Amazon VPC IPSec VPNs

2h 40m

In this section of the AWS Certified Advanced Networking - Specialty learning path, we introduce you to the various tools, technologies, and services used to connect on-premises environments to the AWS Cloud, including Direct Connect and VPNs.

Learning Objectives

  • Identify and describe how Direct Connect and VPNs are used to connect on-premises environments to the AWS Cloud
  • Describe advanced AWS Direct Connect connectivity scenarios, including when to leverage Public, Private, and Transit Virtual Interfaces (VIFs)
  • Understand routing fundamentals for static and dynamic routing in AWS along with industry-standard routing protocols such as Border Gateway Protocol (BGP)
  • Describe how to use encryption to secure traffic as it travels across VPNs and Direct Connect connections


The AWS Certified Advanced Networking - Specialty certification has been designed for anyone with experience designing, implementing, and operating complex AWS and hybrid networking architectures. Ideally, you’ll also have some exposure to the nuances of AWS networking, particularly regarding the integration of AWS services and AWS security best practices. Many exam questions will require advanced-level knowledge of many AWS services, including AWS networking services. The AWS Cloud concepts introduced in this course will be explained and reinforced from the ground up.


Hello and welcome to this Cloud Academy course on VPC VPNs and IPsec. Before we start, I'd like to introduce myself. My name is Jeremy Cook. I'm one of the trainers here at Cloud Academy specializing in AWS. Feel free to connect with either myself or the team here at Cloud Academy regarding anything about this course. You can email us at Alternatively, our online community forum is available for your feedback. In this training course, you will be introduced to IPsec and how and where it's used within VPCs to create site-to-site redundant VPN tunnels. This course will provide you with a background of the IPsec protocol suite and includes fully functional demonstrations of building both statically and dynamically routed IPsec VPN tunnels between two VPCs. The agenda for this course is as follows. We'll review general IPsec networking and security concepts, providing an explanation of what it is and why it's useful. We'll describe in detail the individual parts of the IPsec protocol suite: authentication headers, encapsulating security payloads, security associations, IKE Phase 1 and Phase 2, and both transport mode and tunnel mode. We'll review use cases and scenarios where IPsec would be useful. We'll review limitations, highlighting issues to watch out for. We'll examine where and how AWS uses and implements IPsec, introducing you to the VPC components: virtual private gateway, customer gateway, and VPN connection. Finally, we'll conclude our course with two VPC IPsec demonstrations. In the first demonstration, we'll create a statically routed IPsec VPN between two VPCs. In the second demonstration, we'll create a dynamically routed IPsec VPN between two VPCs. This demonstration will include BGP used to perform route advertisements, allowing us to propagate routes and dynamically update VPC route tables. The following prerequisites would be helpful for this course.
An understanding of the Open Systems Interconnection model, Ethernet, TCP/IP, tcpdump and Wireshark, and general networking concepts such as routing and gateways. Finally, to build your own VPC jumbo frame-enabled environment, you'll need an active AWS account. If you require an introduction to VPCs and associated networking concepts, then please consider taking the VPC-related courses here on Cloud Academy:

About the Author

Jeremy is a Content Lead Architect and DevOps SME here at Cloud Academy where he specializes in developing DevOps technical training documentation.

He has a strong background in software engineering, and has been coding with various languages, frameworks, and systems for the past 25+ years. In recent times, Jeremy has been focused on DevOps, Cloud (AWS, Azure, GCP), Security, Kubernetes, and Machine Learning.

Jeremy holds professional certifications for AWS, Azure, GCP, Terraform, Kubernetes (CKA, CKAD, CKS).