Migrating VPN from OnPrem to AWS


Hi Team, I have some resources in my on-prem network and I'm connecting them with a Zyxel VPN. Now I want to migrate that Zyxel VPN to AWS. What are the possible ways that I can migrate?

  • Is this Zyxel VPN a hardware device or a virtual machine?

asked a month ago · 184 views
3 Answers

Hi Gunashekar,

Please go through the approaches below and, based on your budget and requirements, choose any approach that I mention below. I hope it helps resolve your query.

1. Site-to-Site VPN

Description: Set up a Site-to-Site VPN between your on-premises network and AWS. This allows your on-premises network to communicate securely with your AWS resources.

Steps:
Create a Virtual Private Gateway (VGW):

  • In the AWS Management Console, navigate to the VPC dashboard.
  • Create a Virtual Private Gateway and attach it to your VPC.

Configure Customer Gateway:

  • Define your on-premises Zyxel VPN device as a customer gateway in AWS.
  • Provide the public IP address of your Zyxel VPN device.

Create a Site-to-Site VPN Connection:

  • Create a VPN connection between the Virtual Private Gateway and the Customer Gateway.
  • Download the configuration file provided by AWS for Zyxel devices and apply it to your on-premises VPN device.

Update Routing Tables:

  • Update your VPC route tables to route traffic through the VPN connection.
  • Update routing on your on-premises network to route traffic destined for the AWS VPC through the VPN.

Pros:

  • Secure and direct communication between on-premises and AWS resources.
  • Managed by AWS with high availability and redundancy.

Cons:

  • Potentially more complex setup.
  • Might require advanced network configuration skills.

2. AWS Transit Gateway

Description: Use an AWS Transit Gateway to connect multiple VPCs and on-premises networks through a centralized hub.

Steps:
Create a Transit Gateway:

  • In the AWS Management Console, navigate to the Transit Gateway section.
  • Create a new Transit Gateway.

Attach VPCs to Transit Gateway:

  • Attach the relevant VPCs to the Transit Gateway.

Create Transit Gateway VPN Attachment:

  • Create a VPN attachment to the Transit Gateway for your on-premises network.
  • Configure the VPN settings on your Zyxel VPN device based on the configuration provided by AWS.

Update Routing:

  • Update routing tables in your VPCs and on-premises network to route traffic through the Transit Gateway.

Pros:

  • Simplifies the management of multiple VPCs and VPN connections.
  • Scalable and flexible.

Cons:

  • Additional costs associated with using a Transit Gateway.
  • May require more complex routing configurations.

3. AWS Direct Connect with VPN Backup

Description: Use AWS Direct Connect for a dedicated network connection with a VPN backup.

Steps:
Set Up AWS Direct Connect:

  • Establish a Direct Connect connection between your on-premises network and AWS.
  • Create a Direct Connect gateway and link it to your VPC.

Set Up a Backup VPN:

  • Create a Site-to-Site VPN connection as a backup for your Direct Connect link.
  • Configure the VPN on your Zyxel device.

Configure Failover:

  • Set up routing policies to failover to the VPN connection if the Direct Connect link goes down.

Pros:

  • High bandwidth and low latency connection.
  • Increased reliability with VPN backup.

Cons:

  • Higher costs due to Direct Connect.
  • More complex to set up and manage.

4. Third-Party VPN Solutions

Description: Use a third-party VPN solution available in AWS Marketplace that supports Zyxel devices.

Steps:
Choose a VPN Solution:

  • Select a compatible VPN solution from AWS Marketplace that supports Zyxel devices.

Deploy the Solution:

  • Deploy the VPN solution in your AWS environment.

Configure the VPN:

  • Follow the documentation to set up and configure the VPN connection between your on-premises Zyxel VPN and the third-party solution.

Pros:

  • Potentially simpler setup with comprehensive support.
  • May offer additional features not available in native AWS VPN.

Cons:

  • Additional costs for the third-party solution.
  • Dependency on third-party support and updates.
answered a month ago
  • Hi, I have an issue here. I don't have any resources in AWS, I only want to migrate my VPN to AWS, and that VPN has to handle the on-prem traffic.
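The four Site-to-Site VPN steps from the first approach above (VGW, customer gateway, VPN connection, route propagation), written out as a CloudFormation template. This is an added example, not code from the answer or from AWS; it assumes an existing VPC and route table, a placeholder public IP for the Zyxel device, a constructed on-premises CIDR, and static routing (no BGP on the Zyxel side).

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateRouteTableId:
    Type: String              # VPC route table that must reach the on-prem prefix
  ZyxelPublicIp:
    Type: String              # assumed placeholder, e.g. 203.0.113.10
  OnPremCidr:
    Type: String              # constructed sample value, e.g. 10.0.0.0/16
Resources:
  # Step 1: Virtual Private Gateway, attached to the existing VPC
  VirtualPrivateGateway:
    Type: AWS::EC2::VPNGateway
    Properties:
      Type: ipsec.1
  VgwAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VpcId
      VpnGatewayId: !Ref VirtualPrivateGateway
  # Step 2: the on-premises Zyxel device, described to AWS as a Customer Gateway
  ZyxelCustomerGateway:
    Type: AWS::EC2::CustomerGateway
    Properties:
      Type: ipsec.1
      IpAddress: !Ref ZyxelPublicIp
      BgpAsn: 65000           # required by the resource even with static routing
  # Step 3: the VPN connection; AWS generates two IPsec tunnels and the Zyxel config file
  SiteToSiteVpn:
    Type: AWS::EC2::VPNConnection
    DependsOn: VgwAttachment
    Properties:
      Type: ipsec.1
      CustomerGatewayId: !Ref ZyxelCustomerGateway
      VpnGatewayId: !Ref VirtualPrivateGateway
      StaticRoutesOnly: true  # assumes no BGP on the Zyxel side
  OnPremStaticRoute:
    Type: AWS::EC2::VPNConnectionRoute
    Properties:
      VpnConnectionId: !Ref SiteToSiteVpn
      DestinationCidrBlock: !Ref OnPremCidr
  # Step 4 (AWS side): propagate the VGW's routes into the VPC route table.
  # The on-premises side still needs a route for the VPC CIDR via the tunnel.
  VgwRoutePropagation:
    Type: AWS::EC2::VPNGatewayRoutePropagation
    DependsOn: VgwAttachment
    Properties:
      RouteTableIds: [!Ref PrivateRouteTableId]
      VpnGatewayId: !Ref VirtualPrivateGateway
```

After the stack is created, the device configuration for the Zyxel is downloaded from the VPN connection in the console and the on-premises router gets a route for the VPC CIDR pointing at the tunnel; until both tunnels show as UP, no traffic crosses.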


Do you mean that you are connecting to the ZyXEL box with a VPN client to access your on-premises systems? Or that other VPN devices at other locations/companies are connecting to your on-premises systems via one or more site-to-site VPN connections?

You're saying you have nothing running in AWS and only want to have your VPN there. If you connected to AWS with a VPN client or one or more site-to-site VPNs from other locations, then how would the AWS data centres (AWS region, like the ones in Mumbai or Hyderabad) connect to your on-premises systems? Would you still have a hardware box on premises to receive a VPN tunnel from AWS? Or would you intend the traffic between AWS (where the VPN is terminated) and your on-premises systems to run over the public internet, without the encryption and authentication protections provided by VPN?

Leo K
answered a month ago
  • Hi Leo. Here is my use case. All of my servers are running in the on-prem datacenter and users access those servers using a Zyxel VPN endpoint, which is also hosted in the on-prem DC. Now we want to migrate that Zyxel VPN to AWS without disturbing any functionality of accessing my servers.


@Gunasekhar, your ZyXEL box currently being in your on-premises data centre is what allows it to have a local, physical cable connecting it to the on-premises network, at the same time as it is also connected to the internet to provide the VPN capability for your users. That's how the VPN-connected users can reach the on-premises systems, by the ZyXEL box physically connected to both the VPN (over the internet) and the on-premises network mediating between them.

If you create a new VPN connection to AWS, your users will be able to connect to AWS just fine, but there would be no connection from AWS to your on-premises systems, unless you continue to have a VPN-capable device on premises, which would be able to establish a new VPN connection between on-premises and AWS. That way, users would connect via VPN to AWS, and traffic from there would continue over a second VPN tunnel to your on-premises systems.

The other option would be for you to move all your systems from on-premises to AWS. Then users could connect to AWS via VPN and be connected to all the systems there, just the same way as they are currently connecting via VPN to the ZyXEL box that is in the same place as the systems they're needing to access.

Leo K
answered a month ago