How do I configure my Site-to-Site VPN with DC and disaster recovery?

0

I have created AWS Site-to-Site VPN A and VPN B and am trying to connect them to a Cisco router. The Cisco router's VPN A and VPN B have the same subnet. How can I control that AWS VPN A communicates with Cisco VPN A, and that when Cisco VPN A is down, VPN B communicates with AWS VPN B?

3 Answers
1

Hi Joni,

I understand that you would like to build VPN A & B connecting to AWS for high availability and disaster recovery purposes.

For high availability at on-prem, I would suggest building VPN A connection from cisco router 1 and terminate on VGW/TGW. Similarly, you can build another VPN B connection from cisco router 2 (either at same on-prem location or different DC) terminating on VGW/TGW. This ensures that there is no single point of failure and location redundancy respectively. Since you mentioned that you will be using same subnet on both VPN connections A & B, please make sure to have either of the following -

  1. active/passive failover configuration (VPN A active and VPN B as passive)
  2. Configure more specific routing on VPN A so that it acts as primary for both forward and return traffic, and configure less specific routes on VPN B so that it acts as backup if VPN A goes DOWN.

On the AWS side, please be aware that AWS Site-to-Site VPN connections come with two tunnels for redundancy purposes.

Also, please refer to the link [1] which has an architecture diagram on AWS Site-to-Site VPN connection as primary and AWS Site-to-Site VPN connection as secondary to understand the traffic flow and documentation [2] on S2S failover.

I hope this helps. Please let me know if you have any questions.

References: [1] https://d1.awsstatic.com/architecture-diagrams/ArchitectureDiagrams/hybrid-connectivity-to-transit-gateway-ra.pdf?ntwd_hyb5 [2] https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-redundant-connection.html

AWS
answered 5 months ago
0

By combining your topic subject wording and the information that you provided in the question, I would assume your topology is as below:

AWS=====VPN A=====DC===(Subnet X)

AWS ====VPN B =====DR===(Subnet X)

If you use TGW as VPN termination point on AWS, it depends on the routing you use:

  1. If static route, you will need to configure more specific route (e.g. Subnet X/24) with VPN A as target, and less specific route (e.g. subnet X/23 or less) with VPN B as target on TGW
  2. If BGP, you will need to configure the DR router to prepend additional AS-PATH entries when advertising subnet X's prefix to AWS via VPN B.

The above design only considers active/standby for traffic flow from AWS to DC. You also need to consider the design on the DC side to ensure you don't have asymmetric routing for traffic flows from DC to AWS.

AWS
Man Le
answered 5 months ago
0

Hello joni,

I will assume that both tunnels are terminated on the same VGW and the same CPE router.

If you need AWS to prefer one VPN over the other, you will need to use BGP routing and the AS Path prepending option. Just prepend the AS on the backup link.

That will let AWS know which is the main link and which is the backup link you chose.

AWS
Shmosa
answered 4 months ago
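The two mechanisms described in the answers above (a more specific static route on VPN A with a less specific one on VPN B, and AS-path prepending on the DR router's VPN B advertisement) both rely on the same route-selection rules: longest prefix match first, then shortest AS path. The following is an added toy model of those two rules, not AWS's or Cisco's code, written to show why each design yields a deterministic primary/backup choice and what goes wrong without the prepend. Subnet X (10.10.0.0/24), the ASN 65000 and the next-hop names "VPN A"/"VPN B" are constructed for the example.

```python
"""Toy route-selection model for the two-VPN, same-subnet design.

Constructed example: models only two of the rules a TGW/VGW and BGP apply
when choosing among routes to the same destination -- longest prefix match,
then shortest AS path -- so the static and BGP designs from the answers can
be compared side by side. It is not AWS's or Cisco's implementation.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Route:
    prefix: str            # e.g. "10.10.0.0/24"
    next_hop: str          # "VPN A" or "VPN B" (hypothetical names)
    as_path: tuple = ()    # empty for a static route


def best_routes(routes, dest):
    """Return the winning route(s) for dest among the installed routes.

    1. Longest prefix match: the most specific prefix covering dest wins.
    2. Among equal prefixes, the shortest AS path wins (BGP rule).
    More than one route comes back only on a tie, which is the
    ECMP / nondeterministic case the designs are meant to avoid.
    """
    target = ipaddress.ip_address(dest)
    candidates = [r for r in routes if target in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return []
    longest = max(ipaddress.ip_network(r.prefix).prefixlen for r in candidates)
    candidates = [r for r in candidates
                  if ipaddress.ip_network(r.prefix).prefixlen == longest]
    shortest = min(len(r.as_path) for r in candidates)
    return [r for r in candidates if len(r.as_path) == shortest]


def select(routes, dest, down=()):
    """Run best_routes after withdrawing every route learned via a failed VPN."""
    live = [r for r in routes if r.next_hop not in down]
    return [r.next_hop for r in best_routes(live, dest)]


# Design 1 (static routes on the TGW): Subnet X = 10.10.0.0/24 (constructed).
STATIC_ROUTES = [
    Route("10.10.0.0/24", "VPN A"),   # more specific -> primary
    Route("10.10.0.0/23", "VPN B"),   # less specific -> backup
]

# Design 2 (BGP): both sites advertise the same /24; the DR router prepends.
ON_PREM_ASN = 65000   # constructed ASN
BGP_ROUTES = [
    Route("10.10.0.0/24", "VPN A", (ON_PREM_ASN,)),
    Route("10.10.0.0/24", "VPN B", (ON_PREM_ASN, ON_PREM_ASN, ON_PREM_ASN)),
]

# Mistake to avoid: same prefix, no prepend -> tie, traffic may use either path.
BGP_NO_PREPEND = [
    Route("10.10.0.0/24", "VPN A", (ON_PREM_ASN,)),
    Route("10.10.0.0/24", "VPN B", (ON_PREM_ASN,)),
]

if __name__ == "__main__":
    host = "10.10.0.25"
    print("static, both up   :", select(STATIC_ROUTES, host))
    print("static, VPN A down:", select(STATIC_ROUTES, host, down={"VPN A"}))
    print("bgp, both up      :", select(BGP_ROUTES, host))
    print("bgp, VPN A down   :", select(BGP_ROUTES, host, down={"VPN A"}))
    print("bgp, no prepend   :", select(BGP_NO_PREPEND, host))
```

Two caveats the model makes visible: with the static design, the less specific /23 on VPN B also attracts traffic for addresses outside Subnet X that fall inside the /23 (for example 10.10.1.x), so choose the backup summary so it covers nothing you intend to reach another way; and with BGP, if the DR router advertises the prefix without prepending, the two routes tie and AWS may use either path. On Cisco IOS the prepend is normally applied with an outbound route-map on the VPN B BGP neighbor using `set as-path prepend`, repeating the ASN as many times as needed. The model does not cover the return path from on-prem to AWS, which the second answer notes must be designed separately to avoid asymmetric routing.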
