In this lesson, we will discuss encryption for AWS-Managed VPNs. In order to create an AWS-Managed Site-to-Site VPN, you'll need to create a Virtual Private Gateway or a Transit Gateway, a Customer Gateway, and a VPN connection. Is during the creation and configuration of the VPN connection, the IPsec settings, and therefore encryption settings for the VPN connection are configured. When you create an AWS-Managed VPN, two IPsec tunnels are created and each tunnel's IPsec settings can be configured. Here, we can see some of the settings for Tunnel 1 of the Site-to-Site VPN connection. Firstly, we can configure the Phase 1 and Phase 2 encryption algorithms that can be negotiated. If you want to use AES256 exclusively, you would remove the other encryption algorithms by clicking the crosses. Remember, both ends of the VPN connection must negotiate to use the same protocol.

So, if you only allow one protocol for your AWS-Managed Site-to-Site VPN, the on-premises device must support that protocol. Next, we can select the Phase 1 and Phase 2 integrity algorithms that can be negotiated. Then we can select the Diffie-Hellman groupings for each phase and the version of IKE to be used for our tunnel. Diffie-Hellman was one of the first secure key exchange mechanisms to be developed. Prior to mechanisms such as Diffie-Hellman, if you wanted to establish encryption between two endpoints, you had to prearrange what keys should be used for your session. With Diffie-Hellman, our keys can be negotiated as the session is established. As a general rule, the higher the Diffie-Hellman number, the longer the encryption keys will be. So, therefore the higher the Diffie-Hellman number, the stronger our encryption will be for our session. We can repeat the configuration for Tunnel 2 of our Site-to-Site VPN connection.

You can see that we have a lot of control over levels of integrity encryption used for our Site-to-Site VPNs. In the following demonstration, we will configure a VPN connection. As part of the setup for this demonstration, the following have already been configured. A virtual private gateway has been attached to a VPC, a customer gateway identifying the on-premises device that we will establish the VPN connection with. I'm in the VPC dashboard in the 'Virtual Private Network' section. Here you can see I have a customer gateway already created. The customer gateway is a representation of your on-premise device, the device we're going to create a VPN connection with. If I select 'Virtual Private Gateways', you can see I have a virtual private gateway configured and attached to my VPC. Let's select 'Site-to-Site VPN Connections'. To create a VPN connection, I select 'Create VPN Connection'. I then provide a name for my VPN connection, and from the virtual private gateway dropdown, I select my gateway.

Then, from the customer gateway dropdown, I select my customer gateway. We can choose to static or dynamic routing for our VPN connection. If I scroll down, we can see Tunnel 1 and Tunnel 2 options. If I select Tunnel 1, we can configure the inside IPV for side of the Tunnel 1 and precheck key for Tunnel 1. Or we can leave these boxes blank and let Amazon generate the details. If I set the 'Edit Tunnel 1 options' radio button and scroll down, we can see the IPsec options for Phase 1 and Phase 2 of the IPsec tunnel negotiation. We can choose Phase 1 and Phase 2 encryption algorithms, Phase 1 or Phase 2 integrity algorithms, and Phase 1 or Phase 2 Diffie-Hellman groupings. Scroll down a bit more. Now we can configure settings such as the IKE version, Phase 1 and Phase 2 lifetimes, and other settings to customize our IPsec session. So, you can fully customize the IPsec tunnel to match the security requirements of your organization. Once you're happy with your configuration choices, scroll down. You can then configure Tunnel 2 before selecting 'Create VPN Connection'. It may take several minutes,  but your VPN connection should be created, and eventually, its state will go from pending to available.

If I select the 'VPN connections' radio button, notice we can download configuration. If I select that, we can choose from multiple vendors and platforms. If I click on the vendor's dropdown, we would choose the vendor that matches our on-sites VPN device, such as CISCO systems. We can choose an appropriate platform. We can then select 'Download' to download the configuration file that can then be used to configure our on-premise device. The configuration file will include all the matching IPsec configuration details that we will need to successfully establish a Site-to-Site VPN.