• A VPN enables data transfer between two nodes across a shared or public network such as the internet.
  • It emulates the properties of a point-to-point private link.
  • It:
    • wraps data with routing information so it can traverse the public network
    • encrypts data for confidentiality, so it is indecipherable if intercepted.
  • It uses encryption keys.
  • The part of the VPN connection in which private data is encapsulated is called the tunnel.
  • The virtual private network (VPN) connection is the part of the connection in which private data is encrypted.
  • VPN uses the following protocols for security:
    • IPSec (Internet Protocol Security) was developed by the IETF. L2TP frequently runs over IPSec.
      • IPSec encrypts and encapsulates the IP packet inside an IPSec packet.
      • De-encapsulation happens at the end of the tunnel.
    • Transport Layer Security (SSL/TLS) can tunnel an entire network's traffic. Used in SSL VPN.
    • Secure Shell (SSH) VPN provides a few concurrent tunnels, and the VPN feature itself does not support personal authentication.
  • In AWS, site-to-site VPN is done using AWS VPN.
  • Client-to-site VPN uses third-party software on EC2 in a VPC.
  • IPSec and Encapsulating Security Protocol
    • IP protocol 50, and UDP port 500, are used for IPSec.
  • Benefits:
    • Data encryption in transit across the internet and Direct Connect
    • Used to encrypt Direct Connect traffic (use a Public VIF for VPN termination)
  • To keep the tunnel up, monitoring software should be used.
  • Routing hard limit: 50 static routes and 100 dynamic (BGP) routes.
  • A VPN connection consists of two tunnels (configured to a single customer router, for HA on the AWS end).
  • HA on the customer end requires two VPN connections (each provides two tunnels, for mesh HA).
  • AWS CloudWatch can monitor the VPN, but it cannot keep the IPSec tunnel open.
  • A monitoring tool is needed to keep the VPN tunnel up.
  • 128-bit AES is not supported by AWS VPN, but 4-byte ASNs are supported.
  • A maximum of 50 routes for IPv4 and 50 routes for IPv6 in a static VPN.
  • Dynamic VPN with BGP: 100 routes maximum.
  • To run VPN over DX (Direct Connect), you need a Public VIF to reach the VPN endpoints.
  • A highly available VPN can be achieved with:
    • multiple customer gateways
    • dynamic routing
  • You can't use the S3 endpoint with VPN; you can use a Public VIF + VPN.
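The tunnel-redundancy and route-limit points above (two tunnels per connection, CloudWatch reports state but does not keep the tunnel up, 50 static routes per address family and 100 BGP routes) are the kind of thing an operator checks from the `describe-vpn-connections` output. The following is an added example, not code from the original notes or from AWS: it parses a constructed JSON sample shaped like the `VpnConnections[].VgwTelemetry[]` response and reports which tunnels are down, whether the connection still has full redundancy, and how the route count compares with the limits quoted above. The connection ID, IP addresses, timestamps and route CIDRs in the sample are made up, and the way static versus BGP route counts are derived (configured `Routes` for static, `AcceptedRouteCount` for BGP) is an assumption of this example.

```python
import json
from typing import Any

# Limits quoted in the notes above.
STATIC_ROUTE_LIMIT = 50   # per address family (IPv4 / IPv6) for a static VPN
BGP_ROUTE_LIMIT = 100     # dynamic routes learned over BGP

# Constructed sample: same shape as `aws ec2 describe-vpn-connections` output,
# but every ID, address, timestamp and CIDR below is made up for this example.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "VpnConnections": [
        {
            "VpnConnectionId": "vpn-EXAMPLE00000000001",   # placeholder id
            "State": "available",
            "Options": {"StaticRoutesOnly": True},
            "Routes": [
                {"DestinationCidrBlock": "10.0.0.0/16", "State": "available"},
                {"DestinationCidrBlock": "10.1.0.0/16", "State": "available"},
                {"DestinationCidrBlock": "10.2.0.0/16", "State": "available"},
            ],
            "VgwTelemetry": [
                {"OutsideIpAddress": "203.0.113.10", "Status": "UP", "AcceptedRouteCount": 3,
                 "LastStatusChange": "2024-01-01T00:00:00+00:00", "StatusMessage": ""},
                {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN", "AcceptedRouteCount": 0,
                 "LastStatusChange": "2024-01-01T00:00:00+00:00", "StatusMessage": "IPSEC IS DOWN"},
            ],
        }
    ]
})


def _redundancy(up: int, total: int) -> str:
    """Both tunnels up = full, one up = degraded, none up = outage."""
    if total == 0 or up == 0:
        return "outage"
    return "full" if up == total else "degraded"


def assess_vpn_connections(describe_json: str) -> list[dict[str, Any]]:
    """Summarise tunnel health and route headroom for each VPN connection in the JSON."""
    data = json.loads(describe_json)
    findings = []
    for conn in data.get("VpnConnections", []):
        telemetry = conn.get("VgwTelemetry", [])
        down = [t["OutsideIpAddress"] for t in telemetry if t.get("Status") != "UP"]
        up_count = len(telemetry) - len(down)

        static_only = conn.get("Options", {}).get("StaticRoutesOnly", False)
        if static_only:
            # Static VPN: count configured destinations; the limit applies per address family.
            routes = conn.get("Routes", [])
            v4 = sum(1 for r in routes if ":" not in r.get("DestinationCidrBlock", ""))
            v6 = len(routes) - v4
            route_count, limit = max(v4, v6), STATIC_ROUTE_LIMIT
        else:
            # Dynamic VPN: use the routes accepted over BGP on the healthiest tunnel.
            route_count = max((t.get("AcceptedRouteCount", 0) for t in telemetry), default=0)
            limit = BGP_ROUTE_LIMIT

        findings.append({
            "vpn_connection_id": conn.get("VpnConnectionId"),
            "tunnels_up": up_count,
            "tunnels_total": len(telemetry),
            "redundancy": _redundancy(up_count, len(telemetry)),
            "down_tunnels": down,
            "route_mode": "static" if static_only else "bgp",
            "route_count": route_count,
            "route_limit": limit,
            "over_limit": route_count > limit,
        })
    return findings


if __name__ == "__main__":
    for f in assess_vpn_connections(SAMPLE_DESCRIBE_OUTPUT):
        print(f"{f['vpn_connection_id']}: {f['tunnels_up']}/{f['tunnels_total']} tunnels up "
              f"({f['redundancy']}), down={f['down_tunnels']}, "
              f"{f['route_mode']} routes {f['route_count']}/{f['route_limit']}")
```

Run against real output by piping `aws ec2 describe-vpn-connections` into `assess_vpn_connections`; a `degraded` result means one of the two tunnels is down and the connection has no redundancy left on the AWS end, which is exactly the condition the notes say CloudWatch will show you but not fix.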