
Encrypt AWS Direct connect with IPSec


Dear Team - We have an AWS dedicated Direct Connect connection. One Transit VIF is configured on a DXGW/TGW, and one Private VIF is configured with another DXGW/VPCs (8 VPCs). Now we want to encrypt all of the above traffic through a Public VIF IPSec VPN. (We are not exploring Private IP VPN as of now.) Both VIFs are terminated on the same on-prem Cisco router.

Question 1 - How many IPSec VPN connections are needed to encrypt all of the above traffic? One for the Transit Gateway and 8 for the VGWs/VPCs?

Question 2 - How can I ensure that traffic goes over IPSec and not through the underlying Private/Transit VIF? Do I need to remove VPC routes from the DXGW associations with the TGW/VGW? What other routing changes are needed?

Thanks

asked 2 years ago, 548 views

1 Answer

Accepted Answer

Hello,

1 - Yes, you need to create an IPSec connection to the TGW and to each VGW.

2 - When you create a VPN attachment on a Transit Gateway, you get two public IP addresses for the VPN endpoints on the AWS side. These public IPs are reachable over the Public VIF, so you can establish the VPN connection directly over the Public VIF without needing the Transit VIF in this scenario. The same applies to the VGW VPN connection. Please refer to point 4 in the documentation below: https://docs.aws.amazon.com/whitepapers/latest/building-scalable-secure-multi-vpc-network-infrastructure/direct-connect.html

AWS, answered 2 years ago
AWS EXPERT, reviewed 2 years ago
  • Thanks for question 1.

    For question 2, I understand the VPN establishment process, but can you elaborate more on the routing part?

    For example, I am advertising 10.0.0.0/24 from the Transit VIF through the TGW association to the DXGW, and the on-prem Cisco router is advertising 192.168.10.0/24 towards the Transit VIF. Once I establish IPSec, what would happen to those advertisements from the TGW/DXGW and the on-prem Cisco router? And how do I use the IPSec tunnel path instead of the Transit VIF path?

    Do I need to disable or delete the existing Transit VIF or Private VIF?

  • As you are planning to leverage the IPSec connections to both the TGW and the VGW over the Public VIF, the BGP sessions running on top of the IPSec connections will exchange the routes between the TGW/VGW and on-prem. You don't need the Transit VIF or Private VIF for your scenario.
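The on-prem side of the design described in the answer, as an added illustration that is not configuration from this thread or from AWS: one IKEv2/IPSec VTI to the first tunnel of the TGW VPN connection, sourced from the Public VIF subinterface, with BGP running only inside the tunnel so the 10.0.0.0/24 and 192.168.10.0/24 prefixes from the comment are exchanged exclusively over the encrypted path. Assumed placeholders: IOS-XE syntax, GigabitEthernet0/0/0.100 as the Public VIF subinterface, 203.0.113.10 as the AWS tunnel outside IP, 198.51.100.1 as the Public VIF next hop, 169.254.100.0/30 as the inside-tunnel addresses, AS 65000 on-prem and AS 64512 on the TGW.

```cisco
! --- IKEv2 (placeholder peer 203.0.113.10 = AWS tunnel 1 outside IP) ---
crypto ikev2 proposal AWS-TGW-PROPOSAL
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy AWS-TGW-POLICY
 proposal AWS-TGW-PROPOSAL
crypto ikev2 keyring AWS-TGW-KEYRING
 peer AWS-TGW-TUNNEL1
  address 203.0.113.10
  pre-shared-key <PSK-FROM-AWS-VPN-CONFIG-DOWNLOAD>
crypto ikev2 profile AWS-TGW-PROFILE
 match identity remote address 203.0.113.10 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local AWS-TGW-KEYRING
! --- IPSec ---
crypto ipsec transform-set AWS-TGW-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile AWS-TGW-IPSEC
 set transform-set AWS-TGW-TS
 set pfs group14
 set ikev2-profile AWS-TGW-PROFILE
! --- VTI sourced from the Public VIF subinterface: IKE and ESP ride the Public VIF ---
interface Tunnel1
 ip address 169.254.100.2 255.255.255.252
 ip tcp adjust-mss 1379
 tunnel source GigabitEthernet0/0/0.100
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.10
 tunnel protection ipsec profile AWS-TGW-IPSEC
! --- Pin the tunnel endpoint to the Public VIF next hop (placeholder 198.51.100.1);
! --- optional if the Public VIF BGP session already carries the AWS public prefix ---
ip route 203.0.113.10 255.255.255.255 198.51.100.1
! --- BGP: only the inside-tunnel neighbour. With no neighbour on the Transit VIF,
! --- 10.0.0.0/24 is learned, and 192.168.10.0/24 advertised, only over the tunnel ---
router bgp 65000
 neighbor 169.254.100.1 remote-as 64512
 address-family ipv4
  network 192.168.10.0 mask 255.255.255.0
  neighbor 169.254.100.1 activate
```

The second tunnel of the same VPN connection is configured identically with its own outside IP, inside /30 and PSK, and the VGW connections repeat the pattern per VPC.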
