We are setting up a site-to-site VPN using Transit Gateway with a VPC in AWS. The question that came up is at what point the VPN encryption terminates on the AWS side. Is it at the Transit GW or at the perimeter of the VPC?
If it is at the Transit GW, can an outsider snoop the traffic between the Transit GW and the instance running inside the VPC? Would the use of a Virtual Private GW help in any way?
The reason I am asking this question is that we have a need to make an unencrypted connection from the on-premises network to the instance sitting in the VPC.
Any insight would be highly appreciated.
Thx
You always have the Virtual Private Gateway when using AWS VPN. It's actually the termination point on the AWS side regardless of whether you attach it to a Transit Gateway or directly to a VPC.
The transit gateway is already secured and there's virtually no chance (because I still believe nothing is 100% secure) that someone will snoop in at that level.
The VPC gets attached to the TGW as a different leg, and it's up to the routing table(s) to direct your traffic.
So it's at the VPGW that you terminate the VPN, and from then on the traffic is as-is.
If you're concerned you can always encrypt it up to whatever destination you have in the VPC and add additional levels of authentication and other security measures as needed.
https://docs.aws.amazon.com/vpn/latest/s2svpn/SetUpVPNConnections.html#vpn-create-target-gateway
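As an added example (editor's code, not from this thread and not an AWS tool), the two checks a practitioner would want to script when answering this question: which target gateway a Site-to-Site VPN connection terminates on, and which gateway the VPC route table uses to reach the on-premises prefix. A VPN connection record carries exactly one of `VpnGatewayId` or `TransitGatewayId`; that is the target gateway where the IPsec tunnels end, and the hop beyond it into the VPC carries the inner packet as the customer gateway sent it. The records below are constructed in the shape of `aws ec2 describe-vpn-connections` and `aws ec2 describe-route-tables` output: the field names are the real API fields, the IDs and CIDR blocks are made up.

```python
"""Added example: locate the IPsec termination point of an AWS Site-to-Site
VPN and the VPC route used to reach on-premises, from constructed records."""
import ipaddress
from typing import Optional

# Constructed records in the shape of `aws ec2 describe-vpn-connections`
# output (only the fields used here; all IDs are made up).
SAMPLE_VPN_CONNECTIONS = [
    {
        "VpnConnectionId": "vpn-0aaa111122223333a",
        "Type": "ipsec.1",
        "State": "available",
        "CustomerGatewayId": "cgw-0aaa111122223333a",
        "TransitGatewayId": "tgw-0aaa111122223333a",  # target gateway is a TGW
    },
    {
        "VpnConnectionId": "vpn-0bbb111122223333b",
        "Type": "ipsec.1",
        "State": "available",
        "CustomerGatewayId": "cgw-0bbb111122223333b",
        "VpnGatewayId": "vgw-0bbb111122223333b",      # target gateway is a VGW
    },
]

# Constructed VPC route table in the shape of `aws ec2 describe-route-tables`
# output: the VPC's own CIDR via "local", on-prem space via the TGW attachment.
SAMPLE_ROUTE_TABLE = {
    "RouteTableId": "rtb-0ccc111122223333c",
    "VpcId": "vpc-0ccc111122223333c",
    "Routes": [
        {"DestinationCidrBlock": "10.20.0.0/16", "GatewayId": "local",
         "State": "active"},
        {"DestinationCidrBlock": "192.168.0.0/16",
         "TransitGatewayId": "tgw-0aaa111122223333a", "State": "active"},
    ],
}


def vpn_termination(conn: dict) -> dict:
    """Return the target gateway on which this VPN's IPsec tunnels terminate.

    A Site-to-Site VPN connection references exactly one target gateway:
    a virtual private gateway (VpnGatewayId) or a transit gateway
    (TransitGatewayId). Past that gateway the inner packet is forwarded
    as-is toward the VPC, so it is encrypted only if the application
    encrypted it.
    """
    tgw = conn.get("TransitGatewayId")
    vgw = conn.get("VpnGatewayId")
    if bool(tgw) == bool(vgw):
        raise ValueError(f"{conn.get('VpnConnectionId')}: expected exactly one "
                         "of TransitGatewayId or VpnGatewayId")
    return {
        "vpn_connection_id": conn["VpnConnectionId"],
        "terminates_at": "transit-gateway" if tgw else "virtual-private-gateway",
        "gateway_id": tgw or vgw,
        # First hop on which the IPsec wrapper is already gone.
        "cleartext_from": "TGW -> VPC attachment" if tgw else "VGW -> VPC",
    }


def onprem_route_via(route_table: dict, onprem_cidr: str) -> Optional[str]:
    """Return the gateway id the VPC route table uses to reach onprem_cidr,
    using longest-prefix match over active routes, or None if unrouted.

    Covers both attachment styles: a TGW route (TransitGatewayId) and a
    VGW route (GatewayId, typically propagated from the VGW).
    """
    target = ipaddress.ip_network(onprem_cidr)
    best = None  # (matched prefix, gateway id)
    for route in route_table.get("Routes", []):
        if route.get("State") != "active" or "DestinationCidrBlock" not in route:
            continue
        prefix = ipaddress.ip_network(route["DestinationCidrBlock"])
        if prefix.version != target.version or not target.subnet_of(prefix):
            continue
        if best is None or prefix.prefixlen > best[0].prefixlen:
            best = (prefix, route.get("TransitGatewayId") or route.get("GatewayId"))
    return None if best is None else best[1]


if __name__ == "__main__":
    for conn in SAMPLE_VPN_CONNECTIONS:
        print(vpn_termination(conn))
    print("on-prem 192.168.10.0/24 reached via",
          onprem_route_via(SAMPLE_ROUTE_TABLE, "192.168.10.0/24"))
```

On a real account, replace the constructed lists with the `VpnConnections` and `RouteTables` arrays from the two CLI commands named above; `vpn_termination` raising `ValueError` on a record with neither or both gateway fields is deliberate, since such a record would not be a valid Site-to-Site VPN connection.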