6.1.4. Hybrid Connectivity: Site-to-Site VPN and Client VPN
💡 First Principle: A VPC is an isolated network by design; it has no path to an on-premises data center until you build one. Hybrid connectivity bridges that gap with either encrypted IPsec tunnels over the internet (Site-to-Site VPN) or a dedicated physical circuit (Direct Connect). The choice is fundamentally a trade-off between cost, time to set up, and guaranteed bandwidth and latency.
Site-to-Site VPN:
| Component | Description |
|---|---|
| Customer Gateway (CGW) | The AWS-side record of your on-premises VPN device (firewall or router): its public IP address and, for dynamic routing, its BGP ASN |
| Virtual Private Gateway (VGW) | The AWS-side VPN endpoint, attached to one VPC |
| VPN Connection | Two IPsec tunnels between the CGW and the VGW, each with its own AWS public IP and pre-shared key; two tunnels for redundancy |
| Routing | Static routes (you configure prefixes) or BGP (dynamic route exchange) |
Each VPN connection has two tunnels that terminate on separate AWS endpoints (in different Availability Zones). AWS recommends configuring the on-premises device to use both tunnels: if one tunnel endpoint fails, traffic fails over to the other. Note what that covers and what it does not: it protects against failure on the AWS side, but a single on-premises device is still a single point of failure. For end-to-end redundancy, add a second customer gateway device with its own VPN connection.
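The components in the table above wired together in Terraform, as an added example that is not code from the original page. It assumes the AWS provider is configured, and every CIDR, the customer gateway address (an RFC 5737 documentation IP) and all resource names are placeholders. Beyond the basic wiring it pins both tunnels to a single IKEv2 cipher suite and sends tunnel logs to CloudWatch, which the text does not cover.

```hcl
# Added example (not code from the original page): a static-routed Site-to-Site
# VPN with both tunnels pinned to one modern IKEv2 suite and tunnel logs in
# CloudWatch. All CIDRs, the CGW address and names are placeholders.
resource "aws_vpc" "main" {
  cidr_block = "10.20.0.0/16"
}

# CGW: AWS's record of the on-premises device. 203.0.113.10 is an RFC 5737
# documentation address standing in for the device's real public IP.
resource "aws_customer_gateway" "onprem" {
  bgp_asn    = 65000 # required by the API even with static routing
  ip_address = "203.0.113.10"
  type       = "ipsec.1"
}

# VGW: the AWS-side endpoint, attached to the VPC.
resource "aws_vpn_gateway" "vgw" {
  vpc_id = aws_vpc.main.id
}

resource "aws_cloudwatch_log_group" "vpn" {
  name              = "/vpn/onprem"
  retention_in_days = 90
}

# Unpinned, AWS will negotiate anything it supports, which still includes
# AES128, SHA1 and DH group 2. Pin both tunnels to one suite the on-premises
# device supports; a proposal outside this list fails IKE rather than downgrading.
locals {
  ike   = ["ikev2"]
  enc   = ["AES256-GCM-16"]
  integ = ["SHA2-384"]
  dh    = [20]
}

resource "aws_vpn_connection" "onprem" {
  vpn_gateway_id      = aws_vpn_gateway.vgw.id
  customer_gateway_id = aws_customer_gateway.onprem.id
  type                = "ipsec.1"
  static_routes_only  = true

  tunnel1_ike_versions                 = local.ike
  tunnel1_phase1_encryption_algorithms = local.enc
  tunnel1_phase1_integrity_algorithms  = local.integ
  tunnel1_phase1_dh_group_numbers      = local.dh
  tunnel1_phase2_encryption_algorithms = local.enc
  tunnel1_phase2_integrity_algorithms  = local.integ
  tunnel1_phase2_dh_group_numbers      = local.dh
  tunnel1_dpd_timeout_action           = "restart" # re-establish IKE on dead peer, don't just clear
  tunnel1_log_options {
    cloudwatch_log_options {
      log_enabled       = true
      log_group_arn     = aws_cloudwatch_log_group.vpn.arn
      log_output_format = "json"
    }
  }

  tunnel2_ike_versions                 = local.ike
  tunnel2_phase1_encryption_algorithms = local.enc
  tunnel2_phase1_integrity_algorithms  = local.integ
  tunnel2_phase1_dh_group_numbers      = local.dh
  tunnel2_phase2_encryption_algorithms = local.enc
  tunnel2_phase2_integrity_algorithms  = local.integ
  tunnel2_phase2_dh_group_numbers      = local.dh
  tunnel2_dpd_timeout_action           = "restart"
  tunnel2_log_options {
    cloudwatch_log_options {
      log_enabled       = true
      log_group_arn     = aws_cloudwatch_log_group.vpn.arn
      log_output_format = "json"
    }
  }
}

# Static route: the on-premises prefix reachable through the tunnels.
resource "aws_vpn_connection_route" "corp" {
  destination_cidr_block = "10.0.0.0/16"
  vpn_connection_id      = aws_vpn_connection.onprem.id
}

# Let the VGW push that route into the VPC's main route table.
resource "aws_vpn_gateway_route_propagation" "main" {
  vpn_gateway_id = aws_vpn_gateway.vgw.id
  route_table_id = aws_vpc.main.main_route_table_id
}
```

After apply, the on-premises device is configured from the connection's exported attributes: `tunnel1_address`/`tunnel2_address` for the two AWS endpoints and `tunnel1_preshared_key`/`tunnel2_preshared_key` (sensitive) for IKE. Treat the PSKs like any other secret: read them from state into a secrets store rather than exposing them through an `output`. For redundancy on the on-premises side, repeat the `aws_customer_gateway` and `aws_vpn_connection` resources for a second device.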
Transit Gateway VPN: For architectures with many VPCs, attach all VPCs and VPN connections to a Transit Gateway instead of attaching VPN connections directly to individual VGWs. This hub-and-spoke model dramatically simplifies routing.
AWS Client VPN: A managed client-to-site VPN service for individual users (remote workers) to access AWS resources and, through the VPC, anything the VPC can reach. A Client VPN endpoint is associated with one or more VPC subnets (its network interfaces are created there), presents a TLS server certificate held in ACM, and accepts the AWS-provided client or any OpenVPN-based client.
| Authentication Method | Use Case |
|---|---|
| Mutual certificate | Mutual TLS: each client presents a certificate issued by a CA whose chain you upload to ACM; no user directory needed, but revocation is your job (upload a CRL to the endpoint) |
| Active Directory | Username/password against AWS Directory Service (AWS Managed Microsoft AD or AD Connector), optionally with MFA |
| SAML IdP | SAML 2.0 single sign-on with an external identity provider; group attributes can scope authorization rules |
Split Tunnel vs. Full Tunnel:
- Split tunnel: Only traffic for destinations in the endpoint's route table (the VPC CIDR plus any routes you add) goes through the VPN; everything else uses the client's local connection. Reduces load on the VPN endpoint, but internet-bound traffic bypasses corporate inspection.
- Full tunnel: All client traffic routes through the VPN. Useful for compliance (all traffic passes through corporate security inspection) but increases endpoint load, and it needs a 0.0.0.0/0 route on the endpoint plus a NAT path in the associated subnet for internet-bound traffic.
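A Client VPN endpoint with mutual-TLS authentication, connection logging, and a single variable that switches between split and full tunnel, as an added Terraform example that is not code from the original page. The ACM certificate ARNs (`server_cert_arn`, `client_ca_arn`), the VPC, the subnet and all CIDRs are placeholders, and the AWS provider is assumed to be configured.

```hcl
# Added example (not code from the original page). Certificate ARNs, VPC,
# subnet and CIDRs are placeholders.
variable "full_tunnel" {
  type    = bool
  default = false # false = split tunnel
}

# Server cert and the client CA chain, both already imported into ACM.
variable "server_cert_arn" { type = string }
variable "client_ca_arn" { type = string }

resource "aws_vpc" "main" {
  cidr_block = "10.20.0.0/16"
}

resource "aws_subnet" "vpn" {
  vpc_id     = aws_vpc.main.id
  cidr_block = "10.20.1.0/24"
}

# Connection logs record who connected, from where, and how much moved.
resource "aws_cloudwatch_log_group" "cvpn" {
  name              = "/clientvpn/remote-workers"
  retention_in_days = 90
}

resource "aws_cloudwatch_log_stream" "cvpn" {
  name           = "connections"
  log_group_name = aws_cloudwatch_log_group.cvpn.name
}

# Applied to the endpoint's ENIs: what VPN clients may reach inside the VPC.
resource "aws_security_group" "cvpn" {
  vpc_id = aws_vpc.main.id
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = [aws_vpc.main.cidr_block]
  }
}

resource "aws_ec2_client_vpn_endpoint" "remote" {
  description            = "remote-workers"
  server_certificate_arn = var.server_cert_arn
  client_cidr_block      = "172.16.0.0/22" # /22 is the smallest allowed; must not overlap the VPC
  split_tunnel           = !var.full_tunnel
  vpc_id                 = aws_vpc.main.id
  security_group_ids     = [aws_security_group.cvpn.id]
  transport_protocol     = "udp"
  session_timeout_hours  = 8

  authentication_options {
    type                       = "certificate-authentication"
    root_certificate_chain_arn = var.client_ca_arn
  }

  connection_log_options {
    enabled               = true
    cloudwatch_log_group  = aws_cloudwatch_log_group.cvpn.name
    cloudwatch_log_stream = aws_cloudwatch_log_stream.cvpn.name
  }
}

# Associating a subnet creates the endpoint's ENIs there and, in split-tunnel
# mode, pushes the VPC CIDR route to clients.
resource "aws_ec2_client_vpn_network_association" "vpn" {
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.remote.id
  subnet_id              = aws_subnet.vpn.id
}

# Authorization rules are deny-by-default: nothing is reachable until allowed.
resource "aws_ec2_client_vpn_authorization_rule" "vpc" {
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.remote.id
  target_network_cidr    = aws_vpc.main.cidr_block
  authorize_all_groups   = true # with AD/SAML auth, use access_group_id to scope per group
}

# Full tunnel only: a default route via the associated subnet plus a rule
# permitting it. That subnet's route table needs a NAT Gateway for 0.0.0.0/0.
resource "aws_ec2_client_vpn_route" "default" {
  count                  = var.full_tunnel ? 1 : 0
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.remote.id
  destination_cidr_block = "0.0.0.0/0"
  target_vpc_subnet_id   = aws_subnet.vpn.id
  depends_on             = [aws_ec2_client_vpn_network_association.vpn]
}

resource "aws_ec2_client_vpn_authorization_rule" "internet" {
  count                  = var.full_tunnel ? 1 : 0
  client_vpn_endpoint_id = aws_ec2_client_vpn_endpoint.remote.id
  target_network_cidr    = "0.0.0.0/0"
  authorize_all_groups   = true
}
```

Two design points worth noticing: the endpoint's security group and its authorization rules are separate controls and both must permit a destination, so scoping either one is a cheap way to limit what a compromised laptop can reach; and `authorize_all_groups = true` is only acceptable with certificate auth, where there are no groups. With AD or SAML, one rule per `access_group_id` gives least privilege per team.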
Transit Gateway Attachments:
Each Transit Gateway attachment (VPC, VPN, Direct Connect gateway, or peering) is associated with exactly one Transit Gateway route table, and a route table contains only the routes propagated into it or added statically. That lets you isolate production from development (neither table holds a route to the other) while both share the same on-premises VPN connection.
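The hub-and-spoke layout described here and under "Transit Gateway VPN" above, as an added Terraform example that is not code from the original page: one Transit Gateway, a prod VPC, a dev VPC and a BGP Site-to-Site VPN, with three route tables so both VPCs reach on-premises and neither learns a route to the other. ASNs, CIDRs, the customer gateway address (an RFC 5737 documentation IP) and all names are placeholders, and the AWS provider is assumed to be configured. It generalizes the text's two-environment case with a `for_each` over a map of spokes.

```hcl
# Added example (not code from the original page). ASNs, CIDRs and the CGW
# address are placeholders.
locals {
  spokes = { prod = "10.10.0.0/16", dev = "10.20.0.0/16" }
}

resource "aws_ec2_transit_gateway" "hub" {
  amazon_side_asn                 = 64512
  default_route_table_association = "disable" # no implicit any-to-any table
  default_route_table_propagation = "disable"
}

resource "aws_vpc" "spoke" {
  for_each   = local.spokes
  cidr_block = each.value
}

resource "aws_subnet" "spoke" {
  for_each   = local.spokes
  vpc_id     = aws_vpc.spoke[each.key].id
  cidr_block = cidrsubnet(each.value, 8, 0) # first /24 of the VPC
}

resource "aws_ec2_transit_gateway_vpc_attachment" "spoke" {
  for_each           = local.spokes
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  vpc_id             = aws_vpc.spoke[each.key].id
  subnet_ids         = [aws_subnet.spoke[each.key].id]
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
}

resource "aws_customer_gateway" "onprem" {
  bgp_asn    = 65000
  ip_address = "203.0.113.10" # RFC 5737 placeholder for the real device IP
  type       = "ipsec.1"
}

# The VPN attaches to the TGW, not to a per-VPC VGW. BGP so on-premises
# prefixes propagate into TGW route tables instead of being typed by hand.
resource "aws_vpn_connection" "onprem" {
  transit_gateway_id  = aws_ec2_transit_gateway.hub.id
  customer_gateway_id = aws_customer_gateway.onprem.id
  type                = "ipsec.1"
  static_routes_only  = false
}

# One route table per spoke, plus one for the on-premises side.
resource "aws_ec2_transit_gateway_route_table" "spoke" {
  for_each           = local.spokes
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}

resource "aws_ec2_transit_gateway_route_table" "onprem" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}

# Association: the table consulted for traffic entering from an attachment.
resource "aws_ec2_transit_gateway_route_table_association" "spoke" {
  for_each                       = local.spokes
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.spoke[each.key].id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spoke[each.key].id
}

resource "aws_ec2_transit_gateway_route_table_association" "vpn" {
  transit_gateway_attachment_id  = aws_vpn_connection.onprem.transit_gateway_attachment_id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.onprem.id
}

# Propagation: whose prefixes a table learns. Spokes learn only the VPN's;
# the on-prem table learns every spoke. No spoke-to-spoke entry ever exists.
resource "aws_ec2_transit_gateway_route_table_propagation" "vpn_to_spoke" {
  for_each                       = local.spokes
  transit_gateway_attachment_id  = aws_vpn_connection.onprem.transit_gateway_attachment_id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spoke[each.key].id
}

resource "aws_ec2_transit_gateway_route_table_propagation" "spoke_to_onprem" {
  for_each                       = local.spokes
  transit_gateway_attachment_id  = aws_ec2_transit_gateway_vpc_attachment.spoke[each.key].id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.onprem.id
}

# Defence in depth: blackhole the other spoke's CIDR in each spoke table, so a
# broad prefix advertised from on-premises (say 10.0.0.0/8) cannot become a
# hairpin path between prod and dev through the on-premises router.
resource "aws_ec2_transit_gateway_route" "blackhole_peer" {
  for_each                       = local.spokes
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spoke[each.key].id
  destination_cidr_block         = [for k, v in local.spokes : v if k != each.key][0]
  blackhole                      = true
}

# Each VPC still needs a route toward the TGW for on-premises address space.
resource "aws_route" "to_tgw" {
  for_each               = local.spokes
  route_table_id         = aws_vpc.spoke[each.key].main_route_table_id
  destination_cidr_block = "10.0.0.0/8"
  transit_gateway_id     = aws_ec2_transit_gateway.hub.id
  depends_on             = [aws_ec2_transit_gateway_vpc_attachment.spoke]
}
```

Adding a sixteenth VPC is one more entry in `local.spokes`; nothing about the VPN changes. The isolation rests on what is absent (no propagation between spoke tables) plus the explicit blackhole, so review both whenever someone proposes a new propagation or a static route in a spoke table.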
⚠️ Exam Trap: A Site-to-Site VPN connection goes over the public internet: the tunnel is encrypted, but the underlying path is public, so bandwidth and latency are best-effort (and each tunnel is capped at 1.25 Gbps). For guaranteed bandwidth and consistent latency you need AWS Direct Connect, a dedicated physical circuit from your data center to an AWS Direct Connect location. VPN is cheaper and faster to set up; Direct Connect is more reliable and consistent. When the exam says "consistent, guaranteed throughput" or "dedicated circuit," the answer is Direct Connect, not VPN. Security caveat: Direct Connect is private but not encrypted by itself; for encryption, use MACsec on supported dedicated connections or run a Site-to-Site VPN over the Direct Connect link.
Reflection Question: A company has five VPCs and an on-premises data center. Currently each VPC has its own Site-to-Site VPN connection to on-premises (5 VPN connections total). They're adding 10 more VPCs. What architectural change simplifies connectivity management, and what is the AWS service that enables it?