Policy based VPN in AWS
A customer wants to establish policy based VPN connectivity from AWS to their data center. I looked at various documentation and still cannot determine whether we can support this or not. Here are the links I’ve reviewed so far:
http://www.mycodingpains.com/establish-policy-based-vpn-connection-aws-hardware-vpn/ https://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/GenericConfigNoBGP.html#DetailedViewCustomerGateway6
questions are:
Can we do this with AWS
What configuration setting makes the VPN setup policy based? Route based?
Thank you
- Newest
- Most votes
- Most comments
AWS Supports both Route based and Policy Based VPN (IPSec). If a customer wants to create Policy Based - that's perfectly fine, but there are some limitations.
We support 1 Security Association, customer needs to initiate the traffic (we are responder only), only one tunnel will be UP in Policy-Based.
Here you can find all the requirement: https://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/Introduction.html#CGRequirements
you are limited to 1 unique Security Association (SA) pair per tunnel (1 inbound and 1 outbound), and therefore 2 unique SA pairs in total for 2 tunnels (4 SAs). Some devices use policy-based VPN and will create as many SAs as ACL entries. Therefore, you may need to consolidate your rules and then filter so you don't permit unwanted traffic.
What is the device that customer is using on a customer site?
Here is sample config for Policy-based VPN for Cisco ASA: https://docs.aws.amazon.com/AmazonVPC/latest/NetworkAdminGuide/Cisco_ASA.html
Relevant content
- Accepted Answerasked 2 years ago
- asked a year ago
AWS OFFICIALUpdated a year ago- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 9 months ago
- AWS OFFICIALUpdated 10 months ago
