Learn about options for connecting local infrastructure to AWS.
- [Instructor] With Virtual Private Cloud, you can build a logical data center in AWS. However, most established companies have existing equipment and services installed in a local data center or colocation facility. Let's explore different options for securely connecting existing infrastructure to AWS, as well as how to link multiple VPCs together. One way to connect your AWS account with your existing facilities is by establishing an Internet Protocol Security, or IPsec, VPN tunnel.
Let's visualize the components required to make that happen. After creating a VPC, you want to attach it back to an existing data center you operate. In this context, a data center is any facility where you have physical equipment. You want the servers in your physical data center to communicate privately with your Elastic Compute Cloud, or EC2, Instances. An EC2 Instance is simply a virtual server hosted in AWS. You want your private network address space to encompass both your local and AWS-hosted facilities.
To facilitate this, AWS supports IPsec VPN tunnels. An IPsec tunnel needs an anchor configured on both sides in order to work. In your AWS account, the anchor is called a Virtual Private Gateway, or VPG. Once you create a VPG, you need to attach it to the VPC containing the servers you want to address privately. Meanwhile, in your physical facility, you need to configure what AWS calls a Customer Gateway. A customer gateway is an appliance you purchase and can configure to establish an IPsec tunnel.
Networking companies, including Cisco and Juniper, have this type of equipment available. In this configuration, the path your VPC tunnel takes between your local data center and AWS is routed over the internet. Organizations that expect to continue to operate an on-premises facility may want to consider a different offering from AWS called Direct Connect. Instead of a VPN tunnel, Direct Connect offers a dedicated network connection to AWS. Only available in Direct Connect locations or through the AWS partner network, Direct Connect establishes a physical link between a router you own and an AWS Direct Connect router.
The result is that the private traffic between your local data center and AWS gets a dedicated, consistent network path instead of getting routed over the internet. Depending on how much data you move in and out of AWS, Direct Connect can decrease your overall bandwidth costs. This comes from reducing the bandwidth needed from your ISP while benefiting from lower data egress pricing. In order to prevent Direct Connect from being a single point of failure, you have a couple of different options. The first is to establish two redundant Direct Connect links.
The second is to configure an IPsec VPN tunnel as a backup. Suppose you work with a partner that operates resources in AWS and that you need to establish a private connection to that partner's resources. For instance, in the US West Oregon region, you are running some EC2 Instances within a VPC. You need to privately access some EC2 Instances within a partner's VPC in a separate AWS account. Let's suppose that this account is also located in the US West Oregon region.
If you want to communicate privately between the two, AWS supports the ability to establish a private VPC peering connection. The unique thing about a VPC peering connection is that it doesn't need a gateway or VPN connection. Instead, it makes use of existing AWS routing infrastructure. A VPC peering connection is highly available and shouldn't be considered a single point of failure. Keep in mind that VPC peering connections only work within the same AWS region.
Let's recap the Private Connectivity Options for AWS. To connect to an on-premises environment, you can set up an IPsec VPN tunnel between your local facility and AWS. To do so, you will need to configure a virtual private gateway within AWS and a customer gateway in your local facility. Alternatively, Direct Connect exists for organizations that are looking for a consistent, highly-performing network path between local facilities and AWS. Finally, with VPC peering, you can establish private connectivity between VPCs within an AWS region.
This can be done for multiple VPCs within an account or across separate AWS accounts.
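The IPsec VPN setup the lecture walks through, written out as Terraform so the pieces and their relationships are visible: a virtual private gateway attached to the VPC, a customer gateway record for the on-premises appliance, the VPN connection with a static route to the data center range, and route propagation into the VPC's private route table. This is an added example, not material from the course or from AWS; the VPC id, route table id, on-premises CIDR, customer gateway public IP and BGP ASN are placeholders or constructed values, and provider configuration is omitted.

```hcl
# Added example (not from the course). Placeholder and constructed values are
# marked; replace them with the ids and addresses of the real environment.

variable "vpc_id"         { default = "vpc-EXAMPLE" }    # existing VPC (placeholder)
variable "private_rtb_id" { default = "rtb-EXAMPLE" }    # private subnets' route table (placeholder)
variable "on_prem_cidr"   { default = "10.10.0.0/16" }   # local data center range (constructed)
variable "cgw_public_ip"  { default = "203.0.113.10" }   # on-prem appliance public IP (constructed, TEST-NET-3)

# AWS-side anchor: the virtual private gateway, attached to the VPC whose
# instances should be reachable from the data center.
resource "aws_vpn_gateway" "vgw" {
  tags = { Name = "dc-vgw" }
}

resource "aws_vpn_gateway_attachment" "vgw_attach" {
  vpc_id         = var.vpc_id
  vpn_gateway_id = aws_vpn_gateway.vgw.id
}

# On-premises anchor as AWS records it. The physical appliance still needs
# its own IPsec configuration built from the connection's tunnel details.
resource "aws_customer_gateway" "cgw" {
  bgp_asn    = 65000            # private ASN (constructed)
  ip_address = var.cgw_public_ip
  type       = "ipsec.1"
  tags       = { Name = "dc-cgw" }
}

# The tunnel itself. Static routing keeps the example small; BGP routing is
# what you would use when the VPN must fail over for a Direct Connect link.
# Note: tunnel pre-shared keys end up in Terraform state, so protect the state.
resource "aws_vpn_connection" "dc" {
  vpn_gateway_id      = aws_vpn_gateway.vgw.id
  customer_gateway_id = aws_customer_gateway.cgw.id
  type                = "ipsec.1"
  static_routes_only  = true
}

resource "aws_vpn_connection_route" "to_dc" {
  destination_cidr_block = var.on_prem_cidr
  vpn_connection_id      = aws_vpn_connection.dc.id
}

# Propagate the data center route into the private route table so EC2
# instances can reach on-prem servers without hand-maintained routes.
resource "aws_vpn_gateway_route_propagation" "prop" {
  vpn_gateway_id = aws_vpn_gateway.vgw.id
  route_table_id = var.private_rtb_id
}
```

Security groups and network ACLs on the EC2 side still have to allow traffic from the on-premises CIDR; the tunnel only provides the path.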
This course is also part of a series designed to help you prepare for the AWS Certified SysOps Administrator – Associate certification exam.
This course includes trademarks owned by Amazon Web Services. This course has not been prepared, approved, or endorsed by Amazon Web Services.