
I am attempting to connect two AWS regions. AWS's documentation suggests starting up an instance on both sides to run software IPSec (OpenSWAN or StrongSWAN), giving both instances an elastic IP and using that as a tunnel. That's all well and good, but now we have a single point of failure on both sides.

AWS released a VPC Connectivity Guide in July that details the possible options for connecting two VPCs together. I've deep-linked that PDF to page 15, where it explains the options.

Every option it lists has significant downsides, since in most cases all traffic goes through a single (crashable) instance. So far it seems that the best option is to use a software tunnel on one side, and a Virtual Private Gateway on the other. They say, at least you get redundancy on one side. That still seems suboptimal.

Is there a way to connect two Virtual Private Gateways together so I get the best of both worlds - Amazon-managed redundancy and the simplicity of keeping all of this inside my VPC configuration? Or are VGWs essentially client-only?

STRML

1 Answer


No, there is no way at this time to connect two Virtual Private Gateways in different regions. I'm sure it's a feature that's coming, given that VPC peering is available for VPCs in a single region.

As for "You are responsible for implementing HA solutions for all VPN endpoints (if required)", as I discussed in a previous answer, there are various techniques for handling the failure of a VPN/NAT instance. Recently I was talking with a colleague who not only set up a full mesh VPN with autoscaling and scripting to re-provision failed VPN/NAT instances, but also had additional scripts that modified the VPC route tables for immediate takeover of the routes by a different AZ until the failed VPN/NAT instance finished respawning. They also failed the route back once the VPN/NAT instance was up and the ENI reattached. There are many "NAT monitor" scripts on GitHub that do similar things. There is also an AWS article that describes the process.

Decent high-availability? Yes. Simple configuration? Unfortunately, not.

dialt0ne
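As an added illustration of the route-takeover approach the answer describes (example code, not from the original thread, from AWS, or from any "NAT monitor" script): a monitor that probes the primary VPN/NAT instance, moves the remote-VPC route to a standby instance in another AZ after several consecutive failures, and moves it back once the primary has been healthy again. The TCP probe, the thresholds and all IDs are assumptions or placeholders; the only AWS call is boto3's EC2 `replace_route`, isolated behind `apply_action()` so the decision logic runs offline.

```python
from dataclasses import dataclass
import socket

@dataclass
class RouteSpec:
    route_table_id: str      # VPC route table holding the remote-VPC route (placeholder)
    cidr: str                # destination CIDR of the remote VPC (placeholder)
    primary: str             # VPN/NAT instance ID in AZ "a" (placeholder)
    standby: str             # VPN/NAT instance ID in AZ "b" (placeholder)

@dataclass
class MonitorState:
    active: str = "primary"  # which instance currently owns the route
    failures: int = 0        # consecutive failed probes of the primary
    successes: int = 0       # consecutive successful probes of the primary

def probe_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """Assumed health probe: TCP connect through the tunnel to a known remote endpoint."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def decide(state: MonitorState, primary_up: bool, fail_after: int = 3, recover_after: int = 5):
    """Return (action, state): action is 'failover', 'failback' or None.
    Hysteresis keeps one dropped probe from flapping the route: fail_after
    consecutive failures move the route away, recover_after successes move it back."""
    if primary_up:
        state.failures, state.successes = 0, state.successes + 1
        if state.active == "standby" and state.successes >= recover_after:
            state.active, state.successes = "primary", 0
            return "failback", state
    else:
        state.successes, state.failures = 0, state.failures + 1
        if state.active == "primary" and state.failures >= fail_after:
            state.active, state.failures = "standby", 0
            return "failover", state
    return None, state

class DryRunEc2:
    """Stand-in for the boto3 EC2 client: records the call instead of touching the VPC."""
    def __init__(self):
        self.calls = []
    def replace_route(self, **kwargs):
        self.calls.append(kwargs)

def apply_action(ec2, action, spec: RouteSpec):
    """Repoint the route in a single ReplaceRoute call (boto3: ec2.replace_route).
    The target instance must have source/dest check disabled, as any NAT instance does."""
    if action is None:
        return None
    target = spec.standby if action == "failover" else spec.primary
    ec2.replace_route(RouteTableId=spec.route_table_id, DestinationCidrBlock=spec.cidr, InstanceId=target)
    return target
```

In production the loop would call `probe_tcp` every few seconds, feed the result to `decide`, and pass the action to `apply_action` with `boto3.client("ec2", region_name=...)` instead of `DryRunEc2`; a second copy of the monitor in the other AZ watches the standby the same way.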