Site-to-Site VPN Sharing

We have a site-to-site VPN configured between our data center and one of our VPCs. We would like to now reuse the same VPN tunnel for other VPCs, and we would prefer to not create a new VPN tunnel for each VPC we want to connect.

We thought of VPC peering but the documentation mentions that VPN traffic is not supported over peering connections. We’re considering AWS Transit Gateway but we don’t like that we would have to configure a new tunnel instead of using the existing VPN we already have.

Any recommendations for a good architecture that would be scalable in the future?

1 Answer


  • #499

    This is a common requirement and you mentioned AWS Transit Gateway which would be the best solution for this type of architecture (especially at scale). You can terminate the VPN tunnel on the Transit Gateway and then that could be shared with many VPCs (each with its own routing rules if needed).

    There is also an option to migrate the existing VPN tunnel from the VPC to the Transit Gateway which would also make this simpler: https://aws.amazon.com/premiumsupport/knowledge-center/transit-gateway-migrate-vpn/

    There are a lot of advantages to using Transit Gateway in this scenario including multi-account support, the ability to grow to large scale, you can add multiple VPN tunnels or Direct Connect for failover, and you can integrate with security devices (incl. AWS Network Firewall) for inspection of this traffic if this was a requirement.

    Hope this helps!
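To make the hub-and-spoke design from the answer concrete, here is an added Terraform sketch (example code, not from this thread or from AWS): the VPN terminates on a Transit Gateway, every spoke VPC attaches to it, and two TGW route tables give each spoke a path to the data center without meshing the spokes with each other. It assumes a `var.spoke_vpcs` map of `{ vpc_id, subnet_ids }` per VPC and uses placeholder ASN and customer-gateway IP values.

```hcl
# Added example; var.spoke_vpcs, the ASN and the 203.0.113.10 address are placeholders.
resource "aws_ec2_transit_gateway" "hub" {
  description                     = "hub for the shared data-center VPN"
  default_route_table_association = "disable" # no implicit any-to-any mesh
  default_route_table_propagation = "disable"
}
resource "aws_customer_gateway" "datacenter" {
  bgp_asn    = 65000          # placeholder ASN
  ip_address = "203.0.113.10" # placeholder (TEST-NET-3) public IP
  type       = "ipsec.1"
}
resource "aws_vpn_connection" "datacenter" { # one tunnel pair, terminated on the TGW
  customer_gateway_id = aws_customer_gateway.datacenter.id
  transit_gateway_id  = aws_ec2_transit_gateway.hub.id
  type                = "ipsec.1"
}
resource "aws_ec2_transit_gateway_vpc_attachment" "spoke" {
  for_each           = var.spoke_vpcs
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
  vpc_id             = each.value.vpc_id
  subnet_ids         = each.value.subnet_ids
  transit_gateway_default_route_table_association = false
  transit_gateway_default_route_table_propagation = false
}
# Two TGW route tables: spokes learn only data-center prefixes, the VPN side
# learns every spoke CIDR, so spokes cannot reach each other through the TGW.
resource "aws_ec2_transit_gateway_route_table" "spokes" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}
resource "aws_ec2_transit_gateway_route_table" "onprem" {
  transit_gateway_id = aws_ec2_transit_gateway.hub.id
}
resource "aws_ec2_transit_gateway_route_table_association" "spoke" {
  for_each                       = aws_ec2_transit_gateway_vpc_attachment.spoke
  transit_gateway_attachment_id  = each.value.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spokes.id
}
resource "aws_ec2_transit_gateway_route_table_propagation" "spoke_to_onprem" {
  for_each                       = aws_ec2_transit_gateway_vpc_attachment.spoke
  transit_gateway_attachment_id  = each.value.id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.onprem.id
}
resource "aws_ec2_transit_gateway_route_table_association" "vpn" {
  transit_gateway_attachment_id  = aws_vpn_connection.datacenter.transit_gateway_attachment_id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.onprem.id
}
resource "aws_ec2_transit_gateway_route_table_propagation" "vpn_to_spokes" {
  transit_gateway_attachment_id  = aws_vpn_connection.datacenter.transit_gateway_attachment_id
  transit_gateway_route_table_id = aws_ec2_transit_gateway_route_table.spokes.id
}
```

Each spoke VPC's subnet route tables still need a route for the data-center CIDR pointing at the TGW, and the data-center side must accept the spoke prefixes it now learns over the tunnel. If the existing VPN should be kept rather than recreated, the migration article linked above covers moving it onto the Transit Gateway attachment.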
