AWS Site-to-Site VPN User Guide AWS Site-to-Site VPN User Guide AWS Site-to-Site VPN: User Guide Copyright © Amazon Web Services, Inc. and/or its affiliates. All rights reserved. Amazon's trademarks and trade dress may not be used in connection with any product or service that is not Amazon's, in any manner that is likely to cause confusion among customers, or in any manner that disparages or discredits Amazon. All other trademarks not owned by Amazon are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by Amazon. AWS Site-to-Site VPN User Guide Table of Contents What is Site-to-Site VPN ..................................................................................................................... 1 Concepts ................................................................................................................................... 1 Working with Site-to-Site VPN ..................................................................................................... 1 Site-to-Site VPN limitations ......................................................................................................... 2 Pricing ...................................................................................................................................... 2 How AWS Site-to-Site VPN works ........................................................................................................ 3 Site-to-Site VPN Components ...................................................................................................... 3 Virtual private gateway ....................................................................................................... 3 Transit gateway ................................................................................................................. 3 Customer gateway device .................................................................................................... 4 Customer gateway ............................................................................................................. 4 IPv4 and IPv6 support ................................................................................................................ 4 Site-to-Site VPN categories ......................................................................................................... 4 Site-to-Site VPN tunnel options ................................................................................................... 5 Site-to-Site VPN tunnel authentication options ............................................................................ 10 Pre-shared keys ................................................................................................................ 10 Private certificate from AWS Certificate Manager Private Certificate Authority .......................... 10 Site-to-Site VPN tunnel initiation options .................................................................................... 10 VPN tunnel IKE initiation options ....................................................................................... 10 Rules and limitations ........................................................................................................ 11 Working with VPN tunnel initiation options ......................................................................... 11 Endpoint replacements ............................................................................................................. 11 Endpoint replacements during VPN tunnel updates .............................................................. 11 Endpoint replacements during VPN connection modifications ................................................ 12 Customer gateway options ........................................................................................................ 12 Accelerated Site-to-Site VPN connections .................................................................................... 13 Enabling acceleration ........................................................................................................ 14 Rules and restrictions ........................................................................................................ 14 Pricing ............................................................................................................................ 14 Site-to-Site VPN routing options ................................................................................................ 14 Static and dynamic routing ................................................................................................ 15 Route tables and VPN route priority ................................................................................... 15 Routing during VPN tunnel endpoint updates ...................................................................... 17 IPv4 and IPv6 traffic ......................................................................................................... 17 Getting started ................................................................................................................................ 18 Prerequisites ............................................................................................................................ 18 Create a customer gateway ....................................................................................................... 19 Create a target gateway ............................................................................................................ 20 Create a virtual private gateway ......................................................................................... 20 Create a transit gateway ................................................................................................... 20 Configure routing ..................................................................................................................... 20 (Virtual private gateway) Enable route propagation in your route table .................................... 21 (Transit gateway) Add a route to your route table ................................................................ 22 Update your security group ....................................................................................................... 22 Create a Site-to-Site VPN connection .......................................................................................... 22 Download the configuration file ................................................................................................. 23 Configure the customer gateway device ...................................................................................... 24 Architectures .................................................................................................................................... 25 Single and multiple connection examples .................................................................................... 25 Single Site-to-Site VPN connection ..................................................................................... 25 Single Site-to-Site VPN connection with a transit gateway ..................................................... 25 Multiple Site-to-Site VPN connections ................................................................................. 26 Multiple Site-to-Site VPN connections with a transit gateway ................................................. 26 Site-to-Site VPN connection with AWS Direct Connect .......................................................... 27 iii AWS Site-to-Site VPN User Guide AWS VPN CloudHub ................................................................................................................. 27 Overview ......................................................................................................................... 28 Pricing ............................................................................................................................ 29 Using redundant Site-to-Site VPN connections to provide failover .................................................. 29 Your customer gateway device ........................................................................................................... 32 Example configuration files ....................................................................................................... 33 Requirements for your customer gateway device .......................................................................... 35 Configuring a firewall between the internet and your customer gateway device ................................ 38 Multiple VPN connection scenarios ............................................................................................. 39 Routing for your customer gateway device .................................................................................. 40 Example configurations for static routing .................................................................................... 40 Example configuration files ............................................................................................... 40 User interface procedures for static routing ......................................................................... 41 Additional information for Cisco devices .............................................................................. 50 Testing ............................................................................................................................ 51 Example configurations for dynamic