Connecting On-prem to AWS VPC using Site to Site VPN
Connecting on-premises infrastructure to the cloud has been a growing trend since the early 2000s, as businesses have begun to realize the benefits of cloud computing, such as scalability, agility, and cost savings. The early days of cloud connectivity were focused on simple point-to-point connections between on-premises networks and cloud providers. This was typically done using VPNs or dedicated circuits. However, as cloud computing has become more mainstream, the need for more sophisticated and flexible connectivity solutions has emerged. Today, there are a variety of different ways to connect on-premises infrastructure to the cloud. Some of the most common methods include:
Direct Connect: This involves establishing a dedicated physical connection between an on-premises network and a cloud provider's data center. Direct Connect offers the highest performance and reliability, but it can also be the most expensive option. Note that a Direct Connect link is a private circuit, not an encrypted one: traffic on it is sent in the clear unless you run an IPsec VPN over the link or enable MACsec on a supported dedicated connection.
VPN: A VPN (virtual private network) creates a secure tunnel over the public internet between an on-premises network and a cloud provider's network. VPNs are a relatively inexpensive and easy-to-implement solution, but they can offer lower performance than direct connect.
Cloud interconnect: Cloud interconnect services allow businesses to establish a secure and reliable connection between their on-premises networks and multiple cloud providers. This can be a good option for businesses that use multiple cloud providers or that need to have a high degree of control over their network connectivity.
Software-defined WAN (SD-WAN): SD-WAN is a technology that uses software to create a virtual WAN over the public internet. SD-WAN can be used to connect on-premises networks to cloud providers, as well as to connect multiple on-premises sites. SD-WAN offers several benefits, such as improved performance, increased reliability, and reduced costs.
If you are preparing for the new 300-440 ENCC v1.0 exam, note that domain 3.0 covers IPsec cloud connectivity. For most network engineers, or anyone who has worked with firewalls for some time, IPsec is not a new technology. The first IPsec RFCs (RFC 1825 through RFC 1829) were published in 1995; the architecture was revised in 1998 (RFC 2401) and again in 2005 (RFC 4301), which is still the key architecture document today. IPsec VPN features in firewalls and other security devices took off in the early to mid 2000s once the protocols had stabilized, and they continue to evolve. Let's cover the basic concepts and components of IPsec:
Encryption - IPsec encrypts the data packets sent over the network using symmetric algorithms. In practice this means AES today; DES is broken and 3DES is deprecated, and both should only appear on a legacy peer you cannot upgrade. An AEAD cipher such as AES-GCM provides encryption and integrity in a single operation and is the preferred choice where both sides support it.
Integrity - Keyed hash functions (HMAC-SHA-1, HMAC-SHA-256, and so on) produce an integrity check value that lets the receiver detect any modification of a packet and confirm it came from a peer that holds the key. Prefer the SHA-2 family for new tunnels.
Key Exchange - Internet Key Exchange (IKE) authenticates the two peers (with a pre-shared key or certificates) and negotiates the session keys. IKEv1 is still widely deployed; IKEv2 (RFC 7296) is simpler, more robust and should be used where the peer supports it.
Security Associations (SAs) - An SA is the agreement between two devices on the protocol, algorithms, keys and lifetimes used for one direction of traffic. SAs are unidirectional and identified by a Security Parameter Index (SPI), so a working tunnel always has a pair of them, one inbound and one outbound.
Security Protocols - The main IPsec security protocols are AH (Authentication Header) and ESP (Encapsulating Security Payload). AH provides integrity and authentication but no confidentiality, and because it authenticates the outer IP header it does not survive NAT. ESP provides encryption and optional (in practice, always enabled) authentication, and is what virtually every VPN deployment, AWS Site-to-Site VPN included, uses.
Modes - IPsec can operate in two modes: transport mode (only the payload of the IP packet is protected, used between hosts) and tunnel mode (the entire original IP packet is encrypted and authenticated inside a new outer packet, used between gateways).
Endpoints - IPsec typically connects two endpoints such as VPN gateways or firewalls. This forms an IPsec VPN tunnel between the devices.
Standards - IPsec is defined by a family of RFCs: RFC 4301 (architecture), RFC 4302 (AH), RFC 4303 (ESP) and RFC 7296 (IKEv2), plus algorithm-specific documents that specify the ciphers and integrity functions.
Implementation - IPsec support has to be implemented in OS kernels, routers, firewalls and so on to work. It was originally mandatory in every IPv6 node and is now a recommended (SHOULD) feature under RFC 6434, so "native IPv6 support" still depends on the implementation.
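The following is an added example (not code from the article or from AWS) that shows what the receiving side of an ESP tunnel does with each packet before it ever looks at the inner IP packet: look up the SA by SPI, verify the integrity check value, and apply the RFC 4303 anti-replay window. It uses HMAC-SHA-256-128 (RFC 4868) for the ICV and leaves payload encryption out so it runs with the standard library alone; the SPI, key and packets are constructed for the demonstration.

```python
"""Inbound ESP processing for one Security Association.

Added example: shows SA lookup by SPI, ICV verification with
HMAC-SHA-256-128, and the RFC 4303 anti-replay sliding window.
Payload encryption is deliberately omitted; an AES-GCM SA would
decrypt and authenticate in one step.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

ICV_LEN = 16  # HMAC-SHA-256-128: HMAC-SHA-256 truncated to 128 bits
ESP_HDR = struct.Struct("!II")  # SPI (32 bits) + sequence number (32 bits)


@dataclass
class SecurityAssociation:
    """Inbound SA: SPI, integrity key and anti-replay state."""
    spi: int
    auth_key: bytes
    window_size: int = 64
    highest_seq: int = 0   # highest sequence number accepted so far
    window: int = 0        # bit k set => sequence highest_seq - k already accepted


def build_esp(sa, seq, payload):
    """Sender side: ESP header + payload + ICV over header and payload."""
    header = ESP_HDR.pack(sa.spi, seq)
    icv = hmac.new(sa.auth_key, header + payload, hashlib.sha256).digest()[:ICV_LEN]
    return header + payload + icv


def process_inbound(sad, packet):
    """Receiver side. `sad` maps SPI -> SecurityAssociation.

    Returns (accepted, reason, payload). The replay window is updated only
    after the ICV has verified, so a forged packet cannot poison it.
    """
    if len(packet) < ESP_HDR.size + ICV_LEN:
        return False, "truncated", b""
    spi, seq = ESP_HDR.unpack_from(packet)
    sa = sad.get(spi)
    if sa is None:
        return False, "no SA for SPI", b""
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return False, "bad ICV", b""
    if seq == 0:
        return False, "sequence number 0 is never valid", b""
    if seq > sa.highest_seq:
        # Newest packet so far: slide the window forward and mark this one.
        shift = seq - sa.highest_seq
        sa.window = ((sa.window << shift) | 1) if shift < sa.window_size else 1
        sa.window &= (1 << sa.window_size) - 1
        sa.highest_seq = seq
    else:
        offset = sa.highest_seq - seq
        if offset >= sa.window_size:
            return False, "too old (outside replay window)", b""
        if (sa.window >> offset) & 1:
            return False, "replay", b""
        sa.window |= 1 << offset
    return True, "ok", body[ESP_HDR.size:]


def demo():
    """Run a short exchange on a constructed SA; returns one reason per packet."""
    sa = SecurityAssociation(spi=0x1001, auth_key=b"\x11" * 32, window_size=8)
    sad = {sa.spi: sa}
    first = build_esp(sa, 1, b"inner IP packet")
    return [
        process_inbound(sad, first)[1],                         # ok
        process_inbound(sad, first)[1],                         # replay
        process_inbound(sad, build_esp(sa, 5, b"x"))[1],        # ok, new highest
        process_inbound(sad, build_esp(sa, 3, b"x"))[1],        # ok, late but unseen
        process_inbound(sad, first[:8] + b"X" + first[9:])[1],  # bad ICV
    ]


if __name__ == "__main__":
    print(demo())
```

A production implementation does a cheap preliminary window check before computing the HMAC so obvious replays are dropped without cryptographic work, but the rule that matters for security is the one shown here: the window state changes only after the ICV verifies.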
There are a few options for connecting your on-premises infrastructure to AWS, as noted above. For a Site-to-Site VPN the on-premises end is called the customer gateway device: a physical or software appliance in your network that you configure to terminate the Site-to-Site VPN connection to an Amazon Virtual Private Cloud (VPC). Some key points about customer gateway devices:
They are owned and managed by you, the customer. AWS does not provide or manage them.
They are one endpoint of the VPN connection, the other being the virtual private gateway (or a transit gateway) on the AWS side.
Common examples include routers, firewalls and VPN concentrators from Cisco and other vendors.
The device must be configured with the parameters AWS generates when you create the VPN connection: the outside (public) IP addresses of the two AWS tunnel endpoints, the inside tunnel addresses (a /30 from 169.254.0.0/16 per tunnel), the pre-shared keys, the IKE and IPsec proposals and, for dynamic routing, the BGP ASNs of both sides.
Redundant customer gateway devices can be configured for high availability: a second device with its own VPN connection, so that each device has its own pair of tunnels.
Software VPN appliances (for example strongSwan, or a vendor's virtual appliance) can also be used if supported by your virtualization platform.
AWS provides configuration information for the customer gateway when setting up the Site-to-Site VPN connection in the VPC.
Traffic flowing from on-premises to VPC will pass through the customer gateway device over the VPN tunnels.
As the customer, you are responsible for making sure the customer gateway device is compatible with the AWS Site-to-Site VPN connection: IKEv1 or IKEv2, ESP in tunnel mode, NAT traversal if the device sits behind NAT, and a cipher suite AWS supports. The diagram shows a customer gateway device in your network connecting through two redundant VPN tunnels to the virtual private gateway on the AWS side.
This redundancy ensures continuity of access if there is a failure in one of the tunnels. AWS also performs periodic maintenance that may temporarily disable one tunnel, so having two tunnels prevents an interruption. When setting up your customer gateway, it is important to configure both tunnels for maximum availability. The customer gateway and the Amazon virtual private gateway together enable the Site-to-Site VPN connection between your on-premises network and the VPC.
One of the major advantages of using IPsec VPNs is the ability to run a dynamic routing protocol over the encrypted tunnels. Rather than relying on static routes, the VPN endpoints exchange routes automatically as they change. This provides automatic failover if a tunnel goes down, scalability as new endpoints are added, and the ability to implement traffic engineering and routing policy. BGP features such as route maps, prefix lists and the LOCAL_PREF and AS_PATH attributes can be used to prefer one tunnel over the other, to filter which prefixes are accepted or advertised, and to steer return traffic from the far side. One caveat for AWS: Site-to-Site VPN supports only BGP (or static routes) toward the virtual private gateway; running OSPF over IPsec is something you do between your own gateways, where the tunnel terminates on a routed interface (VTI or GRE over IPsec).
Routing over the encrypted IPsec tunnel also protects the routing updates themselves, so a party on the transit network can neither read nor inject them. As organizations expand their networks, routing protocols over VPNs provide automation, flexibility and security for connecting remote sites and infrastructure: convergence improves, management is simplified, and administrators can scale the network without touching static routes on every device. For secure transit between on-premises and cloud environments, routing protocols over IPsec VPNs are a robust and scalable solution.
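The example below is added to this article and is not vendor or AWS code. It simulates the policy described above for the two-tunnel active/passive pattern: on the customer gateway, an inbound route map gives routes learned over tunnel 1 a higher LOCAL_PREF and a prefix list rejects anything that is not the VPC CIDR; toward AWS, the on-premises prefix is advertised over tunnel 2 with an AS_PATH prepend so the AWS side also prefers tunnel 1. Only the LOCAL_PREF, AS_PATH-length and lowest-neighbor steps of the BGP decision process are modelled, and the ASNs, prefixes and inside tunnel addresses are made up.

```python
"""Simulated BGP path selection over two AWS VPN tunnels (added example).

Models the customer-side inbound route map (LOCAL_PREF 200 on tunnel 1,
prefix list for the VPC CIDR) and the outbound AS_PATH prepend on tunnel 2,
then runs a subset of the BGP decision process on each side.
"""
from dataclasses import dataclass

CUSTOMER_ASN = 65000  # assumed private ASN of the customer gateway
AWS_ASN = 64512       # assumed Amazon-side ASN of the virtual private gateway

# Inside tunnel addresses (made up; AWS allocates a /30 from 169.254.0.0/16 per tunnel)
TUNNELS = {
    1: {"local": "169.254.10.2", "peer": "169.254.10.1"},
    2: {"local": "169.254.11.2", "peer": "169.254.11.1"},
}
VPC_CIDR = "172.16.0.0/16"      # assumed VPC CIDR advertised by AWS
ONPREM_CIDR = "10.0.0.0/16"     # assumed on-premises prefix advertised to AWS
ACCEPT_FROM_AWS = {VPC_CIDR}    # prefix list: only the VPC CIDR may enter the on-prem table


@dataclass(frozen=True)
class Route:
    prefix: str
    neighbor: str        # address of the peer the route was learned from
    as_path: tuple
    local_pref: int = 100


def best_path(routes):
    """Decision process subset: highest LOCAL_PREF, then shortest AS_PATH,
    then lowest neighbor address as a deterministic tie-break."""
    if not routes:
        return None
    return min(routes, key=lambda r: (-r.local_pref, len(r.as_path), r.neighbor))


def customer_rib(tunnels_up, aws_advertised=(VPC_CIDR, "10.99.0.0/16")):
    """Routes the customer gateway installs for what AWS advertises.

    Inbound route map: tunnel 1 routes get LOCAL_PREF 200, tunnel 2 keeps the
    default 100, and prefixes outside ACCEPT_FROM_AWS are denied.
    """
    candidates = [
        Route(prefix, TUNNELS[t]["peer"], (AWS_ASN,), local_pref=200 if t == 1 else 100)
        for t in tunnels_up
        for prefix in aws_advertised
        if prefix in ACCEPT_FROM_AWS
    ]
    return {p: best_path([r for r in candidates if r.prefix == p])
            for p in {r.prefix for r in candidates}}


def aws_rib(tunnels_up):
    """What the virtual private gateway selects for the on-premises prefix.

    Outbound route map on the customer side: advertise normally over tunnel 1,
    prepend the customer ASN twice over tunnel 2 so AWS sees a longer path there.
    LOCAL_PREF is not carried across eBGP, so both candidates keep the default.
    """
    candidates = [
        Route(ONPREM_CIDR, TUNNELS[t]["local"], (CUSTOMER_ASN,) * (1 if t == 1 else 3))
        for t in tunnels_up
    ]
    return {ONPREM_CIDR: best_path(candidates)}


if __name__ == "__main__":
    for up in ({1, 2}, {2}):
        print("tunnels up", sorted(up))
        print("  on-prem ->", customer_rib(up))
        print("  aws     ->", aws_rib(up))
```

With both tunnels up, both sides pick tunnel 1, so traffic is symmetric; when tunnel 1 is withdrawn, both sides fall back to tunnel 2 without any configuration change, which is exactly the failover the static-route alternative cannot give you.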
So with BGP configured on both ends, over the inside tunnel addresses, the customer gateway device and the AWS virtual private gateway dynamically share routing information across the IPsec VPN tunnels instead of relying on static routes. This enhances automation and flexibility, and it also gives you a simple health signal: a tunnel whose IPsec SA is up but whose BGP session has accepted no routes is not actually carrying traffic.
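As an added example (not an AWS-provided script) covering both the two-tunnel redundancy point above and the BGP route exchange, here is a check that reads the tunnel telemetry EC2 returns for a Site-to-Site VPN connection and flags a connection that has fewer than two tunnels UP or a tunnel that is UP at the IPsec layer but has accepted no BGP routes. The `evaluate` function works on the `VgwTelemetry` structure of DescribeVpnConnections, so it can be exercised offline on the constructed sample responses below; `check_live` fetches the real structure with boto3 and needs AWS credentials. The VPN connection ID and addresses in the samples are made up.

```python
"""Health check for both tunnels of an AWS Site-to-Site VPN (added example).

evaluate() consumes one entry of DescribeVpnConnections' VpnConnections list;
check_live() fetches that entry with boto3. Sample responses are constructed.
"""


def evaluate(vpn_connection, min_tunnels_up=2):
    """Return {'tunnels_up', 'healthy', 'findings'} for one VPN connection.

    A tunnel counts as healthy only if Status is UP and, on a BGP-routed
    connection, at least one route has been accepted from the peer. IPsec UP
    with AcceptedRouteCount 0 usually means the BGP session never established.
    """
    static_only = vpn_connection.get("Options", {}).get("StaticRoutesOnly", False)
    findings, tunnels_up = [], 0
    for tunnel in vpn_connection.get("VgwTelemetry", []):
        ip = tunnel.get("OutsideIpAddress", "?")
        status = tunnel.get("Status")
        if status != "UP":
            findings.append(f"tunnel {ip} is {status}: {tunnel.get('StatusMessage', '')}")
            continue
        tunnels_up += 1
        if not static_only and tunnel.get("AcceptedRouteCount", 0) == 0:
            findings.append(f"tunnel {ip} is UP but has accepted no BGP routes")
    if tunnels_up < min_tunnels_up:
        findings.append(f"only {tunnels_up} of {min_tunnels_up} required tunnels are UP")
    return {"tunnels_up": tunnels_up, "healthy": not findings, "findings": findings}


def check_live(vpn_connection_id, region):
    """Fetch telemetry from EC2 and evaluate it (requires AWS credentials)."""
    import boto3  # imported here so the offline part of this file has no dependency
    ec2 = boto3.client("ec2", region_name=region)
    resp = ec2.describe_vpn_connections(VpnConnectionIds=[vpn_connection_id])
    return evaluate(resp["VpnConnections"][0])


# Constructed samples in the shape EC2 returns; IDs and addresses are made up.
SAMPLE_HEALTHY = {
    "VpnConnectionId": "vpn-0123456789abcdef0",
    "Options": {"StaticRoutesOnly": False},
    "VgwTelemetry": [
        {"OutsideIpAddress": "203.0.113.10", "Status": "UP",
         "StatusMessage": "", "AcceptedRouteCount": 3},
        {"OutsideIpAddress": "203.0.113.11", "Status": "UP",
         "StatusMessage": "", "AcceptedRouteCount": 3},
    ],
}

SAMPLE_ONE_DOWN = {
    "VpnConnectionId": "vpn-0123456789abcdef0",
    "Options": {"StaticRoutesOnly": False},
    "VgwTelemetry": [
        {"OutsideIpAddress": "203.0.113.10", "Status": "UP",
         "StatusMessage": "", "AcceptedRouteCount": 3},
        {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN",
         "StatusMessage": "IPSEC IS DOWN", "AcceptedRouteCount": 0},
    ],
}

SAMPLE_BGP_STUCK = {
    "VpnConnectionId": "vpn-0123456789abcdef0",
    "Options": {"StaticRoutesOnly": False},
    "VgwTelemetry": [
        {"OutsideIpAddress": "203.0.113.10", "Status": "UP",
         "StatusMessage": "", "AcceptedRouteCount": 3},
        {"OutsideIpAddress": "203.0.113.11", "Status": "UP",
         "StatusMessage": "", "AcceptedRouteCount": 0},
    ],
}

if __name__ == "__main__":
    for name, sample in (("healthy", SAMPLE_HEALTHY), ("one down", SAMPLE_ONE_DOWN),
                         ("bgp stuck", SAMPLE_BGP_STUCK)):
        print(name, evaluate(sample))
```

Run this from a scheduled job or a CloudWatch-triggered Lambda and alert on `healthy == False`; the second tunnel going down during AWS maintenance is exactly the window in which you do not want to discover it was never configured.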