Site-to-Site VPN - AWS SysOps Administrator Associate Guide
Why Site-to-Site VPN is Important
Site-to-Site VPN is a critical networking component that enables secure communication between your on-premises data center and your AWS Virtual Private Cloud (VPC). For SysOps Administrators, understanding this technology is essential because it forms the backbone of hybrid cloud architectures, allowing organizations to extend their existing infrastructure into AWS securely.
What is Site-to-Site VPN?
AWS Site-to-Site VPN creates an encrypted IPsec connection between your on-premises network and your AWS VPC. It normally runs over the public internet, although a Direct Connect public virtual interface can also carry it. This connection consists of two main components:
• Virtual Private Gateway (VGW) - The AWS-side endpoint attached to your VPC (a Transit Gateway can take this role instead when many VPCs share the connection)
• Customer Gateway (CGW) - Represents your on-premises VPN device in AWS: its public IP address and, for dynamic routing, its BGP ASN
Each Site-to-Site VPN connection provides two VPN tunnels for high availability, each terminating on a separate AWS endpoint with its own public IP address. Configure both tunnels on your device: AWS can take one endpoint down for maintenance, and a connection with only one tunnel configured loses connectivity when that happens.
How Site-to-Site VPN Works
1. Setup Phase:
- Create a Virtual Private Gateway and attach it to your VPC
- Create a Customer Gateway with your on-premises device's public IP address and, for BGP, its ASN (which must differ from the Amazon-side ASN of the VGW)
- Create a Site-to-Site VPN connection linking the VGW and CGW, choosing static or dynamic (BGP) routing; optionally restrict the IKE version, algorithms and DH groups in the tunnel options
- Download the configuration file and apply it to your on-premises device; it contains the pre-shared keys, so treat it as a secret. Allow UDP 500, UDP 4500 (NAT-T) and ESP (IP protocol 50) through the on-premises firewall
- Update route tables to send traffic for on-premises prefixes to the VGW, either with static routes or by enabling route propagation
2. Data Flow:
- Traffic from your on-premises network is encrypted by your router
- Data travels over the internet through IPsec tunnels
- AWS decrypts the traffic at the Virtual Private Gateway
- Return traffic follows the reverse path
3. Key Technical Specifications:
- Maximum throughput: 1.25 Gbps and 140,000 packets per second per tunnel
- Supports static routing or dynamic routing with BGP
- Uses IKEv1 or IKEv2 for key exchange; prefer IKEv2 and restrict the algorithms AWS will negotiate through the tunnel options
- Supports AES-128 and AES-256 (CBC and GCM) encryption, SHA-2 integrity and DH groups 2 through 24. The defaults also accept SHA-1 and DH group 2, so pin the stronger choices on both ends
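The setup phase above as one CloudFormation template. This is an added example written for this guide, not AWS documentation or AWS sample code. The VPC ID, route table ID, customer gateway address (203.0.113.10, a documentation address) and ASN 65000 are placeholder inputs; the Phase 1/Phase 2 tunnel-option properties assume the current AWS::EC2::VPNConnection schema (older schema versions accept only PreSharedKey and TunnelInsideCidr).

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Site-to-Site VPN (BGP) from an existing VPC to one on-premises device.
  Example template for this guide; parameter defaults are placeholders.

Parameters:
  VpcId:
    Type: AWS::EC2::VPC::Id
  PrivateRouteTableId:
    Type: String                  # route table that should learn on-premises prefixes
  CustomerGatewayIp:
    Type: String
    Default: 203.0.113.10         # placeholder: public IP of the on-premises VPN device
  CustomerGatewayAsn:
    Type: Number
    Default: 65000                # placeholder private ASN; must differ from AmazonSideAsn

Resources:
  VirtualPrivateGateway:
    Type: AWS::EC2::VPNGateway
    Properties:
      Type: ipsec.1
      AmazonSideAsn: 64512

  VgwAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      VpcId: !Ref VpcId
      VpnGatewayId: !Ref VirtualPrivateGateway

  CustomerGateway:
    Type: AWS::EC2::CustomerGateway
    Properties:
      Type: ipsec.1
      IpAddress: !Ref CustomerGatewayIp
      BgpAsn: !Ref CustomerGatewayAsn

  VpnConnection:
    Type: AWS::EC2::VPNConnection
    Properties:
      Type: ipsec.1
      VpnGatewayId: !Ref VirtualPrivateGateway
      CustomerGatewayId: !Ref CustomerGateway
      StaticRoutesOnly: false     # BGP: prefixes are learned and tunnel failover is automatic
      # Both tunnels pinned to IKEv2 and AES-256-GCM / SHA-2 / DH group 20 instead of the
      # permissive defaults. PreSharedKey is omitted on purpose: AWS generates one per
      # tunnel and it appears only in the downloaded device configuration, never here.
      # StartupAction "start" makes AWS initiate IKE, so the tunnel comes up without
      # waiting for on-premises traffic (the default "add" leaves AWS as responder).
      VpnTunnelOptionsSpecifications:
        - TunnelInsideCidr: 169.254.10.0/30
          IKEVersions: [{ Value: ikev2 }]
          Phase1EncryptionAlgorithms: [{ Value: AES256-GCM-16 }]
          Phase1IntegrityAlgorithms: [{ Value: SHA2-256 }]
          Phase1DHGroupNumbers: [{ Value: 20 }]
          Phase2EncryptionAlgorithms: [{ Value: AES256-GCM-16 }]
          Phase2IntegrityAlgorithms: [{ Value: SHA2-256 }]
          Phase2DHGroupNumbers: [{ Value: 20 }]
          DPDTimeoutSeconds: 30
          StartupAction: start
        - TunnelInsideCidr: 169.254.11.0/30
          IKEVersions: [{ Value: ikev2 }]
          Phase1EncryptionAlgorithms: [{ Value: AES256-GCM-16 }]
          Phase1IntegrityAlgorithms: [{ Value: SHA2-256 }]
          Phase1DHGroupNumbers: [{ Value: 20 }]
          Phase2EncryptionAlgorithms: [{ Value: AES256-GCM-16 }]
          Phase2IntegrityAlgorithms: [{ Value: SHA2-256 }]
          Phase2DHGroupNumbers: [{ Value: 20 }]
          DPDTimeoutSeconds: 30
          StartupAction: start

  # Route propagation needs the VGW to be attached first, hence the explicit DependsOn.
  RoutePropagation:
    Type: AWS::EC2::VPNGatewayRoutePropagation
    DependsOn: VgwAttachment
    Properties:
      RouteTableIds: [!Ref PrivateRouteTableId]
      VpnGatewayId: !Ref VirtualPrivateGateway

Outputs:
  VpnConnectionId:
    Value: !Ref VpnConnection
```

After the stack is created, the device configuration (including the generated pre-shared keys) is the CustomerGatewayConfiguration field returned by `aws ec2 describe-vpn-connections --vpn-connection-ids <id>`; apply it to the on-premises device and configure both tunnels. For a device without BGP, set StaticRoutesOnly to true, drop the propagation resource's reliance on learned routes and add one AWS::EC2::VPNConnectionRoute per on-premises prefix instead. The on-premises side must mirror the pinned IKEv2/AES-256-GCM/DH group 20 proposal, otherwise Phase 1 never completes and the tunnel stays DOWN.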
Route Propagation
When using BGP, you can enable route propagation from the VGW on your VPC route tables. Routes learned from your on-premises device are then added automatically and withdrawn when BGP withdraws them, eliminating manual route management. Static routes configured on a static VPN connection are propagated the same way. A static route you add to the route table yourself takes precedence over a propagated route for the same destination, and the VPC's local route is never overridden by propagation.
VPN CloudHub
If you have multiple Site-to-Site VPN connections to a single VGW, you can enable communication between your remote sites through AWS. This hub-and-spoke model is called AWS VPN CloudHub. It requires BGP: each site needs its own customer gateway with a unique BGP ASN and must advertise non-overlapping prefixes, which the VGW then re-advertises to the other sites.
Accelerated Site-to-Site VPN
You can enable acceleration when creating a VPN connection to route the tunnels through AWS Global Accelerator edge locations, improving performance by using the AWS global network instead of the public internet for a portion of the journey. Two caveats: acceleration is only available for VPN connections attached to a Transit Gateway, not a Virtual Private Gateway, and it cannot be switched on for an existing connection; you create a new accelerated connection and migrate to it. Accelerated connections also incur Global Accelerator charges on top of the VPN connection price.
Monitoring Site-to-Site VPN
• CloudWatch Metrics (namespace AWS/VPN): TunnelState (1 = UP, 0 = DOWN; aggregated per VpnId it is the average of the two tunnels, so 0.5 means one tunnel is down), TunnelDataIn and TunnelDataOut (bytes). Use the VpnId dimension for the whole connection and TunnelIpAddress for a single tunnel
• VPN tunnel logs: IKE negotiation and DPD events per tunnel can be sent to a CloudWatch Logs group (enabled per tunnel in the tunnel options) and are the fastest way to see which phase a failing tunnel is stuck in
• AWS Health Dashboard: AWS-side issues and scheduled maintenance of tunnel endpoints
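The TunnelState metric above turned into two CloudWatch alarms, one for lost redundancy and one for a full outage. This is an added example for this guide, not AWS-provided code; the VPN connection ID and SNS topic ARN are supplied as parameters, and the thresholds rely on the per-VpnId value being the average of the two tunnels (1 = both up, 0.5 = one down, 0 = both down).

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  CloudWatch alarms on the TunnelState metric of one Site-to-Site VPN connection.
  Example template for this guide, not AWS sample code.

Parameters:
  VpnConnectionId:
    Type: String                  # e.g. vpn-0123456789abcdef0 (placeholder format)
  AlarmTopicArn:
    Type: String                  # SNS topic that receives the notifications

Resources:
  # Per VpnId, TunnelState is the average of both tunnels: 1, 0.5 or 0.
  # Minimum < 1 over the period means at least one tunnel was down at some point,
  # i.e. the redundancy the two-tunnel design provides has been lost.
  VpnDegradedAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: !Sub "${VpnConnectionId}-one-tunnel-down"
      AlarmDescription: Redundancy lost, one of the two VPN tunnels is down
      Namespace: AWS/VPN
      MetricName: TunnelState
      Dimensions:
        - Name: VpnId
          Value: !Ref VpnConnectionId
      Statistic: Minimum
      Period: 300
      EvaluationPeriods: 3        # three consecutive periods, so a short flap does not page
      Threshold: 1
      ComparisonOperator: LessThanThreshold
      TreatMissingData: breaching # a deleted or unreporting connection is not "healthy"
      AlarmActions: [!Ref AlarmTopicArn]
      OKActions: [!Ref AlarmTopicArn]

  # Maximum < 0.5 means every datapoint in the period was 0: both tunnels down,
  # which is a real outage rather than degraded redundancy.
  VpnDownAlarm:
    Type: AWS::CloudWatch::Alarm
    Properties:
      AlarmName: !Sub "${VpnConnectionId}-both-tunnels-down"
      AlarmDescription: Outage, both VPN tunnels are down
      Namespace: AWS/VPN
      MetricName: TunnelState
      Dimensions:
        - Name: VpnId
          Value: !Ref VpnConnectionId
      Statistic: Maximum
      Period: 60
      EvaluationPeriods: 2
      Threshold: 0.5
      ComparisonOperator: LessThanThreshold
      TreatMissingData: breaching
      AlarmActions: [!Ref AlarmTopicArn]
      OKActions: [!Ref AlarmTopicArn]
```

To alarm on a specific tunnel instead, add a TunnelIpAddress dimension with that tunnel's outside IP address (from describe-vpn-connections) and use Threshold 1 with the Minimum statistic. The two-alarm split matters operationally: a single tunnel down is expected during AWS endpoint maintenance and should open a ticket, while both tunnels down is an outage that should page.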
Common Troubleshooting Scenarios
• Tunnel is down: security groups and NACLs play no part here, because IKE runs between the AWS tunnel endpoint and your customer gateway device, not through your VPC. Check that the on-premises firewall allows UDP 500, UDP 4500 (NAT-T) and ESP (IP protocol 50) to and from both AWS tunnel endpoint addresses, that the pre-shared keys and IKE/IPsec proposals match the downloaded configuration, and that something initiates the tunnel: by default AWS only responds, so a tunnel with no on-premises traffic stays DOWN unless its startup action is set to "start" or the device is configured to keep it up. The tunnel logs in CloudWatch show which phase fails
• Asymmetric routing: when both tunnels are up and advertise the same prefixes, AWS may return traffic over either tunnel. Advertise identical prefixes over both tunnels, and if the customer gateway device cannot accept return traffic on a tunnel it did not send on, prefer one tunnel with AS PATH prepending or MED so both sides choose the same tunnel
• Intermittent connectivity: verify that Dead Peer Detection (DPD) timeout and timeout-action settings match on both sides, and compare rekey and lifetime settings; a Phase 2 lifetime mismatch, or a device that does not renegotiate before expiry, shows up as periodic short drops
Exam Tips: Answering Questions on Site-to-Site VPN
1. Remember the Two Tunnels: Every Site-to-Site VPN connection has two tunnels for redundancy, and both should be configured on the customer gateway device. Questions about high availability often reference this.
2. Know the Throughput Limits: Each tunnel supports up to 1.25 Gbps. If a question mentions higher bandwidth requirements, look for Transit Gateway with ECMP across several BGP-based VPN connections, or AWS Direct Connect.
3. BGP vs Static Routing: BGP is preferred for dynamic route exchange and automatic failover between tunnels. Static routing is simpler for basic setups, but every prefix is entered by hand and failover depends entirely on the customer gateway device.
4. Cost-Effective Solution: When exam questions ask for a cost-effective way to connect on-premises to AWS, Site-to-Site VPN is typically the answer over AWS Direct Connect.
5. Security Groups and NACLs: Traffic that arrives through the VPN is subject to security groups and NACLs in your VPC; they do not affect whether the tunnel itself comes up.
6. Transit Gateway Integration: For connecting multiple VPCs to on-premises networks, look for answers involving Transit Gateway with Site-to-Site VPN attachments.
7. Accelerated VPN: If questions mention improving VPN performance or global users, accelerated Site-to-Site VPN using Global Accelerator is likely the answer; remember it requires a Transit Gateway.
8. Customer Gateway Device: The customer is responsible for configuring and maintaining the on-premises VPN device. AWS provides configuration templates for common vendors.
9. Encryption: Site-to-Site VPN provides encryption in transit across the internet; inside the VPC the traffic is ordinary IP. Questions about securing data between on-premises and AWS often have VPN as the answer.
10. CloudWatch for Monitoring: When asked about monitoring VPN tunnel status, CloudWatch metrics (especially TunnelState) are the correct approach.