Passer au contenu
En utilisant AWS re:Post, vous acceptez les AWS re:Post Conditions d’utilisation
AWS re:Postre:Post
À propos de re:Post

Understanding Traffic Flow when using AWS Site To Site VPN

0

My team is researching VPN solutions for partner integrations and we came across the AWS Site To Site VPN. The terminology used throughout the documentation implies that I need to own both ends of the tunnel, so my question starts off with: Is AWS Site To Site VPN a valid solution for the scenario where we need to talk to an application inside of a partners network, but prevent them from being able to talk to anything inside of ours? We can't find a definitive answer to this

Sujets
Réseaux et diffusion de contenu
Balises
AWS Virtual Private Network (VPN)Sécurité du réseau
Langue
English
demandé il y a un an476 vues
2 réponses
0

Depending on the application there is a way to do this using Site-to-Site VPN and PrivateLink. For this example where there is something on a remote network that you need to connect to you could do this:

EC2 (VPC A) -> PrivateLink Endpoint (VPC A) -> NLB (VPC B) -> VPN -> Remote network -> Remote application

This only allows connections from VPC A to the remote network/application and not the other way. Traffic is still bidirectional but the initiation of each flow/session has to come from VPC A. VPCs A and B, the NLB and the VPN can still be owned by you; with the remote VPN end controlled by the partner.

This works well if you're calling an API endpoint or basically anything that is TCP-based and uses a single TCP session for transport and where the remote application has a stable IP address. If the IP address changes then you need to update the NLB target group. So it's good for databases, web servers, that sort of thing.

This is not suitable for UDP-based applications (as PrivateLink doesn't support UDP); nore for what I would call "complex" applications where there are many TCP ports. It can be made to work in some circumstances but not all.

AWS
EXPERT
répondu il y a un an
  • rv-ddouglas
    il y a un an

    Can you elaborate a little bit so I can understand. Are you saying that because the VPN terminates on our side in VPC B and the rest of our infrastructure is in VPC A and since they old connection between VPC A and VPC B is via the NLB which is unidirectional, then we do not need to worry about the lack of unidirectional support on the VPN?

  • Brettski-AWS EXPERT
    il y a un an

    Bear in mind that it is NLB in VPC A and a PrivateLink endpoint between the two VPCs. PrivateLink only allows for connections to be established in one direction (in this case from VPC B to the NLB in VPC A). The traffic flow is bidirectional because it has to be (otherwise you'd never get data back to the client that initiated the session). Where the VPN is terminated is not relevant; you could have EC2 instances in VPC B and it would work the same - but it also happens to work with clients at the "far end" of the VPN from VPC B. The other tricks here is that PrivateLink deals with overlapping IP addresses too - so you don't have to worry if VPC A is the same IP range as VPC B, the VPN or anything connected to the VPN.

0

AWS Site-to-Site VPN is generally meant for situations where you control both ends of the VPN tunnel, such as connecting your own on-premises network to your AWS VPC. It typically establishes bidirectional communication, so it’s not well-suited for scenarios where you only want one-way access—where you can connect to a partner’s application but they can’t access your network.

For your situation, where you need to securely connect to a partner's network while preventing them from accessing yours, AWS PrivateLink might be a better fit. It allows you to access services in another VPC privately without exposing your network. Alternatively, if the partner’s network is also on AWS, VPC Peering could work, but it requires careful setup to manage traffic flow. Another option is using API Gateway for application-level access if that fits your needs.

EXPERT
répondu il y a un an
  • rv-ddouglas
    il y a un an

    Other AWS Services aren't typically an option because the partners are not in AWS unfortunately. If they were, we'd most likely end up using PrivateLink

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Contenus pertinents