I understand you could not have public ip address on the firewall where VPN will be terminated . You also have Direct Connect connection between on-premise (Edge device) to AWS. Also have Site to Site VPN connection from on-premise-DC to SSDC.
Answer to your below question:- you have public VIF connecting your on-premise DC and AWS, you can set up a VPN over Direct connect. Also, from your SSDC you will be able to access sideCar vpc.
SSDC ====VPN=====On-premDC ========VPN over Directconnect======SideCarVPC. To access SideCar VPC from SSDC. I assume route based VPN, between SSC and on-premDC. Incase, if its policy based VPN, Please include SideCar VPC as remote network in SSDC and in on-premise include SideCar VPC as local network. anyway VPN between on-prem dc to AWS is policy based based vpn. It will send the traffic over the tunnel with bgp routes. https://docs.aws.amazon.com/whitepapers/latest/aws-vpc-connectivity-options/aws-direct-connect-aws-transit-gateway-vpn.html
How private IP VPN works
Private IP Site-to-Site VPN works over an AWS Direct Connect transit virtual interface (VIF). It uses an AWS Direct Connect gateway and a transit gateway to interconnect your on-premises networks with AWS VPCs. A private IP VPN connection has termination points at the transit gateway on the AWS side, and at your customer gateway device on the on-premises side. You can assign private IP addresses (RFC1918) to both the transit gateway and the customer gateway device ends of the IPsec tunnels.
You attach a private IP VPN connection to a transit gateway. You then route traffic between the VPN attachment and any VPCs (or other networks) that are also attached to the transit gateway. You do that by associating a route table with the VPN attachment. In the reverse direction, you can route traffic from your VPCs to the private IP VPN attachment by using route tables that are associated with the VPCs.
The route table that's associated with the VPN attachment can be the same or different from the one associated with the underlying AWS Direct Connect attachment. This gives you the ability to route both encrypted and unencrypted traffic simultaneously between your VPCs and your on-premises networks.
You will be able to create public VIF for different AWS account other than you have direct connect connection. When you create Public VIf, you need to select which account you want to create the VIF by selecting "virtual interface owner" same account or different account. https://docs.aws.amazon.com/directconnect/latest/UserGuide/create-vif.html
- asked a year ago
- Accepted Answer
- Accepted Answer
- AWS OFFICIALUpdated 8 months ago
- AWS OFFICIALUpdated 7 months ago
- AWS OFFICIALUpdated 9 days ago
- How can I configure a Site-to-Site VPN connection with dynamic routing between AWS and Microsoft Azure?AWS OFFICIALUpdated 9 days ago
- EXPERTpublished 3 months ago