Setting up site-to-site VPN on AWS — Part 1

Sekar · 3 min read · Aug 26, 2019

--

This post is part 1 of a two-part series on site-to-site VPN on AWS. It covers why a VPN is needed, what a site-to-site VPN is, and how it works. Part 2 shows how to set one up on AWS. If you already know the basics of VPNs, skip ahead to part 2.

Consider a global organization with many office locations. For those offices to communicate, there has to be network connectivity between them, and there are a few ways to build it.

Insecure Network Connectivity

One option is to run a dedicated physical line between the offices. That works, but a dedicated line between every pair of sites carries a large cost and maintenance burden, which makes it impractical at scale. The other option is to use the public internet through an ISP (Internet Service Provider). The problem is that traffic sent over the internet is not secure by default: anyone with access to a hop on the path (your ISP, a transit provider, a compromised router) can read the packets, and can modify them as well. The classic example is an eavesdropping attack, where an attacker passively captures traffic on the network to steal the information in it.

Because it is cheap and reaches everywhere, the internet is the practical choice for connectivity. We then have to build secure communication on top of a network we do not trust, and that is exactly what a VPN provides.

A VPN (Virtual Private Network) creates a secure communication channel between networks over an untrusted one. There are two common types: client (remote access) VPN and site-to-site VPN.

A client access VPN lets an individual remote user connect securely to a private network. A site-to-site VPN connects two entire networks to each other, so every host on one side can reach the other side without running any VPN software itself. This post focuses only on site-to-site VPN.

In a site-to-site VPN, all traffic between the two sites passes through a VPN gateway at each end. On AWS, the gateway on the cloud side is the Virtual Private Gateway (vgw) attached to your VPC; the device at your own site is registered in AWS as a Customer Gateway. The gateway's job is to take outbound traffic destined for the other site, encrypt it, encapsulate it in a new packet addressed to the peer gateway, and send that across the internet. The peer gateway at the destination site verifies and decrypts the inbound traffic and forwards the original packets to the destination host inside its private network. Traffic that is not destined for the other site is not tunnelled and goes out as ordinary internet traffic.

Encrypted VPN Tunnel

A VPN gateway can be a router with VPN functionality built in, a dedicated VPN appliance, or a software VPN gateway. Several protocols are used to build VPN tunnels:

  1. OpenVPN — an open-source VPN protocol built on TLS using OpenSSL. It is mostly used for client (remote access) VPNs.
  2. IPsec — Internet Protocol Security. It works at layer 3 of the OSI model and authenticates and encrypts IP packets. In tunnel mode, the mode used between site gateways, the entire original IP packet (headers included) is encrypted and wrapped in a new outer packet addressed from one gateway to the other.
  3. PPTP — Point-to-Point Tunneling Protocol is an older VPN protocol that was widely used in the dial-up era. Its MS-CHAPv2 authentication has well-known weaknesses, and it should not be used for anything that needs to stay private.

For our setup we will use IPsec, which is what the managed AWS Site-to-Site VPN service speaks (with IKEv1 or IKEv2 for key negotiation).
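To make the gateway behaviour concrete (encrypt and encapsulate outbound traffic for the peer site, verify and decrypt inbound tunnel traffic, forward it to the LAN, and leave other traffic alone) and to show what "the entire IP packet is protected" means in tunnel mode, here is an added example. It is not code from the original post or from AWS, and it is a toy model rather than real IPsec: a standard-library HMAC-SHA256 counter-mode keystream stands in for AES-GCM, the keys are fixed constants where real gateways would negotiate them with IKE, and every address, SPI and packet in it is constructed for the example. What it does keep is the ESP structure: an SPI, a sequence number, the encrypted inner packet, an integrity check value, and an anti-replay check.

```python
# Toy IPsec tunnel-mode model (added example; stdlib only, NOT real IPsec).
# An HMAC-SHA256 counter-mode keystream stands in for AES-GCM, and the keys
# are fixed constants where a real gateway would derive them via IKE.
import hashlib
import hmac
import ipaddress
import struct

# Constructed addressing (public side uses RFC 5737 documentation ranges).
SITE_A_LAN = ipaddress.ip_network("10.1.0.0/16")   # hypothetical office LAN
SITE_B_LAN = ipaddress.ip_network("10.2.0.0/16")   # hypothetical AWS VPC CIDR
GW_A_PUBLIC = "203.0.113.10"    # hypothetical on-premises customer gateway
GW_B_PUBLIC = "198.51.100.20"   # hypothetical AWS virtual private gateway
HDR = struct.Struct(">II")      # ESP-style header: SPI, sequence number
ICV_LEN = 16                    # truncated MAC, like ESP's 128-bit ICV

def build_inner_packet(src: str, dst: str, payload: bytes) -> bytes:
    """Stand-in for a private IP packet: 'src>dst|' header plus payload."""
    return f"{src}>{dst}|".encode() + payload

def parse_inner_packet(pkt: bytes):
    header, payload = pkt.split(b"|", 1)
    src, dst = header.decode().split(">")
    return src, dst, payload

def keystream(key: bytes, spi: int, seq: int, n: int) -> bytes:
    """Counter-mode keystream; (spi, seq) is the nonce and must never repeat."""
    return b"".join(hmac.new(key, HDR.pack(spi, seq) + struct.pack(">I", i),
                             hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Gateway:
    """One site's VPN gateway: tunnels traffic bound for the peer site and
    verifies, decrypts and forwards tunnel traffic arriving from the peer."""

    def __init__(self, public_ip, local_lan, peer_lan, peer_public_ip,
                 spi_out, spi_in, enc_key, mac_key):
        self.public_ip, self.peer_public_ip = public_ip, peer_public_ip
        self.local_lan, self.peer_lan = local_lan, peer_lan
        self.spi_out, self.spi_in = spi_out, spi_in
        self.enc_key, self.mac_key = enc_key, mac_key
        self.seq_out, self.highest_seq_in = 0, 0   # anti-replay state

    def route(self, inner: bytes):
        """Outbound decision: ('tunnel', outer_packet) or ('plain', inner)."""
        _, dst, _ = parse_inner_packet(inner)
        if ipaddress.ip_address(dst) in self.peer_lan:
            return "tunnel", self.encapsulate(inner)
        return "plain", inner     # ordinary internet traffic, not protected

    def encapsulate(self, inner: bytes) -> bytes:
        """Encrypt the whole inner packet, then wrap it in a new outer packet."""
        self.seq_out += 1
        hdr = HDR.pack(self.spi_out, self.seq_out)
        ct = xor(inner, keystream(self.enc_key, self.spi_out, self.seq_out, len(inner)))
        icv = hmac.new(self.mac_key, hdr + ct, hashlib.sha256).digest()[:ICV_LEN]
        return f"{self.public_ip}>{self.peer_public_ip}|".encode() + hdr + ct + icv

    def decapsulate(self, outer: bytes) -> bytes:
        """Verify, then decrypt; raises ValueError on tampering or replay."""
        outer_hdr, body = outer.split(b"|", 1)
        if tuple(outer_hdr.decode().split(">")) != (self.peer_public_ip, self.public_ip):
            raise ValueError("not from our tunnel peer")
        hdr, ct, icv = body[:HDR.size], body[HDR.size:-ICV_LEN], body[-ICV_LEN:]
        spi, seq = HDR.unpack(hdr)
        if spi != self.spi_in:
            raise ValueError("unknown SPI")
        expected = hmac.new(self.mac_key, hdr + ct, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(expected, icv):   # integrity check BEFORE decrypting
            raise ValueError("ICV check failed: packet modified in transit")
        if seq <= self.highest_seq_in:
            raise ValueError("replayed packet")
        self.highest_seq_in = seq
        inner = xor(ct, keystream(self.enc_key, spi, seq, len(ct)))
        _, inner_dst, _ = parse_inner_packet(inner)
        if ipaddress.ip_address(inner_dst) not in self.local_lan:
            raise ValueError("decrypted packet is not for this site")
        return inner    # this is what gets forwarded onto the LAN

def build_tunnel():
    """Two gateways sharing constructed keys; each one's SPI-out is the other's SPI-in."""
    enc_key, mac_key = b"\x01" * 32, b"\x02" * 32   # constructed, never do this for real
    gw_a = Gateway(GW_A_PUBLIC, SITE_A_LAN, SITE_B_LAN, GW_B_PUBLIC, 0x1001, 0x2002, enc_key, mac_key)
    gw_b = Gateway(GW_B_PUBLIC, SITE_B_LAN, SITE_A_LAN, GW_A_PUBLIC, 0x2002, 0x1001, enc_key, mac_key)
    return gw_a, gw_b

def eavesdropper_view(outer: bytes) -> dict:
    """What a sniffer on the internet path learns from one tunnel packet."""
    outer_hdr, body = outer.split(b"|", 1)
    spi, seq = HDR.unpack(body[:HDR.size])
    return {"outer": outer_hdr.decode(), "spi": spi, "seq": seq,
            "encrypted_bytes": len(body) - HDR.size - ICV_LEN}
```

Run `gw_a.route(build_inner_packet("10.1.5.7", "10.2.0.25", b"..."))` and then `gw_b.decapsulate(...)` on the result: the sniffer in the middle sees only the two gateways' public addresses, an SPI, a counter and an opaque blob of the inner packet's length, while the host on the VPC side receives the original packet with its private source and destination intact. The order of checks in `decapsulate` is the part worth copying: verify the integrity tag before touching the ciphertext, reject a sequence number already seen, and only then decrypt and apply policy to the inner packet.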

Now that you understand the basics of VPN, part 2 walks through setting up a site-to-site VPN on AWS.
