AWS VPN consists of two services: AWS Site-to-Site VPN and AWS Client VPN. You can securely and privately access your cloud resources with either a Site-to-Site VPN IP Security (IPSec) setup or with a Client VPN Transport Layer Security (TLS) tunnel. AWS Site-to-Site VPN enables you to securely connect your on-premises network or branch office site to your Amazon Virtual Private Cloud (Amazon VPC). AWS Client VPN enables you to securely connect users to AWS or on-premises networks.
AWS Site-to-Site VPN features
AWS Site-to-Site VPN extends your data center or branch office to the cloud via IP Security (IPSec) tunnels, and supports connecting to both virtual private gateway and AWS Transit Gateway. You can optionally run Border Gateway Protocol (BGP) over the IPSec tunnel for a highly available solution.
AWS Site-to-Site VPN enables you to create IPSec tunnels to a virtual private gateway or AWS Transit Gateway. Traffic in the tunnel between these endpoints can be encrypted with AES128 or AES256 and use Diffie-Hellman groups for key exchange, providing Perfect Forward Secrecy. AWS Site-to-Site VPN authenticates tunnel traffic with SHA1 or SHA2 hash functions.
AWS Site-to-Site VPN enables you to create failover and CloudHub solutions with AWS Direct Connect. CloudHub enables your remote sites to communicate with each other, and not just with the VPC. It operates on a simple hub-and-spoke model that you can use with or without a VPC. This design is suitable for customers with multiple branch offices and existing internet connections who'd like to implement a convenient, potentially low-cost hub-and-spoke model for primary or backup connectivity between these remote offices.
Configuration and performance
AWS Site-to-Site VPN offers customizable tunnel options including inside tunnel IP address, pre-shared key, and Border Gateway Protocol Autonomous System Number (BGP ASN), so you can set up multiple secure VPN tunnels to increase the bandwidth for your applications or for resiliency in case of downtime. In addition, equal-cost multi-path routing (ECMP) is available with AWS Site-to-Site VPN on AWS Transit Gateway to help increase the traffic bandwidth over multiple paths.
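As an added example (not code from this page or from AWS), the following Python builds and checks the per-tunnel options described above and in the encryption paragraph (inside tunnel CIDR, pre-shared key, AES/SHA/Diffie-Hellman choices) in the shape that boto3's EC2 `create_vpn_connection` accepts under `Options.TunnelOptions`. The policy sets, sample CIDR and key are constructed for the example; the reserved inside-CIDR list is the one given in the AWS Site-to-Site VPN documentation.

```python
import ipaddress
import re

# Policy sets for this example (constructed; adjust to your own standard).
# The values are the strings/ints the EC2 TunnelOptions fields accept.
STRONG_ENCRYPTION = {"AES256", "AES256-GCM-16"}
STRONG_INTEGRITY = {"SHA2-256", "SHA2-384", "SHA2-512"}           # excludes SHA1
STRONG_DH_GROUPS = {14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24}   # excludes group 2
# Inside-tunnel /30 blocks AWS reserves, per the Site-to-Site VPN documentation.
RESERVED_INSIDE_CIDRS = {ipaddress.ip_network(c) for c in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30")}
# Pre-shared key: 8-64 chars of letters, digits, '.' and '_', not starting with 0.
PSK_RE = re.compile(r"^[1-9A-Za-z._][A-Za-z0-9._]{7,63}$")
# Field name -> allowed values, for both IKE phases.
POLICY = {f"Phase{p}EncryptionAlgorithms": STRONG_ENCRYPTION for p in (1, 2)}
POLICY.update({f"Phase{p}IntegrityAlgorithms": STRONG_INTEGRITY for p in (1, 2)})
POLICY.update({f"Phase{p}DHGroupNumbers": STRONG_DH_GROUPS for p in (1, 2)})


def hardened_tunnel_option(inside_cidr: str, psk: str) -> dict:
    """Build one TunnelOptions entry pinned to the strong sets above."""
    opt = {"TunnelInsideCidr": inside_cidr, "PreSharedKey": psk}
    for field, allowed in POLICY.items():
        opt[field] = [{"Value": v} for v in sorted(allowed)]
    return opt


def validate_tunnel_option(opt: dict) -> list:
    """Return policy findings for one TunnelOptions entry (empty list = OK)."""
    findings = []
    try:
        net = ipaddress.ip_network(opt["TunnelInsideCidr"])
        if net.prefixlen != 30 or not net.subnet_of(ipaddress.ip_network("169.254.0.0/16")):
            findings.append("TunnelInsideCidr must be a /30 within 169.254.0.0/16")
        elif net in RESERVED_INSIDE_CIDRS:
            findings.append(f"TunnelInsideCidr {net} is reserved by AWS")
    except (KeyError, ValueError):
        findings.append("TunnelInsideCidr missing or not a valid CIDR")
    if not PSK_RE.match(opt.get("PreSharedKey", "")):
        findings.append("PreSharedKey must be 8-64 chars of [A-Za-z0-9._], not starting with 0")
    for field, allowed in POLICY.items():
        proposed = {v["Value"] for v in opt.get(field, [])}
        if not proposed:
            findings.append(f"{field} not pinned; any AWS-supported value may be negotiated")
        elif proposed - allowed:
            findings.append(f"{field} permits weak value(s): {sorted(proposed - allowed)}")
    return findings
```

Pass the two dicts returned by `hardened_tunnel_option` as the `TunnelOptions` list when calling `create_vpn_connection`; an unpinned field leaves the algorithm choice to whatever the customer gateway proposes.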
Network Address Translation (NAT) Traversal
AWS Site-to-Site VPN supports NAT Traversal, so that you can use private IP addresses on private networks behind routers that present a single public IP address to the internet.
AWS Site-to-Site VPN can send metrics to CloudWatch to provide you with greater visibility and monitoring. CloudWatch also allows you to send your own custom metrics and add data points in any order, and at any rate you choose. You can retrieve statistics about those data points as an ordered set of time-series data.
AWS Site-to-Site VPN limits
You can have up to five (5) customer gateways per AWS account per AWS Region.*
You can have up to five (5) virtual gateways per AWS account per AWS Region.*
You can have up to fifty (50) Site-to-Site VPN connections per AWS account per AWS Region.*
You can have up to fifty (50) Site-to-Site VPN connections per virtual gateway.
You can advertise up to one hundred (100) routes per virtual gateway.
AWS Client VPN features
AWS Client VPN provides a fully managed VPN solution that can be accessed from anywhere with an internet connection and an OpenVPN-compatible client. It is elastic, and automatically scales to meet your demand. It enables your users to connect to both AWS and on-premises networks. AWS Client VPN seamlessly integrates with your existing AWS infrastructure, including Amazon VPC and AWS Directory Services, so you don't have to change your network topology.
AWS Client VPN provides the following features:
AWS Client VPN will authenticate using either Active Directory or certificates. Client VPN integrates with AWS Directory Services, which connects to your existing on-premises Active Directory, so it does not require you to replicate data from your existing Active Directory to the cloud. Certificate-based authentication with Client VPN integrates with AWS Certificate Manager to easily provision, manage, and deploy certificates.
AWS Client VPN provides network-based authorization so you can define access control rules that limit access to specific networks, based on Active Directory groups. Client VPN can provide granular access to specific applications for Client VPN users using security groups.
AWS Client VPN uses the secure TLS VPN tunnel protocol to encrypt the traffic. A single VPN tunnel terminates at each Client VPN endpoint and provides users access to all AWS and on-premises resources.
You can use Amazon CloudWatch Logs to monitor, store, and access the connection logs from AWS Client VPN. You can then retrieve the associated log data from CloudWatch Logs, so you can monitor activity, conduct forensic analysis, and terminate specific connections, staying in control of who has access to your network.
Compatibility with your employees' devices
AWS Client VPN is designed to connect devices to your applications. It lets you use any OpenVPN-based client, giving employees the option to use the device of their choice, including Windows, Mac, iOS, Android, and Linux-based devices.