AWS Site-to-Site VPN

Understand Site-to-Site VPN for encrypted hybrid connectivity, including customer gateways, virtual private gateways, Transit Gateway, tunnels, routing, BGP, and exam signals.

Level: foundation | 5 min read | Updated 2026-06-02
Topics: Cloud, Certification, Networking, Security, Reliability
Tags: Site-to-Site VPN, VPN Tunnel, Customer Gateway, Virtual Private Gateway, Transit Gateway, BGP, Static Routing, IPsec

After this, you will understand

Site-to-Site VPN gives learners the fast, encrypted hybrid-connectivity baseline before they reach for dedicated Direct Connect designs.

Plain version

AWS Site-to-Site VPN creates encrypted IPsec tunnels between an on-premises network and AWS through a virtual private gateway or Transit Gateway.

Decision pressure

Learners treat VPN and Direct Connect as interchangeable and miss encryption, internet path dependency, bandwidth, and routing differences.

Exam-ready model

Use Site-to-Site VPN for encrypted hybrid connectivity, quick setup, backup to Direct Connect, or many-VPC access through Transit Gateway.

Think before reading: Why might a design use VPN even after adding Direct Connect?

VPN can provide encryption over the Direct Connect path or act as backup connectivity if the dedicated connection fails.


Study path

Read these in order

Start with the mechanics, then move into the patterns that explain why the system is shaped this way.

  1. AWS Direct Connect
  2. AWS Network Firewall

Concepts Covered

  • AWS Site-to-Site VPN
  • IPsec tunnels
  • Customer gateways
  • Virtual private gateways
  • Transit Gateway VPN attachments
  • Static and dynamic routing
  • BGP
  • Tunnel redundancy
  • VPN versus Direct Connect
  • Hybrid connectivity exam traps

1. Plain-English Mental Model

AWS Site-to-Site VPN creates encrypted network tunnels between your network and AWS.

The simple model is:

on-premises router -> encrypted IPsec tunnels over internet -> AWS VPN endpoint -> VPC or Transit Gateway

It is often the fastest way to connect an on-premises network to AWS securely. The connection uses IPsec tunnels over the internet.

Direct Connect is dedicated private connectivity. Site-to-Site VPN is encrypted internet-based connectivity.

VPN can connect to a virtual private gateway attached to one VPC, or to Transit Gateway when many VPCs need connectivity through a hub.

2. Why This Service Exists

Hybrid architectures need secure connectivity before everything is migrated.

A company may keep databases, identity systems, monitoring tools, users, or legacy applications on premises while AWS workloads grow. Those systems need private IP connectivity across environments.

Site-to-Site VPN exists because it is usually faster to provision than Direct Connect and provides encryption by design.

For SAA-C03, Site-to-Site VPN appears in questions about encrypted tunnels, quick hybrid connectivity, VPN backup to Direct Connect, customer gateways, virtual private gateways, Transit Gateway VPN attachments, BGP routing, static routing, and redundant tunnels.

The exam contrast is usually VPN versus Direct Connect, or virtual private gateway versus Transit Gateway.

3. The Naive Approach And Where It Breaks

The naive pattern is to expose resources publicly:

on-premises app -> internet -> public AWS endpoint

This may work for public APIs, but it is not appropriate when internal systems need private network access to VPC resources.

Another naive pattern is to use one VPN tunnel and ignore redundancy. AWS Site-to-Site VPN connections provide two tunnels for high availability, but the customer side must be configured to use them correctly.

Another mistake is choosing VPN when the requirement emphasizes dedicated bandwidth and consistent low-variance performance. VPN depends on internet paths.

VPN is excellent for encrypted hybrid connectivity, backup, and speed of setup. It is not a dedicated private circuit.

4. Core Primitives

A customer gateway represents the customer-side VPN device or software endpoint in AWS configuration.

A virtual private gateway attaches to a VPC and can terminate VPN connectivity for that VPC.

A Transit Gateway can terminate VPN attachments when many VPCs need hub-and-spoke hybrid connectivity.

A Site-to-Site VPN connection normally includes two tunnels for redundancy.

IPsec provides encrypted tunnel security.

Static routing uses manually configured routes.

Dynamic routing uses BGP to exchange routes between customer gateway and AWS.

Tunnel options control parameters such as inside tunnel CIDRs, pre-shared keys, and encryption settings.

5. Architecture Use Cases

Use Site-to-Site VPN for quick encrypted connectivity from an office, data center, or partner network to AWS.

Use virtual private gateway when the requirement is one VPC:

on-premises -> VPN -> virtual private gateway -> VPC

Use Transit Gateway when many VPCs need hybrid access:

on-premises -> VPN -> Transit Gateway -> many VPCs

Use VPN as backup for Direct Connect when a lower-bandwidth encrypted fallback is acceptable.

Use VPN over Direct Connect when the requirement is encrypted traffic over a dedicated private connection.

Use BGP where dynamic routing and failover are needed.

7. Security Model

Site-to-Site VPN uses encrypted IPsec tunnels.

The customer gateway device must be secured, patched, monitored, and configured correctly.

Pre-shared keys and tunnel parameters are sensitive.

Routes determine which networks can communicate. Do not advertise broader prefixes than intended.
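The route-scope rule above can be checked mechanically before a tunnel goes into production. The following is an added example, not code from this page or from AWS: it takes the prefixes a customer gateway advertises over BGP (or the static routes someone configured) and rejects anything broader than the ranges the design intends. The intended ranges and the advertised list are constructed for the example; in a real review the intended list comes from the network design, not from what the router happens to advertise.

```python
import ipaddress

# Constructed allow-list for this example: the on-premises ranges that are
# intended to be reachable over the VPN.
INTENDED_ONPREM_PREFIXES = ["10.10.0.0/16", "10.20.0.0/16", "192.168.50.0/24"]

# Constructed sample of what a customer gateway might advertise, including
# two classic leaks: a /8 that swallows the intended /16s, and a default route.
SAMPLE_ADVERTISED = ["10.10.0.0/16", "10.20.4.0/22", "10.0.0.0/8", "0.0.0.0/0", "172.16.0.0/12"]


def _covers(outer, inner):
    """True when `inner` lies entirely inside `outer` (same IP version only)."""
    return outer.version == inner.version and inner.subnet_of(outer)


def check_advertised_prefixes(advertised, intended=INTENDED_ONPREM_PREFIXES):
    """Split advertised prefixes into (accepted, rejected).

    A prefix is accepted only if it is equal to, or more specific than, one
    intended range. A prefix broader than an intended range (a /8 over the
    /16, or a default route) is rejected and the reason names the ranges it
    would swallow; an unrelated range is rejected outright.
    Returns accepted as a list of prefix strings and rejected as a list of
    (prefix, reason) tuples.
    """
    intended_nets = [ipaddress.ip_network(p) for p in intended]
    accepted, rejected = [], []
    for raw in advertised:
        net = ipaddress.ip_network(raw, strict=False)
        if any(_covers(i, net) for i in intended_nets):
            accepted.append(str(net))
            continue
        swallowed = [str(i) for i in intended_nets if _covers(net, i)]
        if swallowed:
            reason = "broader than intended (covers " + ", ".join(swallowed) + ")"
        else:
            reason = "not an intended range"
        rejected.append((str(net), reason))
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = check_advertised_prefixes(SAMPLE_ADVERTISED)
    print("accepted:", ok)
    for prefix, why in bad:
        print(f"rejected: {prefix:<16} {why}")
```

The same check applies on the AWS side: the prefixes the virtual private gateway or Transit Gateway propagates into VPC route tables should be compared against what on-premises is supposed to see, so a leak in either direction is caught.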

Security groups, NACLs, firewalls, and workload permissions still apply after traffic reaches the VPC.

If connecting many VPCs through Transit Gateway, route table segmentation is critical. VPN connectivity should not automatically mean access to every network.
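To make the segmentation point concrete, here is an added example (not code from this page or from AWS) that models Transit Gateway route tables, associations and propagations in a few dozen lines of Python and compares the naive single-table design with a segmented one. Attachment ids, CIDRs and route table names are constructed; the model keeps only the two rules that matter for reachability: traffic entering the TGW from an attachment is looked up in that attachment's associated table, and a prefix appears in a table only where it was propagated or added statically.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Attachment:
    id: str        # constructed ids, not real AWS attachment ids
    kind: str      # "vpn" or "vpc"
    cidrs: list    # prefixes behind this attachment


class TransitGatewayModel:
    """Toy model of Transit Gateway routing (assumed simplification): each
    attachment is associated with exactly one route table, used for traffic
    entering the TGW from that attachment, and an attachment's prefixes show
    up in a table only where they are propagated into it."""

    def __init__(self):
        self.attachments = {}
        self.tables = {}        # table id -> list of (network, attachment id)
        self.association = {}   # attachment id -> table id

    def add_attachment(self, att):
        self.attachments[att.id] = att

    def create_route_table(self, rt_id):
        self.tables[rt_id] = []

    def associate(self, att_id, rt_id):
        self.association[att_id] = rt_id

    def propagate(self, att_id, rt_id):
        for cidr in self.attachments[att_id].cidrs:
            self.tables[rt_id].append((ipaddress.ip_network(cidr), att_id))

    def next_hop(self, src_att_id, dst_ip):
        """Attachment that traffic from src_att_id towards dst_ip is forwarded
        to, by longest-prefix match in the source's associated table; None when
        there is no matching route (the TGW drops the packet)."""
        rt_id = self.association.get(src_att_id)
        if rt_id is None:
            return None
        ip = ipaddress.ip_address(dst_ip)
        matches = [(net, att) for net, att in self.tables[rt_id] if ip in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


# Constructed attachments: one VPN to on-premises and three spoke VPCs, one of
# which holds workloads that on-premises users must not reach directly.
ATTACHMENTS = [
    Attachment("att-vpn", "vpn", ["10.10.0.0/16"]),
    Attachment("att-shared", "vpc", ["10.100.0.0/16"]),
    Attachment("att-prod", "vpc", ["10.101.0.0/16"]),
    Attachment("att-restricted", "vpc", ["10.102.0.0/16"]),
]


def build_flat():
    """Naive design: one table, everything associated and propagated into it.
    Every attachment reaches every other, so the VPN reaches the restricted VPC."""
    tgw = TransitGatewayModel()
    tgw.create_route_table("rt-flat")
    for att in ATTACHMENTS:
        tgw.add_attachment(att)
        tgw.associate(att.id, "rt-flat")
        tgw.propagate(att.id, "rt-flat")
    return tgw


def build_segmented():
    """Segmented design: one table per trust zone; a prefix is propagated only
    into the tables of attachments that are allowed to reach it."""
    tgw = TransitGatewayModel()
    for att in ATTACHMENTS:
        tgw.add_attachment(att)
    for rt in ("rt-hybrid", "rt-shared", "rt-prod", "rt-restricted"):
        tgw.create_route_table(rt)
    tgw.associate("att-vpn", "rt-hybrid")
    tgw.associate("att-shared", "rt-shared")
    tgw.associate("att-prod", "rt-prod")
    tgw.associate("att-restricted", "rt-restricted")
    # On-premises may reach shared services and prod, never restricted.
    for att in ("att-shared", "att-prod"):
        tgw.propagate(att, "rt-hybrid")
    # Shared services talks to every zone (it is the return path for them).
    for att in ("att-vpn", "att-prod", "att-restricted"):
        tgw.propagate(att, "rt-shared")
    # Prod reaches on-premises and shared; restricted reaches shared only.
    for att in ("att-vpn", "att-shared"):
        tgw.propagate(att, "rt-prod")
    tgw.propagate("att-shared", "rt-restricted")
    return tgw


if __name__ == "__main__":
    for name, tgw in (("flat", build_flat()), ("segmented", build_segmented())):
        print(f"{name}: vpn -> 10.102.0.10 via {tgw.next_hop('att-vpn', '10.102.0.10')}")
```

The segmented build is deliberately asymmetric: the restricted table has no route back to on-premises even though shared services can reach restricted, so a VPN-attached host that somehow learns the restricted range still has no return path through the hub.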

8. Reliability And Resilience

AWS Site-to-Site VPN provides two tunnels for redundancy, but the customer device must support and use failover correctly.

Use two customer gateway devices where high availability requires customer-side redundancy.

BGP can improve route failover behavior compared with static routes.

VPN internet path quality can vary. For critical high-bandwidth workloads, Direct Connect may be needed.

Monitor tunnel status, BGP state, packet loss, and route changes.

Test failover. A VPN tunnel that looks redundant on paper may not fail over cleanly if customer routing is wrong.
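The monitoring and failover points above can be turned into a small health check. The following is an added example, not code from this page or from AWS: it reads one connection in the shape that the EC2 DescribeVpnConnections call returns (the VgwTelemetry list with one entry per tunnel), classifies the connection as healthy, degraded, down, or up-but-carrying-no-routes, and lists what an operator should look at. The field names are the real ones; the two sample connections, their ids, addresses and timestamps, the "now" used for age calculations, and the alert thresholds are all constructed for the example.

```python
import datetime as dt

UTC = dt.timezone.utc

# Constructed "now" so the example is deterministic; use dt.datetime.now(UTC)
# against live data.
SAMPLE_NOW = dt.datetime(2026, 1, 10, 12, 0, tzinfo=UTC)

# Constructed samples shaped like one element of the VpnConnections list from
# DescribeVpnConnections. Field names are real; every value is made up.
SAMPLE_ONE_TUNNEL_DOWN = {
    "VpnConnectionId": "vpn-EXAMPLE1",
    "State": "available",
    "Options": {"StaticRoutesOnly": False},   # dynamic (BGP) routing
    "VgwTelemetry": [
        {"OutsideIpAddress": "203.0.113.10", "Status": "UP", "AcceptedRouteCount": 3,
         "LastStatusChange": dt.datetime(2026, 1, 5, 8, 0, tzinfo=UTC), "StatusMessage": ""},
        {"OutsideIpAddress": "203.0.113.11", "Status": "DOWN", "AcceptedRouteCount": 0,
         "LastStatusChange": dt.datetime(2026, 1, 9, 14, 30, tzinfo=UTC), "StatusMessage": "IPSEC IS DOWN"},
    ],
}

SAMPLE_UP_BUT_NO_ROUTES = {
    "VpnConnectionId": "vpn-EXAMPLE2",
    "State": "available",
    "Options": {"StaticRoutesOnly": False},
    "VgwTelemetry": [
        {"OutsideIpAddress": "198.51.100.20", "Status": "UP", "AcceptedRouteCount": 0,
         "LastStatusChange": dt.datetime(2026, 1, 10, 11, 55, tzinfo=UTC), "StatusMessage": ""},
        {"OutsideIpAddress": "198.51.100.21", "Status": "UP", "AcceptedRouteCount": 0,
         "LastStatusChange": dt.datetime(2026, 1, 10, 11, 57, tzinfo=UTC), "StatusMessage": ""},
    ],
}

DOWN_ALERT_AFTER = dt.timedelta(minutes=15)   # assumed: longer than a brief flap
RECENT_CHANGE = dt.timedelta(minutes=10)      # assumed: "did it just come back?"


def assess_vpn_connection(conn, now):
    """Classify a connection as HEALTHY, DEGRADED, DOWN or NO_ROUTES from its
    tunnel telemetry and return the findings an operator should act on."""
    tunnels = conn.get("VgwTelemetry", [])
    dynamic = not conn.get("Options", {}).get("StaticRoutesOnly", False)
    up = [t for t in tunnels if t["Status"] == "UP"]
    findings = []

    if conn.get("State") != "available":
        findings.append(f"connection state is {conn.get('State')}")
    if len(tunnels) < 2:
        findings.append(f"only {len(tunnels)} tunnel(s) reported; expected two")

    for t in tunnels:
        ip = t["OutsideIpAddress"]
        age = now - t["LastStatusChange"]
        if t["Status"] != "UP":
            if age >= DOWN_ALERT_AFTER:
                hours = age.total_seconds() / 3600
                findings.append(f"tunnel {ip} DOWN for {hours:.1f}h: {t.get('StatusMessage') or 'no message'}")
            else:
                findings.append(f"tunnel {ip} DOWN since {t['LastStatusChange'].isoformat()} (may be a flap)")
        else:
            if age < RECENT_CHANGE:
                findings.append(f"tunnel {ip} came UP {age.total_seconds() / 60:.0f} min ago; watch for flapping")
            if dynamic and t.get("AcceptedRouteCount", 0) == 0:
                findings.append(f"tunnel {ip} UP but 0 routes accepted; check what the customer gateway advertises")

    if len(up) == 2:
        health = "HEALTHY"
    elif len(up) == 1:
        health = "DEGRADED"   # one tunnel left: no redundancy until it is fixed
    else:
        health = "DOWN"
    # With BGP, a tunnel that is up but carries no routes is not a usable path.
    if dynamic and up and all(t.get("AcceptedRouteCount", 0) == 0 for t in up):
        health = "NO_ROUTES"
        findings.append("no UP tunnel has accepted routes: traffic cannot be forwarded")

    return {"connection": conn.get("VpnConnectionId"), "health": health,
            "tunnels_up": len(up), "findings": findings}


if __name__ == "__main__":
    for sample in (SAMPLE_ONE_TUNNEL_DOWN, SAMPLE_UP_BUT_NO_ROUTES):
        result = assess_vpn_connection(sample, SAMPLE_NOW)
        print(result["connection"], result["health"])
        for finding in result["findings"]:
            print("  -", finding)
```

Fed with live data from boto3 (`ec2.describe_vpn_connections()["VpnConnections"]`), this is the kind of logic that belongs next to a CloudWatch alarm on the TunnelState metric: the alarm tells you a tunnel went down, the check tells you whether what is left is actually carrying routes, which is the question a failover test is meant to answer.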

9. Performance And Scaling

VPN performance depends on tunnel limits, encryption overhead, customer gateway capacity, and internet path behavior.

It is good for many hybrid needs, but not always for high-throughput migrations or low-variance latency requirements.

Transit Gateway simplifies scaling VPN connectivity to many VPCs.

For large data transfer or predictable performance, Direct Connect is often a better fit.

For many branch networks, AWS also has broader edge and WAN services outside the core SAA-C03 basics, but Site-to-Site VPN remains the foundational exam service.

10. Cost Model

Site-to-Site VPN costs include VPN connection hours and data transfer, with related Transit Gateway charges if used.

Customer-side network device, internet connectivity, and operations costs also matter.

VPN is usually cheaper and faster to start than Direct Connect.

Direct Connect has more setup and provider cost, but can be better for sustained high-throughput private connectivity.

Cost questions often combine VPN with Direct Connect backup: pay for dedicated connectivity where needed, use VPN for encrypted fallback.

12. SAA-C03 Exam Signals

"Encrypted connection over the internet to AWS" points to Site-to-Site VPN.

"Two IPsec tunnels" points to Site-to-Site VPN.

"Customer gateway and virtual private gateway" points to Site-to-Site VPN.

"Hybrid connectivity to many VPCs through a hub" points to Site-to-Site VPN with Transit Gateway, or to Direct Connect with Transit Gateway, depending on performance needs.

"Dedicated private connection" points to Direct Connect.

"Consistent high bandwidth and private link" points to Direct Connect.

"VPN backup for Direct Connect" points to using both.

13. Common Exam Traps

Do not confuse VPN with Direct Connect.

Do not assume VPN has dedicated bandwidth.

Do not configure only one tunnel for production resilience.

Do not forget customer gateway device health.

Do not advertise overly broad routes.

Do not assume VPN connectivity bypasses VPC security groups or routing.

Review AWS Transit Gateway, AWS Direct Connect, VPC Networking Model, and AWS Network Firewall.
