How do I establish an encrypted connection over an AWS Direct Connect connection?

Lesedauer: 3 Minute
1

I want to establish an encrypted connection from my local network to my Amazon Virtual Private Cloud (Amazon VPC) over an AWS Direct Connect connection.

Short description

AWS Direct Connect provides a dedicated and private connection, with consistent throughput between your local network and AWS. An AWS Direct Connect connection isn't encrypted by default. To encrypt traffic over AWS Direct Connect connections, use either of these methods:

  • Use MAC Security (MACsec). MACsec provides point-to-point encryption over a dedicated direct connect connection. For information on connections that support MACsec, see AWS Direct Connect.
  • Create an AWS Site-to-Site VPN over Direct Connect. Site-to-Site VPN provides encryption between a customer gateway and an AWS gateway. The AWS gateway can be an AWS Transit Gateway or a virtual private gateway.

For more information on how to use MACsec encryption, see Get started with MACsec on dedicated connections.

If you don't use MACsec, then use Site-to-Site VPN. Site-to-Site VPN allows VPN tunnels between an on-premises appliance and a virtual private gateway or a Transit Gateway. To build Site-to-Site VPN over Direct Connect to Amazon VPC, use a public virtual interface. To build Site-to-Site VPN between on-premises equipment and AWS Transit Gateway, choose a public or a transit virtual interface.

Resolution

Create a Site-to-Site VPN over a public virtual interface

  1. Create your Direct Connect connection.

  2. Create a public virtual interface for your Direct Connect connection.

    For Prefixes you want to advertise, enter your customer gateway device's public IP address and any network prefixes that you want to advertise.

    Note: Your public virtual interface receives all AWS public IP address prefixes from each AWS Region (except the AWS China Region). These include the public IP addresses of AWS managed VPN endpoints. Use Border Gateway Protocol (BGP) communities to filter prefixes by Local AWS Region or AWS Regions of a continent.

  3. Create a new VPN connection to your Virtual Private Gateway or AWS Transit Gateway.

    In the customer gateway configuration, use the same public IP address that you specified in the previous step.

    Note: Configure your customer gateway device to create the VPN tunnels. You can download example configurations from the AWS Management Console or the AWS Command Line Interface (AWS CLI).

Create a Site-to-Site VPN over a transit virtual interface

  1. Create your Direct Connect connection.

  2. Associate an IP CIDR block with your Transit Gateway. You can't associate addresses in the 169.254.0.0/16 range, or ranges that overlap with addresses for your VPC attachments and on-premises networks. You can modify an existing Transit Gateway to add this CIDR block.

  3. Create a transit virtual interface. In the transit virtual interface configuration, you can select an existing Direct Connect gateway, or create a new one.

    Note: A Direct Connect Gateway can't be associated with virtual private gateway and Transit Gateway at same point of time.

  4. Associate your Transit Gateway to the Direct Connect gateway. Make sure the Transit Gateway CIDR block configured in the previous step is announced to your local network through allowed prefixes.

  5. Create a new VPN connection using private IP addresses to the Transit Gateway.

  6. Configure your customer gateway device to create the VPN tunnels. You can download example configurations from the AWS Management Console or the AWS CLI.

Related information

Troubleshooting AWS Direct Connect

Logging AWS Direct Connect API calls using AWS CloudTrail

Monitoring your Site-to-Site VPN connection

AWS Site-to-Site VPN logs

Amazon Virtual Private Cloud connectivity options

AWS OFFICIAL
AWS OFFICIALAktualisiert vor einem Jahr
6 Kommentare

Why create a public virtual interface? Why not create a private virtual interface?

beantwortet vor einem Jahr

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
beantwortet vor einem Jahr

Sanity check: Will the bandwidth supported in this solution still be 1.25Gbps as in a regular site-to-site VPN over Internet?

beantwortet vor einem Jahr

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

profile pictureAWS
MODERATOR
beantwortet vor einem Jahr

@Richard: Thank you for your question, you can create AWS Site to Site VPN to Transit Gateway only over a transit VIF or a Public VIF. AWS Site to Site VPN is not supported over a Private VIF.

profile pictureAWS
EXPERTE
beantwortet vor einem Jahr

@Rafael: Thank you for your question. AWS Site to Site VPN supports bandwidth of upto 1.25Gbps or 140,000 PPS. As long as your underlay network (Direct Connect or Internet) is able to support this bandwidth you should be fine. Please read this blog which talks about optimizing performance for our AWS Site to Site VPN.

profile pictureAWS
EXPERTE
beantwortet vor einem Jahr