0

We need to create a site-to-site VPN connection from our AWS VPC (in this case, a DMZ VPC dedicated to this connection only and peered with the production VPC). AWS's VPC Connection does not meet the customer requirements, because it requires the tunnels be initiated from the customer's Cisco ASA, and they want the initiation to come from our/AWS's side.

I'm looking at implementing this requirement with something like the following. Does this seem like a viable plan?

  1. Autoscaling group of 2 instances (static size), each in separate AZ
    • Would get Elastic IPs from a pool whitelisted by the customer, assigned by a lambda function in response to autoscaling events
    • Running Openswan and initiating the VPN tunnels to the customer Cisco ASA
    • Configured to act as a NAT (got good tips here around iptables and source/dest check: How to configure a custom NAT for use in Amazon VPC)
  2. VPC route table - obviously I would add the route table entry for the customer subnet to go through the VPN/NAT instance. However, while AWS allows multiple route table entries for the same CIDR block, I don't know if that would work as expected in this case. (I doubt it.) Again, I'd probably use the lambda function that changes the route table entry when the current gateway instance is terminated. So, the second instance would be in warm standby, with a live VPN tunnel but not receiving traffic until the route table is updated.
  3. Obvious (I hope) network security setup: Network ACL and security group rules limit public access to customer Cisco ASA IPs
Karen B
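The Lambda function sketched in points 1 and 2 (assign a whitelisted Elastic IP to a freshly launched gateway, repoint the customer route when a gateway is terminated), written out as an added example that is not from the question or the answer. It is a hypothetical handler for the Auto Scaling group's EventBridge events; the customer CIDR, route table id, tag value and instance ids are assumptions or placeholders. The `FakeEc2` and `FakeAsg` classes at the bottom are constructed stand-ins so the logic runs offline; in Lambda the handler creates real boto3 clients, and only the real method names `describe_addresses`, `modify_instance_attribute`, `associate_address`, `replace_route` and `describe_auto_scaling_groups` are used. It also turns off the source/dest check that the NAT role needs, and refuses to bring up a gateway that cannot get a whitelisted address.

```python
import os

CUSTOMER_CIDR = os.environ.get("CUSTOMER_CIDR", "10.200.0.0/16")       # assumed customer subnet
ROUTE_TABLE_ID = os.environ.get("ROUTE_TABLE_ID", "rtb-PLACEHOLDER")   # placeholder route table id
POOL_TAG_VALUE = os.environ.get("EIP_POOL_TAG", "customer-whitelisted")  # assumed tag on the EIP pool


def free_whitelisted_eips(ec2):
    """Elastic IPs tagged Role=<POOL_TAG_VALUE> that are not attached to any instance."""
    resp = ec2.describe_addresses(Filters=[{"Name": "tag:Role", "Values": [POOL_TAG_VALUE]}])
    return [a for a in resp["Addresses"] if "InstanceId" not in a]


def on_launch(ec2, instance_id):
    """Prepare a new gateway: NAT needs source/dest check off, and the customer
    only accepts tunnels from the whitelisted pool, so pick one of those IPs."""
    ec2.modify_instance_attribute(InstanceId=instance_id, SourceDestCheck={"Value": False})
    free = free_whitelisted_eips(ec2)
    if not free:
        # Fail loudly instead of leaving the gateway on an arbitrary public IP.
        raise RuntimeError("no free whitelisted Elastic IP for %s" % instance_id)
    ec2.associate_address(InstanceId=instance_id, AllocationId=free[0]["AllocationId"])
    return free[0]["PublicIp"]


def on_terminate(ec2, asg, group_name, failed_instance_id):
    """Repoint the customer route at the warm-standby gateway that is still in service."""
    groups = asg.describe_auto_scaling_groups(AutoScalingGroupNames=[group_name])
    survivors = [i["InstanceId"] for i in groups["AutoScalingGroups"][0]["Instances"]
                 if i["InstanceId"] != failed_instance_id and i["LifecycleState"] == "InService"]
    if not survivors:
        raise RuntimeError("no in-service gateway left to receive the customer route")
    ec2.replace_route(RouteTableId=ROUTE_TABLE_ID, DestinationCidrBlock=CUSTOMER_CIDR,
                      InstanceId=survivors[0])
    return survivors[0]


def handler(event, context=None, ec2=None, asg=None):
    """Entry point for an EventBridge rule on the gateway Auto Scaling group."""
    if ec2 is None or asg is None:
        import boto3  # only needed when running inside Lambda
        ec2 = ec2 or boto3.client("ec2")
        asg = asg or boto3.client("autoscaling")
    detail = event["detail"]
    if event["detail-type"] == "EC2 Instance Launch Successful":
        return {"action": "launch", "public_ip": on_launch(ec2, detail["EC2InstanceId"])}
    if event["detail-type"] == "EC2 Instance Terminate Successful":
        target = on_terminate(ec2, asg, detail["AutoScalingGroupName"], detail["EC2InstanceId"])
        return {"action": "failover", "route_target": target}
    return {"action": "ignored"}


# --- constructed fakes: enough of the two clients to exercise the handler offline ---
class FakeEc2:
    def __init__(self):
        self.addresses = [  # pool of two whitelisted EIPs; the first is already on gateway 1
            {"AllocationId": "eipalloc-a", "PublicIp": "203.0.113.10", "InstanceId": "i-gw1"},
            {"AllocationId": "eipalloc-b", "PublicIp": "203.0.113.11"},
        ]
        self.routes = {CUSTOMER_CIDR: "i-gw1"}  # customer route currently via gateway 1
        self.source_dest_check = {}

    def describe_addresses(self, Filters):
        return {"Addresses": list(self.addresses)}

    def modify_instance_attribute(self, InstanceId, SourceDestCheck):
        self.source_dest_check[InstanceId] = SourceDestCheck["Value"]

    def associate_address(self, InstanceId, AllocationId):
        for a in self.addresses:
            if a["AllocationId"] == AllocationId:
                a["InstanceId"] = InstanceId

    def replace_route(self, RouteTableId, DestinationCidrBlock, InstanceId):
        self.routes[DestinationCidrBlock] = InstanceId


class FakeAsg:
    def __init__(self, instances):
        self.instances = instances

    def describe_auto_scaling_groups(self, AutoScalingGroupNames):
        return {"AutoScalingGroups": [{"Instances": self.instances}]}


def demo():
    """Gateway 2 launches and gets the spare EIP; gateway 1 dies and the route moves."""
    ec2 = FakeEc2()
    asg = FakeAsg([{"InstanceId": "i-gw1", "LifecycleState": "Terminating"},
                   {"InstanceId": "i-gw2", "LifecycleState": "InService"}])
    launch = handler({"detail-type": "EC2 Instance Launch Successful",
                      "detail": {"EC2InstanceId": "i-gw2", "AutoScalingGroupName": "vpn-gw"}},
                     ec2=ec2, asg=asg)
    failover = handler({"detail-type": "EC2 Instance Terminate Successful",
                        "detail": {"EC2InstanceId": "i-gw1", "AutoScalingGroupName": "vpn-gw"}},
                       ec2=ec2, asg=asg)
    return launch, failover, ec2


if __name__ == "__main__":
    print(demo()[:2])
```

The route is only touched on a terminate event, which matches the warm-standby design: a newly launched gateway brings its tunnel up but does not receive traffic until the previous one is gone. The Lambda role needs permission for exactly the five API calls above and nothing else.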

1 Answer

0

The plan looks promising: since the AWS end does not act as an initiator, using Openswan is an option wherein you can be the initiator.

https://aws.amazon.com/articles/5472675506466066

C Singh