Note
This book concentrates on security and on how to create secure network connections in AWS, and presents the network connectivity material needed for the AWS Certified Security – Specialty exam. Networking in AWS, in the cloud, and as a discipline is a much larger topic, and you are encouraged to explore it further. This short chapter is by no means a definitive guide.
If your organization has multiple on-premises locations, AWS VPN CloudHub is an option for securing connections from all of them to the same AWS VPC. Using a hub-and-spoke model, VPN CloudHub allows multiple office locations to connect to a single virtual private gateway (VPG) over secure VPN connections. The primary condition you must abide by when setting up CloudHub is that none of the sites can have overlapping IP ranges; this prevents IP address collisions.
Figure 10.27: AWS VPN CloudHub connecting multiple locations in the hub-and-spoke model
The network setup in Figure 10.27 shows an established VPN on the right-hand side. Three corporate data centers in different geographic locations need to connect to AWS resources. None of these data centers has a conflicting IPv4 CIDR range. A customer gateway (CGW) connection in each location, combined with AWS VPN CloudHub, allows all the data centers to reach the resources in AWS and to communicate with each other.
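The non-overlap condition above is easy to get wrong once several sites and the VPC itself are involved, so the following added pre-flight check (example code, not from the book or from AWS) verifies that every spoke CIDR is disjoint from every other spoke and from the VPC CIDR before the CloudHub VPN connections are built. The site names and CIDRs are constructed sample values.

```python
"""Pre-flight check for an AWS VPN CloudHub design: every spoke site's CIDR
must be disjoint from every other site's CIDR and from the VPC's CIDR.
All CIDRs and site names below are constructed for illustration."""
import ipaddress
from itertools import combinations


def find_overlaps(sites, vpc_cidr):
    """Return a sorted list of (name_a, name_b) pairs whose ranges overlap.

    sites: dict mapping a site name to its IPv4 CIDR string.
    vpc_cidr: the IPv4 CIDR of the VPC behind the virtual private gateway.
    strict=True rejects CIDRs whose host bits are set (e.g. 10.1.5.0/16),
    which usually indicates a typo in the site inventory.
    """
    nets = {name: ipaddress.ip_network(cidr, strict=True)
            for name, cidr in sites.items()}
    nets["vpc"] = ipaddress.ip_network(vpc_cidr, strict=True)
    overlaps = []
    for (a, net_a), (b, net_b) in combinations(sorted(nets.items()), 2):
        if net_a.overlaps(net_b):
            overlaps.append((a, b))
    return overlaps


def cloudhub_ready(sites, vpc_cidr):
    """True when no two ranges overlap, i.e. the sites can share one VPG."""
    return not find_overlaps(sites, vpc_cidr)


# Constructed sample: three data centers with disjoint ranges, as in Figure 10.27.
GOOD_SITES = {
    "dc-east": "10.1.0.0/16",
    "dc-west": "10.2.0.0/16",
    "dc-europe": "10.3.0.0/16",
}
# Constructed sample where one site's range falls inside the VPC's range.
BAD_SITES = {
    "dc-east": "10.1.0.0/16",
    "dc-west": "10.0.128.0/17",   # collides with the VPC's 10.0.0.0/16
    "dc-europe": "10.3.0.0/16",
}
VPC_CIDR = "10.0.0.0/16"

if __name__ == "__main__":
    for label, sites in (("good", GOOD_SITES), ("bad", BAD_SITES)):
        problems = find_overlaps(sites, VPC_CIDR)
        print(label, "OK" if not problems else f"overlaps: {problems}")
```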
Like an AWS VPN connection, Direct Connect extends your infrastructure and joins it to your AWS architecture as if it were a single network. However, with Direct Connect, you do not use a public network to initiate the connection. Instead, your connection runs across a private network via an AWS Direct Connect location.
These AWS Direct Connect locations are data centers where your network and the AWS network are physically connected via cross-connects: standard fiber-optic cables run between your router and an AWS Direct Connect router. AWS Direct Connect manages these Direct Connect Delivery Partner data centers.
Note
For more information on these Delivery Partners, please visit https://packt.link/8PX50.
Direct Connect is one option for securing connectivity between your corporate infrastructure and AWS; it uses private infrastructure as the underlying backbone. The following section discusses VPN connections, which use the internet instead.
As an alternative to Direct Connect, you can use a VPN to connect your on-premises network to an AWS VPC. A VPN provides a secure, encrypted connection, which is useful when you need to extend your on-premises network to include resources in your VPC. To establish this connection, your VPC must have at least one subnet, and you must enable communication between the VPC and the on-premises network by creating an AWS Site-to-Site VPN connection. VPNs are a secure option for connecting your on-premises infrastructure to the AWS cloud.
Connecting to a VPC using a VPN involves the following steps:
Once you have completed these steps, you can connect to your VPC using your VPN client software and network credentials.