AWS: Hybrid Environments


The VPN connectivity with AWS enables us to combine resources from our on-premise environment with those in our AWS environment.

The VPN enables you to extend a subnet from one geographic location to another, across two separate networks. Each side of the VPN (on-premises and AWS) can communicate with all resources on the other side; no public IP addresses or internet gateways are required to facilitate this communication.

VPNs add security by encrypting all traffic that is sent through the VPN.

Each VPN connection has two parallel routes (IPsec tunnels) for redundancy.

Virtual Private Gateway (VPG): This is the connector on the VPC (AWS) side of the VPN connection. A VPC can only have one VPG. However, it can have both a VPG and an IGW.

Customer Gateway (CGW): A customer gateway can be either a physical device or a software application in the on-premises environment.

VPN: This is the link between the VPG and the CGW. We can set up this link through the AWS interface. We must choose the VPG and CGW during the setup process.

Route Table: When setting up a VPN, the route table for the subnet you're trying to connect to must include a route to the on-premises network that is used for the VPN, with the VPG as its target.
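The route-table requirement above is easy to get wrong in a way that fails silently: if no route covers the on-premises CIDR, the default route (if there is one) sends that traffic towards the internet gateway instead of the tunnel. The following is an added preflight check, not AWS code or part of the original notes. It assumes route entries shaped like the EC2 DescribeRouteTables response (DestinationCidrBlock, GatewayId, State); the route values, the VGW id and the on-premises CIDR are constructed samples.

```python
"""Preflight check: does a subnet's route table send on-premises traffic to the VPG?

Added example (not AWS code). Route dictionaries follow the key names used by
the EC2 DescribeRouteTables API; all values below are constructed samples.
"""
import ipaddress


def find_covering_route(routes, on_prem_cidr):
    """Return the most specific route whose destination contains on_prem_cidr.

    AWS selects routes by longest prefix match, so the most specific covering
    route is the one that will actually carry the traffic. Returns None when
    no route covers the network at all.
    """
    target = ipaddress.ip_network(on_prem_cidr)
    best, best_len = None, -1
    for route in routes:
        dest = route.get("DestinationCidrBlock")
        if dest is None:  # IPv6 or prefix-list routes are out of scope here
            continue
        net = ipaddress.ip_network(dest)
        if net.version != target.version:
            continue
        if target.subnet_of(net) and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def check_vpn_route(routes, on_prem_cidr, vgw_id):
    """Classify how the route table handles the on-premises network.

    Returns one of:
      'ok'           - a route covers on_prem_cidr and targets the VPG
      'missing'      - nothing covers on_prem_cidr, so the traffic is dropped
      'wrong-target' - a route covers on_prem_cidr but targets something else
                       (typically the 0.0.0.0/0 route to the IGW), so the
                       traffic never enters the tunnel
    """
    route = find_covering_route(routes, on_prem_cidr)
    if route is None:
        return "missing"
    if route.get("GatewayId") == vgw_id and route.get("State", "active") == "active":
        return "ok"
    return "wrong-target"


# Constructed sample data in the shape of a DescribeRouteTables response.
VGW_ID = "vgw-0fedcba9876543210"          # placeholder id
ON_PREM_CIDR = "192.168.10.0/24"          # constructed on-premises network
SAMPLE_ROUTES = [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123456789abcdef0", "State": "active"},
    {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": VGW_ID, "State": "active"},
]

if __name__ == "__main__":
    print(check_vpn_route(SAMPLE_ROUTES, ON_PREM_CIDR, VGW_ID))        # ok
    print(check_vpn_route(SAMPLE_ROUTES[:2], ON_PREM_CIDR, VGW_ID))    # wrong-target
    print(check_vpn_route(SAMPLE_ROUTES[:1], ON_PREM_CIDR, VGW_ID))    # missing
```

The "wrong-target" case is the one worth alerting on: the subnet looks connected, but the default route wins and the on-premises prefix is sent out of the IGW rather than through the encrypted tunnel.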

AWS Direct Connect

The AWS Direct Connect service provides a dedicated network connection between your network and authorised AWS Direct Connect locations.

This service does not require you to host any hardware or networking equipment at the Direct Connect partner site.

The benefits of using the Direct Connect service are reduced network costs and lower latency compared to using public connections.

Side Note:

You can only connect to the region that your Direct Connect partner is linked to. You cannot connect to multiple regions.

You can connect to EC2 instances using a private virtual interface, which only uses private IP addresses to communicate with AWS resources. It is a dedicated private connection, just like a VPN.

You can also connect using a public virtual interface, which connects to public AWS endpoints such as DynamoDB or S3. These resources must have a public IP, and you will be required to enter the public CIDR block range during configuration.

Best practice is to configure a VPN as a backup to the Direct Connect connection, in addition to running two Direct Connect connections (active/active or active/standby).

VPC Peering

VPC peering is the process of sharing internal resources of multiple VPCs via private IP addresses. This can only happen between two VPCs in the same region, but VPCs can be peered when they are part of different AWS accounts (as long as they are in the same region).

Side Note:

To peer VPCs, they must have separate, non-overlapping CIDR block ranges.

Transitive connections are not permitted. This means that if VPC2 is peered with VPC1 and VPC1 is peered with VPC3, VPC2 and VPC3 will still be unable to communicate. They must have a direct peering link.

When peering, you can choose to peer the entire VPC or just specific subnets within.
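The two side notes above (non-overlapping CIDR blocks, same region, and no transitive routing) are the checks that fail most often when a peering mesh grows. The following is an added example, not AWS code or part of the original notes: a small preflight that validates a proposed peering between two VPCs and lists the VPC pairs that share a peered neighbour but have no direct link, which is exactly the set of pairs that will not be able to talk. The VPC ids, regions, account ids and CIDR blocks are constructed samples, and the dictionary layout is an assumption for the example.

```python
"""Preflight checks for VPC peering: CIDR overlap, region, and non-transitivity.

Added example (not AWS code). VPC metadata layout and all ids/CIDRs below are
constructed samples.
"""
import ipaddress
from itertools import combinations


def cidrs_overlap(cidrs_a, cidrs_b):
    """Return every (a, b) pair of CIDR blocks that overlap, or [] if none do."""
    nets_a = [ipaddress.ip_network(c) for c in cidrs_a]
    nets_b = [ipaddress.ip_network(c) for c in cidrs_b]
    return [(str(a), str(b)) for a in nets_a for b in nets_b
            if a.version == b.version and a.overlaps(b)]


def can_peer(vpcs, a, b):
    """Return (ok, reason) for a proposed peering between VPC a and VPC b.

    Different AWS accounts are allowed, so the account field is deliberately
    not compared; region and CIDR overlap are the blocking conditions.
    """
    if a == b:
        return False, "a VPC cannot peer with itself"
    if vpcs[a]["region"] != vpcs[b]["region"]:
        return False, "VPCs are in different regions"
    clashes = cidrs_overlap(vpcs[a]["cidrs"], vpcs[b]["cidrs"])
    if clashes:
        return False, f"overlapping CIDR blocks: {clashes}"
    return True, "ok"


def directly_peered(peerings, a, b):
    """True only if an explicit peering connection exists between a and b."""
    return frozenset((a, b)) in {frozenset(p) for p in peerings}


def transitive_only_pairs(peerings):
    """VPC pairs that share a peered neighbour but have no direct peering.

    Because peering is not transitive, these pairs cannot communicate even
    though a path exists through the shared neighbour.
    """
    direct = {frozenset(p) for p in peerings}
    neighbours = {}
    for a, b in peerings:
        neighbours.setdefault(a, set()).add(b)
        neighbours.setdefault(b, set()).add(a)
    unreachable = set()
    for spokes in neighbours.values():
        for x, y in combinations(sorted(spokes), 2):
            if frozenset((x, y)) not in direct:
                unreachable.add(frozenset((x, y)))
    return sorted(tuple(sorted(p)) for p in unreachable)


# Constructed sample inventory (ids, accounts, regions and CIDRs are made up).
VPCS = {
    "vpc-1": {"region": "eu-west-1", "account": "111111111111", "cidrs": ["10.0.0.0/16"]},
    "vpc-2": {"region": "eu-west-1", "account": "222222222222", "cidrs": ["10.1.0.0/16"]},
    "vpc-3": {"region": "eu-west-1", "account": "111111111111", "cidrs": ["10.2.0.0/16"]},
    "vpc-4": {"region": "eu-west-1", "account": "111111111111", "cidrs": ["10.0.128.0/17"]},
    "vpc-5": {"region": "us-east-1", "account": "111111111111", "cidrs": ["10.5.0.0/16"]},
}
# Existing peering connections: a hub (vpc-1) with two spokes.
PEERINGS = [("vpc-1", "vpc-2"), ("vpc-1", "vpc-3")]

if __name__ == "__main__":
    print(can_peer(VPCS, "vpc-1", "vpc-2"))   # (True, 'ok')  -- different accounts is fine
    print(can_peer(VPCS, "vpc-1", "vpc-4"))   # overlap: 10.0.0.0/16 vs 10.0.128.0/17
    print(can_peer(VPCS, "vpc-1", "vpc-5"))   # different regions
    print(transitive_only_pairs(PEERINGS))    # [('vpc-2', 'vpc-3')]
```

Running the transitive check over an existing peering inventory is a quick way to explain "why can't VPC2 reach VPC3?" tickets: the answer is always the missing direct link, never a route table.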