How AWS Site-to-Site VPN works
A Site-to-Site VPN connection consists of the following components:
The VPN connection offers two VPN tunnels between a virtual private gateway or transit gateway on the AWS side, and a customer gateway on the on-premises side.
For more information about Site-to-Site VPN quotas, see AWS Site-to-Site VPN quotas.
Virtual private gateway
A virtual private gateway is the VPN concentrator on the Amazon side of the Site-to-Site VPN connection. You create a virtual private gateway and attach it to a virtual private cloud (VPC) with resources that must access the Site-to-Site VPN connection.
The following diagram shows a VPN connection between a VPC and your on-premises network using a virtual private gateway.
When you create a virtual private gateway, you can specify the private Autonomous
System Number (ASN) for the Amazon side of the gateway. If you don't specify an ASN,
the virtual private gateway is created with the default ASN (64512). You cannot
change the ASN after you've created the virtual private gateway. To check the ASN
for your virtual private gateway, view its details in the Virtual private
gateways page in the Amazon VPC console, or use the describe-vpn-gateways
Transit gateway
A transit gateway is a transit hub that you can use to interconnect your VPCs and your on-premises networks. For more information, see Amazon VPC Transit Gateways. You can create a Site-to-Site VPN connection as an attachment on a transit gateway.
The following diagram shows a VPN connection between multiple VPCs and your on-premises network using a transit gateway. The transit gateway has three VPC attachments and a VPN attachment.
Your Site-to-Site VPN connection on a transit gateway can support either IPv4 traffic or IPv6 traffic inside the VPN tunnels. For more information, see IPv4 and IPv6 traffic in AWS Site-to-Site VPN.
You can modify the target gateway of a Site-to-Site VPN connection from a virtual private gateway to a transit gateway. For more information, see Modify the target gateway of an AWS Site-to-Site VPN connection.
Customer gateway device
A customer gateway device is a physical device or software application on your side of the Site-to-Site VPN connection. You configure the device to work with the Site-to-Site VPN connection. For more information, see AWS Site-to-Site VPN customer gateway devices.
By default, your customer gateway device must bring up the tunnels for your Site-to-Site VPN connection by generating traffic and initiating the Internet Key Exchange (IKE) negotiation process. You can configure your Site-to-Site VPN connection to specify that AWS must initiate the IKE negotiation process instead. For more information, see AWS Site-to-Site VPN tunnel initiation options.
Customer gateway
A customer gateway is a resource that you create in AWS that represents the customer gateway device in your on-premises network. When you create a customer gateway, you provide information about your device to AWS. For more information, see Customer gateway options for your AWS Site-to-Site VPN connection.
To use Amazon VPC with a Site-to-Site VPN connection, you or your network administrator must also configure the customer gateway device or application in your remote network. When you create the Site-to-Site VPN connection, we provide you with the required configuration information and your network administrator typically performs this configuration. For information about the customer gateway requirements and configuration, see AWS Site-to-Site VPN customer gateway devices.