AWS Site to Site VPN in Control Tower- AWS Network Architecture

Introduction - AWS Site to Site VPN in Control Tower

This blog describes one of our architecture designs, ‘AWS Site to Site VPN in Control Tower’, which we built for a client to connect their on-premises network to an AWS environment managed by AWS Control Tower.

To connect the on-prem network with AWS, an AWS Transit Gateway based approach was chosen. It uses a single AWS-managed VPN endpoint to reach multiple VPCs in the same region, avoiding the additional cost and management of a separate IPsec VPN connection to each Amazon VPC.

In this article, we discuss the site-to-site VPN and the different options we explored for building it with a transit gateway and for handling egress traffic, covering:

  • Customer gateway
  • Transit gateway
  • VPN transit gateway attachment
  • Network services transit gateway route table
  • Different options for Egress architecture


Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you’ve defined. This virtual network closely resembles a traditional network that you’d operate in your own data center, with the benefit of running on the scalable infrastructure of AWS. Each VPC can further be configured with different options to make the environment more secure.

Transit Gateway Architecture

AWS Transit Gateway is an AWS-managed, highly available and scalable regional network transit hub that interconnects VPCs and customer networks using route tables. AWS Transit Gateway + VPN, using the Transit Gateway VPN attachment, provides the option of creating an IPsec VPN connection between your remote network and the Transit Gateway over the internet.

Figure 1: AWS Transit Gateway with Redundant VPN

This provides an efficient way to connect multiple VPCs to an on-prem network. With AWS Control Tower in place, accounts are created per project/application. Each of these accounts has its own VPC, and these VPCs can be attached to a transit gateway running in the infrastructure account to provide on-prem connectivity where required.

We will be using dynamic routing between the on-prem firewalls and AWS Transit Gateway.

Transit Gateway Setup in AWS Site to Site VPN in Control Tower

In the client’s AWS environment, a transit gateway is created in the Infrastructure-shared-prod account. It provides connectivity between the different spoke VPCs as well as connectivity to the on-prem network, so a single gateway connects multiple VPCs together.

Two separate network zones are defined for the Production and Dev accounts. Each has its own route table in the transit gateway, which provides network isolation between Production and Dev.

The below diagram shows the connectivity between the transit gateway and different route tables for production and dev/sandbox accounts.

A transit gateway in a Control Tower environment is easy to manage: it is shared with the member accounts, and each account’s VPC attaches to it. In this case, we kept a single transit gateway for both the Dev and Production instances.

The client was not looking for a segregated approach, so a single transit gateway was sufficient.

Setting up multiple transit gateways means that many gateways to configure and monitor. A single gateway is easier to manage when you are just starting out, running a POC, or launching a new product, until the environment grows.


Egress Architecture

Egress architecture governs the traffic sent out of the VPCs in each account.

For outbound internet traffic, the options below are considered for different phases and will be implemented based on the client’s network requirements.

No outbound internet traffic for AWS Site to Site VPN in Control Tower

  • All communication goes via the transit gateway.
  • For the initial workloads, all outbound internet traffic is blocked. This can later be changed as needed to allow traffic out.


Lightweight outbound internet traffic through VPN – Intermediate state

  • The VPCs still talk only to the transit gateway; the VPN connection terminates on an on-prem firewall that manages all inbound and outbound internet traffic.
  • The on-prem firewall, with its existing security controls, is used for outbound internet traffic. This means you can restrict which sites end users are able to access.
  • Outbound internet traffic is routed from AWS to the on-prem firewall through the VPN.

Centralized internet egress – Future State

Here an egress VPC is added in another account. Deploying a NAT Gateway in every spoke VPC becomes expensive, so centralizing it is the better option. To centralize, we create an egress VPC in the shared network account and route all egress traffic from the spoke VPCs through a NAT Gateway in this VPC, using the transit gateway. The transit gateway route table sends all internet-bound traffic to the egress VPC, which then handles all inbound and outbound communication with the internet.

This phase will be implemented when there are significant workloads and the intermediate solution needs to be scaled to support the growing infrastructure/network traffic.
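A small routing model, added here as an example and not part of the original post or the client design, for checking the two properties described above before touching a real account: separate Prod and Dev transit gateway route tables keep the environments apart, and spokes reach the internet only through the egress VPC. All CIDRs, attachment names and the shared route table are constructed assumptions.

```python
import ipaddress

class TgwRouteTable:
    """One transit gateway route table: CIDR -> attachment id (None = blackhole)."""
    def __init__(self, name):
        self.name, self.routes = name, {}

    def propagate(self, attachment, cidr):        # attachment advertises its CIDR
        self.routes[cidr] = attachment

    def add_static(self, cidr, attachment=None):  # default route or blackhole
        self.routes[cidr] = attachment

    def lookup(self, dst_ip):
        """Longest-prefix match; None means dropped (no route or blackhole)."""
        ip = ipaddress.ip_address(dst_ip)
        matches = [(ipaddress.ip_network(c), a) for c, a in self.routes.items()
                   if ip in ipaddress.ip_network(c)]
        return max(matches, key=lambda m: m[0].prefixlen)[1] if matches else None

# Constructed addressing for the spoke VPCs, egress VPC and on-prem network.
CIDR = {"prod-vpc": "10.10.0.0/16", "dev-vpc": "10.20.0.0/16",
        "egress-vpc": "10.0.0.0/24", "vpn-onprem": "192.168.0.0/16"}

prod_rt, dev_rt, shared_rt = (TgwRouteTable(n) for n in ("prod", "dev", "shared"))
ASSOCIATION = {"prod-vpc": prod_rt, "dev-vpc": dev_rt,
               "egress-vpc": shared_rt, "vpn-onprem": shared_rt}

# Prod and Dev each learn only the shared attachments, never each other.
for rt, other in ((prod_rt, "dev-vpc"), (dev_rt, "prod-vpc")):
    rt.propagate("egress-vpc", CIDR["egress-vpc"])
    rt.propagate("vpn-onprem", CIDR["vpn-onprem"])
    rt.add_static("0.0.0.0/0", "egress-vpc")   # centralized internet egress
    # Without this blackhole the default route would carry traffic for the
    # other environment to the egress VPC, whose return path hits shared_rt.
    rt.add_static(CIDR[other])                 # blackhole
# The shared table needs return routes to both spokes.
shared_rt.propagate("prod-vpc", CIDR["prod-vpc"])
shared_rt.propagate("dev-vpc", CIDR["dev-vpc"])

def next_hop(src_attachment, dst_ip):
    """Attachment the gateway forwards to for traffic arriving from src."""
    return ASSOCIATION[src_attachment].lookup(dst_ip)

def isolation_violations():
    """Spoke pairs whose traffic is forwarded anywhere instead of dropped."""
    spokes = ("prod-vpc", "dev-vpc")
    return [(s, d) for s in spokes for d in spokes
            if s != d and next_hop(s, CIDR[d].split("/")[0]) is not None]
```

Run the checks against a real design by replacing the constructed CIDRs and attachment names with the values from your transit gateway route tables.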

When you attach a VPC to a transit gateway, any resources in Availability Zones where there is no transit gateway attachment cannot reach the transit gateway. If there is a route to the transit gateway in a subnet route table, traffic is forwarded to the transit gateway only when the transit gateway has an attachment in a subnet in the same Availability Zone.

Figure 6: Centralized egress model


With this, we have covered the different options and the phased approach you could use to get started with on-premises connectivity to your AWS environment. This is specific to using Control Tower and helps you get started with a less restricted approach.

If you are looking for help to manage your AWS infrastructure or want a review done, please come and talk to us to get a detailed report.
