AWS Virtual Private Gateway

Complete Implementation Guide with Direct Connect Integration

AWS Networking

1. AWS Virtual Private Gateway Overview

graph TB
    subgraph "AWS Region"
        subgraph "VPC (10.0.0.0/16)"
            A[Private Subnet<br/>10.0.1.0/24]
            B[Public Subnet<br/>10.0.2.0/24]
            C[Database Subnet<br/>10.0.3.0/24]
        end
        VGW[Virtual Private Gateway<br/>vgw-12345678]
        CGW[Customer Gateway<br/>cgw-87654321]
        VGW --> A
        VGW --> B
        VGW --> C
    end
    subgraph "On-Premises Network"
        D[Corporate Network<br/>192.168.0.0/16]
        E[On-Premises Router<br/>203.0.113.12]
    end
    subgraph "VPN Connection"
        F[IPSec Tunnel 1<br/>169.254.10.1/30]
        G[IPSec Tunnel 2<br/>169.254.10.5/30]
    end
    E --> F
    E --> G
    F --> CGW
    G --> CGW
    CGW --> VGW
    style VGW fill:#FF9900,stroke:#333,stroke-width:3px,color:#fff
    style CGW fill:#667eea,stroke:#333,stroke-width:2px,color:#fff
    style F fill:#f9f,stroke:#333,stroke-width:2px
    style G fill:#f9f,stroke:#333,stroke-width:2px

Virtual Private Gateway Architecture Explanation

This diagram illustrates the fundamental architecture of AWS Virtual Private Gateway (VGW). The VGW serves as the AWS-side endpoint for VPN connections, acting as a bridge between your VPC and on-premises networks.

Key Components:

  • Virtual Private Gateway (VGW): The AWS-managed VPN concentrator that terminates VPN connections on the AWS side
  • Customer Gateway (CGW): Represents your on-premises VPN device configuration in AWS
  • VPN Connection: Contains two IPSec tunnels for redundancy, each with unique IP addresses
  • Route Propagation: Automatically propagates routes between on-premises and VPC networks

2. Direct Connect Integration Architecture

graph TB
    subgraph "AWS Region"
        subgraph "VPC-1 (10.0.0.0/16)"
            A1[App Subnet<br/>10.0.1.0/24]
            A2[DB Subnet<br/>10.0.2.0/24]
        end
        subgraph "VPC-2 (10.1.0.0/16)"
            B1[Web Subnet<br/>10.1.1.0/24]
            B2[Cache Subnet<br/>10.1.2.0/24]
        end
        VGW1[Virtual Private Gateway<br/>VPC-1]
        VGW2[Virtual Private Gateway<br/>VPC-2]
        subgraph "Direct Connect Gateway"
            DXGW[Direct Connect Gateway<br/>dxgw-12345678]
        end
        VGW1 --> DXGW
        VGW2 --> DXGW
    end
    subgraph "Direct Connect Location"
        DX[Direct Connect<br/>Connection<br/>1 Gbps]
        VLAN1[VLAN 100<br/>Transit VIF]
        VLAN2[VLAN 200<br/>Private VIF]
    end
    subgraph "On-Premises"
        CORP[Corporate Network<br/>192.168.0.0/16]
        RTR[Border Router<br/>BGP AS 65000]
    end
    subgraph "Backup VPN"
        CGW[Customer Gateway]
        VPN1[VPN Tunnel 1]
        VPN2[VPN Tunnel 2]
    end
    DXGW --> DX
    DX --> VLAN1
    DX --> VLAN2
    VLAN1 --> RTR
    VLAN2 --> RTR
    RTR --> CORP
    CGW --> VPN1
    CGW --> VPN2
    VPN1 --> VGW1
    VPN2 --> VGW1
    RTR --> CGW
    style DXGW fill:#FF9900,stroke:#333,stroke-width:3px,color:#fff
    style DX fill:#4CAF50,stroke:#333,stroke-width:3px,color:#fff
    style VGW1 fill:#2196F3,stroke:#333,stroke-width:2px,color:#fff
    style VGW2 fill:#2196F3,stroke:#333,stroke-width:2px,color:#fff

Direct Connect Gateway Integration Explanation

This advanced architecture shows how Virtual Private Gateways integrate with AWS Direct Connect through a Direct Connect Gateway, providing dedicated network connectivity with VPN backup.

Integration Benefits:

  • Centralized Connectivity: Direct Connect Gateway allows multiple VPCs to share a single Direct Connect connection
  • High Bandwidth: Direct Connect provides dedicated bandwidth (1 Gbps to 100 Gbps)
  • Lower Latency: Consistent network performance compared to internet-based VPN
  • Hybrid Redundancy: VPN serves as backup when Direct Connect experiences issues
  • Cost Optimization: Reduces data transfer costs for high-volume workloads

sequenceDiagram
    participant OnPrem as On-Premises Router
    participant DX as Direct Connect
    participant DXGW as DX Gateway
    participant VGW as Virtual Private Gateway
    participant VPC as VPC Resources
    participant CGW as Customer Gateway (VPN Backup)
    Note over OnPrem,VPC: Primary Path via Direct Connect
    OnPrem->>DX: BGP Route Advertisement (192.168.0.0/16)
    DX->>DXGW: Forward BGP Routes
    DXGW->>VGW: Propagate Routes to VGW
    VGW->>VPC: Install Routes in Route Tables
    Note over OnPrem,VPC: Traffic Flow
    VPC->>VGW: Traffic to 192.168.0.0/16
    VGW->>DXGW: Route via DX Gateway
    DXGW->>DX: Forward via Direct Connect
    DX->>OnPrem: Deliver to On-Premises
    Note over OnPrem,VPC: Failover Scenario
    DX--xDXGW: Direct Connect Failure
    OnPrem->>CGW: Failover to VPN Backup
    CGW->>VGW: VPN Tunnel Active
    VGW->>VPC: Update Route Tables

Traffic Flow and Failover Sequence

This sequence diagram demonstrates the traffic flow through Direct Connect and the automatic failover mechanism to VPN backup.

Flow Details:

  • Route Advertisement: BGP dynamically advertises network prefixes between on-premises and AWS
  • Primary Path: Traffic flows through Direct Connect for optimal performance
  • Automatic Failover: When Direct Connect fails, traffic automatically switches to VPN backup
  • Route Preference: Direct Connect routes have higher preference than VPN routes

3. Command Setup Flow

Complete Setup Command Flow

Step 1: Create Customer Gateway → Define on-premises endpoint
Step 2: Create Virtual Private Gateway → AWS-side VPN concentrator
Step 3: Attach VGW to VPC → Connect gateway to your VPC
Step 4: Create VPN Connection → Establish encrypted tunnels
Step 5: Configure Route Tables → Enable traffic flow
Step 6: Create Direct Connect Gateway → (Optional) For DX integration
graph TD
    A[Start Setup] --> B[Create Customer Gateway<br/>aws ec2 create-customer-gateway]
    B --> C[Create Virtual Private Gateway<br/>aws ec2 create-vpn-gateway]
    C --> D[Attach VGW to VPC<br/>aws ec2 attach-vpn-gateway]
    D --> E[Create VPN Connection<br/>aws ec2 create-vpn-connection]
    E --> F[Download VPN Config<br/>aws ec2 describe-vpn-connections]
    F --> G[Configure Route Tables<br/>aws ec2 create-route]
    G --> H[Enable Route Propagation<br/>aws ec2 enable-vgw-route-propagation]
    H --> I{Direct Connect?}
    I -->|Yes| J[Create DX Gateway<br/>aws directconnect create-direct-connect-gateway]
    I -->|No| K[Setup Complete]
    J --> L[Associate VGW with DXGW<br/>aws directconnect create-direct-connect-gateway-association]
    L --> K
    style A fill:#4CAF50,stroke:#333,stroke-width:2px,color:#fff
    style K fill:#FF5722,stroke:#333,stroke-width:2px,color:#fff
    style B fill:#2196F3,stroke:#333,stroke-width:2px,color:#fff
    style C fill:#FF9900,stroke:#333,stroke-width:2px,color:#fff
    style E fill:#9C27B0,stroke:#333,stroke-width:2px,color:#fff

Setup Command Flow Explanation

This flowchart shows the logical sequence of AWS CLI commands needed to establish a complete VPN and Direct Connect integration.

Command Dependencies:

  • Sequential Dependencies: Each step depends on outputs from previous commands
  • Resource IDs: Commands use resource IDs returned from previous operations
  • Conditional Paths: Direct Connect setup is optional but recommended for production
  • Validation Points: Each step should be verified before proceeding
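The validation points above are the part most setup scripts skip: each create call returns a resource in a transitional state ("pending", "attaching", "associating"), and the next command fails if it runs before that state resolves. The following is an added example, not code from the original guide, of a small polling helper that waits for a gateway, attachment or association to become ready and fails fast when it reaches a terminal state instead. It assumes the AWS CLI is installed and authenticated for the real fetcher; the demo at the bottom feeds a constructed state sequence so it runs offline. The state names are the ones the EC2 and Direct Connect APIs report.

```python
"""Wait for an AWS resource to leave its transitional state before the next step.

Added example, not from the original guide. It assumes the AWS CLI is on PATH
and that the caller's credentials can describe the resource; the demo at the
bottom feeds a constructed, offline state sequence instead of calling AWS.
"""
from __future__ import annotations

import json
import subprocess
import time
from typing import Callable, Iterable


class ResourceFailed(Exception):
    """The resource reached a terminal state that will never become ready."""


class PollTimeout(Exception):
    """The resource did not reach a ready state within the allowed time."""


def cli_state_fetcher(describe_cmd: list[str], query: str) -> Callable[[], str]:
    """Build a fetch() that runs one AWS CLI describe command and returns a state string.

    describe_cmd is the command without --query/--output, for example
    ["aws", "ec2", "describe-vpn-gateways", "--vpn-gateway-ids", "vgw-0987654321fedcba0"]
    with query "VpnGateways[0].State".
    """
    def fetch() -> str:
        result = subprocess.run(
            describe_cmd + ["--query", query, "--output", "json"],
            check=True, capture_output=True, text=True,
        )
        return json.loads(result.stdout)
    return fetch


def wait_for_state(fetch: Callable[[], str], ready: Iterable[str], failed: Iterable[str],
                   timeout: float = 600.0, interval: float = 10.0,
                   sleep: Callable[[float], None] = time.sleep) -> tuple[str, int]:
    """Poll fetch() until it returns a state in `ready`.

    Raises ResourceFailed as soon as a state in `failed` appears (a deleted or
    detached gateway will never become available, so waiting is pointless) and
    PollTimeout once `timeout` seconds of waiting have elapsed. Returns the
    final state and the number of polls it took, for logging.
    """
    ready_states, failed_states = set(ready), set(failed)
    polls, waited = 0, 0.0
    while True:
        state = fetch()
        polls += 1
        if state in ready_states:
            return state, polls
        if state in failed_states:
            raise ResourceFailed(f"terminal state {state!r} after {polls} polls")
        if waited >= timeout:
            raise PollTimeout(f"still {state!r} after {waited:.0f}s")
        sleep(interval)
        waited += interval


def scripted_fetcher(states: list[str]) -> Callable[[], str]:
    """Offline stand-in for cli_state_fetcher: returns the constructed states in order,
    then keeps returning the last one."""
    remaining = list(states)

    def fetch() -> str:
        return remaining.pop(0) if len(remaining) > 1 else remaining[0]
    return fetch


# Ready / terminal state names per resource type, as the EC2 and Direct Connect APIs report them.
VGW_READY, VGW_FAILED = {"available"}, {"deleting", "deleted"}
ATTACHMENT_READY, ATTACHMENT_FAILED = {"attached"}, {"detaching", "detached"}
DXGW_ASSOCIATION_READY, DXGW_ASSOCIATION_FAILED = {"associated"}, {"disassociating", "disassociated"}

if __name__ == "__main__":
    # Constructed sequence standing in for repeated describe-vpn-gateways calls.
    demo = scripted_fetcher(["pending", "pending", "available"])
    print(wait_for_state(demo, VGW_READY, VGW_FAILED, interval=0, sleep=lambda _: None))
```

In a real run, replace the scripted fetcher with `cli_state_fetcher(["aws", "ec2", "describe-vpn-gateways", "--vpn-gateway-ids", "<vgw-id>"], "VpnGateways[0].State")` after Step 2, and the equivalent describe-direct-connect-gateway-associations query after Step 9; the timeout should be generous, since Direct Connect gateway associations can take well over ten minutes.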

4. Detailed Configuration Commands

Step 1: Create Customer Gateway

aws ec2 create-customer-gateway \
    --type ipsec.1 \
    --public-ip 203.0.113.12 \
    --bgp-asn 65000 \
    --tag-specifications 'ResourceType=customer-gateway,Tags=[{Key=Name,Value=OnPremises-CGW},{Key=Environment,Value=Production}]'
{
    "CustomerGateway": {
        "CustomerGatewayId": "cgw-0123456789abcdef0",
        "State": "available",
        "Type": "ipsec.1",
        "IpAddress": "203.0.113.12",
        "BgpAsn": 65000,
        "Tags": [
            { "Key": "Name", "Value": "OnPremises-CGW" },
            { "Key": "Environment", "Value": "Production" }
        ]
    }
}
Customer Gateway Configuration Parameters

--type: Must be "ipsec.1" for IPSec VPN connections. This is currently the only supported type.

--public-ip: The internet-routable IP address of your on-premises VPN device. This must be a static IP address.

--bgp-asn: Border Gateway Protocol Autonomous System Number. Use 65000-65534 for private ASNs, or your public ASN if you have one.

Alternative Options: You can use --device-name to specify the VPN device model for optimized configuration downloads.

Step 2: Create Virtual Private Gateway

aws ec2 create-vpn-gateway \
    --type ipsec.1 \
    --amazon-side-asn 64512 \
    --tag-specifications 'ResourceType=vpn-gateway,Tags=[{Key=Name,Value=Production-VGW},{Key=Environment,Value=Production}]'
{
    "VpnGateway": {
        "VpnGatewayId": "vgw-0987654321fedcba0",
        "State": "pending",
        "Type": "ipsec.1",
        "AmazonSideAsn": 64512,
        "Tags": [
            { "Key": "Name", "Value": "Production-VGW" },
            { "Key": "Environment", "Value": "Production" }
        ]
    }
}
Virtual Private Gateway Configuration Parameters

--type: Specifies "ipsec.1" for IPSec VPN connections.

--amazon-side-asn: The BGP ASN used on the AWS side of the connection. The default is 64512; you can specify any private ASN in the 64512-65534 range.

State Management: The gateway starts in "pending" state and transitions to "available" when ready.

Next Step: Wait for the state to become "available" before attaching to VPC.

Step 3: Attach VGW to VPC

aws ec2 attach-vpn-gateway \
    --vpn-gateway-id vgw-0987654321fedcba0 \
    --vpc-id vpc-12345678
{
    "VpcAttachment": {
        "State": "attaching",
        "VpcId": "vpc-12345678"
    }
}
VGW Attachment Process

--vpn-gateway-id: The VGW ID returned from the previous create-vpn-gateway command.

--vpc-id: Target VPC where the VGW will be attached. Each VGW can attach to only one VPC at a time.

State Transition: Attachment state progresses from "attaching" to "attached".

Important Note: Once attached, the VGW becomes available for route propagation and VPN connections.

Step 4: Create VPN Connection

aws ec2 create-vpn-connection \
    --type ipsec.1 \
    --customer-gateway-id cgw-0123456789abcdef0 \
    --vpn-gateway-id vgw-0987654321fedcba0 \
    --options StaticRoutesOnly=false \
    --tag-specifications 'ResourceType=vpn-connection,Tags=[{Key=Name,Value=Production-VPN},{Key=Environment,Value=Production}]'
{
    "VpnConnection": {
        "VpnConnectionId": "vpn-0abcdef1234567890",
        "State": "pending",
        "Type": "ipsec.1",
        "CustomerGatewayId": "cgw-0123456789abcdef0",
        "VpnGatewayId": "vgw-0987654321fedcba0",
        "Options": {
            "StaticRoutesOnly": false
        },
        "VgwTelemetry": [
            {
                "OutsideIpAddress": "203.0.113.100",
                "Status": "DOWN",
                "LastStatusChange": "2025-07-02T10:00:00Z",
                "StatusMessage": "IPSEC IS DOWN",
                "AcceptedRouteCount": 0
            },
            {
                "OutsideIpAddress": "203.0.113.101",
                "Status": "DOWN",
                "LastStatusChange": "2025-07-02T10:00:00Z",
                "StatusMessage": "IPSEC IS DOWN",
                "AcceptedRouteCount": 0
            }
        ]
    }
}
VPN Connection Configuration

--options StaticRoutesOnly=false: Enables BGP for dynamic routing. Set to true if you prefer static routes.

VgwTelemetry: Shows the status of both IPSec tunnels. Both report DOWN until the on-premises device is configured.

Tunnel Redundancy: AWS provides two tunnels with different outside IP addresses for high availability.

Next Step: Download VPN configuration for your on-premises device.

Step 5: Download VPN Configuration

aws ec2 describe-vpn-connections \
    --vpn-connection-ids vpn-0abcdef1234567890 \
    --query 'VpnConnections[0].CustomerGatewayConfiguration' \
    --output text > vpn-config.txt
VPN Configuration Download

CustomerGatewayConfiguration: Contains device-specific configuration for popular VPN devices including Cisco, Juniper, and pfSense.

Configuration Contents: Includes pre-shared keys, tunnel IP addresses, and BGP settings.

Security Note: Store this configuration securely as it contains sensitive authentication information.

Step 6: Configure Route Tables

aws ec2 create-route \
    --route-table-id rtb-12345678 \
    --destination-cidr-block 192.168.0.0/16 \
    --gateway-id vgw-0987654321fedcba0
{ "Return": true }
Static Route Configuration

--destination-cidr-block: On-premises network CIDR that should be routed through the VGW.

--gateway-id: The VGW that will handle traffic to the destination network.

Route Priority: The VPC router uses longest-prefix match, so a more specific route takes precedence over a less specific one.

Step 7: Enable Route Propagation (BGP)

aws ec2 enable-vgw-route-propagation \
    --route-table-id rtb-12345678 \
    --gateway-id vgw-0987654321fedcba0
{ "Return": true }
Route Propagation Configuration

Dynamic Routing: Enables automatic route updates via BGP protocol.

Route Table Updates: On-premises routes are automatically added to the specified route table.

Advantage: No manual route updates needed when on-premises networks change.

Monitoring: Use describe-route-tables to verify propagated routes.
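Steps 6 and 7 together decide whether on-premises traffic actually reaches the VGW, and the guide's advice to verify with describe-route-tables is easier to act on with a check that reads that output. The following is an added example, not code from the original guide, that implements the longest-prefix rule from Step 6 over a route table and audits the table against this guide's design: propagation enabled for the VGW, the on-premises CIDR routed via the VGW, no overlap between on-premises and VPC address space (an overlap is silently shadowed by the local route), and no blackholed VGW routes. The route table is constructed to mirror the shape of `aws ec2 describe-route-tables` output; it was not captured from an account.

```python
"""Audit a VPC route table for the hybrid design in this guide.

Added example, not from the original guide. The table is constructed to mirror
the shape of `aws ec2 describe-route-tables` output (RouteTables[].Routes[]
and PropagatingVgws[]); it was not captured from a real account.
"""
from __future__ import annotations

import ipaddress

# Constructed sample: the VPC's local route, an internet route, the static
# on-premises route from Step 6 and one prefix learned via BGP after Step 7.
SAMPLE_ROUTE_TABLE = {
    "RouteTableId": "rtb-12345678",
    "VpcId": "vpc-12345678",
    "PropagatingVgws": [{"GatewayId": "vgw-0987654321fedcba0"}],
    "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local",
         "Origin": "CreateRouteTable", "State": "active"},
        {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-11111111",
         "Origin": "CreateRoute", "State": "active"},
        {"DestinationCidrBlock": "192.168.0.0/16", "GatewayId": "vgw-0987654321fedcba0",
         "Origin": "CreateRoute", "State": "active"},
        {"DestinationCidrBlock": "192.168.10.0/24", "GatewayId": "vgw-0987654321fedcba0",
         "Origin": "EnableVgwRoutePropagation", "State": "active"},
    ],
}


def _active_ipv4_routes(table: dict):
    """Yield (network, route) for active IPv4 CIDR routes; IPv6 and prefix-list routes are skipped."""
    for route in table.get("Routes", []):
        cidr = route.get("DestinationCidrBlock")
        if cidr and route.get("State") == "active":
            yield ipaddress.ip_network(cidr), route


def covering_route(table: dict, prefix):
    """Most specific active route whose destination contains the whole prefix."""
    prefix = ipaddress.ip_network(prefix)
    best = None
    for net, route in _active_ipv4_routes(table):
        if net.supernet_of(prefix) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route)
    return None if best is None else best[1]


def select_route(table: dict, destination_ip: str):
    """Longest-prefix match for a single host, as the VPC router resolves it."""
    return covering_route(table, ipaddress.ip_network(destination_ip))


def audit_hybrid_routes(table: dict, vpc_cidr: str, onprem_cidrs, vgw_id: str) -> list[str]:
    """Return findings; an empty list means the table matches the guide's design."""
    findings = []
    vpc = ipaddress.ip_network(vpc_cidr)
    propagating = {g["GatewayId"] for g in table.get("PropagatingVgws", [])}
    if vgw_id not in propagating:
        findings.append(f"route propagation from {vgw_id} is not enabled on {table['RouteTableId']}")
    for cidr in onprem_cidrs:
        onprem = ipaddress.ip_network(cidr)
        if onprem.overlaps(vpc):
            findings.append(f"on-premises {onprem} overlaps VPC {vpc}; the local route shadows part of it")
        route = covering_route(table, onprem)
        if route is None or route.get("GatewayId") != vgw_id:
            via = route.get("GatewayId") if route else "nothing"
            findings.append(f"{onprem} is routed via {via}, not {vgw_id}")
    for route in table.get("Routes", []):
        if route.get("GatewayId") == vgw_id and route.get("State") == "blackhole":
            findings.append(f"{route.get('DestinationCidrBlock')} via {vgw_id} is blackholed (gateway detached?)")
    return findings


if __name__ == "__main__":
    for ip in ("192.168.10.5", "192.168.200.1", "10.0.1.20", "8.8.8.8"):
        r = select_route(SAMPLE_ROUTE_TABLE, ip)
        print(f"{ip:15} -> {r['DestinationCidrBlock']:16} via {r['GatewayId']} ({r['Origin']})")
    print(audit_hybrid_routes(SAMPLE_ROUTE_TABLE, "10.0.0.0/16", ["192.168.0.0/16"], "vgw-0987654321fedcba0"))
```

Feeding real output is a matter of `aws ec2 describe-route-tables --route-table-ids rtb-... --output json` and passing `RouteTables[0]` to the audit; the constructed sample shows the /24 learned over BGP winning over the static /16 for 192.168.10.5 and the static /16 still carrying the rest of the on-premises range.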

Step 8: Direct Connect Gateway (Optional)

aws directconnect create-direct-connect-gateway \
    --direct-connect-gateway-name Production-DXGW \
    --amazon-side-asn 64512
{
    "directConnectGateway": {
        "directConnectGatewayId": "dxgw-0123456789abcdef0",
        "directConnectGatewayName": "Production-DXGW",
        "amazonSideAsn": 64512,
        "ownerAccount": "123456789012",
        "directConnectGatewayState": "pending"
    }
}
Direct Connect Gateway Configuration

--amazon-side-asn: Should match your VGW ASN for consistent BGP operations.

Cross-Account: DX Gateway can be shared across multiple AWS accounts.

Scalability: Single DX Gateway can connect to multiple VPCs and Direct Connect connections.

Step 9: Associate VGW with Direct Connect Gateway

aws directconnect create-direct-connect-gateway-association \
    --direct-connect-gateway-id dxgw-0123456789abcdef0 \
    --gateway-id vgw-0987654321fedcba0 \
    --add-allowed-prefixes-to-direct-connect-gateway cidr=10.0.0.0/16
{
    "directConnectGatewayAssociation": {
        "directConnectGatewayId": "dxgw-0123456789abcdef0",
        "directConnectGatewayOwnerAccount": "123456789012",
        "associationState": "associating",
        "associatedGateway": {
            "id": "vgw-0987654321fedcba0",
            "type": "virtualPrivateGateway",
            "ownerAccount": "123456789012"
        },
        "allowedPrefixesToDirectConnectGateway": [
            { "cidr": "10.0.0.0/16" }
        ]
    }
}
VGW-DXGW Association

--gateway-id: The VGW to associate with the Direct Connect gateway. The private virtual interface is attached to the Direct Connect gateway when the VIF itself is created, not on this command.

--add-allowed-prefixes-to-direct-connect-gateway: Specifies which VPC CIDRs are advertised to on-premises through Direct Connect.

Association State: Progresses from "associating" to "associated".

Route Control: Provides granular control over route advertisement.

Final Step: This completes the hybrid connectivity setup with both VPN and Direct Connect options.

5. Monitoring & Verification

graph LR
    subgraph "Monitoring Commands"
        A[describe-vpn-connections<br/>Check tunnel status]
        B[describe-route-tables<br/>Verify routes]
        C[describe-vpn-gateways<br/>Check VGW state]
        D[describe-customer-gateways<br/>Verify CGW config]
    end
    subgraph "CloudWatch Metrics"
        E[VPN Tunnel State]
        F[VPN Connection State]
        G[Tunnel IP Addresses]
    end
    subgraph "Troubleshooting"
        H[BGP Route Count]
        I[Tunnel Telemetry]
        J[Error Messages]
        K[Last Status Change]
    end
    A --> E
    A --> I
    B --> H
    C --> F
    D --> G
    E --> J
    F --> K
    style A fill:#4CAF50,stroke:#333,stroke-width:2px,color:#fff
    style E fill:#FF9900,stroke:#333,stroke-width:2px,color:#fff
    style H fill:#2196F3,stroke:#333,stroke-width:2px,color:#fff

Monitoring and Troubleshooting Framework

This diagram shows the essential monitoring commands and their relationships to CloudWatch metrics and troubleshooting data points.

Monitoring Best Practices:

  • Regular Health Checks: Monitor tunnel status and BGP route counts
  • Automated Alerts: Set up CloudWatch alarms for tunnel failures
  • Performance Monitoring: Track latency and throughput metrics
  • Log Analysis: Review VPN logs for connection issues

Essential Monitoring Commands

aws ec2 describe-vpn-connections \
    --vpn-connection-ids vpn-0abcdef1234567890 \
    --query 'VpnConnections[0].VgwTelemetry[*].[OutsideIpAddress,Status,AcceptedRouteCount,LastStatusChange]' \
    --output table
------------------------------------------------------------
|                  DescribeVpnConnections                  |
+------------------+-------+--------------------+----------+
|  203.0.113.100   |  UP   |  5                 |2025-07-02|
|  203.0.113.101   |  UP   |  5                 |2025-07-02|
+------------------+-------+--------------------+----------+
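The table above tells you whether the tunnels are up at the moment you look; the monitoring best practices call for automated alerting, and the condition worth paging on is usually lost redundancy (one tunnel down, or a tunnel that is UP but has accepted no BGP routes) rather than only a full outage. The following is an added example, not code from the original guide, that grades the same `describe-vpn-connections` JSON and returns a severity and the reasons behind it, so it can run from cron or a Lambda and exit non-zero. It assumes BGP routing as configured in Step 4 (the `bgp` flag turns off the route-count check for static-route connections); the sample telemetry and the clock are constructed to mirror the guide's output, with one tunnel healthy and one down.

```python
"""Classify VPN tunnel health from describe-vpn-connections output.

Added example, not part of the original guide. It reads the JSON that
`aws ec2 describe-vpn-connections --output json` prints and grades each
connection so a cron job or Lambda can alert on lost redundancy, not only
on a full outage. SAMPLE_DESCRIBE_OUTPUT and NOW are constructed to mirror
the guide's sample telemetry; they were not captured from an account.
"""
from __future__ import annotations

import json
import sys
from datetime import datetime, timedelta, timezone

SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "VpnConnections": [{
        "VpnConnectionId": "vpn-0abcdef1234567890",
        "State": "available",
        "VgwTelemetry": [
            {"OutsideIpAddress": "203.0.113.100", "Status": "UP",
             "LastStatusChange": "2025-07-02T10:00:00Z", "StatusMessage": "",
             "AcceptedRouteCount": 5},
            {"OutsideIpAddress": "203.0.113.101", "Status": "DOWN",
             "LastStatusChange": "2025-07-02T11:30:00Z", "StatusMessage": "IPSEC IS DOWN",
             "AcceptedRouteCount": 0},
        ],
    }]
})
NOW = datetime(2025, 7, 2, 12, 0, tzinfo=timezone.utc)  # constructed "current time" for the sample


def parse_aws_time(value: str) -> datetime:
    """Accept both the 'Z' suffix and the '+00:00' form the CLI emits."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assess_connection(vpn: dict, now: datetime, bgp: bool = True,
                      flap_window: timedelta = timedelta(minutes=15)) -> tuple[str, list[str]]:
    """Return ("OK" | "WARN" | "CRITICAL", reasons).

    With BGP a tunnel only carries traffic once routes are accepted, so an UP
    tunnel with AcceptedRouteCount 0 is not counted as usable.
    """
    reasons = []
    tunnels = vpn.get("VgwTelemetry", [])
    if vpn.get("State") != "available":
        reasons.append(f"connection state is {vpn.get('State')!r}")
    usable = 0
    for t in tunnels:
        ip, status = t.get("OutsideIpAddress"), t.get("Status")
        if status != "UP":
            reasons.append(f"tunnel {ip} is {status}: {t.get('StatusMessage') or 'no message'}")
        elif bgp and t.get("AcceptedRouteCount", 0) == 0:
            reasons.append(f"tunnel {ip} is UP but has accepted 0 BGP routes")
        else:
            usable += 1
        if "LastStatusChange" in t and now - parse_aws_time(t["LastStatusChange"]) < flap_window:
            reasons.append(f"tunnel {ip} changed state within the last {flap_window}; possible flapping")
    counts = {t.get("AcceptedRouteCount") for t in tunnels if t.get("Status") == "UP"}
    if bgp and len(counts) > 1:
        reasons.append(f"UP tunnels accept different route counts {sorted(counts)}; failover would change reachability")
    if usable < 2:
        reasons.append(f"only {usable} of {len(tunnels)} tunnels usable; no redundancy")
    if usable == 0:
        return "CRITICAL", reasons
    return ("WARN" if reasons else "OK"), reasons


def assess_from_cli_json(text: str, now: datetime, bgp: bool = True) -> dict[str, tuple[str, list[str]]]:
    """Grade every connection in a describe-vpn-connections response, keyed by VpnConnectionId."""
    data = json.loads(text)
    return {c["VpnConnectionId"]: assess_connection(c, now, bgp) for c in data.get("VpnConnections", [])}


EXIT_CODES = {"OK": 0, "WARN": 1, "CRITICAL": 2}

if __name__ == "__main__":
    # Usage: aws ec2 describe-vpn-connections --output json | python vpn_health.py
    # With nothing piped in, the constructed sample is graded instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else ""
    if text.strip():
        report = assess_from_cli_json(text, datetime.now(timezone.utc))
    else:
        report = assess_from_cli_json(SAMPLE_DESCRIBE_OUTPUT, NOW)
    worst = "OK"
    for vpn_id, (severity, reasons) in report.items():
        print(f"{vpn_id}: {severity}")
        for reason in reasons:
            print(f"  - {reason}")
        worst = max(worst, severity, key=EXIT_CODES.get)
    sys.exit(EXIT_CODES[worst])
```

The exit code maps directly onto a CloudWatch alarm or a monitoring agent's check status; for the constructed sample the result is WARN, with the DOWN tunnel and the loss of redundancy as the two reasons.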

🎯 Key Takeaways

AWS Virtual Private Gateway provides secure, scalable connectivity between your on-premises infrastructure and AWS VPCs. The integration with Direct Connect offers enhanced performance and reliability for production workloads.

Production Recommendations:

  • Always configure both VPN tunnels for high availability
  • Use BGP for dynamic routing in production environments
  • Implement Direct Connect with VPN backup for critical workloads
  • Monitor tunnel health and route propagation regularly
  • Test failover scenarios in non-production environments