
AWS VPN CloudHub

Building on the AWS Managed VPN and AWS Direct Connect options described earlier, you can communicate securely from one site to another using AWS VPN CloudHub. AWS VPN CloudHub operates on a simple star (hub-and-spoke) model that you can use with or without a VPC. Use this design if you have multiple branch offices and existing Internet connections and want to implement a practical and potentially cost-effective star model for primary or backup connectivity between these remote offices.

The image below illustrates the AWS VPN CloudHub architecture, with dashed blue lines indicating the network traffic between remote sites routed through their AWS VPN connections.

AWS VPN CloudHub uses an Amazon VPC virtual private gateway with multiple gateways, each of which uses a unique BGP Autonomous System Number (ASN). Your gateways advertise the appropriate routes (BGP prefixes) over their VPN connections.
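A pre-deployment check of a CloudHub site plan, as an added example that is not part of the original page or of any AWS tooling. It flags gateways that share a BGP ASN, which the design above requires to be unique, and goes one step further by flagging prefixes that overlap between sites, on the assumption that each site must advertise a distinct address range for spoke-to-spoke routing to be unambiguous. The site names, ASNs, prefixes and the `audit_cloudhub_plan` function are constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from itertools import combinations

# Constructed site plan: hypothetical office names, private ASNs, RFC 1918 prefixes.
SITES = [
    {"name": "new-york", "bgp_asn": 65001, "prefixes": ["10.1.0.0/16"]},
    {"name": "los-angeles", "bgp_asn": 65002,
     "prefixes": ["10.2.0.0/16", "192.168.10.0/24"]},
    {"name": "miami", "bgp_asn": 65002, "prefixes": ["10.3.0.0/16"]},       # reuses 65002
    {"name": "chicago", "bgp_asn": 65004, "prefixes": ["10.2.128.0/17"]},  # inside 10.2.0.0/16
]


def audit_cloudhub_plan(sites):
    """Return a sorted list of findings for a hub-and-spoke VPN site plan."""
    findings = []

    # Check 1: every gateway must present its own BGP ASN to the hub.
    by_asn = defaultdict(list)
    for site in sites:
        by_asn[site["bgp_asn"]].append(site["name"])
    for asn, names in by_asn.items():
        if len(names) > 1:
            findings.append(f"duplicate ASN {asn}: {', '.join(sorted(names))}")

    # Check 2 (assumption beyond the text): prefixes advertised by different
    # sites must not overlap. strict=True rejects prefixes with host bits set,
    # so a typo such as 10.2.1.0/16 raises ValueError instead of passing.
    nets = [(site["name"], ipaddress.ip_network(prefix, strict=True))
            for site in sites for prefix in site["prefixes"]]
    for (site_a, net_a), (site_b, net_b) in combinations(nets, 2):
        if site_a == site_b or net_a.version != net_b.version:
            continue
        if net_a.overlaps(net_b):
            findings.append(
                f"overlapping prefixes {net_a} ({site_a}) and {net_b} ({site_b})")

    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_cloudhub_plan(SITES):
        print("FINDING:", finding)
```
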


Software VPN

Amazon VPC gives you the flexibility to fully control both sides of your Amazon VPC connectivity by establishing a VPN connection between your remote network and a software VPN device running in your Amazon VPC network.

This option is recommended if you need to manage both ends of the VPN connection for compliance or if you want to use gateway devices that are currently not supported by the Amazon VPC VPN solution. The following figure illustrates this option.

You can choose from an ecosystem of partners and open source communities that have produced software VPN devices running on Amazon EC2. These include products from well-known security companies such as Check Point, Astaro, OpenVPN Technologies and Microsoft, as well as popular open-source tools such as OpenVPN, Openswan and IPsec-Tools. With this choice comes the responsibility for managing the software device yourself, including configuration, patches, and upgrades.