
Site-to-Site VPN

HIGH | Domain 1: Design Secure Architectures | Domain 3: Design High-Performing Architectures | Domain 4: Design Cost-Optimized Architectures

AWS Site-to-Site VPN establishes a secure connection between your on-premises equipment and your AWS Virtual Private Clouds (VPCs). It consists of a Virtual Private Gateway on the AWS side and a Customer Gateway on the customer side, forming a dual-tunnel connection for redundancy. This service allows extending your corporate data center into the AWS Cloud.

Learning Objectives

  • Understand the core components and architecture of an AWS Site-to-Site VPN connection.
  • Identify the purpose and characteristics of AWS VPN CloudHub for multi-site connectivity.
  • Recognize various scenarios and integrations where Site-to-Site VPN is utilized with other AWS networking services.
  • Grasp the security and redundancy features built into Site-to-Site VPN connections.

Site-to-Site VPN Fundamentals

AWS Site-to-Site VPN provides secure and private connectivity between your on-premises network and your AWS VPCs.

AWS Site-to-Site VPN establishes a secure connection between on-premises equipment and your VPCs. It allows you to create hardware virtual private network connections between your corporate data center and your VPC to leverage the AWS cloud as an extension of your corporate data center.
The Virtual Private Gateway (VGW) is the AWS side of a VPN connection. It is the VPN concentrator on the Amazon side of the VPN connection.
The Customer Gateway is the on-premises device or software used for a VPN connection. It is a physical device or software application on the customer side of the VPN connection.
A VPN connection is a dual-tunnel connection, providing built-in redundancy. Each VPN connection has two tunnels, and each tunnel uses a unique virtual private gateway public IP address. To take full advantage of both tunnels, you can attach a second customer gateway, so that the customer side is also redundant and no single device becomes a single point of failure.
Technical Specs: Dual-tunnel connection; each tunnel uses a unique VGW public IP; two Customer Gateways can be used for redundancy.

VPN CloudHub

AWS VPN CloudHub offers a way to simplify VPN network topology for connecting multiple sites.

VPN CloudHub is a service that allows you to connect multiple sites, each with its own VPN connection, together, helping to simplify your network by aggregating VPN connections and allowing for direct communication between different sites.

Purpose

VPN CloudHub is useful if you have multiple sites and you want to connect them together. It helps to simplify your network by aggregating VPN connections, allowing for direct communication between different sites.
Use Cases:
  • Connecting multiple sites with VPN connections.
  • Aggregating VPN connections from different customer sites all over the world.

Operating Model

It operates on a hub and spoke model, similar to VPC peering. In the case of VPN CloudHub, the hub is the AWS VPN CloudHub, and the spokes are the different customer sites.
Use Cases:
  • Simplifying network topology for multi-site connectivity

Cost and Management

It is low cost and easy to set up and manage, making it a cost-effective solution for connecting multiple sites together.

Security and Traffic

It operates over the public internet, but all traffic between the customer gateway and the AWS VPN CloudHub is encrypted, ensuring that your data is protected.

Configuration Requirement

You must use a unique Border Gateway Protocol (BGP) Autonomous System Number (ASN) for each customer gateway.
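The two CloudHub requirements above (a unique BGP ASN per customer gateway, and, per the AWS CloudHub documentation, no overlapping address ranges between sites) are easy to check before deployment. The following validator is an added example, not code from the page's source material; the site names, ASNs and prefixes are constructed, and the reserved-ASN value 7224 (the default Amazon-side ASN on the virtual private gateway) is taken from AWS documentation as the author of this example recalls it.

```python
import ipaddress
from typing import Dict, List

# Constructed sample CloudHub plan: each spoke is one customer gateway with its
# own VPN connection to the hub VGW. The third site is deliberately wrong.
SITES = [
    {"name": "london", "asn": 65001, "prefixes": ["10.10.0.0/16"]},
    {"name": "sydney", "asn": 65002, "prefixes": ["10.20.0.0/16"]},
    {"name": "toronto", "asn": 65001, "prefixes": ["10.20.128.0/17"]},  # duplicate ASN, overlapping prefix
]

# Customer gateway ASN range accepted by AWS is 1 to 2^31-1. 7224 is the default
# Amazon-side ASN on the VGW and is assumed here to be unusable by a spoke.
ASN_MIN, ASN_MAX = 1, 2**31 - 1
VGW_DEFAULT_ASN = 7224


def validate_cloudhub(sites: List[Dict]) -> List[str]:
    """Return a list of configuration problems; an empty list means the plan is consistent."""
    problems = []
    seen_asn = {}          # asn -> site name that already claimed it
    nets = []              # (site name, ip_network) seen so far
    for site in sites:
        asn = site["asn"]
        if not ASN_MIN <= asn <= ASN_MAX or asn == VGW_DEFAULT_ASN:
            problems.append(f"{site['name']}: ASN {asn} outside customer gateway range or reserved")
        if asn in seen_asn:
            problems.append(f"{site['name']}: ASN {asn} already used by {seen_asn[asn]}")
        else:
            seen_asn[asn] = site["name"]
        for prefix in site["prefixes"]:
            net = ipaddress.ip_network(prefix, strict=True)
            # CloudHub routes between spokes by prefix, so ranges must not overlap.
            for other_name, other in nets:
                if net.overlaps(other):
                    problems.append(f"{site['name']}: {net} overlaps {other} at {other_name}")
            nets.append((site["name"], net))
    return problems


if __name__ == "__main__":
    for problem in validate_cloudhub(SITES):
        print(problem)
```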

Site-to-Site VPN Connection Examples

AWS provides various configurations for Site-to-Site VPN connections to suit different networking needs.

Examples of Site-to-Site VPN connections include:
  • Single Site-to-Site VPN connection
  • Single Site-to-Site VPN connection with a Transit Gateway
  • Multiple Site-to-Site VPN connections
  • Multiple Site-to-Site VPN connections with a Transit Gateway
  • Site-to-Site VPN connection with AWS Direct Connect
  • Private IP Site-to-Site VPN connection with AWS Direct Connect

Integration with AWS Networking Services

Site-to-Site VPN can be combined with other AWS networking and data transfer services for enhanced functionality and secure hybrid architectures.

Combining AWS Direct Connect with a Site-to-Site VPN leverages the low latency of Direct Connect and uses the VPN for redundancy or for geographically dispersed locations. A VPN can also be run over a Direct Connect connection for added security.
AWS Transit Gateway acts as a central hub to connect VPCs and on-premises networks in a hub-and-spoke model. It works with Direct Connect and VPN connections, allowing transitive peering between thousands of VPCs and on-premises data centers.
VPC Flow Logs capture information about the IP traffic flowing through network interfaces within your VPC, including traffic over a VPN connection between AWS and an on-premises data center. This data is crucial for identifying network connectivity issues.
Technical Specs: Captures information about IP traffic; Can be published to CloudWatch Logs, S3, or Kinesis Data Firehose.
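As an added example (not code from the page's source material), the small parser below walks constructed VPC Flow Log records in the default version 2 format, keeps only the flows that cross the VPN to an assumed on-premises CIDR, and summarises bytes by action while listing rejected flows, which is the kind of check a practitioner runs when diagnosing VPN connectivity problems. The account ID, ENI ID, addresses and the on-premises range are all made up.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed records in the default VPC Flow Logs format (version 2):
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status. All identifiers are fictitious.
SAMPLE_FLOW_LOG = """\
2 111122223333 eni-0a1b2c3d4e5f67890 10.0.1.15 192.168.50.20 49152 443 6 12 3400 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f67890 192.168.50.20 10.0.1.15 443 49152 6 10 9100 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f67890 192.168.50.44 10.0.1.15 51000 3389 6 1 60 1700000000 1700000060 REJECT OK
2 111122223333 eni-0a1b2c3d4e5f67890 10.0.1.15 52.94.1.1 49153 443 6 8 2200 1700000000 1700000060 ACCEPT OK
2 111122223333 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA
"""

# On-premises network reachable through the Site-to-Site VPN (assumed value).
ONPREM = ipaddress.ip_network("192.168.50.0/24")


@dataclass
class Flow:
    src: str
    dst: str
    dstport: int
    proto: int
    nbytes: int
    action: str


def parse_flow_log(text: str) -> List[Flow]:
    """Parse default-format records; NODATA/SKIPDATA lines carry no addresses and are skipped."""
    flows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 14 or f[13] != "OK":
            continue
        flows.append(Flow(f[3], f[4], int(f[6]), int(f[7]), int(f[9]), f[12]))
    return flows


def vpn_summary(flows: List[Flow]) -> Dict[str, object]:
    """Total bytes per action for flows touching ONPREM, plus the rejected flows for troubleshooting."""
    bytes_by_action: Counter = Counter()
    rejects = []
    for fl in flows:
        if ipaddress.ip_address(fl.src) not in ONPREM and ipaddress.ip_address(fl.dst) not in ONPREM:
            continue  # not VPN traffic (for example an internet-bound flow)
        bytes_by_action[fl.action] += fl.nbytes
        if fl.action == "REJECT":
            rejects.append(f"{fl.src} -> {fl.dst}:{fl.dstport}/{fl.proto}")
    return {"bytes": dict(bytes_by_action), "rejects": rejects}
```

A REJECT on a port the on-premises side expects to reach usually points at a security group or network ACL on the VPC side rather than at the tunnel itself.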
AWS DataSync is an online data transfer service. While Direct Connect or Site-to-Site VPN is not strictly required for DataSync, it is recommended for better performance, security, and predictability when transferring large datasets between on-premises and AWS.

Exam Focus

  • VPN CloudHub is useful for connecting multiple sites, each with its own VPN connection. It operates over the public internet but all traffic between the customer gateway and AWS VPN CloudHub is encrypted. It works on a hub and spoke model just like VPC peering. It is low cost and easy to manage. It is a way of aggregating VPN connections from different customer sites all over the world. (source_page: 6)
  • Site-to-Site VPNs and Direct Connect link on-premises networks to VPCs. (source_page: 2)
  • For scenarios requiring online data transfer (internet, Direct Connect, VPN) for large datasets with automation, monitoring, speed, and data integrity, AWS DataSync is the correct service. (source_page: 9)
  • VPC Flow Logs are the service to enable for capturing and logging all IP traffic metadata flowing over a VPN connection. (source_page: 8)

Glossary

Virtual Private Gateway (VGW)
The AWS side of a VPN connection; the VPN concentrator on the Amazon side of the VPN connection.
Customer Gateway (CGW)
The on-premises device or software application on the customer side of the VPN connection.
VPN CloudHub
A service that allows you to connect multiple sites, each with its own VPN connection, together, operating on a hub and spoke model over the public internet with encrypted traffic.
Border Gateway Protocol (BGP) Autonomous System Number (ASN)
A unique identifier that must be used for each customer gateway when using VPN CloudHub.

Key Takeaways

  • AWS Site-to-Site VPN provides a secure, redundant connection between on-premises networks and AWS VPCs using Virtual Private Gateways and Customer Gateways, with dual tunnels for high availability. (source_page: 6)
  • VPN CloudHub simplifies multi-site connectivity by aggregating VPN connections in a hub-and-spoke model, offering a cost-effective and secure solution over the public internet. (source_page: 6)
  • Site-to-Site VPN integrates with Direct Connect for enhanced redundancy and security, and with Transit Gateway for simplifying complex network topologies across many VPCs and on-premises networks. (source_page: 2, 6)

Content Sources

AWS Cloud Foundations; AWS Networking Services; AWS_MIGRATION_PLAN; 08_AWS_Solutions_Architect_Associate_...; EC2 Networking and Optimization
Extracted: 2026-01-26 11:32:55.588829
Model: gemini-2.5-flash