Q: What options do I have for connecting to a VPN?
A: You can connect your VPC to your own data center using a hardware VPN connection via a virtual private gateway.
Q: If my instance does not have a public IP address, how do I access the internet?
A: An instance without a public IP address can reach the internet in one of two ways:
Route outbound traffic through a network address translation (NAT) gateway or NAT instance. The instance's traffic leaves through the NAT gateway, or through the public IP address of the NAT instance. Either allows outbound communication but does not let machines on the Internet initiate connections to the privately addressed instances behind it.
For VPCs with hardware VPN or Direct Connect connections, internet traffic from your instances can be routed to your existing data center through a virtual private gateway. From there, you can access the internet through your existing egress points and network security/monitoring devices.
Q: How does an AWS Site-to-Site VPN connection work with Amazon VPC?
A: An AWS Site-to-Site VPN connection connects your VPC to your data center. Amazon supports Internet Protocol Security (IPsec) VPN connections. Data transferred between your VPC and your data center is routed through an encrypted VPN connection, which maintains the confidentiality and integrity of data in transit. An Internet gateway is not required to establish a Site-to-Site VPN connection.
Q: What is IPsec?
A: IPsec is a protocol suite that protects Internet Protocol (IP) communications by authenticating and encrypting each IP packet in a data stream.
Q: Which customer gateway devices can I use to connect to Amazon VPC?
A: There are two types of AWS Site-to-Site VPN connection you can create: VPN connections that use static routing and VPN connections that use dynamic routing. Customer gateway devices used for VPN connections with static routing must be able to:
Establish an IKE Security Association using pre-shared keys
Establish an IPsec Security Association in tunnel mode
Use AES 128-bit, AES 256-bit, AES 128-bit GCM-16, or AES 256-bit GCM-16 encryption
Use SHA-1, SHA-2 (256), SHA-2 (384), or SHA-2 (512) hash functions
Use Diffie-Hellman (DH) Perfect Forward Secrecy in "Group 2" mode or one of the additional DH groups supported by AWS
Perform packet fragmentation before encryption
Devices used for AWS Site-to-Site VPN connections with dynamic routing must, in addition to the capabilities above, be able to:
Establish a Border Gateway Protocol (BGP) peering session
Bind a tunnel to a logical interface (route-based VPN)
Use IPsec Dead Peer Detection
Q: What Diffie-Hellman groups do you support?
A: The following Phase 1 and Phase 2 Diffie-Hellman (DH) groups are supported:
Phase 1: DH groups 2, 14-24.
Phase 2: DH groups 2, 5, 14-24.
Q: What algorithm does AWS recommend when IKE rekey is required?
A: By default, the VPN endpoint on the AWS side proposes AES-128, SHA-1, and DH group 2. If you want specific proposals to be used for rekeying, we recommend using Modify VPN Tunnel Options to restrict the tunnel options to the specific VPN parameters you require.
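As an added example (not AWS's own code), the following builds a restricted proposal set for one tunnel using the TunnelOptions structure of the EC2 ModifyVpnTunnelOptions API (boto3's modify_vpn_tunnel_options), and checks that none of the default AES-128 / SHA-1 / DH group 2 values remain. The VPN id and tunnel outside IP passed to apply_options() are placeholders.

```python
"""Restrict the IKE/IPsec proposals a Site-to-Site VPN tunnel accepts.

Added example, not AWS's own code. It builds the TunnelOptions structure
accepted by the EC2 ModifyVpnTunnelOptions API (boto3: modify_vpn_tunnel_options);
the VPN id and tunnel outside IP given to apply_options() are placeholders.
"""
from typing import Dict, Iterable, List

# Proposal values the FAQ lists as the AWS-side defaults.
WEAK_VALUES = {"AES128", "SHA1", 2}

def _values(items: Iterable) -> List[Dict]:
    """TunnelOptions expects each algorithm or group as {"Value": ...}."""
    return [{"Value": v} for v in items]

def hardened_tunnel_options(dh_groups: Iterable[int] = (14, 19, 20, 21)) -> Dict:
    """IKEv2 only, AES-256, SHA2-256 and DH groups from the 14-24 range for both phases."""
    groups = list(dh_groups)
    return {
        "IKEVersions": _values(["ikev2"]),
        "Phase1EncryptionAlgorithms": _values(["AES256"]),
        "Phase1IntegrityAlgorithms": _values(["SHA2-256"]),
        "Phase1DHGroupNumbers": _values(groups),
        "Phase2EncryptionAlgorithms": _values(["AES256"]),
        "Phase2IntegrityAlgorithms": _values(["SHA2-256"]),
        "Phase2DHGroupNumbers": _values(groups),
    }

def weak_proposals(options: Dict) -> List[str]:
    """Names of option lists that still contain a default-weak value (AES128, SHA1, DH 2)."""
    return sorted(key for key, items in options.items()
                  if any(item["Value"] in WEAK_VALUES for item in items))

def apply_options(vpn_id: str, outside_ip: str, options: Dict) -> Dict:
    """Push the proposal set to one tunnel (network call; needs AWS credentials)."""
    import boto3  # imported lazily so the rest of the module runs offline
    return boto3.client("ec2").modify_vpn_tunnel_options(
        VpnConnectionId=vpn_id, VpnTunnelOutsideIpAddress=outside_ip,
        TunnelOptions=options)

if __name__ == "__main__":
    # Constructed "default" set mirroring the FAQ's AES-128 / SHA-1 / DH group 2 proposal.
    defaults = {"Phase1EncryptionAlgorithms": _values(["AES128"]),
                "Phase1IntegrityAlgorithms": _values(["SHA1"]),
                "Phase1DHGroupNumbers": _values([2])}
    print("weak in defaults :", weak_proposals(defaults))
    print("weak in hardened :", weak_proposals(hardened_tunnel_options()))
```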
Q: What customer gateway devices are known to work with Amazon VPC?
A: A list of devices that meet the above requirements can be found in the Network Administrator's Guide. These devices are known to work with hardware VPN connections and are supported by command line tools that automatically generate the appropriate configuration files for your device.
Q: If my device is not on the supported list, where can I get more information about using it with Amazon VPC?
A: We encourage you to check the Amazon VPC forums, as other customers may already have the same device as yours.
Q: What is the maximum throughput of a site-to-site VPN connection?
A: Each AWS Site-to-Site VPN connection has two tunnels, and each tunnel supports a maximum throughput of 1.25 Gbps. Aggregated throughput limits apply when the VPN connection is connected to a virtual private gateway.
Q: Do virtual private gateways have aggregate throughput limits?
A: A virtual private gateway has an aggregate throughput limit per connection type. Multiple VPN connections to the same virtual private gateway are bound by an aggregate throughput limit of up to 1.25 Gbps from AWS to on-premises. For AWS Direct Connect connections over virtual private gateways, throughput is limited by the Direct Connect physical port itself. Use AWS Transit Gateway to connect to multiple VPCs and achieve higher throughput limits.
Q: What factors affect the throughput of a VPN connection?
A: The throughput of a VPN connection varies with several factors, such as the customer gateway's capabilities, the connection's capacity, the average packet size, the protocol used (TCP or UDP), and the network latency between the customer gateway and the virtual private gateway.
Q: What is the maximum number of packets per second for a site-to-site VPN connection?
A: Each AWS Site-to-Site VPN connection has two tunnels, and each tunnel supports up to 140,000 packets per second.
Q: What tools can I use to troubleshoot my site-to-site VPN setup?
A: The DescribeVPNConnection API shows the VPN connection status, including the state of each VPN tunnel ("up" or "down") and the corresponding error message when a tunnel is "down". The same information is displayed in the AWS Management Console.
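As an added example (not from the page or AWS), the script below flattens the per-tunnel telemetry that describe_vpn_connections returns into a health report and isolates the tunnels that are down together with their status message. The response embedded in SAMPLE_RESPONSE is constructed to mirror the VgwTelemetry shape of the real API; the VPN id and IP addresses are placeholders.

```python
"""Report Site-to-Site VPN tunnel health from a DescribeVpnConnections response.

Added example, not AWS's own code. SAMPLE_RESPONSE is a constructed response
that mirrors the VgwTelemetry shape the API returns ("UP"/"DOWN" plus StatusMessage).
"""
from typing import Dict, List

# Constructed sample: one VPN connection whose second tunnel is down (placeholder id/IPs).
SAMPLE_RESPONSE: Dict = {
    "VpnConnections": [
        {
            "VpnConnectionId": "vpn-0123456789abcdef0",
            "State": "available",
            "VgwTelemetry": [
                {"OutsideIpAddress": "203.0.113.10", "Status": "UP",
                 "AcceptedRouteCount": 12, "StatusMessage": ""},
                {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN",
                 "AcceptedRouteCount": 0, "StatusMessage": "IPSEC IS DOWN"},
            ],
        }
    ]
}

def tunnel_report(response: Dict) -> List[Dict]:
    """One row per tunnel; a down tunnel carries the API's status message."""
    rows = []
    for conn in response.get("VpnConnections", []):
        for tunnel in conn.get("VgwTelemetry", []):
            rows.append({
                "vpn_id": conn["VpnConnectionId"],
                "outside_ip": tunnel["OutsideIpAddress"],
                "up": tunnel["Status"] == "UP",
                "routes": tunnel.get("AcceptedRouteCount", 0),
                "message": tunnel.get("StatusMessage", ""),
            })
    return rows

def down_tunnels(response: Dict) -> List[Dict]:
    """Tunnels that are DOWN: one down tunnel loses redundancy, both down is an outage."""
    return [row for row in tunnel_report(response) if not row["up"]]

def fetch_live(vpn_id: str) -> Dict:
    """Fetch the real response with boto3 (network call; needs AWS credentials)."""
    import boto3  # imported lazily so the offline sample runs without boto3 installed
    return boto3.client("ec2").describe_vpn_connections(VpnConnectionIds=[vpn_id])

if __name__ == "__main__":
    for row in tunnel_report(SAMPLE_RESPONSE):
        state = "UP  " if row["up"] else "DOWN"
        print(f'{row["vpn_id"]} {row["outside_ip"]:15} {state} routes={row["routes"]} {row["message"]}')
```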
Q: How do I connect my VPC with my corporate data center?
A: By establishing a hardware VPN connection between your existing network and your Amazon VPC, Amazon EC2 instances within your VPC can communicate with your existing network as if they were part of it. AWS does not perform network address translation (NAT) on communications with Amazon EC2 instances located within a VPC accessed through a hardware VPN connection.
Q: Can I enable NAT for my customer gateway behind a router or firewall?
A: Yes. You must enable NAT-T and open UDP port 4500 on your NAT device, and use the NAT device's public IP address as the customer gateway address.
Q: What IP address do you use for your customer gateway address?
A: Use the public IP address of your NAT device.
Q: How do I disable NAT-T on my connection?
A: You need to disable NAT-T on your device. If you do not plan to use NAT-T and it is not disabled on your device, AWS will attempt to establish a tunnel over UDP port 4500. If this port is not open, the tunnel will not be established.
Q: What do I need to do to have multiple customer gateways behind a NAT?
A: To use multiple customer gateways behind a NAT device, you must enable NAT-T on each device (AWS then establishes the tunnels over UDP port 4500, so that port must be open) and use a unique IPsec identifier for each customer gateway.
Q: How many IPsec Security Associations can be established simultaneously per tunnel?
A: Because the AWS VPN service is a route-based solution, SA limits are not a concern for route-based configurations. A policy-based configuration, however, must be limited to a single SA, since the service is route-based.
Q: Can I advertise my VPC public IP address ranges to the internet and route that traffic through my data center and the site-to-site VPN to reach my Amazon VPC?
A: Yes. You can route that traffic through your hardware VPN connection and advertise the address ranges from your home network.
Q: Up to how many routes can a VPN connection advertise to a customer gateway device?
A: Your VPN connection advertises up to 1,000 routes to your customer gateway device. For virtual private gateway VPNs, advertised route sources include VPC routes, other VPN routes, and routes from Direct Connect (DX) virtual interfaces. For AWS Transit Gateway VPNs, advertised routes come from the route table associated with the VPN attachment. If you try to send more than 1,000 routes, only a subset of 1,000 will be advertised.
Q: What is the maximum number of routes that a customer gateway device can advertise to my VPN connection?
A: You can advertise up to 100 routes from your customer gateway device to a site-to-site VPN connection on your virtual private gateway, or up to 1,000 routes to a site-to-site VPN connection on your AWS Transit Gateway. For VPN connections that use static routes, you cannot add more than 100 static routes. For VPN connections that use BGP, attempting to advertise more routes than the maximum for the gateway type will reset the BGP session.
Q: Does your VPN connection support IPv6 traffic?
A: Yes. A VPN connection to an AWS Transit Gateway can carry either IPv4 or IPv6 traffic; you choose which when creating a new VPN connection. To select IPv6 for VPN traffic, set the Inside IP Version VPN tunnel option to IPv6. Note that tunnel endpoint and customer gateway IP addresses are IPv4 only.
Q: Which side of the VPN tunnel initiates the Internet Key Exchange (IKE) session?
A: By default, the customer gateway (CGW) must initiate IKE. Alternatively, the AWS VPN endpoint can be configured to initiate IKE by enabling the appropriate option.