
Site-to-Site VPN

Stax enables you to connect your AWS resources to your on-premises environment with AWS Virtual Private Network (VPN). Stax supports the creation of Site-to-Site VPN Connections with either a Virtual Private Gateway or a Transit Gateway.

Site-to-Site VPN Connection Architecture

Stax will create a Customer Gateway to consolidate your Site-to-Site VPN Connections for use by your Stax Network. The Customer Gateway is provisioned in your Stax-managed AWS account and can be shared by many Virtual Private Gateways or Transit Gateways. Currently, Stax supports only dynamic routing using Border Gateway Protocol (BGP) when you configure your Site-to-Site VPN Connection.

[Figure: site-to-site-vpn-01.svg]

Site-to-Site VPN Connections with a Transit Gateway Architecture

With a Transit Gateway, the VPN Connection is associated with your Networking Hub's Transit Gateway. This enables connectivity to all VPCs within the Networking Hub.

[Figure: site-to-site-vpn-02.svg]

Site-to-Site VPN Connections with a Virtual Private Gateway Architecture

With a Virtual Private Gateway, the VPN Connection must connect to each VPC individually. The VPC must also exist in the same account as your Networking Hub.

[Figure: site-to-site-vpn-03.svg]

AWS Customer Gateway

This is the top-level resource that Stax will manage for Site-to-Site VPN Connections. When creating a Site-to-Site VPN Connection, you will need to choose either VPC or Hub. Each has considerations that impact the gateway's capabilities.

VPC:

  • Provides Site-to-Site VPN connectivity to an individual VPC by associating the AWS Customer Gateway with the VPC's Virtual Private Gateway

Hub:

  • Provides VPN connectivity to the entire Stax Networking Hub by associating directly with the Hub's AWS Transit Gateway

  • ECMP can be used to get higher VPN bandwidth by aggregating multiple VPN tunnels

The maximum bandwidth per VPN tunnel is 1.25 Gbps. There are a number of other Site-to-Site VPN limits to be aware of. These limits should be considered when designing your Stax networking and connections architecture.
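A practitioner will usually want to confirm that a connection Stax has created actually matches the design above (BGP dynamic routing, a Transit Gateway attachment in Hub mode, ECMP enabled when tunnel bandwidth is to be aggregated). The following is an added example, not Stax's or AWS's own code; it validates dicts shaped like the EC2 DescribeVpnConnections and DescribeTransitGateways responses, using constructed sample data and the 1.25 Gbps per-tunnel figure from this page.

```python
"""Post-provisioning sanity check for a Stax-created Site-to-Site VPN Connection.

Added example (not Stax's or AWS's code). Input dicts mirror the shape of the EC2
DescribeVpnConnections / DescribeTransitGateways API responses.
"""
from typing import Optional

GBPS_PER_TUNNEL = 1.25  # per-tunnel ceiling stated on the page


def check_vpn(vpn: dict, tgw: Optional[dict] = None) -> dict:
    """Summarise one VpnConnections[] entry and list settings that conflict with the design."""
    findings = []
    mode = "Hub" if vpn.get("TransitGatewayId") else "VPC"
    dynamic = not vpn.get("Options", {}).get("StaticRoutesOnly", False)
    if not dynamic:
        findings.append("StaticRoutesOnly set; Stax supports BGP dynamic routing only")
    tunnels = vpn.get("VgwTelemetry", [])
    up = [t for t in tunnels if t.get("Status") == "UP"]
    if len(up) < len(tunnels):
        findings.append(f"{len(tunnels) - len(up)} of {len(tunnels)} tunnels DOWN")
    ecmp = None
    if mode == "Hub":
        if tgw is None:
            findings.append("Hub mode but no Transit Gateway description supplied")
        else:
            ecmp = tgw.get("Options", {}).get("VpnEcmpSupport") == "enable"
            if not ecmp:
                findings.append("VpnEcmpSupport disabled; tunnels will not aggregate bandwidth")
    # With ECMP every UP tunnel adds capacity; without it (or on a Virtual Private
    # Gateway) traffic uses a single active tunnel, so the ceiling is one tunnel.
    usable = len(up) if ecmp else min(len(up), 1)
    return {"mode": mode, "dynamic_routing": dynamic, "tunnels_up": len(up),
            "ecmp": ecmp, "max_gbps": usable * GBPS_PER_TUNNEL, "findings": findings}


# Constructed sample responses (placeholder IDs, not real resources): a healthy
# Hub-mode connection and a VPC-mode one mistakenly created with static routing.
TGW = {"TransitGatewayId": "tgw-0example", "Options": {"VpnEcmpSupport": "enable"}}
VPN_HUB = {"VpnConnectionId": "vpn-0example1", "TransitGatewayId": "tgw-0example",
           "Options": {"StaticRoutesOnly": False},
           "VgwTelemetry": [{"Status": "UP"}, {"Status": "UP"}]}
VPN_VPC = {"VpnConnectionId": "vpn-0example2", "VpnGatewayId": "vgw-0example",
           "Options": {"StaticRoutesOnly": True},
           "VgwTelemetry": [{"Status": "UP"}, {"Status": "DOWN"}]}

if __name__ == "__main__":
    for v in (VPN_HUB, VPN_VPC):
        print(check_vpn(v, TGW))
```

Against a live account the same function can be fed the entries returned by boto3's `describe_vpn_connections` and `describe_transit_gateways`.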

Customer Gateway

Stax does not directly manage your Customer Gateway device or the configuration of your on-premises Site-to-Site VPN Connection. After you have created your Stax Site-to-Site VPN Connection, you must download the configuration file directly from the AWS VPC console. This file contains the information your networking team needs to complete the configuration of your on-premises Customer Gateway device. For more information, refer to the AWS Customer Gateway device documentation.