Sunday, 11 February 2018

AWS VPC (Connectivity)


Customer Network->VPC: Hardware VPN
  •  See VPC (VPN) notes for details

Customer Network->VPC: Direct Connect
  • See Direct Connect for details

Customer Network->VPC: Direct Connect + VPN
  • Uses DX public VIF
  • Connects to public VGW endpoint

Customer Network->VPC: VPC CloudHub
  • Hub-and-spoke model
  • Multiple branches connected to VGW
  • Routes are propagated branch -> VGW -> branch
    • BGP announcements are re-advertised to other branches
    • Branch-to-Branch connectivity possible (traffic flows via AWS)
  • Segmenting branches
    • Separate ASN for each
    • Non-overlapping CIDR

VPC->VPC: VPC Peering
  • Networking connection between two VPCs
  • Cross region support (since 2017)
    • Stays on AWS backbone
  • Routing based on private IPs
    • Both VPCs must have their route tables updated (pcx-* entry)
  • Can be done cross-account
  • No IGW or VGW involved: no bottleneck, no SPOF
  • Use cases
    • File sharing
    • Access between environments
  • Establishment
    • requester VPC sends request: initiating-request -> pending-acceptance
    • peer VPC accepts: provisioning -> active
  • Limitations
    • CIDR blocks may overlap but route tables need to be specially adjusted
    • Not transitive (A<->B<->C does not imply A<->C)
      • 1-to-1 only
      • You can use a proxy instance to facilitate it (mesh)
    • MTU = 1500 (no jumbo frames)
    • Placement Groups - no full bi-section bandwidth
    • Unicast Reverse Path Forwarding (check against IP spoofing) not supported
    • Cannot reference peer Security Groups
    • Private DNS values not resolved between instances in peer VPC
    • No edge-to-edge routing (i.e. traffic does not extend to the edges of the network), e.g.
      • A VPN connection or an AWS Direct Connect connection to a corporate network
      • An Internet connection through an Internet gateway
      • A ClassicLink connection to an EC2-Classic instance
      • A VPC endpoint to an AWS service; for example, an endpoint to Amazon S3
      • An Internet connection in a private subnet through a NAT instance
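
As an added illustration (not part of these notes), a small Python model of the peering rules above: routing by private IP, a pcx-* entry required in both route tables, and no transitive forwarding. The VPC CIDRs, pcx ids and route tables are constructed sample data, not real AWS output.

```python
import ipaddress

# Constructed topology: vpc-a<->vpc-b and vpc-b<->vpc-c are peered; vpc-a and vpc-c are not.
VPCS = {"vpc-a": "10.0.0.0/16", "vpc-b": "10.1.0.0/16", "vpc-c": "10.2.0.0/16"}
PEERINGS = {  # pcx id -> (requester VPC, accepter VPC, status)
    "pcx-ab": ("vpc-a", "vpc-b", "active"),
    "pcx-bc": ("vpc-b", "vpc-c", "active"),
}
ROUTE_TABLES = {  # VPC -> list of (destination CIDR, target); vpc-a wrongly points vpc-c at pcx-ab
    "vpc-a": [("10.0.0.0/16", "local"), ("10.1.0.0/16", "pcx-ab"), ("10.2.0.0/16", "pcx-ab")],
    "vpc-b": [("10.1.0.0/16", "local"), ("10.0.0.0/16", "pcx-ab"), ("10.2.0.0/16", "pcx-bc")],
    "vpc-c": [("10.2.0.0/16", "local"), ("10.1.0.0/16", "pcx-bc")],
}

def lookup(vpc, ip):
    """Longest-prefix match in the VPC's route table; returns the target or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, target in ROUTE_TABLES[vpc]:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None

def peer_of(pcx, vpc):
    """Return the other side of the peering if vpc is on it and it is active, else None."""
    req, acc, status = PEERINGS[pcx]
    if status != "active" or vpc not in (req, acc):
        return None
    return acc if vpc == req else req

def can_reach(src_vpc, src_ip, dst_ip):
    """Decide whether an instance at src_ip in src_vpc can exchange traffic with dst_ip."""
    target = lookup(src_vpc, dst_ip)
    if target is None:
        return False, "no route"
    if target == "local":
        return True, "local"
    dst_vpc = peer_of(target, src_vpc)
    if dst_vpc is None:
        return False, f"{target} not active for {src_vpc}"
    # Traffic over a peering is delivered only into the peer VPC's own CIDR: not transitive.
    if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(VPCS[dst_vpc]):
        return False, f"{dst_ip} is not in {dst_vpc}; peering is not transitive"
    # The peer's route table must also carry the pcx-* entry, otherwise replies are dropped.
    if lookup(dst_vpc, src_ip) != target:
        return False, f"{dst_vpc} has no return route via {target}"
    return True, f"via {target}"
```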

VPC->VPC: Software VPN
  • See VPC (VPN)
  • Inter-region VPN
    • Each region runs a "Software VPN appliance" (IGW)

VPC->VPC: Software to Hardware VPN
  • Uses VGW in region 1
  • Uses "Software VPN appliance" (IGW) in region 2
    • initiates connection

VPC->VPC: Hardware VPN
  • Hub-and-spoke model
    • Customer Network is Hub
      • Connects to multiple VPC (using VGW)
  • VPC-to-VPC routing via Customer Network

VPC->VPC: Direct Connect
  • Hub-and-spoke model
    • Customer Network is Hub
    • Connects to multiple VPC (using DX)
  • Inter-region routing possible if Customer has WAN (e.g. MPLS)

User->VPC: Software Remote Access VPN
  • Run "Remote Access Server"
    • Can use LDAP/Active Directory
  • See VPC (VPN) Software VPN
