
We have a situation where we have multiple EC2 instances each running a VPN. Both the remote VPN server and remote subnet are run by a third party, and we have no say in the way they are set up.

We don't believe these are transferable to AWS client LAN-to-LAN VPN.

The VPNs all route to the same physical subnet with the same CIDR block. There is some rate limiting for these VPNs (on the remote side), and we don't want to push all of our traffic for that CIDR block through the same subnet. Besides this, we would like to have some form of health check and failover so that if one VPN connection goes bad, we can re-route through another.

[Architecture diagram: image not included]

Does AWS have any form of transparent load-balanced routing, as opposed to an application load balancer? Likewise, I believe AWS's Network Load Balancer acts as an endpoint routing specific ports to multiple providers.

Just to make this more complex, the VPN clients include a NAT, meaning that the routing would need to be stateful.

This is something I'm aware is available on enterprise-level hardware (Cisco routers etc.), but I'm not sure if Amazon exposes any such feature.

Philip Couling
  • Could you sketch out a diagram? I'm struggling to follow the architecture description. – shearn89 Mar 16 '22 at 16:30
  • Route53 could work, if you use DNS names. Or maybe a network load balancer? Have your clients target the NLB instead of the EC2s? – shearn89 Mar 16 '22 at 16:32
  • @shearn89 unfortunately the creators of this VPN like to use a lot of static IPs and don't put domain names on any of it. Not only do we need to use their VPN we also need to use their software so the only piece we control is the VPN client and the routing. – Philip Couling Mar 16 '22 at 16:37
  • I'm not familiar with AWS or so, but in general, if you want to have a route/routes as your backup, you have to use "Distance" in your routing configuration. – Zareh Kasparian Mar 16 '22 at 20:33
  • Where is the rate limiting taking place? In your EC2 servers or on the target VPN server? – Tim Mar 17 '22 at 08:09
  • I think I understand more now. If you want to be able to put something in the ??? box that can balance your connections to the two VPN Client boxes, a Network Load Balancer would do it. Incidentally, what problem does this VPN set up actually solve? Is there a better solution that doesn't involve a 3rd party VPN service? – shearn89 Mar 17 '22 at 08:30
  • @shearn89 despite the name I believe [network load balancer](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/introduction.html) routes specific ports to specific endpoints. We're looking for something to route the entire subnet (all IPs in it, all ports, ideally both TCP and UDP). – Philip Couling Mar 17 '22 at 09:18
  • Yes, they operate at the network layer not application (hence the name). I didn't get that you wanted to route the whole subnet! Okay. – shearn89 Mar 17 '22 at 09:28
