Hi Joni,
I understand that you would like to build VPN A & B connecting to AWS for high availability and disaster recovery purposes.
For high availability at on-prem, I would suggest building VPN A connection from Cisco router 1 and terminating it on the VGW/TGW. Similarly, you can build another VPN B connection from Cisco router 2 (either at the same on-prem location or at a different DC) terminating on the VGW/TGW. This ensures that there is no single point of failure and location redundancy respectively. Since you mentioned that you will be using the same subnet on both VPN connections A & B, please make sure to have either of the following:
- an active/passive failover configuration (VPN A active and VPN B passive)
- more specific routing on VPN A so that it acts as primary for both forward and return traffic, and less specific routes on VPN B so that it acts as backup if VPN A goes DOWN.
On the AWS side, please be aware that AWS Site-to-Site VPN connections come with two tunnels for redundancy purposes.
Also, please refer to link [1], which has an architecture diagram with one AWS Site-to-Site VPN connection as primary and another AWS Site-to-Site VPN connection as secondary, to understand the traffic flow, and documentation [2] on S2S failover.
I hope this helps. Please let me know if you have any questions.
References:
[1] https://d1.awsstatic.com/architecture-diagrams/ArchitectureDiagrams/hybrid-connectivity-to-transit-gateway-ra.pdf?ntwd_hyb5
[2] https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-redundant-connection.html
By combining your topic subject wording and the information that you provided in the question, I would assume your topology is as below:
AWS=====VPN A=====DC===(Subnet X)
AWS=====VPN B=====DR===(Subnet X)
If you use a TGW as the VPN termination point on AWS, it depends on the routing you use:
- If static routing, you will need to configure a more specific route (e.g. Subnet X/24) with VPN A as the target, and a less specific route (e.g. Subnet X/23 or shorter) with VPN B as the target on the TGW.
- If BGP, on the DC router side you will need to configure the DR router to prepend additional AS-PATH entries when advertising Subnet X's prefix to AWS via VPN B.
The above design only considers active/standby for traffic flowing from AWS to the DC. You also need to consider the design on the DC side to ensure you don't have asymmetric routing for traffic flowing from the DC to AWS.
Hello Joni,
I will assume that both tunnels are terminated on the same VGW and the same CPE router.
If you need AWS to prefer one VPN over the other, you will need to use BGP routing and the AS Path Prepending option. Just prepend the AS on the backup link.
That will allow AWS to know which is the main link and which is the backup link you choose.