Private networking is about ensuring sensitive data never travels unencrypted over the public internet, and that internal services are never exposed publicly. This matters for compliance, security, and reliability.
What is a VPN?
A VPN (Virtual Private Network) creates an encrypted tunnel over a public network (the internet). To the outside world, the traffic looks like encrypted noise. Inside the tunnel, the two endpoints communicate as if they were on the same private network.
Two main use cases:
- Remote access VPN: Individual users connect to a corporate network from anywhere
- Site-to-site VPN: Connect two networks (office + cloud, or two cloud regions)
VPN Protocols
IPSec
The industry-standard VPN protocol suite for site-to-site VPNs. Operates at Layer 3 (network layer). Two phases:
- IKE (Phase 1): Establish a secure channel and authenticate both peers
- IPSec (Phase 2): Negotiate encryption/integrity for data traffic
IPSec can use ESP (Encapsulating Security Payload), which encrypts the payload and can also provide integrity, or AH (Authentication Header), which provides integrity and authentication only, with no encryption.
WireGuard
A modern, lightweight VPN protocol. ~4,000 lines of code vs ~400,000 for IPSec. Faster handshake, better performance, easier to audit. Used by many cloud providers and popular VPN clients. Kernel-level implementation in Linux 5.6+.
OpenVPN
Open-source TLS-based VPN. Widely supported and flexible; runs over UDP or TCP, and when run on TCP port 443 it passes through firewalls that only allow HTTPS. Common for remote access VPNs. AWS Client VPN is based on OpenVPN.
AWS Site-to-Site VPN
Connects your on-premises network to an AWS VPC via an encrypted IPSec tunnel over the public internet:
- Virtual Private Gateway (VGW): The AWS-side VPN endpoint, attached to your VPC
- Customer Gateway (CGW): Represents your on-premises VPN device in AWS configuration
- Two tunnels: AWS provisions two tunnels for redundancy (different AZs)
- Routing: Static routes or dynamic BGP routing
- Bandwidth: Up to 1.25 Gbps per tunnel
On-premises network: 192.168.0.0/16
AWS VPC: 10.0.0.0/16
VPN tunnel: 192.168.0.0/16 ↔ (encrypted IPSec) ↔ 10.0.0.0/16
AWS Direct Connect
A dedicated physical connection between your data centre and AWS — no public internet involved:
- 1 Gbps or 10 Gbps dedicated connections
- Consistent bandwidth and latency (no internet congestion)
- Lower data transfer costs for high-volume workloads
- Required for compliance workloads that prohibit internet paths
- Not encrypted by default — layer IPSec on top if needed
- 3–6 months lead time for physical installation; use VPN while waiting
VPC Peering
Connects two VPCs privately using AWS's internal network — no internet, VPN, or gateway needed:
- Traffic stays on AWS backbone
- Works across accounts and regions
- Not transitive: If VPC-A peers VPC-B, and VPC-B peers VPC-C, traffic from VPC-A cannot reach VPC-C via VPC-B
- CIDR blocks must not overlap
- Route tables must be updated in both VPCs
AWS Transit Gateway
Solves the scalability problem of VPC peering. A Transit Gateway is a hub that connects multiple VPCs, VPN connections, and Direct Connect connections in a hub-and-spoke topology:
- Up to 5,000 VPC attachments per Transit Gateway
- Traffic between VPCs routed through the TGW (transitive routing supported)
- Route tables on TGW control which attachments can reach each other
- Can peer TGWs across regions for global private connectivity
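To make the peering and Transit Gateway rules above concrete, here is an added example (not from the original page or from AWS) that models route-table lookups for three constructed VPCs: a packet handed to a peering connection is delivered only if it is addressed to the far-end VPC's own CIDR and the far end routes back, while a Transit Gateway forwards between any two attachments whose associated TGW route tables carry routes to each other. The VPC names, CIDRs, peering IDs and route-table names are all made up.

```python
from ipaddress import IPv4Network, ip_address

# Constructed example VPCs (not from any real account); CIDRs chosen so they do not overlap.
VPCS = {"vpc-a": IPv4Network("10.0.0.0/16"), "vpc-b": IPv4Network("10.1.0.0/16"),
        "vpc-c": IPv4Network("10.2.0.0/16")}

def create_peering(a, b):
    """AWS refuses a peering connection when the two VPC CIDR blocks overlap."""
    if VPCS[a].overlaps(VPCS[b]):
        raise ValueError(f"CIDR overlap: {a} {VPCS[a]} vs {b} {VPCS[b]}")
    return (a, b)

def lookup(route_table, ip):
    """Longest-prefix match over a route table of {CIDR: target}; None if no route."""
    hits = [(IPv4Network(c), t) for c, t in route_table.items() if ip_address(ip) in IPv4Network(c)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def reachable_via_peering(src, dst_ip, routes, peerings):
    """Peering delivers only to the far-end VPC's own CIDR (no onward forwarding) and needs a return route."""
    pcx = lookup(routes[src], dst_ip)
    far_end = next((v for v in peerings.get(pcx, ()) if v != src), None)
    if far_end is None or ip_address(dst_ip) not in VPCS[far_end]:
        return False  # no peering on that route, or transit traffic that far_end would drop
    return lookup(routes[far_end], str(VPCS[src][1])) == pcx

def reachable_via_tgw(src, dst_ip, routes, tgw):
    """The source attachment's TGW table picks the egress; the destination's table must route back."""
    if lookup(routes[src], dst_ip) != "tgw":
        return False
    tables, assoc = tgw["route_tables"], tgw["association"]
    egress = lookup(tables[assoc[src]], dst_ip)
    if egress is None or ip_address(dst_ip) not in VPCS[egress]:
        return False
    return lookup(tables[assoc[egress]], str(VPCS[src][1])) == src

def demo():
    peerings = {"pcx-ab": create_peering("vpc-a", "vpc-b"), "pcx-bc": create_peering("vpc-b", "vpc-c")}
    # vpc-a is (wrongly) given a route to vpc-c via pcx-ab, hoping vpc-b forwards it.
    routes = {"vpc-a": {"10.1.0.0/16": "pcx-ab", "10.2.0.0/16": "pcx-ab"},
              "vpc-b": {"10.0.0.0/16": "pcx-ab", "10.2.0.0/16": "pcx-bc"},
              "vpc-c": {"10.1.0.0/16": "pcx-bc"}}
    # TGW: vpc-a and vpc-c share a full table; vpc-b's table reaches only vpc-a.
    tgw = {"association": {"vpc-a": "rt-shared", "vpc-b": "rt-isolated", "vpc-c": "rt-shared"},
           "route_tables": {"rt-shared": {str(n): v for v, n in VPCS.items()},
                            "rt-isolated": {"10.0.0.0/16": "vpc-a"}}}
    tgw_routes = {v: {"10.0.0.0/8": "tgw"} for v in VPCS}  # every VPC sends 10/8 to the TGW
    return {"peer_a_to_b": reachable_via_peering("vpc-a", "10.1.0.10", routes, peerings),
            "peer_a_to_c": reachable_via_peering("vpc-a", "10.2.0.10", routes, peerings),
            "tgw_a_to_c": reachable_via_tgw("vpc-a", "10.2.0.10", tgw_routes, tgw),
            "tgw_b_to_c": reachable_via_tgw("vpc-b", "10.2.0.10", tgw_routes, tgw)}
```

`demo()` returns peer_a_to_c as False (the extra route in vpc-a buys nothing) and tgw_a_to_c as True, while tgw_b_to_c is False purely because of the TGW route-table association.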
AWS PrivateLink
Expose a service (your own or an AWS service) to other VPCs without peering or public internet. The service consumer accesses it via an Interface VPC Endpoint — traffic never leaves the AWS network. Used for SaaS multi-tenancy and secure service access.
Next: Cloud networking architecture — how all of this applies in a production AWS VPC design.