How do I connect different branch offices using AWS Site-to-Site VPN and AWS Direct Connect?

2 minute read

I want to establish connectivity between branch offices using AWS Site-to-Site VPN and AWS Direct Connect.

Short description

AWS Site-to-Site VPN provides secured connectivity between AWS resources and the on-premises network such as a data center or a branch office.

AWS Direct Connect provides connectivity to AWS resources by establishing a link between your internal network and the AWS Direct Connect location.

Use Site-to-Site VPN and AWS Direct Connect's transit virtual interface (VIF) to establish connectivity between the branch offices.

Resolution

Establish the Site-to-Site VPN connection through a transit gateway from your branch office (for example, Branch office 1). Then, establish AWS Direct Connect from the second branch office (for example, Branch office 2) to the same transit gateway that you used to set up Site-to-Site VPN.

Branch office 1

Complete these steps to set up the AWS Direct Connect connection through the transit gateway:

Request AWS Direct Connect between an AWS Direct Connect location and Branch office 1.
Create an AWS Direct Connect transit VIF to the Direct Connect gateway.
Associate the transit gateway to the AWS Direct Connect gateway.
Note: List Branch office 2's network prefixes in Allowed prefixes.
Using Border Gateway Protocol (BGP), advertise Branch office 1's CIDR from an on-premises device towards the transit VIF. For more information on configuring your on-premises device, see the device's third-party documentation for details.

Branch office 2

Complete these steps to set up a Site-to-Site VPN connection in this branch:

Establish Site-to-Site VPN through the same transit gateway used for the transit VIF in Branch office 1.
Using BGP, advertise Branch office 2's network prefixes from the customer gateway device towards the Site-to-Site VPN.

Note:

Make sure that the Site-to-Site VPN attachment and the AWS Direct Connect gateway attachment associate with the same transit gateway routing table.
The Autonomous System Number (ASN) for Transit Gateway, AWS Direct Connect gateway, and the branch offices must be unique.

Topics

Networking & Content Delivery

Relevant content

VPN over Direct Connect with Direct Connect Gateway
Accepted Answer
AWS-User-5823424
asked 3 years ago
Can I split an AWS Direct Connect connection and assign specific bandwidths to different resources?
Accepted Answer
AWS-User-9154974
asked 4 years ago
What is difference b/w 'Transit GW', 'Direct Connect GW' and 'Direct Connection'?
Accepted Answer
meallhour
asked 10 months ago
AWS Client VPN over Direct Connect
goyalaws
asked 7 months ago
Seeking Guidance on Setting Up Connectivity with AWS Direct Connect and VPN Clients
Accepted Answer
Ali Md
asked 2 months ago
How do I troubleshoot Direct Connect and VPN failover issues?
AWS OFFICIALUpdated 10 months ago
How do I troubleshoot BGP connection failure over AWS VPN or Direct Connect?
AWS OFFICIALUpdated a year ago
How do I establish an encrypted connection over an AWS Direct Connect connection?
AWS OFFICIALUpdated 9 months ago
How do I configure Direct Connect and VPN failover with Transit Gateway?
AWS OFFICIALUpdated a year ago
BGP Negotiation over AWS Site-to-Site VPN and Direct Connect: Troubleshooting Strategies for Efficient Networking
EXPERT
Vinay Gugueoth
published 9 months ago