- Make sure every VPN connection advertises its own BGP routes. This is done with network statements in the VPN configuration files for the VPN connection.
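The three steps above, as an added Python example (not from the original post): it checks a constructed site inventory against the unique public IP and ASN requirement and for overlapping site prefixes, then emits the AWS CLI commands that create each customer gateway and its VPN connection to one shared virtual private gateway (vgw-PLACEHOLDER stands in for a real gateway id). The BGP network statements for the third step belong on each site's gateway device and are not generated here.

```python
import ipaddress

# Constructed site inventory; the virtual private gateway id is a placeholder,
# not a real resource.
VGW_ID = "vgw-PLACEHOLDER"
SITES = [
    {"name": "london", "public_ip": "203.0.113.10", "asn": 65001, "cidrs": ["10.10.0.0/16"]},
    {"name": "berlin", "public_ip": "203.0.113.20", "asn": 65002, "cidrs": ["10.20.0.0/16"]},
]


def validate_sites(sites):
    """List problems that break hub-and-spoke routing before anything is created:
    a public IP or ASN reused by two customer gateways, or site prefixes that
    overlap (the hub cannot tell overlapping spokes apart when it routes)."""
    problems, seen_ip, seen_asn, nets = [], {}, {}, []
    for s in sites:
        if s["public_ip"] in seen_ip:
            problems.append(f"{s['name']}: public IP {s['public_ip']} reused from {seen_ip[s['public_ip']]}")
        seen_ip.setdefault(s["public_ip"], s["name"])
        if s["asn"] in seen_asn:
            problems.append(f"{s['name']}: ASN {s['asn']} reused from {seen_asn[s['asn']]}")
        seen_asn.setdefault(s["asn"], s["name"])
        for cidr in s["cidrs"]:
            net = ipaddress.ip_network(cidr, strict=True)  # rejects prefixes with host bits set
            for other_name, other in nets:
                if other_name != s["name"] and net.overlaps(other):
                    problems.append(f"{s['name']}: {net} overlaps {other} advertised by {other_name}")
            nets.append((s["name"], net))
    return problems


def cli_commands(sites, vgw_id):
    """Emit the AWS CLI commands that create one customer gateway and one VPN
    connection per site, all terminating on the shared virtual private gateway."""
    cmds = []
    for s in sites:
        var = f"CGW_{s['name'].upper()}"  # shell variable holding the new cgw-... id
        cmds.append(f"{var}=$(aws ec2 create-customer-gateway --type ipsec.1 "
                    f"--public-ip {s['public_ip']} --bgp-asn {s['asn']} "
                    "--query CustomerGateway.CustomerGatewayId --output text)")
        cmds.append(f"aws ec2 create-vpn-connection --type ipsec.1 "
                    f"--customer-gateway-id ${var} --vpn-gateway-id {vgw_id}")
    return cmds


if __name__ == "__main__":
    issues = validate_sites(SITES)
    if issues:
        raise SystemExit("\n".join(issues))
    print("\n".join(cli_commands(SITES, VGW_ID)))
```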
Frequently Asked Questions (FAQs)
Q1: What defines billable VPN connection hours?
Ans: VPN connection hours are charged for any time your VPN connections are “available.” The AWS Management Console, CLI, or API can be used to determine the status of a VPN connection. If you no longer want to use your VPN connection, simply disconnect to avoid being charged for additional VPN connection hours.
Q2: What is a target network?
Ans: A target network is a network that you associate with the Client VPN endpoint to provide secure access to AWS resources as well as on-premises resources. The target network is currently a subnet in your Amazon VPC.