Different outside IP per tunnel on a site-to-site VPN connection


When building an AWS site-to-site VPN, each tunnel of the VPN connection gives me a different outside IP address for the AWS Virtual Private Gateway, which is a good practice for redundancy reasons, as explained in the AWS documentation.

However, I am forced to use a single IP for the Customer Gateway, which is limiting the redundancy on the customer side. I would need to be able to provide a different outside IP for each tunnel of the same VPN connection. Otherwise I am limiting the resiliency of my site to site VPN.

Is there any way to achieve this?

2 Answers

You can only use a single CGW for each VPN. To have a redundancy on the CGW side, you can create two VPN connections, each with different CGW.

You can either configure both tunnels for each VPN (you will have a total of 4 tunnels, each 2 tunnels terminated on a single CGW) or a single tunnel for each VPN (total of 2 tunnels, 1 tunnel terminated on each CGW).

The design is discussed here https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-redundant-connection.html

AWS
answered 9 months ago
  • Thanks for the response. Understood. If I have to create 2 CGWs with 2 VPN connections:

    • AWS would use different time for the endpoint update, hence AWS recommend two tunnels so that when one tunnel goes down during the endpoint update, the other tunnel stays up.

    • Yes, it would increase the cost by around $36 (the VPN cost) but not double it.

  • Good, thanks. I cannot have both tunnels on the same VPN connection because I need to use a different public IP per tunnel on the CGW side. So I have e.g. CGW A with VPN Connection A and CGW B with VPN Connection B, and use a single tunnel on each VPN Connection. In this case, could AWS update at the same time my only active tunnel of both VPN connections?

  • About the design shown here https://docs.aws.amazon.com/vpn/latest/s2svpn/vpn-redundant-connection.html AWS is providing a different public IP for each tunnel on the same VPN connection. In my setup I am forced to do the same (for similar reasons). Therefore I need to set up a different AWS customer gateway for each public IP on my side. This means that on each VPN connection only one of the tunnels is configured and online. I know AWS would use a different time for the update of each endpoint. So in the diagram of the link above, since I would have only Tunnel 1 on each VPN connection, could it be the case that AWS is doing updates at the same time on Tunnel 1 of VPN Connection 1 and Tunnel 1 of VPN Connection 2?
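The design the AWS answer describes (one CGW per customer-side public IP, one VPN connection per CGW, all attached to the same Virtual Private Gateway) as Terraform, added here as an example; it is not code from the answer or from AWS. The VPC ID, public IPs (TEST-NET-3 addresses), ASN and inside CIDRs are placeholders. AWS always provisions two tunnels per connection, so each connection still exposes two AWS-side outside IPs even though, in the setup discussed above, only tunnel 1 of each connection is configured on the customer side.

```hcl
# Added example, not from the original thread. All identifiers below are placeholders.

resource "aws_vpn_gateway" "vgw" {
  vpc_id = "vpc-0123456789abcdef0" # assumed VPC ID
  tags   = { Name = "s2s-vgw" }
}

# Customer gateway A: first on-premises public IP (placeholder address).
resource "aws_customer_gateway" "cgw_a" {
  bgp_asn    = "65000"        # assumed on-premises ASN
  ip_address = "203.0.113.10" # placeholder, TEST-NET-3
  type       = "ipsec.1"
  tags       = { Name = "cgw-a" }
}

# Customer gateway B: second on-premises public IP. AWS requires a separate
# CGW object for each customer-side outside IP.
resource "aws_customer_gateway" "cgw_b" {
  bgp_asn    = "65000"
  ip_address = "203.0.113.20" # placeholder, TEST-NET-3
  type       = "ipsec.1"
  tags       = { Name = "cgw-b" }
}

# VPN connection A terminates on CGW A. AWS still allocates two tunnels
# (two AWS-side outside IPs); the thread's design only brings up tunnel 1.
# Inside CIDRs must be unique /30s in 169.254.0.0/16 across both connections.
resource "aws_vpn_connection" "vpn_a" {
  vpn_gateway_id      = aws_vpn_gateway.vgw.id
  customer_gateway_id = aws_customer_gateway.cgw_a.id
  type                = "ipsec.1"
  static_routes_only  = false # BGP over the tunnels

  tunnel1_inside_cidr = "169.254.10.0/30" # assumed
  tunnel2_inside_cidr = "169.254.10.4/30" # assumed
  tags                = { Name = "vpn-a" }
}

# VPN connection B terminates on CGW B, so its tunnel 1 uses the second
# customer-side public IP.
resource "aws_vpn_connection" "vpn_b" {
  vpn_gateway_id      = aws_vpn_gateway.vgw.id
  customer_gateway_id = aws_customer_gateway.cgw_b.id
  type                = "ipsec.1"
  static_routes_only  = false

  tunnel1_inside_cidr = "169.254.20.0/30" # assumed
  tunnel2_inside_cidr = "169.254.20.4/30" # assumed
  tags                = { Name = "vpn-b" }
}

# AWS-side outside IPs per tunnel; these go into the on-premises device config.
output "aws_tunnel_endpoints" {
  value = {
    vpn_a_tunnel1 = aws_vpn_connection.vpn_a.tunnel1_address
    vpn_a_tunnel2 = aws_vpn_connection.vpn_a.tunnel2_address
    vpn_b_tunnel1 = aws_vpn_connection.vpn_b.tunnel1_address
    vpn_b_tunnel2 = aws_vpn_connection.vpn_b.tunnel2_address
  }
}
```

With this layout the on-premises side pairs CGW A's IP with `vpn_a_tunnel1` and CGW B's IP with `vpn_b_tunnel1`; the second tunnel of each connection is left unconfigured, which is why the thread asks whether AWS could take both tunnel-1 endpoints down for maintenance at the same time. Leaving the second tunnel of each connection configured as well (four tunnels total, as the answer's first option) avoids that dependency at the cost of two more tunnels on the same customer IP.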


@Borja did you manage to find out? I'm currently trying to implement a similar approach and would pretty much like to know if the two tunnels from the different VPNs are in the same AZ or not.

answered 4 months ago
