US 9,813,379 B1
Virtual private gateways using compute instances
Upendra Bhalchandra Shevade, Herndon, VA (US); Gregory Rustin Rogers, Reston, VA (US); Kevin Christopher Miller, Herndon, VA (US); Bashuman Deb, Herndon, VA (US); and Michael Brooke Furr, Washington, DC (US)
Assigned to Amazon Technologies, Inc., Reno, NV (US)
Filed by Amazon Technologies, Inc., Reno, NV (US)
Filed on May 9, 2014, as Appl. No. 14/274,546.
Int. Cl. H04L 29/06 (2006.01); H04L 12/707 (2013.01); H04L 12/721 (2013.01)
CPC H04L 63/0272 (2013.01) [H04L 45/24 (2013.01); H04L 45/70 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A system, comprising:
one or more computing devices configured to:
receive a request via a programmatic interface to establish a VPN (virtual private network) connection between a customer data center of a particular customer and one or more customer compute instances (CI) of a first isolated virtual network (IVN), the first IVN established using resources of a provider network on behalf of the particular customer, wherein at least one of the one or more customer CIs is assigned a network address that is not accessible from the public Internet;
establish a second IVN within the provider network to be used for a virtual private gateway (VPG) for the VPN connection between the customer data center and the one or more customer CIs;
configure a plurality of protocol processing engines (PPEs) of the VPG, including a first PPE and a second PPE, within the second IVN, wherein the first PPE is implemented at a first compute instance of a virtual computing service of the provider network, and wherein the second PPE is implemented at a second compute instance of the virtual computing service;
establish a plurality of VPN tunnels from the plurality of PPEs to the customer data center, wherein the plurality of VPN tunnels comprises (a) a first VPN tunnel between the customer data center and the first PPE and (b) a second VPN tunnel between the customer data center and the second PPE, wherein the first VPN tunnel corresponds to a primary internal path between the first PPE and the one or more customer CIs, and wherein the second VPN tunnel corresponds to a secondary internal path between the second PPE and the one or more customer CIs;
transmit routing information pertaining to the one or more customer CIs to the customer data center via at least one VPN tunnel of the first and second VPN tunnels; and
route a packet received from the customer data center at the first PPE to a destination network address within the first IVN corresponding to at least one of the one or more customer CIs.
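The claim elements above describe one procedure: a VPG built from PPEs on ordinary compute instances in its own IVN, a primary and a secondary tunnel to the customer data center, route advertisement over those tunnels, and forwarding of tunnel traffic only to the customer's own CIs in the first IVN. The following added example models that procedure end to end, including the failure mode the two-tunnel design exists for (the primary tunnel going down). It is illustration written for this page, not code from the patent or from Amazon; the IVN prefix, the CI addresses, the PPE names, the primary/secondary preference values and the way the data center learns routes are all assumptions (the claim does not name the routing protocol used over the tunnels).

```python
"""Model of the dual-tunnel virtual private gateway (VPG) of claim 1.

Added illustration, not code from the patent or from Amazon.  The IVN
prefix, PPE names and the primary/secondary preference values are
assumptions chosen for this example.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ProtocolProcessingEngine:
    """One PPE: a compute instance in the VPG's IVN that terminates one VPN tunnel."""
    name: str
    role: str                 # "primary" or "secondary" internal path to the CIs
    tunnel_up: bool = True
    forwarded: list = field(default_factory=list)


class VirtualPrivateGateway:
    """The VPG: a second IVN holding the PPEs, fronting the customer's first IVN."""

    # Assumed policy: lower preference wins, so the primary path is used while up.
    PREFERENCE = {"primary": 100, "secondary": 200}

    def __init__(self, customer_ivn, customer_cis, ppes):
        self.customer_ivn = ipaddress.ip_network(customer_ivn)
        self.customer_cis = {ipaddress.ip_address(a) for a in customer_cis}
        # Claim: the CIs carry addresses not reachable from the public Internet.
        for addr in self.customer_cis:
            if addr not in self.customer_ivn or not addr.is_private:
                raise ValueError(f"{addr} is not a private address inside {self.customer_ivn}")
        self.ppes = {p.name: p for p in ppes}

    def advertise_routes(self):
        """Routing information sent to the data center over each live tunnel.

        Returns (prefix, via-PPE, preference) triples; only a PPE whose tunnel
        is up can carry an advertisement, so a dead tunnel withdraws its route.
        """
        return [(self.customer_ivn, p.name, self.PREFERENCE[p.role])
                for p in self.ppes.values() if p.tunnel_up]

    def receive(self, ppe_name, dst):
        """Handle a packet that arrived from the data center at PPE ppe_name."""
        ppe = self.ppes[ppe_name]
        if not ppe.tunnel_up:
            return "tunnel_down"
        dst = ipaddress.ip_address(dst)
        # Only addresses of the customer's own CIs inside the first IVN are routed;
        # anything else arriving over the tunnel is dropped at the PPE.
        if dst in self.customer_ivn and dst in self.customer_cis:
            ppe.forwarded.append(dst)
            return f"delivered:{ppe_name}"
        return "dropped"


class CustomerDataCenter:
    """Customer side: learns routes over the tunnels and picks a tunnel per packet."""

    def __init__(self):
        self.routes = {}          # prefix -> (via-PPE, preference)

    def learn(self, advertisements):
        self.routes = {}
        for prefix, via, pref in advertisements:
            current = self.routes.get(prefix)
            if current is None or pref < current[1]:
                self.routes[prefix] = (via, pref)

    def next_hop(self, dst):
        dst = ipaddress.ip_address(dst)
        matches = [(prefix, via) for prefix, (via, _) in self.routes.items() if dst in prefix]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]   # longest prefix wins


def send(dc, vpg, dst):
    """Forward one packet from the data center through the tunnel the DC selected."""
    via = dc.next_hop(dst)
    if via is None:
        return "no_route"
    return vpg.receive(via, dst)


def run_scenario():
    """Walk through normal forwarding, a drop, and failover to the secondary PPE."""
    vpg = VirtualPrivateGateway(
        "10.0.0.0/16", ["10.0.1.10", "10.0.1.11"],          # constructed sample IVN
        [ProtocolProcessingEngine("ppe-a", "primary"),
         ProtocolProcessingEngine("ppe-b", "secondary")])
    dc = CustomerDataCenter()
    dc.learn(vpg.advertise_routes())
    out = {}
    out["normal"] = send(dc, vpg, "10.0.1.10")        # primary path, delivered
    out["not_a_ci"] = send(dc, vpg, "10.0.9.9")       # in the IVN but no such CI
    out["outside_ivn"] = send(dc, vpg, "192.0.2.1")   # no route at the DC
    vpg.ppes["ppe-a"].tunnel_up = False               # primary tunnel fails
    out["stale_route"] = send(dc, vpg, "10.0.1.11")   # DC still points at ppe-a
    dc.learn(vpg.advertise_routes())                  # withdrawal reaches the DC
    out["failover"] = send(dc, vpg, "10.0.1.11")      # now via the secondary PPE
    return out


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step:12s} {result}")
```

The "stale_route" step is the practical caveat: the secondary tunnel only helps once the data center has stopped preferring the dead primary, so the withdrawal (or a keepalive timeout on the customer side) is as much a part of the design as the second PPE itself. The constructor's check also enforces the claim's condition that the CIs sit on addresses that are not publicly routable, which is what keeps the tunnel the only path to them.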