Posted On: Jun 22, 2022
Starting today, AWS Site-to-Site VPN supports deploying IPSec VPN connections over Direct Connect using private IP addresses. With this change, customers can encrypt Direct Connect (DX) traffic between their on-premises network and AWS without using public IP addresses, gaining encryption and network privacy at the same time.
AWS Site-to-Site VPN is a fully managed service that creates a secure connection between your data center or branch office and your AWS resources using IP Security (IPSec) tunnels. Until now, you were required to use a public IP address to connect your on-premises networks to AWS VPCs. Many customers require robust encryption of network traffic over Direct Connect, which is a private circuit but does not itself encrypt the traffic it carries, and at the same time are not allowed to use public IP addresses for this communication. With this launch, you can configure private IP addresses (RFC 1918) on your IPSec VPN tunnels over Direct Connect and ensure that traffic between AWS and your on-premises networks is both encrypted and private. This feature improves your overall security posture and helps you comply with regulatory or security mandates.
To get started, create a private IP VPN connection to an AWS transit gateway over Direct Connect and set the outside IP address type to private IP. Specify the Transit Gateway Direct Connect attachment that you want to use as transport for this private IP VPN connection. You can route traffic over the private IP VPN connection between AWS and your remote network using either BGP (dynamic routing) or static routes configured in Transit Gateway route tables. This feature is available through the AWS Management Console, the Amazon Command Line Interface (Amazon CLI), and the Amazon Software Development Kit (Amazon SDK).
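The following script is an added example and is not part of the announcement or of any AWS tooling. It shows the two CLI steps above (create a customer gateway with a private address, then create the VPN connection with a private outside IP type over a transit gateway Direct Connect attachment) with a pre-flight check that the customer gateway address really is RFC 1918, since a public address here would defeat the point of the feature. The option names `--ip-address`, `OutsideIpAddressType=PrivateIpv4` and `TransportTransitGatewayAttachmentId`, the BGP ASN, and all resource IDs are assumptions or placeholders; confirm them against your CLI version before use.

```shell
#!/bin/sh
# Added example (not from the AWS announcement): build the AWS CLI commands for
# a private-IP Site-to-Site VPN over a Direct Connect transit gateway attachment,
# refusing to proceed unless the customer gateway address is RFC 1918.

# Return 0 if $1 is a dotted-quad IPv4 address inside 10/8, 172.16/12 or 192.168/16.
is_rfc1918() {
    ip="$1"
    # Reject anything that is not four dotted decimal octets.
    case "$ip" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs="$IFS"; IFS=.
    set -- $ip
    IFS="$oldifs"
    [ "$#" -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        [ "$o" -le 255 ] || return 1
    done
    case "$1.$2" in
        10.*)    return 0 ;;
        192.168) return 0 ;;
        172.*)   [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0 ;;
    esac
    return 1
}

# Print (do not run) the commands for the private-IP VPN. Arguments:
#   $1 customer gateway ASN, $2 customer gateway private IP,
#   $3 transit gateway id, $4 Transit Gateway Direct Connect attachment id (transport).
# Flag and option names below are assumed from the AWS CLI create-customer-gateway
# and create-vpn-connection commands; the CGW id in step 2 is a placeholder you
# replace with the id returned by step 1.
build_private_vpn_cmds() {
    asn="$1"; cgw_ip="$2"; tgw_id="$3"; dx_attach_id="$4"
    if ! is_rfc1918 "$cgw_ip"; then
        echo "refusing: customer gateway address $cgw_ip is not RFC 1918" >&2
        return 1
    fi
    printf 'aws ec2 create-customer-gateway --type ipsec.1 --bgp-asn %s --ip-address %s\n' \
        "$asn" "$cgw_ip"
    printf 'aws ec2 create-vpn-connection --type ipsec.1 --customer-gateway-id <CGW-ID-FROM-STEP-1> --transit-gateway-id %s --options OutsideIpAddressType=PrivateIpv4,TransportTransitGatewayAttachmentId=%s\n' \
        "$tgw_id" "$dx_attach_id"
}

# Usage: sh private_ip_vpn.sh <bgp-asn> <cgw-private-ip> <tgw-id> <tgw-attach-id>
if [ "$#" -eq 4 ]; then
    build_private_vpn_cmds "$@"
fi
```

The script prints the commands rather than executing them so you can review the resource IDs before running each step; the second command needs the customer gateway ID returned by the first. The RFC 1918 check is the part worth keeping in any automation around this feature: the VPN will happily be created with a public customer gateway address, and nothing downstream tells you the "private" tunnel is not.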