How do I establish an encrypted connection over an AWS Direct Connect connection?

I want to establish an encrypted connection from my local network to my Amazon Virtual Private Cloud (Amazon VPC) over an AWS Direct Connect connection.

Short description

To encrypt traffic over an AWS Direct Connect connection, use one of the following methods:

MACsec: Use MACsec on a dedicated Direct Connect connection.

Site-to-Site VPN: To build a Site-to-Site VPN over Direct Connect to Amazon VPC, use a Direct Connect public virtual interface. To build a Site-to-Site VPN between on-premises equipment and AWS Transit Gateway, use a Direct Connect transit virtual interface.

For an overview of the available options, see Network-to-Amazon VPC connectivity options.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

Use MACsec

To use MACsec, see Get started using MACsec on a dedicated AWS Direct Connect connection.

Create a Site-to-Site VPN over a public virtual interface

Complete the following steps:

  1. Use the Connection wizard to create your Direct Connect dedicated connection.
  2. Create a Direct Connect public virtual interface. For Prefixes you want to advertise, enter your Site-to-Site VPN customer gateway device's public IP address and the network prefixes that you want to advertise.
    Note: Your public virtual interface receives all AWS public IP address prefixes from each AWS Region except the AWS China Region. These include the public IP addresses of AWS managed VPN endpoints. Use Border Gateway Protocol (BGP) communities to filter prefixes by local Region or all Regions of a continent.
  3. Create a new VPN connection to your virtual private gateway or transit gateway.
  4. For Customer gateway, choose Existing, and then select the customer gateway that you created.
  5. Configure your customer gateway device to create the VPN tunnels. You can use the Amazon VPC console or AWS CLI to download the example configuration file.

Create a Site-to-Site VPN over a transit virtual interface

Complete the following steps:

  1. Use the Connection wizard to create your Direct Connect dedicated connection.
  2. For Transit gateway CIDR blocks, specify IPv4 or IPv6 CIDR blocks.
  3. Create a transit virtual interface.
  4. In the transit virtual interface configuration, select an existing Direct Connect gateway, or create a new one.
    Note: You can't associate a Direct Connect gateway with both a virtual private gateway and a transit gateway at the same time.
  5. Associate your Direct Connect gateway with your transit gateway. Make sure that you announce the transit gateway CIDR block to your local network through the allowed prefixes on the association.
  6. Create a new private IP Site-to-Site VPN over Direct Connect to the transit gateway.
  7. Configure your customer gateway device to create the VPN tunnels. You can use the Amazon VPC console or AWS CLI to download the example configuration file.
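The two procedures above are written for the console. As an added example (not part of the AWS article), the script below shows the equivalent AWS CLI calls for both: the customer gateway and VPN connection over a public virtual interface, and the transit gateway CIDR block, Direct Connect gateway association with an allowed prefix, and private IP VPN pinned to the transit VIF attachment. Every ID, ASN and address in it is a constructed placeholder; by default it only prints each command so you can review the parameters before running them against a real account.

```shell
#!/bin/sh
# Added example, not from the AWS article. All IDs and addresses are
# constructed placeholders. DRY_RUN=1 (default) prints each command;
# DRY_RUN=0 with valid credentials executes it.
DRY_RUN="${DRY_RUN:-1}"

run() {
    printf '%s\n' "$*"
    if [ "$DRY_RUN" = "0" ]; then "$@"; fi
}

# Both procedures: register the customer gateway device. Over a public VIF
# this is the public IP you advertised; for a private IP VPN it is the
# device's private IP reachable across the transit VIF.
create_customer_gateway() {  # args: bgp_asn device_ip
    run aws ec2 create-customer-gateway --type ipsec.1 \
        --bgp-asn "$1" --ip-address "$2"
}

# Public VIF procedure, step 3: BGP-based VPN to a virtual private gateway.
# The VPN endpoints' public IPs are among the AWS prefixes the public VIF learns.
create_vpn_over_public_vif() {  # args: cgw_id vgw_id
    run aws ec2 create-vpn-connection --type ipsec.1 \
        --customer-gateway-id "$1" --vpn-gateway-id "$2" \
        --options StaticRoutesOnly=false
}

# Transit VIF procedure, step 2: the transit gateway needs a CIDR block,
# which later becomes the private outside address space of the tunnels.
create_transit_gateway_with_cidr() {  # args: amazon_side_asn tgw_cidr
    run aws ec2 create-transit-gateway \
        --options "AmazonSideAsn=$1,TransitGatewayCidrBlocks=$2"
}

# Transit VIF procedure, step 5: associate the Direct Connect gateway with the
# transit gateway and allow the transit gateway CIDR so it is announced on-premises.
associate_dxgw_with_tgw() {  # args: dxgw_id tgw_id tgw_cidr
    run aws directconnect create-direct-connect-gateway-association \
        --direct-connect-gateway-id "$1" --gateway-id "$2" \
        --add-allowed-prefixes-to-direct-connect-gateway "cidr=$3"
}

# The private IP VPN must name the Direct Connect gateway attachment on the
# transit gateway; look it up by resource type.
find_dx_attachment() {  # args: tgw_id
    run aws ec2 describe-transit-gateway-attachments \
        --filters "Name=transit-gateway-id,Values=$1" \
                  Name=resource-type,Values=direct-connect-gateway \
        --query 'TransitGatewayAttachments[0].TransitGatewayAttachmentId' \
        --output text
}

# Transit VIF procedure, step 6: OutsideIpAddressType=PrivateIpv4 together with
# the transport attachment keeps tunnel endpoints on private IPs over the VIF,
# so no public IP address is involved.
create_private_ip_vpn() {  # args: cgw_id tgw_id dx_attachment_id
    run aws ec2 create-vpn-connection --type ipsec.1 \
        --customer-gateway-id "$1" --transit-gateway-id "$2" \
        --options "OutsideIpAddressType=PrivateIpv4,TransportTransitGatewayAttachmentId=$3"
}

# Last step of both procedures: download the vendor sample configuration.
# Device type IDs come from `aws ec2 get-vpn-connection-device-types`.
download_sample_config() {  # args: vpn_id device_type_id
    run aws ec2 get-vpn-connection-device-sample-configuration \
        --vpn-connection-id "$1" --vpn-connection-device-type-id "$2" \
        --query VpnConnectionDeviceSampleConfiguration --output text
}

# Walk-through with placeholder values (dry run by default).
main() {
    create_customer_gateway 65000 203.0.113.10
    create_vpn_over_public_vif cgw-0EXAMPLE vgw-0EXAMPLE
    create_transit_gateway_with_cidr 64512 192.0.2.0/24
    associate_dxgw_with_tgw dxgw-0EXAMPLE tgw-0EXAMPLE 192.0.2.0/24
    find_dx_attachment tgw-0EXAMPLE
    create_private_ip_vpn cgw-0EXAMPLE tgw-0EXAMPLE tgw-attach-0EXAMPLE
    download_sample_config vpn-0EXAMPLE DEVICE-TYPE-ID-PLACEHOLDER
}
main
```

Run it once as-is to see the full command sequence, then rerun individual functions with `DRY_RUN=0` and the real IDs returned by the earlier calls. The private IP VPN call is the one that differs from an Internet-based VPN: without `OutsideIpAddressType=PrivateIpv4` and the transport attachment, the connection would be built to public endpoint addresses.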

Related information

Troubleshooting AWS Direct Connect

AWS Site-to-Site VPN logs

Monitor an AWS Site-to-Site VPN connection

AWS OFFICIAL | Updated 8 months ago

8 Comments

Why create a public virtual interface? Why not create a private virtual interface?

replied 3 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 3 years ago

Sanity check: Will the bandwidth supported in this solution still be 1.25Gbps as in a regular site-to-site VPN over Internet?

replied 3 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 3 years ago

@Richard: Thank you for your question. You can create an AWS Site-to-Site VPN to Transit Gateway only over a transit VIF or a public VIF. AWS Site-to-Site VPN is not supported over a private VIF.

AWS
EXPERT
replied 2 years ago

@Rafael: Thank you for your question. AWS Site-to-Site VPN supports bandwidth of up to 1.25 Gbps or 140,000 PPS. As long as your underlay network (Direct Connect or Internet) is able to support this bandwidth, you should be fine. Please read this blog, which talks about optimizing performance for AWS Site-to-Site VPN.

AWS
EXPERT
replied 2 years ago

It seems the recommendation provided in the article to use a public VIF is dated. AWS now supports private IP VPNs over transit VIFs, eliminating public IP dependencies. Check this article, which for obvious reasons is better from a security perspective. @Moderators: Please can you check and update the recommendations accordingly.

AWS
replied 9 months ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 9 months ago