Architecting for a large number of site-to-site VPN connections
A customer would like to move their service from on-prem to AWS. Their service requires a site-to-site VPN to the client's physical location. The customer has hundreds of clients, and each of the clients may have anywhere between 1 and 50 locations. This adds up to a lot of site-to-site VPN connections.
I have been brainstorming on how to architect this, and I am leaning towards leveraging TGW + site-to-site VPN connections with subnet-level separation for each client. This is probably the simplest way of setting this up. An alternative could be to set up self-managed EC2 instances with an open-source VPN installed in a transit VPC. I suspect this will be more cost-effective than the former, but harder to manage. There are still things like overlapping CIDR ranges to address, but I am not sure if there are better options.
Curious to see if anyone else has run into a similar situation and has any insights. Also are there any limitations I am missing in the above design?
If not much bandwidth is required, most customers tend to roll their own self-managed VPN solutions and attach them to AWS Transit Gateway (the AWS Transit Gateway Connect feature is very handy here). Running your own quickly becomes cost-effective and allows you to be more flexible in terms of NAT, route policies, etc. Just share some initial costings with the customer of, say, 100 AWS managed VPNs vs a pair of beefy EC2 instances running something like strongSwan or a marketplace appliance (say Cisco CSR), and see what their appetite is for managing their own.
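Whichever of the two designs is chosen, the two things the question flags, subnet-level separation per client and overlapping client CIDRs, have to be planned before hundreds of attachments land on one Transit Gateway. The script below is an added example, not code from the question or the answer above: it finds client CIDRs that overlap each other or the service VPC, carves a unique translated prefix for each colliding site out of a reserved NAT pool, builds one TGW route table per client, and checks that no client's prefixes can overlap another client's. The client inventory, the 10.0.0.0/16 service VPC and the 100.64.0.0/16 NAT pool are constructed sample values; the route tables and the NAT itself still have to be implemented on the TGW and on the VPN appliance (managed or self-managed) respectively.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values (not from the original post).
SERVICE_VPC = "10.0.0.0/16"   # assumed CIDR of the service VPC
NAT_POOL = "100.64.0.0/16"    # assumed pool reserved for translated client prefixes (IPv4)


@dataclass(frozen=True)
class Site:
    client: str
    name: str
    cidr: str


# Constructed inventory: three clients, five sites, two deliberate collisions.
SITES = [
    Site("acme",    "acme-hq",     "192.168.1.0/24"),
    Site("acme",    "acme-branch", "192.168.2.0/24"),
    Site("globex",  "globex-hq",   "192.168.1.0/24"),   # same CIDR as acme-hq
    Site("globex",  "globex-dc",   "10.0.5.0/24"),      # collides with the service VPC
    Site("initech", "initech-hq",  "172.16.0.0/20"),
]


def find_overlaps(sites, service_cidr):
    """Return (site, other) name pairs whose CIDRs overlap; 'service-vpc' stands for the VPC."""
    svc = ipaddress.ip_network(service_cidr)
    nets = [(s, ipaddress.ip_network(s.cidr)) for s in sites]
    pairs = []
    for i, (sa, na) in enumerate(nets):
        if na.overlaps(svc):
            pairs.append((sa.name, "service-vpc"))
        for sb, nb in nets[i + 1:]:
            if na.overlaps(nb):
                pairs.append((sa.name, sb.name))
    return pairs


def allocate_nat_prefixes(sites, overlaps, pool_cidr):
    """Give every site involved in an overlap a unique, same-sized prefix out of pool_cidr.

    Largest blocks are placed first, so each power-of-two block lands naturally aligned
    and the pool is packed without gaps. Raises ValueError when the pool runs out.
    """
    conflicting = {n for pair in overlaps for n in pair if n != "service-vpc"}
    by_name = {s.name: s for s in sites}
    pool = ipaddress.IPv4Network(pool_cidr)
    cursor, end = int(pool.network_address), int(pool.broadcast_address) + 1
    mapping = {}
    order = sorted(conflicting, key=lambda n: (ipaddress.ip_network(by_name[n].cidr).prefixlen, n))
    for name in order:
        net = ipaddress.ip_network(by_name[name].cidr)
        size = net.num_addresses
        cursor = -(-cursor // size) * size            # round up to the block's alignment
        if cursor + size > end:
            raise ValueError(f"NAT pool {pool_cidr} exhausted at {name}")
        mapping[name] = str(ipaddress.IPv4Network((cursor, net.prefixlen)))
        cursor += size
    return mapping


def build_plan(sites, service_cidr, pool_cidr):
    """One TGW route table per client, listing the prefix the TGW will route for each site."""
    nat = allocate_nat_prefixes(sites, find_overlaps(sites, service_cidr), pool_cidr)
    plan = {}
    for s in sites:
        table = plan.setdefault(s.client, {"route_table": f"tgw-rtb-{s.client}", "routes": []})
        table["routes"].append({
            "site": s.name,
            "on_prem": s.cidr,
            "advertised": nat.get(s.name, s.cidr),   # translated only where it collided
            "translated": s.name in nat,
        })
    return plan


def isolation_ok(plan, service_cidr):
    """True if no client's advertised prefix overlaps the service VPC or another client's prefix."""
    svc = ipaddress.ip_network(service_cidr)
    seen = []  # (client, network) already placed in a route table
    for client, table in plan.items():
        for r in table["routes"]:
            net = ipaddress.ip_network(r["advertised"])
            if net.overlaps(svc) or any(c != client and net.overlaps(n) for c, n in seen):
                return False
            seen.append((client, net))
    return True


if __name__ == "__main__":
    for client, table in build_plan(SITES, SERVICE_VPC, NAT_POOL).items():
        print(table["route_table"])
        for r in table["routes"]:
            flag = " (NAT)" if r["translated"] else ""
            print(f"  {r['site']:<12} {r['on_prem']:<18} -> {r['advertised']}{flag}")
```

The one-table-per-client layout is what gives the subnet-level separation the question asks for: a client's VPN attachment is associated with its own TGW route table, which only ever contains that client's (possibly translated) prefixes plus the service VPC, so there is no route by which one client's site can reach another's. The `isolation_ok` check is worth running against the real inventory before each new client is onboarded, and the pool-exhaustion error is the signal to reserve a larger NAT range rather than to reuse a prefix.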