Site-to-Site VPN
By default, instances that you launch into a VPC can't communicate with your own (remote) network.
You can enable access to your remote network from your VPC by creating a Site-to-Site VPN connection and configuring routing to pass traffic through the connection.
A Site-to-Site VPN connection provides two VPN tunnels between a virtual private gateway or a transit gateway on the AWS side and a customer gateway (which represents a VPN device) on the remote (on-premises) side.
Virtual private gateway:
A VPN concentrator on the Amazon side of the Site-to-Site VPN connection.
Transit gateway:
A transit hub that you can use to interconnect your VPC and on-premises networks.
Customer gateway device:
A physical device or software application on your side of the Site-to-Site VPN connection.
If you have a Site-to-Site VPN where your on-premises servers can reach your VPC but your VPC can't reach your on-premises servers, the likely cause is that your VPC route tables are configured incorrectly.
Two tunnels per VPN connection
A Site-to-Site VPN connection has two tunnels to provide increased availability to your VPC.
If there's a device failure within AWS, your VPN connection automatically fails over to the second tunnel so that your access isn't interrupted.
Each tunnel supports a throughput of up to 1.25 Gbps.
From time to time, AWS also performs routine maintenance on your VPN connection, which may briefly disable one of the two tunnels of your VPN connection.
Set up a Site-to-Site VPN connection
Create a customer gateway - A customer gateway provides information to AWS about your customer gateway device or software application.
Create a target gateway - The target gateway can be a virtual private gateway or a transit gateway.
Configure routing - You must configure your route table to include the routes used by your Site-to-Site VPN connection and point them to your virtual private gateway or transit gateway.
Update your security group - To allow access to instances in your VPC from your network, you must update your security group rules to enable inbound SSH, RDP, and ICMP access.
Create a Site-to-Site VPN connection.
Download the configuration file - Download the configuration information and use it to configure the customer gateway device or software application.
Configure the customer gateway device - Use the configuration file to configure your customer gateway device. The customer gateway device is the physical or software appliance on your side of the Site-to-Site VPN connection.
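The "Configure routing" and "Update your security group" steps above, together with the route-table misconfiguration described earlier, are the two things to verify when the VPC cannot reach the on-premises network. The script below is an added example (not AWS code): it checks that each route table has an active route sending the on-premises CIDR to the virtual private gateway or transit gateway, and that each security group admits inbound SSH, RDP and ICMP from that CIDR. The resource IDs, CIDRs, route tables and security groups are constructed placeholders shaped like the JSON that `aws ec2 describe-route-tables` and `aws ec2 describe-security-groups` return; in practice you would feed it the real output of those commands.

```python
"""Diagnose a one-way Site-to-Site VPN (on-prem -> VPC works, VPC -> on-prem doesn't).

Added example, not AWS documentation code. All IDs and CIDRs below are
constructed placeholders in the shape of describe-route-tables and
describe-security-groups output.
"""
import ipaddress

# Constructed sample: the on-premises network behind the customer gateway.
ON_PREM_CIDR = "10.10.0.0/16"
# Constructed placeholder ID for the virtual private gateway (target gateway).
VGW_ID = "vgw-0example0000000001"

# Constructed route tables in describe-route-tables shape.
ROUTE_TABLES = [
    {   # Correct: static route for the on-prem CIDR that targets the VGW.
        "RouteTableId": "rtb-0example0000000aaa",
        "Routes": [
            {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"},
            {"DestinationCidrBlock": "10.10.0.0/16", "GatewayId": VGW_ID, "State": "active"},
        ],
        "PropagatingVgws": [],
    },
    {   # Misconfigured: only the local route, and no route propagation from the VGW.
        "RouteTableId": "rtb-0example0000000bbb",
        "Routes": [
            {"DestinationCidrBlock": "172.31.0.0/16", "GatewayId": "local", "State": "active"},
        ],
        "PropagatingVgws": [],
    },
]

# Constructed security groups in describe-security-groups shape.
SECURITY_GROUPS = [
    {   # Allows SSH and ICMP from on-prem, but not RDP.
        "GroupId": "sg-0example0000000001",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.10.0.0/16"}]},
            {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
             "IpRanges": [{"CidrIp": "10.10.0.0/16"}]},
        ],
    },
    {   # Allows SSH from anywhere (which covers on-prem) but neither RDP nor ICMP.
        "GroupId": "sg-0example0000000002",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    },
]

# Inbound access the setup step says the security group must allow: (protocol, port).
# None means "any port/type" (ICMP has no ports).
REQUIRED_INBOUND = (("tcp", 22), ("tcp", 3389), ("icmp", None))


def _covers(cidr, target):
    """True if the network `cidr` contains the whole of `target` (equal counts)."""
    return ipaddress.ip_network(cidr).supernet_of(ipaddress.ip_network(target))


def find_remote_route(route_table, remote_cidr, gateway_id):
    """Return the active route that sends remote_cidr to gateway_id, or None."""
    for route in route_table["Routes"]:
        dest = route.get("DestinationCidrBlock")  # IPv6-only routes are skipped
        target = route.get("GatewayId") or route.get("TransitGatewayId")
        if dest is None or target != gateway_id or route.get("State") != "active":
            continue
        if _covers(dest, remote_cidr):
            return route
    return None


def sg_allows_inbound(sg, remote_cidr, proto, port):
    """True if some inbound rule admits `proto`/`port` from a range covering remote_cidr.

    ICMP type/code filtering is not modelled: any ICMP rule is accepted.
    """
    for perm in sg["IpPermissions"]:
        ip_proto = perm["IpProtocol"]
        if ip_proto not in (proto, "-1"):  # "-1" is "all protocols"
            continue
        if ip_proto != "-1" and port is not None:
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            if not lo <= port <= hi:
                continue
        if any(_covers(r["CidrIp"], remote_cidr) for r in perm.get("IpRanges", [])):
            return True
    return False


def diagnose(route_tables, security_groups, remote_cidr, gateway_id):
    """Return a list of human-readable findings; an empty list means both checks pass."""
    findings = []
    for rt in route_tables:
        if find_remote_route(rt, remote_cidr, gateway_id) is None:
            propagating = any(p.get("GatewayId") == gateway_id
                              for p in rt.get("PropagatingVgws", []))
            hint = ("propagation is enabled, so check what the customer gateway advertises"
                    if propagating else "add a static route or enable route propagation")
            findings.append(f"{rt['RouteTableId']}: no active route for {remote_cidr} "
                            f"via {gateway_id} ({hint})")
    for sg in security_groups:
        for proto, port in REQUIRED_INBOUND:
            if not sg_allows_inbound(sg, remote_cidr, proto, port):
                what = proto if port is None else f"{proto}/{port}"
                findings.append(f"{sg['GroupId']}: inbound {what} from {remote_cidr} not allowed")
    return findings


if __name__ == "__main__":
    for line in diagnose(ROUTE_TABLES, SECURITY_GROUPS, ON_PREM_CIDR, VGW_ID):
        print(line)
```

With the constructed data the script reports the second route table (no route to the on-premises CIDR) and the missing RDP and ICMP rules; the first route table and the SSH rules pass. For a transit gateway target, pass the `tgw-` ID instead of the `vgw-` ID: the route lookup accepts either `GatewayId` or `TransitGatewayId`.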