AWS SCS-C01
Domain 3 - Infrastructure Security

Site-to-Site VPN

  • By default, instances that you launch into a VPC can't communicate with your own (remote) network.

  • You can enable access to your remote network from your VPC by creating a Site-to-Site VPN connection and configuring routing to pass traffic through the connection.

  • A Site-to-Site VPN connection provides two VPN tunnels:

    • Each tunnel runs between a virtual private gateway or a transit gateway on the AWS side and a customer gateway (which represents your VPN device) on the remote (on-premises) side.

  • Virtual private gateway:

    • A VPN concentrator on the Amazon side of the Site-to-Site VPN connection.

  • Transit gateway:

    • A transit hub that you can use to interconnect your VPC and on-premises networks.

  • Customer gateway device:

    • A physical device or software application on your side of the Site-to-Site VPN connection.

  • If you have a Site-to-Site VPN where your on-premises servers can reach your VPC but your VPC can't reach your on-premises servers, the usual cause is VPC routing: the route table of the subnet the instance sits in needs a route for the on-premises CIDR that targets the virtual private gateway, added either manually or by enabling route propagation from the virtual private gateway. Also confirm that the customer gateway device and on-premises firewall accept connections initiated from the VPC CIDR, not only connections they initiate themselves.

Two tunnels per VPN connection

  • A Site-to-Site VPN connection has two tunnels to provide increased availability to your VPC.

  • If there's a device failure within AWS, your VPN connection automatically fails over to the second tunnel so that your access isn't interrupted, provided your customer gateway device has been configured to use both tunnels. A device configured with only one tunnel loses connectivity during that tunnel's outage.

  • Each tunnel supports a maximum throughput of up to 1.25 Gbps.

  • From time to time, AWS also performs routine maintenance on your VPN connection, which may briefly disable one of the two tunnels of your VPN connection.

Set up a Site-to-Site VPN connection

  1. Create a customer gateway - A customer gateway provides information to AWS about your customer gateway device or software application.

  2. Create a target gateway - The target gateway can be a virtual private gateway or a transit gateway.

  3. Configure routing - You must configure your route table to include the routes used by your Site-to-Site VPN connection and point them to your virtual private gateway or transit gateway. For a virtual private gateway you can enable route propagation on the subnet route table instead of adding the routes by hand.

  4. Update your security group - To allow access to instances in your VPC from your network, you must update your security group rules to enable inbound SSH, RDP, and ICMP access. Scope those rules to your on-premises CIDR range rather than 0.0.0.0/0; the VPN does not change what the security group permits.

  5. Create a Site-to-Site VPN connection.

  6. Download the configuration file - Download the configuration information and use it to configure the customer gateway device or software application.

  7. Configure the customer gateway device - Use the configuration file to configure your customer gateway device. The customer gateway device is the physical or software appliance on your side of the Site-to-Site VPN connection.
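As an added example that is not part of the original page, the seven steps above expressed as Terraform for the AWS provider, with the routing and security-group points from this page wired in. It assumes an existing VPC and private subnet route table referenced as aws_vpc.main and aws_route_table.private, and uses placeholder values for the on-premises CIDR (10.10.0.0/16), the customer gateway's public address (203.0.113.10, a documentation range) and its BGP ASN (65000); all of these are illustrative and must be replaced with your own.

```hcl
# Added example, not the page's own configuration. Assumed to exist elsewhere:
# aws_vpc.main and aws_route_table.private. 10.10.0.0/16, 203.0.113.10 and
# ASN 65000 are placeholders.

variable "onprem_cidr" {
  default = "10.10.0.0/16"
}

# Step 1: customer gateway - tells AWS the public IP and BGP ASN of your device.
resource "aws_customer_gateway" "onprem" {
  bgp_asn    = 65000
  ip_address = "203.0.113.10"
  type       = "ipsec.1"
  tags       = { Name = "onprem-cgw" }
}

# Step 2: target gateway - a virtual private gateway attached to the VPC.
resource "aws_vpn_gateway" "vgw" {
  vpc_id = aws_vpc.main.id
  tags   = { Name = "main-vgw" }
}

# Step 3: routing - propagate routes learned from the VGW into the private
# route table. Without this (or an explicit route var.onprem_cidr -> vgw),
# VPC-initiated traffic to on-premises never reaches the tunnels.
resource "aws_vpn_gateway_route_propagation" "private" {
  vpn_gateway_id = aws_vpn_gateway.vgw.id
  route_table_id = aws_route_table.private.id
}

# Step 4: security group - SSH, RDP and ICMP echo only from the on-premises
# CIDR, never from 0.0.0.0/0.
resource "aws_security_group" "from_onprem" {
  name        = "from-onprem"
  description = "Admin access from on-premises over the Site-to-Site VPN"
  vpc_id      = aws_vpc.main.id

  ingress {
    description = "SSH from on-premises"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.onprem_cidr]
  }
  ingress {
    description = "RDP from on-premises"
    from_port   = 3389
    to_port     = 3389
    protocol    = "tcp"
    cidr_blocks = [var.onprem_cidr]
  }
  ingress {
    description = "ICMP echo request (type 8, code 0) from on-premises"
    from_port   = 8
    to_port     = 0
    protocol    = "icmp"
    cidr_blocks = [var.onprem_cidr]
  }
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Step 5: the Site-to-Site VPN connection (two tunnels, BGP routing).
# The tunnel options pin both tunnels to IKEv2 with AES-256-GCM, SHA-2 and
# DH groups 14+; the AWS defaults also accept IKEv1, SHA-1 and DH group 2.
resource "aws_vpn_connection" "main" {
  vpn_gateway_id      = aws_vpn_gateway.vgw.id
  customer_gateway_id = aws_customer_gateway.onprem.id
  type                = "ipsec.1"
  static_routes_only  = false

  tunnel1_ike_versions                 = ["ikev2"]
  tunnel1_phase1_encryption_algorithms = ["AES256-GCM-16"]
  tunnel1_phase1_integrity_algorithms  = ["SHA2-384"]
  tunnel1_phase1_dh_group_numbers      = [14, 19, 20, 21]
  tunnel1_phase2_encryption_algorithms = ["AES256-GCM-16"]
  tunnel1_phase2_integrity_algorithms  = ["SHA2-384"]
  tunnel1_phase2_dh_group_numbers      = [14, 19, 20, 21]

  tunnel2_ike_versions                 = ["ikev2"]
  tunnel2_phase1_encryption_algorithms = ["AES256-GCM-16"]
  tunnel2_phase1_integrity_algorithms  = ["SHA2-384"]
  tunnel2_phase1_dh_group_numbers      = [14, 19, 20, 21]
  tunnel2_phase2_encryption_algorithms = ["AES256-GCM-16"]
  tunnel2_phase2_integrity_algorithms  = ["SHA2-384"]
  tunnel2_phase2_dh_group_numbers      = [14, 19, 20, 21]
}

# Step 6: the configuration to load onto the customer gateway device. It
# contains the tunnel pre-shared keys, so it is marked sensitive. Step 7 is
# applying it on the device for BOTH tunnels, otherwise failover cannot work.
output "customer_gateway_configuration" {
  value     = aws_vpn_connection.main.customer_gateway_configuration
  sensitive = true
}
```

Because static_routes_only is false, the customer gateway device must speak BGP over both tunnels; for a device without BGP, set static_routes_only = true and add one aws_vpn_connection_route per on-premises CIDR, which the virtual private gateway still propagates into the route table. After terraform apply, read the configuration with terraform output -raw customer_gateway_configuration and verify with aws ec2 describe-vpn-connections that both tunnels report a status of UP before relying on failover.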


Last updated 4 years ago
