AWS Certified Advanced Networking Prep – VPN
This post is part of a multi-series blog to help folks prepare to take the AWS Certified Advanced Networking Exam. As the title indicates, this section is dedicated to VPN, which is a significant topic for the exam. The previous post for Direct Connect can be found here.
VPN Options on AWS
To set the stage here, let’s quickly discuss the different options available on AWS and the requirements of each one:
Software VPN refers to running some type of VPN software on an EC2 instance that provides the tunnel’s endpoint in your VPC. This could be something like OpenVPN or an appliance from the AWS Marketplace. It’s important to note that outside of providing the EC2 and VPC platform to run the instance, AWS provides no management or services around the connectivity and availability of the VPN connection. Therefore, it’s a less desirable option when connecting into AWS.
There are some apparent downsides of software VPN. The customer has to manage the instance itself, including the OS and the application providing VPN connectivity, which means you need to harden it, patch it, and ensure it meets your business’ regulatory and compliance requirements. It also means that you will likely need to run multiple instances in multiple Availability Zones to provide redundancy if connectivity is critical to operations. Long-running instances also cost money, and you’ll likely want to purchase Reserved Instances for them as well. Last but not least, VPN connectivity involves the Internet, which is inherently unreliable, so network latency and performance may vary depending on various conditions.
Beyond the downsides of software VPN, there are use cases where it makes sense to use it as an alternative to the other options available on AWS. First, it offers the broadest interoperability with other products you might be running on premises. For example, if you want to use something other than IPsec for connectivity, like PPTP or TLS/SSL, you’ll need to use software VPN to establish connectivity. Software VPN can also be useful when you need connectivity up rapidly, or you don’t have access to, or don’t want to engage, the networking/security team. The software can be configured relatively quickly, and likely automated using CloudFormation templates or bootstrap scripts.
Another positive of software VPN is that it can be used to extend connectivity between multiple regions within AWS. The managed service, discussed below, doesn’t offer that capability, which is why software VPN is the underlying solution behind designs such as a transit VPC.
AWS Managed VPN
The preferred option on AWS is to use the managed VPN provided by the AWS Virtual Private Cloud service, sometimes referred to as Hardware VPN. Just as the name suggests, this is a fully managed service provided by AWS to allow IPsec VPN connectivity into your VPC. On the AWS side, the VPN tunnel is terminated at a Virtual Private Gateway (VGW) that is attached to your VPC.
The benefits of managed VPN are extensive, although there are limitations to the service. To start, the managed VPN provides redundancy by use of the VGW, which provides two endpoints to connect to. You don’t see these endpoints in the console, but the VPN configuration provides the details of each endpoint you’ll connect to. AWS does guarantee that these endpoints are provisioned in multiple fault domains. Ideally, on the customer side, you will configure your device (referred to as the customer gateway) to connect to BOTH of the endpoints. To provide further redundancy, you’ll want to connect multiple customer gateway devices to both tunnels to eliminate any single points of failure.
As with software VPN, this service is relatively simple to set up, and connectivity can be established quickly. This is the route businesses go when doing a proof of concept with AWS or waiting for a Direct Connect to be delivered. VPN can be configured to be active/active, meaning it can use BGP multi-pathing to send packets across both tunnels. It can also be configured with static or dynamic routes, but BGP is the preferred method for connectivity, especially when using multiple VPNs or setting up VPN as a backup path if a Direct Connect becomes unavailable. Note that AWS will advertise the entire VPC range via BGP rather than the individual subnets.
One downside of the managed VPN service is that it only supports IPsec, so if you need something different, you’ll need to resort to software VPN. Managed VPN also relies on the Internet, which doesn’t provide consistent latency and speed, depending on traffic and other factors. It should also be noted that the managed VPN tunnel will only be established if traffic from the customer gateway is sent, meaning that traffic originating from AWS to your data center will not bring the tunnel up. If you need a consistent connection for outbound connectivity destined to your data center, you might need to set up a keep-alive, something like a continuous ping from your data center to the VPC.
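Because the VGW only gives you redundancy when the customer gateway holds BOTH tunnels up, it is worth checking tunnel state rather than assuming it. The example below is added here and is not from the original post or from AWS: it walks the VgwTelemetry list in the shape that ec2:DescribeVpnConnections returns and flags connections short of two UP tunnels, noting that a DOWN tunnel may simply be idle (no traffic from the customer gateway) rather than broken. SAMPLE_VPN_CONNECTIONS is a constructed response, not real account data.

```python
from typing import Dict, List

# Constructed sample in the shape of describe_vpn_connections()["VpnConnections"].
SAMPLE_VPN_CONNECTIONS: List[Dict] = [
    {  # constructed: both VGW endpoints up, BGP routes learned -> redundant
        "VpnConnectionId": "vpn-0aaa111",
        "Options": {"StaticRoutesOnly": False},
        "VgwTelemetry": [
            {"OutsideIpAddress": "203.0.113.10", "Status": "UP", "AcceptedRouteCount": 2},
            {"OutsideIpAddress": "203.0.113.11", "Status": "UP", "AcceptedRouteCount": 2},
        ],
    },
    {  # constructed: one tunnel down, static routes -> single point of failure
        "VpnConnectionId": "vpn-0bbb222",
        "Options": {"StaticRoutesOnly": True},
        "VgwTelemetry": [
            {"OutsideIpAddress": "203.0.113.20", "Status": "UP", "AcceptedRouteCount": 0},
            {"OutsideIpAddress": "203.0.113.21", "Status": "DOWN", "AcceptedRouteCount": 0},
        ],
    },
]


def check_tunnel_redundancy(vpn_connections: List[Dict]) -> List[str]:
    """Return one finding per connection that is not fully redundant.

    A DOWN tunnel is not always a fault: AWS only brings a tunnel up when the
    customer gateway sends traffic, so an idle tunnel without a keep-alive
    also reads DOWN. The finding names both possibilities.
    """
    findings = []
    for conn in vpn_connections:
        cid = conn["VpnConnectionId"]
        telemetry = conn.get("VgwTelemetry", [])
        up = [t for t in telemetry if t["Status"] == "UP"]
        down = [t["OutsideIpAddress"] for t in telemetry if t["Status"] != "UP"]
        dynamic = not conn.get("Options", {}).get("StaticRoutesOnly", False)
        if not up:
            findings.append(f"{cid}: no tunnel UP, connectivity lost")
        elif len(up) < 2:
            findings.append(
                f"{cid}: 1 of {len(telemetry)} tunnels UP (down: {', '.join(down)}); "
                "single point of failure or idle tunnel without keep-alive")
        # With BGP, an UP tunnel that has accepted no routes carries no traffic yet.
        if dynamic and any(t["AcceptedRouteCount"] == 0 for t in up):
            findings.append(f"{cid}: tunnel UP but no BGP routes accepted")
    return findings
```

Against a live account you would feed it `boto3.client("ec2").describe_vpn_connections()["VpnConnections"]` instead of the constructed sample.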
Requirements for Customer Gateway
The customer gateway must meet specific requirements to connect to the managed VPN service. The majority of enterprise firewalls and routers should support these, but they’re important to know for the test. More can be found in the official documentation here.
- Support for BGP, if you’re planning to use dynamic routing
- Support for IKE Security Associations using Pre-Shared Keys
- Ability to establish IPsec Security Associations in tunnel mode
- Support for AES 128-bit or AES 256-bit encryption
- SHA-1 or SHA-256 hashing
- Diffie-Hellman Perfect Forward Secrecy – Group 2
- IPsec Dead Peer Detection
- Ability to fragment packets before encapsulating
Any firewalls or devices blocking traffic between the customer gateway and AWS must also allow traffic to flow over the following ports both inbound and outbound on both sides of the connection:
- UDP 500 (IKE)
- IP protocol 50 (ESP)
Managed VPN is billed using two different charges:
- VPN Connection-Hour – charged each hour that the VPN tunnel is established. As with most other services, partial hours are billed as full hours.
- Data transfer charges – like anything else on AWS, you are charged data transfer fees for any data that is transferred outbound from AWS
For software VPN, you’ll pay for the following:
- EC2 instance charges
- Possibly software licensing if not using open source
- Data transfer charges (outbound)
Additional Points of Interest
- You can only have one VGW per VPC; therefore, if you want to establish VPN connectivity to other VPCs, you’ll need separate connections (or you can use something like a transit VPC).
- If you need to change the Pre-Shared Key for the VPN connection, you can just delete it and create a new connection. However, beware that the VGW endpoints might change as well.
- If you want to change the crypto configuration on your VPN tunnel, you can update your on-premises device. VPN configuration is negotiated each time when the tunnel is established.
- If you want to move the VPN connection to a new VPC, simply detach the VGW from the original VPC and attach it to the new one. Keep in mind that routing may change (if not using BGP) if the new VPC uses a different IP subnet than the original. This is only possible if the VPC is in the same region and same account.