Cloud Notes: AWS VGW

published: 28th of December 2023

Intro

Virtual Private Gateways (VGWs) are an AWS manged VPN concentrator service which allow non-AWS and other AWS account networks to connect to a VPC via IPSEC VPN or Direct Connect.

VGW Architecture

The following diagram shows a typical VGW architecture.

blog/cloud-notes-aws-vgw/aws-virtual-private-gateway.png

The following points describe the above diagram.

The VGW is deployed in the AWS public zone across 2x AZs for HA.
A customer gateway (CGW) is deployed in the customers network and is configured to connect with the VGW public IP addresses via IPSEC.
A customer gateway (CGW) object is created in AWS to represent the CGW in the customers network.
For each CGW object, the VGW has 2x public IP addresses, one in each AZ which are used for VPN connections.
A direct connect (DX) is configured to connect to the VGW via private VIFs.
The VGW has 2x private IP addresses, one in each AZ which are used for DX connections.
The VGW is attaced to a VPC, subnet routing is directed to the VGW via the subnets route-table.

VGW Considerations

The following considerations apply to VGWs.

A VGW can be attached to a maximum of 1 VPC at a time.
If a VGW is migrated from one VPC to another, the connections are maintained.
IPSEC VPN has a maximum throughput of 1.25Gbps.
Each VGW has a a maximum total throughput of 1.25Gbps
VGWs can use either static routing or Dynamic routing via BGP.
BGP uses a Private Autonomous System Number (ASN) and by default is assigned 64512.
VGWs can only connect to a DX connection in the same region.

VPN CloudHub

VPN Cloud Hub is a method of connecting multiple remote networks to a Virtual Private Gateway (VGW) in a hub and spoke topology.

The following diagram shows a typical VPN CloudHub architecture.

blog/cloud-notes-aws-vgw/aws-vpn-cloudhub.png