VPN over Direct Connect with Transit Gateway
I have a customer that is trying to setup a Direct Connect into both a commercial account and a GovCloud account and associate it with a Transit Gateway.
It looks like the recommended way to do this is to create a Direct Connect Gateway in the commercial account and that will get automatically propagated to the associated GovCloud account. From there you can associate a Transit Gateway to the corresponding Direct Connect Gateway.
My question is how do you set this up if you need to have VPN over Direct Connect for the GovCloud account (and potentially not need it for the commercial account)? I see other posts that talk about configuring VPN over Direct Connect and then associating the VPN with the Transit Gateway. Would you use this method for the GovCloud account and then the DX -> DXGW -> TGW method for the commercial account?
Thanks
- Le plus récent
- Le plus de votes
- La plupart des commentaires
In the end it's all about the virtual interfaces that you create on top of the DX connection:
-
For your GovCloud account: As you want to run VPN over DX, you should create a Public VIF (https://docs.aws.amazon.com/directconnect/latest/UserGuide/create-vif.html#create-public-vif). This way VPN connectivity between the customer site and the AWS VPN endpoint in GovCloud will run over this Public VIF, as the CIDR with the AWS VPN endpoints is announced over this VIF. That VPN connection can then be connected to a TGW within GovCloud or you can leave it standalone. A Public VIF will not use DX Gateway.
-
For your Commercial account: As you don't want to use VPN over DX here, but instead connect the DX Gateway directly to a TGW, you would create a Transit VIF (https://docs.aws.amazon.com/directconnect/latest/UserGuide/create-vif.html#create-transit-vif).
Keep in mind that from an operational perspective, it's usually not a good idea to use the commercial account associated with a GovCloud account for anything. Usually you're better off using a completely separately commercial account, which can be part of an Organizations structure.
Contenus pertinents
- demandé il y a 2 mois
- demandé il y a un an
- demandé il y a 7 mois
- demandé il y a un an
- Comment connecter différentes succursales à l'aide de AWS Site-to-Site VPN et d'AWS Direct Connect ?
AWS OFFICIELA mis à jour il y a un an - AWS OFFICIELA mis à jour il y a un an
- AWS OFFICIELA mis à jour il y a 2 ans
- AWS OFFICIELA mis à jour il y a un an
