Why public VIF must be used in AWS Direct Connect + VPN setup?

Asked 31/1, 2021 at 15:48 Answered 27/1, 2023 at 17:2

Solved amazon-web-services aws-direct-connect aws-vpn

I am unsure why public VIF must be used in AWS Direct Connect + VPN setup. Usually if you are connecting to Virtual Private Gateway you should use private VIF as shown in AWS Managed VPN. Why public VIF must be used in this case?

Diagram on AWS Direct Connect + VPN:

Diagram on AWS Managed VPN:

Edit 1:
Got a better understanding by watching AWS re:Invent 2018: AWS VPN Solutions (NET304). We need public VIF because AWS Site-to-Site VPN creates two public endpoints on a Virtual Private Gateway which are visible to public VIF only. Diagram from that talk:

Implement answered 31/1, 2021 at 15:48 Comment(0)

The reason is that the AWS site-to-site service part of the solution does not reside within the VPC, it directly creates the relationship between the customer gateway and the virtual private gateway.

When you create this connection, within tunnel details you will find that you get 2 public IP addresses (to be clear a private VIF will only communicate with a single VPCs network range(s)).

The public VIF on the other hand will advertise all public IP address ranges found within Amazon. As the service resolves to a public IP address that falls in this range, the public VIF would advertise a more desirable route to use your new Direct Connect connection.

Addy answered 31/1, 2021 at 18:23 Comment(3)

VGW prefers DX over Site-to-Site VPN. If you would use private VIF you would get 2 public IP addresses in which case traffic could go through the internet instead of DX? Is that what the second diagram is showing - that DX is not used and istead internet is used? – Pismire 31/1, 2021 at 20:0

So essentially the first diagram is showing when a public VIF is used to your on-premise. In this scenario it is advertising the routes for the AWS VPN. If you look at how your on-premise connects to your VPC via VPN it establishes a IPSec tunnel over the public internet. For this reason your on-premise will need to connect to a VIF which advertises the IP ranges covering your VPN. You can see the public IPs in tunnel details within the console. The private VIF meanwhile establishes a direct connection into the VPC, bypassing the VPN. Private VIFs will only advertise VPC CIDRs. – Addy 31/1, 2021 at 20:10

No problem have a great day – Addy 31/1, 2021 at 20:57

Public VIFs enable direct network access to services that are not reachable via a private IP address within our own VPC. like S3, Kinesis, etc.

We can only access resources with private ip in our VPC via Privates VIFs. like RDS, Ec2, etc.

Viscoid answered 31/1, 2021 at 16:55 Comment(1)

I understand that but why in that case VPN requires public VIF? If we are accessing S3 then traffic does not need to go through our VPC thus diagram should have private VIF ? – Pismire 31/1, 2021 at 18:21

since about 06-2022 AWS added support for VPN via private vif.

https://aws.amazon.com/de/blogs/networking-and-content-delivery/introducing-aws-site-to-site-vpn-private-ip-vpns/

Before that you have to get public IPs from AWS, also for your onPrem VPN gateways. Another option was to move from AWS products (vpn gateway or transit gateway) to virtual instances from other vendors or just linux with VPN sofware on it.

Unfinished answered 27/1, 2023 at 17:2 Comment(1)

did you mean Transit VIF? – Fourlegged 16/8, 2023 at 14:0

Recommended topics

Hot tags