Site-to-Site VPN

  • By default, instances that you launch into a VPC can't communicate with your own (remote) network.

  • You can enable access to your remote network from your VPC by creating a Site-to-Site VPN connection and configuring routing to pass traffic through the connection.

  • A Site-to-Site VPN connection provides two VPN tunnels, each of which runs:

    • Between a virtual private gateway or a transit gateway on the AWS side, and a customer gateway (which represents your VPN device) on the remote (on-premises) side.

  • Virtual private gateway:

    • A VPN concentrator on the Amazon side of the Site-to-Site VPN connection.

  • Transit gateway:

    • A transit hub that you can use to interconnect your VPC and on-premises networks.

  • Customer gateway device:

    • A physical device or software application on your side of the Site-to-Site VPN connection.

  • If you have a Site-to-Site VPN where your on-premises servers can reach your VPC but your VPC can't reach your on-premises servers, the likely cause is a misconfigured VPC route table (no route for the on-premises network that points at the virtual private gateway or transit gateway).

Two tunnels per VPN connection

  • A Site-to-Site VPN connection has two tunnels to provide increased availability to your VPC.

  • If there's a device failure within AWS, your VPN connection automatically fails over to the second tunnel so that your access isn't interrupted.

  • Each tunnel supports a maximum throughput of up to 1.25 Gbps.

  • From time to time, AWS also performs routine maintenance on your VPN connection, which may briefly disable one of the two tunnels of your VPN connection.

Set up a Site-to-Site VPN connection

  1. Create a customer gateway - A customer gateway provides information to AWS about your customer gateway device or software application.

  2. Create a target gateway - The target gateway can be a virtual private gateway or a transit gateway.

  3. Configure routing - You must configure your route table to include the routes used by your Site-to-Site VPN connection and point them to your virtual private gateway or transit gateway.

  4. Update your security group - To allow access to instances in your VPC from your network, you must update your security group rules to enable inbound SSH, RDP, and ICMP access.

  5. Create a Site-to-Site VPN connection.

  6. Download the configuration file - Download the configuration information and use it to configure the customer gateway device or software application.

  7. Configure the customer gateway device - Use the configuration file to configure your customer gateway device. The customer gateway device is the physical or software appliance on your side of the Site-to-Site VPN connection.
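As an added example (not part of the original notes), the Python check below covers step 3, step 4 and the asymmetric-routing troubleshooting note above: it runs a longest-prefix match over a route table to confirm that VPC traffic for the on-premises network is sent to the VPN gateway, and flags inbound security group rules whose source is broader than the remote network. The route table, security group, IDs and CIDRs are constructed sample data in the shape of AWS CLI describe output, not real account data.

```python
import ipaddress

# Constructed sample data shaped like `aws ec2 describe-route-tables` and
# `describe-security-groups` output; IDs and CIDRs are placeholders, not real.
ON_PREM_CIDR = "192.168.10.0/24"      # remote network behind the customer gateway
VPN_GATEWAY_ID = "vgw-0123example"    # virtual private gateway (a tgw- ID works too)
ROUTE_TABLE = {"Routes": [
    {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
    {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0123example"},
]}
SECURITY_GROUP = {"IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "192.168.10.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},          # RDP open to the world
    {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
     "IpRanges": [{"CidrIp": "192.168.10.0/24"}]},
]}

def vpc_route_for(route_table, cidr):
    """Longest-prefix match: the route a VPC instance uses to reach `cidr`."""
    dest = ipaddress.ip_network(cidr)
    candidates = [r for r in route_table["Routes"]
                  if dest.subnet_of(ipaddress.ip_network(r["DestinationCidrBlock"]))]
    return max(candidates, default=None,
               key=lambda r: ipaddress.ip_network(r["DestinationCidrBlock"]).prefixlen)

def on_prem_reachable(route_table, on_prem_cidr, gateway_id):
    """True only if on-prem traffic is sent to the VPN gateway (step 3).

    False here while on-prem hosts can still reach the VPC is the asymmetric
    case from the notes: the tunnel is up, but the VPC route table never
    points the return path at the virtual private / transit gateway.
    """
    route = vpc_route_for(route_table, on_prem_cidr)
    return route is not None and route.get("GatewayId") == gateway_id

def rules_wider_than_on_prem(security_group, on_prem_cidr):
    """Inbound rules (step 4) whose source is broader than the remote network."""
    allowed = ipaddress.ip_network(on_prem_cidr)
    findings = []
    for perm in security_group["IpPermissions"]:
        for rng in perm["IpRanges"]:
            if not ipaddress.ip_network(rng["CidrIp"]).subnet_of(allowed):
                findings.append((perm["IpProtocol"], perm["FromPort"], rng["CidrIp"]))
    return findings

if __name__ == "__main__":
    print("VPC -> on-prem via VPN:", on_prem_reachable(ROUTE_TABLE, ON_PREM_CIDR, VPN_GATEWAY_ID))
    print("Over-broad inbound rules:", rules_wider_than_on_prem(SECURITY_GROUP, ON_PREM_CIDR))
```

With the sample data the routing check fails (on-prem traffic falls through to the internet gateway) and the RDP rule is reported; adding a 192.168.0.0/16 route to the vgw makes the routing check pass.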
