I am planning to set up multiple Virtual Private Clouds (VPCs) on AWS. These VPCs will be located in different geos. Each VPC will have public as well as private instances. I need to incorporate an efficient routing strategy for all the instances running on all VPCs. The cross-VPC communication will happen over IPsec tunnels. Any suggestion regarding the following concerns will be very useful to me.
- Should I create a hub-and-spoke structure where each VPC will have an IPsec tunnel to the hub VPC, or should I create an IPsec tunnel for each pair of VPCs and form a clique?
- I have to keep an instance in each VPC which will act as the IPsec gateway, and there's a risk that this instance becomes a bottleneck or, worse, a single point of failure. Are there architecture options where I can avoid that?
- What IP addressing scheme should I follow so that in future I can move an instance from a public subnet to a private subnet and vice versa without affecting the overall routing?
Please also provide links to relevant docs / case studies that you think might help me in this scenario.
Thanks.