Fatskills
Practice. Master. Repeat.
Study Guide: TECH **AWS Direct Connect & VPN (Site-to-Site, Client VPN) – Zero-Fluff Study Guide**
Source: https://www.fatskills.com/aws-certified-solutions-architect-associate/chapter/tech-aws-direct-connect-vpn-site-to-site-client-vpn-zero-fluff-study-guide

TECH **AWS Direct Connect & VPN (Site-to-Site, Client VPN) – Zero-Fluff Study Guide**

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.

⏱️ ~8 min read

AWS Direct Connect & VPN (Site-to-Site, Client VPN) – Zero-Fluff Study Guide

For AWS Solutions Architect – Associate (SAA-C03) & Real-World Deployments


1. What This Is & Why It Matters

You’re a cloud engineer at a company migrating from on-prem to AWS. Your CIO demands low-latency, secure, and reliable connectivity between your data center and AWS. Public internet VPNs are slow and unreliable. Direct Connect (DX) is expensive but fast. You need to choose the right hybrid connectivity for cost, performance, and security.

Why this matters in production:
- If you ignore this: Your users complain about slow database queries, failed backups, or VPN dropouts during peak hours. Your boss asks why AWS bills are skyrocketing from data transfer costs.
- If you master this: You design high-performance, cost-optimized hybrid architectures that keep users happy and costs predictable. You also ace the SAA exam’s hybrid networking questions.

Real-world scenario:
You inherit a legacy ERP system running on-prem. The finance team needs <10ms latency to AWS RDS for real-time reporting. A site-to-site VPN over the internet adds 50ms. Direct Connect is the only option—but how do you deploy it without breaking the bank?


2. Core Concepts & Components


? Direct Connect (DX)

  • Definition: A dedicated, private network connection from your on-prem data center to AWS (bypassing the public internet).
  • Production insight: If you don’t monitor DX port utilization, you’ll hit bottlenecks during backups or migrations. Use CloudWatch metrics (ConnectionBpsEgress, ConnectionBpsIngress).

? Direct Connect Gateway (DXGW)

  • Definition: A global router that lets you connect multiple VPCs (across regions) to a single DX connection.
  • Production insight: Without DXGW, you’d need separate DX connections per VPC—costly and complex. DXGW simplifies multi-VPC hybrid setups.

? Virtual Private Gateway (VGW)

  • Definition: The AWS-side VPN endpoint for site-to-site VPNs and Direct Connect private VIFs.
  • Production insight: If you delete a VGW, all VPN connections drop. Always detach it from VPCs first.

? Customer Gateway (CGW)

  • Definition: Your on-prem VPN device (router/firewall) that terminates the VPN connection to AWS.
  • Production insight: If your CGW doesn’t support BGP, you can’t use Direct Connect. Check AWS’s supported devices list.

? Site-to-Site VPN

  • Definition: An IPsec VPN tunnel over the public internet between your on-prem network and AWS.
  • Production insight: If you don’t enable Dead Peer Detection (DPD), VPN tunnels can hang for hours after a network blip.

? Client VPN

  • Definition: A managed OpenVPN-based service for remote users to access AWS or on-prem resources.
  • Production insight: If you don’t restrict Client VPN routes, users can access all VPCs—a security risk. Use authorization rules.

? Virtual Interface (VIF)

  • Definition: A logical connection over Direct Connect (Private VIF for VPC, Public VIF for AWS public services like S3).
  • Production insight: If you don’t tag VIFs, you’ll lose track of which connection belongs to which project.

? BGP (Border Gateway Protocol)

  • Definition: The routing protocol used by Direct Connect and site-to-site VPNs to exchange routes.
  • Production insight: If you don’t advertise the correct CIDR ranges, traffic won’t flow. Use aws ec2 describe-vpn-connections to verify.


3. Step-by-Step Hands-On: Deploy a Site-to-Site VPN


Prerequisites

✅ AWS account with admin IAM permissions
✅ On-prem VPN device (or a test EC2 instance with strongSwan for lab) ✅ A VPC with private subnets (e.g., 10.0.0.0/16) ✅ On-prem CIDR (e.g., 192.168.1.0/24)


Step 1: Create a Virtual Private Gateway (VGW)

aws ec2 create-vpn-gateway --type ipsec.1 --tag-specifications 'ResourceType=vpn-gateway,Tags=[{Key=Name,Value=MyVGW}]'

Expected output:


{
  "VpnGateway": {
"VpnGatewayId": "vgw-12345678",
"State": "pending",
"Type": "ipsec.1" } }

Attach VGW to your VPC:


aws ec2 attach-vpn-gateway --vpn-gateway-id vgw-12345678 --vpc-id vpc-12345678


Step 2: Create a Customer Gateway (CGW)

aws ec2 create-customer-gateway \
  --type ipsec.1 \
  --public-ip 203.0.113.1 \  # Your on-prem VPN device public IP
  --bgp-asn 65000 \          # Your on-prem BGP ASN (use 65000 for lab)
  --tag-specifications 'ResourceType=customer-gateway,Tags=[{Key=Name,Value=MyCGW}]'

Expected output:


{
  "CustomerGateway": {
"CustomerGatewayId": "cgw-12345678",
"State": "available",
"Type": "ipsec.1" } }


Step 3: Create a Site-to-Site VPN Connection

aws ec2 create-vpn-connection \
  --type ipsec.1 \
  --customer-gateway-id cgw-12345678 \
  --vpn-gateway-id vgw-12345678 \
  --options '{"StaticRoutesOnly": false}' \  # Enable BGP
  --tag-specifications 'ResourceType=vpn-connection,Tags=[{Key=Name,Value=MyVPN}]'

Expected output:


{
  "VpnConnection": {
"VpnConnectionId": "vpn-12345678",
"State": "pending",
"CustomerGatewayConfiguration": "<?xml version=\"1.0\" encoding=\"UTF-8\"?><vpn_connection>...</vpn_connection>" } }

Download the config file (contains pre-shared keys, IPs, etc.):


aws ec2 get-vpn-connection-device-sample-configuration \
  --vpn-connection-id vpn-12345678 \
  --vpn-connection-device-type-id "generic" \
  --output text > vpn-config.txt


Step 4: Configure Your On-Prem VPN Device

Example for strongSwan (Linux):


sudo apt install strongswan -y
sudo cp vpn-config.txt /etc/ipsec.conf
sudo ipsec start
sudo ipsec up aws-vpn

Verify the tunnel is up:


sudo ipsec status

Expected output:


Security Associations (1 up, 0 connecting):
aws-vpn[1]: ESTABLISHED 10 seconds ago


Step 5: Add Static Routes (or Wait for BGP)

Option A: Static Routes (if StaticRoutesOnly=true)


aws ec2 create-vpn-connection-route \
  --vpn-connection-id vpn-12345678 \
  --destination-cidr-block 192.168.1.0/24

Option B: BGP (if StaticRoutesOnly=false)
- Your on-prem router should now advertise routes to AWS.
- Verify in AWS:


aws ec2 describe-vpn-connections --vpn-connection-ids vpn-12345678

Check the Routes section for learned CIDRs.


Step 6: Test Connectivity

From an on-prem server (e.g., 192.168.1.10):


ping 10.0.1.10  # A private EC2 instance in AWS

From AWS to on-prem:


ping 192.168.1.10

If it fails:
- Check security groups (allow ICMP).
- Check NACLs (allow inbound/outbound traffic).
- Check route tables (ensure VPC has a route to 192.168.1.0/24 via VGW).


4. ? Production-Ready Best Practices


? Security

  • Least privilege IAM: Restrict ec2:CreateVpnConnection to network admins only.
  • Pre-shared keys (PSK): Rotate them every 90 days (use AWS Secrets Manager).
  • Client VPN: Enforce MFA and restrict access with authorization rules: bash aws ec2 authorize-client-vpn-ingress \
    --client-vpn-endpoint-id cvpn-endpoint-12345678 \
    --target-network-cidr 10.0.0.0/16 \
    --access-group-id sg-12345678 # Only allow this security group

? Cost Optimization

  • Direct Connect vs. VPN:
  • DX: $0.30/hr + $0.02–$0.05/GB (cheaper for >10TB/month).
  • VPN: $0.05/hr + no data transfer cost (better for <1TB/month).
  • Use DX with VPN as backup: If DX fails, traffic automatically fails over to VPN.

? Reliability & Maintainability

  • Tag everything:
    bash aws ec2 create-tags --resources vgw-12345678 --tags Key=Environment,Value=Prod
  • Monitor VPN tunnels:
  • CloudWatch metric: TunnelState (1 = up, 0 = down).
  • Set an alarm for TunnelState < 1 for 5 minutes.
  • Use Direct Connect Gateway (DXGW) for multi-VPC: Avoid spaghetti DX connections.

?️ Observability

  • CloudWatch Logs: Enable VPN connection logs to debug tunnel flips.
  • VPC Flow Logs: Check for dropped packets between on-prem and AWS.
  • BGP monitoring: Use aws ec2 describe-vpn-connections to verify advertised routes.


5. ⚠️ Common Mistakes & Traps

Mistake Symptom Fix/Prevention
Not enabling BGP VPN works, but routes aren’t dynamic. Set StaticRoutesOnly=false when creating the VPN.
Using the same PSK for all tunnels Security risk; if one tunnel is compromised, all are. Generate unique PSKs per tunnel.
Not monitoring tunnel state VPN drops silently; users complain about timeouts. Set a CloudWatch alarm for TunnelState.
Forgetting to advertise routes On-prem can ping AWS, but AWS can’t ping on-prem. Check aws ec2 describe-vpn-connections for missing routes.
Using a single DX connection No redundancy; if DX fails, everything breaks. Deploy two DX connections in different locations.


6. ? Exam/Certification Focus (SAA-C03)


Typical Question Patterns

  1. "You need low-latency, high-bandwidth connectivity between on-prem and AWS. What’s the best option?"
  2. Direct Connect (if budget allows).
  3. ❌ VPN (too slow for large data transfers).

  4. "Your site-to-site VPN keeps dropping. What’s the most likely cause?"

  5. No Dead Peer Detection (DPD) (tunnel hangs after network blip).
  6. ❌ "The VGW is misconfigured" (less likely if it worked before).

  7. "How do you connect multiple VPCs to a single Direct Connect connection?"

  8. Direct Connect Gateway (DXGW).
  9. ❌ "Create a separate DX connection per VPC" (expensive and complex).

Key ⚠️ Trap Distinctions

Concept Direct Connect Site-to-Site VPN Client VPN
Latency Low (dedicated line) High (public internet) Medium (user’s ISP)
Cost $$$ (port + data) $ (hourly + no data cost) $ (hourly + data cost)
Use Case Large data transfers, low latency Small offices, backup Remote employees
Redundancy Requires 2nd DX Automatic (2 tunnels) Automatic (2 tunnels)


7. ? Hands-On Challenge (with Solution)


Challenge:

You have a site-to-site VPN between AWS and on-prem. Traffic from AWS to on-prem (192.168.1.0/24) works, but on-prem to AWS (10.0.0.0/16) fails. What’s the issue?

Solution:

  1. Check the VPC route table:
    bash
    aws ec2 describe-route-tables --filters "Name=vpc-id,Values=vpc-12345678"
  2. If there’s no route for 192.168.1.0/24 via the VGW, add it:
    bash
    aws ec2 create-route --route-table-id rtb-12345678 --destination-cidr-block 192.168.1.0/24 --gateway-id vgw-12345678
  3. Check on-prem routes:
  4. Ensure your on-prem router has a route for 10.0.0.0/16 via the VPN tunnel.

Why it works:
- AWS doesn’t automatically add routes for on-prem CIDRs. You must manually add them to the VPC route table.


8. ? Rapid-Reference Crib Sheet

Command/Concept What It Does Key Notes
aws ec2 create-vpn-gateway Creates a VGW Attach to VPC with attach-vpn-gateway.
aws ec2 create-customer-gateway Registers on-prem VPN device Needs public IP and BGP ASN.
aws ec2 create-vpn-connection Sets up VPN tunnel Download config with get-vpn-connection-device-sample-configuration.
aws ec2 describe-vpn-connections Checks VPN status Look for TunnelState and Routes.
Direct Connect Port Speed 1Gbps or 10Gbps 1Gbps = ~$0.30/hr, 10Gbps = ~$2.25/hr.
BGP ASN 64512–65534 (private) AWS uses 64512 by default.
VPN Tunnel IPs 169.254.x.x AWS assigns these automatically.
⚠️ Default VPN Tunnel Timeout 8 hours Rekey happens automatically.
Client VPN Port 443 (TCP) Uses OpenVPN.
Direct Connect Data Transfer Cost $0.02–$0.05/GB Cheaper than VPN for >10TB/month.
⚠️ VGW Deletion Breaks all VPNs Detach from VPC first.


9. ? Where to Go Next

  1. AWS Direct Connect Documentation – Official guide.
  2. AWS Site-to-Site VPN Workshop – Hands-on lab.
  3. AWS Client VPN Setup Guide – Step-by-step.
  4. AWS Hybrid Networking Whitepaper – Deep dive on DX vs. VPN.

Final Pro Tip:

Always test failover!
- For Direct Connect, simulate a failure by disabling one DX port.
- For VPN, unplug the on-prem router and verify traffic fails over to the second tunnel.

Now go build something resilient! ?



ADVERTISEMENT