I have a somewhat complicated question:
I have connected multiple VPCs with EC2 instances (IPsec) for routing traffic between VPCs across regions. I have a VPN connection to each AWS region, and everything is working fine.
Traffic from my office to 10.20.*.* goes to ->
VPN connection LINE 1 in AWS eu-west-1 ->
vpc_ireland - CIDR 10.20.0.0/16
Here I have an IPsec instance that routes the traffic from 10.60.0.0/16 to vpc_viriginia.

Traffic from my office to 10.60.*.* goes to ->
VPN connection LINE 2 in AWS us-east-1 ->
vpc_viriginia - CIDR 10.60.0.0/16
In AWS us-east-1 I have an IPsec instance that routes the traffic from 10.20.0.0/16 to vpc_ireland.
I want to make sure that if one of the VPN connections/lines goes down, I will still be able to access the AWS region via the other VPN in the other AWS region.
For example, if VPN connection LINE 2 (Virginia) goes down, automatically all the traffic from my office to 10.60.*.* will go to VPN connection LINE 1 (vpc_ireland), and from there it will route to vpc_viriginia with my IPsec instance, like nothing happened.
Example: if VPN connection LINE 2 goes down: myoffice -> 10.60.203.11 -> VPN connection LINE 1 -> vpc_ireland -> ipsec instance in ireland -> vpc_viriginia
As I said, I have a connection between my regions with IPsec instances.
My question is: if VPN connection LINE 2 goes down, all the traffic to 10.60.*.* will route automatically from my office to vpc_ireland - CIDR 10.20.0.0/16, but I guess vpc_ireland will reject it because the IPs 10.60.*.* are not in the same network as vpc_ireland - CIDR 10.20.0.0/16.
So I wonder what my options are (without removing my current AWS VPN)?
To be more specific: how can I route traffic from IPs (let's say, for example, 10.60.111.9) via the Ireland VPN connection (when the Virginia VPN connection goes down) to vpc_ireland, when the IPs that I route are not in the same network CIDR 10.20.0.0/16?
The question refers only to the AWS side, after I route the traffic from my office.
I will be happy to answer any questions if my question is not understandable.
Thanks in advance!!
UPDATE - I will try to be more specific with my question:
- AWS VPN in Virginia goes down.
- All the traffic from my office to 10.60.*.* routes to AWS VPN connection LINE 1 in AWS eu-west-1.
- So if I ping now from my office to 10.60.100.13, it will be routed to the Ireland VPN.
- But the VPC in Ireland has CIDR block 10.20.0.0/16.
If I were able to route somehow the traffic that goes to the Ireland VPN from IPs in CIDR block 10.60.*.* to my current VPC in Ireland with CIDR block 10.20.0.0/16, I could use my routing table and my IPsec instance to route it back to the Virginia VPC.
Is it possible at all to route traffic from a different subnet to another CIDR block in a VPC? IP 10.60.100.13 to CIDR block 10.20.0.0/16?
You can try to do something like this.
But before you do anything, FYI: the VPN gateway has two entry points, so redundancy is built in already.
There is one thing you need to consider: the route tables, even though they have entries for both the office and the other VPC, will send traffic to the default route for your office (VPN gateways). For this you need to make a small script that changes the route priority, so if VPNGateway1 can't connect to your office, then you give this a lower priority and route office_space/netmask via VPC2.
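A sketch of the "small script" the answer describes, written as an added example (not the answerer's code): it reads the VPN connection's tunnel telemetry and the VPC route table in the same shapes boto3's `describe_vpn_connections` and `describe_route_tables` return, and installs or removes a static route for the office prefix via the IPsec instance's ENI. The office prefix, ENI id and route table id are placeholders; `DryRunEc2` stands in for a real boto3 EC2 client so the logic can be exercised offline.

```python
from typing import Optional

OFFICE_CIDR = "192.168.0.0/16"   # placeholder for office_space/netmask
IPSEC_ENI = "eni-PLACEHOLDER"    # placeholder: ENI of the IPsec instance that reaches the other VPC
ROUTE_TABLE = "rtb-PLACEHOLDER"  # placeholder: route table of this VPC's subnets

def vpn_is_down(vpn_connection: dict) -> bool:
    """True only when every tunnel reports DOWN. vpn_connection has the shape of one
    entry from ec2.describe_vpn_connections(); VgwTelemetry lists tunnel statuses."""
    telemetry = vpn_connection.get("VgwTelemetry", [])
    return bool(telemetry) and all(t["Status"] == "DOWN" for t in telemetry)

def failover_active(routes: list) -> bool:
    """A static (Origin=CreateRoute) entry for the office prefix via the IPsec ENI
    means the failover route is already installed (routes: describe_route_tables Routes)."""
    return any(r.get("DestinationCidrBlock") == OFFICE_CIDR
               and r.get("NetworkInterfaceId") == IPSEC_ENI
               and r.get("Origin") == "CreateRoute" for r in routes)

def plan_route_change(vpn_connection: dict, routes: list) -> Optional[str]:
    """Return "create", "delete" or None; idempotent, so it is safe to run from cron."""
    down, active = vpn_is_down(vpn_connection), failover_active(routes)
    if down and not active:
        return "create"  # VPN dead: send office traffic through the IPsec instance
    if not down and active:
        return "delete"  # tunnel back: drop the static route, the propagated VGW route wins again
    return None

def apply_change(action: Optional[str], ec2) -> Optional[str]:
    """ec2 is a boto3 EC2 client or any object with the same two method names.
    A static route outranks the VGW-propagated route for the same prefix, so creating
    it is enough to redirect the office traffic; deleting it restores the VGW path."""
    if action == "create":
        ec2.create_route(RouteTableId=ROUTE_TABLE, DestinationCidrBlock=OFFICE_CIDR,
                         NetworkInterfaceId=IPSEC_ENI)
    elif action == "delete":
        ec2.delete_route(RouteTableId=ROUTE_TABLE, DestinationCidrBlock=OFFICE_CIDR)
    return action

class DryRunEc2:
    """Stand-in for the boto3 client that only records the calls it would make."""
    def __init__(self):
        self.calls = []
    def create_route(self, **kwargs):
        self.calls.append(("create_route", kwargs))
    def delete_route(self, **kwargs):
        self.calls.append(("delete_route", kwargs))
```

The IPsec instance must already have source/destination checking disabled for the static route to forward anything, which is the case if it is already routing between the two VPCs.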