What is the difference between AWS site-to-site VPN and AWS client VPN?
I know that site-to-site is using IPSec (layer 3), but client is using TLS (application layer). It seems like both are actually site-to-site VPNs after reading articles/docs online.
I guess the protocol (IPSec vs TLS) is their only difference, which has implications on when you would use which one. I would guess that both are equally good, and you should always use TLS on the application layer anyway, even on top of client VPN.
How do you decide which one to use, and why?
Solution 1:
In general, the protocol doesn't have much to do with it. You can have IPSec tunnels in both site-to-site or client (aka road warrior) configurations, just like you can have OpenVPN (TLS) tunnels in both site-to-site or client setups. It's a matter of configuration and purpose, not the protocol used.
Site-to-Site VPN
- typically 1-to-1 configurations
- both sides in general have similar configuration
- both sides have a fixed IP address
- either side can initiate or restart the connection
- both typically have a network behind them (e.g. two office networks connected)
- you can run a routing protocol (BGP, OSPF, ...) over the tunnel
- the networks can communicate both ways
Client-to-Site VPN
- typically N-to-1 configurations, with N clients connecting to 1 server
- server and client configs are different
- clients don't need a fixed IP address
- only clients initiate the connections (because the server doesn't know the client's current IP)
- client is typically just a single laptop with no network behind it
- routing only permits one IP per client, no BGP or OSPF supported
- only client-to-site connectivity (to the network behind the server) is permitted; generally the site can't initiate a connection to the client
That's roughly the difference between site to site and client to site VPNs.
In AWS the VPN Gateway uses the IPsec protocol and the Client VPN uses the OpenVPN protocol, but that's just how AWS implemented the services. However, in general it's perfectly possible to use either protocol in either setup.
Hope that helps :)
Solution 2:
you should always use TLS on the application layer anyway, even on top of client VPN
TLS is a protocol that has many different uses. The most common one is in HTTPS, but many other protocols use it too, as it's a standard way to encrypt network traffic. That's the application level.
In AWS Client VPN it's being used one level down, to encrypt the actual network layer traffic (level 3), regardless of what's passing through the tunnel. They chose to use TLS because it's a standard, well-known protocol.
Amazon could have implemented Client VPN with IPsec or even invented their own protocol, but they chose TLS because it's a proven technology.
And yes, you can indeed use HTTPS over this VPN, which is technically TLS over TLS, but with different endpoints and certificates.