Architecting for large number of site-to-site VPN connections
A customer would like to move their service from on-prem to AWS. Their service requires a site-to-site VPN to the client's physical location. The customer has hundreds of clients, and each of the clients may have anywhere between 1-50 locations. This adds up to a lot of site-to-site VPN connections.
I have been brainstorming on how to architect this, and I am leaning towards leveraging TGW + site-to-site VPN connection with subnet level separation for each client. This is probably the simplest way of setting this up. Alternative could be to setup self-managed EC2 instances with open source VPN installed in a transit VPC. I suspect this will be more cost effective than the former, but harder to managed. There are still things like overlapping CIDR ranges to address but I am not sure if there are better options.
Curious to see if anyone else has run into a similar situation and has any insights. Also are there any limitations I am missing in the above design?
If not much bandwidth is required, most customers tend to roll their own self-managed VPN solutions and attach them to AWS Transit Gateway (AWS Transit Gateway Connect feature is very handy here). Running your own quickly becomes cost effective and allows you to be more flexible in terms of NAT, route policies, etc. Just share some initial costings with the customer of say 100 AWS managed VPNs vs a pair of beefy EC2 instances running something like Strong Swan or a market place appliance (say Cisco CSR) and see what is their appetite for managing their own.
Relevant questions
Is it possible to set up a dynamic routing connection to AWS through a site-to-site VPN via a vendor?
Accepted Answerasked 2 years agoAddressable clients for Client VPN
Accepted Answerasked 3 years agomultiple VPN connections with same VPC
Accepted Answerasked 5 years agoAWS Client VPN Self Service Page intermittently returns a 400
asked 5 months agoLooking for clarity on site-to-site VPN connetions
asked 3 years agoHow can we connect a Sagemaker Studio user to a gitlab repo within a private VPN?
Accepted Answerasked 8 months agoCan a customer load data from their different sites to a single Snowball before shipping back to AWS?
Accepted Answerasked 6 years agoTerminate each Site-to-Site VPN Tunnels to Multiple Customer Gateways
Accepted Answerasked 2 years agoConflict between AWS site-to-site VPN (to a VPC) and non-AWS client VPN
asked 3 years agoArchitecting for large number of site-to-site VPN connections
Accepted Answer
