A Site-to-Site VPN creates a secure, encrypted connection between your corporate office (on-premises network) and your AWS VPC — over the public internet.

Key Point: Traffic travels over the public internet, but each tunnel is an IPsec connection, so packets are encrypted and integrity-protected in transit between the two gateways.

Why Use It?

Benefit                  Description
───────────────────────  ─────────────────────────────────────────────────────────────────────────
Secure Connection        Encrypted tunnel between office and AWS
Private Resource Access  Access EC2 instances from your office using private IPs
Cost-Effective           Uses existing internet — no dedicated physical line needed
Quick Setup              Much faster to provision than physical connections like AWS Direct Connect

The Two Core Components

1. Virtual Private Gateway (VGW) — The AWS Side

Your VPC
  └── Virtual Private Gateway (VGW)
          └── VPN Tunnel →→→

2. Customer Gateway (CGW) — Your Office Side

→→→ VPN Tunnel
        └── Customer Gateway (CGW)
                └── Your Office Network
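Putting the two components together, the following Terraform configuration is an added example (not code from the original page) showing how an infrastructure engineer would typically build this: the VGW on the AWS side, the CGW record that describes the office device, the VPN connection that joins them with the tunnel cryptography pinned rather than left at the permissive defaults, a static route for the office prefix, and a security group that admits only the office LAN. The VPC and route table IDs, the CIDRs, the ASN and the office public IP are all constructed placeholders.

```hcl
# Added example, not from the original page. All IDs, CIDRs, the ASN and the
# office IP below are constructed placeholders; replace them with your own.

provider "aws" {
  region = "us-east-1" # assumption
}

variable "vpc_id" {
  type    = string
  default = "vpc-0123456789abcdef0" # placeholder: VPC that already exists
}

variable "private_route_table_id" {
  type    = string
  default = "rtb-0123456789abcdef0" # placeholder: route table of the private subnets
}

variable "office_public_ip" {
  type    = string
  default = "203.0.113.10" # placeholder from the TEST-NET-3 documentation range
}

variable "office_cidr" {
  type    = string
  default = "192.168.100.0/24" # placeholder: office LAN reachable through the tunnel
}

# 1. AWS side: the Virtual Private Gateway, attached to the VPC.
resource "aws_vpn_gateway" "vgw" {
  vpc_id = var.vpc_id
  tags   = { Name = "office-vgw" }
}

# 2. Office side, as AWS knows it: the Customer Gateway record.
#    The ASN is required even with static routing; 65000 is a private ASN.
resource "aws_customer_gateway" "office" {
  bgp_asn    = 65000
  ip_address = var.office_public_ip
  type       = "ipsec.1"
  tags       = { Name = "office-cgw" }
}

# The VPN connection joins the two gateways. AWS always provisions two tunnels
# for redundancy, so the cryptographic policy is pinned on both.
resource "aws_vpn_connection" "office" {
  vpn_gateway_id      = aws_vpn_gateway.vgw.id
  customer_gateway_id = aws_customer_gateway.office.id
  type                = "ipsec.1"
  static_routes_only  = true

  # IKEv2 only, AES-256-GCM, SHA-2 and elliptic-curve DH groups; this rules
  # out the legacy IKEv1, 3DES, SHA-1 and group 2 options the defaults allow.
  tunnel1_ike_versions                 = ["ikev2"]
  tunnel1_phase1_encryption_algorithms = ["AES256-GCM-16"]
  tunnel1_phase1_integrity_algorithms  = ["SHA2-256"]
  tunnel1_phase1_dh_group_numbers      = [19, 20, 21]
  tunnel1_phase2_encryption_algorithms = ["AES256-GCM-16"]
  tunnel1_phase2_integrity_algorithms  = ["SHA2-256"]
  tunnel1_phase2_dh_group_numbers      = [19, 20, 21]

  tunnel2_ike_versions                 = ["ikev2"]
  tunnel2_phase1_encryption_algorithms = ["AES256-GCM-16"]
  tunnel2_phase1_integrity_algorithms  = ["SHA2-256"]
  tunnel2_phase1_dh_group_numbers      = [19, 20, 21]
  tunnel2_phase2_encryption_algorithms = ["AES256-GCM-16"]
  tunnel2_phase2_integrity_algorithms  = ["SHA2-256"]
  tunnel2_phase2_dh_group_numbers      = [19, 20, 21]
}

# Static route: tell AWS that the office prefix lives behind this connection.
resource "aws_vpn_connection_route" "office_lan" {
  destination_cidr_block = var.office_cidr
  vpn_connection_id      = aws_vpn_connection.office.id
}

# Let the VGW propagate the office prefix into the private subnets' route table,
# so EC2 instances can answer traffic from office private IPs.
resource "aws_vpn_gateway_route_propagation" "private" {
  vpn_gateway_id = aws_vpn_gateway.vgw.id
  route_table_id = var.private_route_table_id
}

# Least privilege for instances the office should reach: SSH only, and only
# from the office LAN prefix, never from 0.0.0.0/0. Security groups are
# stateful, so no egress rule is needed for the replies.
resource "aws_security_group" "from_office" {
  name        = "from-office-vpn"
  description = "SSH from the office LAN over the VPN only"
  vpc_id      = var.vpc_id

  ingress {
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.office_cidr]
  }
}

# The AWS-side tunnel endpoints the office device must be configured to reach.
output "tunnel_outside_addresses" {
  value = [
    aws_vpn_connection.office.tunnel1_address,
    aws_vpn_connection.office.tunnel2_address,
  ]
}
```

After `terraform apply`, the office router or firewall still has to be configured with the matching IPsec policy and the two tunnel endpoints from the output; the AWS console can generate a vendor-specific configuration file for that device. Bring up both tunnels rather than just the first, since AWS treats the pair as the redundancy mechanism, and monitor the per-tunnel status (UP/DOWN) so a failed tunnel is noticed before the second one also drops.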

How It All Fits Together


Your Office                   Internet                    AWS
─────────────                ─────────────              ─────────────
Office Computer
      ↓
Customer Gateway (CGW)  ──── Encrypted Tunnel ────→  Virtual Private Gateway (VGW)
(Physical/Software)                                         ↓
                                                          VPC
                                                            ↓
                                                      EC2 Instances