In this lesson, we will discuss encapsulation protocols involved in encrypting our data as it travels between our offices and AWS. When configuring hybrid network connectivity between your sites and AWS VPC, we can choose to use: AWS managed site-to-site VPNS, also known as hardware VPNS, Customer-managed site-to-site VPNS, also known as software VPNS, and direct connect connections. Whichever method or combination of methods you use, your data traveling between your site and your AWS VPC must be protected. Protected by: strong authentication of the endpoints involved in the connection, strong integrity checks on the data packets traveling between the endpoints, and strong encryption, so that our data isn't readable if it's intercepted by a bad actor while it travels between the endpoints. When working with AWS managed site-to-site VPNS, authentication is achieved using pre-shared keys or digital certificates. 

Integrity checks are performed by using a hashing algorithm, such as the Secure Hash Algorithm. And encryption is performed using Internet Protocol security, IPsec. Authentication, integrity checks, and encryption across AWS-managed VPNS is enforced. AWS recommends using AWS Managed VPN, but one reason to configure a customer-managed site-to-site VPN is if you wish to use authentication, integrity, and encryption algorithms that AWS managed VPNS do not support. When working with AWS Direct Connect, please keep in mind that AWS Direct Connect does not encrypt your traffic in transit by default. If you wish to encrypt traffic traversing an AWS Direct Connect connection, you could create an AWS site-to-site VPN over your Direct Connect connection, or enable MAC security (MACsec) for your Direct Connect connection. IPSec is at the heart of encryption in transit in AWS. 

IPsec is an open standard that is part of the IPV4 suite. Is the protocol suite used to secure AWS-managed VPNs. IPSec is made up of several protocols: Authentication Headers: AH provides data integrity and data source authentication. Encapsulating Security Payload: ESP provides confidentiality, data integrity, and data source authentication. Internet Security Association and Key Management Protocol: ISAKMP provides a framework for authentication and key exchange. Provided either by processes such as manual configuration with pre-shared keys, or by negotiating keys using standards such as Internet Key Exchange. 

When two endpoints want to establish a site-to-site VPN using IPSec, they create a secure tunnel through a network such as the Internet. To do this, the two endpoints become IPSec peers, which involves negotiating: which integrity protocols to use, and which encryption protocols to use. To do this the two endpoints go through two negotiation phases using IKE  or IKEv2. Phase one: Phase one is used to establish a secure encrypted channel through which the two peers can negotiate phase two. Phase two: Phase two is used to agree on a set of parameters that define what traffic can go through the VPN and how to encrypt and authenticate that traffic. Through negotiation, both ends of VPN mutually agree on security to be used for the VPN session.