VPN over public VIF

Hello,

I am having a bit of a hard time fully understanding the concept of a VPN over a public VIF. In the first presentation of the course, on the considerations slide, it says that in order to have a VPN over DX you need it to be over a Public Virtual Interface.

As I currently understand it, a VPN's purpose is to connect our data center to an AWS VPC; in the VPN-over-web scenario in the course we created a VPC VPGW in front of a CGW.

In the following links:

- https://aws.amazon.com/premiumsupport/knowledge-center/public-private-interface-dx/
- https://docs.aws.amazon.com/aws-technical-content/latest/aws-vpc-connectivity-options/aws-direct-connect-plus-vpn-network-to-amazon.html

they create a Private Virtual Interface, which is connected to one or more Virtual Private Gateways of one or more VPCs, not a Public Virtual Interface.

What am I missing, please?

Also, can a Public Virtual Interface perhaps be connected both to VPCs and to S3 etc., or do you need both public and private interfaces to connect directly to VPCs and other services?

Thank you in advance!

Sorry for my English and typos - not a native speaker.

  • Derek M
    10-17-2018

    The hosted VPN gateway is made available over a public endpoint in the AWS network, so you have to connect to it with a Public VIF. If you were connecting to an EC2 instance-hosted VPN, you would need a Private VIF for VPC access.

    https://aws.amazon.com/premiumsupport/knowledge-center/create-vpn-direct-connect/

  • Adrian C
    10-17-2018

    Let's start with WHY VPN over Direct Connect is needed. A Direct Connect (DX) is a dedicated connection, but it doesn't utilize encryption - you could sniff the traffic.

    A private VIF connects from your data center into a VPC - so it's a private connection, BUT, it's still NOT encrypted.

    A public VIF allows connection from your data center to 'public endpoint' resources at AWS .. so S3, DynamoDB, and VPN Gateways (which, remember, have public IP addresses). Public VIFs are also NOT encrypted.

    A VPN over a public VIF .. essentially adds this layer of encryption over the top of the public VIF. It is just like a normal VPN, but rather than using the public internet to connect to the VPN endpoint at AWS it uses the DX connection & public VIF.

    You get the consistent performance benefits of DX and the encryption benefits of VPN.

    A single public VIF can be used to connect in the above way AND to connect to all public AWS services (S3, DynamoDB etc.).
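The point made in this answer, that the hosted VPN gateway's tunnel endpoints are public addresses that the public VIF must actually cover, is worth checking rather than assuming: if the BGP prefixes learned over the public VIF don't include a tunnel endpoint, the IPsec tunnel can still come up, but over a default route to the internet instead of the DX link. The following is an added example, not code from the thread or from AWS. It assumes a customer gateway configuration document shaped like the one below (a constructed sample, modelled on the XML a VPN connection hands back; the ids and addresses are documentation-range values) and a constructed list of prefixes standing in for what the router learned over the public VIF:

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample (not real AWS output): modelled on the shape of the
# customer gateway configuration returned for a VPN connection. The id and
# the addresses are made up for the example.
SAMPLE_VPN_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<vpn_connection id="vpn-0EXAMPLE">
  <ipsec_tunnel>
    <customer_gateway>
      <tunnel_outside_address><ip_address>198.51.100.10</ip_address></tunnel_outside_address>
    </customer_gateway>
    <vpn_gateway>
      <tunnel_outside_address><ip_address>203.0.113.21</ip_address></tunnel_outside_address>
    </vpn_gateway>
  </ipsec_tunnel>
  <ipsec_tunnel>
    <customer_gateway>
      <tunnel_outside_address><ip_address>198.51.100.10</ip_address></tunnel_outside_address>
    </customer_gateway>
    <vpn_gateway>
      <tunnel_outside_address><ip_address>203.0.113.200</ip_address></tunnel_outside_address>
    </vpn_gateway>
  </ipsec_tunnel>
</vpn_connection>
"""

# Constructed sample: prefixes the on-premises router learned from AWS over the
# public VIF BGP session. In practice these come from the router's BGP table.
LEARNED_PUBLIC_PREFIXES = ["203.0.113.0/25", "192.0.2.0/24"]

# RFC 1918 space: a VPN endpoint here is not a hosted gateway reachable over a
# public VIF (it would be, e.g., an EC2-hosted VPN behind a private VIF).
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def vgw_tunnel_endpoints(config_xml):
    """Return the AWS-side (virtual private gateway) outside IP of each tunnel."""
    root = ET.fromstring(config_xml)
    return [
        tunnel.findtext("vpn_gateway/tunnel_outside_address/ip_address")
        for tunnel in root.findall("ipsec_tunnel")
    ]


def longest_match(ip, prefixes):
    """Longest-prefix match of ip against the learned prefixes, or None if uncovered."""
    addr = ipaddress.ip_address(ip)
    hits = [n for n in (ipaddress.ip_network(p) for p in prefixes) if addr in n]
    if not hits:
        return None
    return str(max(hits, key=lambda n: n.prefixlen))


def classify_endpoint(ip, prefixes):
    """Say where traffic to this VPN endpoint goes, given the public-VIF routes."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        return "private-address"
    return "dx-public-vif" if longest_match(ip, prefixes) else "internet-fallback"


def check_vpn_over_dx(config_xml, prefixes):
    """Map each VGW tunnel endpoint to the public-VIF prefix covering it (None if none)."""
    return {ip: longest_match(ip, prefixes) for ip in vgw_tunnel_endpoints(config_xml)}


if __name__ == "__main__":
    for ip, prefix in check_vpn_over_dx(SAMPLE_VPN_CONFIG, LEARNED_PUBLIC_PREFIXES).items():
        print(f"{ip}: covered by {prefix} -> {classify_endpoint(ip, LEARNED_PUBLIC_PREFIXES)}")
```

In the sample the first tunnel endpoint falls inside a learned prefix and so rides the DX link, while the second does not and would take whatever default route the router has, which is exactly the "encrypted, but not over DX" situation a VPN-over-public-VIF design is meant to avoid.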

  • james.roeiter
    10-18-2018

    Thank you very much for your time; the video provided in the link truly cleared up some questions for me.

    So as I understand it now:
    In both public and private VIF you will have a customer gateway and a virtual private gateway attached to a VPC, and in both we configure the route tables either by static routing or dynamic BGP routing. The difference is that:
    In public VIF we will also create a VPN connection (in the console under VPN connections), which will also make sure the communication is encrypted, while in the private VIF we are able to connect it to a Direct Connect Gateway, which will enable inter-region communication with multiple VPCs all connected from a single private VIF.
    Is that correct, please?

  • Adrian C
    10-19-2018

    A public VIF doesn't by default create a VPN connection. A public VIF is simply a public connection to the AWS public endpoint range (S3, DynamoDB, SQS, SNS etc.). You 'can' create a VPN over a public VIF, which gives you encrypted & private networking to/from a VPC.

    Direct Connect Gateway works as you suggest.
