docs.aws.amazon.com Open in urlscan Pro
52.222.174.22  Public Scan

URL: https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html
Submission: On June 06 via api from ZA — Scanned from DE

Form analysis 0 forms found in the DOM

Text Content

SELECT YOUR COOKIE PREFERENCES

We use essential cookies and similar tools that are necessary to provide our
site and services. We use performance cookies to collect anonymous statistics so
we can understand how customers use our site and make improvements. Essential
cookies cannot be deactivated, but you can click “Customize cookies” to decline
performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide
useful site features, remember your preferences, and display relevant content,
including relevant advertising. To continue without accepting these cookies,
click “Continue without accepting.” To make more detailed choices or learn more,
click “Customize cookies.”

Accept all cookiesContinue without acceptingCustomize cookies


CUSTOMIZE COOKIE PREFERENCES

We use cookies and similar tools (collectively, "cookies") for the following
purposes.


ESSENTIAL

Essential cookies are necessary to provide our site and services and cannot be
deactivated. They are usually set in response to your actions on the site, such
as setting your privacy preferences, signing in, or filling in forms.




PERFORMANCE

Performance cookies provide anonymous statistics about how customers navigate
our site so we can improve site experience and performance. Approved third
parties may perform analytics on our behalf, but they cannot use the data for
their own purposes.

Allow performance category
Allowed


FUNCTIONAL

Functional cookies help us provide useful site features, remember your
preferences, and display relevant content. Approved third parties may set these
cookies to provide certain site features. If you do not allow these cookies,
then some or all of these services may not function properly.

Allow functional category
Allowed


ADVERTISING

Advertising cookies may be set through our site by us or our advertising
partners and help us deliver relevant marketing content. If you do not allow
these cookies, you will experience less relevant advertising.

Allow advertising category
Allowed

Blocking some types of cookies may impact your experience of our sites. You may
review and change your choices at any time by clicking Cookie preferences in the
footer of this site. We and selected third-parties use cookies or similar
technologies as specified in the AWS Cookie Notice

.

CancelSave preferences




UNABLE TO SAVE COOKIE PREFERENCES

We will only store essential cookies at this time, because we were unable to
save your cookie preferences.

If you want to change your cookie preferences, try again later using the link in
the AWS console footer, or contact support if the problem persists.

Dismiss


Contact Us
English


Create an AWS Account
 1. AWS
 2. ...
    
    
 3. Documentation
 4. AWS VPN
 5. User Guide

Feedback
Preferences


AWS SITE-TO-SITE VPN


USER GUIDE

 * What is Site-to-Site VPN
 * How AWS Site-to-Site VPN works
    * VPN tunnel options
    * VPN tunnel authentication options
    * VPN tunnel initiation options
    * Endpoint replacements
       * Tunnel endpoint lifecycle
   
    * Customer gateway options
    * Accelerated VPN connections
    * Site-to-Site VPN routing options
       * IPv4 and IPv6 traffic

 * Getting started tutorial
 * Architectures
    * Single and multiple VPN connections
    * AWS VPN CloudHub
    * Redundant VPN connections

 * Your customer gateway device
    * Example configurations for static routing
    * Example configurations for dynamic routing (BGP)
    * Windows Server as a customer gateway device
    * Troubleshooting
       * Device with BGP
       * Device without BGP
       * Cisco ASA
       * Cisco IOS
       * Cisco IOS without BGP
       * Juniper JunOS
       * Juniper ScreenOS
       * Yamaha

 * Work with Site-to-Site VPN
    * Create a VPN attachment for AWS Cloud WAN
    * Create a transit gateway VPN attachment
    * Test a VPN connection
    * Delete a VPN connection
    * Modify the target gateway of a VPN connection
    * Modify VPN connection options
    * Modify VPN tunnel options
    * Edit static routes for a VPN connection
    * Change the customer gateway for a VPN connection
    * Replace compromised credentials
    * Rotate VPN tunnel endpoint certificates
    * Private IP VPN with AWS Direct Connect

 * Security
    * Data protection
    * Identity and access management
       * How AWS Site-to-Site VPN works with IAM
       * Identity-based policy examples
       * Troubleshooting
       * Using service-linked roles
   
    * Resilience
    * Infrastructure security

 * Monitoring your Site-to-Site VPN connection
    * AWS Site-to-Site VPN logs
       * Contents of Site-to-Site VPN logs
   
    * Monitoring VPN tunnels using Amazon CloudWatch
    * Monitoring VPN connections using AWS Health events

 * Quotas
 * Document history

What is AWS Site-to-Site VPN? - AWS Site-to-Site VPN
AWSDocumentationAWS VPNUser Guide
ConceptsSite-to-Site VPN featuresSite-to-Site VPN limitationsWorking with
Site-to-Site VPN Pricing


WHAT IS AWS SITE-TO-SITE VPN?

PDFRSS

By default, instances that you launch into an Amazon VPC can't communicate with
your own (remote) network. You can enable access to your remote network from
your VPC by creating an AWS Site-to-Site VPN (Site-to-Site VPN) connection, and
configuring routing to pass traffic through the connection.

Although the term VPN connection is a general term, in this documentation, a VPN
connection refers to the connection between your VPC and your own on-premises
network. Site-to-Site VPN supports Internet Protocol security (IPsec) VPN
connections.

CONTENTS

 * Concepts
 * Site-to-Site VPN features
 * Site-to-Site VPN limitations
 * Working with Site-to-Site VPN
 * Pricing


CONCEPTS

The following are the key concepts for Site-to-Site VPN:

 * VPN connection: A secure connection between your on-premises equipment and
   your VPCs.

 * VPN tunnel: An encrypted link where data can pass from the customer network
   to or from AWS.
   
   Each VPN connection includes two VPN tunnels which you can simultaneously use
   for high availability.

 * Customer gateway: An AWS resource which provides information to AWS about
   your customer gateway device.

 * Customer gateway device: A physical device or software application on your
   side of the Site-to-Site VPN connection.

 * Target gateway: A generic term for the VPN endpoint on the Amazon side of the
   Site-to-Site VPN connection.

 * Virtual private gateway: A virtual private gateway is the VPN endpoint on the
   Amazon side of your Site-to-Site VPN connection that can be attached to a
   single VPC.

 * Transit gateway: A transit hub that can be used to interconnect multiple VPCs
   and on-premises networks, and as a VPN endpoint for the Amazon side of the
   Site-to-Site VPN connection.


SITE-TO-SITE VPN FEATURES

The following features are supported on AWS Site-to-Site VPN connections:

 * Internet Key Exchange version 2 (IKEv2)

 * NAT traversal

 * 4-byte ASN in the range of 1 – 2147483647 for Virtual Private Gateway (VGW)
   configuration. See Customer gateway options for your Site-to-Site VPN
   connection for more information.

 * 2-byte ASN for Customer Gateway (CGW) in the range of 1 – 65535. See Customer
   gateway options for your Site-to-Site VPN connection for more information.

 * CloudWatch metrics

 * Reusable IP addresses for your customer gateways

 * Additional encryption options; including AES 256-bit encryption, SHA-2
   hashing, and additional Diffie-Hellman groups

 * Configurable tunnel options

 * Custom private ASN for the Amazon side of a BGP session

 * Private Certificate from a subordinate CA from AWS Private Certificate
   Authority

 * Support for IPv6 traffic for VPN connections on a transit gateway


SITE-TO-SITE VPN LIMITATIONS

A Site-to-Site VPN connection has the following limitations.

 * IPv6 traffic is not supported for VPN connections on a virtual private
   gateway.

 * An AWS VPN connection does not support Path MTU Discovery.

In addition, take the following into consideration when you use Site-to-Site
VPN.

 * When connecting your VPCs to a common on-premises network, we recommend that
   you use non-overlapping CIDR blocks for your networks.


WORKING WITH SITE-TO-SITE VPN

You can create, access, and manage your Site-to-Site VPN resources using any of
the following interfaces:

 * AWS Management Console— Provides a web interface that you can use to access
   your Site-to-Site VPN resources.

 * AWS Command Line Interface (AWS CLI) — Provides commands for a broad set of
   AWS services, including Amazon VPC, and is supported on Windows, macOS, and
   Linux. For more information, see AWS Command Line Interface.

 * AWS SDKs — Provide language-specific APIs and takes care of many of the
   connection details, such as calculating signatures, handling request retries,
   and error handling. For more information, see AWS SDKs.

 * Query API— Provides low-level API actions that you call using HTTPS requests.
   Using the Query API is the most direct way to access Amazon VPC, but it
   requires that your application handle low-level details such as generating
   the hash to sign the request, and error handling. For more information, see
   the Amazon EC2 API Reference.


PRICING

You are charged for each VPN connection hour that your VPN connection is
provisioned and available. For more information, see AWS Site-to-Site VPN and
Accelerated Site-to-Site VPN Connection pricing.

You are charged for data transfer out from Amazon EC2 to the internet. For more
information, see Data Transfer on the Amazon EC2 On-Demand Pricing page.

When you create an accelerated VPN connection, we create and manage two
accelerators on your behalf. You are charged an hourly rate and data transfer
costs for each accelerator. For more information, see AWS Global Accelerator
pricing.

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please
refer to your browser's Help pages for instructions.

Document Conventions
How AWS Site-to-Site VPN works
Did this page help you? - Yes

Thanks for letting us know we're doing a good job!

If you've got a moment, please tell us what we did right so we can do more of
it.



Did this page help you? - No

Thanks for letting us know this page needs work. We're sorry we let you down.

If you've got a moment, please tell us how we can make the documentation better.




Did this page help you?
Yes
No
Provide feedback
Next topic:How AWS Site-to-Site VPN works
Need help?
 * Connect with an AWS IQ expert 

PrivacySite termsCookie preferences
© 2023, Amazon Web Services, Inc. or its affiliates. All rights reserved.


ON THIS PAGE

--------------------------------------------------------------------------------

 * Concepts
 * Site-to-Site VPN features
 * Site-to-Site VPN limitations
 * Working with Site-to-Site VPN
 * Pricing





DID THIS PAGE HELP YOU? - NO



Thanks for letting us know this page needs work. We're sorry we let you down.

If you've got a moment, please tell us how we can make the documentation better.




Feedback