Encryption of Data in Transit
2h 40m

In this section of the AWS Certified Advanced Networking - Specialty learning path, we introduce you to the various tools, technologies, and services used to connect on-premises environments to the AWS Cloud, including Direct Connect and VPNs.

Learning Objectives

  • Identify and describe how Direct Connect and VPNs are used to connect on-premises environments to the AWS Cloud
  • Describe advanced AWS Direct Connect connectivity scenarios, including when to leverage Public, Private, and Transit Virtual Interfaces (VIFs)
  • Understand routing fundamentals for static and dynamic routing in AWS along with industry-standard routing protocols such as Border Gateway Protocol (BGP)
  • Describe how to use encryption to secure traffic as it travels across VPNs and Direct Connect connections


The AWS Certified Advanced Networking - Specialty certification has been designed for anyone with experience designing, implementing, and operating complex AWS and hybrid networking architectures. Ideally, you'll also have some exposure to the nuances of AWS networking, particularly regarding the integration of AWS services and AWS security best practices. Many exam questions will require advanced-level knowledge of many AWS services, including AWS networking services. The AWS Cloud concepts introduced in this course will be explained and reinforced from the ground up.


In this lesson, we will discuss the encapsulation protocols involved in encrypting our data as it travels between our offices and AWS. When configuring hybrid network connectivity between your sites and your AWS VPC, you can choose between AWS-managed site-to-site VPNs (also known as hardware VPNs), customer-managed site-to-site VPNs (also known as software VPNs), and Direct Connect connections. Whichever method or combination of methods you use, the data traveling between your site and your VPC must be protected by three things: strong authentication of the endpoints involved in the connection, so that you know who is at the other end of the tunnel; strong integrity checks on the packets traveling between the endpoints, so that modified or replayed packets are dropped; and strong encryption, so that the data is not readable if it is intercepted by a bad actor while in transit. When working with AWS-managed site-to-site VPNs, authentication is achieved using pre-shared keys or digital certificates.

Integrity checks are performed using a hashing algorithm such as the Secure Hash Algorithm (SHA), and encryption is performed using Internet Protocol Security (IPsec). Authentication, integrity checks, and encryption are enforced on AWS-managed VPNs: you cannot turn them off, although you can restrict which algorithms and IKE versions each tunnel will accept, and you should, because the defaults still allow older options such as IKEv1, SHA1, and Diffie-Hellman group 2. AWS recommends using AWS-managed VPN, but one reason to configure a customer-managed site-to-site VPN is if you wish to use authentication, integrity, or encryption algorithms that AWS-managed VPNs do not support. When working with AWS Direct Connect, keep in mind that Direct Connect does not encrypt your traffic in transit by default: it is a private circuit, not an encrypted one. If you wish to encrypt traffic traversing a Direct Connect connection, you can create an AWS site-to-site VPN over the Direct Connect connection, or enable MAC Security (MACsec) on a dedicated connection that supports it. The two are not equivalent: MACsec protects the layer 2 link between your router and the AWS device hop by hop, whereas a VPN over Direct Connect protects traffic end to end between your customer gateway and the VPC. IPsec is at the heart of encryption in transit for site-to-site connectivity in AWS.
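Because the managed VPN enforces the presence of authentication, integrity, and encryption but not their strength, a practitioner will want to check what each tunnel still permits. The following script is an added example for this lesson, not Cloud Academy's or AWS's own code. It runs offline against a constructed dictionary shaped like the output of `aws ec2 describe-vpn-connections`; the field names are my understanding of that response and the values are made up, so treat the structure as an assumption and compare it with your own output. The list of "weak" settings is this example's policy, not an AWS recommendation.

```python
"""Audit AWS Site-to-Site VPN tunnel options for weak IKE/IPsec settings.

Added example, not Cloud Academy's or AWS's code. Runs offline against a
constructed dict shaped like `aws ec2 describe-vpn-connections` output
(field names assumed from that API; values are made up).
"""

# Constructed sample: one VPN connection with two tunnels. Tunnel 1 keeps
# permissive defaults (IKEv1, SHA1, DH group 2, AES-128-CBC still allowed);
# tunnel 2 has been restricted to a modern suite.
SAMPLE_DESCRIBE_OUTPUT = {
    "VpnConnections": [
        {
            "VpnConnectionId": "vpn-0123456789abcdef0",
            "Options": {
                "TunnelOptions": [
                    {
                        "OutsideIpAddress": "203.0.113.10",
                        "IkeVersions": [{"Value": "ikev1"}, {"Value": "ikev2"}],
                        "Phase1EncryptionAlgorithms": [{"Value": "AES128"}, {"Value": "AES256"}],
                        "Phase1IntegrityAlgorithms": [{"Value": "SHA1"}, {"Value": "SHA2-256"}],
                        "Phase1DHGroupNumbers": [{"Value": 2}, {"Value": 14}],
                        "Phase2EncryptionAlgorithms": [{"Value": "AES128"}, {"Value": "AES256-GCM-16"}],
                        "Phase2IntegrityAlgorithms": [{"Value": "SHA1"}, {"Value": "SHA2-256"}],
                        "Phase2DHGroupNumbers": [{"Value": 2}, {"Value": 14}],
                    },
                    {
                        "OutsideIpAddress": "203.0.113.11",
                        "IkeVersions": [{"Value": "ikev2"}],
                        "Phase1EncryptionAlgorithms": [{"Value": "AES256-GCM-16"}],
                        "Phase1IntegrityAlgorithms": [{"Value": "SHA2-384"}],
                        "Phase1DHGroupNumbers": [{"Value": 20}],
                        "Phase2EncryptionAlgorithms": [{"Value": "AES256-GCM-16"}],
                        "Phase2IntegrityAlgorithms": [{"Value": "SHA2-384"}],
                        "Phase2DHGroupNumbers": [{"Value": 20}],
                    },
                ]
            },
        }
    ]
}

# Example policy (an assumption, not AWS guidance): reject IKEv1, SHA1,
# 1024-bit MODP (group 2) and 128-bit CBC. Anything not listed is accepted.
WEAK = {
    "IkeVersions": {"ikev1"},
    "Phase1EncryptionAlgorithms": {"AES128"},
    "Phase1IntegrityAlgorithms": {"SHA1"},
    "Phase1DHGroupNumbers": {2},
    "Phase2EncryptionAlgorithms": {"AES128"},
    "Phase2IntegrityAlgorithms": {"SHA1"},
    "Phase2DHGroupNumbers": {2},
}


def audit_tunnel(tunnel):
    """Return (option, value) pairs the tunnel still permits but the policy rejects."""
    findings = []
    for option, weak_values in WEAK.items():
        for entry in tunnel.get(option, []):
            if entry["Value"] in weak_values:
                findings.append((option, entry["Value"]))
    return findings


def audit_vpn_connections(describe_output):
    """Map (VpnConnectionId, OutsideIpAddress) -> findings for every tunnel."""
    report = {}
    for conn in describe_output["VpnConnections"]:
        for tunnel in conn["Options"]["TunnelOptions"]:
            key = (conn["VpnConnectionId"], tunnel["OutsideIpAddress"])
            report[key] = audit_tunnel(tunnel)
    return report


if __name__ == "__main__":
    for key, findings in audit_vpn_connections(SAMPLE_DESCRIBE_OUTPUT).items():
        status = "OK" if not findings else "WEAK: " + ", ".join(
            f"{opt}={val}" for opt, val in findings)
        print(key, status)
```

A tunnel that lists a weak value is not necessarily using it, since the peers pick one suite during negotiation; but as long as the value is allowed, a misconfigured or downgraded customer gateway can land on it, which is why the check is on what is permitted rather than on what is currently in use.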

IPsec is an open standard that is part of the Internet Protocol suite (it works with both IPv4 and IPv6) and is the protocol suite used to secure AWS-managed VPNs. IPsec is made up of several protocols. Authentication Header (AH) provides data integrity and data origin authentication, but no confidentiality, which is why it is not what AWS tunnels use. Encapsulating Security Payload (ESP) provides confidentiality, data integrity, and data origin authentication, and is the protocol that actually carries your VPN traffic. The Internet Security Association and Key Management Protocol (ISAKMP) provides a framework for authentication and key exchange. Session keys can be installed by manual configuration, but in practice they are negotiated using a standard such as Internet Key Exchange (IKE); where a pre-shared key is used, it authenticates the peers during that negotiation rather than serving as the traffic key itself.

When two endpoints want to establish a site-to-site VPN using IPsec, they create a secure tunnel through a network such as the Internet. To do this, the two endpoints become IPsec peers, which involves negotiating which integrity algorithms and which encryption algorithms to use. The two endpoints go through two negotiation phases using IKE (IKEv1) or IKEv2. Phase one establishes a secure, encrypted channel (the IKE security association) through which the two peers authenticate each other and negotiate phase two. Phase two agrees on a set of parameters (the IPsec security association) that define what traffic can go through the VPN and how to encrypt and authenticate that traffic. Through this negotiation, both ends of the VPN mutually agree on the security to be used for the session. If the two sides' proposals do not overlap, the responder rejects the exchange and no tunnel comes up, which is a common cause of a site-to-site VPN tunnel that stays down.
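The two phases are easier to reason about when the policy decisions are written out. The following is an added example for this lesson, not Cloud Academy's or AWS's code and not a real IKE implementation: it sends no packets, performs no Diffie-Hellman exchange, and does no authentication. It models only what the paragraph above describes: in phase one the responder selects an IKE suite from the initiator's proposals, and in phase two it selects the ESP suite and narrows the traffic selectors to what both sides allow. The peer policies, algorithm names, and network ranges are constructed; the "VPC gateway" policy is made up for the example and is not AWS's actual algorithm list.

```python
"""Simulated IKEv2 two-phase negotiation: proposal selection and traffic
selector narrowing. Added example, not Cloud Academy's or AWS's code, and
not a real IKE implementation (no packets, no DH, no authentication).
"""
from ipaddress import ip_network


class NoProposalChosen(Exception):
    """Stands in for the IKEv2 NO_PROPOSAL_CHOSEN error notification."""


class TsUnacceptable(Exception):
    """Stands in for the IKEv2 TS_UNACCEPTABLE error notification."""


def select_proposal(initiator_proposals, responder_policy):
    """Responder picks the first initiator proposal whose every transform it allows.

    A proposal maps a transform type to one value, e.g.
    {"encr": "AES-GCM-16-256", "prf": "HMAC-SHA2-256", "dh": 14}; the responder
    policy maps each transform type to the set of values it accepts. Honouring
    the initiator's order is the common implementation behaviour.
    """
    for proposal in initiator_proposals:
        if all(value in responder_policy.get(ttype, ())
               for ttype, value in proposal.items()):
            return dict(proposal)
    raise NoProposalChosen(f"no acceptable proposal among {initiator_proposals}")


def narrow(initiator_ts, responder_ts):
    """Intersect two CIDR traffic selectors (CIDR blocks either nest or are disjoint)."""
    a, b = ip_network(initiator_ts), ip_network(responder_ts)
    if a.subnet_of(b):
        return a
    if b.subnet_of(a):
        return b
    raise TsUnacceptable(f"traffic selectors {a} and {b} do not overlap")


def negotiate(initiator, responder):
    """Run both phases and return what each agreed."""
    # Phase one: agree the IKE SA suite that protects the rest of the exchange.
    ike_sa = select_proposal(initiator["ike_proposals"], responder["ike_policy"])
    # Phase two: agree the ESP suite and which traffic the child SA carries.
    child_sa = select_proposal(initiator["esp_proposals"], responder["esp_policy"])
    tsi = narrow(initiator["local_net"], responder["remote_net"])
    tsr = narrow(initiator["remote_net"], responder["local_net"])
    return {"ike_sa": ike_sa, "child_sa": child_sa, "tsi": str(tsi), "tsr": str(tsr)}


# Constructed peers. The customer gateway offers a legacy suite first and a
# modern one second; the (made-up) VPC-side policy accepts only the modern one.
CUSTOMER_GATEWAY = {
    "ike_proposals": [
        {"encr": "AES-CBC-128", "integ": "HMAC-SHA1-96", "prf": "HMAC-SHA1", "dh": 2},
        {"encr": "AES-GCM-16-256", "prf": "HMAC-SHA2-256", "dh": 14},
    ],
    "esp_proposals": [
        {"encr": "AES-CBC-128", "integ": "HMAC-SHA1-96", "dh": 2},
        {"encr": "AES-GCM-16-256", "dh": 14},  # AEAD: no separate integ transform
    ],
    "local_net": "192.168.0.0/16",
    "remote_net": "10.0.0.0/8",
}

VPC_GATEWAY = {
    "ike_policy": {"encr": {"AES-GCM-16-256"}, "prf": {"HMAC-SHA2-256"}, "dh": {14, 19}},
    "esp_policy": {"encr": {"AES-GCM-16-256"}, "dh": {14, 19}},
    "local_net": "10.0.1.0/24",       # only this VPC subnet is reachable via the tunnel
    "remote_net": "192.168.10.0/24",  # only this office subnet is admitted
}


if __name__ == "__main__":
    print(negotiate(CUSTOMER_GATEWAY, VPC_GATEWAY))
```

Two details matter in practice. The legacy proposal is rejected not only because its algorithms are weak but because the responder policy has no `integ` entry at all (GCM is an AEAD cipher, so no separate integrity transform is negotiated), illustrating how a single unexpected transform fails a whole proposal. And the wide `/16` and `/8` the initiator offered are narrowed to the `/24`s the responder is prepared to protect, which is what the VPN's routing and security policy ultimately enforces.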


About the Author

Jeremy is a Content Lead Architect and DevOps SME here at Cloud Academy where he specializes in developing DevOps technical training documentation.

He has a strong background in software engineering, and has been coding with various languages, frameworks, and systems for the past 25+ years. In recent times, Jeremy has been focused on DevOps, Cloud (AWS, Azure, GCP), Security, Kubernetes, and Machine Learning.

Jeremy holds professional certifications for AWS, Azure, GCP, Terraform, Kubernetes (CKA, CKAD, CKS).