How to create redundant site-to-site VPN connections with a Transit Gateway


Hello

We have the following setup on our infrastructure https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-redundant-connection.html with redundant site-to-site VPN connections, using only 1 virtual private gateway and 2 customer gateways, and this for each of our VPCs.

We want to migrate our network infrastructure using a Transit Gateway, so I am trying to replicate that system using a Transit Gateway.

Here's what I did:

  • created 2 Customer Gateways and attached them to the Transit Gateway. Hence we have 1 VPN connection linked to the transit gateway for each customer gateway
  • set up IPSec tunnels on our on-premise side
  • added a route in the transit gateway routing table, for IP CIDR 10.50.0.0/16, pointing to one of the VPN attachments.

Everything works fine so far. However, I think that in order to have real redundancy, I'd need to set up some kind of dynamic routing, so that packets with destination 10.50.0.0/16 can go to any one of the VPN attachments with some failover mechanism. But it's not allowed to configure 2 routing rules with the same CIDR block, so I'm stuck.

Any way to achieve that?

Jeremy
asked a month ago, 89 views
2 Answers
This looks like what you're trying to achieve. The only way to achieve this is to use BGP for dynamic routing and failover: https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-redundant-connection.html

answered a month ago
Can you switch to BGP for dynamic routing? But it wouldn't work if you are using separate customer gateways.
"It’s important to note that when you use BGP, both the IPsec and the BGP sessions must be terminated on the same user gateway device, so it must be capable of terminating both IPsec and BGP sessions." Two recommended reads: https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-static-dynamic.html

https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-transit-gateway-vpn.html

If you will end up with static routes, install more specific static routes to the primary attachment. Then use 10.50.0.0/16 for your secondary. Two specific routes: 10.50.0.0/17 and 10.50.128.0/17.

AmerO (AWS)
answered a month ago
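The static-route layout from the answer above relies on longest-prefix match in the transit gateway route table. The following is an added example, not code from the question or the answers: it models a constructed route table with the two /17 routes on the primary attachment and the /16 summary on the secondary, checks that the specifics tile the summary exactly, and simulates a primary failure as removal of the primary's routes. The attachment ids are placeholders, and the "routes disappear when the attachment fails" behaviour is a modelling assumption, not a statement about what the transit gateway does.

```python
import ipaddress

# Constructed transit gateway route table mirroring the answer's layout.
# Attachment ids are placeholders, not real AWS identifiers.
PRIMARY = "tgw-attach-PRIMARY-placeholder"
SECONDARY = "tgw-attach-SECONDARY-placeholder"

ROUTE_TABLE = {
    "10.50.0.0/17": PRIMARY,     # more specific -> preferred while present
    "10.50.128.0/17": PRIMARY,   # more specific -> preferred while present
    "10.50.0.0/16": SECONDARY,   # summary -> only used when no /17 matches
}


def select_route(dst, table):
    """Return (cidr, attachment) chosen by longest-prefix match, or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for cidr, attachment in table.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, attachment)
    return (str(best[0]), best[1]) if best else None


def without_attachment(table, attachment):
    """Assumed failure model: drop every route pointing at the lost attachment."""
    return {c: a for c, a in table.items() if a != attachment}


def specifics_cover_summary(table, summary, attachment):
    """True if the routes to `attachment` (other than `summary`) tile it exactly.

    A gap here would send part of the /16 to the secondary even while the
    primary is healthy, so this is the check to run before relying on it.
    """
    summary_net = ipaddress.ip_network(summary)
    specifics = [ipaddress.ip_network(c) for c, a in table.items()
                 if a == attachment and ipaddress.ip_network(c) != summary_net]
    return list(ipaddress.collapse_addresses(specifics)) == [summary_net]


if __name__ == "__main__":
    print("healthy:", select_route("10.50.1.1", ROUTE_TABLE))
    degraded = without_attachment(ROUTE_TABLE, PRIMARY)
    print("primary lost:", select_route("10.50.1.1", degraded))
    print("specifics cover /16:", specifics_cover_summary(ROUTE_TABLE, "10.50.0.0/16", PRIMARY))
```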
