
Secure Communication in a Hybrid Cloud – A Case of Site-to-Site VPN on AWS

Legacy companies hosting their application workloads in their data centers or on-prem architectures always struggle to scale their existing services. This requires them to invest in additional servers, increase RAM/CPUs, add more storage, and potentially upgrade their internet bandwidth, all of which incur substantial capital expenditure. Moreover, the ongoing operational costs, such as power consumption, maintenance, and upkeep, further add to the financial burden of these upgrades.

It’s quite natural to start migrating your workloads toward the cloud, and there always comes a time when you need to securely connect your on-premises servers with cloud resources. In this blog, we will be using an AWS service called ‘Site-to-Site (S2S) VPN,’ which creates a secure virtual path (an encrypted tunnel) between the two end devices.

After reading this blog, you will learn the following:

  • What is Hybrid Cloud
  • Secure communication in a Hybrid Cloud
  • Site-to-Site VPN
  • Requirements for Site-to-Site VPN

Why use a Hybrid Cloud Architecture?

For businesses that are just getting started with AWS Cloud, a good option is to move some of the services from on-premise to the cloud. With this approach, it is highly likely that applications that have been moved to the cloud need to communicate with the ones located in our on-premise data center in a secure manner. For this purpose, we can use services like Direct Connect or Site-to-Site VPN provided by AWS to establish connectivity between the applications running in the on-premise data center and the VPC in AWS in which our applications are running.

Secure Communication in a Hybrid Cloud Architecture

AWS offers the following approaches for secure communication in a hybrid cloud environment:

  • Direct Connect
  • Site-to-Site VPN
  • Transit/VPN Gateways
  • AWS VPN CloudHub

Why use AWS Site-to-Site VPN?

The two most commonly used services today out of the ones mentioned above are the AWS Direct Connect and AWS Site-to-Site VPN. Both of these are useful options and have their benefits.

With Direct Connect, AWS provides private connectivity from the customer’s on-premise data center to their resources provisioned in the AWS cloud. This dedicated link is provided by Internet service providers and AWS Direct Connect partners, and acquiring this dedicated private connection can sometimes take weeks or months. Therefore, for businesses that are just starting to use the AWS cloud together with their on-premise location in a hybrid model, establishing a Site-to-Site VPN between AWS and their on-premise resources is the quickest and most cost-effective solution; it requires only an Internet connection and a public IP address at the customer’s on-premise location.

For this purpose, AWS provides the Site-to-Site VPN service, which is also referred to as the AWS Managed VPN. The VPN configured using this service is an IPsec VPN (other VPN types include SSL and L2TP VPNs). At a high level, IPsec requires two endpoints, referred to as the VPN peers, to form a VPN tunnel.

An IPsec VPN tunnel is established in two phases, called IKE phase 1 and IKE phase 2, where IKE stands for Internet Key Exchange.

  • IKE phase 1 is used to authenticate the 2 IPSec peers and for setting up a secure channel between these peers.
  • IKE phase 2 is used for negotiating and then establishing IPSec security associations. After a successful security association is established, the VPN tunnel is complete, and data can traverse between the sides of the tunnel.

When the VPN is configured, AWS creates two VPN tunnels for each connection, each with its own public IP address. This provides redundancy on the AWS side. AWS considers an S2S VPN tunnel to be down when both IKE phase 1 and IKE phase 2 are down; it then marks the tunnel as down and automatically shifts the network traffic to the second tunnel’s IP address on the AWS side.

Requirements of Site-to-Site VPN on AWS

For establishing secure communication between on-premise and AWS VPC using AWS-managed Site-to-Site VPN, the following components need to be set up on the AWS side:

  • CGW (Customer Gateway)
    • This is a physical device located in the on-premise data center. From the VPN tunnel’s perspective, it is the VPN peer on the customer’s end. The device can be any firewall, router, or server that supports setting up an IPsec VPN.
  • VPG (Virtual Private Gateway)
    • This is the S2S VPN connector on the AWS side. It is a logical network device, completely managed by AWS, that acts as the VPN endpoint (IPsec VPN peer) on the AWS end of the tunnel.
  • Site-to-Site VPN Connection
    • This is the AWS resource that ties the CGW and the VPG together. Configuring it is an essential part of the process, because this is where the key network routing design decision on the AWS side is made: static routing or dynamic routing using BGP.

After the configuration has been completed on both sides of the VPN, a secure connection is established between the on-prem and cloud infrastructure, allowing encrypted data communication through the VPN tunnel, with active redundancy for the VPN peer on the AWS side.
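The following Terraform configuration is an added example (not code from the original post or from AWS) that puts the three AWS-side components above into practice and pins the IKE phase 1 and phase 2 proposals discussed earlier, rather than accepting every algorithm AWS supports. It also adds a CloudWatch alarm so that the loss of one of the two redundant tunnels is noticed instead of silently running on a single path. Assumptions not taken from the post: the on-premise public IP `203.0.113.10` and LAN `192.168.0.0/16` are placeholder values; `aws_vpc.main`, `aws_route_table.private` and the SNS topic passed in `alert_sns_topic_arn` are defined elsewhere in your configuration.

```hcl
# Added example, not the post's or AWS's own code. Placeholder values and
# external resources (aws_vpc.main, aws_route_table.private, SNS topic) are
# assumptions; adjust them to your environment.

variable "alert_sns_topic_arn" {
  description = "SNS topic that receives VPN alarms (assumed to exist already)"
  type        = string
}

# 1. Customer Gateway: AWS's record of the on-premise VPN peer. Only the
#    device's public IP and ASN live in AWS; the device itself stays on-prem.
resource "aws_customer_gateway" "onprem" {
  bgp_asn    = 65000          # private ASN; unused with static routing but still required
  ip_address = "203.0.113.10" # placeholder: public IP of the on-prem firewall/router
  type       = "ipsec.1"
}

# 2. Virtual Private Gateway: the AWS-managed IPsec peer, attached to the VPC.
resource "aws_vpn_gateway" "vgw" {
  vpc_id = aws_vpc.main.id
}

# 3. Site-to-Site VPN connection: ties CGW and VPG together. AWS creates two
#    tunnels; the tunnelN_* arguments pin the proposals for each one.
resource "aws_vpn_connection" "main" {
  customer_gateway_id = aws_customer_gateway.onprem.id
  vpn_gateway_id      = aws_vpn_gateway.vgw.id
  type                = "ipsec.1"
  static_routes_only  = true # design decision: static routes instead of BGP

  # Tunnel 1, IKE phase 1: peer authentication and the protected IKE channel
  tunnel1_ike_versions                 = ["ikev2"]
  tunnel1_phase1_encryption_algorithms = ["AES256"]
  tunnel1_phase1_integrity_algorithms  = ["SHA2-256"]
  tunnel1_phase1_dh_group_numbers      = [14]
  # Tunnel 1, IKE phase 2: the IPsec security associations that carry data
  tunnel1_phase2_encryption_algorithms = ["AES256"]
  tunnel1_phase2_integrity_algorithms  = ["SHA2-256"]
  tunnel1_phase2_dh_group_numbers      = [14]
  tunnel1_dpd_timeout_action           = "restart" # re-initiate IKE if the peer stops answering DPD

  # Tunnel 2: identical proposals, so either tunnel can carry the traffic
  tunnel2_ike_versions                 = ["ikev2"]
  tunnel2_phase1_encryption_algorithms = ["AES256"]
  tunnel2_phase1_integrity_algorithms  = ["SHA2-256"]
  tunnel2_phase1_dh_group_numbers      = [14]
  tunnel2_phase2_encryption_algorithms = ["AES256"]
  tunnel2_phase2_integrity_algorithms  = ["SHA2-256"]
  tunnel2_phase2_dh_group_numbers      = [14]
  tunnel2_dpd_timeout_action           = "restart"
}

# Static route: which on-prem prefix is reachable through the tunnel
resource "aws_vpn_connection_route" "onprem_lan" {
  destination_cidr_block = "192.168.0.0/16" # placeholder on-prem LAN
  vpn_connection_id      = aws_vpn_connection.main.id
}

# Let the VPG push that route into the VPC route table used by the workloads
resource "aws_vpn_gateway_route_propagation" "private" {
  vpn_gateway_id = aws_vpn_gateway.vgw.id
  route_table_id = aws_route_table.private.id
}

# Detection: AWS/VPN TunnelState is 1 per tunnel while it is up. Taking the
# Minimum across both tunnels of this connection drops below 1 as soon as
# either tunnel goes down, i.e. as soon as redundancy is lost.
resource "aws_cloudwatch_metric_alarm" "vpn_single_tunnel" {
  alarm_name          = "s2s-vpn-single-tunnel"
  alarm_description   = "At least one Site-to-Site VPN tunnel is down; redundancy lost"
  namespace           = "AWS/VPN"
  metric_name         = "TunnelState"
  dimensions = {
    VpnId = aws_vpn_connection.main.id
  }
  statistic           = "Minimum"
  period              = 300
  evaluation_periods  = 2
  comparison_operator = "LessThanThreshold"
  threshold           = 1
  treat_missing_data  = "breaching" # no telemetry at all is also a problem
  alarm_actions       = [var.alert_sns_topic_arn]
}
```

Two design points are worth calling out. Pinning the phase 1 and phase 2 proposals on both tunnels means the on-premise device must be configured with the same set, which is exactly the negotiation the two IKE phases perform; a mismatch shows up as a tunnel that never leaves the DOWN state. The alarm exists because AWS-side failover between the two tunnels is automatic and therefore easy to miss: after the first tunnel fails, traffic still flows, but a second failure would cut the site off, so the loss of redundancy itself should page someone.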


Using AWS Site-to-Site VPN is the quickest way for businesses to migrate to the cloud and evaluate their options simultaneously. This approach not only helps in a smooth transition to the cloud but also offers security by providing private and encrypted connectivity between networks in the cloud and on-premises data centers.

Using AWS Site-to-Site VPN, we can securely connect our on-premise data center and our resources running in the AWS Cloud very easily and quickly while maintaining our data’s integrity during communication between the two sides due to a secure encrypted VPN tunnel.
