By using AWS re:Post, you agree to the Terms of Use

Architecting for large number of site-to-site VPN connections


A customer would like to move their service from on-prem to AWS. Their service requires a site-to-site VPN to the client's physical location. The customer has hundreds of clients, and each of the clients may have anywhere between 1-50 locations. This adds up to a lot of site-to-site VPN connections.

I have been brainstorming on how to architect this, and I am leaning towards leveraging TGW + site-to-site VPN connection with subnet level separation for each client. This is probably the simplest way of setting this up. Alternative could be to setup self-managed EC2 instances with open source VPN installed in a transit VPC. I suspect this will be more cost effective than the former, but harder to managed. There are still things like overlapping CIDR ranges to address but I am not sure if there are better options.

Curious to see if anyone else has run into a similar situation and has any insights. Also are there any limitations I am missing in the above design?

asked 2 years ago28 views
1 Answer
Accepted Answer

If not much bandwidth is required, most customers tend to roll their own self-managed VPN solutions and attach them to AWS Transit Gateway (AWS Transit Gateway Connect feature is very handy here). Running your own quickly becomes cost effective and allows you to be more flexible in terms of NAT, route policies, etc. Just share some initial costings with the customer of say 100 AWS managed VPNs vs a pair of beefy EC2 instances running something like Strong Swan or a market place appliance (say Cisco CSR) and see what is their appetite for managing their own.

answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions