VPN

Cards (6)

  • AWS VPN CloudHub

    • Provide secure communication between multiple sites, if you have multiple VPN connections.
    • Low-cost hub-and-spoke model for primary or secondary network connectivity between different locations (VPN only) (1).
    • It’s a VPN connection so it goes over the public Internet (the VPN connection is encrypted).
    • To set it up, connect multiple VPN connections to the same VGW, set up dynamic routing and configure the route tables.

    (1) All the DCs (data centers) can now communicate with one another through that VPN connection too.
  • AWS Client VPN
    • Connect from your computer using OpenVPN to your private network in AWS and on-premises.
    • Allows you to connect to your EC2 instances over a private IP (just as if you were in the private VPC network).
    • Goes over the public Internet.
  • Site-to-Site VPN: Which two components are needed to establish an encrypted VPN connection over the internet using a managed AWS VPN?
    A Virtual Private Gateway (VGW) deployed on the AWS side and a Customer Gateway (CGW) deployed on the customer side or office location: VGW (AWS) <=> VPN <=> CGW
  • Site-to-Site VPN: Which AWS component terminates the VPN from your remote office location?
    Virtual Private Gateway (VGW) - attached to the VPC
  • Client VPN – Authentication Types
    1. AD Authentication
    2. Mutual Authentication
    3. Single Sign-On (supports IAM Identity Center / AWS SSO)
    AD Authentication
    • Authenticate against Microsoft AD (User-Based).
    • AWS Managed Microsoft AD or on-premises AD through AD Connector.
    • Supports MFA.
    Mutual Authentication
    • Uses certificates to perform the authentication (Certificate-Based).
    • Must upload the server certificate to AWS Certificate Manager.
    • One client cert for each user (recommended).
    Single Sign-On (supports IAM Identity Center / AWS SSO)
    • Authenticate against SAML 2.0-based identity providers (User-Based).
    • Establish a trust relationship between AWS and the identity provider.
    • Only one identity provider at a time.