caldwell2000

2 years ago

VPN over a Private Virtual Interface?

Can anyone help me understand how you can create a VPN over a public virtual interface between regions? I'm having trouble with the "And use VPN over the public VIF" statement.

Q: You are excited that your company has just purchased a Direct Connect link from AWS as everything you now do on AWS should be much faster and more reliable. Your company is based in Sydney, Australia so obviously the Direct Connect Link to AWS will go into the Asia Pacific (Sydney) region. Your first job after the new link purchase is to create a multi-region design across the Asia Pacific (Sydney) region and the US West (N. California) region. You soon discover that all the infrastructure you deploy in the Asia Pacific (Sydney) region is extremely fast and reliable, however the infrastructure you deploy in the US West (N. California) region is much slower and unreliable. Which of the following would be the best option to make the US West (N. California) region a more reliable connection?

Correct answer

Create a public virtual interface to the US West region's public end points and use VPN over the public virtual interface to protect the data.

derekm1215
2 years ago
Public VIFs allow you to connect to your VPC VPN endpoints and communicate between the regions securely and more reliably. This is similar to configuring a network between two datacenters and configuring a VPN over that.
caldwell2000
2 years ago
Thanks Derek. I understand that very well, but I don't get the part where the answer suggests "and VPN over the public VIF". Does that make sense to you? You generally use VPN only when connecting from your on-premises location to a VPC. I could see maybe using IPSec, but not VPN over a VIF.
derekm1215
2 years ago
You could go about this two ways. You can use a Private VIF which would give you direct access to your resources, but not to things like S3 and Glacier. You need the Public VIF to connect to those. Since you also need to have access to your infrastructure in your VPC, you could either have a Private VIF, or just configure a VPN over the Public VIF. This is the simplest and most secure option to get all of your resources.

https://aws.amazon.com/premiumsupport/knowledge-center/public-private-interface-dx/

https://aws.amazon.com/premiumsupport/knowledge-center/create-vpn-direct-connect/

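The design Derek describes, written out as an added Terraform example (not from this thread or from AWS's knowledge-center articles): a public VIF on the Sydney Direct Connect connection, a virtual private gateway attached to the US West (N. California) VPC, and a Site-to-Site VPN whose IPsec tunnels ride over the public VIF instead of the internet. Direct Connect itself does not encrypt traffic, so the IPsec tunnel is what actually "protects the data" in the quiz answer. Every ID, IP address, ASN and prefix below is a placeholder to replace with your own values.

```hcl
# Added example: Direct Connect public VIF (Sydney) + Site-to-Site VPN
# terminating on a VGW in N. California. All IDs/IPs/ASNs are placeholders.

provider "aws" {
  alias  = "sydney"
  region = "ap-southeast-2"
}

provider "aws" {
  alias  = "california"
  region = "us-west-1"
}

# 1. Public VIF on the existing Direct Connect connection in Sydney.
#    A public VIF carries AWS public address space from every region,
#    which covers S3, Glacier and the public tunnel endpoints of a VPN.
resource "aws_dx_public_virtual_interface" "public" {
  provider         = aws.sydney
  connection_id    = "dxcon-EXAMPLE"        # placeholder DX connection ID
  name             = "public-vif-to-aws"
  vlan             = 101
  address_family   = "ipv4"
  bgp_asn          = 65000                  # placeholder on-premises ASN
  customer_address = "203.0.113.1/30"       # RFC 5737 documentation range
  amazon_address   = "203.0.113.2/30"

  # Public prefixes you own and advertise to AWS over BGP.
  # The customer gateway's public IP must fall inside one of them.
  route_filter_prefixes = ["198.51.100.0/24"]
}

# 2. Virtual private gateway attached to the US West VPC.
resource "aws_vpn_gateway" "uswest" {
  provider = aws.california
  vpc_id   = "vpc-EXAMPLE"                  # placeholder US West VPC ID
}

# 3. Customer gateway: your on-premises VPN device, reachable from AWS
#    through the prefix advertised on the public VIF.
resource "aws_customer_gateway" "onprem" {
  provider   = aws.california
  bgp_asn    = 65000
  ip_address = "198.51.100.10"              # placeholder, inside the advertised prefix
  type       = "ipsec.1"
}

# 4. The IPsec tunnels. Direct Connect is a private circuit, not an
#    encrypted one; this VPN is what gives the traffic confidentiality.
resource "aws_vpn_connection" "uswest" {
  provider            = aws.california
  vpn_gateway_id      = aws_vpn_gateway.uswest.id
  customer_gateway_id = aws_customer_gateway.onprem.id
  type                = "ipsec.1"
  static_routes_only  = false               # run BGP inside the tunnel
}

# AWS-side tunnel endpoints. Your router should reach these via the
# public VIF (they are AWS public IPs), not via its internet uplink.
output "tunnel_outside_addresses" {
  value = [
    aws_vpn_connection.uswest.tunnel1_address,
    aws_vpn_connection.uswest.tunnel2_address,
  ]
}
```

One check worth doing after `terraform apply`: confirm on the on-premises router that the two tunnel outside addresses are reached through the Direct Connect BGP session rather than the default internet route, otherwise the VPN still works but you lose the latency and reliability benefit the question is asking about.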
caldwell2000
2 years ago
Thanks Derek. Appreciate the quick response.