📖 What is AWS Site-to-Site VPN?
AWS Site-to-Site VPN is a managed service that creates a secure, encrypted tunnel between an on-premises network and an AWS VPC over the public internet. It uses IPsec to ensure data confidentiality and integrity while providing a reliable connection for hybrid cloud architectures.
"Note that VPN is faster to deploy than Direct Connect, but Direct Connect provides more consistent bandwidth and lower latency for heavy workloads."
📚 Certification: AWS Certified Solutions Architect - Associate (SAA-C03)
🔑 What are the Key Concepts of AWS Site-to-Site VPN?
- Customer Gateway (CGW) represents the physical device or software application on your on-premises side that initiates the encrypted VPN connection.
- Virtual Private Gateway (VGW) or Transit Gateway acts as the AWS-side anchor, terminating the VPN connection and routing traffic into your VPC.
- IPsec (Internet Protocol Security) is used to encrypt the data tunnel, ensuring that traffic remains confidential and secure while traversing the public internet.
- Dynamic routing via Border Gateway Protocol (BGP) allows the VPN to automatically update routing tables, reducing manual overhead and improving failover efficiency.
- High availability is achieved by AWS providing two tunnels per connection; architects should configure both to ensure redundancy if one tunnel fails.
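The two-tunnel and BGP points above are the ones worth checking in a running account. The following is an added example, not code from the page or from AWS: it walks a `DescribeVpnConnections` response (the shape returned by boto3's `ec2.describe_vpn_connections()`) and flags connections that do not have both tunnels UP or that rely on static routes only. The response, VPN IDs and IP addresses are constructed for the example; no AWS call is made.

```python
# Added example: assess Site-to-Site VPN tunnel redundancy and routing mode
# from a DescribeVpnConnections-shaped response. Sample data is constructed.

REQUIRED_UP_TUNNELS = 2  # AWS provides two tunnels per connection

SAMPLE_RESPONSE = {  # constructed; mirrors the DescribeVpnConnections shape
    "VpnConnections": [
        {
            "VpnConnectionId": "vpn-0example01",
            "State": "available",
            "Options": {"StaticRoutesOnly": False},  # BGP in use
            "VgwTelemetry": [
                {"OutsideIpAddress": "203.0.113.10", "Status": "UP", "AcceptedRouteCount": 3},
                {"OutsideIpAddress": "203.0.113.11", "Status": "UP", "AcceptedRouteCount": 3},
            ],
        },
        {
            "VpnConnectionId": "vpn-0example02",
            "State": "available",
            "Options": {"StaticRoutesOnly": True},  # no BGP
            "VgwTelemetry": [
                {"OutsideIpAddress": "198.51.100.20", "Status": "UP", "AcceptedRouteCount": 0},
                {"OutsideIpAddress": "198.51.100.21", "Status": "DOWN", "AcceptedRouteCount": 0},
            ],
        },
    ]
}


def assess_vpn_connections(response):
    """Return {vpn_id: [findings]}; an empty list means the connection is healthy."""
    findings = {}
    for conn in response.get("VpnConnections", []):
        issues = []
        telemetry = conn.get("VgwTelemetry", [])
        up = [t for t in telemetry if t.get("Status") == "UP"]
        if len(up) < REQUIRED_UP_TUNNELS:
            down_ips = [t["OutsideIpAddress"] for t in telemetry if t.get("Status") != "UP"]
            issues.append(f"only {len(up)}/{len(telemetry)} tunnels UP (down: {down_ips})")
        if conn.get("Options", {}).get("StaticRoutesOnly"):
            issues.append("static routing only: no BGP, failover depends on manual routes")
        elif not any(t.get("AcceptedRouteCount", 0) > 0 for t in up):
            issues.append("BGP enabled but no routes accepted on any UP tunnel")
        findings[conn["VpnConnectionId"]] = issues
    return findings


if __name__ == "__main__":
    for vpn_id, issues in assess_vpn_connections(SAMPLE_RESPONSE).items():
        print(vpn_id, "OK" if not issues else "; ".join(issues))
```

Against a live account, replace `SAMPLE_RESPONSE` with the result of `boto3.client("ec2").describe_vpn_connections()`.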
🎯 How does AWS Site-to-Site VPN appear on the SAA-C03 Exam?
You may be asked to recommend a connectivity solution for a company that needs a secure, encrypted connection to AWS deployed immediately, making VPN the correct choice over Direct Connect.
A scenario might describe a requirement for a cost-effective backup connection for an existing Direct Connect circuit to ensure business continuity during a physical link failure, requiring a Site-to-Site VPN failover.
Expect questions where you must choose between a Virtual Private Gateway and a Transit Gateway based on whether the VPN connects to a single VPC or a complex hub-and-spoke network of multiple VPCs.
❓ Frequently Asked Questions
When should I use a Transit Gateway instead of a Virtual Private Gateway for my VPN?
Use a Virtual Private Gateway for simple, point-to-point connections between one VPC and one on-premises site. Use Transit Gateway when you need to scale, connecting multiple VPCs and multiple on-premises locations through a single central hub.
Does a Site-to-Site VPN provide guaranteed bandwidth and latency?
No. Because the traffic travels over the public internet, it is subject to congestion and jitter. If your application requires consistent throughput and predictable low latency, AWS Direct Connect is the appropriate architectural choice.