- Newest
- Most votes
- Most comments
The answer to this question is Yes, even if CGW has Policy based implementation, the AWS side (VGW or TGW) will still have 2 Tunnels as well as the Tunnel Outside IPs (169.254.x.x/30) that is because AWS Site-Site VPN is a Route based VPN implementation.
Will those tunnel IP's will still be generated on AWS side, even though remote is configured just for policy based ?
That being said, if your CGW only supports Policy based VPN you can still implement it and it will work; the only issue being only 1 SA (Security Association) will be supported so that would mean 1 single Policy. This is described in this KC article.
If however your CGW does supports Route based VPN then it is recommended to use Route based instead of Policy based VPN, with this you will not run into SA limitation, you can choose to use Static or BGP based VPN.
Hello, As mentioned in the documentation below, AWS Site-Site VPN is a Route based VPN solution. So to put it in simple words, AWS Site-Site VPN does NOT support multiple policies and hence is not a policy based solution. If you are using a policy-based configuration, you must limit your configuration to a single security association (SA). Static and Dynamic are routing options depending on whether or not, your CGW device supports BGP or not. It is always recommended to use Dynamic routing with BGP. Hope this helps clear out your confusion.
Link- https://docs.aws.amazon.com/vpn/latest/s2svpn/your-cgw.html
Relevant content
- asked 3 months ago
- Accepted Answerasked 8 months ago
AWS OFFICIALUpdated a year ago- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 9 months ago
- AWS OFFICIALUpdated 9 months ago
As per AWS only remote should initiate traffic to bring policy based VPN tunnel, not sure how that's handled from AWS side having said that there are two public IP's ? Anyways thanks Tushar for responding my queries.