2.3.1. AWS Site-to-Site VPN (IPsec VPN)
AWS Site-to-Site VPN provides a secure, encrypted connection over the public internet between your on-premises network and an Amazon VPC, enabling flexible and cost-effective hybrid cloud connectivity.
Scenario: A company needs to connect its on-premises data center to its AWS VPC to allow internal applications to access AWS resources securely. They want a flexible and cost-effective solution that leverages their existing internet connection.
AWS Site-to-Site VPN is a managed VPN connection that builds a pair of encrypted IPsec tunnels between your on-premises network (represented in AWS by a customer gateway resource and terminated on your customer gateway device) and your Amazon VPC (terminated on a virtual private gateway attached to that VPC, or on a transit gateway when several VPCs share the connection).
Key Features of AWS Site-to-Site VPN:
- Encrypted Tunnel: Uses IPsec (Internet Protocol Security) to encrypt traffic as it travels over the public internet, ensuring data confidentiality and integrity. The two ends authenticate each other with a pre-shared key, one per tunnel, which AWS generates unless you supply your own.
- Virtual Private Gateway (VPG): The AWS side of the VPN connection, attached to exactly one VPC. AWS documentation and resource IDs call it a VGW (vgw-...).
- Customer Gateway: The AWS resource that records your on-premises device's internet-routable public IP and its BGP ASN. The customer gateway device is the router or firewall itself, which must support IPsec (IKEv1 or IKEv2).
- Two Tunnels: Each VPN connection consists of two tunnels, each with its own AWS-side public IP, for high availability. Failover is only automatic if your device is configured with both tunnels: with BGP, routes move to the surviving tunnel on their own, while with static routing your device must detect the dead tunnel (via DPD) and switch by itself.
- Routing: Supports static routing (you add each on-premises CIDR to the VPN connection) and dynamic routing with Border Gateway Protocol (BGP), which exchanges routes automatically and is the better choice for clean failover.
- Use Cases: Securely connecting on-premises networks to AWS, disaster recovery (as a backup for Direct Connect), connecting smaller branch offices.
- Cost: Billed per hour for each VPN connection while it exists, plus data transfer out of AWS at the usual internet rates.
Practical Implementation: Creating a Site-to-Site VPN Connection
# Assumes VPC_ID and PRIVATE_ROUTE_TABLE_ID are already set; the gateway and
# connection IDs are captured from the create calls below.
# 1. Create a Customer Gateway (the AWS record of your on-premises device: its
#    internet-routable IP and its BGP ASN, which must differ from the
#    Amazon-side ASN, 64512 by default)
CUSTOMER_GATEWAY_ID=$(aws ec2 create-customer-gateway \
  --type ipsec.1 \
  --public-ip 203.0.113.1 \
  --bgp-asn 65000 \
  --query CustomerGateway.CustomerGatewayId --output text)
echo "Customer Gateway ID: $CUSTOMER_GATEWAY_ID"
# 2. Create a Virtual Private Gateway and attach it to your VPC
VPG_ID=$(aws ec2 create-vpn-gateway \
  --type ipsec.1 \
  --query VpnGateway.VpnGatewayId --output text)
echo "Virtual Private Gateway ID: $VPG_ID"
aws ec2 attach-vpn-gateway --vpc-id "$VPC_ID" --vpn-gateway-id "$VPG_ID"
# 3. Create the Site-to-Site VPN Connection (StaticRoutesOnly=false selects BGP;
#    a "TunnelOptions" list in the same JSON pins IKE/ESP algorithms, DH groups
#    and pre-shared keys instead of accepting the AWS defaults)
VPN_CONNECTION_ID=$(aws ec2 create-vpn-connection \
  --type ipsec.1 \
  --customer-gateway-id "$CUSTOMER_GATEWAY_ID" \
  --vpn-gateway-id "$VPG_ID" \
  --options '{"StaticRoutesOnly":false}' \
  --query VpnConnection.VpnConnectionId --output text)
echo "VPN Connection ID: $VPN_CONNECTION_ID"
# 4. Propagate BGP-learned routes into the VPC route table (dynamic routing).
#    With static routing you would instead add each on-premises CIDR with
#    `aws ec2 create-vpn-connection-route` and a static route to the VPG.
aws ec2 enable-vgw-route-propagation --route-table-id "$PRIVATE_ROUTE_TABLE_ID" --gateway-id "$VPG_ID"
# 5. Wait for the connection, then fetch the configuration your device must match.
#    The file contains both tunnels' pre-shared keys: treat it as a secret.
aws ec2 wait vpn-connection-available --vpn-connection-ids "$VPN_CONNECTION_ID"
aws ec2 describe-vpn-connections --vpn-connection-ids "$VPN_CONNECTION_ID" \
  --query 'VpnConnections[0].CustomerGatewayConfiguration' --output text > vpn-config.xml
⚠️ Common Pitfall: Misconfiguring the on-premises customer gateway device. The tunnel parameters (pre-shared keys, IKE version, encryption and integrity algorithms, DH groups, lifetimes, DPD settings, tunnel inside addresses) must exactly match the configuration AWS generates for the connection, which you download from the console or read from describe-vpn-connections. Two things to watch in that file: it contains the pre-shared keys, so store and share it as a secret, and AWS's default proposal set still accepts SHA-1 and DH group 2, so restrict the algorithms with TunnelOptions when you create the connection rather than hoping the device negotiates something stronger.
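The mismatch risk above is easier to manage if the parameters are read out of the configuration file rather than transcribed by hand. The following is an added example, not code from this page or from AWS: it parses a file in the shape of the generic (vendor-agnostic) CustomerGatewayConfiguration XML, extracts the per-tunnel values the device operator must match, redacts the pre-shared keys, and flags the SHA-1 and DH group 2 proposals that the AWS defaults still allow. The tag names and the two-tunnel sample document are assumptions constructed for the example (tunnel 1 carries the permissive defaults, tunnel 2 a restricted proposal set); check them against the file your own connection produced.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the generic CustomerGatewayConfiguration
# XML. Tag names follow that format as an assumption; every value is made up.
# Tunnel 1 carries AWS's permissive defaults, tunnel 2 a restricted proposal set.
SAMPLE_CONFIG = """<vpn_connection id="vpn-0123456789abcdef0">
  <ipsec_tunnel>
    <customer_gateway><tunnel_outside_address><ip_address>203.0.113.1</ip_address></tunnel_outside_address>
      <tunnel_inside_address><ip_address>169.254.10.2</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
      <bgp><asn>65000</asn></bgp></customer_gateway>
    <vpn_gateway><tunnel_outside_address><ip_address>198.51.100.10</ip_address></tunnel_outside_address>
      <tunnel_inside_address><ip_address>169.254.10.1</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
      <bgp><asn>64512</asn></bgp></vpn_gateway>
    <ike><authentication_protocol>sha1</authentication_protocol><encryption_protocol>aes-128-cbc</encryption_protocol>
      <lifetime>28800</lifetime><perfect_forward_secrecy>group2</perfect_forward_secrecy>
      <pre_shared_key>Example.PSK.Tunnel1.DoNotUse</pre_shared_key></ike>
    <ipsec><authentication_protocol>hmac-sha1-96</authentication_protocol><encryption_protocol>aes-128-cbc</encryption_protocol>
      <lifetime>3600</lifetime><perfect_forward_secrecy>group2</perfect_forward_secrecy>
      <dead_peer_detection><interval>10</interval><retries>3</retries></dead_peer_detection></ipsec>
  </ipsec_tunnel>
  <ipsec_tunnel>
    <customer_gateway><tunnel_outside_address><ip_address>203.0.113.1</ip_address></tunnel_outside_address>
      <tunnel_inside_address><ip_address>169.254.11.2</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
      <bgp><asn>65000</asn></bgp></customer_gateway>
    <vpn_gateway><tunnel_outside_address><ip_address>198.51.100.20</ip_address></tunnel_outside_address>
      <tunnel_inside_address><ip_address>169.254.11.1</ip_address><network_cidr>30</network_cidr></tunnel_inside_address>
      <bgp><asn>64512</asn></bgp></vpn_gateway>
    <ike><authentication_protocol>sha2-256</authentication_protocol><encryption_protocol>aes-256-cbc</encryption_protocol>
      <lifetime>28800</lifetime><perfect_forward_secrecy>group14</perfect_forward_secrecy>
      <pre_shared_key>Example.PSK.Tunnel2.DoNotUse</pre_shared_key></ike>
    <ipsec><authentication_protocol>hmac-sha2-256-128</authentication_protocol><encryption_protocol>aes-256-cbc</encryption_protocol>
      <lifetime>3600</lifetime><perfect_forward_secrecy>group14</perfect_forward_secrecy>
      <dead_peer_detection><interval>10</interval><retries>3</retries></dead_peer_detection></ipsec>
  </ipsec_tunnel>
</vpn_connection>
"""

# Policy: reject SHA-1 integrity and any DH/PFS group below 14 (2048-bit MODP).
# Both SHA-1 and the 1024-bit group 2 are still in AWS's default proposal set.
WEAK_INTEGRITY = {"sha1", "hmac-sha1-96"}
MIN_DH_GROUP = 14

FIELDS = {  # summary key -> element path below <ipsec_tunnel>
    "cgw_outside_ip": "customer_gateway/tunnel_outside_address/ip_address",
    "cgw_inside_ip": "customer_gateway/tunnel_inside_address/ip_address",
    "vgw_outside_ip": "vpn_gateway/tunnel_outside_address/ip_address",
    "vgw_inside_ip": "vpn_gateway/tunnel_inside_address/ip_address",
    "vgw_asn": "vpn_gateway/bgp/asn",
    "ike_auth": "ike/authentication_protocol",
    "ike_enc": "ike/encryption_protocol",
    "ike_dh": "ike/perfect_forward_secrecy",
    "psk": "ike/pre_shared_key",
    "esp_auth": "ipsec/authentication_protocol",
    "esp_enc": "ipsec/encryption_protocol",
    "esp_pfs": "ipsec/perfect_forward_secrecy",
    "dpd_interval": "ipsec/dead_peer_detection/interval",
}


def parse_tunnels(config_xml):
    """Return one dict per <ipsec_tunnel>, keyed as in FIELDS plus 'tunnel'."""
    root = ET.fromstring(config_xml)
    tunnels = []
    for n, node in enumerate(root.findall("ipsec_tunnel"), start=1):
        t = {"tunnel": n}
        for key, path in FIELDS.items():
            el = node.find(path)
            t[key] = (el.text or "").strip() if el is not None else ""
        tunnels.append(t)
    return tunnels


def _dh_number(group):
    """'group14' -> 14; an unknown spelling counts as 0 so it gets flagged."""
    digits = "".join(c for c in group if c.isdigit())
    return int(digits) if digits else 0


def audit_tunnel(t):
    """Policy findings for one tunnel; an empty list means it passes."""
    findings = []
    if t["ike_auth"].lower() in WEAK_INTEGRITY:
        findings.append("IKE integrity uses SHA-1")
    if t["esp_auth"].lower() in WEAK_INTEGRITY:
        findings.append("ESP integrity uses SHA-1")
    if _dh_number(t["ike_dh"]) < MIN_DH_GROUP:
        findings.append(f"IKE DH {t['ike_dh']} is below group {MIN_DH_GROUP}")
    if _dh_number(t["esp_pfs"]) < MIN_DH_GROUP:
        findings.append(f"ESP PFS {t['esp_pfs']} is below group {MIN_DH_GROUP}")
    return findings


def device_summary(t):
    """What the CGW operator needs, with the PSK replaced by its length only."""
    out = {k: v for k, v in t.items() if k != "psk"}
    out["psk_length"] = len(t["psk"])
    return out


def audit_config(config_xml):
    """Map tunnel number -> findings for a whole configuration file."""
    return {t["tunnel"]: audit_tunnel(t) for t in parse_tunnels(config_xml)}


if __name__ == "__main__":
    for t in parse_tunnels(SAMPLE_CONFIG):
        print(f"tunnel {t['tunnel']}: {device_summary(t)}")
        for f in audit_tunnel(t):
            print(f"  FAIL: {f}")
```

Run it against the file written by describe-vpn-connections by replacing SAMPLE_CONFIG with the file contents; a non-empty findings list for either tunnel means the connection was created with the default proposals and should be recreated (or modified with modify-vpn-tunnel-options) with restricted TunnelOptions before the device is configured.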
Key Trade-Offs:
- Cost vs. Performance: Site-to-Site VPN is generally more cost-effective than Direct Connect but relies on the public internet, leading to variable performance and higher latency; throughput is also capped at 1.25 Gbps per tunnel.
- Encryption vs. Private Circuit: Site-to-Site VPN encrypts everything in transit. Direct Connect is a dedicated circuit but is not encrypted by default, which is why running a VPN over Direct Connect is a common pattern when both properties are required.
Reflection Question: How does AWS Site-to-Site VPN, by providing a secure, encrypted connection over the public internet (using IPsec and redundant tunnels), fundamentally enable flexible and cost-effective hybrid cloud connectivity for businesses?