AWS Networking - keshavbaweja-git/guides GitHub Wiki

Virtual Private Gateway (VGW)

  • Managed VPN gateway endpoint for VPC

  • Only one VGW can be attached to a VPC

  • VGW supports both static routing and dynamic routing using Border Gateway Protocol (BGP)

  • For BGP, you can assign an ASN from private range, if not AWS automatically assigns one. The ASN number can't be changed once assigned.

  • VGW supports AES-256 for encryption and SHA-2 for data integrity

  • VGW supports VPN termination behind NAT device on customer side

  • UDP port 4500 must be opened on customer side NAT device for NAT traversal

  • In case of Dynamic Routing, new routes are automatically propagated to route tables on AWS side

  • AWS routes table can't have more than 100 propagated routes. A remediation approach is to consolidate network ranges into larger CIDR ranges on customer side.

  • From customer side, VPN connection over VGW can't be used to access

    • Internet via IGW or NAT Gateway
    • Peered VPC
    • VPC Gateway Endpoint (S3 and DynamoDB)

  • From customer side, VPN connection over VGW can be used to access

    • Internet via IGW and NAT Instance
    • VPC Interface Endpoint

  • From AWS side, VPN connection over VGW and Customer Gateway can be used to access

    • Internet
    • Other network endpoints

  • Static Routing - Active/Active Tunnels

    • It can result in Asymmetric routing for return traffic from AWS VPC. Asymmetric routing must be enabled on CGW + FW for asymmetric traffic routing
    • For traffic originating from VPC, any tunnel can be chosen randomly. Asymmetric routing must be enabled on customer side

  • Static Routing - Active/Passive Tunnels

    • Asymmetric Routing is not a concern
    • Tunnel monitoring and activation is required

  • Dynamic Routing - Active/Active Tunnels

    • Dynamic Routing and BGP can influence VGW behavior to route return traffic a particular tunnel to avoid asymmetric routing
    • ASPATH lengths

  • Single Site-to-Site VPN

    • VGW + Customer Gateway + Two Tunnels
    • Transit Gateway (TGW) + Customer Gateway + Two Tunnels

  • Multiple Site-to-Site VPN connections to customer sites

    • VGW + Multiple Customer Gateways + Two Tunnels/Customer Gateway
    • Only one VGW is allowed/VPC
    • VGW aggregate bandwidth 1.25 Gbps is shared
    • Transit Gateway does not have this limitation

  • Multiple Customer Gateways in a single location to provide HA

  • VGW can also be used as Cloud Hub to provide connectivity between customer sites. Use VPG in detached mode, i.e. not attached to any VPC. Customer sites must not have overlapping CIDR ranges. It is also possible to use VGW in attached mode with this configuration.