All righty, cloud gurus. Let's talk about network security via VPNs.

Now, the first thing I wanna start with is just a review on what a VPN is. A VPN is meant to establish encrypted connections between computer devices over the public internet. VPNs are a secure method to mimic the privacy of an internal or private network connection. Now, as far as AWS goes, true or false: there are two primary VPN methods to connect to your VPC. If you guessed false, you're right. There are actually four different primary methods to connect to your AWS VPC, and let's cover those now.

The first is a Site-to-Site VPN. In a Site-to-Site VPN, users must be on the on-premise network to access this. Now, with this setup, it is best for complex solutions, because it offers the best security via IPsec. Now, it's actually very simple from an architectural standpoint. We have a customer gateway device, which maps to a customer gateway in our VPC, and the customer gateway actually connects to our internal network. Now, we also have our virtual private gateway, which is attached to our VPC, and this is going to allow private communication with our VPC resources. When these are in place, we can establish our VPN connection, which again uses IPsec, and we can then establish that communication through that VPN connection, both to and from our data center and AWS, specifically our VPCs. Again, this is gonna be the most complex solution, and it's going to offer the best security with IPsec. It is very important that you know this: Site-to-Site VPN is best because it offers IPsec security.

Now, let's talk about another solution called Client VPN. With Client VPN, users can gain network access from anywhere, and that's because it's done via a client endpoint. What this is is a service that's an AWS managed solution that offers native high availability and scalability. So there's not a lot you have to manage; you just have to configure it to a certain extent. Now, this particular method offers TLS VPN sessions, so it's not entirely as secure as IPsec. So again, if you need IPsec connections, you want to think Site-to-Site VPN. Now, in this architecture, it's even simpler. We have our employee laptop. We establish our Client VPN endpoint using the service. We have a virtual private gateway, which makes sense. We attach that to our VPC, and then once those are in place, we can establish our VPN connection from our employee laptops, which can be anywhere, into our VPC over a TLS VPN connection. Now, access is gained via an OpenVPN-based VPN client that gets installed on our laptops. It is extremely easy to use, and this solution is perfect for small companies or simple architectures.

Okay, let's go ahead and start talking about VPN CloudHub. Now, VPN CloudHub is basically a hub-and-spoke VPN solution. It's going to allow communication between two or more on-premise networks with our VPC. Now, because of this architectural design, it does require that there are multiple customer gateway devices with unique BGP ASNs. Now, this is not a networking specialty, so we're not gonna cover BGP and ASNs in depth, but you do need to know that for this, they have to be unique per customer gateway device. Now, this solution is going to be best for multiple sites that need a Site-to-Site VPN for the same virtual gateway. So in this example, we have two different regional data centers, one in Chicago, one in Kansas, and we have one VPC with our private subnet. So to establish this, we would establish the same pieces here, our customer gateway, our virtual private gateway, and then we can establish a VPN connection between those using CloudHub by referencing those different unique customer gateway devices. So notice the unique ASNs here for each gateway device, but we're using the same virtual gateway in our VPC. So now our two different data centers can leverage the same VPN connection via CloudHub, connect to our virtual gateway, and then talk to our internal resources. So really, a good keyword is to look for two or more connecting to the same virtual gateway, or something about hub-and-spoke, whenever you need to look at CloudHub.

Now, the last solution here is a third-party VPN appliance. Third-party VPN appliances are good for very simple use cases, and especially when you just need something up and running quickly. These are going to be hosted on some type of compute, usually EC2 instances, which are unmanaged, and unmanaged in this use case or scenario means unmanaged by AWS. Now, with this, you do get full control over the software and the instance hosting it, which is very unique. If you do need that full control, this might be the perfect option for you. However, with full control comes full responsibility. You have to maintain patches, you have to implement your own high availability, and you have to handle scalability. AWS doesn't touch any of that, so that's all on you. Now, usually this is gonna be open source or something from the AWS Marketplace. For instance, on the Marketplace, there are OpenVPN AMIs that you can subscribe to of different sizes based on your needs. Now, for this architecture, again, it's pretty similar as far as components go. We have our customer gateway device, we have our virtual private gateway, and of course, we can implement a VPN connection between those. Now, the difference here is that even though we have a TLS VPN connection, access is gained via third-party VPN software. So while this VPN connection's security is essentially the same, the access is different. So you're going to be accessing it via things like OpenVPN, for example. But overall, they function the same. It's just about how you want to implement, and what kind of control you need. So that covers the different scenarios and the different options.

Let's go ahead and have a takeaway and exam tip section. Now, the first thing we talked about was Site-to-Site VPN. It's important you remember this is an IPsec VPN connection that offers the most secure connection, but also comes as the most complex solution. These are perfect for on-premise-only connections that need the most security. Now, we also talked about the Client VPN, and this is an AWS managed VPN connection that uses TLS VPN connections from a software client from anywhere. It does require a client endpoint to be created via AWS, which your employees can connect to from, again, anywhere. Now, we also talked about CloudHub. Anything related to hub-and-spoke VPNs is going to leverage CloudHub, and these allow multiple separate Site-to-Site VPNs to connect to a single virtual gateway. Remember, each customer gateway device requires its own unique BGP ASN. You have to have that for this to work. And then lastly, we just covered third-party VPNs, which are fully controllable VPN offerings, usually hosted on EC2 instances. And because of this, you do get full control, but you are fully responsible for maintaining high availability, scaling, and security. Now, you can find offerings on the Marketplace to make this a lot easier to implement. You really wanna focus on security requirements more so than the network requirements when you're going through these scenarios. For instance, if they mention IPsec, immediately Client VPN is out, and more than likely third-party VPN is out. If they talk about hub-and-spoke, think CloudHub.

Okay, that's gonna do it for this section on VPNs. Let's go ahead and end things here, and then I will see you in the next lesson.
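The CloudHub rule from the lesson (two or more sites sharing one virtual private gateway, each customer gateway device with its own unique BGP ASN) turned into a small pre-flight check, added here as an example and not part of the course or AWS's own tooling. The gateway id, the Amazon-side ASN, and the site names, IPs and ASNs are constructed placeholders; the emitted CLI lines are what you would run afterwards, they are not executed by the script.

```python
# Pre-flight check for a VPN CloudHub layout (added example, not course code).
# Rule from the lesson: several sites share one virtual private gateway and
# every customer gateway device needs its own BGP ASN. Values are constructed.
from dataclasses import dataclass

VGW_ID = "vgw-EXAMPLE"   # placeholder id for the single shared virtual private gateway
VGW_ASN = 64512          # assumed Amazon-side ASN of that gateway (the AWS default)

@dataclass(frozen=True)
class Site:
    name: str
    public_ip: str   # public IP of the on-premises customer gateway device
    bgp_asn: int     # ASN that device peers with

def validate_cloudhub(sites: list[Site]) -> list[str]:
    """Return the problems found; an empty list means the layout is valid."""
    problems = []
    if len(sites) < 2:
        problems.append("CloudHub needs two or more sites on the same virtual gateway")
    seen = {}
    for s in sites:
        if s.bgp_asn == VGW_ASN:
            problems.append(f"{s.name}: ASN {s.bgp_asn} collides with the virtual gateway ASN")
        if s.bgp_asn in seen:
            problems.append(f"{s.name}: ASN {s.bgp_asn} already used by {seen[s.bgp_asn]}")
        else:
            seen[s.bgp_asn] = s.name
    return problems

def cloudhub_plan(sites: list[Site]) -> list[str]:
    """Emit the AWS CLI calls for the hub-and-spoke layout, or raise ValueError
    before emitting anything, so a duplicate ASN never reaches the API."""
    problems = validate_cloudhub(sites)
    if problems:
        raise ValueError("; ".join(problems))
    plan = []
    for s in sites:
        plan.append(f"aws ec2 create-customer-gateway --type ipsec.1 "
                    f"--public-ip {s.public_ip} --bgp-asn {s.bgp_asn}")
        plan.append(f"aws ec2 create-vpn-connection --type ipsec.1 "
                    f"--vpn-gateway-id {VGW_ID} --customer-gateway-id <cgw-id-for-{s.name}>")
    return plan

SITES = [Site("chicago", "198.51.100.10", 65001),   # constructed sample sites
         Site("kansas", "203.0.113.20", 65002)]

if __name__ == "__main__":
    print("\n".join(cloudhub_plan(SITES)))
```

Every VPN connection in the plan points at the same VGW_ID, which is the single virtual gateway the lesson says CloudHub hangs off; the customer gateway ids are left as placeholders because they only exist after the first call returns.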