Amazon Virtual Private Cloud (VPC) | Connectivity Flashcards

1
Q

Do your prices include taxes?

Connectivity

Amazon Virtual Private Cloud (VPC) | Networking & Content Delivery

A

Except as otherwise noted, our prices are exclusive of applicable taxes and duties, including VAT and applicable sales tax. For customers with a Japanese billing address, use of AWS services is subject to Japanese Consumption Tax. Learn more.

2
Q

What are the connectivity options for my VPC?

A

You may connect your VPC to:

The Internet (via an Internet gateway)

Your corporate data center using a Hardware VPN connection (via the virtual private gateway)

Both the Internet and your corporate data center (utilizing both an Internet gateway and a virtual private gateway)

Other AWS services (via Internet gateway, NAT, virtual private gateway, or VPC endpoints)

Other VPCs (via VPC peering connections)

3
Q

How do I connect my VPC to the Internet?

A

Amazon VPC supports the creation of an Internet gateway. This gateway enables Amazon EC2 instances in the VPC to directly access the Internet.

4
Q

Are there any bandwidth limitations for Internet gateways? Do I need to be concerned about its availability? Can it be a single point of failure?

A

No. An Internet gateway is horizontally-scaled, redundant, and highly available. It imposes no bandwidth constraints.

5
Q

How do instances in a VPC access the Internet?

A

You can use public IP addresses, including Elastic IP addresses (EIPs), to give instances in the VPC the ability to both directly communicate outbound to the Internet and to receive unsolicited inbound traffic from the Internet (e.g., web servers). You can also use the solutions in the next question.

6
Q

How do instances without public IP addresses access the Internet?

A

Instances without public IP addresses can access the Internet in one of two ways:

Instances without public IP addresses can route their traffic through a NAT gateway or a NAT instance to access the Internet. These instances use the public IP address of the NAT gateway or NAT instance to traverse the Internet. The NAT gateway or NAT instance allows outbound communication but doesn’t allow machines on the Internet to initiate a connection to the privately addressed instances.

For VPCs with a hardware VPN connection or Direct Connect connection, instances can route their Internet traffic down the virtual private gateway to your existing datacenter. From there, it can access the Internet via your existing egress points and network security/monitoring devices.

7
Q

Can I connect to my VPC using a software VPN?

A

Yes. You may use a third-party software VPN to create a site-to-site or remote-access VPN connection with your VPC via the Internet gateway.

8
Q

How does a hardware VPN connection work with Amazon VPC?

A

A hardware VPN connection connects your VPC to your datacenter. Amazon supports Internet Protocol security (IPsec) VPN connections. Data transferred between your VPC and datacenter routes over an encrypted VPN connection to help maintain the confidentiality and integrity of data in transit. An Internet gateway is not required to establish a hardware VPN connection.

9
Q

What is IPsec?

A

IPsec is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream.

10
Q

Which customer gateway devices can I use to connect to Amazon VPC?

A

There are two types of VPN connections that you can create: statically-routed VPN connections and dynamically-routed VPN connections. Customer gateway devices supporting statically-routed VPN connections must be able to:

Establish IKE Security Association using Pre-Shared Keys

Establish IPsec Security Associations in Tunnel mode

Utilize the AES 128-bit or 256-bit encryption function

Utilize the SHA-1 or SHA-2 (256) hashing function

Utilize Diffie-Hellman (DH) Perfect Forward Secrecy in “Group 2” mode, or one of the additional DH groups we support

Perform packet fragmentation prior to encryption

In addition to the above capabilities, devices supporting dynamically-routed VPN connections must be able to:

Establish Border Gateway Protocol (BGP) peerings

Bind tunnels to logical interfaces (route-based VPN)

Utilize IPsec Dead Peer Detection

11
Q

Which Diffie-Hellman Groups do you support?

A

We support the following Diffie-Hellman (DH) groups in Phase 1 and Phase 2:

Phase 1 DH groups: 2, 14-18, 22, 23, 24

Phase 2 DH groups: 2, 5, 14-18, 22, 23, 24

12
Q

What customer gateway devices are known to work with Amazon VPC?

A

The following devices meeting the aforementioned requirements are known to work with hardware VPN connections, and have support in the command line tools for automatic generation of configuration files appropriate for your device:

Statically-routed VPN connections:

Cisco ASA 5500 Series version 8.2 (or later) software

Cisco ISR running Cisco IOS 12.4 (or later) software

Cisco Meraki MX Series iOS 9.0 (or later) software

Check Point Security Gateway running R77.10 (or later) software

Dell SonicWALL Next Generation Firewalls (TZ, NSA, SuperMassive Series) running SonicOS5.8 (or later)

F5 Big-IP v12.0.0 (or later) software

Fortinet Fortigate 40+ Series running FortiOS 4.0 (or later), or 5.0 (or later) software

H3C MSR800 running Version 5.20 software

IIJ SEIL/B1, SEIL/X1 and SEIL/X2 running 3.70 (or later) software

IIJ SEIL/x86 running 2.30 (or later) software

Juniper J-Series Service Router running JunOS 9.5 (or later) software

Juniper SRX-Series Services Gateway running JunOS 9.5 (or later) software

Juniper SSG running ScreenOS 6.1, or 6.2 (or later) software

Juniper ISG running ScreenOS 6.1, or 6.2 (or later) software

Microsoft Windows Server 2008 R2 or 2012 R2 software

Netgate pfSense running OS 2.2.5 (or later) software

Palo Alto Networks PANOS running 4.1.2 (or later), or 7.0 (or later) software

WatchGuard XTM, Firebox Fireware OS 11.11.4 software

Yamaha RTX Routers Rev.10.01.16 (or later) software

Zyxel Zywall Series running 4.20 (or later) software

Dynamically-routed VPN connections (requires BGP):

Barracuda NextGen Firewall F-Series running 6.2 (or later) software

Check Point Security Gateway running R77.10 (or later) software

Cisco ISR running Cisco IOS 12.4 (or later) software

Dell SonicWALL Next Generation Firewalls (TZ, NSA, SuperMassive Series) running SonicOS5.9 (or later)

F5 Big-IP v12.0.0 (or later) software

Fortinet Fortigate 40+ Series running FortiOS 4.0 (or later), or 5.0 (or later) software

H3C MSR800 running Version 5.20 software

IIJ SEIL/B1, SEIL/X1 and SEIL/X2 running 3.70 (or later) software

IIJ SEIL/x86 running 2.30 (or later) software

Juniper J-Series Service Router running JunOS 9.5 (or later) software

Juniper SRX-Series Services Gateway running JunOS 9.5 (or later) software

Juniper SSG running ScreenOS 6.1, or 6.2 (or later) software

Juniper ISG running ScreenOS 6.1, or 6.2 (or later) software

Palo Alto Networks PANOS running 4.1.2 (or later), or 7.0 (or later) software

Sophos Astaro Security Gateway Essential Firewall Edition V8.300 (or later) software

Vyatta Network OS 6.5 (or later) software

Yamaha RTX Routers Rev.10.01.16 (or later) software

Zyxel Zywall Series running 4.30 (or later) software

Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2. You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups.

13
Q

If my device is not listed, where can I go for more information about using it with Amazon VPC?

A

We recommend checking the Amazon VPC forum as other customers may be already using your device.

14
Q

What is the approximate maximum throughput of a VPN connection?

A

The VGW supports IPsec VPN throughput of up to 1.25 Gbps. Multiple VPN connections to the same VPC are cumulatively bound by the VGW throughput of 1.25 Gbps.

15
Q

What factors affect the throughput of my VPN connection?

A

VPN connection throughput can depend on multiple factors, such as the capability of your Customer Gateway (CGW), the capacity of your connection, average packet size, the protocol being used (TCP vs. UDP), and the network latency between your CGW and the Virtual Private Gateway (VGW).

16
Q

What tools are available to me to help troubleshoot my Hardware VPN configuration?

A

The DescribeVPNConnection API displays the status of the VPN connection, including the state ("up"/"down") of each VPN tunnel and the corresponding error messages if either tunnel is "down". This information is also displayed in the AWS Management Console.

17
Q

How do I connect a VPC to my corporate datacenter?

A

Establishing a hardware VPN connection between your existing network and Amazon VPC allows you to interact with Amazon EC2 instances within a VPC as if they were within your existing network. AWS does not perform network address translation (NAT) on Amazon EC2 instances within a VPC accessed via a hardware VPN connection.

18
Q

Can I NAT my CGW behind a router or firewall?

A

Yes, you will need to enable NAT-T and open UDP port 4500 on your NAT device.

19
Q

What IP address do I use for my CGW address?

A

You will use the public IP address of your NAT device.

20
Q

How do I disable NAT-T on my connection?

A

You will need to disable NAT-T on your device. If you don't plan on using NAT-T and it is not disabled on your device, we will attempt to establish a tunnel over UDP port 4500. If that port is not open, the tunnel will not establish.

21
Q

I would like to have multiple CGWs behind a NAT, what do I need to do to configure that?

A

You will use the public IP address of your NAT device for the CGW for each of your connections. You will also need to make sure UDP port 4500 is open.