Virtual Private Networks Flashcards
Site-to-Site VPN
Two networks can securely communicate over an untrusted intermediary network (such as the internet)
Need endpoints at each site
Used to reach resources within the VPC
Virtual Private Gateway (VGW)
Managed endpoint in your VPC
VPN and Direct Connect
VPC can only have one VGW attached to it
Can be detached and attached to another VPC
Define ASN for BGP (ASN cannot be changed)
Can terminate a VPN connection on it (IPsec only, ESP mode)
VGW Redundancy and Availability
When created -> 2 highly available endpoints, each in a different Availability Zone
Each endpoint has an IP
Endpoints can be set up as Active/Active (noted as a single VPN connection)
VPN Tunnels
Each tunnel contains an Internet Key Exchange (IKE) Security Association (SA) and a BGP peering
1 unique SA per tunnel (1 inbound, 1 outbound)
2 unique SA pairs for each tunnel (2 tunnels - 4 pairs)
Policy-based VPN
Policy-based VPNs that are configured with more than one security association will drop existing VPN tunnel connections when initiating a VPN tunnel connection that uses a different SA.
Can overcome this problem by:
1) Limit the number of encryption domains that are allowed to the VPC
2) Configure the policy to allow any network behind the VPN termination endpoint.
VGW routing
Supports both static and BGP dynamic routes
VGW will use BGP route advertisement
Can have up to 100 BGP propagated routes per VPC subnet route table
Within the VPC, enable VGW route propagation
BGP configuration cannot be modified. It is fully managed by AWS
2 tunnels per VPN connection; can use multiple VPN connections for HA
Tunnels should be active/passive
NAT Traversal (NAT-T) support
Traditionally, the IPsec protocol does not work very well when traversing a NAT device. Due to the encrypted nature of the ESP header, NAT translations fail.
NAT-T solves this problem by encapsulating the packet in a User Datagram Protocol (UDP) header using port 4500
VPN endpoints must use NAT-T