Which permission needs to be assigned to a user to be able to connect to a vpn connection?

AWS uses security credentials to identify you and to grant you access to your AWS resources. You can use features of AWS Identity and Access Management (IAM) to allow other users, services, and applications to use your AWS resources fully or in a limited way, without sharing your security credentials.

By default, IAM users don't have permission to create, view, or modify AWS resources. To allow an IAM user to access resources, such as a Client VPN endpoint, and perform tasks, you must create an IAM policy. This policy must grant the IAM user permission to use the specific resources and API actions they need. Then, attach the policy to the IAM user or the group to which the IAM user belongs. When you attach a policy to a user or group of users, it allows or denies the users permission to perform the specified tasks on the specified resources.

For example, the following policy enables read-only access. Users can view Client VPN endpoints and their components, but they cannot create, modify, or delete them.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeClientVpnRoutes",
                "ec2:DescribeClientVpnAuthorizationRules",
                "ec2:DescribeClientVpnConnections",
                "ec2:DescribeClientVpnTargetNetworks",
                "ec2:DescribeClientVpnEndpoints"
            ],
            "Resource": "*"
        }
    ]
}

You can also use resource-level permissions to restrict what resources users can use when they invoke Client VPN actions. For example, the following policy allows users to work with Client VPN endpoints, but only if the Client VPN endpoint has the tag purpose=test.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteClientVpnEndpoint",
                "ec2:ModifyClientVpnEndpoint",
                "ec2:AssociateClientVpnTargetNetwork",
                "ec2:DisassociateClientVpnTargetNetwork",
                "ec2:ApplySecurityGroupsToClientVpnTargetNetwork",
                "ec2:AuthorizeClientVpnIngress",
                "ec2:CreateClientVpnRoute",
                "ec2:DeleteClientVpnRoute",
                "ec2:RevokeClientVpnIngress"
            ],
            "Resource": "arn:aws:ec2:*:*:client-vpn-endpoint/*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/purpose": "test"
                }
            }
        }
    ]
}

For more information about IAM, see the IAM User Guide. For a list of Amazon EC2 actions, including Client VPN actions, see Actions, Resources, and Condition Keys for Amazon EC2 in the IAM User Guide.
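To see how the tag-scoped policy above behaves before attaching it, the following added Python example (not code from the AWS documentation) evaluates requests against a policy of that shape with a deliberately minimal model of IAM evaluation: explicit Deny wins, otherwise any matching Allow, otherwise implicit deny. The only condition operator it models is the StringEquals on ec2:ResourceTag/<key> used in the policy; the policy, endpoint ARN and tags are constructed samples.

```python
import fnmatch

# Constructed policy with the same shape as the tag-scoped Client VPN policy above.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:ModifyClientVpnEndpoint", "ec2:DeleteClientVpnEndpoint"],
        "Resource": "arn:aws:ec2:*:*:client-vpn-endpoint/*",
        "Condition": {"StringEquals": {"ec2:ResourceTag/purpose": "test"}},
    }],
}
# Constructed sample ARN (111122223333 is the usual documentation placeholder account ID).
ENDPOINT_ARN = "arn:aws:ec2:us-east-1:111122223333:client-vpn-endpoint/cvpn-endpoint-0123456789abcdef0"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, resource_tags):
    """Evaluate the only operator/key the policy uses: StringEquals on ec2:ResourceTag/<key>."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"condition operator {operator} not modelled")
        for key, expected in pairs.items():
            if not key.startswith("ec2:ResourceTag/"):
                raise NotImplementedError(f"condition key {key} not modelled")
            if resource_tags.get(key.split("/", 1)[1]) != expected:
                return False
    return True


def is_allowed(policy, action, resource_arn, resource_tags):
    """Simplified IAM logic: explicit Deny wins, otherwise any matching Allow, otherwise implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; the '*' and '?' wildcards map onto fnmatch.
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), resource_tags):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```

An endpoint tagged purpose=prod, an untagged endpoint, a Describe action the policy never lists, and a non-endpoint ARN all fall through to the implicit deny.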

Q: What are the VPN connectivity options for my VPC?

A: You may connect your VPC to your corporate data center using a Hardware VPN connection via the virtual private gateway.

Q: How do instances without public IP addresses access the Internet?

A: Instances without public IP addresses can access the Internet in one of two ways:

Instances without public IP addresses can route their traffic through a network address translation (NAT) gateway or a NAT instance to access the internet. These instances use the public IP address of the NAT gateway or NAT instance to traverse the internet. The NAT gateway or NAT instance allows outbound communication but doesn’t allow machines on the internet to initiate a connection to the privately addressed instances.

For VPCs with a hardware VPN connection or Direct Connect connection, instances can route their Internet traffic down the virtual private gateway to your existing datacenter. From there, it can access the Internet via your existing egress points and network security/monitoring devices.

Q: How does an AWS Site-to-Site VPN connection work with Amazon VPC?

A: An AWS Site-to-Site VPN connection connects your VPC to your datacenter. Amazon supports Internet Protocol security (IPsec) VPN connections. Data transferred between your VPC and datacenter routes over an encrypted VPN connection to help maintain the confidentiality and integrity of data in transit. An Internet gateway is not required to establish a Site-to-Site VPN connection.

Q: What is IPSec?

A: IPsec is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream.

Q: Which customer gateway devices can I use to connect to Amazon VPC?

A: You can create two types of AWS Site-to-Site VPN connections: statically routed VPN connections and dynamically routed VPN connections. Customer gateway devices supporting statically routed VPN connections must be able to:

Establish IKE Security Association using Pre-Shared Keys

Establish IPsec Security Associations in Tunnel mode

Utilize the AES 128-bit, 256-bit, 128-bit-GCM-16, or 256-GCM-16 encryption function

Utilize the SHA-1, SHA-2 (256), SHA-2 (384) or SHA-2 (512) hashing function

Utilize Diffie-Hellman (DH) Perfect Forward Secrecy in "Group 2" mode, or one of the additional DH groups we support

Perform packet fragmentation prior to encryption

In addition to the above capabilities, devices supporting dynamically-routed Site-to-Site VPN connections must be able to:

Establish Border Gateway Protocol (BGP) peering

Bind tunnels to logical interfaces (route-based VPN)

Utilize IPsec Dead Peer Detection

Q: Which Diffie-Hellman groups do you support?

A: We support the following Diffie-Hellman (DH) groups in Phase 1 and Phase 2.

Phase 1 DH groups 2, 14-24.

Phase 2 DH groups 2, 5, 14-24.

Q: What algorithms does AWS propose when an IKE rekey is needed?

A: By default, the VPN endpoint on the AWS side will propose AES-128, SHA-1 and DH group 2. If you would like a specific proposal for rekey, we recommend that you use Modify VPN Tunnel Options to restrict the tunnel options to the specific VPN parameters you require.
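The following added Python example (not AWS code) turns the supported parameter lists above (encryption functions, hashing functions, Phase 1 and Phase 2 DH groups) and the AWS rekey default into a small audit of what a tunnel can negotiate, so that an unrestricted tunnel is visibly reported as able to rekey to SHA-1 and DH group 2. The dict shape of the options and the choice of which values count as legacy are assumptions of the example, not the AWS API's field names or a statement from the page.

```python
# Parameter sets stated on this page for AWS Site-to-Site VPN, as constructed lookup tables.
SUPPORTED_ENCRYPTION = {"AES128", "AES256", "AES128-GCM-16", "AES256-GCM-16"}
SUPPORTED_INTEGRITY = {"SHA1", "SHA2-256", "SHA2-384", "SHA2-512"}
SUPPORTED_DH = {1: {2, *range(14, 25)}, 2: {2, 5, *range(14, 25)}}
# What the AWS side proposes on rekey when tunnel options are left unrestricted (page statement).
AWS_REKEY_DEFAULT = {"encryption": {"AES128"}, "integrity": {"SHA1"}, "dh_group": {2}}
# Values a hardening baseline would treat as legacy: an assumption of this example, not a page statement.
LEGACY = {"encryption": set(), "integrity": {"SHA1"}, "dh_group": {2, 5}}

SUPPORTED = {"encryption": SUPPORTED_ENCRYPTION, "integrity": SUPPORTED_INTEGRITY}


def audit_tunnel_options(phase, options=None):
    """Return findings as (kind, parameter, value) tuples for the proposals a tunnel may negotiate.

    phase   -- 1 (IKE SA) or 2 (IPsec SA); DH group support differs between the two phases.
    options -- dict of allowed value sets per parameter, e.g. {"dh_group": {14, 19}} (assumed
               shape); any parameter left out, or options=None, falls back to the AWS rekey default.
    kind is "unsupported" (AWS will never negotiate it) or "legacy" (negotiable but weak).
    """
    if phase not in SUPPORTED_DH:
        raise ValueError("phase must be 1 or 2")
    supported = dict(SUPPORTED, dh_group=SUPPORTED_DH[phase])
    findings = []
    for param, default in AWS_REKEY_DEFAULT.items():
        allowed = (options or {}).get(param) or default
        for value in sorted(allowed, key=str):
            if value not in supported[param]:
                findings.append(("unsupported", param, value))
            elif value in LEGACY[param]:
                findings.append(("legacy", param, value))
    return findings


def is_hardened(phase, options=None):
    """True when every value the tunnel may negotiate is supported and none is legacy."""
    return not audit_tunnel_options(phase, options)


if __name__ == "__main__":
    for finding in audit_tunnel_options(1):
        print("unrestricted tunnel:", *finding)
    restricted = {"encryption": {"AES256-GCM-16"}, "integrity": {"SHA2-256"}, "dh_group": {14, 19, 20}}
    print("restricted tunnel hardened:", is_hardened(1, restricted))
```

Note the phase split: DH group 5 is reported as unsupported for Phase 1 but merely legacy for Phase 2, matching the two group lists above.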

Q: What customer gateway devices are known to work with Amazon VPC?

A: In the network administrator guide, you will find a list of devices that meet the aforementioned requirements, are known to work with hardware VPN connections, and are supported by the command line tools for automatic generation of configuration files appropriate for your device.

Q: If my device is not listed, where can I go for more information about using it with Amazon VPC?

A: We recommend checking the Amazon VPC forum as other customers may be already using your device.

Q: What is the approximate maximum throughput of a Site-to-Site VPN connection?

A: Each AWS Site-to-Site VPN connection has two tunnels and each tunnel supports a maximum throughput of up to 1.25 Gbps. If your VPN connection is to a Virtual Private Gateway, aggregated throughput limits would apply.

Q: Is there an aggregated throughput limit for Virtual Private Gateway?

A: Virtual Private Gateway has an aggregate throughput limit per connection type. Multiple VPN connections to the same Virtual Private Gateway are bound by an aggregate throughput limit from AWS to on-premises of up to 1.25 Gbps. For an AWS Direct Connect connection on a Virtual Private Gateway, the throughput is bound by the Direct Connect physical port itself. To connect to multiple VPCs and achieve higher throughput limits, use AWS Transit Gateway.

Q: What factors affect the throughput of my VPN connection?

A: VPN connection throughput can depend on multiple factors, such as the capability of your customer gateway, the capacity of your connection, average packet size, the protocol being used, TCP vs. UDP, and the network latency between your customer gateway and the virtual private gateway.

Q: What is the approximate maximum packets per second of a Site-to-Site VPN connection?

A: Each AWS Site-to-Site VPN connection has two tunnels, and each tunnel supports a maximum of up to 140,000 packets per second.

Q: What tools are available to me to help troubleshoot my Site-to-Site VPN configuration?

A: The DescribeVPNConnection API displays the status of the VPN connection, including the state ("up"/"down") of each VPN tunnel and corresponding error messages if either tunnel is "down". This information is also displayed in the AWS Management Console.

Q: How do I connect a VPC to my corporate datacenter?

A: Establishing a hardware VPN connection between your existing network and Amazon VPC allows you to interact with Amazon EC2 instances within a VPC as if they were within your existing network. AWS does not perform network address translation (NAT) on Amazon EC2 instances within a VPC accessed via a hardware VPN connection.

Q: Can I NAT my customer gateway behind a router or firewall?

A: You will use the public IP address of your NAT device.

Q: What IP address do I use for my customer gateway address?

A: You will use the public IP address of your NAT device.

Q: How do I disable NAT-T on my connection?

A: You will need to disable NAT-T on your device. If you don’t plan on using NAT-T and it is not disabled on your device, we will attempt to establish a tunnel over UDP port 4500. If that port is not open the tunnel will not establish.

Q: I would like to have multiple customer gateways behind a NAT, what do I need to do to configure that?

A: You will need to disable NAT-T on your device. If you don’t plan on using NAT-T and it is not disabled on your device, we will attempt to establish a tunnel over UDP port 4500. If that port is not open the tunnel will not establish.

Q: How many IPsec security associations can be established concurrently per tunnel?

A: The AWS VPN service is a route-based solution, so when using a route-based configuration you will not run into SA limitations. If, however, you are using a policy-based solution, you will need to limit it to a single SA, as the service is route-based.

Q: Can I advertise my VPC public IP address range to the internet and route the traffic through my datacenter, via the Site-to-Site VPN, and to my VPC?

A: Yes, you can route traffic via the VPN connection and advertise the address range from your home network.

Q: What is the maximum number of routes that my VPN connection will advertise to my customer gateway device?

A: Your VPN connection will advertise a maximum of 1,000 routes to the customer gateway device. For VPNs on a Virtual Private Gateway, advertised route sources include VPC routes, other VPN routes, and routes from DX Virtual Interfaces. For VPNs on an AWS Transit Gateway, advertised routes come from the route table associated with the VPN attachment. If more than 1,000 routes are sent, only a subset of 1,000 will be advertised.

Q: What is the maximum number of routes that can be advertised to my VPN connection from my customer gateway device?

A: You can advertise a maximum of 100 routes to your Site-to-Site VPN connection on a virtual private gateway from your customer gateway device or a maximum of 1000 routes to your Site-to-Site VPN connection on an AWS Transit Gateway. For a VPN connection with Static routes, you will not be able to add more than 100 static routes. For a VPN connection with BGP, the BGP session will reset if you attempt to advertise more than the maximum for the gateway type.

Q: Do VPN connections support IPv6 traffic?

A: Yes. VPN connections to an AWS Transit Gateway can support either IPv4 or IPv6 traffic which can be selected while creating a new VPN connection. To select IPv6 for VPN traffic, set the VPN tunnel option for Inside IP Version to IPv6. Note that tunnel endpoint and Customer Gateway IP addresses are IPv4 only.

Q: Which side of the VPN tunnel initiates the Internet Key Exchange (IKE) session?

A: By default your Customer Gateway (CGW) must initiate IKE. Alternatively, the AWS VPN endpoints can initiate by enabling the appropriate options.

Q: Do VPN connections support private IP addresses?

A: Yes. Private IP Site-to-Site VPN feature allows you to deploy VPN connections to an AWS Transit Gateway using private IP addresses. Private IP VPN works over an AWS Direct Connect transit virtual interface (VIF). You can select private IP addresses as your outside tunnel IP addresses while creating a new VPN connection. Note that tunnel endpoint and Customer Gateway IP addresses are IPv4 only.

Q: Are there any differences between public and private IP VPN protocol interactions?

A: No, the IPSec encryption and key exchange work the same way for private IP Site-to-site VPN connections as public IP VPN connections.

Q: Do I require a Transit gateway for Private IP VPN?

A: Yes, you need a Transit gateway to deploy private IP VPN connections. Also, a private IP VPN attachment on Transit Gateway requires a Direct Connect attachment for transport. You need to specify a Direct Connect attachment id while configuring a private IP VPN connection to a Transit gateway. Multiple private IP VPN connections can use the same Direct Connect attachment for transport.

Q: Do private IP VPNs support static routing and BGP?

A: Yes, private IP VPNs support static routing as well as dynamic routing using BGP. If your customer gateway device supports Border Gateway Protocol (BGP), specify dynamic routing when you configure your Site-to-Site VPN connection. If your customer gateway device does not support BGP, specify static routing. We recommend that you use BGP capable devices, when available, because the BGP protocol offers robust liveness detection checks that can assist failover to the second VPN tunnel if the first tunnel goes down.

Q: What is the Transit gateway route-table association and propagation behavior for the private IP VPN attachments?

A: The route-table association and propagation behavior for a private IP VPN attachment is the same as any other Transit gateway attachment. You can associate a Transit gateway route-table to the private IP VPN attachment and propagate routes from Private IP VPN attachment to any of the Transit gateway route-tables.

Q: What throughput can I get with Private IP VPN?

A: Just like regular Site-to-site VPN connections, each private IP VPN connection supports 1.25 Gbps of bandwidth. You can use ECMP (Equal Cost Multi-path) across multiple private IP VPN connections to increase effective bandwidth. As an example, to send 10 Gbps of DX traffic over a private IP VPN, you can use 4 private IP VPN connections (4 connections x 2 tunnels x 1.25 Gbps bandwidth) with ECMP between a Transit gateway and Customer gateway pair.

Q: Can I ECMP traffic across a private IP VPN and public IP VPN connections?

A: No, you cannot ECMP traffic across private and public IP VPN connections. ECMP for private IP VPN will only work across VPN connections that have private IP addresses.

Q: What is the MTU (Maximum Transmission Unit) of Private IP VPN?

A: Private IP VPN connections support an MTU of 1500 bytes.

Q: Can a private IP VPN be associated with a different owner account than Transit gateway account owner?

A: No, both Transit gateway and Site-to-site VPN connections must be owned by the same AWS account.

Q: In which AWS Regions is AWS Site-to-Site VPN service and Private IP VPN feature available?

A: AWS Site-to-Site VPN service is available in all commercial regions except for Asia Pacific (Beijing) and Asia Pacific (Ningxia) AWS Regions. The Private IP VPN feature is supported in all AWS Regions where AWS Site-to-Site VPN service is available.

What permission needs to be assigned to a user to be able to connect to a VPN connection?

Remote Access Permission (Dial-in or VPN). This option button specifies whether the user can connect to the network via a dial-up or VPN connection.

What can be configured to allow secure remote connections to Web applications without requiring a VPN?

DirectAccess. DirectAccess allows connectivity for remote users to organization network resources without the need for traditional VPN connections. With DirectAccess connections, remote client computers are always connected to your organization.

What protocol can assure that we can access a network device remotely and your access must be secure?

Virtual Private Network (VPN) – VPNs are extremely popular for remote access, since they allow remote users connected via insecure remote Wi-Fi (Starbucks, bookshops) to connect to a private network through an encrypted tunnel.