Encryption for VPNs


In this section of the AWS Certified Advanced Networking - Specialty learning path, we introduce you to the various tools, technologies, and services used to connect on-premises environments to the AWS Cloud, including Direct Connect and VPNs.

Learning Objectives

  • Identify and describe how Direct Connect and VPNs are used to connect on-premises environments to the AWS Cloud
  • Describe advanced AWS Direct Connect connectivity scenarios, including when to leverage Public, Private, and Transit Virtual Interfaces (VIFs)
  • Understand routing fundamentals for static and dynamic routing in AWS along with industry-standard routing protocols such as Border Gateway Protocol (BGP)
  • Describe how to use encryption to secure traffic as it travels across VPNs and Direct Connect connections


The AWS Certified Advanced Networking - Specialty certification has been designed for anyone with experience designing, implementing, and operating complex AWS and hybrid networking architectures. Ideally, you'll also have some exposure to the nuances of AWS networking, particularly regarding the integration of AWS services and AWS security best practices. Many exam questions will require advanced-level knowledge of many AWS services, including AWS networking services. The AWS Cloud concepts introduced in this course will be explained and reinforced from the ground up.


In this lesson, we will discuss encryption for AWS-managed VPNs. To create an AWS-managed Site-to-Site VPN, you need a Virtual Private Gateway or a Transit Gateway, a Customer Gateway, and a VPN connection. It is during the creation and configuration of the VPN connection that the IPsec settings, and therefore the encryption settings, for the connection are configured. When you create an AWS-managed VPN, two IPsec tunnels are created, and each tunnel's IPsec settings can be configured independently. Here, we can see some of the settings for Tunnel 1 of the Site-to-Site VPN connection. Firstly, we can configure the Phase 1 and Phase 2 encryption algorithms that may be negotiated. If you want to use AES256 exclusively, remove the other encryption algorithms by clicking the crosses. Remember, what you leave in the list is a proposal, not a guarantee: both ends of the VPN connection must negotiate a common algorithm.

So, if you only allow one algorithm for your AWS-managed Site-to-Site VPN, the on-premises device must support that algorithm, or the tunnel will never come up. Next, we can select the Phase 1 and Phase 2 integrity algorithms that can be negotiated. Then we can select the Diffie-Hellman groups for each phase and the version of IKE to be used for our tunnel. Diffie-Hellman was one of the first secure key exchange mechanisms to be developed. Prior to mechanisms such as Diffie-Hellman, if you wanted to establish encryption between two endpoints, you had to pre-arrange the keys for your session. With Diffie-Hellman, the session keys are derived from an exchange performed as the session is established, so they never have to be transmitted or pre-arranged. The group number selects the parameters of that exchange: a larger modular-exponentiation modulus, or an elliptic curve, makes the exchange harder to break. Note that the numbering is not a strict strength ordering. Group 18 (8192-bit MODP) is stronger than group 19 (256-bit elliptic curve), which in turn is roughly comparable to group 15 (3072-bit MODP). The group also does not change the length of the symmetric key, which is fixed by the encryption algorithm you chose (AES128 vs AES256). For new deployments, avoid group 2 (1024-bit MODP) and prefer group 14 or higher, or one of the elliptic-curve groups 19 to 21. We can repeat the configuration for Tunnel 2 of our Site-to-Site VPN connection.

You can see that we have a lot of control over the integrity and encryption algorithms used for our Site-to-Site VPNs. In the following demonstration, we will configure a VPN connection. As part of the setup for this demonstration, the following have already been configured: a virtual private gateway attached to a VPC, and a customer gateway identifying the on-premises device with which we will establish the VPN connection. I'm in the VPC dashboard, in the 'Virtual Private Network' section. Here you can see I have a customer gateway already created. The customer gateway is a representation of your on-premises device, the device we're going to create a VPN connection with. If I select 'Virtual Private Gateways', you can see I have a virtual private gateway configured and attached to my VPC. Let's select 'Site-to-Site VPN Connections'. To create a VPN connection, I select 'Create VPN Connection'. I then provide a name for my VPN connection, and from the virtual private gateway dropdown, I select my gateway.

Then, from the customer gateway dropdown, I select my customer gateway. We can choose static or dynamic (BGP) routing for our VPN connection. If I scroll down, we can see the Tunnel 1 and Tunnel 2 options. If I select Tunnel 1, we can configure the inside IPv4 CIDR for Tunnel 1 (a /30 from the 169.254.0.0/16 link-local range) and the pre-shared key for Tunnel 1, or we can leave these boxes blank and let Amazon generate them. If I set the 'Edit Tunnel 1 options' radio button and scroll down, we can see the IPsec options for Phase 1 and Phase 2 of the tunnel negotiation: the Phase 1 and Phase 2 encryption algorithms, the Phase 1 and Phase 2 integrity algorithms, and the Phase 1 and Phase 2 Diffie-Hellman groups. Scrolling down a bit more, we can configure settings such as the IKE version, the Phase 1 and Phase 2 lifetimes, and other settings to customize our IPsec session. So, you can fully customize the IPsec tunnel to match the security requirements of your organization. Once you're happy with your configuration choices, scroll down. You can then configure Tunnel 2 before selecting 'Create VPN Connection'. It may take several minutes, but your VPN connection will be created, and its state will eventually change from pending to available.
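The same procedure can be driven through the API. The following is an added example, not code from the course or from AWS: it builds the Options payload that boto3's ec2.create_vpn_connection accepts, restricts every proposal to AES-256, SHA-2, DH group 14 or an elliptic-curve group, and IKEv2, rejects values the AWS API will not accept (for instance DH group 5 in Phase 1), and checks the "both ends must agree" point from the lesson by intersecting the proposals with the capability set of the on-premises device. The LEGACY_PEER capability set, the inside CIDRs and the pre-shared keys are constructed placeholders; the boto3 client and the gateway IDs are supplied by the caller, so the file runs offline.

```python
"""Hardened tunnel options for an AWS Site-to-Site VPN, built for boto3.

Added example, not code from the course: it builds the Options payload that
ec2.create_vpn_connection accepts, rejects values AWS does not support, and
checks that the on-premises device can still negotiate something. The peer
capability set, CIDRs and pre-shared keys below are constructed placeholders.
"""
import ipaddress
import re

# Values AWS accepts for each tunnel option (EC2 TunnelOptions API).
AWS_SUPPORTED = {
    "Phase1EncryptionAlgorithms": {"AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"},
    "Phase2EncryptionAlgorithms": {"AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"},
    "Phase1IntegrityAlgorithms": {"SHA1", "SHA2-256", "SHA2-384", "SHA2-512"},
    "Phase2IntegrityAlgorithms": {"SHA1", "SHA2-256", "SHA2-384", "SHA2-512"},
    "Phase1DHGroupNumbers": {2, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24},
    "Phase2DHGroupNumbers": {2, 5, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24},
    "IKEVersions": {"ikev1", "ikev2"},
}

# The proposal set this example pushes: AES-256 only, SHA-2 only, no group 2/5, IKEv2 only.
HARDENED = {
    "Phase1EncryptionAlgorithms": ["AES256-GCM-16", "AES256"],
    "Phase2EncryptionAlgorithms": ["AES256-GCM-16", "AES256"],
    "Phase1IntegrityAlgorithms": ["SHA2-384", "SHA2-256"],
    "Phase2IntegrityAlgorithms": ["SHA2-384", "SHA2-256"],
    "Phase1DHGroupNumbers": [20, 19, 14],
    "Phase2DHGroupNumbers": [20, 19, 14],
    "IKEVersions": ["ikev2"],
}

# Constructed capability set for a hypothetical legacy on-premises device (not a real vendor profile).
LEGACY_PEER = {
    "Phase1EncryptionAlgorithms": {"AES128"}, "Phase2EncryptionAlgorithms": {"AES128"},
    "Phase1IntegrityAlgorithms": {"SHA1"}, "Phase2IntegrityAlgorithms": {"SHA1"},
    "Phase1DHGroupNumbers": {2}, "Phase2DHGroupNumbers": {2}, "IKEVersions": {"ikev1"},
}

# Link-local /30s that AWS reserves; they cannot be used as inside tunnel CIDRs.
RESERVED_INSIDE = {ipaddress.ip_network(c) for c in (
    "169.254.0.0/30", "169.254.1.0/30", "169.254.2.0/30", "169.254.3.0/30",
    "169.254.4.0/30", "169.254.5.0/30", "169.254.169.252/30")}
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# AWS pre-shared key rule: 8-64 characters of [A-Za-z0-9._], not starting with '0'.
PSK_RE = re.compile(r"[A-Za-z1-9._][A-Za-z0-9._]{7,63}")


def unsupported_values(proposals):
    """Return 'Option: [values]' strings for anything the AWS API rejects outright."""
    return [f"{key}: {bad}" for key, allowed in AWS_SUPPORTED.items()
            if (bad := [v for v in proposals.get(key, []) if v not in allowed])]


def unnegotiable_options(proposals, peer_supported):
    """Options with no value common to both ends; any hit means the tunnel stays DOWN."""
    return [key for key, values in proposals.items()
            if not set(values) & set(peer_supported.get(key, ()))]


def valid_inside_cidr(cidr):
    """Inside CIDR must be an IPv4 /30 inside 169.254.0.0/16 and not a reserved block."""
    try:
        net = ipaddress.ip_network(cidr)  # strict: host bits must be zero
    except ValueError:
        return False
    return (net.version == 4 and net.prefixlen == 30
            and net.subnet_of(LINK_LOCAL) and net not in RESERVED_INSIDE)


def valid_psk(psk):
    return PSK_RE.fullmatch(psk) is not None


def tunnel_options(inside_cidr, psk, proposals=HARDENED, p1_lifetime=28800, p2_lifetime=3600):
    """Build one TunnelOptions entry in the exact shape boto3 expects."""
    if not valid_inside_cidr(inside_cidr):
        raise ValueError(f"inside CIDR {inside_cidr} is not an allowed /30 in 169.254.0.0/16")
    if not valid_psk(psk):
        raise ValueError("pre-shared key violates AWS length/character rules")
    if bad := unsupported_values(proposals):
        raise ValueError("unsupported values: " + "; ".join(bad))
    opts = {"TunnelInsideCidr": inside_cidr, "PreSharedKey": psk,
            "Phase1LifetimeSeconds": p1_lifetime, "Phase2LifetimeSeconds": p2_lifetime}
    # The API wants each list as [{"Value": ...}, ...], not bare strings or ints.
    opts.update({key: [{"Value": v} for v in values] for key, values in proposals.items()})
    return opts


def create_vpn_connection(ec2, customer_gateway_id, vpn_gateway_id, tunnel1, tunnel2,
                          static_routes_only=False):
    """Issue the API call; `ec2` is a boto3 EC2 client supplied by the caller."""
    return ec2.create_vpn_connection(
        CustomerGatewayId=customer_gateway_id, VpnGatewayId=vpn_gateway_id, Type="ipsec.1",
        Options={"StaticRoutesOnly": static_routes_only, "TunnelOptions": [tunnel1, tunnel2]})


if __name__ == "__main__":
    # Dry run with constructed values; pass a real client and IDs to create_vpn_connection to go live.
    t1 = tunnel_options("169.254.10.0/30", "example_psk_for_tunnel1")
    t2 = tunnel_options("169.254.11.0/30", "example_psk_for_tunnel2")
    print("tunnel 1 IKE versions:", t1["IKEVersions"])
    blocked = unnegotiable_options(HARDENED, LEGACY_PEER)
    print("legacy peer cannot negotiate:", blocked or "nothing; tunnel can come up")
```

Run against LEGACY_PEER, every option comes back as unnegotiable, which is exactly the situation the lesson warns about when you strip a proposal list down to one algorithm the on-premises device does not speak. Tighten the lists only after confirming the peer's capabilities; if the device really is limited to AES-128 and SHA-1, leave those values in the proposal and treat replacing the device as the fix rather than weakening the DH group. After creation, the same vendor-specific file the console offers can be fetched with the boto3 calls ec2.get_vpn_connection_device_types() and ec2.get_vpn_connection_device_sample_configuration(VpnConnectionId=..., VpnConnectionDeviceTypeId=..., InternetKeyExchangeVersion="ikev2").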

If I select my VPN connection's radio button, notice we can 'Download Configuration'. If I select that, we can choose from multiple vendors and platforms. From the vendor dropdown, we choose the vendor that matches our on-site VPN device, such as Cisco Systems, and then an appropriate platform. We can then select 'Download' to retrieve a configuration file that can be used to configure our on-premises device. The configuration file includes all the matching IPsec configuration details (tunnel addresses, pre-shared keys, and the algorithm proposals you selected) needed to establish the Site-to-Site VPN. Before applying it, confirm that the device actually supports every proposal in the file; a mismatch in either phase leaves the tunnel in the DOWN state.


About the Author

Jeremy is a Content Lead Architect and DevOps SME here at Cloud Academy where he specializes in developing DevOps technical training documentation.

He has a strong background in software engineering, and has been coding with various languages, frameworks, and systems for the past 25+ years. In recent times, Jeremy has been focused on DevOps, Cloud (AWS, Azure, GCP), Security, Kubernetes, and Machine Learning.

Jeremy holds professional certifications for AWS, Azure, GCP, Terraform, Kubernetes (CKA, CKAD, CKS).