Creating a site-to-site VPN connection in AWS does not necessarily require hardware on the AWS side, but it does require some specific components and configuration on both the AWS and customer sides.
On the AWS side, you'll need to set up:
- A Virtual Private Gateway (VGW) or Transit Gateway (TGW) attached to your VPC
- A VPN connection in AWS
On the customer's on-premises side, they will need:
- A customer gateway device (this can be physical hardware or a software appliance)
- A public IP address for the customer gateway device
The customer gateway device is crucial as it terminates the VPN connection on the customer's side. This device can be a physical router, firewall, or a software-based VPN appliance. AWS has tested various devices from different vendors for compatibility.
While you can create the VPN connection through the VPC console as you mentioned, setting up a site-to-site VPN involves several steps and considerations, including:
- Configuring routing
- Setting up security groups and network ACLs
- Configuring the customer gateway device with the information provided by AWS
An AWS Technical Account Manager (TAM) or Solutions Architect (SA) can indeed help with this process. They can provide guidance on best practices, help troubleshoot issues, and offer advice on the overall architecture. However, they typically won't perform the actual configuration, especially on the customer's on-premises side.
It's important to note that while AWS provides a managed Site-to-Site VPN service, the customer is responsible for configuring and managing their on-premises VPN device. The AWS team can provide the necessary configuration information for the customer's network team to set up their end of the VPN connection.
If your customer is not comfortable with setting up the VPN themselves, they might consider engaging AWS Professional Services or an AWS Partner for hands-on assistance with the implementation.
Sources
Site 2 site VPN | AWS re:Post
Configure an AWS site-to-site VPN | AWS re:Post
Hybrid network connections - Hybrid Connectivity
VPN connections can certainly be set up without a TAM or SA. To set up a site-to-site VPN, there needs to be something to terminate the tunnels on both sides:
- on AWS, it can be a Transit Gateway (TGW) or Virtual Private Gateway (VGW)
- on the customer side, there needs to be a physical or virtual appliance, such as a Router or Firewall (can be a virtual router running on something like VMware, if the network connectivity allows non-NAT communication from AWS)
Setting up a site-to-site VPN connection is not necessarily difficult but must be done methodically because the settings on both (the AWS and customer) sides must match exactly. Settings to plan for:
- IP addressing / subnet planning
- BGP AS numbers, if applicable - always try to use a routing protocol when possible
Got more questions?
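The points raised above (a reachable customer gateway address, non-overlapping IP addressing on the two sides, and BGP AS numbers that match the plan) can be checked before anyone touches the console. The following pre-flight check is an added example and not code from either answer or from AWS; `VpnPlan`, `check_plan`, the field names and the sample values are this example's own, and the Amazon-side ASN default of 64512 is the AWS default for a VGW or TGW.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed planning record for this example; the field names are not AWS API parameters.
@dataclass
class VpnPlan:
    vpc_cidrs: List[str]                 # prefixes on the AWS side (VPC CIDRs behind the VGW/TGW)
    onprem_cidrs: List[str]              # prefixes reachable behind the customer gateway device
    cgw_public_ip: str                   # address AWS builds the tunnels to (the customer gateway)
    amazon_asn: int = 64512              # AWS default Amazon-side ASN for a VGW or TGW
    customer_asn: Optional[int] = None   # None means static routes instead of BGP

def check_plan(plan: VpnPlan) -> List[str]:
    """Return a list of mismatches; an empty list means the plan passed every check."""
    problems = []

    # The customer gateway must be reachable from AWS on a public IPv4 address; a private
    # (RFC 1918) address here usually means a NAT device sits in the path from AWS.
    ip = ipaddress.ip_address(plan.cgw_public_ip)
    if ip.version != 4 or not ip.is_global:
        problems.append(f"customer gateway address {ip} is not a public IPv4 address")

    # IP addressing / subnet planning: prefixes on the two sides must not overlap, otherwise
    # traffic for the remote side is routed locally and never enters the tunnel.
    for vpc in plan.vpc_cidrs:
        for onprem in plan.onprem_cidrs:
            if ipaddress.ip_network(vpc).overlaps(ipaddress.ip_network(onprem)):
                problems.append(f"AWS prefix {vpc} overlaps on-premises prefix {onprem}")

    # BGP AS numbers: the session is eBGP, so the two ends need different ASNs, and the
    # customer ASN must be a valid 32-bit AS number (64512-65534 is the usual private choice).
    if plan.customer_asn is not None:
        if not 1 <= plan.customer_asn <= 4294967294:
            problems.append(f"customer ASN {plan.customer_asn} is outside the valid range")
        elif plan.customer_asn == plan.amazon_asn:
            problems.append(f"customer ASN {plan.customer_asn} equals the Amazon-side ASN")
    return problems

if __name__ == "__main__":
    # Constructed sample plan: a VPC at 10.0.0.0/16, an office at 192.168.10.0/24, BGP with a private ASN.
    plan = VpnPlan(["10.0.0.0/16"], ["192.168.10.0/24"], "54.12.34.56", customer_asn=65000)
    for problem in check_plan(plan) or ["plan is consistent"]:
        print(problem)
```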
Q: AWS TAM or SA can help create site to site VPN? A: AWS TAMs and SAs can provide information and direction but have no access or authorization to configure resources in your account or on your behalf. If you need an AWS employee to implement a solution in your account on your behalf, you will need a Statement of Work with AWS Professional Services.