How do I configure my Site-to-Site VPN for my data center and disaster recovery while using a single EC2 server for project access?
When I establish connections with AWS Site-to-Site VPNs A and B, I want to connect them to a Cisco router. However, both Cisco VPNs, A and B, share the same subnet. How can I manage AWS VPN A to communicate exclusively with Cisco VPN A, and when Cisco VPN A is down, enable communication between AWS VPN B and Cisco VPN B? I have a single EC2 server deployed for apps that need to communicate with both VPNs. I want only one VPN to be active at a time, and when the active VPN goes down, the inactive VPN should automatically activate. Is this possible, and if so, how can I handle this?
- Newest
- Most votes
- Most comments
Hello Joni,
In your scenario, there doesn't seem to be detail concerning the set-up of the 'shared' subnet. So, I would appreciate any corrections on my interpretation.
You can use BGP to route the traffic as described, using the VPN A connection as the primary, failing over to the VPN B connection in the event of complete failure of the primary CGW (Cisco router DC) or VPN Connection. However, please be advised that each Site-to-Site VPN connection is comprised of two tunnels for redundancy. When one tunnel becomes unavailable traffic is automatically routed to the available tunnel for that specific Site-to-Site VPN connection (e.g VPN A). Both tunnels would have to fail in order to shift traffic to VPN B.
It seems like you are looking for more robust redundancy by adding a second VPN Connection, VPN B, terminating on a secondary CGW (Cisco router DR). It would be good if you could provide additional detail about the Customer Premise side of the scenario. It would help clarify configuration options.
There is additional documentation on this topic: https://docs.aws.amazon.com/vpn/latest/s2svpn/Examples.html
Site-to-Site multiple VPN connection examples
There are several configuration options for the Cisco/On-Prem side of this scenario.
AS Path Prepending
As previously mentioned, you could advertise a prepended route from the backup Cisco router over VPN B connection. The traffic from the VPC would only use this traffic when the unmodified route being advertised over VPN A disappeared due to a malfunction.
Less specific CIDR range for Backup Path
You could also advertise a less specific CIDR range from the backup Cisco router over VPN B connection. The traffic from the VPC would only use this traffic when the more specific route being advertised over VPN A disappeared due to a malfunction.
In both of these cases, the VPN B Connection is active, but not used for traffic from the VPC to the Customer because the VPN A Connection is considered the better path in terms of route priority.
Hello.
I think it's possible if you use BGP for VPN routing.
As stated in the document below, the one with the shortest AS Path is prioritized, so you can configure the Active side router to shorten the AS Path.
Since the AS Path uses the shorter route, normally Cisco VPN A should be used, but if a failure occurs, Cisco VPN B should be used.
https://docs.aws.amazon.com/vpn/latest/s2svpn/VPNRoutingTypes.html#vpn-route-priority
- BGP propagated routes from an AWS Direct Connect connection
- Manually added static routes for a Site-to-Site VPN connection
- BGP propagated routes from a Site-to-Site VPN connection
- For matching prefixes where each Site-to-Site VPN connection uses BGP, the AS PATH is compared and the prefix with the shortest AS PATH is preferred.
https://repost.aws/knowledge-center/vpn-configure-tunnel-preference
please provide specific configuration
Relevant content
- Accepted Answerasked 2 years ago
- asked 5 months ago
AWS OFFICIALUpdated 10 months ago- AWS OFFICIALUpdated 8 months ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago
This information is very helpful. Please provide more specific example and configuration detail that will be helpfull
Hello Joni, In your scenario, there's not enough detail concerning the existing set-up of the 'shared' subnet.
Please review the following: https://community.cisco.com/t5/networking-blogs/bgp-as-path-prepending-configuration/ba-p/3819334 It contains details for configuring a route map (on R4) to AS Path prepend your advertisements to the VGW.