AWS, AWS Interview Question

How to setup VPN connection between two AWS VPC

VPC – Virtual Private Cloud . The core network component in AWS. It provide isolated network environment .Normally communication between two VPCs not enabled . We can enable communication through VPC peering, AWS supports peering connections for same region,different region, same account or different AWS account .

When we use VPC peering it use AWS backbone network . So it has huge bandwidth capacity and high availability . Communication between two VPC can operate normally and it can handle heavy traffic.

Some of the customers have a security requirement to meet the “Encryption in Transmission using IPSec or different method ” But , AWS does not encrypt your data during transmission between two different VPC in same region or different region.

So we have to use some technology or software to encrypt all your data before transmission , but this is not an easy solution . The other option is using VPN. It use public internet to transfer the data in encrypted channel using IPSec

Yes. It is possible . Same like On-prem to AWS we can make VPN connection between two VPC we can enable VPN connection. We have some option to enable this setup . Once VPN setup is enabled you can use your VPC subnet private IP address for communication. We can choose whichever is suitable for the scenario.

Keep in mind at any point VPN can not meet VPC peering performance.

Option 1 – Software VPN Appliance:

AWS Does not provide any inbuilt service to enable VPN connection between 2 different VPC. But we have lot of 3rd party market place produt to enable VPN setup in AWS .This is one of preferred solution because of reliability , standard , and support for enterprise level.

Software VPN appliance from Marketplace will run on EC2 instance which you can choose the size.

The advantage is These appliance will take care of all VPN part , of course you have to provide IP details , and which IP subnet you plane to share in VPN. It vary depends on each vendors.For High availability you have to plan with additional appliances.

Below are the few popular market place product.

Check Point,
Cisco,
Sophos,
OpenVPN Technologies,
Microsoft,
open source tools like OpenVPN,
Openswan

Keep in mind about pricing of subscription, support and validity.

Market place Link:
https://aws.amazon.com/marketplace/search/results/ref%3Dbrs_navgno_search_box?searchTerms=vpn

Option 2:Connecting Multiple VPCs with EC2 Instances (IPSec):

You can create a secure IPSec tunnel to connect multiple VPCs into a larger virtual private network that allows instances in each VPC to seamlessly connect to each other using private IP addresses.

VPN-Setup-with EC2 instance

Instead of using AWS Marketplace product , you can setup using opensource product on EC2. Ex with openswan.

You can install openswan on any Linux instance Ex Amazon Linux instance.You can configure yourself related network files and entries . The configuration steps you can get it from below link.

If you plan to setup with HA follow the architecture.

VPN Setup with HA

Refer the link for additional details .

https://aws.amazon.com/articles/connecting-multiple-vpcs-with-ec2-instances-ipsec/

Option 3: Software-to-AWS Managed VPN:

 You can create secure VPN tunnels between a software VPN appliance and a virtual private gateway to connect multiple VPCs .

Software-to-AWS Manged VPN

The advantage with this method is in one part when we use VPG no need to plan for HA, since AWS has already built . You can use same VPG to enable multiple connection with other VPCs, On-Prem or other cloud.

In the above example Region 1 use VPG and the Region 2 use internet gateway with VPN appliance.

There are some other options also available , not widely used for VPN options. Because not fully encrypted channel, and high latency and more number of resources involved .


AWS Managed VPN – with Remote DC and Customer Gateway
AWS Direct Connect – route VPC at Direct connect location
AWS Private Link – With AWS VPC endpoint and Network Loadbalancer

Thank you!

Tagged

Leave a Reply

Your email address will not be published. Required fields are marked *