
Traffic Encryption Options in AWS Direct Connect

1. AWS Site-to-Site VPN to an Amazon VPC
2. AWS Site-to-Site VPN to a Transit Gateway (Public VIF)
3. AWS Site-to-Site VPN Private IP VPN to AWS Transit Gateway
4. MACsec Security in AWS Direct Connect

Reviewed for technical accuracy March 3, 2025
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved. AWS Reference Architecture
AWS Site-to-Site VPN to an Amazon VPC

This method achieves traffic encryption by combining the end-to-end security of an IPsec connection with the low latency and consistent network experience of AWS Direct Connect when reaching resources in your Amazon VPC. The IPsec tunnels terminate on the VPN endpoints of the virtual private gateway, and the encrypted tunnel traffic reaches those endpoints over a Direct Connect public virtual interface (VIF) instead of the public internet.

Configuration steps

1. Create an AWS Direct Connect connection. For dedicated connections, set up a cross-connect between the AWS device and your device (or partner device) at the location. For hosted connections, you must accept the hosted connection before you can use it.
2. Once the connection is established, create an AWS Direct Connect public virtual interface (VIF) over the existing connection. Configure your customer gateway to bring up the VIF.
3. Once the Border Gateway Protocol (BGP) peer on the VIF is established, AWS advertises its public IP range to the customer gateway device over the public VIF. Your customer gateway must in turn advertise the public prefix that contains its own public IP address over the public VIF, so that traffic from the VPN endpoints back to the customer gateway is also carried over Direct Connect rather than the internet.
4. Create an AWS Site-to-Site VPN to the virtual private gateway associated with the virtual private cloud (VPC). AWS provides two AWS VPN endpoints attached to the virtual private gateway, which have public IP addresses that are reachable over the public VIF.
5. Configure your customer gateway with the VPN parameters to bring up the AWS Site-to-Site VPN connection.

[Diagram: a corporate network (192.168.0.0/16) with a user and a customer gateway device; an AWS Direct Connect location with the customer or partner device and the AWS Direct Connect device; a public VIF carrying the AWS Site-to-Site VPN to the virtual private gateway of a VPC (10.0.0.0/16) in an AWS Region; Availability Zone A workload subnet 1 (10.0.0.0/24) and Availability Zone B workload subnet 2 (10.0.1.0/24), each with an Amazon EC2 instance. Flow markers A to E correspond to the sample traffic flow below.]

Subnet route table (both workload subnets):

Destination      Target
10.0.0.0/16      local
192.168.0.0/16   vgw-id

Sample traffic flow

A. A client located in the corporate network needs to reach the IP address of an Amazon EC2 instance in the VPC, so the traffic is routed through the customer gateway (CGW).
B. The customer gateway determines that the best route to the VPC is through the AWS Site-to-Site VPN tunnel. The traffic is then encrypted based on the cryptographic parameters of the IPsec tunnel, with the destination of the encrypted packet being the public IP address of the Site-to-Site VPN endpoint.
C. The customer gateway determines that the best route to the AWS VPN endpoint public IP address is through the Direct Connect public VIF.
D. The AWS VPN endpoint receives the encrypted IPsec traffic and decrypts it. Because the original IP destination address is the Amazon EC2 instance in the VPC, the traffic is routed through the VPC fabric to the EC2 instance.
E. Return traffic from the EC2 instance to the client located in the corporate network follows a reverse but identical path.
AWS Site-to-Site VPN to AWS Transit Gateway (Public VIF)

This method achieves traffic encryption by combining the end-to-end security of an IPsec connection with the low latency and consistent network experience of AWS Direct Connect when reaching resources in your Amazon VPCs through AWS Transit Gateway. This approach is suitable for customers that need to reach multiple VPCs in their AWS environment: the Transit Gateway, rather than a per-VPC virtual private gateway, terminates the VPN, and its VPN endpoints are reached over the public VIF exactly as in the single-VPC case.

Configuration steps

1. Create an AWS Direct Connect connection. For dedicated connections, proceed to set up a cross-connect between the AWS device and your device (or partner device) at the location. For hosted connections, you must accept the connection before you can use it.
2. Once the connection is established, create an AWS Direct Connect public virtual interface. Configure your customer gateway to bring up the VIF.
3. Once the BGP peer on the VIF is established, AWS advertises its public IP range to the customer gateway device over the public VIF.
4. Create an AWS Site-to-Site VPN and choose your AWS Transit Gateway as the VPN concentrator for the AWS side.
5. Configure the customer gateway with the VPN parameters to bring up the AWS VPN connection, and route traffic destined to the VPCs behind the Transit Gateway through the AWS VPN connection.

[Diagram: a corporate network (192.168.0.0/16) with a user and a customer gateway; an AWS Direct Connect location with the customer or partner device and the AWS Direct Connect device; a public VIF carrying the AWS Site-to-Site VPN to an AWS Transit Gateway in an AWS Region; spoke VPC A (10.0.0.0/16) with a Transit Gateway subnet (10.0.0.0/24, elastic network interface) and a workload subnet (10.0.1.0/24, EC2 instance); spoke VPC B (10.1.0.0/16) with a Transit Gateway subnet (10.1.0.0/24, elastic network interface) and a workload subnet (10.1.1.0/24, EC2 instance). Flow markers A to F correspond to the sample traffic flow below.]

Spoke VPC A route table:

Destination      Target
10.0.0.0/16      local
0.0.0.0/0        tgw-id

Spoke VPC B route table:

Destination      Target
10.1.0.0/16      local
0.0.0.0/0        tgw-id

Transit Gateway VPN route table (associated with the Site-to-Site VPN attachment):

CIDR             Attachment
10.0.0.0/16      spoke VPC A
10.1.0.0/16      spoke VPC B

Transit Gateway VPC route table (associated with the spoke VPC attachments):

CIDR             Attachment
192.168.0.0/16   S2S VPN

Sample traffic flow

A. A client located in the corporate network needs to route network traffic to the IP address of an Amazon EC2 instance in spoke VPC A, and routes the traffic through the customer gateway.
B. The customer gateway determines that the best route to the VPC is through the AWS Site-to-Site VPN tunnel. The traffic is then encrypted based on the cryptographic parameters of the IPsec tunnel, with the destination of the encrypted packet being the AWS VPN endpoint public IP address.
C. The customer gateway determines that the best route to the AWS VPN endpoint public IP address is through the Direct Connect public VIF.
D. The AWS VPN endpoint attached to the Transit Gateway receives the encrypted IPsec traffic, decrypts it, and forwards the original packet to the Transit Gateway.
E. The Transit Gateway looks up the destination in its VPN route table, forwards the traffic to the spoke VPC A attachment, and the traffic is routed to the Amazon EC2 instance.
F. Return traffic from the EC2 instance to the corporate network follows a reverse but identical path.
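Steps B and C above (and the same two steps in the single-VPC variant on the previous page) are two separate route lookups on the customer gateway: the cleartext packet is matched against the VPC prefix learned over the VPN and sent into the tunnel, and the resulting ESP packet, now addressed to the VPN endpoint's public IP, is matched again to pick the physical egress. The model below is an added example, not code from the AWS reference architecture. All prefixes and addresses in it are constructed: 198.51.100.0/24 stands in for the AWS public range advertised over the public VIF, and 198.51.100.10 and 203.0.113.20 are made-up VPN endpoint addresses. It also shows the failure mode the design is exposed to: if the endpoint address is not covered by a prefix learned over the public VIF, the tunnel still comes up, the payload is still encrypted, but the traffic silently leaves over the internet uplink.

```python
"""Model of the customer gateway's two route lookups when an AWS Site-to-Site
VPN is carried over a Direct Connect public VIF. Example code, not from the
AWS reference architecture; all prefixes and addresses are constructed."""
import ipaddress
from typing import Dict, Iterable, Optional, Tuple


class RouteTable:
    """Longest-prefix-match lookup over (prefix, next_hop) pairs."""

    def __init__(self, routes: Iterable[Tuple[str, str]]):
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]

    def lookup(self, dst: str) -> Optional[str]:
        addr = ipaddress.ip_address(dst)
        matches = [(net, nh) for net, nh in self.routes if addr in net]
        if not matches:
            return None
        # The most specific prefix wins, as on a real router.
        return max(matches, key=lambda m: m[0].prefixlen)[1]


# Constructed customer gateway routing table:
#  - 10.0.0.0/16 is the VPC prefix learned over the VPN's BGP session; its
#    next hop is the IPsec tunnel interface
#  - 198.51.100.0/24 (TEST-NET-2) stands in for the AWS public range that
#    AWS advertises over the public VIF (configuration step 3)
#  - 0.0.0.0/0 is the ordinary internet uplink
CGW_TABLE = RouteTable([
    ("192.168.0.0/16", "lan"),
    ("10.0.0.0/16", "vpn-tunnel-1"),
    ("198.51.100.0/24", "dx-public-vif"),
    ("0.0.0.0/0", "internet"),
])

# Constructed public IP addresses of the two AWS VPN endpoints, i.e. the
# outer destination of the ESP packets for each tunnel.
VPN_ENDPOINTS: Dict[str, str] = {
    "vpn-tunnel-1": "198.51.100.10",
    "vpn-tunnel-2": "203.0.113.20",
}


def forward(table: RouteTable, inner_dst: str, endpoints: Dict[str, str]) -> dict:
    """Step B: route the cleartext packet. If the next hop is a tunnel, the
    packet is IPsec-encrypted and re-addressed to that tunnel's endpoint.
    Step C: route the resulting outer packet to pick the physical egress."""
    first_hop = table.lookup(inner_dst)
    if first_hop not in endpoints:
        return {"encrypted": False, "egress": first_hop}
    outer_dst = endpoints[first_hop]
    return {
        "encrypted": True,
        "tunnel": first_hop,
        "outer_dst": outer_dst,
        "egress": table.lookup(outer_dst),
    }


def uses_direct_connect(path: dict) -> bool:
    """True only if the encrypted tunnel packets leave via the public VIF.
    An encrypted path whose egress is 'internet' still protects the payload,
    but has lost the Direct Connect transport the design relies on."""
    return bool(path.get("encrypted")) and path.get("egress") == "dx-public-vif"


if __name__ == "__main__":
    # Happy path: EC2 instance in workload subnet 10.0.1.0/24 of the diagram.
    print(forward(CGW_TABLE, "10.0.1.25", VPN_ENDPOINTS))
    # Failure mode: the tunnel endpoint is not covered by any prefix learned
    # over the public VIF, so the ESP packets fall through to the default route.
    misrouted = RouteTable([
        ("10.0.0.0/16", "vpn-tunnel-2"),
        ("198.51.100.0/24", "dx-public-vif"),
        ("0.0.0.0/0", "internet"),
    ])
    bad = forward(misrouted, "10.0.1.25", VPN_ENDPOINTS)
    print(bad, "direct connect:", uses_direct_connect(bad))
```

A check equivalent to uses_direct_connect belongs in monitoring for this design: compare the tunnel endpoint addresses from the VPN configuration against the prefixes actually received on the public VIF BGP session, and alert when one is not covered, since nothing in the IPsec layer itself will notice the change of transport.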
AWS Site-to-Site VPN Private IP VPN to AWS Transit Gateway

AWS Site-to-Site VPN Private IP VPN connections are created over Direct Connect using private IP addresses, so that neither the tunnel endpoints nor the encrypted traffic are exposed to the public internet and the customer gateway no longer needs a public IP address. Private IP VPNs are deployed on top of transit VIFs and Direct Connect gateways as the underlying transport.

Configuration steps

1. Create an AWS Direct Connect connection. For dedicated connections, proceed to set up the cross-connect between the AWS device and your device (or partner device) at the location. For hosted connections, you must accept the hosted connection before you can use it.
2. Once the connection is established, create a Direct Connect transit virtual interface (VIF) and a Direct Connect gateway. Configure your customer gateway to bring up the VIF.
3. Associate your AWS Transit Gateway with the Direct Connect gateway, specifying the Transit Gateway CIDR block as the allowed prefix on this attachment. Make sure this CIDR block does not overlap with any VPC CIDR block or on-premises CIDR range. The private IP addresses of the VPN endpoints are allocated from this Transit Gateway CIDR block, which is why it is the prefix your customer gateway must learn over the transit VIF.
4. Create the AWS Site-to-Site VPN using the Direct Connect gateway and transit VIF as the underlying transport.
5. Bring up the AWS Site-to-Site VPN tunnels and route traffic destined to the VPCs behind the Transit Gateway via the AWS Site-to-Site VPN connection.

[Diagram: a corporate data center (192.168.0.0/16) with a user and a customer gateway; an AWS Direct Connect location with the customer router or partner device and the AWS Direct Connect device; a transit VIF to a Direct Connect gateway, over which the AWS Site-to-Site VPN (Private IP VPN) reaches an AWS Transit Gateway in an AWS Region; spoke VPC A (10.0.0.0/16) with a Transit Gateway subnet (10.0.1.0/28, elastic network interface) and a workload subnet (10.0.0.0/24, EC2 instance); spoke VPC B (10.1.0.0/16) with a Transit Gateway subnet (10.1.1.0/28, elastic network interface) and a workload subnet (10.1.0.0/24, EC2 instance). Flow markers A to D correspond to the sample traffic flow below.]

Spoke VPC A route table:

Destination      Target
10.0.0.0/16      local
0.0.0.0/0        tgw-id

Spoke VPC B route table:

Destination      Target
10.1.0.0/16      local
0.0.0.0/0        tgw-id

Transit Gateway VPN route table (associated with the Site-to-Site VPN attachment):

CIDR             Attachment
10.0.0.0/16      spoke VPC A
10.1.0.0/16      spoke VPC B

Transit Gateway VPC route table (associated with the spoke VPC attachments):

CIDR             Attachment
192.168.0.0/16   S2S VPN

Sample traffic flow

A. A client located in the corporate network needs to route network traffic to the IP address of an Amazon EC2 instance in spoke VPC A, and routes the traffic through the customer gateway.
B. The customer gateway determines that the best route to the VPC is via the AWS Site-to-Site VPN connection. The traffic flows through the IPsec tunnels with the selected encryption method, using the transit VIF and Direct Connect gateway as the underlying transport network.
C. The traffic arrives at the Transit Gateway. As per the Transit Gateway VPN route table, the traffic is forwarded to spoke VPC A and then routed to the EC2 instance.
D. The return traffic from the EC2 instance to the client located in the corporate network follows a reverse but identical path, as described in steps A to C.

For more information about Private IP VPNs, see Introducing AWS Site-to-Site Private IP VPNs.
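The overlap requirement in configuration step 3 is the one thing in this design that is easy to get wrong and painful to change later, because the Transit Gateway CIDR block is baked into the VPN endpoint addresses. The pre-flight check below is an added example, not code from the AWS reference architecture. It takes the VPC and on-premises CIDRs from the diagram on this page; the /24 minimum size for an IPv4 Transit Gateway CIDR block is what I recall from the Transit Gateway documentation and is treated here as an assumption to verify against the current docs.

```python
"""Pre-flight check for the Transit Gateway CIDR block used by a Private IP
VPN (configuration step 3). Example code, not part of the AWS reference
architecture."""
import ipaddress
from typing import Iterable, List

# CIDRs from the diagram on this page.
VPC_CIDRS = ["10.0.0.0/16", "10.1.0.0/16"]
ONPREM_CIDRS = ["192.168.0.0/16"]

# Assumption (recalled from the Transit Gateway documentation, verify against
# the current docs): an IPv4 Transit Gateway CIDR block must be /24 or larger.
MIN_IPV4_PREFIXLEN = 24


def check_tgw_cidr(tgw_cidr: str, vpc_cidrs: Iterable[str], onprem_cidrs: Iterable[str],
                   min_prefixlen: int = MIN_IPV4_PREFIXLEN) -> List[str]:
    """Return the problems with a candidate Transit Gateway CIDR block.
    An empty list means the block collides with none of the given ranges."""
    findings: List[str] = []
    try:
        # strict=True rejects blocks with host bits set, e.g. 192.168.1.0/16,
        # a typo that a strict=False parse would silently "fix".
        tgw = ipaddress.ip_network(tgw_cidr, strict=True)
    except ValueError as exc:
        return [f"{tgw_cidr}: not a valid CIDR block ({exc})"]
    if tgw.version == 4 and tgw.prefixlen > min_prefixlen:
        findings.append(f"{tgw}: prefix is longer than /{min_prefixlen}")
    for label, cidrs in (("VPC", list(vpc_cidrs)), ("on-premises", list(onprem_cidrs))):
        for cidr in cidrs:
            other = ipaddress.ip_network(cidr, strict=False)
            if other.version == tgw.version and tgw.overlaps(other):
                findings.append(f"{tgw}: overlaps {label} CIDR {other}")
    return findings


def first_usable(candidates: Iterable[str], vpc_cidrs: Iterable[str],
                 onprem_cidrs: Iterable[str]) -> str:
    """Pick the first candidate block with no findings; raise if none qualifies."""
    vpc_cidrs, onprem_cidrs = list(vpc_cidrs), list(onprem_cidrs)
    for candidate in candidates:
        if not check_tgw_cidr(candidate, vpc_cidrs, onprem_cidrs):
            return candidate
    raise ValueError("no candidate Transit Gateway CIDR block is free of overlaps")


if __name__ == "__main__":
    for candidate in ("10.2.0.0/24", "10.0.100.0/24", "192.168.200.0/24", "10.2.0.0/25"):
        print(candidate, check_tgw_cidr(candidate, VPC_CIDRS, ONPREM_CIDRS) or "ok")
    print("chosen:", first_usable(["10.0.50.0/24", "10.2.0.0/23"], VPC_CIDRS, ONPREM_CIDRS))
```

Feed the same function every CIDR the Transit Gateway will ever route, not just the ones attached today: peered VPCs, other regions and ranges reachable through the corporate gateway all count as "on-premises" for this purpose.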
MACsec Security in AWS Direct Connect

This method achieves encryption of traffic using MACsec security (IEEE 802.1AE), delivering native, near line-rate, point-to-point encryption for 10 Gbps and 100 Gbps links. MACsec encrypts the Layer 2 link between the AWS Direct Connect device and your (or your partner's) device at the Direct Connect location; unlike the IPsec options on the previous pages, it does not by itself protect the circuit beyond that device (see the note below).

Configuration steps

1. To configure MACsec on an AWS Direct Connect dedicated connection, ensure that the device at your end supports MACsec. The Direct Connect location must also support MACsec.
2. Create a 10 Gbps or 100 Gbps AWS Direct Connect dedicated connection, choosing the option for a MACsec-enabled port.
3. Create a Connectivity Association Key Name (CKN) / Connectivity Association Key (CAK) pair for the MACsec secret key, making sure that the key pair is compatible with your device (or partner device).
4. Associate the CKN/CAK pair with the connection via the AWS Management Console, AWS Command Line Interface (CLI), or API.
5. Set up the cross-connect and complete the physical connection to your device (or partner device). Update the device at your end with the CKN/CAK pair.
6. Create a transit VIF to a Direct Connect gateway on the new MACsec-enabled connection, associated with your AWS Transit Gateway.

[Diagram: a corporate network (192.168.0.0/16) with a user and a customer gateway; an AWS Direct Connect location where the cross-connect between the customer or partner device and the AWS Direct Connect device is MACsec encrypted; a transit VIF to a Direct Connect gateway associated with an AWS Transit Gateway in an AWS Region; spoke VPC A (10.0.0.0/16) with a Transit Gateway subnet (10.0.0.0/24, elastic network interface) and a workload subnet (10.0.1.0/24, EC2 instance); spoke VPC B (10.1.0.0/16) with a Transit Gateway subnet (10.1.0.0/24, elastic network interface) and a workload subnet (10.1.1.0/24, EC2 instance). Flow markers A to D correspond to the sample traffic flow below.]

Spoke VPC A route table:

Destination      Target
10.0.0.0/16      local
0.0.0.0/0        tgw-id

Spoke VPC B route table:

Destination      Target
10.1.0.0/16      local
0.0.0.0/0        tgw-id

Transit Gateway Direct Connect route table (associated with the Direct Connect gateway attachment):

CIDR             Attachment
10.0.0.0/16      spoke VPC A
10.1.0.0/16      spoke VPC B

Transit Gateway VPC route table (associated with the spoke VPC attachments):

CIDR             Attachment
192.168.0.0/16   DX gateway

NOTE: The connection between the customer or partner device at the AWS Direct Connect location and the on-premises customer gateway is only MACsec enabled if the Layer 2 circuit was extended all the way. If the Layer 2 circuit terminates on the customer or partner device at the AWS Direct Connect location, the responsibility for that segment of the circuit lies with the customer or partner.

Sample traffic flow

A. A client located in the corporate network needs to route network traffic to the IP address of an EC2 instance in spoke VPC A, and routes the traffic to the customer gateway.
B. The customer gateway determines that the best route to the VPC is via the transit VIF, indicating the traffic should be sent over the Direct Connect connection. On the cross-connect between your device (or partner device) and the AWS Direct Connect device, the frames are MACsec encrypted.
C. As per the Transit Gateway Direct Connect route table, the traffic is forwarded to spoke VPC A and then routed to the EC2 instance.
D. Return traffic from the EC2 instance to the client located in the corporate network follows a reverse but identical path, as described in steps A to C.

For more information about MACsec in AWS Direct Connect, see Adding MACsec security to AWS Direct Connect connections.
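Configuration steps 3 and 4 leave the key handling to the reader. The helper below is an added example, not code from the AWS reference architecture: it generates a CKN/CAK pair from the operating system's CSPRNG, refuses obviously bad pairs (wrong length, non-hex characters, a CAK equal to the CKN, or placeholder material such as all zeros), and builds the argument vector for the AWS CLI command used in step 4. Two assumptions are made and should be verified against the current Direct Connect MACsec documentation: that both the CKN and the CAK are 64 hexadecimal characters (32 bytes, matching the 256-bit GCM-AES-XPN cipher suite), and the connection identifier dxcon-example, which is a placeholder.

```python
"""Generate and sanity-check a MACsec CKN/CAK pair before associating it with a
Direct Connect connection (configuration steps 3 and 4). Example code, not
part of the AWS reference architecture."""
import re
import secrets
from typing import List, Tuple

# Assumption (recalled from the Direct Connect MACsec prerequisites, verify
# against the current docs): CKN and CAK are each 64 hexadecimal characters,
# i.e. 32 bytes, matching the 256-bit GCM-AES-XPN cipher suite.
KEY_HEX_LEN = 64
_HEX = re.compile(r"^[0-9a-fA-F]+$")


def generate_macsec_keypair() -> Tuple[str, str]:
    """Return a (ckn, cak) pair from the OS CSPRNG. The CKN only names the key
    and is carried in the clear by MKA; the CAK is the secret and must be
    handled like any other long-lived symmetric key."""
    return secrets.token_hex(KEY_HEX_LEN // 2), secrets.token_hex(KEY_HEX_LEN // 2)


def validate_macsec_keypair(ckn: str, cak: str) -> List[str]:
    """Return a list of problems; an empty list means the pair is usable."""
    findings: List[str] = []
    for name, value in (("CKN", ckn), ("CAK", cak)):
        if len(value) != KEY_HEX_LEN or not _HEX.match(value):
            findings.append(f"{name}: expected {KEY_HEX_LEN} hexadecimal characters, got {len(value)}")
    if not findings:
        if ckn.lower() == cak.lower():
            findings.append("CAK: must not equal the CKN, which is transmitted unencrypted")
        if len(set(cak.lower())) <= 2:
            findings.append("CAK: looks like a placeholder, not random key material")
    return findings


def associate_key_command(connection_id: str, ckn: str, cak: str) -> List[str]:
    """argv for step 4 via the AWS CLI (aws directconnect associate-mac-sec-key).
    Passing the CAK as an argument exposes it to shell history and process
    listings; on a shared host prefer the same command's --secret-arn form with
    the pair stored in AWS Secrets Manager."""
    problems = validate_macsec_keypair(ckn, cak)
    if problems:
        raise ValueError("; ".join(problems))
    return ["aws", "directconnect", "associate-mac-sec-key",
            "--connection-id", connection_id, "--ckn", ckn, "--cak", cak]


if __name__ == "__main__":
    ckn, cak = generate_macsec_keypair()
    print("CKN:", ckn)
    # dxcon-example is a placeholder connection identifier.
    print(" ".join(associate_key_command("dxcon-example", ckn, cak)[:-1]), "--cak <redacted>")
```

The same pair must be configured on your device (step 5); keep the CAK out of device configuration backups that are not themselves encrypted, and treat a CAK that has appeared in a ticket or chat as compromised and rotate it.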
