AWS Virtual Private Gateway
Overview
A virtual private gateway establishes a connection to the cloud by creating a VPN tunnel. AWS virtual private gateways come into the picture when we want to establish a VPN connection to an Amazon VPC (Virtual Private Cloud). The gateway on the customer's (our) side is known as the Customer Gateway, and the gateway on the AWS side of the VPN tunnel is called the Virtual Private Gateway.
Introduction to AWS Virtual Private Gateway
AWS Virtual Private Gateway works as the VPN connector on the AWS side. It allows a VPN tunnel to be created from on-premises servers or data centers to an AWS virtual private cloud.
AWS Virtual Private Gateway establishes a secure connection between your on-premises servers and your cloud-hosted VPC. Once this connection is established, you can reach all the resources in your AWS VPC from your on-premises data center using their private IP addresses.
A virtual private gateway can connect to multiple VPCs; these VPCs must be in the same region and the same account. It establishes a direct connection between those VPCs.
Working of AWS Virtual Private Gateway with Example
Let's look at the basic architecture we have in our AWS Virtual Private Cloud.
- A VPC is created in a specified AWS region.
- Within the VPC, subnets are created. They can be public or private subnets.
- In the common architecture, we create two subnets: a public subnet and a private subnet.
- The public subnet is used to host the web server, which is open to the Internet for clients' or users' access.
- The private subnet contains instances such as a database server with limited access.
- The two subnets are usually created in different availability zones to ensure security.
- The instances in the subnets can reach the Internet through NAT gateways.
Suppose you want to connect your on-premises office data center to the database in the private subnet. Instead of exposing the database instance, you can establish a VPN connection to your VPC from your on-premises data center.
Once this VPN connection is established, you can connect to your database instance directly using its private IP instead of setting up a new EC2 instance in the public subnet. This is made possible by the virtual private gateway, which serves as the VPN connector on the AWS side. The Customer Gateway is the VPN endpoint on the customer side.
The AWS virtual private gateway connects to the AWS VPC on one side and can connect to any number of customer gateways on the other. The VPN connection is secured using Internet Protocol Security (IPsec).
AWS Direct Connect
The connection between an AWS VPC and the on-premises data center can also be established directly by using AWS Direct Connect.
- AWS Direct Connect helps us establish a connection between an AWS VPC and the on-premises data center without using the public Internet.
- It provides a private network path with higher bandwidth.
- It uses fiber optic cables to connect to Direct Connect locations.
Creating a Virtual Private Gateway
Before working to create a virtual private gateway, we need to create a VPC (Virtual Private Cloud) first.
Create a Virtual Private Cloud
You can create a VPC using the following steps:
- Log in to the AWS Management Console and search for VPC. The VPC service gets listed.
- Click on the VPC service, and you will be redirected to the VPC dashboard. Click the Create VPC button to create a new VPC.
- On the VPC creation page, you must choose some configurations and make selections based on your needs.
- Resources: Choose VPC only if you want to create just a VPC.
- Name: Add a name for your VPC. The name can be anything you choose; it acts like a tag for finding the VPC among many.
- IPv4 CIDR: You can enter the IPv4 CIDR block manually or have AWS allocate it automatically.
- Tenancy can be kept as default.
- You can add any other tags needed (like production, development environment, etc.)
- After filling in all the required details, you can click on the Create VPC button.
- A green notification message confirms the successful creation of the VPC. The state of the VPC turns to available.
Creating a Virtual Private Gateway for VPC
You can create a VPG using the following steps:
If you look at the navigation bar on the left, you will be able to find some suboptions under the VPN. Here you will find an option that reads Virtual Private Gateways. Select the option. You will get a page like the one shown below. You can see there are no virtual private gateways present here. So let's create one.
- Click on the Create Virtual Private Gateway button.
- You are taken to a page where you must fill in the details required for creating a VPG. Give your Virtual private gateway a name, and the rest can be set as defaults. After filling in the details, click the Create Virtual Private Gateway button.
- Your Virtual Private Gateway is created, and a message pops up for successful creation. The status is available.
Attach Virtual Private Gateway to VPC
- Select the virtual private gateway you want to attach. From the Actions dropdown, select Attach to VPC.
- You are redirected to a page where you need to select the VPC you want the gateway to be attached to. Finally, click on the Attach to VPC button.
- The virtual private gateway gets attached to the VPC. You can see the VPC column is updated in the image below.
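The same VPC creation, virtual private gateway creation and attachment done from the AWS CLI, as an added example that is not code from the article. It assumes a region, a VPC CIDR and an Amazon-side ASN (placeholder defaults below), and goes one step beyond the console walkthrough by enabling route propagation on the VPC's main route table:

```shell
#!/bin/sh
# Added example, not code from the article: the console steps above done with the AWS CLI.
# Assumed inputs: region, VPC CIDR and Amazon-side ASN; resource IDs are returned by AWS.
# DRY_RUN=1 (the default here) prints each aws call and returns a placeholder ID instead of
# calling AWS, so the flow can be checked without credentials. Set DRY_RUN=0 to execute.
set -eu
REGION="${REGION:-us-east-1}"
DRY_RUN="${DRY_RUN:-1}"

# Accepts only the ranges the console allows for the Amazon-side ASN
# (64512-65534 or 4200000000-4294967294) and rejects non-numeric input.
valid_amazon_side_asn() {
  case "$1" in ''|*[!0-9]*) return 1 ;; esac
  { [ "$1" -ge 64512 ] && [ "$1" -le 65534 ]; } ||
  { [ "$1" -ge 4200000000 ] && [ "$1" -le 4294967294 ]; }
}

# Runs an aws subcommand, or prints it and echoes a placeholder ID in dry-run mode.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'DRY RUN: aws --region %s %s\n' "$REGION" "$*" >&2
    echo "dry-run-id"
  else
    aws --region "$REGION" "$@"
  fi
}

# create_and_attach_vgw <vpc-cidr> <amazon-side-asn>: creates the VPC and the VGW, attaches
# them, then enables route propagation on the VPC's main route table so prefixes learned
# over the VPN reach the private subnet (a step the console walkthrough does not show).
# Prints "<vpc-id> <vgw-id>".
create_and_attach_vgw() {
  valid_amazon_side_asn "$2" || { echo "ASN out of range: $2" >&2; return 1; }
  vpc_id=$(run ec2 create-vpc --cidr-block "$1" --query Vpc.VpcId --output text)
  vgw_id=$(run ec2 create-vpn-gateway --type ipsec.1 --amazon-side-asn "$2" \
             --query VpnGateway.VpnGatewayId --output text)
  run ec2 attach-vpn-gateway --vpc-id "$vpc_id" --vpn-gateway-id "$vgw_id" >/dev/null
  if [ "$DRY_RUN" != "1" ]; then   # attachment is asynchronous; wait for state "attached"
    until [ "$(run ec2 describe-vpn-gateways --vpn-gateway-ids "$vgw_id" \
          --query 'VpnGateways[0].VpcAttachments[0].State' --output text)" = "attached" ]
    do sleep 5; done
  fi
  rtb_id=$(run ec2 describe-route-tables --filters Name=vpc-id,Values="$vpc_id" \
             Name=association.main,Values=true --query 'RouteTables[0].RouteTableId' --output text)
  run ec2 enable-vgw-route-propagation --route-table-id "$rtb_id" --gateway-id "$vgw_id" >/dev/null
  echo "$vpc_id $vgw_id"
}

create_and_attach_vgw "${VPC_CIDR:-10.0.0.0/16}" "${AMAZON_SIDE_ASN:-64512}"
```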
Associating and Disassociating Virtual Private Gateways
We must first create a Direct Connect Gateway before we can associate a virtual private gateway with it or disassociate one from it.
Create a Direct Connect Gateway
- Log in to the AWS Management Console, and search for Direct Connect in the search bar. The AWS Direct Connect service appears. Select it.
- You are taken to a page as shown below. Here, click on the button that reads Create Direct Connect Gateway.
- Fill in the details needed, like name and ASN. The name can be any name of your choice.
- ASN stands for Autonomous System Number. You can leave that as default. The ASN can be any number in the range 64,512 to 65,534 or 4,200,000,000 to 4,294,967,294.
- Click on Create Direct Connect Gateway.
- The AWS Direct Connect Gateway has been created, and its status is available.
Associating an AWS Virtual Private Gateway
The following steps are used to associate a virtual private gateway.
- Select the Direct Connect Gateway you want to associate and click on it.
- You are redirected to another page. Here you need to click on Associate Gateway.
- From the dropdown menu, select the virtual private gateway you want to associate with the Direct Connect Gateway and then click on Associate Gateway.
- The virtual private gateway gets successfully associated with the direct connect gateway. The status reads associated.
Disassociating a Virtual Private Gateway
- Select the AWS virtual private gateway that you want to disassociate, and click on the Disassociate button.
- The virtual private gateway is disassociated from the Direct Connect gateway.
Creating a Private Virtual Interface to the Direct Connect Gateway
A Private Virtual Interface to the Direct Connect Gateway can be created in multiple ways using the AWS Management Console, the AWS CLI, or SDKs. Here we look at creating a Private Virtual Interface using the AWS Management Console.
Create Connection
- Search for Direct Connect in the search bar and click on the Direct Connect option.
- On the page you are redirected to, click Create connection.
- Fill in the required details for creating a connection.
- Type: Select the type of connection. Here we will choose Classic.
- Name: Give a name of your choice to the connection.
- Location: Select the location where you want to establish the connection.
- Service Provider: Choose a service provider for your connection.
- After filling in the details, click on Create connection.
- The connection is created successfully. Because this provisions a physical connection, some confirmation by email is required after creation before the connection is usable.
Create a Virtual Interface
- Search for Virtual Interfaces in the search bar. Under the Features section, you will find the Virtual Interfaces option.
- You will be redirected to a new page. Here you can see there are no virtual interfaces present. Click on create virtual interface to create one.
- Fill in the details required for creating the virtual interface.
- Type: We are creating a private virtual interface, so the type will be Private.
- Name: Give a name of your choice to the virtual interface you are creating.
- Connection: Here, choose from the dropdown the Direct Connect connection for which you want to create the interface.
- Virtual Interface Owner: If the interface is to be owned by another AWS account, choose that option and enter that account's details.
- Direct Connect Gateway: Choose the Direct Connect gateway for which you want to create the virtual interface.
- VLAN: Enter an ID for your virtual LAN.
- BGP ASN: This stands for Border Gateway Protocol Autonomous System Number (of the on-premises peer router here). For this input box, any value between 1 and 2147483647 is acceptable.
- The additional settings can be left as default. You can add or remove tags if needed.
- Finally, click on Create virtual interface. The virtual interface gets created with the required specifications.
Creating a Private Virtual Interface Using the CLI
To create one from the CLI, we use the create-private-virtual-interface command (aws directconnect create-private-virtual-interface).
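The same call from the AWS CLI, as an added example that is not from the article, with the VLAN and BGP ASN ranges from the console form checked before the request is sent. The connection ID and Direct Connect gateway ID are placeholders:

```shell
#!/bin/sh
# Added example, not the article's code: create-private-virtual-interface from the AWS CLI.
# Placeholder values are assumed for the connection ID and Direct Connect gateway ID; the
# VLAN and on-premises BGP ASN are checked against the ranges the console form accepts
# before the call. DRY_RUN=1 (the default) prints the command instead of calling AWS.
set -eu
DRY_RUN="${DRY_RUN:-1}"

is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; esac; }
# 802.1Q VLAN tag: 1-4094.
valid_vlan() { is_uint "$1" && [ "$1" -ge 1 ] && [ "$1" -le 4094 ]; }
# Customer-side BGP ASN field: 1-2147483647 (as stated in the console walkthrough).
valid_bgp_asn() { is_uint "$1" && [ "$1" -ge 1 ] && [ "$1" -le 2147483647 ]; }

# private_vif_json <name> <vlan> <asn> <dx-gateway-id>: prints the JSON value for
# --new-private-virtual-interface, or fails (non-zero) when a field is out of range.
# The name is assumed to contain no characters that need JSON escaping.
private_vif_json() {
  valid_vlan "$2" || { echo "VLAN out of range: $2" >&2; return 1; }
  valid_bgp_asn "$3" || { echo "BGP ASN out of range: $3" >&2; return 1; }
  printf '{"virtualInterfaceName":"%s","vlan":%s,"asn":%s,"directConnectGatewayId":"%s"}' \
    "$1" "$2" "$3" "$4"
}

# create_private_vif <connection-id> <name> <vlan> <asn> <dx-gateway-id>
create_private_vif() {
  spec=$(private_vif_json "$2" "$3" "$4" "$5") || return 1
  if [ "$DRY_RUN" = "1" ]; then
    printf "DRY RUN: aws directconnect create-private-virtual-interface --connection-id %s --new-private-virtual-interface '%s'\n" "$1" "$spec"
  else
    aws directconnect create-private-virtual-interface --connection-id "$1" \
      --new-private-virtual-interface "$spec"
  fi
}

# Placeholder IDs (not real resources): replace with your own connection and gateway IDs.
create_private_vif "dxcon-PLACEHOLDER" "dx-private-vif" 100 65000 "DXGW-ID-PLACEHOLDER"
```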
The output can be something like this:
Associating a Virtual Private Gateway Across Accounts
Follow the steps to associate an AWS virtual private gateway across multiple accounts.
Create an Association Proposal
- Click on the AWS virtual private gateway for which you want to create an association proposal.
- Under the selected virtual private gateway page, click the Associate Direct Connect Gateway button.
- Select Another account under this details page. Fill in the details like direct connect gateway ID and AWS account ID. In the account ID, add the ID of the owner account. Finally, click on the Associate Direct Connect Gateway button.
Accept or Reject the Association Proposal
- Select the Direct Connect gateway whose association proposals you want to work with.
- Under the association proposals tab of the page, you can see the list of proposals. You can select any proposal and click on the Accept button to accept the proposal or the Reject button to reject the proposal.
Delete an Association Proposal
You can even delete an association proposal.
- Move to the Virtual private Gateways page.
- Under the pending Direct Connect Gateway proposals tab, we can see a list of pending proposals.
- A proposal can be deleted by selecting it from the list and clicking on the Delete Association Proposal button.
Difference Between Virtual Private Gateway and Transit Gateway
What is Transit Gateway?
Transit Gateway is used to establish connections between multiple VPCs and on-premises data centers. It is a fully managed service that connects AWS VPCs, AWS accounts, and on-premises data centers to a central hub.
Differences
Let's discuss some differences between Virtual Private Gateway and Transit Gateway.
| Parameter | AWS Virtual Private Gateway | AWS Transit Gateway |
|---|---|---|
| Architecture | An AWS virtual private gateway allows us to create a VPN tunnel connecting AWS VPCs and on-premises data centers. | AWS Transit Gateway establishes a connection by connecting AWS VPCs and on-premises networks to a central hub, which gives a comparatively simpler design. |
| Scaling | Scaling with AWS virtual private gateways increases complexity. | Transit Gateway's hub architecture keeps the scaling process less complex. |
| Speed | A direct connection is established using the AWS virtual private gateway, so there is no extra latency. | Traffic through a transit gateway passes through the central hub first, so packets experience a slight additional delay. |
| Availability | An AWS virtual private gateway can be created anywhere across the globe. | AWS Transit Gateway can be created in limited areas only. |
| Control | A virtual private gateway provides comparatively less control over the traffic entering the VPC network. | Transit Gateway gives better control of and visibility into the traffic connecting to the VPC. |
Conclusion
In this article, we explored the following:
- A virtual private gateway establishes a connection between the on-premises data center and an AWS VPC.
- Using this connection, we can access all the resources in the VPC from our on-premises data center using their private IPs.
- Using an AWS virtual private gateway, we can connect to resources without creating any EC2 instance in the public subnets of the VPC.
- We can create an AWS virtual private gateway and attach it to a Virtual Private Cloud (VPC).
- A virtual private gateway can be used to establish connections across multiple accounts.
- It can be created anywhere across the globe with minimal latency. We can use a virtual private gateway to establish connections between multiple VPCs using Direct Connect.
- We used the AWS Management Console to create a VPG, associate it with Direct Connect gateways, and attach it to VPCs. These steps can also be accomplished using the AWS CLI or AWS SDKs.