- Newest
- Most votes
- Most comments
There's some detail missing here - how are the IPSEC tunnels being created? Are A and B instances or sites?
If I assume that you're using the AWS VPN service and that A and B are sites: The traffic within Transit Gateway is not encrypted. Think of Transit Gateway as a cloud-scale router. If you had a router that terminated two IPSEC tunnels and routed between them the traffic on the router is not encrypted as it passes through that device. That's because the router must decrypt the packet from (say) A, determine the appropriate destination (B in this case) and then encrypt it again before sending it onto B.
In general, there are many places in every network where (at least) the IP (and perhaps TCP) headers of a packet need to be visible in order to route the packet(s) correctly. For the payload to remain encrypted at that point requires application-layer security such as TLS. It's the only way to achieve end-to-end encryption between two hosts.
Relevant content
- asked 2 years ago
- asked a year ago
AWS OFFICIALUpdated a year ago- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago
- How do I monitor my transit gateway and Site-to-Site VPN on a transit gateway using Network Manager?AWS OFFICIALUpdated a year ago
Thanks for your reply and sorry for not being entirely clear. Yes, A and B are meant to be sites using the AWS VPN service.
This is what I expected, I just wanted to make sure.