How should I encrypt data-in-motion between my data center and the AWS Global Transit VPC?
In AWS, security is a shared responsibility model – meaning that AWS has some of the security burden and subscribing organizations also share some of the security burden. While AWS has responsibility for the underlying infrastructure, hardware, virtualization layer, facilities and staff, the subscriber organization is responsible for securing and encrypting data in motion, dealing with who can access what VPCs, firewall and egress rules, as examples. In other words, you retain control over the security you want to implement to protect your users, applications, data, and networks. It’s up to you.
Securing Direct Connect and Internet Connections to your Global Transit VPC
Organizations typically use AWS Direct Connect or public Internet connectivity to enable traffic from their private, on-premises datacenter to their AWS cloud, and specifically to their Global Transit Hub VPC. While these are common and proven deployment designs, the security considerations for each are often unique to every individual organization based on industry, regulations and security posture. One “security size” does not fit all.
AWS Direct Connect is a private link into AWS regions that provides bandwidth. The service is not natively encrypted when initially deployed. Many customers will need to consider regulatory or best practices which may drive requirements to encrypt all data in motion to their Transit VPC or any public cloud resource.
So, what does AWS provide natively? There is some good news if you are using public Internet links to connect to your Transit Hub VPC. For Internet links terminating on AWS Virtual Gateway (VGW), the links are already encrypted. That said, you need to be aware that there is a native AWS limitation in that the VGW can only support 20 connections. This means the VGW cannot terminate more than 20 connections so be sure you plan with this limitation in mind.
Similarly, the links when connecting a Transit Hub VPC to any spoke VPC are also encrypted. The consideration for these segments that you need to be aware of is the lack of VPC segmentation or isolation. Each VPC can talk to another VPC, by default, which may not align with your design goals.
What are your options?
AWS provides a native solution to add VPN capabilities between the VGW (in the transit hub VPC) and on-premise environment when using Direct Connect. This improves security by encrypting the data in motion. Follow these instructions to enable this capability.
At Aviatrix, we complement this by enabling encryption between the Aviatrix Gateway deployed in the Transit Hub and the VGW – ensuring the entire link is encrypted. Additionally, customers also use Aviatrix to encrypt connections between the Transit hub Gateway and Spoke VPC that are part of the transit network.
Securing the link from the on-premise environment to the Transit Hub is just one aspect of security that organizations should consider in meeting their responsibility within the shared security model for AWS cloud.