Intro
Virtual Private Gateways (VGWs) are an AWS-managed VPN concentrator service that allows
non-AWS networks, and networks in other AWS accounts, to connect to a VPC via IPsec VPN or Direct Connect.
VGW Architecture
The following diagram shows a typical VGW architecture.
The following points describe the above diagram.
-
The VGW is deployed in the AWS public zone across 2x AZs for HA.
-
A customer gateway (CGW) device is deployed in the customer's network and
is configured to connect to the VGW public IP addresses via IPsec.
-
A customer gateway (CGW) object is created in AWS to represent the
CGW device in the customer's network (its public IP and, for BGP, its ASN).
-
For each VPN connection (one per CGW object) the VGW presents 2x public IP addresses,
one in each AZ; each is the endpoint of one of the connection's two IPsec tunnels.
-
A Direct Connect (DX) connection is connected to the VGW via a
private VIF.
-
The VGW has 2x private IP addresses, one in each AZ, which are used
for DX connections.
-
The VGW is attached to a VPC, and subnet traffic is directed
to the VGW via the subnet's route table, either as static routes or by
enabling route propagation from the VGW.
VGW Considerations
The following considerations apply to VGWs.
-
A VGW can be attached to a maximum of 1
VPC at a time.
-
If a VGW is detached from one VPC and attached to another, its VPN and DX
connections are maintained; only the VPC attachment changes.
-
An IPsec VPN tunnel has a maximum throughput of 1.25 Gbps.
-
Each VGW has a maximum total throughput of 1.25 Gbps; a VGW does not
support ECMP across tunnels, so adding tunnels does not raise this ceiling.
-
VGWs can use either static routing or dynamic routing via BGP; static
routing is the only option when the CGW device does not support BGP.
-
BGP on the AWS side uses a private Autonomous System Number (ASN); by default
the VGW is assigned 64512 (the 16-bit private range is 64512-65534).
-
VGWs can only connect to a DX connection (private VIF) in the same region;
reaching a VGW in another region requires a Direct Connect gateway.
VPN CloudHub
VPN CloudHub is a method of connecting multiple remote networks to a
Virtual Private Gateway (VGW) in a hub-and-spoke topology.
The following diagram shows a typical VPN CloudHub architecture.
The following points describe the above diagram.
-
The VGW acts as the hub.
-
Each on-premises network is a spoke.
-
Each spoke is connected to the VGW via an IPsec VPN connection.
-
The spokes communicate with each other via the hub; the VGW re-advertises
each site's prefixes to the other sites, so site prefixes must not overlap.
-
Each site is configured with a unique BGP ASN; CloudHub does not work
with static routing or with two sites sharing an ASN.
-
BGP is used to exchange routes between the VGW and the CGWs.
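As an added example (not part of the original notes), the following Python script encodes the VGW considerations and the CloudHub rules above as checks over a planned topology, so a design can be sanity-checked before any CGW objects or VPN connections are created. The site names, VPC ID, addresses and ASNs are constructed; the private ASN ranges are the ones AWS accepts for the Amazon-side ASN of a VGW, and the RFC 1918 check exists because the VGW must reach the CGW's outside address over the internet.

```python
"""Validate a planned VGW / VPN CloudHub topology against the constraints
in the notes above. Added example: all names, addresses and ASNs below are
constructed for illustration, not taken from a real account."""
from __future__ import annotations
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

# Ranges AWS accepts for the Amazon-side ASN of a VGW:
# 16-bit private ASNs and 32-bit private ASNs. 64512 is the default.
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))
DEFAULT_AMAZON_ASN = 64512
# RFC 1918 space cannot be a CGW outside address: the VGW must reach it over the internet.
RFC1918 = [IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private_asn(asn: int) -> bool:
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


@dataclass
class Spoke:
    name: str
    cgw_ip: str                 # public IP of the customer gateway device
    bgp_asn: Optional[int]      # None means static routing (no BGP, no CloudHub)


@dataclass
class DirectConnect:
    name: str
    region: str                 # region of the DX location / private VIF


@dataclass
class VgwPlan:
    region: str
    amazon_asn: int = DEFAULT_AMAZON_ASN
    vpc_ids: list[str] = field(default_factory=list)
    spokes: list[Spoke] = field(default_factory=list)
    dx: list[DirectConnect] = field(default_factory=list)


def validate(plan: VgwPlan) -> list[str]:
    """Return one message per violated constraint; an empty list means the plan is consistent."""
    problems: list[str] = []
    if len(plan.vpc_ids) > 1:
        problems.append(f"VGW attached to {len(plan.vpc_ids)} VPCs; a VGW attaches to at most 1")
    if not is_private_asn(plan.amazon_asn):
        problems.append(f"Amazon-side ASN {plan.amazon_asn} is outside the private ranges")
    asn_owner: dict[int, str] = {}
    for s in plan.spokes:
        try:
            addr = IPv4Address(s.cgw_ip)
        except ValueError:
            problems.append(f"{s.name}: CGW address {s.cgw_ip!r} is not an IPv4 address")
        else:
            if any(addr in net for net in RFC1918):
                problems.append(f"{s.name}: CGW address {s.cgw_ip} is RFC 1918, not reachable by the VGW")
        if s.bgp_asn is None:
            continue    # static routing: no ASN, and the site cannot take part in CloudHub
        if s.bgp_asn == plan.amazon_asn:
            problems.append(f"{s.name}: ASN {s.bgp_asn} is the VGW's own ASN")
        if s.bgp_asn in asn_owner:
            # CloudHub needs a unique ASN per site so the hub can re-advertise each site's routes
            problems.append(f"{s.name}: ASN {s.bgp_asn} is already used by {asn_owner[s.bgp_asn]}")
        asn_owner.setdefault(s.bgp_asn, s.name)
    for d in plan.dx:
        if d.region != plan.region:
            problems.append(f"{d.name}: DX in {d.region} but the VGW is in {plan.region}")
    return problems


def tunnel_count(plan: VgwPlan) -> int:
    """Every Site-to-Site VPN connection gets two IPsec tunnels, one per VGW endpoint AZ."""
    return 2 * len(plan.spokes)


def example_plan() -> VgwPlan:
    """Constructed plan that trips three checks: duplicate ASN, RFC 1918 CGW address, cross-region DX."""
    return VgwPlan(
        region="eu-west-1",
        vpc_ids=["vpc-0123456789abcdef0"],
        spokes=[
            Spoke("site-a", "203.0.113.10", 65001),
            Spoke("site-b", "198.51.100.20", 65002),
            Spoke("site-c", "192.0.2.30", 65001),      # duplicate of site-a's ASN
            Spoke("site-d", "10.1.2.3", None),          # static routing, but a private address
        ],
        dx=[DirectConnect("dx-dub", "eu-west-1"), DirectConnect("dx-iad", "us-east-1")],
    )


if __name__ == "__main__":
    for p in validate(example_plan()):
        print("PROBLEM:", p)
```

Running the script as-is prints the three problems in the constructed plan; fixing site-c's ASN, giving site-d a public address and dropping the cross-region DX yields an empty list. The static-routing spoke is skipped for the ASN checks deliberately: it still gets its two tunnels, but it cannot participate in CloudHub because no routes are exchanged over BGP.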