Establishing a Site-to-Site VPN Connection: Prerequisites


Question

You have been instructed to establish a successful site-to-site VPN connection from your on-premises network to the VPC (Virtual Private Cloud).

As an architect, which of the following prerequisites should you ensure in order to establish the site-to-site VPN connection? Choose 2 answers from the options given below.

Explanations

Answer - B and C.

This is mentioned in the AWS Documentation.

Option A is incorrect since the NAT instance is not required to route traffic via the VPN connection.

Option D is incorrect since the Virtual Private Gateway is managed by AWS.

For more information on VPN connections, please refer to the link below:

https://docs.aws.amazon.com/vpn/latest/s2svpn/SetUpVPNConnections.html

Virtual Private Gateway

A virtual private gateway is the VPN concentrator on the Amazon side of the VPN connection. You create a virtual private gateway and attach it to the VPC from which you want to create the VPN connection.

When you create a virtual private gateway, you can specify the private Autonomous System Number (ASN) for the Amazon side of the gateway. If you don't specify an ASN, the virtual private gateway is created with the default ASN (64512). You cannot change the ASN after you've created the virtual private gateway. To check the ASN for your virtual private gateway, view its details in the Virtual Private Gateways screen in the Amazon VPC console, or use the describe-vpn-gateways AWS CLI command.

Note

If you created your virtual private gateway before 2018-06-30, the default ASN is 17493 in the Asia Pacific (Singapore) region, 10124 in the Asia Pacific (Tokyo) region, 9059 in the EU (Ireland) region, and 7224 in all other regions.

Customer Gateway

A customer gateway is a physical device or software application on your side of the VPN connection.

To create a VPN connection, you must create a customer gateway resource in AWS, which provides information to AWS about your customer gateway device. The following table describes the information you'll need to create a customer gateway resource.

Item: Internet-routable IP address (static) of the customer gateway's external interface.

Description: The public IP address value must be static. If your customer gateway is behind a network address translation (NAT) device that's enabled for NAT traversal (NAT-T), use the public IP address of your NAT device, and adjust your firewall rules to unblock UDP port 4500.
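The two sections above (virtual private gateway with its Amazon-side ASN, and customer gateway with its static internet-routable address) translate into a short preflight check before anything is created in the account. The following Python script is an added example, not code from the page or from AWS: it validates that the Amazon-side ASN is in a private range, that the customer gateway address is an IPv4 address outside every non-routable block (RFC 1918, loopback, link-local, CGNAT shared space, multicast and reserved), records which UDP ports the on-premises firewall must allow (UDP 500 for IKE in every case, plus UDP 4500 when NAT-T applies, as the table notes), and then emits the AWS CLI commands in the order they have to run. The VPC ID and the 203.0.113.5 address are constructed sample values; the vgw- and cgw- IDs are placeholders you fill in from the output of the preceding command. It assumes Python 3.8 or later and makes no AWS calls itself.

```python
"""Preflight check for the Site-to-Site VPN prerequisites discussed above.

Added example, not AWS code. Validates inputs, then returns the AWS CLI
calls in dependency order. Resource IDs written as <vgw-id> / <cgw-id> are
placeholders that come from the previous command's output.
"""
import ipaddress
import shlex

AMAZON_DEFAULT_ASN = 64512  # default Amazon-side ASN named on the page
# Private ASN ranges accepted for the Amazon side (16-bit and 32-bit).
PRIVATE_ASN_RANGES = ((64512, 65534), (4200000000, 4294967294))

# Blocks that are never internet-routable and therefore cannot be the
# customer gateway's external address.
_NON_ROUTABLE_V4 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, "this network"
    "100.64.0.0/10", "224.0.0.0/4", "240.0.0.0/4",     # CGNAT, multicast, reserved
)]


def is_private_asn(asn: int) -> bool:
    """True if asn falls in a private range AWS accepts for the Amazon side."""
    return any(lo <= asn <= hi for lo, hi in PRIVATE_ASN_RANGES)


def is_routable_public_ipv4(addr: str) -> bool:
    """True if addr parses as IPv4 and lies outside every non-routable block."""
    try:
        ip = ipaddress.IPv4Address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in _NON_ROUTABLE_V4)


def preflight(vpc_id, customer_gateway_ip, customer_asn,
              amazon_asn=AMAZON_DEFAULT_ASN, behind_nat=False):
    """Validate the prerequisites and return the ordered CLI plan.

    Raises ValueError with a specific message for any unmet prerequisite so a
    deployment script fails before it touches the account.
    """
    if not is_private_asn(amazon_asn):
        raise ValueError(f"Amazon-side ASN {amazon_asn} is not in a private range")
    if not is_routable_public_ipv4(customer_gateway_ip):
        raise ValueError(f"{customer_gateway_ip} is not an internet-routable IPv4 address")
    if not 1 <= customer_asn <= 4294967295:
        # Basic 32-bit range check only; AWS applies its own limits at creation.
        raise ValueError(f"customer ASN {customer_asn} is not a valid ASN")

    # IKE negotiates over UDP/500; NAT-T encapsulation adds UDP/4500, the
    # port the page tells you to unblock when the gateway sits behind NAT.
    udp_ports = [500, 4500] if behind_nat else [500]

    cli = [
        ["aws", "ec2", "create-vpn-gateway", "--type", "ipsec.1",
         "--amazon-side-asn", str(amazon_asn)],
        ["aws", "ec2", "attach-vpn-gateway", "--vpn-gateway-id", "<vgw-id>",
         "--vpc-id", vpc_id],
        ["aws", "ec2", "create-customer-gateway", "--type", "ipsec.1",
         "--public-ip", customer_gateway_ip, "--bgp-asn", str(customer_asn)],
        ["aws", "ec2", "create-vpn-connection", "--type", "ipsec.1",
         "--customer-gateway-id", "<cgw-id>", "--vpn-gateway-id", "<vgw-id>"],
        # The page's own way to confirm the ASN once the gateway exists.
        ["aws", "ec2", "describe-vpn-gateways", "--vpn-gateway-ids", "<vgw-id>"],
    ]
    return {"udp_ports_to_allow": udp_ports,
            "commands": [shlex.join(c) for c in cli]}


if __name__ == "__main__":
    # Constructed sample: documentation address 203.0.113.5, placeholder VPC ID.
    plan = preflight("vpc-0123456789abcdef0", "203.0.113.5", 65000, behind_nat=True)
    print("allow inbound UDP on the customer gateway firewall:", plan["udp_ports_to_allow"])
    for cmd in plan["commands"]:
        print(cmd)
```

Running the script with an RFC 1918 address such as 192.168.1.1, or with an Amazon-side ASN outside 64512 to 65534, stops at the ValueError rather than producing a plan, which is the point of checking these two prerequisites up front.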

To establish a successful site-to-site VPN connection from your on-premises network to the VPC (Virtual Private Cloud), the following prerequisites must be in place:

  1. A virtual private gateway attached to the VPC: A virtual private gateway is the VPN concentrator on the AWS side of the VPN connection. It enables communication between your VPC and your on-premises network through the VPN connection. You need to attach a virtual private gateway to your VPC before setting up a site-to-site VPN connection.

  2. A public IP address on the customer gateway for the on-premises network: Your on-premises network should have a public IP address on its customer gateway. This public IP address is used to identify your on-premises network in the VPN connection. Without a public IP address, your on-premises network cannot establish a VPN connection with your VPC.

In addition to the above, you also need to have the following configurations in place:

  1. An Internet Gateway (IGW) attached to the VPC: An Internet Gateway is a horizontally scaled, redundant, and highly available VPC component that allows communication between instances in your VPC and the internet. An IGW must be attached to the VPC before setting up a VPN connection.

  2. A security group that allows inbound and outbound traffic: You need to configure a security group to allow inbound and outbound traffic to and from the VPC. The security group should allow traffic from the on-premises network to the VPC and vice versa.

Therefore, options B and C are the correct prerequisites for establishing a site-to-site VPN connection from your on-premises network to the VPC.

Option A is incorrect because routing traffic through a NAT instance is not a requirement for establishing a VPN connection. Option D is incorrect because you do not need an Elastic IP address for the Virtual Private Gateway to establish a VPN connection; you might, however, use an Elastic IP address with the Virtual Private Gateway for specific use cases.