AWS VPN Cloud Hub Implementation Guide

Overview

AWS VPN Cloud Hub lets you connect multiple remote networks to a single Virtual Private Gateway (VGW) over IPsec VPN connections. In this hub-and-spoke model the VGW re-advertises each site's prefixes to every other site, so branch offices and remote locations can reach each other through AWS without a full mesh of site-to-site tunnels. Two constraints follow from that design and come up repeatedly below: every customer gateway needs its own BGP ASN, and the sites must not have overlapping address space. The result is a scalable and cost-effective network architecture in which the hub, not the branch devices, carries the inter-site routing state.

Architecture Overview

graph TB
    subgraph "AWS Cloud"
        VGW["Virtual Private Gateway<br/>(VPN Hub)"]
        VPC["VPC<br/>10.0.0.0/16"]
        IGW["Internet Gateway"]
        RT["Route Table"]
        VGW ---|Attached| VPC
        VPC ---|Connected| IGW
        VPC ---|Uses| RT
    end
    subgraph "Branch Office 1"
        CGW1["Customer Gateway 1<br/>Public IP: 203.0.113.10"]
        LAN1["Local Network<br/>192.168.1.0/24"]
        CGW1 ---|Serves| LAN1
    end
    subgraph "Branch Office 2"
        CGW2["Customer Gateway 2<br/>Public IP: 203.0.113.20"]
        LAN2["Local Network<br/>192.168.2.0/24"]
        CGW2 ---|Serves| LAN2
    end
    subgraph "Remote Office"
        CGW3["Customer Gateway 3<br/>Public IP: 203.0.113.30"]
        LAN3["Local Network<br/>192.168.3.0/24"]
        CGW3 ---|Serves| LAN3
    end
    CGW1 -.->|IPsec VPN| VGW
    CGW2 -.->|IPsec VPN| VGW
    CGW3 -.->|IPsec VPN| VGW
    style VGW fill:#ff9a56
    style VPC fill:#74b9ff
    style CGW1 fill:#a8e6cf
    style CGW2 fill:#a8e6cf
    style CGW3 fill:#a8e6cf
Architecture Explanation: This diagram shows the AWS VPN Cloud Hub architecture where multiple branch offices connect to a central Virtual Private Gateway in AWS. Each branch office has its own Customer Gateway that establishes an IPsec VPN tunnel to the VGW. The VGW acts as the central hub, enabling communication between all connected sites. Traffic between branch offices flows through the AWS backbone, providing reliable and secure connectivity.

Detailed Network Flow

sequenceDiagram
    participant B1 as Branch Office 1<br/>(192.168.1.0/24)
    participant CGW1 as Customer Gateway 1
    participant AWS as AWS VPN Hub<br/>(Virtual Private Gateway)
    participant CGW2 as Customer Gateway 2
    participant B2 as Branch Office 2<br/>(192.168.2.0/24)
    Note over B1,B2: Inter-Branch Communication Flow
    B1->>CGW1: Send packet to 192.168.2.100
    CGW1->>AWS: Encrypt & send over the site 1 VPN connection
    Note over AWS: Decrypt, route on the inner IP header<br/>using BGP-learned routes
    AWS->>CGW2: Re-encrypt & send over the site 2 VPN connection
    CGW2->>B2: Decrypt & deliver packet
    Note over B1,B2: Response Flow
    B2->>CGW2: Response packet
    CGW2->>AWS: Encrypt & send over the site 2 VPN connection
    AWS->>CGW1: Re-encrypt & send over the site 1 VPN connection
    CGW1->>B1: Decrypt & deliver response
Network Flow Explanation: This sequence diagram illustrates how traffic flows between branch offices through the AWS VPN Cloud Hub. When Branch Office 1 sends a packet to Branch Office 2, Customer Gateway 1 encrypts it and sends it through its tunnel to AWS. The Virtual Private Gateway terminates both sites' IPsec tunnels: it decrypts the packet, makes a routing decision on the inner IP header against the routes it learned over BGP, and re-encrypts it for the tunnel to Customer Gateway 2, which decrypts and delivers it. Encryption is therefore per hop (site to hub, hub to site) rather than end to end between the two sites, and the hub sees the inner packets in the clear. The response follows the reverse path.

Implementation Command Flow

graph TD
    A[1. Create VPC] --> B["2. Create Internet Gateway (optional)"]
    B --> C[3. Create Customer Gateways]
    C --> D[4. Create Virtual Private Gateway]
    D --> E[5. Attach VGW to VPC]
    E --> F[6. Create VPN Connections]
    F --> G[7. Configure Route Propagation]
    G --> H[8. Update Route Tables]
    H --> I[9. Configure Customer Gateway Devices]
    I --> J[10. Verify Connectivity]
    style A fill:#ff9a56
    style D fill:#74b9ff
    style F fill:#a8e6cf
    style J fill:#fd79a8
Command Flow Explanation: This flowchart shows the sequential steps required to implement AWS VPN Cloud Hub. Each step builds on the previous one: the VPC first, then the hub (the Virtual Private Gateway) and the spokes (Customer Gateways and VPN Connections), then routing, and finally the on-premises devices, after which the tunnels come up and connectivity can be verified. The Internet Gateway is only needed if resources inside the VPC must reach the internet themselves; the VPN tunnels terminate on AWS-managed endpoints that do not depend on it. Customer Gateways and the Virtual Private Gateway can be created in either order; only the VPN connections require both to exist.

Route Propagation Architecture

graph LR
    subgraph "Route Propagation Flow"
        VGW["Virtual Private Gateway<br/>Route Propagation Enabled"]
        RT1["Main Route Table"]
        RT2["Custom Route Table"]
        subgraph "Propagated Routes"
            R1["192.168.1.0/24 → CGW1"]
            R2["192.168.2.0/24 → CGW2"]
            R3["192.168.3.0/24 → CGW3"]
        end
        VGW -->|Auto-propagates| RT1
        VGW -->|Auto-propagates| RT2
        RT1 --> R1
        RT1 --> R2
        RT1 --> R3
        RT2 --> R1
        RT2 --> R2
        RT2 --> R3
    end
    style VGW fill:#ff9a56
    style RT1 fill:#74b9ff
    style RT2 fill:#74b9ff
Route Propagation Explanation: This diagram shows how BGP route propagation works in VPN Cloud Hub. Each Customer Gateway advertises its local prefixes over BGP; the Virtual Private Gateway installs them and, because this is a Cloud Hub, re-advertises every site's prefixes to the other sites. When route propagation is enabled on a VPC route table, the same BGP-learned routes are also written into that table with the VGW as the target, so VPC resources can reach the sites. Propagation is per route table: only the tables on which it is enabled receive the routes. This eliminates manual route management and keeps routing current as networks are added or changed.

Step-by-Step Implementation

Prerequisites

Before starting:
  1. Create the VPC
    aws ec2 create-vpc --cidr-block 10.0.0.0/16 --tag-specifications 'ResourceType=vpc,Tags=[{Key=Name,Value=VPN-Hub-VPC}]'
    Expected Output:
    {
        "Vpc": {
            "VpcId": "vpc-0a1b2c3d4e5f67890",
            "State": "pending",
            "CidrBlock": "10.0.0.0/16",
            "DhcpOptionsId": "dopt-default",
            "InstanceTenancy": "default",
            "IsDefault": false,
            "Tags": [
                { "Key": "Name", "Value": "VPN-Hub-VPC" }
            ]
        }
    }
    Configuration Parameters:
    • --cidr-block: Defines the IP address range for the VPC. Use a private range that doesn't conflict with your branch offices
    • --tag-specifications: Adds metadata tags for resource identification and billing
    Alternative Options:
    • Use --instance-tenancy dedicated for dedicated hardware (higher cost)
    • Add multiple tags for better organization and cost allocation
    What this creates: This is the foundational network container in AWS that will house your VPN hub infrastructure. The VPC provides isolation and security boundaries for your cloud resources.
  2. Create Internet Gateway
    aws ec2 create-internet-gateway --tag-specifications 'ResourceType=internet-gateway,Tags=[{Key=Name,Value=VPN-Hub-IGW}]'
    Expected Output:
    {
        "InternetGateway": {
            "InternetGatewayId": "igw-0a1b2c3d4e5f67890",
            "State": "available",
            "Tags": [
                { "Key": "Name", "Value": "VPN-Hub-IGW" }
            ],
            "Attachments": []
        }
    }
    Attach Internet Gateway to VPC
    aws ec2 attach-internet-gateway --internet-gateway-id igw-0a1b2c3d4e5f67890 --vpc-id vpc-0a1b2c3d4e5f67890
    Why this step is here: The Internet Gateway gives resources inside the VPC a path to the internet. It is not required for the VPN itself: the Virtual Private Gateway terminates the IPsec tunnels on AWS-managed public endpoints (the OutsideIpAddress values shown later in the VPN connection output), independently of any Internet Gateway attached to the VPC. If the VPC only needs to talk to the branch offices, skip this step and the attach command; a VPC without an Internet Gateway is one less exposure to manage.
  3. Create Customer Gateways
    Each remote location needs a Customer Gateway resource that represents the physical device or software VPN endpoint at that location.

    Customer Gateway 1 (Branch Office 1)

    aws ec2 create-customer-gateway \
        --type ipsec.1 \
        --public-ip 203.0.113.10 \
        --bgp-asn 65001 \
        --tag-specifications 'ResourceType=customer-gateway,Tags=[{Key=Name,Value=Branch-Office-1-CGW}]'
    Expected Output:
    {
        "CustomerGateway": {
            "CustomerGatewayId": "cgw-0a1b2c3d4e5f67890",
            "State": "available",
            "Type": "ipsec.1",
            "IpAddress": "203.0.113.10",
            "BgpAsn": 65001,
            "Tags": [
                { "Key": "Name", "Value": "Branch-Office-1-CGW" }
            ]
        }
    }

    Customer Gateway 2 (Branch Office 2)

    aws ec2 create-customer-gateway \
        --type ipsec.1 \
        --public-ip 203.0.113.20 \
        --bgp-asn 65002 \
        --tag-specifications 'ResourceType=customer-gateway,Tags=[{Key=Name,Value=Branch-Office-2-CGW}]'

    Customer Gateway 3 (Remote Office)

    aws ec2 create-customer-gateway \
        --type ipsec.1 \
        --public-ip 203.0.113.30 \
        --bgp-asn 65003 \
        --tag-specifications 'ResourceType=customer-gateway,Tags=[{Key=Name,Value=Remote-Office-CGW}]'
    Configuration Parameters:
    • --type ipsec.1: Specifies the IPsec VPN type (currently the only supported type)
    • --public-ip: The static, publicly routable IP address of your on-premises VPN device. If the device sits behind NAT, this is the NAT's public address and the device must support NAT traversal (UDP 4500)
    • --bgp-asn: The Autonomous System Number the device uses for its BGP session with AWS
    BGP ASN Options:
    • Use a private ASN (64512-65534 for 16-bit, 4200000000-4294967294 for 32-bit) unless your organisation owns a public one
    • Each Customer Gateway in the Cloud Hub must have a unique ASN. Routes the VGW re-advertises carry the originating site's ASN in the AS path, and BGP loop prevention makes a site drop any route whose path already contains its own ASN, so two sites sharing an ASN would never learn each other's prefixes
    • AWS reserves ASN 7224 in all Regions, plus 9059 in eu-west-1, 10124 in ap-northeast-1 and 17493 in ap-southeast-1; do not assign them to a Customer Gateway
    • AWS uses ASN 64512 by default for the Virtual Private Gateway
    Order importance: Customer Gateways must exist before the VPN connections that reference them. Each represents a physical location that will connect to your AWS VPN hub.
  4. Create Virtual Private Gateway
    aws ec2 create-vpn-gateway \
        --type ipsec.1 \
        --amazon-side-asn 64512 \
        --tag-specifications 'ResourceType=vpn-gateway,Tags=[{Key=Name,Value=VPN-Cloud-Hub}]'
    Expected Output:
    {
        "VpnGateway": {
            "VpnGatewayId": "vgw-0a1b2c3d4e5f67890",
            "State": "pending",
            "Type": "ipsec.1",
            "AmazonSideAsn": 64512,
            "Tags": [
                { "Key": "Name", "Value": "VPN-Cloud-Hub" }
            ]
        }
    }
    Configuration Parameters:
    • --type ipsec.1: VPN gateway type for IPsec connections
    • --amazon-side-asn: ASN for the AWS side of every BGP session terminated on this gateway (default: 64512)
    ASN Considerations:
    • Must be different from every Customer Gateway ASN
    • Must be a private ASN: 64512-65534 (16-bit) or 4200000000-4294967294 (32-bit); public ASNs are not accepted here
    • Cannot be changed after the gateway is created, so settle on it before writing the on-premises BGP configuration; changing it later means a new gateway and new VPN connections
    Core component: The Virtual Private Gateway is the central hub that all Customer Gateways connect to. This is what enables the hub-and-spoke architecture.
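    The ASN and addressing rules in steps 3 and 4 are easy to get wrong, and the mistakes only surface later as BGP sessions that come up yet exchange nothing, or as a site that can reach AWS but not its sibling. The following is an added example (not part of the original guide and not AWS tooling) that checks a planned set of sites before any create command runs: a private Amazon-side ASN, per-site ASNs that are unique, not AWS-reserved and different from the Amazon-side ASN, unique public IPs, and no prefix overlap between sites or with the hub VPC. The Site type, the GUIDE_SITES list and the AWS_RESERVED_ASNS set are this example's own; the site data is constructed to match the architecture diagram above.

```python
"""Pre-flight checks for a VPN Cloud Hub plan (added example, not AWS
tooling). Enforces the constraints from steps 3 and 4 before any
`aws ec2 create-*` call: a private Amazon-side ASN, unique customer
gateway ASNs that are not AWS-reserved and differ from the Amazon-side
ASN, and no overlapping address space between sites or with the hub VPC.
The site list is a constructed sample mirroring the guide's three offices."""
import ipaddress
from dataclasses import dataclass, field
from typing import List

# ASNs AWS reserves on the customer gateway side (Site-to-Site VPN customer
# gateway documentation): 7224 in all Regions, the others Region-specific.
AWS_RESERVED_ASNS = {7224, 9059, 10124, 17493}
# Private ASN ranges (RFC 6996); range() excludes its stop value.
PRIVATE_16 = range(64512, 65535)
PRIVATE_32 = range(4200000000, 4294967295)


@dataclass
class Site:
    name: str
    public_ip: str                                      # --public-ip of the customer gateway
    bgp_asn: int                                        # --bgp-asn of the customer gateway
    prefixes: List[str] = field(default_factory=list)   # what the site will advertise over BGP


def is_private_asn(asn: int) -> bool:
    return asn in PRIVATE_16 or asn in PRIVATE_32


def validate_plan(sites: List[Site], vpc_cidr: str, amazon_asn: int) -> List[str]:
    """Return human-readable problems; an empty list means the plan is safe to build."""
    problems: List[str] = []
    if not is_private_asn(amazon_asn):
        problems.append(f"amazon-side ASN {amazon_asn} must be private "
                        "(64512-65534 or 4200000000-4294967294)")
    asn_owner, ip_owner = {}, {}
    # Every prefix already claimed, starting with the hub VPC itself.
    claimed = [(f"VPC {vpc_cidr}", ipaddress.ip_network(vpc_cidr, strict=True))]
    for s in sites:
        if s.bgp_asn in AWS_RESERVED_ASNS:
            problems.append(f"{s.name}: ASN {s.bgp_asn} is reserved by AWS")
        if s.bgp_asn == amazon_asn:
            problems.append(f"{s.name}: ASN {s.bgp_asn} collides with the amazon-side ASN")
        if s.bgp_asn in asn_owner:
            # BGP loop prevention: a site drops routes whose AS path already holds
            # its own ASN, so two sites sharing an ASN never learn each other.
            problems.append(f"{s.name}: ASN {s.bgp_asn} already used by {asn_owner[s.bgp_asn]}")
        asn_owner.setdefault(s.bgp_asn, s.name)
        if s.public_ip in ip_owner:
            problems.append(f"{s.name}: public IP {s.public_ip} already used by {ip_owner[s.public_ip]}")
        ip_owner.setdefault(s.public_ip, s.name)
        if not is_private_asn(s.bgp_asn):
            problems.append(f"warning: {s.name}: ASN {s.bgp_asn} is public; only use it if you own it")
        for p in s.prefixes:
            try:
                net = ipaddress.ip_network(p, strict=True)
            except ValueError as exc:
                problems.append(f"{s.name}: invalid prefix {p}: {exc}")
                continue
            for label, other in claimed:
                if net.overlaps(other):
                    problems.append(f"{s.name}: {p} overlaps {label}")
            claimed.append((f"{s.name} {p}", net))
    return problems


# Constructed sample matching the guide's architecture diagram.
GUIDE_SITES = [
    Site("Branch-Office-1", "203.0.113.10", 65001, ["192.168.1.0/24"]),
    Site("Branch-Office-2", "203.0.113.20", 65002, ["192.168.2.0/24"]),
    Site("Remote-Office", "203.0.113.30", 65003, ["192.168.3.0/24"]),
]

if __name__ == "__main__":
    for problem in validate_plan(GUIDE_SITES, "10.0.0.0/16", 64512) or ["plan OK"]:
        print(problem)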
  5. Attach Virtual Private Gateway to VPC
    aws ec2 attach-vpn-gateway --vpn-gateway-id vgw-0a1b2c3d4e5f67890 --vpc-id vpc-0a1b2c3d4e5f67890
    Expected Output: { "VpcAttachment": { "State": "attaching", "VpcId": "vpc-0a1b2c3d4e5f67890" } }
    Wait for attachment to complete:
    aws ec2 describe-vpn-gateways --vpn-gateway-ids vgw-0a1b2c3d4e5f67890
    Attachment Process: The VGW attachment process typically takes 1-2 minutes. The state will change from "attaching" to "attached". This attachment is required before creating VPN connections.
  6. Create VPN Connections

    VPN Connection 1 (to Branch Office 1)

    aws ec2 create-vpn-connection \
        --type ipsec.1 \
        --customer-gateway-id cgw-0a1b2c3d4e5f67890 \
        --vpn-gateway-id vgw-0a1b2c3d4e5f67890 \
        --options StaticRoutesOnly=false \
        --tag-specifications 'ResourceType=vpn-connection,Tags=[{Key=Name,Value=Branch-Office-1-VPN}]'
    Expected Output:
    {
        "VpnConnection": {
            "VpnConnectionId": "vpn-0a1b2c3d4e5f67890",
            "State": "pending",
            "CustomerGatewayConfiguration": "...",
            "Type": "ipsec.1",
            "CustomerGatewayId": "cgw-0a1b2c3d4e5f67890",
            "VpnGatewayId": "vgw-0a1b2c3d4e5f67890",
            "Options": {
                "StaticRoutesOnly": false,
                "LocalIpv4NetworkCidr": "0.0.0.0/0",
                "RemoteIpv4NetworkCidr": "0.0.0.0/0"
            },
            "VgwTelemetry": [
                { "OutsideIpAddress": "203.0.113.100", "Status": "DOWN", "AcceptedRouteCount": 0 },
                { "OutsideIpAddress": "203.0.113.101", "Status": "DOWN", "AcceptedRouteCount": 0 }
            ]
        }
    }

    VPN Connection 2 (to Branch Office 2)

    aws ec2 create-vpn-connection \
        --type ipsec.1 \
        --customer-gateway-id cgw-0b2c3d4e5f678901 \
        --vpn-gateway-id vgw-0a1b2c3d4e5f67890 \
        --options StaticRoutesOnly=false \
        --tag-specifications 'ResourceType=vpn-connection,Tags=[{Key=Name,Value=Branch-Office-2-VPN}]'

    VPN Connection 3 (to Remote Office)

    aws ec2 create-vpn-connection \
        --type ipsec.1 \
        --customer-gateway-id cgw-0c3d4e5f67890123 \
        --vpn-gateway-id vgw-0a1b2c3d4e5f67890 \
        --options StaticRoutesOnly=false \
        --tag-specifications 'ResourceType=vpn-connection,Tags=[{Key=Name,Value=Remote-Office-VPN}]'
    Configuration Parameters:
    • --options StaticRoutesOnly=false: Enables BGP dynamic routing (recommended for Cloud Hub)
    • Each VPN connection creates two IPsec tunnels for redundancy, each with its own AWS-side outside IP address and its own pre-shared key
    • CustomerGatewayConfiguration: Contains the XML config for on-premises device setup, including both tunnels' pre-shared keys in plaintext
    Static vs Dynamic Routing:
    • Dynamic (BGP): Routes automatically propagated, supports Cloud Hub
    • Static: Manual route management, limited Cloud Hub functionality
    Connection establishment: Each VPN connection takes 5-10 minutes to become available, and its tunnels stay DOWN until the on-premises device is configured. The CustomerGatewayConfiguration XML contains the settings needed to configure your on-premises VPN devices. Because it also contains the pre-shared keys, anyone allowed to call ec2:DescribeVpnConnections can read them: keep that permission tight, do not commit the XML to source control, and rotate a key with modify-vpn-tunnel-options (PreSharedKey tunnel option) rather than by recreating the connection.
  7. Enable Route Propagation
    Get Route Table ID:
    aws ec2 describe-route-tables --filters "Name=vpc-id,Values=vpc-0a1b2c3d4e5f67890"
    Expected Output:
    {
        "RouteTables": [
            {
                "RouteTableId": "rtb-0a1b2c3d4e5f67890",
                "VpcId": "vpc-0a1b2c3d4e5f67890",
                "Routes": [
                    { "DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active" }
                ],
                "PropagatingVgws": [],
                "Tags": []
            }
        ]
    }
    Enable Route Propagation:
    aws ec2 enable-vgw-route-propagation \
        --route-table-id rtb-0a1b2c3d4e5f67890 \
        --gateway-id vgw-0a1b2c3d4e5f67890
    Route Propagation Benefits:
    • Automatically adds routes learned via BGP to the selected route table, with the VGW as the target
    • Keeps the VPC's view of the branch networks current as sites are added or change
    • Reduces manual route management overhead
    • Gives a quick confirmation that BGP is working: learned prefixes become visible here
    Critical step for VPC access: without propagation (or equivalent static routes), instances in the VPC have no route to the branch networks. Traffic between branch offices does not depend on this table: the VGW forwards it using the BGP routes it learned directly and re-advertises each site's prefixes to the others, which is why a Cloud Hub can operate even with no VPC attached. Propagation is enabled per route table, so repeat the command for every table whose subnets need branch access.
  8. Verify Route Propagation
    aws ec2 describe-route-tables --route-table-ids rtb-0a1b2c3d4e5f67890
    Expected Output (after BGP routes are learned):
    {
        "RouteTables": [
            {
                "RouteTableId": "rtb-0a1b2c3d4e5f67890",
                "Routes": [
                    { "DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active" },
                    { "DestinationCidrBlock": "192.168.1.0/24", "GatewayId": "vgw-0a1b2c3d4e5f67890", "State": "active" },
                    { "DestinationCidrBlock": "192.168.2.0/24", "GatewayId": "vgw-0a1b2c3d4e5f67890", "State": "active" },
                    { "DestinationCidrBlock": "192.168.3.0/24", "GatewayId": "vgw-0a1b2c3d4e5f67890", "State": "active" }
                ],
                "PropagatingVgws": [
                    { "GatewayId": "vgw-0a1b2c3d4e5f67890" }
                ]
            }
        ]
    }
    What to look for: After VPN connections are established and BGP is working, you should see routes for each branch office network (192.168.x.0/24) automatically appear in the route table with the Virtual Private Gateway as the target.
  9. Monitor VPN Connection Status
    aws ec2 describe-vpn-connections --vpn-connection-ids vpn-0a1b2c3d4e5f67890
    Expected Output (when tunnels are UP):
    {
        "VpnConnections": [
            {
                "VpnConnectionId": "vpn-0a1b2c3d4e5f67890",
                "State": "available",
                "VgwTelemetry": [
                    {
                        "OutsideIpAddress": "203.0.113.100",
                        "Status": "UP",
                        "LastStatusChange": "2025-07-02T10:30:00.000Z",
                        "AcceptedRouteCount": 1,
                        "StatusMessage": "IPSEC IS UP"
                    },
                    {
                        "OutsideIpAddress": "203.0.113.101",
                        "Status": "UP",
                        "LastStatusChange": "2025-07-02T10:30:30.000Z",
                        "AcceptedRouteCount": 1,
                        "StatusMessage": "IPSEC IS UP"
                    }
                ]
            }
        ]
    }
    Status Indicators:
    • Status: UP - The IPsec tunnel is established and can pass traffic
    • AcceptedRouteCount > 0 - AWS has accepted BGP prefixes from the device over that tunnel; on a static-route connection it stays 0 even when the tunnel is healthy
    • Both tunnels UP - Full redundancy is available. A single UP tunnel still carries traffic, but AWS performs maintenance on tunnel endpoints and will take one tunnel down at times, so a site with one working tunnel will see outages
  10. Configure Customer Gateway Devices
    Important: Use the CustomerGatewayConfiguration XML from the create-vpn-connection output to configure your on-premises VPN devices. Each device type (Cisco, Juniper, pfSense, etc.) requires specific configuration syntax. The XML, and the file the next command writes, contains both tunnels' pre-shared keys in plaintext: write it somewhere with restrictive permissions, pass it to the device operator over a secure channel, and delete it once the device is configured.
    Get Configuration for Branch Office 1:
    aws ec2 describe-vpn-connections \
        --vpn-connection-ids vpn-0a1b2c3d4e5f67890 \
        --query 'VpnConnections[0].CustomerGatewayConfiguration' \
        --output text > branch-office-1-config.xml
    Example Configuration Section (Generic):
    # Tunnel 1 Configuration
    interface tunnel1
     ip address 169.254.10.1 255.255.255.252
     tunnel source [Your-Public-IP]
     tunnel destination 203.0.113.100
     crypto map aws-vpn-map
    # BGP Configuration
    router bgp 65001
     bgp router-id [Your-Public-IP]
     neighbor 169.254.10.2 remote-as 64512
     neighbor 169.254.10.2 activate
     network 192.168.1.0 mask 255.255.255.0
    # IPsec Configuration
    crypto isakmp policy 1
     encryption aes 128
     hash sha
     authentication pre-share
     group 2
     lifetime 28800
    crypto isakmp key [Pre-Shared-Key] address 203.0.113.100
    crypto ipsec transform-set aws-transform-set esp-aes esp-sha-hmac
     mode tunnel
    crypto map aws-vpn-map 1 ipsec-isakmp
     set peer 203.0.113.100
     set transform-set aws-transform-set
     match address aws-vpn-acl
    Key Configuration Elements:
    • Tunnel Interface: A virtual tunnel interface carrying the 169.254.x.x/30 inside addresses from the XML; the BGP session runs between those inside addresses. AWS Site-to-Site VPN uses IPsec in tunnel mode on a VTI, not GRE
    • BGP Configuration: Establishes dynamic routing with AWS; the neighbor is the AWS inside address and remote-as is the VGW's Amazon-side ASN. Advertise only the prefixes the site owns
    • IPsec Parameters: Encryption and authentication settings. The values in the snippet above (AES-128, SHA-1, DH group 2, IKEv1 main mode) mirror the legacy defaults in AWS's generated templates. Prefer AES-256, SHA-2, DH group 14 or stronger and IKEv2, and pin them on the AWS side with --options TunnelOptions=[...] at creation or modify-vpn-tunnel-options afterwards (Phase1/Phase2 EncryptionAlgorithms, IntegrityAlgorithms, DHGroupNumbers and IKEVersions), so the device cannot negotiate down
    • Pre-shared Key: Authentication secret, unique per tunnel; supply your own through the PreSharedKey tunnel option if you need to control how it is generated or rotated
    Device-Specific Notes:
    • AWS provides configurations for major vendor devices: list them with get-vpn-connection-device-types and render one with get-vpn-connection-device-sample-configuration
    • Always configure both tunnels for redundancy
    • Ensure the local firewall allows IPsec traffic to and from both AWS outside IP addresses: UDP 500 (IKE), UDP 4500 (NAT-T) and IP protocol 50 (ESP)
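    Steps 6 and 10 hand the CustomerGatewayConfiguration XML to whoever configures the devices. Rather than reading it by eye, the added example below (not from the guide and not AWS tooling) parses it, extracts what the device operator needs per tunnel without ever copying out the pre-shared key, and audits each tunnel's IKE and IPsec parameters against a minimum policy. SAMPLE_XML is a constructed document that follows the layout of the generic, vendor-neutral XML describe-vpn-connections returns; its keys are placeholders and its first tunnel deliberately carries the legacy parameters from the snippet above. hardened_tunnel_options returns the TunnelOptions payload, using the AWS CLI's key names, that pins a tunnel to IKEv2, AES-256, SHA-2 and DH group 14 or stronger.

```python
"""Parse a Site-to-Site VPN connection's CustomerGatewayConfiguration XML and
audit each tunnel's IKE/IPsec parameters (added example, not AWS tooling).
Element names follow the generic XML that describe-vpn-connections returns;
SAMPLE_XML is a constructed two-tunnel document with placeholder keys."""
import re
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample: tunnel 1 carries the legacy parameters from the device
# snippet above, tunnel 2 has been pinned to stronger settings.
SAMPLE_XML = """<vpn_connection id="vpn-0a1b2c3d4e5f67890">
  <customer_gateway_id>cgw-0a1b2c3d4e5f67890</customer_gateway_id>
  <vpn_gateway_id>vgw-0a1b2c3d4e5f67890</vpn_gateway_id>
  <ipsec_tunnel>
    <customer_gateway><tunnel_outside_address><ip_address>203.0.113.10</ip_address></tunnel_outside_address>
      <tunnel_inside_address><ip_address>169.254.10.1</ip_address></tunnel_inside_address><bgp><asn>65001</asn></bgp></customer_gateway>
    <vpn_gateway><tunnel_outside_address><ip_address>203.0.113.100</ip_address></tunnel_outside_address>
      <tunnel_inside_address><ip_address>169.254.10.2</ip_address></tunnel_inside_address><bgp><asn>64512</asn></bgp></vpn_gateway>
    <ike><authentication_protocol>sha1</authentication_protocol><encryption_protocol>aes-128-cbc</encryption_protocol>
      <perfect_forward_secrecy>group2</perfect_forward_secrecy><pre_shared_key>PLACEHOLDER-PSK-1</pre_shared_key></ike>
    <ipsec><authentication_protocol>hmac-sha1-96</authentication_protocol><encryption_protocol>aes-128-cbc</encryption_protocol>
      <perfect_forward_secrecy>group2</perfect_forward_secrecy></ipsec>
  </ipsec_tunnel>
  <ipsec_tunnel>
    <customer_gateway><tunnel_outside_address><ip_address>203.0.113.10</ip_address></tunnel_outside_address>
      <tunnel_inside_address><ip_address>169.254.11.1</ip_address></tunnel_inside_address><bgp><asn>65001</asn></bgp></customer_gateway>
    <vpn_gateway><tunnel_outside_address><ip_address>203.0.113.101</ip_address></tunnel_outside_address>
      <tunnel_inside_address><ip_address>169.254.11.2</ip_address></tunnel_inside_address><bgp><asn>64512</asn></bgp></vpn_gateway>
    <ike><authentication_protocol>sha2-256</authentication_protocol><encryption_protocol>aes-256-cbc</encryption_protocol>
      <perfect_forward_secrecy>group14</perfect_forward_secrecy><pre_shared_key>PLACEHOLDER-PSK-2</pre_shared_key></ike>
    <ipsec><authentication_protocol>hmac-sha2-256-128</authentication_protocol><encryption_protocol>aes-256-cbc</encryption_protocol>
      <perfect_forward_secrecy>group14</perfect_forward_secrecy></ipsec>
  </ipsec_tunnel>
</vpn_connection>"""

PHASE_KEYS = ("authentication_protocol", "encryption_protocol", "perfect_forward_secrecy")


def _text(el: ET.Element, path: str) -> str:
    node = el.find(path)
    return (node.text or "").strip() if node is not None else ""


def parse_tunnels(xml_text: str) -> List[Dict]:
    """One dict per <ipsec_tunnel>. The pre-shared key is not copied out; only
    its length is kept, so reports built from this never carry the secret."""
    tunnels = []
    for t in ET.fromstring(xml_text).findall("ipsec_tunnel"):
        info = {
            "vgw_outside": _text(t, "vpn_gateway/tunnel_outside_address/ip_address"),
            "inside_local": _text(t, "customer_gateway/tunnel_inside_address/ip_address"),
            "inside_peer": _text(t, "vpn_gateway/tunnel_inside_address/ip_address"),
            "cgw_asn": int(_text(t, "customer_gateway/bgp/asn")),
            "vgw_asn": int(_text(t, "vpn_gateway/bgp/asn")),
            "psk_length": len(_text(t, "ike/pre_shared_key")),
        }
        for phase in ("ike", "ipsec"):
            info[phase] = {k: _text(t, f"{phase}/{k}") for k in PHASE_KEYS}
        tunnels.append(info)
    return tunnels


def _number(value: str, pattern: str) -> int:
    m = re.search(pattern, value)
    return int(m.group(1)) if m else 0


def audit_tunnel(t: Dict, min_dh_group: int = 14, min_key_bits: int = 256) -> List[str]:
    """Findings for one tunnel against the policy; an empty list means it complies."""
    findings = []
    for phase in ("ike", "ipsec"):
        auth, enc, pfs = (t[phase][k] for k in PHASE_KEYS)
        if "sha1" in auth.lower():
            findings.append(f"{phase}: SHA-1 integrity ({auth})")
        if _number(enc, r"(\d{3})") < min_key_bits:      # aes-128-cbc -> 128
            findings.append(f"{phase}: cipher {enc} below {min_key_bits}-bit")
        if _number(pfs, r"(\d+)") < min_dh_group:        # group2 -> 2
            findings.append(f"{phase}: DH {pfs} below group {min_dh_group}")
    if t["psk_length"] < 8:
        findings.append("ike: pre-shared key shorter than 8 characters")
    return findings


def hardened_tunnel_options() -> Dict:
    """TunnelOptions payload (AWS CLI key names) for modify-vpn-tunnel-options
    --tunnel-options, pinning IKEv2, AES-256, SHA-2 and DH group 14 or stronger."""
    aes256 = [{"Value": "AES256"}, {"Value": "AES256-GCM-16"}]
    sha2 = [{"Value": "SHA2-256"}, {"Value": "SHA2-384"}]
    dh = [{"Value": 14}, {"Value": 19}, {"Value": 20}]
    return {"IKEVersions": [{"Value": "ikev2"}],
            "Phase1EncryptionAlgorithms": aes256, "Phase2EncryptionAlgorithms": aes256,
            "Phase1IntegrityAlgorithms": sha2, "Phase2IntegrityAlgorithms": sha2,
            "Phase1DHGroupNumbers": dh, "Phase2DHGroupNumbers": dh}


if __name__ == "__main__":
    xml_text = SAMPLE_XML if sys.stdin.isatty() else sys.stdin.read()  # or pipe real XML in
    for i, tunnel in enumerate(parse_tunnels(xml_text), 1):
        print(f"tunnel {i}: peer {tunnel['vgw_outside']}, inside {tunnel['inside_local']}->{tunnel['inside_peer']}")
        print("   ", audit_tunnel(tunnel) or "policy OK")
```

    To run it against a real connection, pipe the output of the describe-vpn-connections command above (the --query/--output text form) into the script instead of saving it to a file; the script never echoes the key, so its output can go into a ticket. The key names in hardened_tunnel_options are the ones the AWS CLI accepts; pass the dict as JSON to modify-vpn-tunnel-options --tunnel-options together with --vpn-tunnel-outside-ip-address for each tunnel.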

Advanced Configuration Options

Custom Route Table Configuration

# Create custom route table for specific subnets
aws ec2 create-route-table \
    --vpc-id vpc-0a1b2c3d4e5f67890 \
    --tag-specifications 'ResourceType=route-table,Tags=[{Key=Name,Value=VPN-Hub-Custom-RT}]'

# Associate with subnet
aws ec2 associate-route-table \
    --route-table-id rtb-0b2c3d4e5f678901 \
    --subnet-id subnet-0a1b2c3d4e5f67890

# Enable route propagation on custom table
aws ec2 enable-vgw-route-propagation \
    --route-table-id rtb-0b2c3d4e5f678901 \
    --gateway-id vgw-0a1b2c3d4e5f67890
Use Case: Custom route tables give you control over which subnets have a route to the branch offices: a subnet whose route table does not propagate the VGW has no path to them. This is useful for segmentation, for example limiting VPN reachability to the subnets that host the services branches actually need. Treat it as a routing boundary rather than an access control: resources in a VPN-reachable subnet still need security groups and network ACLs that restrict which branch prefixes and ports may talk to them, and the branch devices decide what they advertise and what they let through.

Static Route Configuration (Alternative to BGP)

# Create VPN connection with static routing
aws ec2 create-vpn-connection \
    --type ipsec.1 \
    --customer-gateway-id cgw-0a1b2c3d4e5f67890 \
    --vpn-gateway-id vgw-0a1b2c3d4e5f67890 \
    --options StaticRoutesOnly=true \
    --tag-specifications 'Resource Type=vpn-connection,Tags=[{Key=Name,Value=Static-VPN}]'

# Add static routes to VPN connection
aws ec2 create-vpn-connection-route \
    --vpn-connection-id vpn-0a1b2c3d4e5f67890 \
    --destination-cidr-block 192.168.1.0/24

# Manually add routes to route table
aws ec2 create-route \
    --route-table-id rtb-0a1b2c3d4e5f67890 \
    --destination-cidr-block 192.168.1.0/24 \
    --gateway-id vgw-0a1b2c3d4e5f67890
Static Routing Considerations:

Troubleshooting and Monitoring

Common Issues and Solutions

graph TD
    A[VPN Connection Issues] --> B{Tunnel Status?}
    B -->|DOWN| C[Check Customer Gateway Config]
    B -->|UP| D{BGP Status?}
    C --> E[Verify Pre-shared Keys]
    C --> F[Check Firewall Rules]
    C --> G[Validate IPsec Parameters]
    D -->|Not Established| H[Check BGP Configuration]
    D -->|Established| I{Route Propagation?}
    H --> J[Verify ASN Numbers]
    H --> K[Check Network Advertisements]
    I -->|Disabled| L[Enable Route Propagation]
    I -->|Enabled| M[Check Route Tables]
    style A fill:#ff6b35
    style C fill:#74b9ff
    style H fill:#a8e6cf
    style L fill:#fd79a8
Troubleshooting Flow: This decision tree helps identify and resolve common VPN Cloud Hub issues. Start by checking tunnel status, then BGP establishment, and finally route propagation. Each path leads to specific configuration items to verify and correct.
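To make the decision tree mechanical, the added example below (not from the guide and not AWS tooling) walks saved output from describe-vpn-connections and describe-route-tables and emits the tree's verdicts for each connection and route table: a tunnel that is not UP, a tunnel that is UP but has accepted no BGP routes, a connection down to a single tunnel, propagation disabled, or an expected site prefix missing from the table. It also covers the verification in steps 8 and 9. SAMPLE_VPN and SAMPLE_ROUTE_TABLES are constructed in the shape of those commands' JSON output (one healthy connection, one with a tunnel down, one with both tunnels up but no routes, and a route table missing one site); VGW_ID and EXPECTED_PREFIXES are this example's own constants, matching the guide's identifiers.

```python
"""Apply the troubleshooting decision tree to describe-vpn-connections and
describe-route-tables output (added example, not AWS tooling). The two
documents below are constructed samples in the shape those commands return:
one healthy connection, one with a tunnel DOWN, one with both tunnels UP but
no BGP routes, and a route table that is missing one site's prefix."""
import json
import sys
from typing import Dict, List

VGW_ID = "vgw-0a1b2c3d4e5f67890"
EXPECTED_PREFIXES = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]


def _tunnel(ip: str, status: str, routes: int, msg: str) -> Dict:
    return {"OutsideIpAddress": ip, "Status": status, "AcceptedRouteCount": routes, "StatusMessage": msg}


SAMPLE_VPN = {"VpnConnections": [
    {"VpnConnectionId": "vpn-0a1b2c3d4e5f67890", "State": "available", "VgwTelemetry": [
        _tunnel("203.0.113.100", "UP", 1, "IPSEC IS UP"), _tunnel("203.0.113.101", "UP", 1, "IPSEC IS UP")]},
    {"VpnConnectionId": "vpn-0b2c3d4e5f678901", "State": "available", "VgwTelemetry": [
        _tunnel("203.0.113.102", "UP", 1, "IPSEC IS UP"), _tunnel("203.0.113.103", "DOWN", 0, "IPSEC IS DOWN")]},
    {"VpnConnectionId": "vpn-0c3d4e5f67890123", "State": "available", "VgwTelemetry": [
        _tunnel("203.0.113.104", "UP", 0, "IPSEC IS UP"), _tunnel("203.0.113.105", "UP", 0, "IPSEC IS UP")]},
]}
SAMPLE_ROUTE_TABLES = {"RouteTables": [{
    "RouteTableId": "rtb-0a1b2c3d4e5f67890", "VpcId": "vpc-0a1b2c3d4e5f67890",
    "PropagatingVgws": [{"GatewayId": VGW_ID}],
    "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
               {"DestinationCidrBlock": "192.168.1.0/24", "GatewayId": VGW_ID, "State": "active"},
               {"DestinationCidrBlock": "192.168.2.0/24", "GatewayId": VGW_ID, "State": "active"}]}]}


def diagnose_connection(conn: Dict) -> List[str]:
    """Tunnel status first, then BGP, in the order the decision tree checks them."""
    findings = []
    tunnels = conn.get("VgwTelemetry", [])
    for t in tunnels:
        ip, status = t.get("OutsideIpAddress"), t.get("Status")
        if status != "UP":
            findings.append(f"tunnel {ip} {status} ({t.get('StatusMessage', '')}): check the pre-shared key, "
                            "the IKE/IPsec parameters, and that the on-premises firewall passes "
                            "UDP 500, UDP 4500 and ESP to and from this address")
        elif t.get("AcceptedRouteCount", 0) == 0:
            findings.append(f"tunnel {ip} UP but 0 accepted routes: BGP is not exchanging prefixes, "
                            "check the ASNs, the 169.254.x.x neighbor addresses and the network statements")
    if len(tunnels) == 2 and sum(t.get("Status") == "UP" for t in tunnels) == 1:
        findings.append("only one tunnel UP: traffic flows but there is no redundancy")
    return findings


def diagnose_route_table(rt: Dict, vgw_id: str, expected: List[str]) -> List[str]:
    """Propagation enabled? Then every expected site prefix present and active?"""
    rtb = rt.get("RouteTableId")
    if not any(g.get("GatewayId") == vgw_id for g in rt.get("PropagatingVgws", [])):
        return [f"{rtb}: propagation from {vgw_id} is disabled, run enable-vgw-route-propagation"]
    present = {r.get("DestinationCidrBlock") for r in rt.get("Routes", [])
               if r.get("GatewayId") == vgw_id and r.get("State") == "active"}
    return [f"{rtb}: {p} not propagated (site not advertising it, or its tunnels are down)"
            for p in expected if p not in present]


def diagnose(vpn_out: Dict, rt_out: Dict, vgw_id: str, expected: List[str]) -> Dict[str, List[str]]:
    report = {c["VpnConnectionId"]: diagnose_connection(c) for c in vpn_out.get("VpnConnections", [])}
    for rt in rt_out.get("RouteTables", []):
        report[rt["RouteTableId"]] = diagnose_route_table(rt, vgw_id, expected)
    return report


if __name__ == "__main__":
    # Usage: python3 cloudhub_diag.py vpn.json rtb.json (saved describe-* output);
    # with no arguments the constructed samples are used.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f1, open(sys.argv[2]) as f2:
            vpn_out, rt_out = json.load(f1), json.load(f2)
    else:
        vpn_out, rt_out = SAMPLE_VPN, SAMPLE_ROUTE_TABLES
    for resource, findings in diagnose(vpn_out, rt_out, VGW_ID, EXPECTED_PREFIXES).items():
        print(resource, "OK" if not findings else "")
        for finding in findings:
            print("  -", finding)
```

Save the output of `aws ec2 describe-vpn-connections` and `aws ec2 describe-route-tables --filters "Name=vpc-id,Values=..."` to two files and pass them as arguments; the report lists one entry per connection and per route table, empty when nothing in the tree applies.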

Monitoring Commands

# Check all VPN connections status
aws ec2 describe-vpn-connections \
    --query 'VpnConnections[*].[VpnConnectionId,State,VgwTelemetry[*].[OutsideIpAddress,Status,AcceptedRouteCount]]' \
    --output table

# Monitor route propagation
aws ec2 describe-route-tables \
    --filters "Name=vpc-id,Values=vpc-0a1b2c3d4e5f67890" \
    --query 'RouteTables[*].Routes[?GatewayId==`vgw-0a1b2c3d4e5f67890`].[DestinationCidrBlock,State]' \
    --output table

# List the static routes configured on a connection. BGP-learned prefixes do
# not appear here: for those, use AcceptedRouteCount above and the propagated
# routes in the route table.
aws ec2 describe-vpn-connections \
    --vpn-connection-ids vpn-0a1b2c3d4e5f67890 \
    --query 'VpnConnections[0].Routes[*].[DestinationCidrBlock,State,Source]' \
    --output table
Monitoring Best Practices:

Security Best Practices

Security Recommendations:

Cost Optimization

# Estimate monthly costs (list prices vary by Region; confirm on the pricing page)
# VPN Connection: $36/month per connection
# Data Transfer: $0.09/GB outbound from AWS
# Virtual Private Gateway: No additional charge
# Example calculation for 3 branch offices:
# 3 VPN connections × $36 = $108/month
# + Data transfer costs based on usage. Traffic between branch offices
#   enters AWS on one tunnel and leaves on another, so it is billed at the
#   outbound rate as well.
Cost Factors:

Conclusion

AWS VPN Cloud Hub provides a scalable, secure, and cost-effective solution for connecting multiple remote locations. The hub-and-spoke architecture eliminates the need for complex mesh VPN configurations while providing centralized management and monitoring capabilities.

Key benefits include:

Important Notes: