# AWS Site-to-Site VPN architectural scenarios
<a name="site-site-architectures"></a>

The following are scenarios in which you might create multiple VPN connections with one or more customer gateway devices.

**Multiple VPN connections using the same customer gateway device**  
You can create additional VPN connections from your on-premises location to other VPCs using the same customer gateway device. You can reuse the same customer gateway IP address for each of those VPN connections.

**Multiple customer gateway devices to a single virtual private gateway (Site-to-Site VPN CloudHub)**  
You can establish multiple VPN connections to a single virtual private gateway from multiple customer gateway devices. This enables you to have multiple locations connected to the AWS VPN CloudHub. For more information, see [Secure communication between AWS Site-to-Site VPN connections using VPN CloudHub](VPN_CloudHub.md). When you have customer gateway devices at multiple geographic locations, each device should advertise a unique set of IP ranges specific to the location. 

**Redundant VPN connection using a second customer gateway device**  
To protect against a loss of connectivity if your customer gateway device becomes unavailable, you can set up a second VPN connection using a second customer gateway device. For more information, see [Redundant AWS Site-to-Site VPN connections for failover](vpn-redundant-connection.md). When you establish redundant customer gateway devices at a single location, both devices should advertise the same IP ranges.

The following are common Site-to-Site VPN architectures:
+ [Single and multiple VPN connections](Examples.md)
+ [Redundant AWS Site-to-Site VPN connections for failover](vpn-redundant-connection.md)
+ [Secure communications between VPN connections using VPN CloudHub](VPN_CloudHub.md)

# AWS Site-to-Site VPN single and multiple VPN connection examples
<a name="Examples"></a>

The following diagrams illustrate single and multiple Site-to-Site VPN connections.

**Topics**
+ [Single Site-to-Site VPN connection](#SingleVPN)
+ [Single Site-to-Site VPN connection with a transit gateway](#SingleVPN-transit-gateway)
+ [Multiple Site-to-Site VPN connections](#MultipleVPN)
+ [Multiple Site-to-Site VPN connections with a transit gateway](#MultipleVPN-transit-gateway)
+ [Site-to-Site VPN connection with Direct Connect](#vpn-direct-connect)
+ [Private IP Site-to-Site VPN connection with Direct Connect](#private-ip-direct-connect)

## Single Site-to-Site VPN connection
<a name="SingleVPN"></a>

The VPC has an attached virtual private gateway, and your on-premises (remote) network includes a customer gateway device, which you must configure to enable the VPN connection. You must update the VPC route tables so that any traffic from the VPC bound for your network goes to the virtual private gateway.

![\[A VPC with an attached virtual private gateway and a VPN connection to your on-premises network.\]](http://docs.aws.amazon.com/vpn/latest/s2svpn/images/vpn-how-it-works-vgw.png)


For steps to set up this scenario, see [Get started with AWS Site-to-Site VPN](SetUpVPNConnections.md).

## Single Site-to-Site VPN connection with a transit gateway
<a name="SingleVPN-transit-gateway"></a>

The VPC has an attached transit gateway, and your on-premises (remote) network includes a customer gateway device, which you must configure to enable the VPN connection. You must update the VPC route tables so that any traffic from the VPC bound for your network goes to the transit gateway.

![\[A single Site-to-Site VPN connection with a transit gateway.\]](http://docs.aws.amazon.com/vpn/latest/s2svpn/images/vpn-how-it-works-tgw.png)


For steps to set up this scenario, see [Get started with AWS Site-to-Site VPN](SetUpVPNConnections.md).

## Multiple Site-to-Site VPN connections
<a name="MultipleVPN"></a>

The VPC has an attached virtual private gateway, and you have multiple Site-to-Site VPN connections to multiple on-premises locations. You set up the routing so that any traffic from the VPC bound for your networks is routed to the virtual private gateway.

![\[Multiple Site-to-Site VPN layout\]](http://docs.aws.amazon.com/vpn/latest/s2svpn/images/branch-offices-vgw.png)


When you create multiple Site-to-Site VPN connections to a single VPC, you can configure a second customer gateway to create a redundant connection to the same external location. For more information, see [Redundant AWS Site-to-Site VPN connections for failover](vpn-redundant-connection.md).

You can also use this scenario to create Site-to-Site VPN connections to multiple geographic locations and provide secure communication between sites. For more information, see [Secure communication between AWS Site-to-Site VPN connections using VPN CloudHub](VPN_CloudHub.md).

## Multiple Site-to-Site VPN connections with a transit gateway
<a name="MultipleVPN-transit-gateway"></a>

The VPC has an attached transit gateway, and you have multiple Site-to-Site VPN connections to multiple on-premises locations. You set up the routing so that any traffic from the VPC bound for your networks is routed to the transit gateway.

![\[Multiple Site-to-Site VPN connections with a transit gateway\]](http://docs.aws.amazon.com/vpn/latest/s2svpn/images/branch-offices-tgw.png)


When you create multiple Site-to-Site VPN connections to a single transit gateway, you can configure a second customer gateway to create a redundant connection to the same external location.

You can also use this scenario to create Site-to-Site VPN connections to multiple geographic locations and provide secure communication between sites.

## Site-to-Site VPN connection with Direct Connect
<a name="vpn-direct-connect"></a>

The VPC has an attached virtual private gateway, and connects to your on-premises (remote) network through AWS Direct Connect. You can configure a Direct Connect public virtual interface to establish a dedicated network connection between your network and public AWS resources through a virtual private gateway. You set up the routing so that any traffic from the VPC bound for your network routes to the virtual private gateway and the Direct Connect connection.

![\[Site-to-Site VPN connection with Direct Connect\]](http://docs.aws.amazon.com/vpn/latest/s2svpn/images/vpn-direct-connect.png)


When both Direct Connect and the VPN connection are set up on the same virtual private gateway, adding or removing objects might cause the virtual private gateway to enter the ‘attaching’ state. This indicates a change is being made to internal routing that will switch between Direct Connect and the VPN connection to minimize interruptions and packet loss. When this is complete, the virtual private gateway returns to the ‘attached’ state.

## Private IP Site-to-Site VPN connection with Direct Connect
<a name="private-ip-direct-connect"></a>

With a private IP Site-to-Site VPN you can encrypt Direct Connect traffic between your on-premises network and AWS without the use of public IP addresses. Private IP VPN over Direct Connect ensures that traffic between AWS and on-premises networks is both secure and private, allowing customers to comply with regulatory and security mandates.

![\[Private IP Site-to-Site VPN connection with Direct Connect\]](http://docs.aws.amazon.com/vpn/latest/s2svpn/images/private-ip-dx.png)


For more information, see the following blog post: [Introducing AWS Site-to-Site VPN Private IP VPNs](https://aws.amazon.com/blogs/networking-and-content-delivery/introducing-aws-site-to-site-vpn-private-ip-vpns/).

# Secure communication between AWS Site-to-Site VPN connections using VPN CloudHub
<a name="VPN_CloudHub"></a>

If you have multiple AWS Site-to-Site VPN connections, you can provide secure communication between sites using the AWS VPN CloudHub. This enables your sites to communicate with each other, and not just with the resources in your VPC. The VPN CloudHub operates on a simple hub-and-spoke model that you can use with or without a VPC. This design is suitable if you have multiple branch offices and existing internet connections and would like to implement a convenient, potentially low-cost hub-and-spoke model for primary or backup connectivity between these sites.

## Overview
<a name="vpn-cloudhub-overview"></a>

The following diagram shows the VPN CloudHub architecture. The dashed lines show network traffic between remote sites being routed over the VPN connections. The sites must not have overlapping IP ranges.

![\[CloudHub architecture diagram\]](http://docs.aws.amazon.com/vpn/latest/s2svpn/images/AWS_VPN_CloudHub-diagram.png)


For this scenario, do the following:

1. Create a single virtual private gateway.

1. Create multiple customer gateways, each with the public IP address of the gateway. You must use a unique Border Gateway Protocol (BGP) Autonomous System Number (ASN) for each customer gateway. 

1. Create a dynamically routed Site-to-Site VPN connection from each customer gateway to the common virtual private gateway. 

1. Configure the customer gateway devices to advertise a site-specific prefix (such as 10.0.0.0/24, 10.0.1.0/24) to the virtual private gateway. These routing advertisements are received and re-advertised to each BGP peer, enabling each site to send data to and receive data from the other sites. This is done using the network statements in the VPN configuration files for the Site-to-Site VPN connection. The network statements differ slightly depending on the type of router you use.

1. Configure the routes in your subnet route tables to enable instances in your VPC to communicate with your sites. For more information, see [(Virtual private gateway) Enable route propagation in your route table](SetUpVPNConnections.md#vpn-configure-routing). You can configure an aggregate route in your route table (for example, 10.0.0.0/16). Use more specific prefixes between customer gateway devices and the virtual private gateway.
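The following script, added here as an example and not part of the AWS documentation, checks a planned CloudHub topology against the rules in steps 2, 4 and 5 before anything is created: a unique BGP ASN per customer gateway, no overlapping prefixes between different sites, and every advertised prefix more specific than the aggregate route in the VPC route table. Site names, ASNs and prefixes are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Spoke:
    """One customer gateway device in the planned CloudHub (constructed sample data)."""
    site: str
    asn: int
    prefixes: list  # site-specific prefixes the device will advertise over BGP


def validate_cloudhub(spokes, aggregate):
    """Return a list of rule violations; an empty list means the plan passes."""
    problems = []
    agg = ipaddress.ip_network(aggregate)

    # Rule: every customer gateway needs its own BGP ASN.
    asns = [s.asn for s in spokes]
    for asn in sorted(set(asns)):
        if asns.count(asn) > 1:
            sites = [s.site for s in spokes if s.asn == asn]
            problems.append(f"ASN {asn} reused by {sites}")

    # Rule: different sites must not advertise overlapping ranges, and each
    # advertised prefix must be more specific than the aggregate route.
    # Devices at the same site are allowed to advertise the same ranges
    # (that is the redundant-gateway pattern), so same-site overlap is skipped.
    nets = [(s.site, ipaddress.ip_network(p)) for s in spokes for p in s.prefixes]
    for i, (site_a, net_a) in enumerate(nets):
        if not net_a.subnet_of(agg) or net_a.prefixlen <= agg.prefixlen:
            problems.append(f"{site_a}: {net_a} is not more specific than aggregate {agg}")
        for site_b, net_b in nets[i + 1:]:
            if site_a != site_b and net_a.overlaps(net_b):
                problems.append(f"{site_a} {net_a} overlaps {site_b} {net_b}")
    return problems


# Constructed plans: the first follows the rules, the second reuses an ASN and
# lets Chicago overlap Miami's range.
SAMPLE_PLAN = [
    Spoke("Los Angeles", 65001, ["10.0.0.0/24"]),
    Spoke("Miami", 65002, ["10.0.1.0/24"]),
]
BAD_PLAN = SAMPLE_PLAN + [Spoke("Chicago", 65002, ["10.0.1.0/25"])]

if __name__ == "__main__":
    print(validate_cloudhub(SAMPLE_PLAN, "10.0.0.0/16"))
    print(validate_cloudhub(BAD_PLAN, "10.0.0.0/16"))
```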

Sites that use Direct Connect connections to the virtual private gateway can also be part of the AWS VPN CloudHub. For example, your corporate headquarters in New York can have a Direct Connect connection to the VPC and your branch offices can use Site-to-Site VPN connections to the VPC. The branch offices in Los Angeles and Miami can send and receive data with each other and with your corporate headquarters, all using the AWS VPN CloudHub.

## Pricing
<a name="vpn-cloudhub-pricing"></a>

To use AWS VPN CloudHub, you pay typical Amazon VPC Site-to-Site VPN connection rates. You are billed the connection rate for each hour that each VPN is connected to the virtual private gateway. When you send data from one site to another using the AWS VPN CloudHub, there is no cost to send data from your site to the virtual private gateway. You only pay standard AWS data transfer rates for data that is relayed from the virtual private gateway to your endpoint. 

For example, if you have a site in Los Angeles and a second site in New York and both sites have a Site-to-Site VPN connection to the virtual private gateway, you pay the per hour rate for each Site-to-Site VPN connection (so if the rate was \$1.05 per hour, it would be a total of \$1.10 per hour). You also pay the standard AWS data transfer rates for all data that you send from Los Angeles to New York (and vice versa) that traverses each Site-to-Site VPN connection. Network traffic sent over the Site-to-Site VPN connection to the virtual private gateway is free but network traffic sent over the Site-to-Site VPN connection from the virtual private gateway to the endpoint is billed at the standard AWS data transfer rate. 

For more information, see [Site-to-Site VPN Connection Pricing](http://aws.amazon.com/vpn/pricing/).

# Redundant AWS Site-to-Site VPN connections for failover
<a name="vpn-redundant-connection"></a>

To protect against a loss of connectivity in case your customer gateway device becomes unavailable, you can set up a second Site-to-Site VPN connection to your VPC and virtual private gateway by adding a second customer gateway device. By using redundant VPN connections and customer gateway devices, you can perform maintenance on one of your devices while traffic continues to flow over the second VPN connection. 

The following diagram shows two VPN connections. Each VPN connection has its own tunnels and its own customer gateway.

![\[Redundant VPN connections to two customer gateways for the same on-premises network.\]](http://docs.aws.amazon.com/vpn/latest/s2svpn/images/Multiple_Gateways_diagram.png)


For this scenario, do the following:
+ Set up a second Site-to-Site VPN connection by using the same virtual private gateway and creating a new customer gateway. The customer gateway IP address for the second Site-to-Site VPN connection must be publicly accessible.
+ Configure a second customer gateway device. Both devices should advertise the same IP ranges to the virtual private gateway. We use BGP routing to determine the path for traffic. If one customer gateway device fails, the virtual private gateway directs all traffic to the working customer gateway device.

Dynamically routed Site-to-Site VPN connections use the Border Gateway Protocol (BGP) to exchange routing information between your customer gateways and the virtual private gateways. Statically routed Site-to-Site VPN connections require you to enter static routes for the remote network on your side of the customer gateway. BGP-advertised and statically entered route information allow gateways on both sides to determine which tunnels are available and reroute traffic if a failure occurs. We recommend that you configure your network to use the routing information provided by BGP (if available) to select an available path. The exact configuration depends on the architecture of your network.
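A small model of the failover behaviour described above, added here as an example rather than AWS code: the virtual private gateway records the prefixes each customer gateway device advertises over BGP, answers a longest-prefix lookup only with devices whose tunnels are up, and so shifts traffic to the surviving device when the other one fails. Gateway names and prefixes are constructed.

```python
import ipaddress


class VirtualPrivateGateway:
    """Toy model of BGP-learned routes on a virtual private gateway (constructed example)."""

    def __init__(self):
        self.routes = {}   # ip_network -> set of customer gateway names advertising it
        self.down = set()  # customer gateways whose tunnels are currently down

    def advertise(self, cgw, prefixes):
        """Record the prefixes a customer gateway device advertises over BGP."""
        for p in prefixes:
            self.routes.setdefault(ipaddress.ip_network(p), set()).add(cgw)

    def fail(self, cgw):
        self.down.add(cgw)

    def recover(self, cgw):
        self.down.discard(cgw)

    def next_hops(self, dest_ip):
        """Longest-prefix match restricted to devices that still have a tunnel up.
        BGP path selection would then choose one device from the returned set."""
        ip = ipaddress.ip_address(dest_ip)
        live = [(net, cgws - self.down) for net, cgws in self.routes.items()
                if ip in net and cgws - self.down]
        if not live:
            return set()
        return max(live, key=lambda entry: entry[0].prefixlen)[1]


def failover_scenario():
    """Two redundant devices at one site advertise the same range; fail them in turn."""
    vgw = VirtualPrivateGateway()
    vgw.advertise("cgw-primary", ["10.0.0.0/24"])
    vgw.advertise("cgw-secondary", ["10.0.0.0/24"])
    vgw.advertise("cgw-branch", ["10.0.1.0/24"])  # a different site, for contrast
    before = vgw.next_hops("10.0.0.10")
    vgw.fail("cgw-primary")
    after = vgw.next_hops("10.0.0.10")
    vgw.fail("cgw-secondary")
    isolated = vgw.next_hops("10.0.0.10")
    branch = vgw.next_hops("10.0.1.5")  # the other site is unaffected
    return before, after, isolated, branch


if __name__ == "__main__":
    print(failover_scenario())
```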

For more information about creating and configuring a customer gateway and a Site-to-Site VPN connection, see [Get started with AWS Site-to-Site VPN](SetUpVPNConnections.md).