Direct Connect and IPSEC VPNs


Hi There,

We are pretty new to the AWS world, and currently we are trying to set up some services in AWS. Our on-prem data centre needs connecting to AWS via Direct Connect, and as an option for failover we need to build the IPsec VPNs.

We have already built the IPsec VPNs and they terminate on our on-prem firewalls over the internet. Now that we have Direct Connect available, can we connect this to our core switch/router and leave the IPsec VPNs on the firewalls? Another concern is that we don't have spare 10G ports on the firewalls to connect Direct Connect, but we do have 10G ports on the core router. For the failover to work between DX and the IPsec VPNs, is it necessary for the AWS Transit Gateway to have the same IP for peering the IPsec VPNs and BGP?

Asked 1 year ago, viewed 364 times
1 answer

The topology you are using is not uncommon. A lot of customers use firewalls as VPN concentrators and routers/L3 switches as termination points for WAN circuits.

Your second question: "For the failover to work between DX and IPsec VPNs, is it necessary for the AWS Transit Gateway to have the same IP for peering the IPsec VPNs and BGP?" This is not a requirement.

See the scenario you are describing in the whitepaper, linked below:

https://docs.aws.amazon.com/whitepapers/latest/hybrid-connectivity/vpn-connection-as-a-backup-to-aws-dx-connection-example.html

AWS Expert
Answered 1 year ago
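To make the "not a requirement" concrete, here is an added example (my own illustration, not code from the thread or from AWS) that models why DX and VPN failover works with two independent BGP sessions on two different devices. The peer addresses (169.254.10.1 on the core router's DX VIF, 169.254.20.1 on the firewall's VPN tunnel), the prefixes (10.100.0.0/16 on the AWS side, 10.0.0.0/8 on-prem) and the AS numbers are all assumed values. The on-prem side is modelled with the first two steps of standard BGP best-path selection (LOCAL_PREF, then AS_PATH length); the Transit Gateway side is modelled on AWS's documented rule that, for the same prefix, a route propagated from a Direct Connect gateway is preferred over one from a Site-to-Site VPN.

```python
"""
Added example (not from the re:Post thread): DX primary / IPsec VPN backup
modelled as BGP path selection over two independent sessions.

Assumed addresses and numbers (not from the original page):
  - DX private VIF on the core router, AWS-side peer 169.254.10.1
  - IPsec VPN tunnel on the firewall, AWS-side peer 169.254.20.1
  - VPC CIDR 10.100.0.0/16, on-prem aggregate 10.0.0.0/8, ASNs 64512 / 65000
The two sessions share nothing: what matters is that both advertise the
same prefixes and that each side ranks the DX path higher.
"""
from dataclasses import dataclass


@dataclass
class Route:
    prefix: str
    next_hop: str          # BGP peer the route was learned from
    via: str               # "dx" or "vpn": which attachment carried it
    local_pref: int = 100
    as_path: tuple = ()    # AS path as received; prepending lengthens it
    up: bool = True        # False once the session drops / route is withdrawn


def on_prem_best(routes):
    """On-prem router view: highest LOCAL_PREF wins, then shortest AS_PATH
    (the first two steps of standard BGP best-path selection)."""
    candidates = [r for r in routes if r.up]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.local_pref, -len(r.as_path)))


def tgw_best(routes):
    """Transit Gateway view: for the same prefix, a route propagated from a
    DX gateway beats one from a Site-to-Site VPN regardless of BGP attributes."""
    rank = {"dx": 0, "vpn": 1}
    candidates = [r for r in routes if r.up]
    if not candidates:
        return None
    return min(candidates, key=lambda r: rank[r.via])


def build_on_prem_routes():
    """Constructed input: the VPC CIDR learned from both sessions. Policy on the
    core router: LOCAL_PREF 200 on the DX peer so DX wins while it is up."""
    return [
        Route("10.100.0.0/16", "169.254.10.1", "dx", local_pref=200, as_path=(64512,)),
        Route("10.100.0.0/16", "169.254.20.1", "vpn", local_pref=100, as_path=(64512,)),
    ]


def build_tgw_routes():
    """Constructed input: the on-prem aggregate advertised over both attachments.
    The VPN advertisement is AS-path prepended so that any BGP speaker applying
    only standard path selection also finds the VPN path less attractive."""
    return [
        Route("10.0.0.0/8", "core-router", "dx", as_path=(65000,)),
        Route("10.0.0.0/8", "firewall", "vpn", as_path=(65000, 65000, 65000)),
    ]


def failover_trace(routes, select):
    """Return (path before, path after) the DX BGP session goes down."""
    before = select(routes).via
    for r in routes:
        if r.via == "dx":
            r.up = False          # DX session drops -> its routes are withdrawn
    after = select(routes).via
    return before, after


if __name__ == "__main__":
    print("on-prem view :", failover_trace(build_on_prem_routes(), on_prem_best))
    print("TGW view     :", failover_trace(build_tgw_routes(), tgw_best))
```

Running it shows both sides choosing `dx` first and `vpn` after the withdrawal. Nothing in the selection depends on the VPN and DX peers sharing an address; the only coupling is that the same prefixes are advertised on both sessions and that the DX session is preferred on both ends, which is exactly what the linked whitepaper scenario sets up.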
