Intro

Virtual Private Gateways (VGWs) are an AWS managed VPN concentrator service that allows networks outside AWS, or in other AWS accounts, to connect to a VPC via IPsec VPN or Direct Connect.

VGW Architecture

The following diagram shows a typical VGW architecture.

[Diagram: blog/cloud-notes-aws-vgw/aws-virtual-private-gateway.png]

The following points describe the above diagram.

  • The VGW is deployed in the AWS public zone across 2x AZs for HA.
  • A customer gateway (CGW) is deployed in the customer's network and is configured to connect to the VGW public IP addresses via IPsec.
  • A customer gateway (CGW) object is created in AWS to represent the CGW in the customer's network.
  • For each CGW object, the VGW has 2x public IP addresses, one in each AZ, which are used for VPN connections.
  • A Direct Connect (DX) connection is configured to connect to the VGW via private VIFs.
  • The VGW has 2x private IP addresses, one in each AZ, which are used for DX connections.
  • The VGW is attached to a VPC; subnet traffic is directed to the VGW via the subnet's route table.

VGW Considerations

The following considerations apply to VGWs.

  • A VGW can be attached to a maximum of one VPC at a time.
  • If a VGW is migrated from one VPC to another, its connections are maintained.
  • An IPsec VPN has a maximum throughput of 1.25 Gbps.
  • Each VGW has a maximum total throughput of 1.25 Gbps.
  • VGWs can use either static routing or dynamic routing via BGP.
  • BGP uses a private Autonomous System Number (ASN); the VGW is assigned 64512 by default.
  • VGWs can only connect to a DX connection in the same region.

VPN CloudHub

VPN CloudHub is a method of connecting multiple remote networks to a Virtual Private Gateway (VGW) in a hub-and-spoke topology.

The following diagram shows a typical VPN CloudHub architecture.

[Diagram: blog/cloud-notes-aws-vgw/aws-vpn-cloudhub.png]

The following points describe the above diagram.

  • The VGW acts as the hub.
  • Each on-premises network is a spoke.
  • Each spoke is connected to the VGW via IPsec VPN.
  • The spokes communicate with each other via the hub.
  • Each site is configured with a unique BGP ASN.
  • BGP is used to exchange routes between the VGW and the CGWs.
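The VGW considerations and the CloudHub ASN rule above can be checked before anything is built. The following is an added example, not code from the original notes: it models a planned VGW design (the `Spoke`, `VgwDesign` and `check_design` names are this example's own) and flags the single-VPC attachment limit, non-private or duplicate spoke ASNs, a DX connection in another region, and an expected aggregate throughput over the 1.25 Gbps VGW limit. The private ASN range and the eBGP ASN-collision rule are assumptions, marked in the code.

```python
from dataclasses import dataclass, field

PRIVATE_ASN_RANGE = (64512, 65534)  # assumption: 16-bit private ASNs only
DEFAULT_VGW_ASN = 64512             # VGW default ASN from the notes
VGW_MAX_GBPS = 1.25                 # VGW total throughput limit from the notes

@dataclass
class Spoke:
    name: str
    asn: int              # BGP ASN configured on this site's customer gateway
    expected_gbps: float  # traffic this spoke is expected to push through the VGW

@dataclass
class VgwDesign:
    region: str
    vgw_asn: int = DEFAULT_VGW_ASN
    attached_vpcs: list = field(default_factory=list)
    spokes: list = field(default_factory=list)
    dx_regions: list = field(default_factory=list)  # region of each DX connection's private VIF

def check_design(d: VgwDesign) -> list:
    """Return human-readable findings; an empty list means the design honours the notes."""
    findings = []
    if len(d.attached_vpcs) > 1:
        findings.append(f"VGW attached to {len(d.attached_vpcs)} VPCs; a VGW attaches to at most 1")
    seen, (lo, hi) = {}, PRIVATE_ASN_RANGE
    for s in d.spokes:
        if not lo <= s.asn <= hi:
            findings.append(f"{s.name}: ASN {s.asn} is outside the private range {lo}-{hi}")
        if s.asn == d.vgw_asn:  # assumption: eBGP peering, so CGW and VGW ASNs must differ
            findings.append(f"{s.name}: ASN {s.asn} collides with the VGW ASN")
        elif s.asn in seen:
            findings.append(f"{s.name}: ASN {s.asn} already used by {seen[s.asn]}; CloudHub needs unique ASNs")
        seen.setdefault(s.asn, s.name)
    for r in d.dx_regions:
        if r != d.region:
            findings.append(f"DX connection in {r} cannot attach to a VGW in {d.region}")
    total = sum(s.expected_gbps for s in d.spokes)
    if total > VGW_MAX_GBPS:
        findings.append(f"expected aggregate {total:.2f} Gbps exceeds the VGW limit of {VGW_MAX_GBPS} Gbps")
    return findings

# Constructed sample: a CloudHub plan that breaks several of the rules above.
SAMPLE = VgwDesign(
    region="eu-west-1",
    attached_vpcs=["vpc-0aaa", "vpc-0bbb"],
    spokes=[Spoke("london", 65001, 0.5), Spoke("paris", 65001, 0.5), Spoke("berlin", 64512, 0.5)],
    dx_regions=["us-east-1"],
)
```

Running `check_design(SAMPLE)` returns five findings for the constructed plan; a plan with one VPC, distinct private ASNs, a same-region DX and under 1.25 Gbps aggregate returns an empty list.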