Transit VPC DR Cross-Region Replication Best Practices

We have an older transit VPC that we built manually (i.e. not using an AWS templated build). I am looking to replicate the resources running in that transit VPC (Edge, CSR Router, VPN host) to a different region for redundancy/DR.

I know peering connections can be created to possibly work for this, but the subnets cannot overlap, creating a need to then reconfigure our SD-WAN setup if we need to cut over. I was also wondering if I can simply create a DR transit VPC in the DR region and apply the same subnet CIDR as is configured in our current Transit VPC, and then simply image the instances needed into the DR Transit VPC and spin up with the same IP addressing they currently have if/when needed.

Just looking for general guidance/best practices, as the AWS documentation on the matter seems to suggest a few possible paths forward, but none of which seem to capture our specific needs.

1 Answer

Hello,

Since the transit VPC components you mention (Edge, CSR Router, VPN host) are not native AWS constructs, there is no easy way to replicate these across the regions, especially with the same IPs as you indicated.

I would recommend going through the link below, specifically the table that shows the Transit VPC vs. Transit Gateway solution comparison. You could consider using Transit Gateway to terminate the VPN at each site and do the inter-region TGW peering for the connectivity between the regions. You could still have Inspection VPCs in both regions that can host your fleet of firewall appliances behind a GWLB; this VPC can do East-West or North-South traffic inspection.

https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/transit-vpc-solution.html

As for connectivity between the regions, below are some of your options:

  1. VPC Inter-region Peering (Non-transitive connection)
  2. TGW <> TGW Inter-region peering (Supports only Static routing currently)
  3. IPSEC VPN between the CSRs (You can run BGP over IPSEC)

There are many factors involved here (cost, security, ease of implementation, operations, etc.), so you would need to carefully evaluate each of the options and decide which one suits your particular use case.

answered a month ago
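An added example, not part of the original question or answer: a preflight check for the trade-off discussed above. It flags CIDRs that overlap across regions (the constraint raised in the question) and lists the static routes each side would need for option 2, which the answer notes is static-only. The region names and CIDRs are constructed sample values, and the rule of skipping overlapping prefixes is a simplifying assumption.

```python
import ipaddress
from itertools import combinations

# Constructed inventory (assumption): prefixes attached to each region's TGW.
REGION_CIDRS = {
    "primary": ["10.10.0.0/16", "10.20.0.0/16", "100.64.0.0/24"],
    # DR transit VPC cloned with the same CIDR as the primary transit VPC.
    "dr": ["10.30.0.0/16", "100.64.0.0/24"],
}


def find_overlaps(region_cidrs):
    """Return (region_a, cidr_a, region_b, cidr_b) for every cross-region overlap."""
    tagged = [(region, ipaddress.ip_network(cidr))
              for region, cidrs in region_cidrs.items() for cidr in cidrs]
    hits = []
    for (ra, na), (rb, nb) in combinations(tagged, 2):
        if ra != rb and na.overlaps(nb):
            hits.append((ra, str(na), rb, str(nb)))
    return hits


def plan_static_routes(region_cidrs):
    """Map each region to the remote prefixes it would route to the peering attachment.

    Prefixes that overlap a prefix in another region are skipped: the same
    range cannot be reached both locally and across the peering, so those
    need re-addressing or NAT before they can be included.
    """
    conflicted = set()
    for _, a, _, b in find_overlaps(region_cidrs):
        conflicted.update((a, b))
    plan = {}
    for region in region_cidrs:
        remote = [c for other, cidrs in region_cidrs.items() if other != region
                  for c in cidrs if str(ipaddress.ip_network(c)) not in conflicted]
        plan[region] = sorted(remote, key=ipaddress.ip_network)
    return plan


if __name__ == "__main__":
    for ra, a, rb, b in find_overlaps(REGION_CIDRS):
        print(f"overlap: {ra} {a} <-> {rb} {b}")
    for region, routes in plan_static_routes(REGION_CIDRS).items():
        print(region, "static routes ->", routes)
```

With the cloned transit VPC CIDR present in both regions, the check reports that prefix as a conflict and leaves it out of both route plans.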
