All righty, cloud gurus.

Let's talk about network security via VPNs.

Now, the first thing I wanna start with
is just a review on what a VPN is.
A VPN is meant to establish encrypted connections
between computer devices over the public internet.
VPNs are a secure method to mimic the privacy
of an internal or private network connection.
Now, as far as AWS goes, true or false,
there are two primary VPN methods to connect to your VPC.
If you guess false, you're right.
There are actually four different primary methods to connect
to your AWS VPC, and let's cover those now.
The first is a Site-to-Site VPN.
And in a Site-to-Site VPN,
users must be on the on-premise network to access this.
Now with this setup, it is best for complex solutions,
because it offers the best security via IPsec.
Now, it's actually very simple
from an architectural standpoint.
We have a customer gateway device,
which maps to a customer gateway in our VPC,
and the customer gateway actually connects
to our internal network.
Now, we also have our virtual private gateway,
which is attached to our VPC,
and this is going to allow private communication
with our VPC resources.
When these are in place,
we can establish our VPN connection,
which again uses IPsec,
and we can then establish that communication
through that VPN connection,
both to and from our data center and AWS,
specifically our VPCs.
Again, this is gonna be the most complex solution
and it's going to offer the best security with IPsec.
This is very important that you know this.
Site-to-Site VPN is best because it offers IPsec security.
Now, let's talk about another solution called Client VPN.
Now, with Client VPN,
users can gain network access from anywhere,
and that's because it's done via a client endpoint.
What this is is a service that's an AWS managed solution
that offers native high availability and scalability.
So there's not a lot you have to manage,
you just have to configure it to a certain extent.
Now, this particular method offers TLS VPN sessions,
so it's not entirely as secure as IPsec.
So again, if you need IPsec connections,
you want to think Site-to-Site VPN.
Now, in this architecture, it's even simpler.
We have our employee laptop.
We establish our Client VPN endpoint using the service.
We have a virtual private gateway, which makes sense.
We attach that to our VPC, and then once those are in place,
we can establish our VPN connection
from our employee laptops, which can be anywhere,
into our VPC over a TLS VPN connection.
Now, access is gained via an OpenVPN based VPN client
that gets installed on our laptops.
It is extremely easy to use, and this solution is perfect
for small companies or simple architectures.
Okay, let's go ahead and start talking about VPN CloudHub.
Now, VPN CloudHub is basically a hub-and-spoke VPN solution.
It's going to allow communication
between two or more on-premise networks with our VPC.
Now, because of this architectural design,
it does require there are multiple customer gateway devices
with unique BGP ASNs.
Now, this is not a networking specialty,
so we're not gonna cover BGP and ASNs in depth,
but you do need to know for this they have to be unique
per customer gateway device.
Now, this solution is going to be best
for multiple sites that need a Site-to-Site VPN
for the same virtual gateway.
So in this example,
we have two different regional data centers, one in Chicago,
one in Kansas, and we have one VPC with our private subnet.
So to establish this,
we would establish the same pieces here,
our customer gateway, our virtual private gateway,
and then we can establish a VPN connection between those
using CloudHub by referencing
those different unique customer gateway devices.
So notice the unique ASNs here for each gateway device,
but we're using the same virtual gateway in our VPC.
So now our two different data centers
can leverage the same VPN connection via CloudHub,
and connect to our virtual gateway,
and then talk to our internal resources.
So really a good key word is to look for two
or more connecting to the same virtual gateway,
or something about hub-and-spoke
whenever you need to look at CloudHub.
Now, the last solution here is a third party VPN appliance.
Now, third party VPN appliances
are good for very simple use cases,
and especially when you just need something up
and running quickly.
These are going to be hosted on some type of compute,
usually EC2 instances, which are unmanaged,
and unmanaged in this use case or scenario
means unmanaged by AWS.
Now, with this, you do get full control over the software
and the instance hosting it, which is very unique.
If you do need that full control,
this might be the perfect option for you.
However, with full control comes full responsibility.
You have to maintain patches,
you have to implement your own high availability,
and you have to handle scalability.
AWS doesn't touch any of that, so that's all on you.
Now, usually this is gonna be open sourced
or something from the AWS marketplace.
For instance, on the marketplace, there are open VPN AMIs
that you can subscribe to
of different sizes based on your needs.
Now, for this architecture, again,
it's pretty similar as far as components go.
We have our customer gateway device,
we have our virtual private gateway,
and of course, we can implement a VPN connection
between those.
Now, the difference here
is that even though we're having a TLS VPN connection,
access is gained via third-party VPN software.
So while this VPN connection security
is the same, essentially, the access is different.
So you're going to be accessing it
via things like OpenVPN, for example.
But overall, they function the same.
It's just about how you want to implement,
and what kind of control you need.
So that covers the different scenarios
and the different options.
Let's go ahead and have a takeaway and exam tip section.
Now, the first thing we talked about was Site-to-Site VPN.
It's important you remember this is an IPsec VPN connection
that offers the most secure connection,
but also comes as the most complex solution.
These are perfect for on-premise only connections
that need the most security.
Now, we also talked about the Client VPN,
and this is an AWS managed VPN connection
that uses TLS VPN connections
from a software client from anywhere.
It does require a client endpoint to be created via AWS,
which your employees can connect to from, again, anywhere.
Now, we also talked about CloudHub.
Anything related to hub-and-spoke VPNs
are going to leverage CloudHub,
and they allow multiple separate Site-to-Site VPNs
to connect to a single virtual gateway.
Remember, each customer gateway device
requires its own unique BGP ASN.
You have to have that for this to work.
And then lastly, we just covered third party VPNs,
which are fully controllable VPN offerings,
usually hosted on EC2 instances.
And because of this, you do get full control,
but you are fully responsible
for maintaining high availability, scaling, and security.
Now, you can find offerings on the marketplace
to make this a lot easier to implement.
You really wanna focus on security requirements
more so than the network requirements
when you're going through these scenarios.
For instance, if they mention IPsec,
immediately Client VPN is out,
and more than likely third-party VPN is out.
If they talk about hub-and-spoke, think CloudHub.
Okay, that's gonna do it for this section on VPNs.
Let's go ahead and end things here,
and then I will see you in the next lesson.