How to create redundant site-to-site VPN connections with a Transit Gateway

Hello

We have the following setup on our infrastructure https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-redundant-connection.html with redundant site-to-site VPN connections, using only 1 virtual private gateway and 2 customer gateways, and this for each of our VPCs.

We want to migrate our network infrastructure using a Transit Gateway, so I am trying to replicate that system using a Transit Gateway.

Here's what I did:

  • created 2 Customer Gateways and attached them to the Transit Gateway. Hence we have 1 VPN connection linked to the transit gateway for each customer gateway
  • set up IPsec tunnels on our on-premises side
  • added a route in the transit gateway routing table, for IP CIDR 10.50.0.0/16, pointing to one of the VPN attachments.

Everything works fine so far. However, I think that in order to have real redundancy, I'd need to set up some kind of dynamic routing, so that packets with destination 10.50.0.0/16 can go to any one of the VPN attachments with some failover mechanism. But it's not allowed to configure 2 routing rules with the same CIDR block, so I'm stuck.

Any way to achieve that?

Asked 2 months ago, 179 views

2 Answers

This looks like what you're trying to achieve. The only way to achieve this is to use BGP for dynamic routing and failover: https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-redundant-connection.html

Answered 2 months ago (Expert)

Can you switch to BGP for dynamic routing? But it wouldn't work if you are using separate customer gateways.

"It's important to note that when you use BGP, both the IPsec and the BGP sessions must be terminated on the same user gateway device, so it must be capable of terminating both IPsec and BGP sessions."

Two recommended reads: https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-static-dynamic.html

https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-transit-gateway-vpn.html

If you end up with static routes, install more specific static routes to the primary attachment, then use 10.50.0.0/16 for your secondary. Two specific routes: 10.50.0.0/17 and 10.50.128.0/17.

Answered 2 months ago (AWS Expert)
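To make the static-route workaround from the second answer concrete, here is an added example (not from the thread or from AWS) that models a Transit Gateway route table with longest-prefix matching: the two /17 routes steer all of 10.50.0.0/16 to the primary attachment, the /16 only takes over once the /17s are gone, and adding a second route for an exact CIDR already present is rejected, which is the constraint the question ran into. Attachment IDs and destination addresses are constructed placeholders.

```python
import ipaddress

# Constructed TGW-style static route table for the scheme in the answer:
# two /17s to the primary VPN attachment and one /16 to the secondary.
# Attachment IDs are placeholders, not real AWS resources.
ROUTES = [
    ("10.50.0.0/17", "tgw-attach-PRIMARY"),
    ("10.50.128.0/17", "tgw-attach-PRIMARY"),
    ("10.50.0.0/16", "tgw-attach-SECONDARY"),
]


def select_route(routes, dst):
    """Longest-prefix match, the rule a route table applies: among all routes
    whose CIDR contains dst, the most specific (largest prefix length) wins."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, target in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def add_static_route(routes, cidr, target):
    """Mimics the constraint from the question: one static route per exact
    CIDR, so 10.50.0.0/16 cannot point at both attachments. Returns a new table."""
    new = ipaddress.ip_network(cidr)
    if any(ipaddress.ip_network(c) == new for c, _ in routes):
        raise ValueError(f"a static route for {cidr} already exists")
    return routes + [(cidr, target)]


def without_attachment(routes, attachment):
    """Route table after every route to `attachment` has been removed. Unlike
    BGP (recommended in the answers for automatic failover), a static route is
    not withdrawn by itself when its tunnel drops; someone or something must
    remove the /17s before the /16 to the secondary starts carrying traffic."""
    return [(c, t) for c, t in routes if t != attachment]


def failover_demo(dst="10.50.200.7"):
    """Where dst is routed with the primary's routes present, then without them."""
    before = select_route(ROUTES, dst)
    after = select_route(without_attachment(ROUTES, "tgw-attach-PRIMARY"), dst)
    return before, after
```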
