Outbound routing from different regions

0

Hello AWS Team.

Please tell me, is it possible to connect a VPS from one region to a Virtual Private Gateway and Site-to-Site VPN in another region? For example, we have one VPC in Europe and a second VPC in the US. We have a VPN and a connection to our on-premises infrastructure in the US, but don't have one in Europe. We made peering between the VPCs, so we can connect one VPC from the other VPC inside the AWS cloud. The question is: can we configure our AWS cloud so that we can connect to the VPC in Europe through our VPN connection to the VPC in the US? Thank you.

Aleksei
asked 11 days ago, 47 views
2 Answers
2

Yes, you can configure your AWS resources to enable connectivity between VPCs in different regions (US and Europe). As mentioned in another answer, VPC Peering will not work for this as the VPC in Europe won't be able to use the S2S VPN connection in the US VPC. You should consider using AWS Transit Gateway with inter-region peering instead. This will allow the VPC in Europe to reach on-premise infrastructure in the US via the S2S VPN.

At a high level, you will need to do the following:

  • Create a Transit Gateway in both regions where you have VPCs deployed following design best practices
  • Attach your VPCs to their corresponding Transit Gateways
  • Create an inter-region peering attachment between Transit Gateways
  • Configure route tables on each transit gateway
    • Transit Gateway in US should have a route to Europe VPC CIDR
    • Transit Gateway in Europe should have a route to US VPC and on-premise CIDR
    • Europe VPC route table should have a route to on-premise CIDR pointing to the Transit Gateway attachment
  • Configure on-premise router with a route to Europe VPC CIDR
  • Modify the S2S VPN target used to connect to on-premise as outlined here

You can reference this blog article for a more comprehensive description of this type of architecture. Note that there are costs (attachment hours and data processing charges) associated with using AWS Transit Gateway; please reference the pricing page for additional details.

AWS
answered 11 days ago
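As an added illustration (not part of the answer above or of any AWS tooling), the route plan in those bullets can be checked offline before anything is deployed: each hop's table is modelled with longest-prefix match and a packet is traced in both directions, so a forgotten route (for example the on-prem router's route to the Europe CIDR) shows up as a black hole instead of a one-way connection. All CIDRs and hop names are constructed placeholders.

```python
import ipaddress

# Constructed CIDRs (assumptions, not from the post): on-prem, US VPC, Europe VPC.
ONPREM, VPC_US, VPC_EU = "10.0.0.0/16", "10.1.0.0/16", "10.2.0.0/16"

# Route table per hop: destination CIDR -> next hop; "local" means delivered here.
# The on-prem router reaches TGW-US over the S2S VPN once the VPN target is the TGW.
ROUTE_TABLES = {
    "onprem-router": {ONPREM: "local", VPC_US: "tgw-us", VPC_EU: "tgw-us"},
    "tgw-us": {ONPREM: "onprem-router", VPC_US: "vpc-us", VPC_EU: "tgw-eu"},
    "tgw-eu": {ONPREM: "tgw-us", VPC_US: "tgw-us", VPC_EU: "vpc-eu"},
    "vpc-us": {VPC_US: "local", ONPREM: "tgw-us", VPC_EU: "tgw-us"},
    "vpc-eu": {VPC_EU: "local", ONPREM: "tgw-eu", VPC_US: "tgw-eu"},
}

def next_hop(table, dst_ip):
    """Longest-prefix match over one hop's routes; None when nothing matches."""
    addr, best = ipaddress.ip_address(dst_ip), None
    for cidr, hop in table.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def trace(tables, start, dst_ip, max_hops=8):
    """Hop list from start to the node delivering dst_ip, or None if a hop lacks a route."""
    path = [start]
    while True:
        hop = next_hop(tables[path[-1]], dst_ip)
        if hop is None or len(path) > max_hops:  # black hole or routing loop
            return None
        if hop == "local":
            return path
        path.append(hop)

def reachable_both_ways(tables, a, a_ip, b, b_ip):
    """True only if a->b and b->a both resolve; a one-way route still breaks TCP."""
    fwd, rev = trace(tables, a, b_ip), trace(tables, b, a_ip)
    return bool(fwd and rev and fwd[-1] == b and rev[-1] == a)

def without_route(tables, node, cidr):
    """Copy of the plan with one route removed, to show what forgetting it does."""
    copy = {n: dict(t) for n, t in tables.items()}
    copy[node].pop(cidr, None)
    return copy

if __name__ == "__main__":
    print("on-prem -> EU VPC:", trace(ROUTE_TABLES, "onprem-router", "10.2.5.10"))
    print("EU VPC -> on-prem:", trace(ROUTE_TABLES, "vpc-eu", "10.0.1.1"))
    broken = without_route(ROUTE_TABLES, "onprem-router", VPC_EU)  # skip the on-prem router step
    print("without the on-prem route to EU:", trace(broken, "onprem-router", "10.2.5.10"))
```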
1

VPC Peering is non-transitive, so you won't be able to connect from on-premises via VPN and then via peering to a VPC in Europe. It's called out here:

If VPC A has a VPN connection to a corporate network, resources in VPC B can't use the VPN connection to communicate with the corporate network.

AWS
answered 11 days ago
  • Note that you can "share" a VPN between multiple VPCs using Transit Gateway; and you can peer Transit Gateways between regions - so technically you can do this but it will increase the cost of the solution.

  • Correct, in addition to the additional cost it also creates regional dependency. It would be much better to create a new VPN for EU region.
